diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml new file mode 100644 index 000000000..13e6bc5a6 --- /dev/null +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight.yaml @@ -0,0 +1,15 @@ +framework: + id: aws_acsc_essential_eight + title: Australian Cyber Security Center (ACSC) Essential Eight + description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents. + section-code: aws_acsc_essential_eight + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1 + - id: aws_acsc_essential_eight_ml_2 + - id: aws_acsc_essential_eight_ml_3 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml index aaa0edf09..263e4c70e 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1.yaml 
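Review bot: `auto-assign: false` under `metadata.defaults` here disagrees with `auto-assign: null` in every control-group file of this commit (the ml_1 through ml_1_7_4 hunks), so the framework and its groups express the same default in two different types. If the loader reads null as "inherit from parent" that may be intentional, but if the field is a boolean, null is a type mismatch that a strict schema would reject; I'd settle on one value file-wide, e.g. `auto-assign: false` in each group. Since the framework also ships with `enabled: false`, a one-line comment above `defaults:` would help the next maintainer understand nothing is evaluated until it is switched on, e.g. `# shipped disabled; enable once the control mappings have been reviewed`.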
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_1 -Title: ACSC Essential Eight Maturity Level 1 -Description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. -SectionCode: ml_1 -Children: - - aws_acsc_essential_eight_ml_1_2 - - aws_acsc_essential_eight_ml_1_5 - - aws_acsc_essential_eight_ml_1_6 - - aws_acsc_essential_eight_ml_1_7 - - aws_acsc_essential_eight_ml_1_8 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1 + title: ACSC Essential Eight Maturity Level 1 + description: The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. + section-code: ml_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1_2 + - id: aws_acsc_essential_eight_ml_1_5 + - id: aws_acsc_essential_eight_ml_1_6 + - id: aws_acsc_essential_eight_ml_1_7 + - id: aws_acsc_essential_eight_ml_1_8 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml index de871cbb5..f3f3a5b24 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2.yaml 
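Review bot: The `description` carried over into the new `control-group` block ("The availability category refers to the accessibility of information...") describes a SOC 2 style availability category, not Essential Eight Maturity Level 1, so the migrated file keeps a wrong statement of what this group covers. Something like `description: Maturity Level 1 of the ACSC Essential Eight mitigation strategies.` would match the framework description in the first hunk. The child list also skips `ml_1_1`, `ml_1_3` and `ml_1_4` (only 2, 5, 6, 7 and 8 are listed); if those strategies are deliberately unmapped a short comment saying so would stop readers treating it as an omission. The old `Controls: []` key has no counterpart in the new block; presumably the loader tolerates a missing `controls:` key, but that is worth confirming.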
@@ -1,8 +1,13 @@ -ID: aws_acsc_essential_eight_ml_1_2 -Title: 'ACSC-EE-ML1-2: Patch applications ML1' -Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. -SectionCode: "2" -Children: - - aws_acsc_essential_eight_ml_1_2_5 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_2 + title: "ACSC-EE-ML1-2: Patch applications ML1" + description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1_2_5 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml index 60997e3df..3ff6f1e59 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_2_5.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_1_2_5 -Title: 'ACSC-EE-ML1-2.5: Patch applications ML1' -Description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. -SectionCode: "5" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_2_5 + title: "ACSC-EE-ML1-2.5: Patch applications ML1" + description: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml index ee108bc08..4276e7999 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5.yaml @@ -1,11 +1,16 @@ -ID: aws_acsc_essential_eight_ml_1_5 -Title: 'ACSC-EE-ML1-5: Restrict administrative privileges ML1' -Description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data. -SectionCode: "5" -Children: - - aws_acsc_essential_eight_ml_1_5_2 - - aws_acsc_essential_eight_ml_1_5_3 - - aws_acsc_essential_eight_ml_1_5_4 - - aws_acsc_essential_eight_ml_1_5_5 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_5 + title: "ACSC-EE-ML1-5: Restrict administrative privileges ML1" + description: The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1_5_2 + - id: aws_acsc_essential_eight_ml_1_5_3 + - id: aws_acsc_essential_eight_ml_1_5_4 + - id: aws_acsc_essential_eight_ml_1_5_5 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml index 7669f764e..e76b09f4a 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_2.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_1_5_2 -Title: 'ACSC-EE-ML1-5.2: Restrict administrative privileges ML1' -Description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services. -SectionCode: "2" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_5_2 + title: "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1" + description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml index bd054f48d..9cf5e0130 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml 
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_3.yaml @@ -1,15 +1,20 @@ -ID: aws_acsc_essential_eight_ml_1_5_3 -Title: 'ACSC-EE-ML1-5.3: Restrict administrative privileges ML1' -Description: Privileged users use separate privileged and unprivileged operating environments. -SectionCode: "3" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_5_3 + title: "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1" + description: Privileged users use separate privileged and unprivileged operating environments. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml index 68515e1cb..78a7d1c9c 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml 
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_4.yaml @@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_1_5_4 -Title: 'ACSC-EE-ML1-5.4: Restrict administrative privileges ML1' -Description: Unprivileged accounts cannot logon to privileged operating environments. -SectionCode: "4" -Children: [] -Controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_5_4 + title: "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1" + description: Unprivileged accounts cannot logon to privileged operating environments. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml index 0cf131f1d..f8446dbdf 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_5_5.yaml 
@@ -1,17 +1,22 @@ -ID: aws_acsc_essential_eight_ml_1_5_5 -Title: 'ACSC-EE-ML1-5.5: Restrict administrative privileges ML1' -Description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. -SectionCode: "5" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_5_5 + title: "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1" + description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml index f4179a81f..014561c2d 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml 
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6.yaml @@ -1,13 +1,18 @@ -ID: aws_acsc_essential_eight_ml_1_6 -Title: 'ACSC-EE-ML1-6: Patch operating systems ML1' -Description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems. -SectionCode: "6" -Children: - - aws_acsc_essential_eight_ml_1_6_2 - - aws_acsc_essential_eight_ml_1_6_3 - - aws_acsc_essential_eight_ml_1_6_4 - - aws_acsc_essential_eight_ml_1_6_5 - - aws_acsc_essential_eight_ml_1_6_6 - - aws_acsc_essential_eight_ml_1_6_7 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6 + title: "ACSC-EE-ML1-6: Patch operating systems ML1" + description: The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1_6_2 + - id: aws_acsc_essential_eight_ml_1_6_3 + - id: aws_acsc_essential_eight_ml_1_6_4 + - id: aws_acsc_essential_eight_ml_1_6_5 + - id: aws_acsc_essential_eight_ml_1_6_6 + - id: aws_acsc_essential_eight_ml_1_6_7 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml index f256a929c..764eea144 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_2.yaml 
@@ -1,9 +1,14 @@ -ID: aws_acsc_essential_eight_ml_1_6_2 -Title: 'ACSC-EE-ML1-6.2: Patch operating systems ML1' -Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. -SectionCode: "2" -Children: [] -Controls: - - aws_1test - - aws_ecr_repository_image_scan_on_push_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_2 + title: "ACSC-EE-ML1-6.2: Patch operating systems ML1" + description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_1test + - aws_ecr_repository_image_scan_on_push_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml index bcf68a1d8..af364c7f5 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_3.yaml 
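Review bot: `- aws_1test` in the new `controls:` list looks like a placeholder or test control id sitting next to the real `aws_ecr_repository_image_scan_on_push_enabled`; it was present in the old file too, but this rewrite is the natural place to remove it. If no control with that id exists, the group either fails to load or silently reports one fewer check than it appears to, depending on how unknown ids are handled. I'd confirm the id against the control catalogue and, if it is not real, drop the line.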
@@ -1,8 +1,13 @@ -ID: aws_acsc_essential_eight_ml_1_6_3 -Title: 'ACSC-EE-ML1-6.3: Patch operating systems ML1' -Description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services. -SectionCode: "3" -Children: [] -Controls: - - aws_ecr_repository_image_scan_on_push_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_3 + title: "ACSC-EE-ML1-6.3: Patch operating systems ML1" + description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecr_repository_image_scan_on_push_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml index 69e2036cc..7ba84a024 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_4.yaml 
@@ -1,8 +1,13 @@ -ID: aws_acsc_essential_eight_ml_1_6_4 -Title: 'ACSC-EE-ML1-6.4: Patch operating systems ML1' -Description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices. -SectionCode: "4" -Children: [] -Controls: - - aws_ecr_repository_image_scan_on_push_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_4 + title: "ACSC-EE-ML1-6.4: Patch operating systems ML1" + description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecr_repository_image_scan_on_push_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml index 06324cd8c..df5559498 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_5.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_1_6_5 -Title: 'ACSC-EE-ML1-6.5: Patch operating systems ML1' -Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. -SectionCode: "5" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_5 + title: "ACSC-EE-ML1-6.5: Patch operating systems ML1" + description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml index 501a2ec7c..fa8c07d48 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_6.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_1_6_6 -Title: 'ACSC-EE-ML1-6.6: Patch operating systems ML1' -Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release. -SectionCode: "6" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_6 + title: "ACSC-EE-ML1-6.6: Patch operating systems ML1" + description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml index 49ed210c1..4a6c24e78 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_6_7.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_1_6_7 -Title: 'ACSC-EE-ML1-6.7: Patch operating systems ML1' -Description: Operating systems that are no longer supported by vendors are replaced. -SectionCode: "7" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_6_7 + title: "ACSC-EE-ML1-6.7: Patch operating systems ML1" + description: Operating systems that are no longer supported by vendors are replaced. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml index eeee60550..aa6b531bd 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml 
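Review bot: The `description` for this group is about replacing operating systems that vendors no longer support, yet the `controls:` list is the identical patch/auto-minor-upgrade set used by the ml_1_6_5 and ml_1_6_6 hunks. If that is a deliberate best-available proxy, a comment above `controls:` saying so (e.g. `# no direct end-of-life check available; reusing the patch-currency controls`) would make the intent clear. Otherwise the list could presumably be narrowed to the version-currency controls such as `aws_eks_cluster_with_latest_kubernetes_version` and `aws_lambda_function_use_latest_runtime`, which is closer to the stated requirement.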
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7.yaml @@ -1,11 +1,16 @@ -ID: aws_acsc_essential_eight_ml_1_7 -Title: 'ACSC-EE-ML1-7: Application control ML1' -Description: Application control is the practice of restricting the execution of applications to those that have been authorised and are known to be secure. -SectionCode: "7" -Children: - - aws_acsc_essential_eight_ml_1_7_1 - - aws_acsc_essential_eight_ml_1_7_2 - - aws_acsc_essential_eight_ml_1_7_3 - - aws_acsc_essential_eight_ml_1_7_4 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_7 + title: "ACSC-EE-ML1-7: Application control ML1" + description: Application control is the practice of restricting the execution of applications to those that have been authorised and are known to be secure. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_1_7_1 + - id: aws_acsc_essential_eight_ml_1_7_2 + - id: aws_acsc_essential_eight_ml_1_7_3 + - id: aws_acsc_essential_eight_ml_1_7_4 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml index 8936bbbfb..be50458c7 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_1.yaml 
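Review bot: This group is titled `"ACSC-EE-ML1-7: Application control ML1"` and its description is about restricting application execution, but the four children it lists (ml_1_7_1 to ml_1_7_4 in the following hunks) are all titled "Multi-factor authentication ML1" and map only MFA controls. One side of that is mislabelled: either this group's `title` and `description` should describe multi-factor authentication, or the children belong under a different strategy id. I'd resolve it before the framework is enabled, since reports would otherwise present MFA findings under an application-control heading.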
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_1_7_1 -Title: 'ACSC-EE-ML1-7.1: Multi-factor authentication ML1' -Description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_7_1 + title: "ACSC-EE-ML1-7.1: Multi-factor authentication ML1" + description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml index 74a4ea77f..b6d59900a 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_2.yaml 
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_1_7_2 -Title: 'ACSC-EE-ML1-7.2: Multi-factor authentication ML1' -Description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data. -SectionCode: "2" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_1_7_2 + title: "ACSC-EE-ML1-7.2: Multi-factor authentication ML1" + description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml index 59569eafc..bf83de49e 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_3.yaml 
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_1_7_3
-Title: 'ACSC-EE-ML1-7.3: Multi-factor authentication ML1'
-Description: Multi-factor authentication (where available) is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_7_3
+ title: "ACSC-EE-ML1-7.3: Multi-factor authentication ML1"
+ description: Multi-factor authentication (where available) is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
index aefdff950..2d7682bab 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_7_4.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_1_7_4
-Title: 'ACSC-EE-ML1-7.4: Multi-factor authentication ML1'
-Description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_7_4
+ title: "ACSC-EE-ML1-7.4: Multi-factor authentication ML1"
+ description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
index b3bbd341f..ae01ce500 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_1_8
-Title: 'ACSC-EE-ML1-8: Regular backups ML1'
-Description: Regular backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
-SectionCode: "8"
-Children:
- - aws_acsc_essential_eight_ml_1_8_1
- - aws_acsc_essential_eight_ml_1_8_2
- - aws_acsc_essential_eight_ml_1_8_3
- - aws_acsc_essential_eight_ml_1_8_5
- - aws_acsc_essential_eight_ml_1_8_6
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8
+ title: "ACSC-EE-ML1-8: Regular backups ML1"
+ description: Regular backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_1_8_1
+ - id: aws_acsc_essential_eight_ml_1_8_2
+ - id: aws_acsc_essential_eight_ml_1_8_3
+ - id: aws_acsc_essential_eight_ml_1_8_5
+ - id: aws_acsc_essential_eight_ml_1_8_6
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
index 3ad6e5ca3..3d01a9346 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_1.yaml
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_1_8_1
-Title: 'ACSC-EE-ML1-8.1: Regular backups ML1'
-Description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8_1
+ title: "ACSC-EE-ML1-8.1: Regular backups ML1"
+ description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
index 225f6b32a..712432acd 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_2.yaml
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_1_8_2
-Title: 'ACSC-EE-ML1-8.2: Regular backups ML1'
-Description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8_2
+ title: "ACSC-EE-ML1-8.2: Regular backups ML1"
+ description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
index a2b6858a0..99e8b2341 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_3.yaml
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_1_8_3
-Title: 'ACSC-EE-ML1-8.3: Regular backups ML1'
-Description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8_3
+ title: "ACSC-EE-ML1-8.3: Regular backups ML1"
+ description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
index e5b44cd92..650815143 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_5.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_1_8_5
-Title: 'ACSC-EE-ML1-8.5: Regular backups ML1'
-Description: Unprivileged accounts cannot access backups belonging to other accounts.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8_5
+ title: "ACSC-EE-ML1-8.5: Regular backups ML1"
+ description: Unprivileged accounts cannot access backups belonging to other accounts.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
index a622a37bc..6bab5d917 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_1_8_6.yaml
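Review bot: The `controls` list under 8.5 ("Unprivileged accounts cannot access backups belonging to other accounts") contains no entry that, by name, evaluates access to backups at all — `aws_vpc_security_group_restrict_ingress_ssh_all`, `aws_codebuild_project_source_repo_oauth_configured` and `aws_ecs_task_definition_container_readonly_root_filesystem` concern network, source-repository and container settings. The identical nine-entry list is reused for 8.6 ("prevented from modifying and deleting backups") in the next hunk, so a reader of either group would conclude backup access is being checked when it is not. Controls on AWS Backup vault access policies or snapshot sharing would map directly, and `aws_s3_bucket_mfa_delete_enabled` (already used under 7.x) is at least a deletion guard; failing that, add a comment above the list such as `# proxy least-privilege controls; no direct backup-access check is mapped yet` so the gap is visible in compliance reports.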
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_1_8_6
-Title: 'ACSC-EE-ML1-8.6: Regular backups ML1'
-Description: Unprivileged accounts are prevented from modifying and deleting backups.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_1_8_6
+ title: "ACSC-EE-ML1-8.6: Regular backups ML1"
+ description: Unprivileged accounts are prevented from modifying and deleting backups.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
index c2c9e13fb..ee1409fce 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2.yaml
@@ -1,13 +1,18 @@
-ID: aws_acsc_essential_eight_ml_2
-Title: ACSC Essential Eight Maturity Level 2
-Description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
-SectionCode: ml_2
-Children:
- - aws_acsc_essential_eight_ml_2_1
- - aws_acsc_essential_eight_ml_2_2
- - aws_acsc_essential_eight_ml_2_5
- - aws_acsc_essential_eight_ml_2_6
- - aws_acsc_essential_eight_ml_2_7
- - aws_acsc_essential_eight_ml_2_8
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2
+ title: ACSC Essential Eight Maturity Level 2
+ description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
+ section-code: ml_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_2_1
+ - id: aws_acsc_essential_eight_ml_2_2
+ - id: aws_acsc_essential_eight_ml_2_5
+ - id: aws_acsc_essential_eight_ml_2_6
+ - id: aws_acsc_essential_eight_ml_2_7
+ - id: aws_acsc_essential_eight_ml_2_8
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
index 523418121..056cfc5cf 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_1
-Title: 'ACSC-EE-ML2-1: Patch applications ML2'
-Description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
-SectionCode: "1"
-Children:
- - aws_acsc_essential_eight_ml_2_1_3
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_1
+ title: "ACSC-EE-ML2-1: Patch applications ML2"
+ description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_2_1_3
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
index 9323d4dc9..7d3dbb3c7 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_1_3.yaml
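Review bot: The title `ACSC-EE-ML2-1: Patch applications ML2` does not agree with the group's only child, ml_2_1_3, which the next hunk titles `Application control ML2` and describes as logging of allowed and blocked execution events. The same mismatch appears in the ml_2_2 hunk, where `Patch operating systems ML2` has the single child ml_2_2_5 titled `Patch applications ML2` (fortnightly vulnerability scanning of applications), and both parents carry the identical asset-discovery description. It looks as though the two parent titles are shifted by one strategy relative to their children; please verify the numbering against the ACSC strategy list and fix title and description together so that parent and child names agree, since this is carried through unchanged into the new `control-group` layout.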
@@ -1,39 +1,44 @@
-ID: aws_acsc_essential_eight_ml_2_1_3
-Title: 'ACSC-EE-ML2-1.3: Application control ML2'
-Description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_appsync_graphql_api_field_level_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_codebuild_project_logging_enabled
- - aws_dms_replication_task_source_database_logging_enabled
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ecs_task_definition_logging_enabled
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_gatewayv2_stage_access_logging_enabled
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_networkfirewall_firewall_logging_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_route53_zone_query_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_sfn_state_machine_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_1_3
+ title: "ACSC-EE-ML2-1.3: Application control ML2"
+ description: Allowed and blocked execution events on workstations and internet-facing servers are logged.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_appsync_graphql_api_field_level_logging_enabled
+ - aws_cloudfront_distribution_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_codebuild_project_logging_enabled
+ - aws_dms_replication_task_source_database_logging_enabled
+ - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+ - aws_ecs_task_definition_logging_enabled
+ - aws_eks_cluster_control_plane_audit_logging_enabled
+ - aws_elastic_beanstalk_environment_logs_to_cloudwatch
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_elb_classic_lb_desync_mitigation_mode
+ - aws_gatewayv2_stage_access_logging_enabled
+ - aws_neptune_db_cluster_audit_logging_enabled
+ - aws_networkfirewall_firewall_logging_enabled
+ - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+ - aws_rds_db_cluster_events_subscription
+ - aws_rds_db_instance_events_subscription
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_parameter_group_events_subscription
+ - aws_rds_db_security_group_events_subscription
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_route53_zone_query_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_sfn_state_machine_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
index e51def06f..5099e021d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
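Review bot: `aws_elb_classic_lb_desync_mitigation_mode` and `aws_apigateway_rest_api_stage_xray_tracing_enabled` appear in a `controls` list whose requirement is that execution events are logged, yet by their names neither is a logging control — one is an HTTP desync-mitigation setting, the other a tracing toggle. The same 32-entry list is duplicated verbatim under ml_2_5_11 ("Privileged access events are logged") in a later hunk, where only the CloudTrail entries plausibly bear on privileged access. Consider dropping the two out-of-scope entries here and trimming the 2.5.11 list to the audit-trail controls, or add a comment above each list explaining why the full logging set is intended, e.g. `# broad logging baseline; no execution-event-specific control exists for AWS`.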
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_2
-Title: 'ACSC-EE-ML2-2: Patch operating systems ML2'
-Description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
-SectionCode: "2"
-Children:
- - aws_acsc_essential_eight_ml_2_2_5
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_2
+ title: "ACSC-EE-ML2-2: Patch operating systems ML2"
+ description: An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_2_2_5
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
index a0e0cbda3..35d45bd8d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_2_5.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_2_5
-Title: 'ACSC-EE-ML2-2.5: Patch applications ML2'
-Description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_2_5
+ title: "ACSC-EE-ML2-2.5: Patch applications ML2"
+ description: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
index 4b57ff8f9..c451929df 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5.yaml
@@ -1,18 +1,23 @@
-ID: aws_acsc_essential_eight_ml_2_5
-Title: 'ACSC-EE-ML2-5: Restrict administrative privileges ML2'
-Description: Requests for privileged access to systems and applications are validated when first requested.
-SectionCode: "5"
-Children:
- - aws_acsc_essential_eight_ml_2_5_2
- - aws_acsc_essential_eight_ml_2_5_3
- - aws_acsc_essential_eight_ml_2_5_4
- - aws_acsc_essential_eight_ml_2_5_5
- - aws_acsc_essential_eight_ml_2_5_6
- - aws_acsc_essential_eight_ml_2_5_7
- - aws_acsc_essential_eight_ml_2_5_8
- - aws_acsc_essential_eight_ml_2_5_9
- - aws_acsc_essential_eight_ml_2_5_10
- - aws_acsc_essential_eight_ml_2_5_11
- - aws_acsc_essential_eight_ml_2_5_12
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_5
+ title: "ACSC-EE-ML2-5: Restrict administrative privileges ML2"
+ description: Requests for privileged access to systems and applications are validated when first requested.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_2_5_2
+ - id: aws_acsc_essential_eight_ml_2_5_3
+ - id: aws_acsc_essential_eight_ml_2_5_4
+ - id: aws_acsc_essential_eight_ml_2_5_5
+ - id: aws_acsc_essential_eight_ml_2_5_6
+ - id: aws_acsc_essential_eight_ml_2_5_7
+ - id: aws_acsc_essential_eight_ml_2_5_8
+ - id: aws_acsc_essential_eight_ml_2_5_9
+ - id: aws_acsc_essential_eight_ml_2_5_10
+ - id: aws_acsc_essential_eight_ml_2_5_11
+ - id: aws_acsc_essential_eight_ml_2_5_12
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
index 5ebdb4b76..b2878031d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_10.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_2_5_10
-Title: 'ACSC-EE-ML2-5.10: Restrict administrative privileges ML2'
-Description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_5_10
+ title: "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2"
+ description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
index 6b645835f..1d6743d2b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_11.yaml
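Review bot: The requirement in this hunk is that administrator and service-account credentials are long, unique, unpredictable and managed, but none of the listed control names speaks to credential length, uniqueness or rotation; `aws_iam_root_user_no_access_keys` is the closest, and the remainder (privileged-mode, non-root container, KMS-action and `aws_iam_policy_no_star_star` checks) restrict privilege rather than govern credentials. If the project has IAM password-policy or access-key-age controls they belong here; if not, a comment above the list such as `# no credential-strength control mapped yet; entries below restrict privilege only` would stop the group from reading as coverage of 5.10.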
@@ -1,39 +1,44 @@ -ID: aws_acsc_essential_eight_ml_2_5_11 -Title: 'ACSC-EE-ML2-5.11: Restrict administrative privileges ML2' -Description: Privileged access events are logged. -SectionCode: "11" -Children: [] -Controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_appsync_graphql_api_field_level_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_dms_replication_task_source_database_logging_enabled - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ecs_task_definition_logging_enabled - - aws_eks_cluster_control_plane_audit_logging_enabled - - aws_elastic_beanstalk_environment_logs_to_cloudwatch - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_gatewayv2_stage_access_logging_enabled - - aws_neptune_db_cluster_audit_logging_enabled - - aws_networkfirewall_firewall_logging_enabled - - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled - - aws_rds_db_cluster_events_subscription - - aws_rds_db_instance_events_subscription - - aws_rds_db_instance_logging_enabled - - aws_rds_db_parameter_group_events_subscription - - aws_rds_db_security_group_events_subscription - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_route53_zone_query_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_sfn_state_machine_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_11 + title: "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2" + description: Privileged access events are logged. 
+ section-code: "11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml index f5da22e61..b96d38cb5 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml 
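Review bot: Judging by their ids, `aws_elb_classic_lb_desync_mitigation_mode` and `aws_apigateway_rest_api_stage_xray_tracing_enabled` are not log-source controls — the first is a request-parsing hardening setting and the second is tracing telemetry — so they sit oddly in a group whose requirement is "Privileged access events are logged". The identical list is reused for 5.12 ("Privileged account and group management events are logged") in the next hunk, so the same question applies there. If they are intentional, a short comment above `controls:` explaining the mapping rationale would help; otherwise dropping the two ids would leave a list that is clearly about audit/access logging (CloudTrail, VPC flow logs, service access logs).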
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_12.yaml 
@@ -1,39 +1,44 @@ -ID: aws_acsc_essential_eight_ml_2_5_12 -Title: 'ACSC-EE-ML2-5.12: Restrict administrative privileges ML2' -Description: Privileged account and group management events are logged. -SectionCode: "12" -Children: [] -Controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_appsync_graphql_api_field_level_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_dms_replication_task_source_database_logging_enabled - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ecs_task_definition_logging_enabled - - aws_eks_cluster_control_plane_audit_logging_enabled - - aws_elastic_beanstalk_environment_logs_to_cloudwatch - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_gatewayv2_stage_access_logging_enabled - - aws_neptune_db_cluster_audit_logging_enabled - - aws_networkfirewall_firewall_logging_enabled - - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled - - aws_rds_db_cluster_events_subscription - - aws_rds_db_instance_events_subscription - - aws_rds_db_instance_logging_enabled - - aws_rds_db_parameter_group_events_subscription - - aws_rds_db_security_group_events_subscription - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_route53_zone_query_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_sfn_state_machine_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_12 + title: "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2" + description: Privileged account and group management events are logged. 
+ section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml index 3e395a93c..af62d01f8 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml 
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_2.yaml 
@@ -1,32 +1,37 @@ -ID: aws_acsc_essential_eight_ml_2_5_2 -Title: 'ACSC-EE-ML2-5.2: Restrict administrative privileges ML2' -Description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. -SectionCode: "2" -Children: [] -Controls: - - aws_account_part_of_organizations - - aws_backup_recovery_point_manual_deletion_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_neptune_db_cluster_iam_authentication_enabled - - aws_opensearch_domain_fine_grained_access_enabled - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_sagemaker_notebook_instance_root_access_disabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_2 + title: "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2" + description: Privileged access to systems and applications is automatically disabled after 12 months unless revalidated. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_account_part_of_organizations + - aws_backup_recovery_point_manual_deletion_disabled + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_neptune_db_cluster_iam_authentication_enabled + - aws_opensearch_domain_fine_grained_access_enabled + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_acls_should_prohibit_user_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_sagemaker_notebook_instance_root_access_disabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml index be011628c..81f18c55e 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_3.yaml 
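Review bot: The requirement here is time-based ("automatically disabled after 12 months unless revalidated"), but, going by the ids, every control in the list is a static policy or configuration check; only `aws_iam_policy_unused` looks at usage at all, and none appears to evaluate credential age or last-use. The 45-day-inactivity group (5.3) in the following hunk reuses this exact list, so neither group actually measures its stated interval. If the repository has an IAM credentials-unused or access-key-age control, it belongs in both groups; if not, a comment above `controls:` noting that these are best-available proxies would keep the mapping honest for anyone reading compliance results.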
@@ -1,32 +1,37 @@ -ID: aws_acsc_essential_eight_ml_2_5_3 -Title: 'ACSC-EE-ML2-5.3: Restrict administrative privileges ML2' -Description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity. -SectionCode: "3" -Children: [] -Controls: - - aws_account_part_of_organizations - - aws_backup_recovery_point_manual_deletion_disabled - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_user_role_no_inline_policies - - aws_iam_managed_policy_attached_to_role - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_neptune_db_cluster_iam_authentication_enabled - - aws_opensearch_domain_fine_grained_access_enabled - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_acls_should_prohibit_user_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_sagemaker_notebook_instance_root_access_disabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_3 + title: "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2" + description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_account_part_of_organizations + - aws_backup_recovery_point_manual_deletion_disabled + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_user_role_no_inline_policies + - aws_iam_managed_policy_attached_to_role + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_policy_unused + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_neptune_db_cluster_iam_authentication_enabled + - aws_opensearch_domain_fine_grained_access_enabled + - aws_rds_db_cluster_iam_authentication_enabled + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_acls_should_prohibit_user_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_sagemaker_notebook_instance_root_access_disabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml index 22d8fa7fd..554cc1e3a 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_4.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_2_5_4 -Title: 'ACSC-EE-ML2-5.4: Restrict administrative privileges ML2' -Description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services. -SectionCode: "4" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_4 + title: "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2" + description: Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml index 2c03d6934..dc246e5d2 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml 
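Review bot: The control list for "Privileged accounts ... are prevented from accessing the internet, email and web services" is the same nine ids used for 5.10 (credential management), and none of them refers to network egress, proxying or security-group rules, which is what this requirement is about. This looks like a copy of a generic "privilege" bundle rather than a mapping to the requirement text. If no egress-restriction control exists in the repository, a comment above `controls:` saying the mapping is indirect would be better than implying coverage.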
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_5.yaml 
@@ -1,20 +1,25 @@ -ID: aws_acsc_essential_eight_ml_2_5_5 -Title: 'ACSC-EE-ML2-5.5: Restrict administrative privileges ML2' -Description: Privileged users use separate privileged and unprivileged operating environments. -SectionCode: "5" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_5 + title: "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2" + description: Privileged users use separate privileged and unprivileged operating environments. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml index fc083befd..35c5d7fbb 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_6.yaml 
@@ -1,20 +1,25 @@ -ID: aws_acsc_essential_eight_ml_2_5_6 -Title: 'ACSC-EE-ML2-5.6: Restrict administrative privileges ML2' -Description: Privileged operating environments are not virtualised within unprivileged operating environments. -SectionCode: "6" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_6 + title: "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2" + description: Privileged operating environments are not virtualised within unprivileged operating environments. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml index 10363ad97..7671cf05c 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_7.yaml @@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_5_7 -Title: 'ACSC-EE-ML2-5.7: Restrict administrative privileges ML2' -Description: Unprivileged accounts cannot logon to privileged operating environments. -SectionCode: "7" -Children: [] -Controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_7 + title: "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2" + description: Unprivileged accounts cannot logon to privileged operating environments. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml index d27533e09..c2fff8305 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_8.yaml 
@@ -1,20 +1,25 @@ -ID: aws_acsc_essential_eight_ml_2_5_8 -Title: 'ACSC-EE-ML2-5.8: Restrict administrative privileges ML2' -Description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. -SectionCode: "8" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_non_privileged - - aws_ecs_task_definition_no_root_user - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_sagemaker_notebook_instance_root_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_8 + title: "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2" + description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_non_privileged + - aws_ecs_task_definition_no_root_user + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_sagemaker_notebook_instance_root_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all 
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml index 8da35e585..0f1476da8 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_5_9.yaml @@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_5_9 -Title: 'ACSC-EE-ML2-5.9: Restrict administrative privileges ML2' -Description: Unprivileged accounts cannot logon to privileged operating environments. -SectionCode: "9" -Children: [] -Controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_5_9 + title: "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2" + description: Unprivileged accounts cannot logon to privileged operating environments. + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml index fe0822024..177af41d7 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6.yaml 
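Review bot: 5.9's `description` ("Unprivileged accounts cannot logon to privileged operating environments.") and its five-item `controls` list are byte-identical to 5.7 two hunks earlier, so the two groups are indistinguishable except by `id`/`section-code`. In the Essential Eight ML2 list the restrict-administrative-privileges requirements are distinct, so 5.9 most likely never received its own description text; the migration carried the duplicate forward unchanged. Either give 5.9 its proper requirement text and controls, or add a comment above `description:` stating that the duplication is deliberate.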
@@ -1,13 +1,18 @@
-ID: aws_acsc_essential_eight_ml_2_6
-Title: 'ACSC-EE-ML2-6: Multi-factor authentication ML2'
-Description: Multi-factor authentication is enabled for all users and administrators.
-SectionCode: "6"
-Children:
- - aws_acsc_essential_eight_ml_2_6_2
- - aws_acsc_essential_eight_ml_2_6_3
- - aws_acsc_essential_eight_ml_2_6_4
- - aws_acsc_essential_eight_ml_2_6_5
- - aws_acsc_essential_eight_ml_2_6_6
- - aws_acsc_essential_eight_ml_2_6_7
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_6
+ title: "ACSC-EE-ML2-6: Multi-factor authentication ML2"
+ description: Multi-factor authentication is enabled for all users and administrators.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_2_6_2
+ - id: aws_acsc_essential_eight_ml_2_6_3
+ - id: aws_acsc_essential_eight_ml_2_6_4
+ - id: aws_acsc_essential_eight_ml_2_6_5
+ - id: aws_acsc_essential_eight_ml_2_6_6
+ - id: aws_acsc_essential_eight_ml_2_6_7
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
index c976d6276..99bab9382 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_2.yaml
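Review bot: The group's `title` ("ACSC-EE-ML2-6: Multi-factor authentication ML2") and `description` do not match its children: 6.2 through 6.5 in the following hunks are all titled "Patch operating systems ML2", describe vulnerability scanning and patch timelines, and reference scan/upgrade controls. One side is wrong, and since the children agree with each other and with their control lists, the parent is the likely culprit; the fix would be `title: "ACSC-EE-ML2-6: Patch operating systems ML2"` with a matching description, unless the children were meant to move under a different group. The old side had the same mismatch, so the migration carried it forward rather than introducing it.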
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_6_2
-Title: 'ACSC-EE-ML2-6.2: Patch operating systems ML2'
-Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_6_2
+ title: "ACSC-EE-ML2-6.2: Patch operating systems ML2"
+ description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
index 25450aea7..d4459da7b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_3.yaml
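Review bot: `aws_ecr_repository_image_scan_on_push_enabled` is the only control here and in 6.3 and 6.4 in the next two hunks, yet by its id it covers container images at push time only, while 6.3 asks for at-least-daily scanning of internet-facing operating systems and 6.4 for weekly scanning of workstations, servers and network devices. A single image-registry setting cannot evidence either cadence, so a passing result would overstate coverage. 6.5 already references `aws_ssm_managed_instance_compliance_patch_compliant`, which is the closer fit for instance-level OS coverage; consider adding it (or an instance scanning control if the repository has one) to 6.3 and 6.4, or comment above `controls:` that the mapping is partial.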
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_6_3
-Title: 'ACSC-EE-ML2-6.3: Patch operating systems ML2'
-Description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_6_3
+ title: "ACSC-EE-ML2-6.3: Patch operating systems ML2"
+ description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
index 78f052411..4d05e0ffa 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_4.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_2_6_4
-Title: 'ACSC-EE-ML2-6.4: Patch operating systems ML2'
-Description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_6_4
+ title: "ACSC-EE-ML2-6.4: Patch operating systems ML2"
+ description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
index 3da6c71c5..21babff7c 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_5.yaml
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_2_6_5 -Title: 'ACSC-EE-ML2-6.5: Patch operating systems ML2' -Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. -SectionCode: "5" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_6_5 + title: "ACSC-EE-ML2-6.5: Patch operating systems ML2" + description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
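Review bot: None of the mapped controls can evidence the "within two weeks, or within 48 hours if an exploit exists" deadline in `description:`; they test whether auto-upgrade is switched on or a resource is on the latest version, not how long a known vulnerability remained unpatched, and most of them (ElastiCache and RDS minor-version upgrade, Lambda runtime, OpenSearch service software, Redshift maintenance) concern managed-service engine versions rather than operating systems. The one instance-OS check is `aws_ssm_managed_instance_compliance_patch_compliant`, and it says nothing about the 48-hour clock for exploited vulnerabilities. I'd record that in the file so a green group is not read as proof of the SLA: `# Configuration evidence only (auto-upgrade / latest); patch latency against the 2-week and 48-hour deadlines must come from patch-baseline or ticketing data.` Also `auto-assign: null` should be an explicit `false` if the field is boolean.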
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml index d2aac1b1b..ceddd8d16 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_6.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_2_6_6 -Title: 'ACSC-EE-ML2-6.6: Patch operating systems ML2' -Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. -SectionCode: "6" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_6_6 + title: "ACSC-EE-ML2-6.6: Patch operating systems ML2" + description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
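Review bot: The `controls:` list is byte-identical to 6.5's although 6.6 has a different scope (workstations, servers and network devices, two-week deadline, no internet-facing criterion), so every finding will be reported twice and nothing distinguishes the internet-facing population that 6.5 is about. None of the nine controls can observe workstations or network devices either; whether the catalog has a WorkSpaces or patch-baseline control I can't tell from the diff. At minimum the duplication should be made deliberate with a comment such as `# Same control set as 6.5: AWS config cannot separate internet-facing from internal hosts; scope is applied at reporting time.`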
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml index 100864143..563b9e68b 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_6_7.yaml 
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_2_6_7 -Title: 'ACSC-EE-ML2-6.7: Patch operating systems ML2' -Description: Operating systems that are no longer supported by vendors are replaced. -SectionCode: "7" -Children: [] -Controls: - - aws_ecs_service_fargate_using_latest_platform_version - - aws_eks_cluster_with_latest_kubernetes_version - - aws_elastic_beanstalk_environment_managed_updates_enabled - - aws_elasticache_cluster_auto_minor_version_upgrade_enabled - - aws_lambda_function_use_latest_runtime - - aws_opensearch_domain_updated_with_latest_service_software_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_6_7 + title: "ACSC-EE-ML2-6.7: Patch operating systems ML2" + description: Operating systems that are no longer supported by vendors are replaced. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ecs_service_fargate_using_latest_platform_version + - aws_eks_cluster_with_latest_kubernetes_version + - aws_elastic_beanstalk_environment_managed_updates_enabled + - aws_elasticache_cluster_auto_minor_version_upgrade_enabled + - aws_lambda_function_use_latest_runtime + - aws_opensearch_domain_updated_with_latest_service_software_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml index 5eb6f5ffa..cacb63330 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml 
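Review bot: The `description:` is about replacing operating systems that are no longer vendor-supported, but the mapped controls test for the *latest* version (`aws_eks_cluster_with_latest_kubernetes_version`, `aws_lambda_function_use_latest_runtime`, `aws_ecs_service_fargate_using_latest_platform_version`), which is a stricter bar: a cluster on a supported but not newest Kubernetes release fails this group although 6.7 is met. The auto-minor-version-upgrade and managed-update controls do not test end-of-life status at all. If the catalog has end-of-support or deprecated-runtime checks those are the right mapping; otherwise note the over-reporting: `# Proxy mapping: 'latest version' checks over-report; 6.7 only requires unsupported (EOL) versions to be replaced.`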
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7.yaml @@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_7 -Title: 'ACSC-EE-ML2-7: Application control ML2' -Description: Allowed and blocked execution events on workstations and internet-facing servers are logged. -SectionCode: "7" -Children: - - aws_acsc_essential_eight_ml_2_7_1 - - aws_acsc_essential_eight_ml_2_7_4 - - aws_acsc_essential_eight_ml_2_7_5 - - aws_acsc_essential_eight_ml_2_7_6 - - aws_acsc_essential_eight_ml_2_7_7 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7 + title: "ACSC-EE-ML2-7: Application control ML2" + description: Allowed and blocked execution events on workstations and internet-facing servers are logged. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_2_7_1 + - id: aws_acsc_essential_eight_ml_2_7_4 + - id: aws_acsc_essential_eight_ml_2_7_5 + - id: aws_acsc_essential_eight_ml_2_7_6 + - id: aws_acsc_essential_eight_ml_2_7_7 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml index c7ac1e352..b9234d93e 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_1.yaml 
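Review bot: The parent group's `title:` ("Application control ML2") and `description:` ("Allowed and blocked execution events ... are logged") do not describe its children, which are all titled "Multi-factor authentication ML2" in the 7.1 and 7.4–7.7 hunks below; in the Essential Eight numbering strategy 7 is multi-factor authentication, so this looks like text carried over from the wrong strategy that the migration preserved. I'd change the two lines to `title: "ACSC-EE-ML2-7: Multi-factor authentication ML2"` and a description summarising the MFA requirement the children spell out. 7.2 and 7.3 are absent from `control-group:`; if that is because they have no AWS-checkable control, a one-line comment saying so would stop the next reader treating it as an omission.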
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_7_1 -Title: 'ACSC-EE-ML2-7.1: Multi-factor authentication ML2' -Description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7_1 + title: "ACSC-EE-ML2-7.1: Multi-factor authentication ML2" + description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml index 7aa7916cc..c78fc6dbc 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_4.yaml 
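Review bot: `aws_s3_bucket_mfa_delete_enabled` is an authorisation control on S3 object-version deletion, not evidence that users authenticate to internet-facing services with MFA, so it should be dropped from `controls:` here (the same line recurs in 7.4, 7.5 and 7.6). The four IAM controls only see IAM users and the root user; organisations whose people sign in through IAM Identity Center or SAML federation get no coverage from them, which deserves a comment above `controls:` such as `# IAM-user scope only: federated / Identity Center sign-in MFA must be evidenced at the IdP.` `auto-assign: null` — prefer an explicit `false`.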
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_7_4 -Title: 'ACSC-EE-ML2-7.4: Multi-factor authentication ML2' -Description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services. -SectionCode: "4" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7_4 + title: "ACSC-EE-ML2-7.4: Multi-factor authentication ML2" + description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml index 09f2fb5fa..bf29da464 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_5.yaml 
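Review bot: 7.4 concerns *non-organisational* users of the organisation's internet-facing services, but every mapped control is about IAM users or the root user, i.e. organisational identities, so none of them can show that MFA is enabled by default for external users. If the catalog has a Cognito user-pool MFA control that is the correct mapping; if not, the honest mapping is `controls: []` with a comment that the requirement is evidenced elsewhere, e.g. `# Not measurable from IAM: external-user MFA lives in the application / Cognito configuration.` `aws_s3_bucket_mfa_delete_enabled` is not user authentication and should go.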
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_7_5 -Title: 'ACSC-EE-ML2-7.5: Multi-factor authentication ML2' -Description: Multi-factor authentication is used to authenticate privileged users of systems. -SectionCode: "5" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7_5 + title: "ACSC-EE-ML2-7.5: Multi-factor authentication ML2" + description: Multi-factor authentication is used to authenticate privileged users of systems. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml index 7e48ac651..9189d5c7e 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_6.yaml 
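Review bot: The two root-user MFA checks fit 7.5 well, but `aws_iam_user_mfa_enabled` and `aws_iam_user_console_access_mfa_enabled` evaluate every IAM user regardless of privilege, so the group fails on an unprivileged user without MFA even though 7.5 only requires it for privileged users — acceptable as a deliberately stricter bar, but say so: `# Stricter than 7.5: the user-level MFA checks apply to all IAM users, not only privileged ones.` `aws_s3_bucket_mfa_delete_enabled` authenticates nobody and should be removed here as well.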
@@ -1,12 +1,17 @@ -ID: aws_acsc_essential_eight_ml_2_7_6 -Title: 'ACSC-EE-ML2-7.6: Multi-factor authentication ML2' -Description: 'Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.' -SectionCode: "6" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled - - aws_s3_bucket_mfa_delete_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7_6 + title: "ACSC-EE-ML2-7.6: Multi-factor authentication ML2" + description: "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are." + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled + - aws_s3_bucket_mfa_delete_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml index 2d505c5a3..fda5a707b 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_7_7.yaml 
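Review bot: 7.6 is about the *kind* of factors (possession plus knowledge, or possession unlocked by knowledge/inherence), and only `aws_iam_root_user_hardware_mfa_enabled` says anything about factor type; `aws_iam_user_mfa_enabled` is satisfied by any registered device and cannot tell a hardware key from a virtual TOTP app, although either paired with a password does meet the wording. A comment would keep that honest: `# Factor-type evidence is limited to the root hardware-MFA check; per-user device type is not assessed.` Drop `aws_s3_bucket_mfa_delete_enabled`, which has nothing to do with authentication factors.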
@@ -1,39 +1,44 @@ -ID: aws_acsc_essential_eight_ml_2_7_7 -Title: 'ACSC-EE-ML2-7.7: Multi-factor authentication ML2' -Description: Successful and unsuccessful multi-factor authentication events are logged. -SectionCode: "7" -Children: [] -Controls: - - aws_apigateway_rest_api_stage_xray_tracing_enabled - - aws_apigateway_stage_logging_enabled - - aws_appsync_graphql_api_field_level_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_codebuild_project_logging_enabled - - aws_dms_replication_task_source_database_logging_enabled - - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled - - aws_ecs_task_definition_logging_enabled - - aws_eks_cluster_control_plane_audit_logging_enabled - - aws_elastic_beanstalk_environment_logs_to_cloudwatch - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_gatewayv2_stage_access_logging_enabled - - aws_neptune_db_cluster_audit_logging_enabled - - aws_networkfirewall_firewall_logging_enabled - - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled - - aws_rds_db_cluster_events_subscription - - aws_rds_db_instance_events_subscription - - aws_rds_db_instance_logging_enabled - - aws_rds_db_parameter_group_events_subscription - - aws_rds_db_security_group_events_subscription - - aws_redshift_cluster_audit_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_route53_zone_query_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_sfn_state_machine_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_7_7 + title: "ACSC-EE-ML2-7.7: Multi-factor authentication ML2" + description: Successful and unsuccessful multi-factor authentication events are logged. 
+ section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_rest_api_stage_xray_tracing_enabled + - aws_apigateway_stage_logging_enabled + - aws_appsync_graphql_api_field_level_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_codebuild_project_logging_enabled + - aws_dms_replication_task_source_database_logging_enabled + - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled + - aws_ecs_task_definition_logging_enabled + - aws_eks_cluster_control_plane_audit_logging_enabled + - aws_elastic_beanstalk_environment_logs_to_cloudwatch + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_gatewayv2_stage_access_logging_enabled + - aws_neptune_db_cluster_audit_logging_enabled + - aws_networkfirewall_firewall_logging_enabled + - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled + - aws_rds_db_cluster_events_subscription + - aws_rds_db_instance_events_subscription + - aws_rds_db_instance_logging_enabled + - aws_rds_db_parameter_group_events_subscription + - aws_rds_db_security_group_events_subscription + - aws_redshift_cluster_audit_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_route53_zone_query_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_sfn_state_machine_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml index a40121e2a..f6dd10c2c 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml 
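Review bot: The requirement is that successful and unsuccessful MFA events are logged, yet `controls:` is a generic logging catalogue: Route 53 query logs, VPC flow logs, Step Functions, DMS, CodeBuild and X-Ray tracing record nothing about authentication, and `aws_elb_classic_lb_desync_mitigation_mode` is not a logging control at all. The lines that bear on this requirement are the CloudTrail ones (`aws_cloudtrail_trail_enabled`, `aws_cloudtrail_multi_region_trail_enabled`), CloudTrail being where console sign-in events, including whether MFA was used, are recorded as far as I know; I'd reduce the list to those plus whatever the catalog has for Identity Center or Cognito sign-in logging, so a failing S3 access-log check does not surface as an MFA-logging failure. Once someone flips `enabled: false` on, thirty-odd unrelated checks under this heading will produce findings an auditor has to explain away.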
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8.yaml @@ -1,14 +1,19 @@ -ID: aws_acsc_essential_eight_ml_2_8 -Title: 'ACSC-EE-ML2-8: Daily backups ML2' -Description: Backups are taken daily and retained for at least 7 days. -SectionCode: "8" -Children: - - aws_acsc_essential_eight_ml_2_8_1 - - aws_acsc_essential_eight_ml_2_8_2 - - aws_acsc_essential_eight_ml_2_8_3 - - aws_acsc_essential_eight_ml_2_8_5 - - aws_acsc_essential_eight_ml_2_8_6 - - aws_acsc_essential_eight_ml_2_8_7 - - aws_acsc_essential_eight_ml_2_8_8 -Controls: [] -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_8 + title: "ACSC-EE-ML2-8: Daily backups ML2" + description: Backups are taken daily and retained for at least 7 days. + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_acsc_essential_eight_ml_2_8_1 + - id: aws_acsc_essential_eight_ml_2_8_2 + - id: aws_acsc_essential_eight_ml_2_8_3 + - id: aws_acsc_essential_eight_ml_2_8_5 + - id: aws_acsc_essential_eight_ml_2_8_6 + - id: aws_acsc_essential_eight_ml_2_8_7 + - id: aws_acsc_essential_eight_ml_2_8_8 diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml index 2a2965175..46da354d0 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_1.yaml 
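Review bot: The parent `title:` "Daily backups ML2" and `description:` "Backups are taken daily and retained for at least 7 days" state a requirement its children do not: 8.1 below defers frequency and retention to business-continuity requirements, and the children's controls test 35-, 15- and 7-day minimums, so the parent text reads as a stricter, unsourced bar. I'd align it with the children — `title: "ACSC-EE-ML2-8: Regular backups ML2"` and a description taken from 8.1. 8.4 is missing from `control-group:`; if that is because restoration testing cannot be read from configuration, a short comment saying so would help.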
@@ -1,27 +1,32 @@ -ID: aws_acsc_essential_eight_ml_2_8_1 -Title: 'ACSC-EE-ML2-8.1: Regular backups ML2' -Description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. -SectionCode: "1" -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_min_retention_35_days - - aws_docdb_cluster_backup_retention_period_7_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_neptune_db_cluster_automated_backup_enabled - - aws_rds_db_cluster_aurora_backtracking_enabled - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_8_1 + title: "ACSC-EE-ML2-8.1: Regular backups ML2" + description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_min_retention_35_days + - aws_docdb_cluster_backup_retention_period_7_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_neptune_db_cluster_automated_backup_enabled + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml index 6e6de5d53..fe41c0d2f 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_2.yaml 
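Review bot: The mapped retention thresholds disagree with each other — `aws_backup_plan_min_retention_35_days`, `aws_elasticache_redis_cluster_automatic_backup_retention_15_days`, `aws_docdb_cluster_backup_retention_period_7_days`, `aws_redshift_cluster_automatic_snapshots_min_7_days` — while 8.1 itself sets no number and defers to business-continuity requirements, so a 14-day AWS Backup plan that fully meets the organisation's BCP fails this group. Worth recording above `controls:` that the numbers are the catalog's, not the standard's: `# Retention minimums (35/15/7 days) are control defaults, not ACSC-mandated; tune to the BCP.` `aws_rds_db_cluster_aurora_backtracking_enabled` is an in-place rewind feature rather than a backup and sits oddly in a backup-evidence group.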
@@ -1,27 +1,32 @@ -ID: aws_acsc_essential_eight_ml_2_8_2 -Title: 'ACSC-EE-ML2-8.2: Regular backups ML2' -Description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. -SectionCode: "2" -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_min_retention_35_days - - aws_docdb_cluster_backup_retention_period_7_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_neptune_db_cluster_automated_backup_enabled - - aws_rds_db_cluster_aurora_backtracking_enabled - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_8_2 + title: "ACSC-EE-ML2-8.2: Regular backups ML2" + description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_min_retention_35_days + - aws_docdb_cluster_backup_retention_period_7_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_neptune_db_cluster_automated_backup_enabled + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml index 170382845..04fe9e78b 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_3.yaml 
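Review bot: 8.2 is about backups being synchronised so data, software and configuration restore to a common point in time, and none of the listed controls test that — the list is identical to 8.1's existence/retention set, so every finding here duplicates 8.1 and says nothing about consistency. The point-in-time controls (`aws_dynamodb_table_point_in_time_recovery_enabled`, `aws_rds_db_cluster_aurora_backtracking_enabled`) are the closest fit and could stand alone with a caveat: `# Only PITR-style controls approximate 'common point in time'; cross-resource consistency is a process control.`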
@@ -1,27 +1,32 @@ -ID: aws_acsc_essential_eight_ml_2_8_3 -Title: 'ACSC-EE-ML2-8.3: Regular backups ML2' -Description: Backups of important data, software and configuration settings are retained in a secure and resilient manner. -SectionCode: "3" -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_min_retention_35_days - - aws_docdb_cluster_backup_retention_period_7_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_neptune_db_cluster_automated_backup_enabled - - aws_rds_db_cluster_aurora_backtracking_enabled - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_8_3 + title: "ACSC-EE-ML2-8.3: Regular backups ML2" + description: Backups of important data, software and configuration settings are retained in a secure and resilient manner. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_min_retention_35_days + - aws_docdb_cluster_backup_retention_period_7_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_neptune_db_cluster_automated_backup_enabled + - aws_rds_db_cluster_aurora_backtracking_enabled + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml index 3d17a353a..f65043deb 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_5.yaml 
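Review bot: "Retained in a secure and resilient manner" is about protecting the backups themselves (restricted access, immutability, copies elsewhere), but `controls:` is again the 8.1 existence/retention set and contains nothing on vault access policies, vault lock, encryption of recovery points or cross-region copies. The closest control visible in this diff is `aws_backup_recovery_point_manual_deletion_disabled`, which the 8.6 hunk maps instead of this one. If the catalog has backup-vault encryption, lock or cross-region controls they belong here; otherwise add `# Gap: no control here verifies immutability, encryption or off-site copy of backups.`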
@@ -1,16 +1,21 @@ -ID: aws_acsc_essential_eight_ml_2_8_5 -Title: 'ACSC-EE-ML2-8.5: Regular backups ML2' -Description: Unprivileged accounts cannot access backups belonging to other accounts. -SectionCode: "5" -Children: [] -Controls: - - aws_codebuild_project_source_repo_oauth_configured - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_container_readonly_root_filesystem - - aws_eventbridge_custom_bus_resource_based_policy_attached - - aws_iam_user_in_group - - aws_opensearch_domain_fine_grained_access_enabled - - aws_s3_bucket_policy_restricts_cross_account_permission_changes - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_acsc_essential_eight_ml_2_8_5 + title: "ACSC-EE-ML2-8.5: Regular backups ML2" + description: Unprivileged accounts cannot access backups belonging to other accounts. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_source_repo_oauth_configured + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_container_readonly_root_filesystem + - aws_eventbridge_custom_bus_resource_based_policy_attached + - aws_iam_user_in_group + - aws_opensearch_domain_fine_grained_access_enabled + - aws_s3_bucket_policy_restricts_cross_account_permission_changes + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml index 7bfe0caab..76ed3539c 100755 --- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml +++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_6.yaml 
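Review bot: None of the nine controls concern who can read backups: CodeBuild OAuth, EC2 instance profiles, ECS read-only root filesystems, SSM association compliance and an SSH ingress rule have no relation to backup access, so a security group open on port 22 would be reported as an 8.5 backup-isolation failure. The only arguably related line is `aws_s3_bucket_policy_restricts_cross_account_permission_changes`. I'd cut the list to controls on snapshot and vault resource policies — `aws_ebs_snapshot_not_publicly_restorable` and `aws_rds_db_snapshot_prohibit_public_access` from the 8.6 hunk are the kind of check that fits — and note in a comment that isolation of unprivileged users from other accounts' backups is shown by IAM policy review, not by these checks.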
@@ -1,37 +1,42 @@
-ID: aws_acsc_essential_eight_ml_2_8_6
-Title: 'ACSC-EE-ML2-8.6: Regular backups ML2'
-Description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_8_6
+ title: "ACSC-EE-ML2-8.6: Regular backups ML2"
+ description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_cloudtrail_bucket_not_public
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_account_public_access_blocked
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_lambda_function_restrict_public_access
+ - aws_neptune_db_cluster_snapshot_prohibit_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_access_point_restrict_public_access
+ - aws_s3_bucket_mfa_delete_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
index d747cdba7..e0769e225 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_7.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_2_8_7
-Title: 'ACSC-EE-ML2-8.7: Regular backups ML2'
-Description: Unprivileged accounts are prevented from modifying and deleting backups.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_8_7
+ title: "ACSC-EE-ML2-8.7: Regular backups ML2"
+ description: Unprivileged accounts are prevented from modifying and deleting backups.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml
index 2e6bee8dd..f6845f445 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml
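Review bot: The `controls` list under ml_2_8_7 is byte-for-byte the same as the one under ml_2_8_5 in this change, although 8.7 asserts that unprivileged accounts cannot modify or delete backups while 8.5 is about read access, and none of the nine checks listed (IAM profile attachment, SSH ingress, read-only root filesystem, OAuth source config, and so on) constrains deletion of a backup. The privileged-account counterpart 8.8 in this same change carries `aws_backup_recovery_point_manual_deletion_disabled` and `aws_s3_bucket_mfa_delete_enabled`, which are the checks that evidence this requirement; adding `- aws_backup_recovery_point_manual_deletion_disabled` and `- aws_s3_bucket_mfa_delete_enabled` here would make the mapping defensible. The control set is carried over from the old format rather than introduced by this commit, so this can be a follow-up if the conversion is meant to be behaviour-neutral.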
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_2_8_8.yaml 
@@ -1,37 +1,42 @@
-ID: aws_acsc_essential_eight_ml_2_8_8
-Title: 'ACSC-EE-ML2-8.8: Regular backups ML2'
-Description: Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_2_8_8
+ title: "ACSC-EE-ML2-8.8: Regular backups ML2"
+ description: Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_cloudtrail_bucket_not_public
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_account_public_access_blocked
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_lambda_function_restrict_public_access
+ - aws_neptune_db_cluster_snapshot_prohibit_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_access_point_restrict_public_access
+ - aws_s3_bucket_mfa_delete_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
index 449356255..a250c9b3e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3
-Title: ACSC Essential Eight Maturity Level 3
-Description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
-SectionCode: ml_3
-Children:
- - aws_acsc_essential_eight_ml_3_1
- - aws_acsc_essential_eight_ml_3_2
- - aws_acsc_essential_eight_ml_3_4
- - aws_acsc_essential_eight_ml_3_5
- - aws_acsc_essential_eight_ml_3_6
- - aws_acsc_essential_eight_ml_3_7
- - aws_acsc_essential_eight_ml_3_8
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3
+ title: ACSC Essential Eight Maturity Level 3
+ description: The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries.
+ section-code: ml_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_1
+ - id: aws_acsc_essential_eight_ml_3_2
+ - id: aws_acsc_essential_eight_ml_3_4
+ - id: aws_acsc_essential_eight_ml_3_5
+ - id: aws_acsc_essential_eight_ml_3_6
+ - id: aws_acsc_essential_eight_ml_3_7
+ - id: aws_acsc_essential_eight_ml_3_8
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
index 6a1d3dfd8..9ab4fb701 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1.yaml
@@ -1,10 +1,15 @@
-ID: aws_acsc_essential_eight_ml_3_1
-Title: 'ACSC-EE-ML3-1: Application control ML3'
-Description: Application control is implemented on workstations and servers.
-SectionCode: "1"
-Children:
- - aws_acsc_essential_eight_ml_3_1_6
- - aws_acsc_essential_eight_ml_3_1_7
- - aws_acsc_essential_eight_ml_3_1_8
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_1
+ title: "ACSC-EE-ML3-1: Application control ML3"
+ description: Application control is implemented on workstations and servers.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_1_6
+ - id: aws_acsc_essential_eight_ml_3_1_7
+ - id: aws_acsc_essential_eight_ml_3_1_8
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
index b99be8d9d..f755db3d9 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_6.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_1_6
-Title: 'ACSC-EE-ML3-1.6: Application control ML3'
-Description: Allowed and blocked execution events on workstations and servers are centrally logged.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_1_6
+ title: "ACSC-EE-ML3-1.6: Application control ML3"
+ description: Allowed and blocked execution events on workstations and servers are centrally logged.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_es_domain_audit_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
index 2352e5f23..410a7fe02 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_7.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_1_7
-Title: 'ACSC-EE-ML3-1.7: Application control ML3'
-Description: Event logs are protected from unauthorised modification and deletion.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_1_7
+ title: "ACSC-EE-ML3-1.7: Application control ML3"
+ description: Event logs are protected from unauthorised modification and deletion.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_bucket_not_public
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
index 6adb5ecd4..9bcbd0884 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_1_8.yaml
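Review bot: The ml_3_1_7 requirement is that event logs are protected from unauthorised modification and deletion, but the `controls` list only evidences that the trail exists, is encrypted, has log-file validation on, and that its bucket is not public; nothing in it evidences that the stored log objects cannot be deleted. `aws_s3_bucket_mfa_delete_enabled`, which this same change uses under ml_2_8_6 and ml_2_8_8, is the closest existing check for the deletion half of the requirement, so `- aws_s3_bucket_mfa_delete_enabled` belongs here as well. Validation (`aws_cloudtrail_trail_validation_enabled`) detects tampering after the fact; it does not prevent it, which is worth a short comment above `controls:` so the partial coverage is visible to whoever assesses against this group.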
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_1_8
-Title: 'ACSC-EE-ML3-1.8: Application control ML3'
-Description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_1_8
+ title: "ACSC-EE-ML3-1.8: Application control ML3"
+ description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
+ - aws_securityhub_enabled
+ - aws_sns_topic_notification_delivery_status_enabled
+ - aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
index 87abefd91..1643e6c08 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2.yaml
@@ -1,9 +1,14 @@
-ID: aws_acsc_essential_eight_ml_3_2
-Title: 'ACSC-EE-ML3-2: Patch applications ML3'
-Description: All workstations and servers have the latest security-relevant patches applied.
-SectionCode: "2"
-Children:
- - aws_acsc_essential_eight_ml_3_2_2
- - aws_acsc_essential_eight_ml_3_2_9
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_2
+ title: "ACSC-EE-ML3-2: Patch applications ML3"
+ description: All workstations and servers have the latest security-relevant patches applied.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_2_2
+ - id: aws_acsc_essential_eight_ml_3_2_9
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
index 49c1879a6..dc9a68137 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_3_2_2
-Title: 'ACSC-EE-ML3-2.2: Patch applications ML3'
-Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_2_2
+ title: "ACSC-EE-ML3-2.2: Patch applications ML3"
+ description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
index 315616769..d341350fd 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_2_9.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_2_9
-Title: 'ACSC-EE-ML3-2.9: Patch applications ML3'
-Description: Applications that are no longer supported by vendors are removed.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_2_9
+ title: "ACSC-EE-ML3-2.9: Patch applications ML3"
+ description: Applications that are no longer supported by vendors are removed.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
index 99d394159..6c70ef75f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
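Review bot: The ml_3_2_9 requirement is that applications no longer supported by vendors are removed, but most of the `controls` listed only evidence that an auto-upgrade or managed-update setting is switched on (ElastiCache, RDS, Beanstalk, Redshift maintenance window), which says nothing about whether the currently deployed version is still supported. Of the nine, only `aws_lambda_function_use_latest_runtime`, `aws_eks_cluster_with_latest_kubernetes_version` and `aws_opensearch_domain_updated_with_latest_service_software_version` appear to fail on a stale version itself, and even those test "latest", not "still supported". Since the mapping is inherited rather than introduced here, the cheap fix is to make the coverage gap visible with a comment above `controls:`, e.g. `# partial coverage: these checks evidence version currency / auto-update settings, not removal of end-of-life software`.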
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_3_4
-Title: 'ACSC-EE-ML3-4: User application hardening ML3'
-Description: Web browsers do not process Java from the internet.
-SectionCode: "4"
-Children:
- - aws_acsc_essential_eight_ml_3_4_18
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_4
+ title: "ACSC-EE-ML3-4: User application hardening ML3"
+ description: Web browsers do not process Java from the internet.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_4_18
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
index 55d313ff2..ec4827ca0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_4_18.yaml
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_4_18
-Title: 'ACSC-EE-ML3-4.18: User application hardening ML3'
-Description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
-SectionCode: "18"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_4_18
+ title: "ACSC-EE-ML3-4.18: User application hardening ML3"
+ description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+ section-code: "18"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
+ - aws_securityhub_enabled
+ - aws_sns_topic_notification_delivery_status_enabled
+ - aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
index 5d04484d3..82272aff2 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5.yaml
@@ -1,21 +1,26 @@
-ID: aws_acsc_essential_eight_ml_3_5
-Title: 'ACSC-EE-ML3-5: Restrict administrative privileges ML3'
-Description: Requests for privileged access to systems and applications are validated when first requested.
-SectionCode: "5"
-Children:
- - aws_acsc_essential_eight_ml_3_5_2
- - aws_acsc_essential_eight_ml_3_5_3
- - aws_acsc_essential_eight_ml_3_5_4
- - aws_acsc_essential_eight_ml_3_5_5
- - aws_acsc_essential_eight_ml_3_5_6
- - aws_acsc_essential_eight_ml_3_5_7
- - aws_acsc_essential_eight_ml_3_5_8
- - aws_acsc_essential_eight_ml_3_5_9
- - aws_acsc_essential_eight_ml_3_5_11
- - aws_acsc_essential_eight_ml_3_5_12
- - aws_acsc_essential_eight_ml_3_5_14
- - aws_acsc_essential_eight_ml_3_5_15
- - aws_acsc_essential_eight_ml_3_5_16
- - aws_acsc_essential_eight_ml_3_5_17
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5
+ title: "ACSC-EE-ML3-5: Restrict administrative privileges ML3"
+ description: Requests for privileged access to systems and applications are validated when first requested.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_5_2
+ - id: aws_acsc_essential_eight_ml_3_5_3
+ - id: aws_acsc_essential_eight_ml_3_5_4
+ - id: aws_acsc_essential_eight_ml_3_5_5
+ - id: aws_acsc_essential_eight_ml_3_5_6
+ - id: aws_acsc_essential_eight_ml_3_5_7
+ - id: aws_acsc_essential_eight_ml_3_5_8
+ - id: aws_acsc_essential_eight_ml_3_5_9
+ - id: aws_acsc_essential_eight_ml_3_5_11
+ - id: aws_acsc_essential_eight_ml_3_5_12
+ - id: aws_acsc_essential_eight_ml_3_5_14
+ - id: aws_acsc_essential_eight_ml_3_5_15
+ - id: aws_acsc_essential_eight_ml_3_5_16
+ - id: aws_acsc_essential_eight_ml_3_5_17
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
index 1609bbf46..93fa2056f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_11.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_5_11
-Title: 'ACSC-EE-ML3-5.11: Restrict administrative privileges ML3'
-Description: Administrative activities are conducted through jump servers.
-SectionCode: "11"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_11
+ title: "ACSC-EE-ML3-5.11: Restrict administrative privileges ML3"
+ description: Administrative activities are conducted through jump servers.
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
index 055d7fab4..2b953e305 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_12.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_5_12
-Title: 'ACSC-EE-ML3-5.12: Restrict administrative privileges ML3'
-Description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
-SectionCode: "12"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_12
+ title: "ACSC-EE-ML3-5.12: Restrict administrative privileges ML3"
+ description: Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
index 39251d07d..24ba9535d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_14.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_5_14
-Title: 'ACSC-EE-ML3-5.14: Restrict administrative privileges ML3'
-Description: Privileged access events are centrally logged.
-SectionCode: "14"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_14
+ title: "ACSC-EE-ML3-5.14: Restrict administrative privileges ML3"
+ description: Privileged access events are centrally logged.
+ section-code: "14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_es_domain_audit_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
index 0d6332686..d266d5296 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_15.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_5_15
-Title: 'ACSC-EE-ML3-5.15: Restrict administrative privileges ML3'
-Description: Privileged account and group management events are centrally logged.
-SectionCode: "15"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_15
+ title: "ACSC-EE-ML3-5.15: Restrict administrative privileges ML3"
+ description: Privileged account and group management events are centrally logged.
+ section-code: "15"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_es_domain_audit_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
index f52d3a9c8..c7b13aeb3 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_16.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_5_16
-Title: 'ACSC-EE-ML3-5.16: Restrict administrative privileges ML3'
-Description: Event logs are protected from unauthorised modification and deletion.
-SectionCode: "16"
-Children: []
-Controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_16
+ title: "ACSC-EE-ML3-5.16: Restrict administrative privileges ML3"
+ description: Event logs are protected from unauthorised modification and deletion.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_bucket_not_public
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
index 747448189..81567063d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_17.yaml
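Review bot: 5.16 is about protecting event logs from unauthorised modification and deletion, but none of the seven controls addresses deletion of the trail's log store: `aws_cloudtrail_trail_validation_enabled` detects tampering after the fact, and the public-access and encryption checks do not stop a principal with write access from removing objects or the log group. If the repository has controls for bucket versioning, object lock or MFA-delete on the CloudTrail bucket and for log-group retention, they belong in this list; otherwise a comment above `controls:` such as `# partial coverage: no control for log deletion protection` would record the gap. The mapping predates this commit; the point concerns the new-side content.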
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_5_17
-Title: 'ACSC-EE-ML3-5.17: Restrict administrative privileges ML3'
-Description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
-SectionCode: "17"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_17
+ title: "ACSC-EE-ML3-5.17: Restrict administrative privileges ML3"
+ description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
+ - aws_securityhub_enabled
+ - aws_sns_topic_notification_delivery_status_enabled
+ - aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
index 119754d76..b7de7ddf0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_2.yaml
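Review bot: Several controls in this group are performance telemetry rather than security-event monitoring: `aws_apigateway_rest_api_stage_xray_tracing_enabled` and `aws_ec2_instance_detailed_monitoring_enabled` turn on tracing and CloudWatch metrics, and judging by its name `aws_wafv2_rule_group_logging_enabled` produces logs rather than monitoring them. 5.17 asks that event logs be monitored for signs of compromise and actioned, which the metric-filter, Security Hub and alarm-action controls cover; the telemetry controls dilute the result and would fail an otherwise compliant account for reasons unrelated to the requirement. The hunk begins on the previous line.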
@@ -1,32 +1,37 @@
-ID: aws_acsc_essential_eight_ml_3_5_2
-Title: 'ACSC-EE-ML3-5.2: Restrict administrative privileges ML3'
-Description: Privileged access is restricted to the minimum number of people required.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_2
+ title: "ACSC-EE-ML3-5.2: Restrict administrative privileges ML3"
+ description: Privileged access is restricted to the minimum number of people required.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_account_part_of_organizations
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_no_inline_attached_policies
+ - aws_neptune_db_cluster_iam_authentication_enabled
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_rds_db_cluster_iam_authentication_enabled
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_s3_bucket_acls_should_prohibit_user_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
index 33a10e600..737ae21d1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_3.yaml
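Review bot: This 25-control list is reused verbatim for 5.3 in the next hunk, and two of its entries, `aws_account_part_of_organizations` and `aws_backup_recovery_point_manual_deletion_disabled`, do not judging by their names bear on limiting privileged access to the minimum number of people. If the intent is a shared privilege baseline, a comment above `controls:` such as `# privilege baseline shared with 5.3` would make the duplication deliberate rather than a copy-paste artefact. The hunk begins on the previous line.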
@@ -1,32 +1,37 @@
-ID: aws_acsc_essential_eight_ml_3_5_3
-Title: 'ACSC-EE-ML3-5.3: Restrict administrative privileges ML3'
-Description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_3
+ title: "ACSC-EE-ML3-5.3: Restrict administrative privileges ML3"
+ description: Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_account_part_of_organizations
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_no_inline_attached_policies
+ - aws_neptune_db_cluster_iam_authentication_enabled
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_rds_db_cluster_iam_authentication_enabled
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_s3_bucket_acls_should_prohibit_user_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
index b8eeb4ce3..a87cf047d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_4.yaml
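Review bot: 5.3 is a time-based requirement (privileged access automatically disabled after 45 days of inactivity) and none of the listed controls evaluates credential or principal inactivity; `aws_iam_policy_unused`, judging by its name, concerns unattached policies rather than dormant users or roles. As written the group passes or fails on exactly the same evidence as 5.2 and never on the inactivity condition it describes. If the repository has a control for unused credentials or stale access keys it belongs here; otherwise a comment above `controls:` such as `# 45-day inactivity condition not evidenced by any control` should record the gap. The hunk begins on the previous line.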
@@ -1,11 +1,16 @@
-ID: aws_acsc_essential_eight_ml_3_5_4
-Title: 'ACSC-EE-ML3-5.4: Restrict administrative privileges ML3'
-Description: Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_4
+ title: "ACSC-EE-ML3-5.4: Restrict administrative privileges ML3"
+ description: Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
index 72a0f20e9..ecd7fd681 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_5.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_5_5
-Title: 'ACSC-EE-ML3-5.5: Restrict administrative privileges ML3'
-Description: Privileged accounts are prevented from accessing the internet, email and web services.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_5
+ title: "ACSC-EE-ML3-5.5: Restrict administrative privileges ML3"
+ description: Privileged accounts are prevented from accessing the internet, email and web services.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
index 4be58fdc5..f50d934fe 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_6.yaml
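Review bot: 5.5 requires privileged accounts to be prevented from reaching the internet, email and web services, but the nine controls here are the same privileged-mode, root-key and policy-wildcard checks used for 5.12 earlier in this diff, and none of them concerns egress restriction for privileged principals. A pass on this group therefore does not evidence the requirement; either add network or egress controls, or record the gap with a comment above `controls:` such as `# partial coverage: no control for privileged-account egress restriction`.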
@@ -1,20 +1,25 @@
-ID: aws_acsc_essential_eight_ml_3_5_6
-Title: 'ACSC-EE-ML3-5.6: Restrict administrative privileges ML3'
-Description: Privileged users use separate privileged and unprivileged operating environments.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_6
+ title: "ACSC-EE-ML3-5.6: Restrict administrative privileges ML3"
+ description: Privileged users use separate privileged and unprivileged operating environments.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
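Review bot: The same 13-control list appears here and verbatim in the 5.7 and 5.9 hunks that follow, while the three requirements differ (separate privileged and unprivileged environments, no virtualisation of privileged environments inside unprivileged ones, privileged accounts unable to log on to unprivileged environments). 5.7 in particular concerns host and hypervisor placement, which none of the listed controls evaluates judging by their names. Where the gap is accepted, a comment above `controls:` such as `# shared baseline for 5.6/5.7/5.9; host placement (5.7) not evidenced` would stop the duplication from reading as a copy-paste error.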
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
index 1b13a7932..7a61ddc4b 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_7.yaml
@@ -1,20 +1,25 @@
-ID: aws_acsc_essential_eight_ml_3_5_7
-Title: 'ACSC-EE-ML3-5.7: Restrict administrative privileges ML3'
-Description: Privileged operating environments are not virtualised within unprivileged operating environments.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_7
+ title: "ACSC-EE-ML3-5.7: Restrict administrative privileges ML3"
+ description: Privileged operating environments are not virtualised within unprivileged operating environments.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
index 8c63f9e05..9e4db7ca1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_8.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_5_8
-Title: 'ACSC-EE-ML3-5.8: Restrict administrative privileges ML3'
-Description: Unprivileged accounts cannot logon to privileged operating environments.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_8
+ title: "ACSC-EE-ML3-5.8: Restrict administrative privileges ML3"
+ description: Unprivileged accounts cannot logon to privileged operating environments.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
index 6baffecb3..9b41f9b78 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_5_9.yaml
@@ -1,20 +1,25 @@
-ID: aws_acsc_essential_eight_ml_3_5_9
-Title: 'ACSC-EE-ML3-5.9: Restrict administrative privileges ML3'
-Description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_no_root_user
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_5_9
+ title: "ACSC-EE-ML3-5.9: Restrict administrative privileges ML3"
+ description: Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_no_root_user
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
index ad486044a..a855631d4 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_6
-Title: 'ACSC-EE-ML3-6: Patch operating systems ML3'
-Description: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
-SectionCode: "6"
-Children:
- - aws_acsc_essential_eight_ml_3_6_2
- - aws_acsc_essential_eight_ml_3_6_3
- - aws_acsc_essential_eight_ml_3_6_4
- - aws_acsc_essential_eight_ml_3_6_5
- - aws_acsc_essential_eight_ml_3_6_6
- - aws_acsc_essential_eight_ml_3_6_7
- - aws_acsc_essential_eight_ml_3_6_8
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6
+ title: "ACSC-EE-ML3-6: Patch operating systems ML3"
+ description: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_6_2
+ - id: aws_acsc_essential_eight_ml_3_6_3
+ - id: aws_acsc_essential_eight_ml_3_6_4
+ - id: aws_acsc_essential_eight_ml_3_6_5
+ - id: aws_acsc_essential_eight_ml_3_6_6
+ - id: aws_acsc_essential_eight_ml_3_6_7
+ - id: aws_acsc_essential_eight_ml_3_6_8
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
index 4af3c6e85..0243af5ed 100755
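Review bot: The description on this parent group reads like the first sub-requirement of strategy 6 (automated asset discovery at least fortnightly) rather than a summary of "Patch operating systems", and the child list starts at `aws_acsc_essential_eight_ml_3_6_2` with no 6.1 group. If 6.1 was deliberately folded into the parent, a comment above `description:` such as `# 6.1 (asset discovery) is carried by this group; no separate child` would make that explicit; otherwise the description should summarise the strategy and 6.1 should get its own child group. `auto-assign: null` here also differs from the framework-level `auto-assign: false` set elsewhere in this change.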
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_3_6_2
-Title: 'ACSC-EE-ML3-6.2: Patch operating systems ML3'
-Description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_2
+ title: "ACSC-EE-ML3-6.2: Patch operating systems ML3"
+ description: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
index 25bd16416..dde00a72f 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_3.yaml
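Review bot: 6.2 (a vulnerability scanner with an up-to-date database) is evidenced by a single control, `aws_ecr_repository_image_scan_on_push_enabled`, which covers container images only; EC2 instances, Lambda functions and other OS-bearing resources are not touched by it. The same single control is reused for 6.3 and 6.4 in the next two hunks, whose requirements (daily scanning of internet-facing operating systems, weekly scanning of workstations, servers and network devices) are broader still. If the repository has an Amazon Inspector or host-scanning control it should be added to all three; otherwise a comment above `controls:` such as `# partial coverage: container images only` is warranted.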
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_3_6_3
-Title: 'ACSC-EE-ML3-6.3: Patch operating systems ML3'
-Description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_3
+ title: "ACSC-EE-ML3-6.3: Patch operating systems ML3"
+ description: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
index bc73c51dd..4d9ca9809 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_4.yaml
@@ -1,8 +1,13 @@
-ID: aws_acsc_essential_eight_ml_3_6_4
-Title: 'ACSC-EE-ML3-6.4: Patch operating systems ML3'
-Description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_4
+ title: "ACSC-EE-ML3-6.4: Patch operating systems ML3"
+ description: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
index e0247e416..636188578 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_5.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_6_5
-Title: 'ACSC-EE-ML3-6.5: Patch operating systems ML3'
-Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_5
+ title: "ACSC-EE-ML3-6.5: Patch operating systems ML3"
+ description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
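Review bot: The same nine controls are mapped here and in the ml_3_6_6, ml_3_6_7 and ml_3_6_8 hunks although the four requirements differ (a two-week/48-hour patch SLA for internet-facing systems, the same SLA for workstations, servers and network devices, running only the current or previous OS release, and replacing unsupported operating systems). Most of the listed controls only confirm that automatic minor-version upgrades or managed updates are switched on, which does not evidence a patch being applied within 48 hours of a known exploit; `aws_ssm_managed_instance_compliance_patch_compliant` appears to be the only one reporting actual patch state, and none of them speaks to an OS being out of vendor support. A comment above `controls:` in each group saying which part of the requirement the list is taken to evidence, or trimming the list per group, would stop the four groups from reporting identical results for different obligations.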
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
index 54a644681..d0873ad78 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_6.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_6_6
-Title: 'ACSC-EE-ML3-6.6: Patch operating systems ML3'
-Description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_6
+ title: "ACSC-EE-ML3-6.6: Patch operating systems ML3"
+ description: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
index c6e780896..f54bea7a0 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_7.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_6_7
-Title: 'ACSC-EE-ML3-6.7: Patch operating systems ML3'
-Description: The latest release, or the previous release, of operating systems are used.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_7
+ title: "ACSC-EE-ML3-6.7: Patch operating systems ML3"
+ description: The latest release, or the previous release, of operating systems are used.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
index 9be90d706..3becfc91e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_6_8.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_6_8
-Title: 'ACSC-EE-ML3-6.8: Patch operating systems ML3'
-Description: Operating systems that are no longer supported by vendors are replaced.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_eks_cluster_with_latest_kubernetes_version
- - aws_elastic_beanstalk_environment_managed_updates_enabled
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_opensearch_domain_updated_with_latest_service_software_version
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_6_8
+ title: "ACSC-EE-ML3-6.8: Patch operating systems ML3"
+ description: Operating systems that are no longer supported by vendors are replaced.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_eks_cluster_with_latest_kubernetes_version
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_opensearch_domain_updated_with_latest_service_software_version
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
index 86c5867d0..ab12f6102 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7.yaml
@@ -1,17 +1,22 @@
-ID: aws_acsc_essential_eight_ml_3_7
-Title: 'ACSC-EE-ML3-7: Restrict administrative privileges ML3'
-Description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
-SectionCode: "7"
-Children:
- - aws_acsc_essential_eight_ml_3_7_1
- - aws_acsc_essential_eight_ml_3_7_2
- - aws_acsc_essential_eight_ml_3_7_3
- - aws_acsc_essential_eight_ml_3_7_4
- - aws_acsc_essential_eight_ml_3_7_5
- - aws_acsc_essential_eight_ml_3_7_6
- - aws_acsc_essential_eight_ml_3_7_7
- - aws_acsc_essential_eight_ml_3_7_8
- - aws_acsc_essential_eight_ml_3_7_9
- - aws_acsc_essential_eight_ml_3_7_10
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7
+ title: "ACSC-EE-ML3-7: Restrict administrative privileges ML3"
+ description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_7_1
+ - id: aws_acsc_essential_eight_ml_3_7_2
+ - id: aws_acsc_essential_eight_ml_3_7_3
+ - id: aws_acsc_essential_eight_ml_3_7_4
+ - id: aws_acsc_essential_eight_ml_3_7_5
+ - id: aws_acsc_essential_eight_ml_3_7_6
+ - id: aws_acsc_essential_eight_ml_3_7_7
+ - id: aws_acsc_essential_eight_ml_3_7_8
+ - id: aws_acsc_essential_eight_ml_3_7_9
+ - id: aws_acsc_essential_eight_ml_3_7_10
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
index 9f9ce71f9..aafcecaf1 100755
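Review bot: The group title `ACSC-EE-ML3-7: Restrict administrative privileges ML3` does not match its own content: the description is about multi-factor authentication and all ten children listed under `control-group:` are titled `Multi-factor authentication ML3`. Either the title should read `title: "ACSC-EE-ML3-7: Multi-factor authentication ML3"` or the description and children belong under a different strategy. The mismatch is carried over from the old file, so the migration only preserves it, but it is worth correcting while every line of the file is being rewritten anyway.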
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_1.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_1
-Title: 'ACSC-EE-ML3-7.1: Multi-factor authentication ML3'
-Description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_1
+ title: "ACSC-EE-ML3-7.1: Multi-factor authentication ML3"
+ description: Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
index fffcacc56..7e0f06953 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_10.yaml
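Review bot: `aws_s3_bucket_mfa_delete_enabled` is listed as evidence that users authenticate with MFA here and in the ml_3_7_2 through ml_3_7_7 hunks, but MFA Delete is a bucket-level guard against deleting object versions, not a user-authentication control, so it will raise findings on buckets unrelated to the requirement. It is a closer fit for the ml_3_7_9 group (event logs protected from unauthorised modification and deletion, where the CloudTrail bucket is what needs protecting); I would move it there, or add a comment above `controls:` explaining why it is counted as MFA-authentication evidence. The remaining four controls appear to cover the root user and IAM users only, so a note in the description that federated identities are not checked by these controls would help whoever reads the report.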
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_7_10
-Title: 'ACSC-EE-ML3-7.10: Multi-factor authentication ML3'
-Description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_securityhub_enabled
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_wafv2_rule_group_logging_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_10
+ title: "ACSC-EE-ML3-7.10: Multi-factor authentication ML3"
+ description: Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
+ - aws_securityhub_enabled
+ - aws_sns_topic_notification_delivery_status_enabled
+ - aws_wafv2_rule_group_logging_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
index 180aa2eed..29352de47 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_2.yaml
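Review bot: `aws_apigateway_rest_api_stage_xray_tracing_enabled` and `aws_ec2_instance_detailed_monitoring_enabled` sit under a requirement about monitoring event logs for signs of compromise, but X-Ray tracing and detailed CloudWatch instance metrics are performance telemetry rather than security-event monitoring, so their findings will not say anything about whether signs of compromise are detected or actioned. The metric-filter, Security Hub, SNS delivery-status and WAF logging controls do fit the requirement; I would drop the two telemetry controls, or add a comment above `controls:` stating why they are counted. The hunk for this group starts in the line above.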
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_2
-Title: 'ACSC-EE-ML3-7.2: Multi-factor authentication ML3'
-Description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_2
+ title: "ACSC-EE-ML3-7.2: Multi-factor authentication ML3"
+ description: Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
index 39825d340..21ddfc7f1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_3.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_3
-Title: 'ACSC-EE-ML3-7.3: Multi-factor authentication ML3'
-Description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_3
+ title: "ACSC-EE-ML3-7.3: Multi-factor authentication ML3"
+ description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
index b60fb9890..2537dfa54 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_4.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_4
-Title: 'ACSC-EE-ML3-7.4: Multi-factor authentication ML3'
-Description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_4
+ title: "ACSC-EE-ML3-7.4: Multi-factor authentication ML3"
+ description: Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
index fa145d9ef..b1f707cfc 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_5.yaml
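Review bot: The `description:` of this group is byte-identical to the ml_3_7_3 description (MFA enabled by default for non-organisational users, with opt-out), so two section codes now state the same requirement and whatever 7.4 is meant to carry is absent from the framework. The surrounding sequence (7.5 privileged users, 7.6 important data repositories, 7.7 phishing-resistant MFA) suggests one entry was pasted over another rather than 7.4 genuinely repeating 7.3; please check 7.4's wording against the ACSC source text instead of keeping the duplicate, and if it really is intentional, say so in a comment above `description:`.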
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_5
-Title: 'ACSC-EE-ML3-7.5: Multi-factor authentication ML3'
-Description: Multi-factor authentication is used to authenticate privileged users of systems.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_5
+ title: "ACSC-EE-ML3-7.5: Multi-factor authentication ML3"
+ description: Multi-factor authentication is used to authenticate privileged users of systems.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
index 72a4eefb9..58544d9a1 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_6.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_6
-Title: 'ACSC-EE-ML3-7.6: Multi-factor authentication ML3'
-Description: Multi-factor authentication is used to authenticate users accessing important data repositories.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_6
+ title: "ACSC-EE-ML3-7.6: Multi-factor authentication ML3"
+ description: Multi-factor authentication is used to authenticate users accessing important data repositories.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
index 9ae86f21c..a18156959 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_7.yaml
@@ -1,12 +1,17 @@
-ID: aws_acsc_essential_eight_ml_3_7_7
-Title: 'ACSC-EE-ML3-7.7: Multi-factor authentication ML3'
-Description: 'Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are.'
-SectionCode: "7"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_s3_bucket_mfa_delete_enabled
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_7
+ title: "ACSC-EE-ML3-7.7: Multi-factor authentication ML3"
+ description: "Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_s3_bucket_mfa_delete_enabled
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
index a7896ef2a..392287678 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_8.yaml
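Review bot: This group requires MFA to be phishing-resistant, yet its `controls:` list is the same five IAM/S3 MFA-enabled checks used by 7.1 through 7.6, and only `aws_iam_root_user_hardware_mfa_enabled` distinguishes a hardware factor from a software one; the other checks pass on any MFA device, including ones that are not phishing-resistant. I would keep just the hardware-MFA control here, or add a comment above `controls:` that the list evidences MFA presence only and that factor type is not verified, so the report does not overstate coverage of the phishing-resistance requirement.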
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_7_8
-Title: 'ACSC-EE-ML3-7.8: Multi-factor authentication ML3'
-Description: Successful and unsuccessful multi-factor authentication events are centrally logged.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_8
+ title: "ACSC-EE-ML3-7.8: Multi-factor authentication ML3"
+ description: Successful and unsuccessful multi-factor authentication events are centrally logged.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_es_domain_audit_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
index 6d80d1950..77349891d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_7_9.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_7_9
-Title: 'ACSC-EE-ML3-7.9: Multi-factor authentication ML3'
-Description: Event logs are protected from unauthorised modification and deletion.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_s3_public_access_block_bucket
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_7_9
+ title: "ACSC-EE-ML3-7.9: Multi-factor authentication ML3"
+ description: Event logs are protected from unauthorised modification and deletion.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_bucket_not_public
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_s3_public_access_block_bucket
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
index a4e45ac7b..3eb8ff086 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8.yaml
@@ -1,14 +1,19 @@
-ID: aws_acsc_essential_eight_ml_3_8
-Title: 'ACSC-EE-ML3-8: Regular backups ML3'
-Description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
-SectionCode: "8"
-Children:
- - aws_acsc_essential_eight_ml_3_8_1
- - aws_acsc_essential_eight_ml_3_8_2
- - aws_acsc_essential_eight_ml_3_8_3
- - aws_acsc_essential_eight_ml_3_8_5
- - aws_acsc_essential_eight_ml_3_8_6
- - aws_acsc_essential_eight_ml_3_8_7
- - aws_acsc_essential_eight_ml_3_8_8
-Controls: []
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8
+ title: "ACSC-EE-ML3-8: Regular backups ML3"
+ description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_acsc_essential_eight_ml_3_8_1
+ - id: aws_acsc_essential_eight_ml_3_8_2
+ - id: aws_acsc_essential_eight_ml_3_8_3
+ - id: aws_acsc_essential_eight_ml_3_8_5
+ - id: aws_acsc_essential_eight_ml_3_8_6
+ - id: aws_acsc_essential_eight_ml_3_8_7
+ - id: aws_acsc_essential_eight_ml_3_8_8
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
index 29401b115..204801f90 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_1.yaml
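Review bot: The nested `control-group:` list jumps from `aws_acsc_essential_eight_ml_3_8_3` to `aws_acsc_essential_eight_ml_3_8_5`, so section 8.4 has no group in this framework and the gap is not explained. If it is deliberate because no AWS control maps to that requirement, a comment such as `# 8.4 intentionally omitted: no mappable AWS control` above the list would stop the gap from reading as a dropped entry; if not, the missing child should be added in the same `- id:` form. The old file had the same gap, so this is pre-existing rather than introduced by the migration.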
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_8_1
-Title: 'ACSC-EE-ML3-8.1: Regular backups ML3'
-Description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_1
+ title: "ACSC-EE-ML3-8.1: Regular backups ML3"
+ description: Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
index 431e03520..c12969be6 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_2.yaml
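Review bot: The retention thresholds baked into the mapped controls disagree with each other (`aws_backup_plan_min_retention_35_days` and `aws_backup_recovery_point_min_retention_35_days` require 35 days, `aws_docdb_cluster_backup_retention_period_7_days` and `aws_redshift_cluster_automatic_snapshots_min_7_days` accept 7, `aws_elasticache_redis_cluster_automatic_backup_retention_15_days` 15), while the requirement itself says retention is "in accordance with business continuity requirements" and sets no fixed number. A comment above `controls:` stating that the per-service thresholds are the tool's defaults and not an ACSC-prescribed retention period would stop auditors treating a 7-day pass here as equivalent to a 35-day pass. This hunk starts in the line above; the same list is reused in the ml_3_8_2 hunk below.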
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_8_2
-Title: 'ACSC-EE-ML3-8.2: Regular backups ML3'
-Description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_2
+ title: "ACSC-EE-ML3-8.2: Regular backups ML3"
+ description: Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
index 1c55ae47b..748eb789e 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_3.yaml
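Review bot: The list under `controls:` is the same twenty entries used for ML3-8.1, yet 8.2 asks that backups be synchronised so that restoration reaches a common point in time, which none of these per-resource retention and plan-membership checks can observe. A consumer reading this group will get a pass for 8.2 on the strength of evidence that says nothing about cross-resource alignment. Worth recording that limitation next to the list, e.g. `# NOTE: per-resource checks only; alignment of restore points across resources is not assessed`, so the gap is visible rather than implied.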
@@ -1,27 +1,32 @@
-ID: aws_acsc_essential_eight_ml_3_8_3
-Title: 'ACSC-EE-ML3-8.3: Regular backups ML3'
-Description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_3
+ title: "ACSC-EE-ML3-8.3: Regular backups ML3"
+ description: Backups of important data, software and configuration settings are retained in a secure and resilient manner.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
index e4ed3d61d..47289f61d 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_5.yaml
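Review bot: ML3-8.3 requires backups to be retained in a secure and resilient manner, but the controls mapped here only test retention length and backup-plan membership; nothing in this group checks that recovery points are encrypted or protected from deletion. Both `aws_backup_recovery_point_encryption_enabled` (listed in the aws_all_controls backup group later in this same diff) and `aws_backup_recovery_point_manual_deletion_disabled` (mapped to 8.6 and 8.8 below) already exist in this repository and match the wording directly. Adding `- aws_backup_recovery_point_encryption_enabled` and `- aws_backup_recovery_point_manual_deletion_disabled` under `controls:` would give 8.3 evidence about the backups themselves instead of a copy of the 8.1 list.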
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_8_5
-Title: 'ACSC-EE-ML3-8.5: Regular backups ML3'
-Description: Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_5
+ title: "ACSC-EE-ML3-8.5: Regular backups ML3"
+ description: Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml
index 50ea3bbcc..731cdce89 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml
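Review bot: None of the nine entries under `controls:` evaluates an AWS Backup resource, so a group meant to prove that unprivileged accounts cannot read backups is scored on SSH ingress rules, CodeBuild OAuth settings and SSM compliance associations. `aws_iam_user_in_group` and `aws_s3_bucket_policy_restricts_cross_account_permission_changes` are the only entries that even concern access control, and neither looks at a backup vault or recovery point. If no vault-access-policy control exists in the repository yet, a line such as `# TODO: no control currently inspects backup vault access policies; mapping is indicative only` above `controls:` would be more honest than the present list, and `aws_vpc_security_group_restrict_ingress_ssh_all` could be dropped outright.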
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_6.yaml 
@@ -1,37 +1,42 @@
-ID: aws_acsc_essential_eight_ml_3_8_6
-Title: 'ACSC-EE-ML3-8.6: Regular backups ML3'
-Description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_6
+ title: "ACSC-EE-ML3-8.6: Regular backups ML3"
+ description: Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_cloudtrail_bucket_not_public
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_account_public_access_blocked
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_lambda_function_restrict_public_access
+ - aws_neptune_db_cluster_snapshot_prohibit_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_access_point_restrict_public_access
+ - aws_s3_bucket_mfa_delete_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
index 31f6e0ca1..f44b8b013 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_7.yaml
@@ -1,16 +1,21 @@
-ID: aws_acsc_essential_eight_ml_3_8_7
-Title: 'ACSC-EE-ML3-8.7: Regular backups ML3'
-Description: Unprivileged accounts are prevented from modifying and deleting backups.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_user_in_group
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_7
+ title: "ACSC-EE-ML3-8.7: Regular backups ML3"
+ description: Unprivileged accounts are prevented from modifying and deleting backups.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_user_in_group
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml
index 1f3e2e7fa..087cad44c 100755
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml
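Review bot: `aws_backup_recovery_point_manual_deletion_disabled` is the one control in this diff that speaks directly to preventing backup deletion, and it is missing from this group while being listed for 8.6 and 8.8; the nine controls actually mapped to ML3-8.7 are the same unrelated set used for 8.5, which is about reading backups rather than modifying them. Adding `- aws_backup_recovery_point_manual_deletion_disabled` under `controls:` would give 8.7 at least one piece of backup-specific evidence. `aws_vpc_security_group_restrict_ingress_ssh_all` has no bearing on who may modify or delete a backup and could be removed from this group.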
+++ b/compliance/frameworks/aws/aws_acsc_essential_eight/aws_acsc_essential_eight_ml_3_8_8.yaml 
@@ -1,37 +1,42 @@
-ID: aws_acsc_essential_eight_ml_3_8_8
-Title: 'ACSC-EE-ML3-8.8: Regular backups ML3'
-Description: Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_bucket_not_public
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_no_root_user
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_account_public_access_blocked
- - aws_eventbridge_custom_bus_resource_based_policy_attached
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_lambda_function_restrict_public_access
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_ssm_document_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_acsc_essential_eight_ml_3_8_8
+ title: "ACSC-EE-ML3-8.8: Regular backups ML3"
+ description: Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_cloudtrail_bucket_not_public
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_no_root_user
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_account_public_access_blocked
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_lambda_function_restrict_public_access
+ - aws_neptune_db_cluster_snapshot_prohibit_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_access_point_restrict_public_access
+ - aws_s3_bucket_mfa_delete_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_ssm_document_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_acsc_essential_eight/root.yaml b/compliance/frameworks/aws/aws_acsc_essential_eight/root.yaml
deleted file mode 100755
index fd91d33a2..000000000
--- a/compliance/frameworks/aws/aws_acsc_essential_eight/root.yaml
+++ /dev/null
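Review bot: ML3-8.8 demands that even backup administrators cannot modify or delete backups during retention, which is an immutability requirement, but the only backup-specific entry under `controls:` is `aws_backup_recovery_point_manual_deletion_disabled`; if that control, as its name suggests, reads the vault access policy, an administrator who can rewrite that policy simply removes the deny and the requirement is not met. The other 29 entries are public-exposure, KMS-policy and container-privilege checks that do not bear on backup immutability, and this list is identical to the one for 8.6, whose requirement explicitly exempts backup administrators. A vault-lock style check would be the right evidence; absent one in the repository, a line such as `# NOTE: administrator-proof immutability (vault lock) is not verified by these controls` above `controls:` would keep the group from overstating coverage.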
@@ -1,14 +0,0 @@
-ID: aws_acsc_essential_eight
-Title: Australian Cyber Security Center (ACSC) Essential Eight
-Description: The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents.
-SectionCode: aws_acsc_essential_eight
-Children:
- - aws_acsc_essential_eight_ml_1
- - aws_acsc_essential_eight_ml_2
- - aws_acsc_essential_eight_ml_3
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml
new file mode 100644
index 000000000..817ef430b
--- /dev/null
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls.yaml
@@ -0,0 +1,77 @@
+framework:
+ id: aws_all_controls
+ title: All Controls
+ description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
+ section-code: aws_all_controls
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_all_controls_account
+ - id: aws_all_controls_acm
+ - id: aws_all_controls_apigateway
+ - id: aws_all_controls_appstream
+ - id: aws_all_controls_appsync
+ - id: aws_all_controls_athena
+ - id: aws_all_controls_autoscaling
+ - id: aws_all_controls_backup
+ - id: aws_all_controls_cloudformation
+ - id: aws_all_controls_cloudfront
+ - id: aws_all_controls_cloudtrail
+ - id: aws_all_controls_cloudwatch
+ - id: aws_all_controls_codebuild
+ - id: aws_all_controls_codedeploy
+ - id: aws_all_controls_config
+ - id: aws_all_controls_dax
+ - id: aws_all_controls_directoryservice
+ - id: aws_all_controls_dlm
+ - id: aws_all_controls_dms
+ - id: aws_all_controls_docdb
+ - id: aws_all_controls_drs
+ - id: aws_all_controls_dynamodb
+ - id: aws_all_controls_ebs
+ - id: aws_all_controls_ec2
+ - id: aws_all_controls_ecr
+ - id: aws_all_controls_ecs
+ - id: aws_all_controls_efs
+ - id: aws_all_controls_eks
+ - id: aws_all_controls_elasticache
+ - id: aws_all_controls_elasticbeanstalk
+ - id: aws_all_controls_elb
+ - id: aws_all_controls_emr
+ - id: aws_all_controls_es
+ - id: aws_all_controls_eventbridge
+ - id: aws_all_controls_fsx
+ - id: aws_all_controls_glacier
+ - id: aws_all_controls_glue
+ - id: aws_all_controls_guardduty
+ - id: aws_all_controls_iam
+ - id: aws_all_controls_kinesis
+ - id: aws_all_controls_kms
+ - id: aws_all_controls_lambda
+ - id: aws_all_controls_lightsail
+ - id: aws_all_controls_mq
+ - id: aws_all_controls_msk
+ - id: aws_all_controls_neptune
+ - id: aws_all_controls_networkfirewall
+ - id: aws_all_controls_opensearch
+ - id: aws_all_controls_organization
+ - id: aws_all_controls_pca
+ - id: aws_all_controls_rds
+ - id: aws_all_controls_redshift
+ - id: aws_all_controls_route53
+ - id: aws_all_controls_s3
+ - id: aws_all_controls_sagemaker
+ - id: aws_all_controls_secretsmanager
+ - id: aws_all_controls_securityhub
+ - id: aws_all_controls_sfn
+ - id: aws_all_controls_sns
+ - id: aws_all_controls_sqs
+ - id: aws_all_controls_ssm
+ - id: aws_all_controls_vpc
+ - id: aws_all_controls_waf
+ - id: aws_all_controls_wafv2
+ - id: aws_all_controls_workspaces
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
index 65c1e2c6d..56cbb7572 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_account.yaml
@@ -1,9 +1,14 @@
-ID: aws_all_controls_account
-Title: Account
-Description: This section contains recommendations for configuring Account resources.
-SectionCode: account
-Children: []
-Controls:
- - aws_account_alternate_contact_security_registered
- - aws_account_part_of_organizations
-Tags: {}
+control-group:
+ id: aws_all_controls_account
+ title: Account
+ description: This section contains recommendations for configuring Account resources.
+ section-code: account
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_account_alternate_contact_security_registered
+ - aws_account_part_of_organizations
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
index cb18601b4..3ae7417e0 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_acm.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_acm
-Title: ACM
-Description: This section contains recommendations for configuring ACM resources.
-SectionCode: acm
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_acm_certificate_no_failed_certificate
- - aws_acm_certificate_no_pending_validation_certificate
- - aws_acm_certificate_no_wildcard_domain_name
- - aws_acm_certificate_not_expired
- - aws_acm_certificate_rsa_key_length_2048_bits_or_greater
- - aws_acm_certificate_transparency_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_acm
+ title: ACM
+ description: This section contains recommendations for configuring ACM resources.
+ section-code: acm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_acm_certificate_no_failed_certificate
+ - aws_acm_certificate_no_pending_validation_certificate
+ - aws_acm_certificate_no_wildcard_domain_name
+ - aws_acm_certificate_not_expired
+ - aws_acm_certificate_rsa_key_length_2048_bits_or_greater
+ - aws_acm_certificate_transparency_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
index 9cb68ee87..5ff362597 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_apigateway.yaml
@@ -1,20 +1,25 @@
-ID: aws_all_controls_apigateway
-Title: API Gateway
-Description: This section contains recommendations for configuring API Gateway resources.
-SectionCode: apigateway
-Children: []
-Controls:
- - aws_api_gateway_method_authorization_type_configured
- - aws_api_gateway_method_request_parameter_validated
- - aws_api_gateway_rest_api_public_endpoint_with_authorizer
- - aws_api_gatewayv2_route_authorization_type_configured
- - aws_api_gatewayv2_route_authorizer_configured
- - aws_apigateway_rest_api_authorizers_configured
- - aws_apigateway_rest_api_endpoint_restrict_public_access
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_apigateway_stage_use_waf_web_acl
- - aws_gatewayv2_stage_access_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_apigateway
+ title: API Gateway
+ description: This section contains recommendations for configuring API Gateway resources.
+ section-code: apigateway
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_api_gateway_method_authorization_type_configured
+ - aws_api_gateway_method_request_parameter_validated
+ - aws_api_gateway_rest_api_public_endpoint_with_authorizer
+ - aws_api_gatewayv2_route_authorization_type_configured
+ - aws_api_gatewayv2_route_authorizer_configured
+ - aws_apigateway_rest_api_authorizers_configured
+ - aws_apigateway_rest_api_endpoint_restrict_public_access
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_gatewayv2_stage_access_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
index d74ea9eba..ba65dc491 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appstream.yaml
@@ -1,11 +1,16 @@
-ID: aws_all_controls_appstream
-Title: AppStream
-Description: This section contains recommendations for configuring AppStream resources.
-SectionCode: appstream
-Children: []
-Controls:
- - aws_appstream_fleet_default_internet_access_disabled
- - aws_appstream_fleet_idle_disconnect_timeout_600_seconds
- - aws_appstream_fleet_max_user_duration_36000_seconds
- - aws_appstream_fleet_session_disconnect_timeout_300_seconds
-Tags: {}
+control-group:
+ id: aws_all_controls_appstream
+ title: AppStream
+ description: This section contains recommendations for configuring AppStream resources.
+ section-code: appstream
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_appstream_fleet_default_internet_access_disabled
+ - aws_appstream_fleet_idle_disconnect_timeout_600_seconds
+ - aws_appstream_fleet_max_user_duration_36000_seconds
+ - aws_appstream_fleet_session_disconnect_timeout_300_seconds
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
index 467239668..6a1c9851f 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_appsync.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_appsync
-Title: AppSync
-Description: This section contains recommendations for configuring AppSync resources.
-SectionCode: appsync
-Children: []
-Controls:
- - aws_appsync_graphql_api_field_level_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_appsync
+ title: AppSync
+ description: This section contains recommendations for configuring AppSync resources.
+ section-code: appsync
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_appsync_graphql_api_field_level_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
index 1decc2968..089bfe4da 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_athena.yaml
@@ -1,9 +1,14 @@
-ID: aws_all_controls_athena
-Title: Athena
-Description: This section contains recommendations for configuring Athena resources.
-SectionCode: athena
-Children: []
-Controls:
- - aws_athena_workgroup_encryption_at_rest_enabled
- - aws_athena_workgroup_enforce_configuration_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_athena
+ title: Athena
+ description: This section contains recommendations for configuring Athena resources.
+ section-code: athena
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_athena_workgroup_encryption_at_rest_enabled
+ - aws_athena_workgroup_enforce_configuration_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
index dae5886ae..1542360ea 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_autoscaling.yaml
@@ -1,17 +1,22 @@
-ID: aws_all_controls_autoscaling
-Title: Auto Scaling
-Description: This section contains recommendations for configuring Auto Scaling resources.
-SectionCode: autoscaling
-Children: []
-Controls:
- - aws_autoscaling_ec2_launch_configuration_no_sensitive_data
- - aws_autoscaling_group_multiple_az_configured
- - aws_autoscaling_group_no_suspended_process
- - aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled
- - aws_autoscaling_group_uses_ec2_launch_template
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_autoscaling_launch_config_hop_limit
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_autoscaling_launch_config_requires_imdsv2
- - aws_autoscaling_use_multiple_instance_types_in_multiple_az
-Tags: {}
+control-group:
+ id: aws_all_controls_autoscaling
+ title: Auto Scaling
+ description: This section contains recommendations for configuring Auto Scaling resources.
+ section-code: autoscaling
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_ec2_launch_configuration_no_sensitive_data
+ - aws_autoscaling_group_multiple_az_configured
+ - aws_autoscaling_group_no_suspended_process
+ - aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled
+ - aws_autoscaling_group_uses_ec2_launch_template
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_autoscaling_launch_config_hop_limit
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_autoscaling_launch_config_requires_imdsv2
+ - aws_autoscaling_use_multiple_instance_types_in_multiple_az
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
index 673acf1dd..e64fc6372 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_backup.yaml
@@ -1,13 +1,18 @@
-ID: aws_all_controls_backup
-Title: Backup
-Description: This section contains recommendations for configuring Backup resources.
-SectionCode: backup
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_plan_region_configured
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_backup_vault_region_configured
-Tags: {}
+control-group:
+ id: aws_all_controls_backup
+ title: Backup
+ description: This section contains recommendations for configuring Backup resources.
+ section-code: backup
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_plan_region_configured
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_backup_vault_region_configured
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
index 33fa39c64..bee612735 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudformation.yaml
@@ -1,12 +1,17 @@
-ID: aws_all_controls_cloudformation
-Title: CloudFormation
-Description: This section contains recommendations for configuring CloudFormation resources.
-SectionCode: cloudformation
-Children: []
-Controls:
- - aws_cloudformation_stack_drift_detection_check
- - aws_cloudformation_stack_notifications_enabled
- - aws_cloudformation_stack_output_no_secrets
- - aws_cloudformation_stack_rollback_enabled
- - aws_cloudformation_stack_termination_protection_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_cloudformation
+ title: CloudFormation
+ description: This section contains recommendations for configuring CloudFormation resources.
+ section-code: cloudformation
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudformation_stack_drift_detection_check
+ - aws_cloudformation_stack_notifications_enabled
+ - aws_cloudformation_stack_output_no_secrets
+ - aws_cloudformation_stack_rollback_enabled
+ - aws_cloudformation_stack_termination_protection_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
index bca8bc426..a093a76c8 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudfront.yaml
@@ -1,22 +1,27 @@
-ID: aws_all_controls_cloudfront
-Title: CloudFront
-Description: This section contains recommendations for configuring CloudFront resources.
-SectionCode: cloudfront
-Children: []
-Controls:
- - aws_cloudfront_distribution_configured_with_origin_failover
- - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
- - aws_cloudfront_distribution_default_root_object_configured
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudfront_distribution_field_level_encryption_enabled
- - aws_cloudfront_distribution_geo_restrictions_enabled
- - aws_cloudfront_distribution_latest_tls_version
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudfront_distribution_no_deprecated_ssl_protocol
- - aws_cloudfront_distribution_no_non_existent_s3_origin
- - aws_cloudfront_distribution_origin_access_identity_enabled
- - aws_cloudfront_distribution_sni_enabled
- - aws_cloudfront_distribution_use_custom_ssl_certificate
- - aws_cloudfront_distribution_use_secure_cipher
- - aws_cloudfront_distribution_waf_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_cloudfront
+ title: CloudFront
+ description: This section contains recommendations for configuring CloudFront resources.
+ section-code: cloudfront
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudfront_distribution_configured_with_origin_failover
+ - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+ - aws_cloudfront_distribution_default_root_object_configured
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_cloudfront_distribution_field_level_encryption_enabled
+ - aws_cloudfront_distribution_geo_restrictions_enabled
+ - aws_cloudfront_distribution_latest_tls_version
+ - aws_cloudfront_distribution_logging_enabled
+ - aws_cloudfront_distribution_no_deprecated_ssl_protocol
+ - aws_cloudfront_distribution_no_non_existent_s3_origin
+ - aws_cloudfront_distribution_origin_access_identity_enabled
+ - aws_cloudfront_distribution_sni_enabled
+ - aws_cloudfront_distribution_use_custom_ssl_certificate
+ - aws_cloudfront_distribution_use_secure_cipher
+ - aws_cloudfront_distribution_waf_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
index f14516674..25320d7b4 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudtrail.yaml
@@ -1,23 +1,28 @@
-ID: aws_all_controls_cloudtrail
-Title: CloudTrail
-Description: This section contains recommendations for configuring CloudTrail resources.
-SectionCode: cloudtrail
-Children: []
-Controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_multi_region_read_write_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_multi_region_trail_integrated_with_logs
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_s3_logging_enabled
- - aws_cloudtrail_s3_object_read_events_audit_enabled
- - aws_cloudtrail_s3_object_write_events_audit_enabled
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_bucket_mfa_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_enabled_account
- - aws_cloudtrail_trail_insight_selectors_and_logging_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_cloudtrail
+ title: CloudTrail
+ description: This section contains recommendations for configuring CloudTrail resources.
+ section-code: cloudtrail
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_bucket_not_public
+ - aws_cloudtrail_multi_region_read_write_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_multi_region_trail_integrated_with_logs
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_s3_logging_enabled
+ - aws_cloudtrail_s3_object_read_events_audit_enabled
+ - aws_cloudtrail_s3_object_write_events_audit_enabled
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_bucket_mfa_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_enabled_account
+ - aws_cloudtrail_trail_insight_selectors_and_logging_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
index 8fc1402dd..65cf5a492 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_cloudwatch.yaml
@@ -1,27 +1,32 @@
-ID: aws_all_controls_cloudwatch
-Title: CloudWatch
-Description: This section contains recommendations for configuring CloudWatch resources.
-SectionCode: cloudwatch
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_cloudwatch_cross_account_sharing
- - aws_cloudwatch_log_group_retention_period_365
- - aws_log_group_encryption_at_rest_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_organization
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
-Tags: {}
+control-group:
+ id: aws_all_controls_cloudwatch
+ title: CloudWatch
+ description: This section contains recommendations for configuring CloudWatch resources.
+ section-code: cloudwatch
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_alarm_action_enabled_check
+ - aws_cloudwatch_cross_account_sharing
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_organization
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
index b4c6c4b6e..4e30f972a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codebuild.yaml
@@ -1,15 +1,20 @@
-ID: aws_all_controls_codebuild
-Title: CodeBuild
-Description: This section contains recommendations for configuring CodeBuild resources.
-SectionCode: codebuild
-Children: []
-Controls:
- - aws_codebuild_project_artifact_encryption_enabled
- - aws_codebuild_project_build_greater_then_90_days
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_logging_enabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_s3_logs_encryption_enabled
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_codebuild_project_with_user_controlled_buildspec
-Tags: {}
+control-group:
+ id: aws_all_controls_codebuild
+ title: CodeBuild
+ description: This section contains recommendations for configuring CodeBuild resources.
+ section-code: codebuild
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_artifact_encryption_enabled
+ - aws_codebuild_project_build_greater_then_90_days
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_logging_enabled
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_s3_logs_encryption_enabled
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_codebuild_project_with_user_controlled_buildspec
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
index d02d3ca23..f98e53ae7 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_codedeploy.yaml
@@ -1,7 +1,11 @@
-ID: aws_all_controls_codedeploy
-Title: CodeDeploy
-Description: This section contains recommendations for configuring CodeDeploy resources.
-SectionCode: codedeploy
-Children: []
-Controls: null
-Tags: {}
+control-group:
+ id: aws_all_controls_codedeploy
+ title: CodeDeploy
+ description: This section contains recommendations for configuring CodeDeploy resources.
+ section-code: codedeploy
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
index 87c8424e4..87851b2de 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_config.yaml
@@ -1,9 +1,14 @@
-ID: aws_all_controls_config
-Title: Config
-Description: This section contains recommendations for configuring Config resources.
-SectionCode: config
-Children: []
-Controls:
- - aws_config_configuration_recorder_no_failed_deliver_logs
- - aws_config_enabled_all_regions
-Tags: {}
+control-group:
+ id: aws_all_controls_config
+ title: Config
+ description: This section contains recommendations for configuring Config resources.
+ section-code: config
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_config_configuration_recorder_no_failed_deliver_logs
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
index 8e5430819..90d9b923e 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dax.yaml
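Review bot: The CodeDeploy group on the new side carries neither a `controls` key nor a `control-group` key, because the old `Controls: null` was dropped rather than migrated, so `aws_all_controls_codedeploy` is an empty group with no CodeDeploy checks at all. If the loader requires `controls` on every group this file will fail to load; if it tolerates the missing key, an explicit `controls: []` would still mark the empty state as deliberate rather than as a lost list. Every other group in this chunk is non-empty, so this one is worth a second look before merge. The Config hunk on the same line follows the common pattern and needs no change.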
@@ -1,8 +1,13 @@
-ID: aws_all_controls_dax
-Title: DAX
-Description: This section contains recommendations for configuring DAX resources.
-SectionCode: dax
-Children: []
-Controls:
- - aws_dax_cluster_encryption_at_rest_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_dax
+ title: DAX
+ description: This section contains recommendations for configuring DAX resources.
+ section-code: dax
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_dax_cluster_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
index 666cbafca..c2446839e 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_directoryservice.yaml
@@ -1,10 +1,15 @@
-ID: aws_all_controls_directoryservice
-Title: Directory Service
-Description: This section contains recommendations for configuring Directory Service resources.
-SectionCode: directoryservice
-Children: []
-Controls:
- - aws_directory_service_certificate_expires_90_days
- - aws_directory_service_directory_snapshots_limit_2
- - aws_directory_service_directory_sns_notifications_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_directoryservice
+ title: Directory Service
+ description: This section contains recommendations for configuring Directory Service resources.
+ section-code: directoryservice
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_directory_service_certificate_expires_90_days
+ - aws_directory_service_directory_snapshots_limit_2
+ - aws_directory_service_directory_sns_notifications_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
index d1e570432..e44723e22 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dlm.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_dlm
-Title: DLM
-Description: This section contains recommendations for configuring DLM resources.
-SectionCode: dlm
-Children: []
-Controls:
- - aws_dlm_ebs_snapshot_lifecycle_policy_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_dlm
+ title: DLM
+ description: This section contains recommendations for configuring DLM resources.
+ section-code: dlm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_dlm_ebs_snapshot_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
index d9117e935..314d61d44 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dms.yaml
@@ -1,12 +1,17 @@
-ID: aws_all_controls_dms
-Title: DMS
-Description: This section contains recommendations for configuring DMS resources.
-SectionCode: dms
-Children: []
-Controls:
- - aws_dms_certificate_not_expired
- - aws_dms_endpoint_ssl_configured
- - aws_dms_replication_instance_automatic_minor_version_upgrade_enabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dms_replication_task_source_database_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_dms
+ title: DMS
+ description: This section contains recommendations for configuring DMS resources.
+ section-code: dms
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_dms_certificate_not_expired
+ - aws_dms_endpoint_ssl_configured
+ - aws_dms_replication_instance_automatic_minor_version_upgrade_enabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dms_replication_task_source_database_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
index 5ee14459e..b7292e0d7 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_docdb.yaml
@@ -1,12 +1,17 @@
-ID: aws_all_controls_docdb
-Title: DocumentDB
-Description: This section contains recommendations for configuring DocumentDB resources.
-SectionCode: docdb
-Children: []
-Controls:
- - aws_docdb_cluster_backup_retention_period_7_days
- - aws_docdb_cluster_deletion_protection_enabled
- - aws_docdb_cluster_encryption_at_rest_enabled
- - aws_docdb_cluster_instance_encryption_at_rest_enabled
- - aws_docdb_cluster_instance_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_docdb
+ title: DocumentDB
+ description: This section contains recommendations for configuring DocumentDB resources.
+ section-code: docdb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_docdb_cluster_backup_retention_period_7_days
+ - aws_docdb_cluster_deletion_protection_enabled
+ - aws_docdb_cluster_encryption_at_rest_enabled
+ - aws_docdb_cluster_instance_encryption_at_rest_enabled
+ - aws_docdb_cluster_instance_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
index c134c97d8..acbf724d3 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_drs.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_drs
-Title: DRS
-Description: This section contains recommendations for configuring DRS resources.
-SectionCode: drs
-Children: []
-Controls:
- - aws_drs_job_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_drs
+ title: DRS
+ description: This section contains recommendations for configuring DRS resources.
+ section-code: drs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_drs_job_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
index d5cb18a79..68b442ad5 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_dynamodb.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_dynamodb
-Title: DynamoDB
-Description: This section contains recommendations for configuring DynamoDB resources.
-SectionCode: dynamodb
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_deletion_protection_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
-Tags: {}
+control-group:
+ id: aws_all_controls_dynamodb
+ title: DynamoDB
+ description: This section contains recommendations for configuring DynamoDB resources.
+ section-code: dynamodb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_deletion_protection_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
index a90c43fa1..1bf9e898c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ebs.yaml
@@ -1,16 +1,21 @@
-ID: aws_all_controls_ebs
-Title: EBS
-Description: This section contains recommendations for configuring EBS resources.
-SectionCode: ebs
-Children: []
-Controls:
- - aws_ebs_attached_volume_delete_on_termination_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ebs_volume_snapshot_exists
- - aws_ebs_volume_unused
-Tags: {}
+control-group:
+ id: aws_all_controls_ebs
+ title: EBS
+ description: This section contains recommendations for configuring EBS resources.
+ section-code: ebs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ebs_attached_volume_delete_on_termination_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ebs_volume_encryption_at_rest_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ebs_volume_snapshot_exists
+ - aws_ebs_volume_unused
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
index 3f4b036e6..e9674f6b1 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ec2.yaml
@@ -1,49 +1,54 @@
-ID: aws_all_controls_ec2
-Title: EC2
-Description: This section contains recommendations for configuring EC2 resources.
-SectionCode: ec2
-Children: []
-Controls:
- - aws_ec2_ami_ebs_encryption_enabled
- - aws_ec2_ami_not_older_than_90_days
- - aws_ec2_ami_restrict_public_access
- - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_no_amazon_key_pair
- - aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access
- - aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access
- - aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration
- - aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access
- - aws_ec2_instance_no_iam_role_with_data_destruction_access
- - aws_ec2_instance_no_iam_role_with_destruction_kms_access
- - aws_ec2_instance_no_iam_role_with_destruction_rds_access
- - aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access
- - aws_ec2_instance_no_iam_role_with_management_level_access
- - aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access
- - aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access
- - aws_ec2_instance_no_iam_role_with_org_write_access
- - aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access
- - aws_ec2_instance_no_iam_role_with_security_group_write_access
- - aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration
- - aws_ec2_instance_no_iam_with_write_level_access
- - aws_ec2_instance_no_launch_wizard_security_group
- - aws_ec2_instance_not_older_than_180_days
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_not_use_multiple_enis
- - aws_ec2_instance_protected_by_backup_plan
- - aws_ec2_instance_publicly_accessible_iam_profile_attached
- - aws_ec2_instance_termination_protection_enabled
- - aws_ec2_instance_user_data_no_secrets
- - aws_ec2_instance_uses_imdsv2
- - aws_ec2_instance_virtualization_type_no_paravirtual
- - aws_ec2_launch_template_not_publicly_accessible
- - aws_ec2_network_interface_unused
- - aws_ec2_stopped_instance_30_days
- - aws_ec2_stopped_instance_90_days
- - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled
-Tags: {}
+control-group:
+ id: aws_all_controls_ec2
+ title: EC2
+ description: This section contains recommendations for configuring EC2 resources.
+ section-code: ec2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_ami_ebs_encryption_enabled
+ - aws_ec2_ami_not_older_than_90_days
+ - aws_ec2_ami_restrict_public_access
+ - aws_ec2_client_vpn_endpoint_client_connection_logging_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_no_amazon_key_pair
+ - aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access
+ - aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access
+ - aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration
+ - aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access
+ - aws_ec2_instance_no_iam_role_with_data_destruction_access
+ - aws_ec2_instance_no_iam_role_with_destruction_kms_access
+ - aws_ec2_instance_no_iam_role_with_destruction_rds_access
+ - aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access
+ - aws_ec2_instance_no_iam_role_with_management_level_access
+ - aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access
+ - aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access
+ - aws_ec2_instance_no_iam_role_with_org_write_access
+ - aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access
+ - aws_ec2_instance_no_iam_role_with_security_group_write_access
+ - aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration
+ - aws_ec2_instance_no_iam_with_write_level_access
+ - aws_ec2_instance_no_launch_wizard_security_group
+ - aws_ec2_instance_not_older_than_180_days
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_not_use_multiple_enis
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_ec2_instance_publicly_accessible_iam_profile_attached
+ - aws_ec2_instance_termination_protection_enabled
+ - aws_ec2_instance_user_data_no_secrets
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ec2_instance_virtualization_type_no_paravirtual
+ - aws_ec2_launch_template_not_publicly_accessible
+ - aws_ec2_network_interface_unused
+ - aws_ec2_stopped_instance_30_days
+ - aws_ec2_stopped_instance_90_days
+ - aws_ec2_transit_gateway_auto_cross_account_attachment_disabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml
index 153c03bfd..0bbff6f6e 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecr.yaml
@@ -1,11 +1,16 @@
-ID: aws_all_controls_ecr
-Title: ECR
-Description: This section contains recommendations for configuring ECR resources.
-SectionCode: ecr
-Children: []
-Controls:
- - aws_ecr_repository_image_scan_on_push_enabled
- - aws_ecr_repository_lifecycle_policy_configured
- - aws_ecr_repository_prohibit_public_access
- - aws_ecr_repository_tag_immutability_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_ecr
+ title: ECR
+ description: This section contains recommendations for configuring ECR resources.
+ section-code: ecr
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecr_repository_image_scan_on_push_enabled
+ - aws_ecr_repository_lifecycle_policy_configured
+ - aws_ecr_repository_prohibit_public_access
+ - aws_ecr_repository_tag_immutability_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
index c14a1d3b1..0c6dbf6f0 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ecs.yaml
@@ -1,22 +1,27 @@
-ID: aws_all_controls_ecs
-Title: ECS
-Description: This section contains recommendations for configuring ECS resources.
-SectionCode: ecs
-Children: []
-Controls:
- - aws_ecs_cluster_container_insights_enabled
- - aws_ecs_cluster_container_instance_agent_connected
- - aws_ecs_cluster_encryption_at_rest_enabled
- - aws_ecs_cluster_no_active_services_count
- - aws_ecs_cluster_no_registered_container_instance
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_ecs_service_load_balancer_attached
- - aws_ecs_service_not_publicly_accessible
- - aws_ecs_task_definition_container_environment_no_secret
- - aws_ecs_task_definition_container_non_privileged
- - aws_ecs_task_definition_container_readonly_root_filesystem
- - aws_ecs_task_definition_logging_enabled
- - aws_ecs_task_definition_no_host_pid_mode
- - aws_ecs_task_definition_no_root_user
- - aws_ecs_task_definition_user_for_host_mode_check
-Tags: {}
+control-group:
+ id: aws_all_controls_ecs
+ title: ECS
+ description: This section contains recommendations for configuring ECS resources.
+ section-code: ecs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ecs_cluster_container_insights_enabled
+ - aws_ecs_cluster_container_instance_agent_connected
+ - aws_ecs_cluster_encryption_at_rest_enabled
+ - aws_ecs_cluster_no_active_services_count
+ - aws_ecs_cluster_no_registered_container_instance
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_ecs_service_load_balancer_attached
+ - aws_ecs_service_not_publicly_accessible
+ - aws_ecs_task_definition_container_environment_no_secret
+ - aws_ecs_task_definition_container_non_privileged
+ - aws_ecs_task_definition_container_readonly_root_filesystem
+ - aws_ecs_task_definition_logging_enabled
+ - aws_ecs_task_definition_no_host_pid_mode
+ - aws_ecs_task_definition_no_root_user
+ - aws_ecs_task_definition_user_for_host_mode_check
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
index 2c48996bc..ca663ea19 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_efs.yaml
@@ -1,15 +1,20 @@
-ID: aws_all_controls_efs
-Title: EFS
-Description: This section contains recommendations for configuring EFS resources.
-SectionCode: efs
-Children: []
-Controls:
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_efs_file_system_encrypted_with_cmk
- - aws_efs_file_system_enforces_ssl
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_efs_file_system_restrict_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_efs
+ title: EFS
+ description: This section contains recommendations for configuring EFS resources.
+ section-code: efs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_efs_file_system_encrypted_with_cmk
+ - aws_efs_file_system_enforces_ssl
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_efs_file_system_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
index f617dbe44..41bc2cf17 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eks.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_eks
-Title: EKS
-Description: This section contains recommendations for configuring EKS resources.
-SectionCode: eks
-Children: []
-Controls:
- - aws_eks_cluster_control_plane_audit_logging_enabled
- - aws_eks_cluster_endpoint_public_access_restricted
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_eks_cluster_no_default_vpc
- - aws_eks_cluster_no_multiple_security_groups
- - aws_eks_cluster_secrets_encrypted
- - aws_eks_cluster_with_latest_kubernetes_version
-Tags: {}
+control-group:
+ id: aws_all_controls_eks
+ title: EKS
+ description: This section contains recommendations for configuring EKS resources.
+ section-code: eks
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_eks_cluster_control_plane_audit_logging_enabled
+ - aws_eks_cluster_endpoint_public_access_restricted
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_eks_cluster_no_default_vpc
+ - aws_eks_cluster_no_multiple_security_groups
+ - aws_eks_cluster_secrets_encrypted
+ - aws_eks_cluster_with_latest_kubernetes_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
index 9f4c397e8..20f8c7d72 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticache.yaml
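Review bot: The EKS list carries both `aws_eks_cluster_endpoint_public_access_restricted` and `aws_eks_cluster_endpoint_restrict_public_access`, which by name look like two IDs for the same check on the cluster API endpoint; the migration copies both from the old `Controls` list unchanged. If both control definitions exist and differ, a one-line comment next to them saying how (e.g. `# first checks endpointPublicAccess, second the allowed public CIDRs — confirm`) would stop readers from treating one as a stale alias; if one is an alias, dropping it here avoids the group double-counting a single finding. I cannot see the control definitions from this hunk, so this is something to verify rather than a confirmed defect.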
@@ -1,16 +1,21 @@
-ID: aws_all_controls_elasticache
-Title: ElastiCache
-Description: This section contains recommendations for configuring ElastiCache resources.
-SectionCode: elasticache
-Children: []
-Controls:
- - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
- - aws_elasticache_cluster_no_default_subnet_group
- - aws_elasticache_cluster_no_public_subnet
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elasticache_replication_group_auto_failover_enabled
- - aws_elasticache_replication_group_encryption_at_rest_enabled
- - aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk
- - aws_elasticache_replication_group_encryption_in_transit_enabled
- - aws_elasticache_replication_group_redis_auth_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_elasticache
+ title: ElastiCache
+ description: This section contains recommendations for configuring ElastiCache resources.
+ section-code: elasticache
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_elasticache_cluster_auto_minor_version_upgrade_enabled
+ - aws_elasticache_cluster_no_default_subnet_group
+ - aws_elasticache_cluster_no_public_subnet
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elasticache_replication_group_auto_failover_enabled
+ - aws_elasticache_replication_group_encryption_at_rest_enabled
+ - aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk
+ - aws_elasticache_replication_group_encryption_in_transit_enabled
+ - aws_elasticache_replication_group_redis_auth_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
index 4955483db..d41e66673 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elasticbeanstalk.yaml
@@ -1,10 +1,15 @@
-ID: aws_all_controls_elasticbeanstalk
-Title: Elastic Beanstalk
-Description: This section contains recommendations for configuring Elastic Beanstalk resources.
-SectionCode: elasticbeanstalk
-Children: []
-Controls:
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elastic_beanstalk_environment_logs_to_cloudwatch
- - aws_elastic_beanstalk_environment_managed_updates_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_elasticbeanstalk
+ title: Elastic Beanstalk
+ description: This section contains recommendations for configuring Elastic Beanstalk resources.
+ section-code: elasticbeanstalk
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elastic_beanstalk_environment_logs_to_cloudwatch
+ - aws_elastic_beanstalk_environment_managed_updates_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
index 60cf5724d..4dd4867f8 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_elb.yaml
@@ -1,30 +1,35 @@
-ID: aws_all_controls_elb
-Title: ELB
-Description: This section contains recommendations for configuring ELB resources.
-SectionCode: elb
-Children: []
-Controls:
- - aws_ec2_classic_lb_connection_draining_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_classic_network_lb_prohibit_public_access
- - aws_elb_application_gateway_network_lb_multiple_az_configured
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_application_lb_desync_mitigation_mode
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_application_lb_with_outbound_rule
- - aws_elb_application_network_lb_use_listeners
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_elb_classic_lb_multiple_az_configured
- - aws_elb_classic_lb_no_registered_instance
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_elb_classic_lb_with_inbound_rule
- - aws_elb_classic_lb_with_outbound_rule
- - aws_elb_listener_use_secure_ssl_cipher
- - aws_elb_network_lb_tls_listener_security_policy_configured
- - aws_elb_tls_listener_protocol_version
-Tags: {}
+control-group:
+ id: aws_all_controls_elb
+ title: ELB
+ description: This section contains recommendations for configuring ELB resources.
+ section-code: elb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_classic_lb_connection_draining_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_elb_application_classic_network_lb_prohibit_public_access
+ - aws_elb_application_gateway_network_lb_multiple_az_configured
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_application_lb_desync_mitigation_mode
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_application_lb_with_outbound_rule
+ - aws_elb_application_network_lb_use_listeners
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_elb_classic_lb_desync_mitigation_mode
+ - aws_elb_classic_lb_multiple_az_configured
+ - aws_elb_classic_lb_no_registered_instance
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_elb_classic_lb_with_inbound_rule
+ - aws_elb_classic_lb_with_outbound_rule
+ - aws_elb_listener_use_secure_ssl_cipher
+ - aws_elb_network_lb_tls_listener_security_policy_configured
+ - aws_elb_tls_listener_protocol_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
index adbb98c67..732a5c2f5 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_emr.yaml
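Review bot: `aws_ec2_classic_lb_connection_draining_enabled` is the only entry in the `controls` list whose ID is prefixed `aws_ec2_` rather than `aws_elb_`; every other classic-LB control in this group uses `aws_elb_classic_lb_*`. Since the file is keyed by service (`section-code: elb`), the odd prefix is either a legacy control ID that should be renamed or aliased at its definition, or a control that belongs in the EC2 group; the hunk only carries it over from the old list, so this is a naming point rather than a regression. If the ID must stay, a comment like `# legacy ID; the check is an ELB control despite the aws_ec2_ prefix` would save the next reader the detour.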
@@ -1,13 +1,18 @@
-ID: aws_all_controls_emr
-Title: EMR
-Description: This section contains recommendations for configuring EMR resources.
-SectionCode: emr
-Children: []
-Controls:
- - aws_emr_account_public_access_blocked
- - aws_emr_cluster_encryption_at_rest_with_sse_kms
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_local_disk_encrypted_with_cmk
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_emr_cluster_security_configuration_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_emr
+ title: EMR
+ description: This section contains recommendations for configuring EMR resources.
+ section-code: emr
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_emr_account_public_access_blocked
+ - aws_emr_cluster_encryption_at_rest_with_sse_kms
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_local_disk_encrypted_with_cmk
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_emr_cluster_security_configuration_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
index a343c3bd4..654a57da3 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_es.yaml
@@ -1,18 +1,23 @@
-ID: aws_all_controls_es
-Title: Elasticsearch
-Description: This section contains recommendations for configuring Elasticsearch resources.
-SectionCode: es
-Children: []
-Controls:
- - aws_es_domain_audit_logging_enabled
- - aws_es_domain_cognito_authentication_enabled
- - aws_es_domain_data_nodes_min_3
- - aws_es_domain_dedicated_master_nodes_min_3
- - aws_es_domain_encrypted_using_tls_1_2
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_error_logging_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_internal_user_database_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_es_domain_node_to_node_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_es
+ title: Elasticsearch
+ description: This section contains recommendations for configuring Elasticsearch resources.
+ section-code: es
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_es_domain_audit_logging_enabled
+ - aws_es_domain_cognito_authentication_enabled
+ - aws_es_domain_data_nodes_min_3
+ - aws_es_domain_dedicated_master_nodes_min_3
+ - aws_es_domain_encrypted_using_tls_1_2
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_error_logging_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_internal_user_database_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_es_domain_node_to_node_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
index 6d92fbe7f..b0eddabf9 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_eventbridge.yaml
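Review bot: `aws_es_domain_internal_user_database_enabled` in this `controls` list has the opposite polarity to its OpenSearch sibling `aws_opensearch_domain_internal_user_database_disabled` in the opensearch group further down this diff; for what looks like the same domain setting, one ID reads as passing when the internal user database is on and the other when it is off. The usual hardening direction is to disable the internal user database in favour of IAM, SAML or Cognito identities, so the Elasticsearch ID is the one worth checking against its definition. If the name merely predates a rename and the check has the same direction, a comment such as `# same check as aws_opensearch_domain_internal_user_database_disabled; name predates the rename` would stop readers from seeing a contradiction. The hunk only copies the existing ID, so nothing here is a regression.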
@@ -1,8 +1,13 @@
-ID: aws_all_controls_eventbridge
-Title: EventBridge
-Description: This section contains recommendations for configuring EventBridge resources.
-SectionCode: eventbridge
-Children: []
-Controls:
- - aws_eventbridge_custom_bus_resource_based_policy_attached
-Tags: {}
+control-group:
+ id: aws_all_controls_eventbridge
+ title: EventBridge
+ description: This section contains recommendations for configuring EventBridge resources.
+ section-code: eventbridge
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_eventbridge_custom_bus_resource_based_policy_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
index f1d280c10..af3af673a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_fsx.yaml
@@ -1,9 +1,14 @@
-ID: aws_all_controls_fsx
-Title: FSx
-Description: This section contains recommendations for configuring FSx resources.
-SectionCode: fsx
-Children: []
-Controls:
- - aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled
- - aws_fsx_file_system_protected_by_backup_plan
-Tags: {}
+control-group:
+ id: aws_all_controls_fsx
+ title: FSx
+ description: This section contains recommendations for configuring FSx resources.
+ section-code: fsx
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
index 50577adf6..a12869f39 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glacier.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_glacier
-Title: Glacier
-Description: This section contains recommendations for configuring Glacier resources.
-SectionCode: glacier
-Children: []
-Controls:
- - aws_glacier_vault_restrict_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_glacier
+ title: Glacier
+ description: This section contains recommendations for configuring Glacier resources.
+ section-code: glacier
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_glacier_vault_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
index 0eb5c2d9e..cf22f725e 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_glue.yaml
@@ -1,11 +1,16 @@
-ID: aws_all_controls_glue
-Title: Glue
-Description: This section contains recommendations for configuring Glue resources.
-SectionCode: glue
-Children: []
-Controls:
- - aws_glue_connection_ssl_enabled
- - aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled
- - aws_glue_data_catalog_encryption_settings_password_encryption_enabled
- - aws_glue_job_bookmarks_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_glue
+ title: Glue
+ description: This section contains recommendations for configuring Glue resources.
+ section-code: glue
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_glue_connection_ssl_enabled
+ - aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled
+ - aws_glue_data_catalog_encryption_settings_password_encryption_enabled
+ - aws_glue_job_bookmarks_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
index b8d2e501d..6dcdccb2e 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_guardduty.yaml
@@ -1,10 +1,15 @@
-ID: aws_all_controls_guardduty
-Title: GuardDuty
-Description: This section contains recommendations for configuring GuardDuty resources.
-SectionCode: guardduty
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_guardduty_no_high_severity_findings
-Tags: {}
+control-group:
+ id: aws_all_controls_guardduty
+ title: GuardDuty
+ description: This section contains recommendations for configuring GuardDuty resources.
+ section-code: guardduty
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_guardduty_no_high_severity_findings
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
index 4ca6b8a3f..f54f72d0f 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_iam.yaml
@@ -1,55 +1,60 @@
-ID: aws_all_controls_iam
-Title: IAM
-Description: This section contains recommendations for configuring IAM resources.
-SectionCode: iam
-Children: []
-Controls:
- - aws_iam_access_analyzer_enabled
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_account_password_policy_one_lowercase_letter
- - aws_iam_account_password_policy_one_number
- - aws_iam_account_password_policy_one_symbol
- - aws_iam_account_password_policy_one_uppercase_letter
- - aws_iam_account_password_policy_reuse_24
- - aws_iam_account_password_policy_strong_min_length_8
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_custom_policy_unattached_no_star_star
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_inline_policy_no_administrative_privileges
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_all_attached_no_star_star
- - aws_iam_policy_custom_attached_no_star_star
- - aws_iam_policy_custom_no_assume_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_custom_no_permissive_role_assumption
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_full_access_to_cloudtrail
- - aws_iam_policy_no_full_access_to_kms
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_role_no_administrator_access_policy_attached
- - aws_iam_role_unused_60
- - aws_iam_root_last_used
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_security_audit_role
- - aws_iam_server_certificate_not_expired
- - aws_iam_support_role
- - aws_iam_user_access_key_age_90
- - aws_iam_user_access_key_unused_45
- - aws_iam_user_access_keys_and_password_at_setup
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_console_access_unused_45
- - aws_iam_user_group_role_cloudshell_fullaccess_restricted
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- aws_iam_user_no_inline_attached_policies
- - aws_iam_user_no_policies
- - aws_iam_user_one_active_key
- - aws_iam_user_unused_credentials_45
- - aws_iam_user_unused_credentials_90
- - aws_iam_user_with_administrator_access_mfa_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_iam
+ title: IAM
+ description: This section contains recommendations for configuring IAM resources.
+ section-code: iam
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_access_analyzer_enabled
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_account_password_policy_one_lowercase_letter
+ - aws_iam_account_password_policy_one_number
+ - aws_iam_account_password_policy_one_symbol
+ - aws_iam_account_password_policy_one_uppercase_letter
+ - aws_iam_account_password_policy_reuse_24
+ - aws_iam_account_password_policy_strong_min_length_8
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_custom_policy_unattached_no_star_star
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_inline_policy_no_administrative_privileges
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_all_attached_no_star_star
+ - aws_iam_policy_custom_attached_no_star_star
+ - aws_iam_policy_custom_no_assume_role
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_custom_no_permissive_role_assumption
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_full_access_to_cloudtrail
+ - aws_iam_policy_no_full_access_to_kms
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_role_no_administrator_access_policy_attached
+ - aws_iam_role_unused_60
+ - aws_iam_root_last_used
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_security_audit_role
+ - aws_iam_server_certificate_not_expired
+ - aws_iam_support_role
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_access_key_unused_45
+ - aws_iam_user_access_keys_and_password_at_setup
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_console_access_unused_45
+ - aws_iam_user_group_role_cloudshell_fullaccess_restricted
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_no_policies
+ - aws_iam_user_one_active_key
+ - aws_iam_user_unused_credentials_45
+ - aws_iam_user_unused_credentials_90
+ - aws_iam_user_with_administrator_access_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
index b4a0da107..9c8e3192b 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kinesis.yaml
@@ -1,10 +1,15 @@
-ID: aws_all_controls_kinesis
-Title: Kinesis
-Description: This section contains recommendations for configuring Kinesis resources.
-SectionCode: kinesis
-Children: []
-Controls:
- - aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled
- - aws_kinesis_stream_encrypted_with_kms_cmk
- - aws_kinesis_stream_server_side_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_kinesis
+ title: Kinesis
+ description: This section contains recommendations for configuring Kinesis resources.
+ section-code: kinesis
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled
+ - aws_kinesis_stream_encrypted_with_kms_cmk
+ - aws_kinesis_stream_server_side_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
index ee4dfa995..f397120b6 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_kms.yaml
@@ -1,13 +1,18 @@
-ID: aws_all_controls_kms
-Title: KMS
-Description: This section contains recommendations for configuring KMS resources.
-SectionCode: kms
-Children: []
-Controls:
- - aws_kms_cmk_policy_prohibit_public_access
- - aws_kms_cmk_rotation_enabled
- - aws_kms_cmk_unused
- - aws_kms_key_decryption_restricted_in_iam_customer_managed_policy
- - aws_kms_key_decryption_restricted_in_iam_inline_policy
- - aws_kms_key_not_pending_deletion
-Tags: {}
+control-group:
+ id: aws_all_controls_kms
+ title: KMS
+ description: This section contains recommendations for configuring KMS resources.
+ section-code: kms
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_kms_cmk_policy_prohibit_public_access
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_cmk_unused
+ - aws_kms_key_decryption_restricted_in_iam_customer_managed_policy
+ - aws_kms_key_decryption_restricted_in_iam_inline_policy
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
index 735dc8e94..674e32421 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lambda.yaml
@@ -1,20 +1,25 @@
-ID: aws_all_controls_lambda
-Title: Lambda
-Description: This section contains recommendations for configuring Lambda resources.
-SectionCode: lambda
-Children: []
-Controls:
- - aws_lambda_function_cloudtrail_logging_enabled
- - aws_lambda_function_cloudwatch_insights_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_cors_configuration
- - aws_lambda_function_dead_letter_queue_configured
- - aws_lambda_function_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_multiple_az_configured
- - aws_lambda_function_restrict_public_access
- - aws_lambda_function_restrict_public_url
- - aws_lambda_function_tracing_enabled
- - aws_lambda_function_use_latest_runtime
- - aws_lambda_function_variables_no_sensitive_data
-Tags: {}
+control-group:
+ id: aws_all_controls_lambda
+ title: Lambda
+ description: This section contains recommendations for configuring Lambda resources.
+ section-code: lambda
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_lambda_function_cloudtrail_logging_enabled
+ - aws_lambda_function_cloudwatch_insights_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_cors_configuration
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_lambda_function_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_multiple_az_configured
+ - aws_lambda_function_restrict_public_access
+ - aws_lambda_function_restrict_public_url
+ - aws_lambda_function_tracing_enabled
+ - aws_lambda_function_use_latest_runtime
+ - aws_lambda_function_variables_no_sensitive_data
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
index 2a5c5069b..5c6849334 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_lightsail.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_lightsail
-Title: Lightsail
-Description: This section contains recommendations for configuring Lightsail resources.
-SectionCode: lightsail
-Children: []
-Controls:
- - aws_lightsail_instance_ipv6_networking_disabled
-Tags: {}
+control-group:
+ id: aws_all_controls_lightsail
+ title: Lightsail
+ description: This section contains recommendations for configuring Lightsail resources.
+ section-code: lightsail
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_lightsail_instance_ipv6_networking_disabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
index e99efcccc..d50fd20ff 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_mq.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_mq
-Title: MQ
-Description: This section contains recommendations for configuring MQ resources.
-SectionCode: mq
-Children: []
-Controls:
- - aws_mq_broker_restrict_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_mq
+ title: MQ
+ description: This section contains recommendations for configuring MQ resources.
+ section-code: mq
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_mq_broker_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
index 686e2eef5..12288f178 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_msk.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_msk
-Title: MSK
-Description: This section contains recommendations for configuring MSK resources.
-SectionCode: msk
-Children: []
-Controls:
- - aws_msk_cluster_encryption_in_transit_with_tls_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_msk
+ title: MSK
+ description: This section contains recommendations for configuring MSK resources.
+ section-code: msk
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_msk_cluster_encryption_in_transit_with_tls_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
index 0342ea5d5..26e1af20f 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_neptune.yaml
@@ -1,16 +1,21 @@
-ID: aws_all_controls_neptune
-Title: Neptune
-Description: This section contains recommendations for configuring Neptune resources.
-SectionCode: neptune
-Children: []
-Controls:
- - aws_neptune_db_cluster_audit_logging_enabled
- - aws_neptune_db_cluster_automated_backup_enabled
- - aws_neptune_db_cluster_copy_tags_to_snapshot_enabled
- - aws_neptune_db_cluster_deletion_protection_enabled
- - aws_neptune_db_cluster_encryption_at_rest_enabled
- - aws_neptune_db_cluster_iam_authentication_enabled
- - aws_neptune_db_cluster_no_public_subnet
- - aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled
- - aws_neptune_db_cluster_snapshot_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_neptune
+ title: Neptune
+ description: This section contains recommendations for configuring Neptune resources.
+ section-code: neptune
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_neptune_db_cluster_audit_logging_enabled
+ - aws_neptune_db_cluster_automated_backup_enabled
+ - aws_neptune_db_cluster_copy_tags_to_snapshot_enabled
+ - aws_neptune_db_cluster_deletion_protection_enabled
+ - aws_neptune_db_cluster_encryption_at_rest_enabled
+ - aws_neptune_db_cluster_iam_authentication_enabled
+ - aws_neptune_db_cluster_no_public_subnet
+ - aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled
+ - aws_neptune_db_cluster_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
index de7293b6c..bdc5f6227 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_networkfirewall.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_networkfirewall
-Title: Network Firewall
-Description: This section contains recommendations for configuring Network Firewall resources.
-SectionCode: networkfirewall
-Children: []
-Controls:
- - aws_networkfirewall_firewall_deletion_protection_enabled
- - aws_networkfirewall_firewall_in_vpc
- - aws_networkfirewall_firewall_logging_enabled
- - aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets
- - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
- - aws_networkfirewall_firewall_policy_rule_group_not_empty
- - aws_networkfirewall_stateless_rule_group_not_empty
-Tags: {}
+control-group:
+ id: aws_all_controls_networkfirewall
+ title: Network Firewall
+ description: This section contains recommendations for configuring Network Firewall resources.
+ section-code: networkfirewall
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_networkfirewall_firewall_deletion_protection_enabled
+ - aws_networkfirewall_firewall_in_vpc
+ - aws_networkfirewall_firewall_logging_enabled
+ - aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets
+ - aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets
+ - aws_networkfirewall_firewall_policy_rule_group_not_empty
+ - aws_networkfirewall_stateless_rule_group_not_empty
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
index 77117dc55..a37f2a0c9 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_opensearch.yaml
@@ -1,18 +1,23 @@
-ID: aws_all_controls_opensearch
-Title: OpenSearch
-Description: This section contains recommendations for configuring OpenSearch resources.
-SectionCode: opensearch
-Children: []
-Controls:
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_cognito_authentication_enabled_for_kibana
- - aws_opensearch_domain_data_node_fault_tolerance
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_fine_grained_access_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_in_vpc
- - aws_opensearch_domain_internal_user_database_disabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_updated_with_latest_service_software_version
-Tags: {}
+control-group:
+ id: aws_all_controls_opensearch
+ title: OpenSearch
+ description: This section contains recommendations for configuring OpenSearch resources.
+ section-code: opensearch
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_cognito_authentication_enabled_for_kibana
+ - aws_opensearch_domain_data_node_fault_tolerance
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_fine_grained_access_enabled
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_in_vpc
+ - aws_opensearch_domain_internal_user_database_disabled
+ - aws_opensearch_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_opensearch_domain_updated_with_latest_service_software_version
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
index e14ba356b..6528174c2 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_organization.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_organization
-Title: Organization
-Description: This section contains recommendations for configuring Organization resources.
-SectionCode: organization
-Children: []
-Controls:
- - aws_organizational_tag_policies_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_organization
+ title: Organization
+ description: This section contains recommendations for configuring Organization resources.
+ section-code: organization
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_organizational_tag_policies_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
index 000cf9e29..9b7ec9686 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_pca.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_pca
-Title: Private Certificate Authority
-Description: This section contains recommendations for configuring Private Certificate Authority resources.
-SectionCode: pca
-Children: []
-Controls:
- - aws_acmpca_root_certificate_authority_disabled
-Tags: {}
+control-group:
+ id: aws_all_controls_pca
+ title: Private Certificate Authority
+ description: This section contains recommendations for configuring Private Certificate Authority resources.
+ section-code: pca
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_acmpca_root_certificate_authority_disabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml
index 61b6bc1cb..6f59241cb 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_rds.yaml 
@@ -1,44 +1,49 @@
-ID: aws_all_controls_rds
-Title: RDS
-Description: This section contains recommendations for configuring RDS resources.
-SectionCode: rds
-Children: []
-Controls:
- - aws_rds_db_cluster_aurora_backtracking_enabled
- - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
- - aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_cluster_automatic_minor_version_upgrade_enabled
- - aws_rds_db_cluster_copy_tags_to_snapshot_enabled
- - aws_rds_db_cluster_deletion_protection_enabled
- - aws_rds_db_cluster_encryption_at_rest_enabled
- - aws_rds_db_cluster_events_subscription
- - aws_rds_db_cluster_iam_authentication_enabled
- - aws_rds_db_cluster_multiple_az_enabled
- - aws_rds_db_cluster_no_default_admin_name
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_and_cluster_no_default_port
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_backup_retention_period_less_than_7
- - aws_rds_db_instance_ca_certificate_expires_7_days
- - aws_rds_db_instance_cloudwatch_logs_enabled
- - aws_rds_db_instance_connections_encryption_enabled
- - aws_rds_db_instance_copy_tags_to_snapshot_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_events_subscription
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_in_vpc
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_no_default_admin_name
- - aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_rds_db_parameter_group_events_subscription
- - aws_rds_db_security_group_events_subscription
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_rds
+ title: RDS
+ description: This section contains recommendations for configuring RDS resources.
+ section-code: rds
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_cluster_aurora_backtracking_enabled
+ - aws_rds_db_cluster_aurora_mysql_audit_logging_enabled
+ - aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_cluster_automatic_minor_version_upgrade_enabled
+ - aws_rds_db_cluster_copy_tags_to_snapshot_enabled
+ - aws_rds_db_cluster_deletion_protection_enabled
+ - aws_rds_db_cluster_encryption_at_rest_enabled
+ - aws_rds_db_cluster_events_subscription
+ - aws_rds_db_cluster_iam_authentication_enabled
+ - aws_rds_db_cluster_multiple_az_enabled
+ - aws_rds_db_cluster_no_default_admin_name
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_and_cluster_no_default_port
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_backup_retention_period_less_than_7
+ - aws_rds_db_instance_ca_certificate_expires_7_days
+ - aws_rds_db_instance_cloudwatch_logs_enabled
+ - aws_rds_db_instance_connections_encryption_enabled
+ - aws_rds_db_instance_copy_tags_to_snapshot_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_events_subscription
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_in_vpc
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_no_default_admin_name
+ - aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_rds_db_parameter_group_events_subscription
+ - aws_rds_db_security_group_events_subscription
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
index 3c09cd117..5c36f9de1 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_redshift.yaml
@@ -1,18 +1,23 @@
-ID: aws_all_controls_redshift
-Title: Redshift
-Description: This section contains recommendations for configuring Redshift resources.
-SectionCode: redshift
-Children: []
-Controls:
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_automatic_upgrade_major_versions_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_redshift_cluster_no_default_admin_name
- - aws_redshift_cluster_no_default_database_name
- - aws_redshift_cluster_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_redshift
+ title: Redshift
+ description: This section contains recommendations for configuring Redshift resources.
+ section-code: redshift
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_automatic_upgrade_major_versions_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_redshift_cluster_no_default_admin_name
+ - aws_redshift_cluster_no_default_database_name
+ - aws_redshift_cluster_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
index e41f530f1..e596bf2b7 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_route53.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_route53
-Title: Route 53
-Description: This section contains recommendations for configuring Route 53 resources.
-SectionCode: route53
-Children: []
-Controls:
- - aws_route53_domain_auto_renew_enabled
- - aws_route53_domain_expires_30_days
- - aws_route53_domain_expires_7_days
- - aws_route53_domain_not_expired
- - aws_route53_domain_privacy_protection_enabled
- - aws_route53_domain_transfer_lock_enabled
- - aws_route53_zone_query_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_route53
+ title: Route 53
+ description: This section contains recommendations for configuring Route 53 resources.
+ section-code: route53
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_route53_domain_auto_renew_enabled
+ - aws_route53_domain_expires_30_days
+ - aws_route53_domain_expires_7_days
+ - aws_route53_domain_not_expired
+ - aws_route53_domain_privacy_protection_enabled
+ - aws_route53_domain_transfer_lock_enabled
+ - aws_route53_zone_query_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
index 6e6a76f84..b197820e9 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_s3.yaml
@@ -1,30 +1,35 @@
-ID: aws_all_controls_s3
-Title: S3
-Description: This section contains recommendations for configuring S3 resources.
-SectionCode: s3
-Children: []
-Controls:
- - aws_s3_access_point_restrict_public_access
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_event_notifications_enabled
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_mfa_delete_enabled
- - aws_s3_bucket_not_accessible_to_all_authenticated_user
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_policy_restricts_cross_account_permission_changes
- - aws_s3_bucket_protected_by_macie
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_static_website_hosting_disabled
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_s3_public_access_block_bucket_account
-Tags: {}
+control-group:
+ id: aws_all_controls_s3
+ title: S3
+ description: This section contains recommendations for configuring S3 resources.
+ section-code: s3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_s3_access_point_restrict_public_access
+ - aws_s3_bucket_acls_should_prohibit_user_access
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_event_notifications_enabled
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_mfa_delete_enabled
+ - aws_s3_bucket_not_accessible_to_all_authenticated_user
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_policy_restricts_cross_account_permission_changes
+ - aws_s3_bucket_protected_by_macie
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_bucket_static_website_hosting_disabled
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_s3_public_access_block_bucket_account
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
index c5a954193..0e5f0c7c6 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sagemaker.yaml
@@ -1,19 +1,24 @@
-ID: aws_all_controls_sagemaker
-Title: SageMaker
-Description: This section contains recommendations for configuring SageMaker resources.
-SectionCode: sagemaker
-Children: []
-Controls:
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_model_in_vpc
- - aws_sagemaker_model_network_isolation_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encrypted_with_kms_cmk
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_in_vpc
- - aws_sagemaker_notebook_instance_root_access_disabled
- - aws_sagemaker_training_job_in_vpc
- - aws_sagemaker_training_job_inter_container_traffic_encryption_enabled
- - aws_sagemaker_training_job_network_isolation_enabled
- - aws_sagemaker_training_job_volume_and_data_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_sagemaker
+ title: SageMaker
+ description: This section contains recommendations for configuring SageMaker resources.
+ section-code: sagemaker
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_model_in_vpc
+ - aws_sagemaker_model_network_isolation_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encrypted_with_kms_cmk
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_in_vpc
+ - aws_sagemaker_notebook_instance_root_access_disabled
+ - aws_sagemaker_training_job_in_vpc
+ - aws_sagemaker_training_job_inter_container_traffic_encryption_enabled
+ - aws_sagemaker_training_job_network_isolation_enabled
+ - aws_sagemaker_training_job_volume_and_data_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
index b64250a42..cd15f86fe 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_secretsmanager.yaml
@@ -1,14 +1,19 @@
-ID: aws_all_controls_secretsmanager
-Title: Secrets Manager
-Description: This section contains recommendations for configuring Secrets Manager resources.
-SectionCode: secretsmanager
-Children: []
-Controls:
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_automatic_rotation_lambda_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_last_used_1_day
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags: {}
+control-group:
+ id: aws_all_controls_secretsmanager
+ title: Secrets Manager
+ description: This section contains recommendations for configuring Secrets Manager resources.
+ section-code: secretsmanager
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_automatic_rotation_lambda_enabled
+ - aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_secretsmanager_secret_last_changed_90_day
+ - aws_secretsmanager_secret_last_used_1_day
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
index 8e3ce48e0..6d73d6650 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_securityhub.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_securityhub
-Title: Security Hub
-Description: This section contains recommendations for configuring Security Hub resources.
-SectionCode: securityhub
-Children: []
-Controls:
- - aws_securityhub_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_securityhub
+ title: Security Hub
+ description: This section contains recommendations for configuring Security Hub resources.
+ section-code: securityhub
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
index 69ca5f85b..2c1102c58 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sfn.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_sfn
-Title: Step Functions
-Description: This section contains recommendations for configuring Step Functions resources.
-SectionCode: sfn
-Children: []
-Controls:
- - aws_sfn_state_machine_logging_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_sfn
+ title: Step Functions
+ description: This section contains recommendations for configuring Step Functions resources.
+ section-code: sfn
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_sfn_state_machine_logging_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
index 703a01a36..6e18f8116 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sns.yaml
@@ -1,13 +1,18 @@
-ID: aws_all_controls_sns
-Title: SNS
-Description: This section contains recommendations for configuring SNS resources.
-SectionCode: sns
-Children: []
-Controls:
- - aws_sns_topic_encrypted_at_rest
- - aws_sns_topic_notification_delivery_status_enabled
- - aws_sns_topic_policy_prohibit_cross_account_access
- - aws_sns_topic_policy_prohibit_public_access
- - aws_sns_topic_policy_prohibit_publishing_access
- - aws_sns_topic_policy_prohibit_subscription_access
-Tags: {}
+control-group:
+ id: aws_all_controls_sns
+ title: SNS
+ description: This section contains recommendations for configuring SNS resources.
+ section-code: sns
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_sns_topic_encrypted_at_rest
+ - aws_sns_topic_notification_delivery_status_enabled
+ - aws_sns_topic_policy_prohibit_cross_account_access
+ - aws_sns_topic_policy_prohibit_public_access
+ - aws_sns_topic_policy_prohibit_publishing_access
+ - aws_sns_topic_policy_prohibit_subscription_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
index 67fb54300..ed39a8d36 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_sqs.yaml
@@ -1,11 +1,16 @@
-ID: aws_all_controls_sqs
-Title: SQS
-Description: This section contains recommendations for configuring SQS resources.
-SectionCode: sqs
-Children: []
-Controls:
- - aws_sqs_queue_dead_letter_queue_configured
- - aws_sqs_queue_encrypted_at_rest
- - aws_sqs_queue_encrypted_with_kms_cmk
- - aws_sqs_queue_policy_prohibit_public_access
-Tags: {}
+control-group:
+ id: aws_all_controls_sqs
+ title: SQS
+ description: This section contains recommendations for configuring SQS resources.
+ section-code: sqs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_sqs_queue_dead_letter_queue_configured
+ - aws_sqs_queue_encrypted_at_rest
+ - aws_sqs_queue_encrypted_with_kms_cmk
+ - aws_sqs_queue_policy_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
index a542b8c2b..5ed745f56 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_ssm.yaml
@@ -1,12 +1,17 @@
-ID: aws_all_controls_ssm
-Title: SSM
-Description: This section contains recommendations for configuring SSM resources.
-SectionCode: ssm
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_document_prohibit_public_access
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_ssm_parameter_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_ssm
+ title: SSM
+ description: This section contains recommendations for configuring SSM resources.
+ section-code: ssm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_document_prohibit_public_access
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - aws_ssm_parameter_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
index fb1e7634c..d98fba43a 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_vpc.yaml
@@ -1,42 +1,47 @@
-ID: aws_all_controls_vpc
-Title: VPC
-Description: This section contains recommendations for configuring VPC resources.
-SectionCode: vpc
-Children: []
-Controls:
- - aws_vpc_configured_to_use_vpc_endpoints
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_eip_associated
- - aws_vpc_endpoint_service_acceptance_required_enabled
- - aws_vpc_flow_logs_enabled
- - aws_vpc_gateway_endpoint_restrict_public_access
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_in_more_than_one_region
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_network_acl_unused
- - aws_vpc_not_in_use
- - aws_vpc_peering_connection_no_cross_account_access
- - aws_vpc_peering_connection_route_table_least_privilege
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_allows_ingress_authorized_ports
- - aws_vpc_security_group_allows_ingress_to_cassandra_ports
- - aws_vpc_security_group_allows_ingress_to_memcached_port
- - aws_vpc_security_group_allows_ingress_to_mongodb_ports
- - aws_vpc_security_group_allows_ingress_to_oracle_ports
- - aws_vpc_security_group_associated_to_eni
- - aws_vpc_security_group_not_uses_launch_wizard_sg
- - aws_vpc_security_group_remote_administration_ipv4
- - aws_vpc_security_group_remote_administration_ipv6
- - aws_vpc_security_group_remote_administration
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_kafka_port
- - aws_vpc_security_group_restrict_ingress_kibana_port
- - aws_vpc_security_group_restrict_ingress_rdp_all
- - aws_vpc_security_group_restrict_ingress_redis_port
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_security_group_restricted_common_ports
- - aws_vpc_security_group_unused
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_vpn_tunnel_up
-Tags: {}
+control-group:
+ id: aws_all_controls_vpc
+ title: VPC
+ description: This section contains recommendations for configuring VPC resources.
+ section-code: vpc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_vpc_configured_to_use_vpc_endpoints
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_eip_associated
+ - aws_vpc_endpoint_service_acceptance_required_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_gateway_endpoint_restrict_public_access
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_in_more_than_one_region
+ - aws_vpc_network_acl_remote_administration
+ - aws_vpc_network_acl_unused
+ - aws_vpc_not_in_use
+ - aws_vpc_peering_connection_no_cross_account_access
+ - aws_vpc_peering_connection_route_table_least_privilege
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_allows_ingress_authorized_ports
+ - aws_vpc_security_group_allows_ingress_to_cassandra_ports
+ - aws_vpc_security_group_allows_ingress_to_memcached_port
+ - aws_vpc_security_group_allows_ingress_to_mongodb_ports
+ - aws_vpc_security_group_allows_ingress_to_oracle_ports
+ - aws_vpc_security_group_associated_to_eni
+ - aws_vpc_security_group_not_uses_launch_wizard_sg
+ - aws_vpc_security_group_remote_administration_ipv4
+ - aws_vpc_security_group_remote_administration_ipv6
+ - aws_vpc_security_group_remote_administration
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_kafka_port
+ - aws_vpc_security_group_restrict_ingress_kibana_port
+ - aws_vpc_security_group_restrict_ingress_rdp_all
+ - aws_vpc_security_group_restrict_ingress_redis_port
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_security_group_restricted_common_ports
+ - aws_vpc_security_group_unused
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
index 9a488e120..844ce0d0c 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_waf.yaml
@@ -1,15 +1,20 @@
-ID: aws_all_controls_waf
-Title: WAF
-Description: This section contains recommendations for configuring WAF resources.
-SectionCode: waf
-Children: []
-Controls:
- - aws_waf_regional_rule_condition_attached
- - aws_waf_regional_rule_group_rule_attached
- - aws_waf_regional_web_acl_rule_attached
- - aws_waf_rule_condition_attached
- - aws_waf_rule_group_rule_attached
- - aws_waf_web_acl_logging_enabled
- - aws_waf_web_acl_resource_associated
- - aws_waf_web_acl_rule_attached
-Tags: {}
+control-group:
+ id: aws_all_controls_waf
+ title: WAF
+ description: This section contains recommendations for configuring WAF resources.
+ section-code: waf
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_waf_regional_rule_condition_attached
+ - aws_waf_regional_rule_group_rule_attached
+ - aws_waf_regional_web_acl_rule_attached
+ - aws_waf_rule_condition_attached
+ - aws_waf_rule_group_rule_attached
+ - aws_waf_web_acl_logging_enabled
+ - aws_waf_web_acl_resource_associated
+ - aws_waf_web_acl_rule_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
index a63f93765..dc40125a0 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_wafv2.yaml
@@ -1,10 +1,15 @@
-ID: aws_all_controls_wafv2
-Title: WAFv2
-Description: This section contains recommendations for configuring WAFv2 resources.
-SectionCode: wafv2
-Children: []
-Controls:
- - aws_wafv2_rule_group_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
- - aws_wafv2_web_acl_rule_attached
-Tags: {}
+control-group:
+ id: aws_all_controls_wafv2
+ title: WAFv2
+ description: This section contains recommendations for configuring WAFv2 resources.
+ section-code: wafv2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_wafv2_rule_group_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
+ - aws_wafv2_web_acl_rule_attached
diff --git a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
index 447e6e034..85eaa21ee 100755
--- a/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
+++ b/compliance/frameworks/aws/aws_all_controls/aws_all_controls_workspaces.yaml
@@ -1,8 +1,13 @@
-ID: aws_all_controls_workspaces
-Title: WorkSpaces
-Description: This section contains recommendations for configuring WorkSpaces resources.
-SectionCode: workspaces
-Children: []
-Controls:
- - aws_workspaces_workspace_volume_encryption_enabled
-Tags: {}
+control-group:
+ id: aws_all_controls_workspaces
+ title: WorkSpaces
+ description: This section contains recommendations for configuring WorkSpaces resources.
+ section-code: workspaces
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_workspaces_workspace_volume_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_all_controls/root.yaml b/compliance/frameworks/aws/aws_all_controls/root.yaml
deleted file mode 100755
index b3b118414..000000000
--- a/compliance/frameworks/aws/aws_all_controls/root.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-ID: aws_all_controls
-Title: All Controls
-Description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
-SectionCode: aws_all_controls
-Children:
- - aws_all_controls_account
- - aws_all_controls_acm
- - aws_all_controls_apigateway
- - aws_all_controls_appstream
- - aws_all_controls_appsync
- - aws_all_controls_athena
- - aws_all_controls_autoscaling
- - aws_all_controls_backup
- - aws_all_controls_cloudformation
- - aws_all_controls_cloudfront
- - aws_all_controls_cloudtrail
- - aws_all_controls_cloudwatch
- - aws_all_controls_codebuild
- - aws_all_controls_codedeploy
- - aws_all_controls_config
- - aws_all_controls_dax
- - aws_all_controls_directoryservice
- - aws_all_controls_dlm
- - aws_all_controls_dms
- - aws_all_controls_docdb
- - aws_all_controls_drs
- - aws_all_controls_dynamodb
- - aws_all_controls_ebs
- - aws_all_controls_ec2
- - aws_all_controls_ecr
- - aws_all_controls_ecs
- - aws_all_controls_efs
- - aws_all_controls_eks
- - aws_all_controls_elasticache
- - aws_all_controls_elasticbeanstalk
- - aws_all_controls_elb
- - aws_all_controls_emr
- - aws_all_controls_es
- - aws_all_controls_eventbridge
- - aws_all_controls_fsx
- - aws_all_controls_glacier
- - aws_all_controls_glue
- - aws_all_controls_guardduty
- - aws_all_controls_iam
- - aws_all_controls_kinesis
- - aws_all_controls_kms
- - aws_all_controls_lambda
- - aws_all_controls_lightsail
- - aws_all_controls_mq
- - aws_all_controls_msk
- - aws_all_controls_neptune
- - aws_all_controls_networkfirewall
- - aws_all_controls_opensearch
- - aws_all_controls_organization
- - aws_all_controls_pca
- - aws_all_controls_rds
- - aws_all_controls_redshift
- - aws_all_controls_route53
- - aws_all_controls_s3
- - aws_all_controls_sagemaker
- - aws_all_controls_secretsmanager
- - aws_all_controls_securityhub
- - aws_all_controls_sfn
- - aws_all_controls_sns
- - aws_all_controls_sqs
- - aws_all_controls_ssm
- aws_all_controls_vpc
- - aws_all_controls_waf
- - aws_all_controls_wafv2
- - aws_all_controls_workspaces
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml
new file mode 100644
index 000000000..a2557a91c
--- /dev/null
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower.yaml
@@ -0,0 +1,31 @@
+framework:
+ id: aws_audit_manager_control_tower
+ title: AWS Audit Manager Control Tower Guardrails
+ description: AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
+ section-code: aws_audit_manager_control_tower
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_ebs_checks
+ - id: aws_audit_manager_control_tower_disallow_internet_connection
+ - id: aws_audit_manager_control_tower_multi_factor_authentication
+ - id: aws_audit_manager_control_tower_disallow_public_access
+ - id: aws_audit_manager_control_tower_disallow_instances
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
index dc312d3f2..0f61c86de 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
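Review bot: The `description` of the new framework file explains what AWS Control Tower is rather than what this benchmark evaluates, so a reader of a compliance report learns nothing about the five control sets it groups; a wording along the lines of `description: Audit Manager Control Tower guardrail control sets (EBS checks, disallow internet connection, multi-factor authentication, disallow public access, disallow instances) mapped to the corresponding configuration controls.` would carry the information the `control-group` list below it already implies. Separately, this file sets `auto-assign: false` while every child control-group converted in the following hunks sets `auto-assign: null`; if null is meant as "inherit the framework default" that deserves a one-line comment such as `# auto-assign: null inherits the framework default`, otherwise the two values should agree, because a loader that coerces null to false and one that treats it as unset will enrol controls differently.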
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances.yaml
@@ -1,21 +1,26 @@
-ID: aws_audit_manager_control_tower_disallow_instances
-Title: Disallow Instances
-Description: This benchmark checks if RDS storage is encrypted and S3 bucket's versioning is enabled.
-SectionCode: disallow_instances
-Children:
- - aws_audit_manager_control_tower_disallow_instances_5_0_1
- - aws_audit_manager_control_tower_disallow_instances_5_1_1
-Controls: []
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_instances
+ title: Disallow Instances
+ description: This benchmark checks if RDS storage is encrypted and S3 bucket's versioning is enabled.
+ section-code: disallow_instances
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_disallow_instances_5_0_1
+ - id: aws_audit_manager_control_tower_disallow_instances_5_1_1
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
index fce1d4a61..e1183ee07 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_0_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_instances_5_0_1
-Title: 0.1 - Disallow RDS database instances that are not storage encrypted
-Description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
-SectionCode: "5_0_1"
-Children: []
-Controls:
- - aws_rds_db_instance_encryption_at_rest_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 5.0.1
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_instances_5_0_1
+ title: 0.1 - Disallow RDS database instances that are not storage encrypted
+ description: Disallow RDS database instances that are not storage encrypted - Checks whether storage encryption is enabled for your RDS DB instances.
+ section-code: "5_0_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 5.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
index c70576aaa..68ea0d80a 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_instances_5_1_1.yaml
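Review bot: `audit_manager_control_tower_item_id:` / `- 5.0.1` is left as a plain scalar while `section-code: "5_0_1"` in the same hunk is quoted; `5.0.1` only survives as a string because it has two dots, and the same pattern applied to an id with a single dot would be loaded as a float and the tag value would silently stop matching the original item id. Quoting it as `- "5.0.1"` (and likewise in the sibling control files of this change) gives the tag the same protection that `"true"` already has a few lines above. The YAML is otherwise a faithful transcription of the old keys, so this is a typing concern only.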
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_instances_5_1_1
-Title: 1.1 - Disallow S3 buckets that are not versioning enabled
-Description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
-SectionCode: "5_1_1"
-Children: []
-Controls:
- - aws_s3_bucket_versioning_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 5.1.1
- category:
- - Compliance
- control_set:
- - disallow_instances
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_instances_5_1_1
+ title: 1.1 - Disallow S3 buckets that are not versioning enabled
+ description: Disallow S3 buckets that are not versioning enabled - Checks whether versioning is enabled for your S3 buckets.
+ section-code: "5_1_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 5.1.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_instances
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
index 21045acb7..7b2751f6c 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection.yaml
@@ -1,21 +1,26 @@
-ID: aws_audit_manager_control_tower_disallow_internet_connection
-Title: Disallow Internet Connection
-Description: This benchmark checks if the VPC security group restricts ingress from RDP and SSH.
-SectionCode: disallow_internet_connection
-Children:
- - aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
- - aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
-Controls: []
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_internet_connection
+ title: Disallow Internet Connection
+ description: This benchmark checks if the VPC security group restricts ingress from RDP and SSH.
+ section-code: disallow_internet_connection
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
+ - id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
index 4baa7dc9b..a9de40557 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
-Title: 0.1 - Disallow internet connection through RDP
-Description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified
-SectionCode: "2_0_1"
-Children: []
-Controls:
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 2.0.1
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_1
+ title: 0.1 - Disallow internet connection through RDP
+ description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified
+ section-code: "2_0_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 2.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
index 38a3049c2..da2f7fb85 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_internet_connection_2_0_2.yaml
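Review bot: The `description` carried onto the new side is cut off mid-sentence (`... unrestricted incoming TCP traffic to the specified`), and the control it is mapped to, `aws_vpc_security_group_restrict_ingress_common_ports_all`, evaluates a set of common ports rather than RDP alone, so a failure reported under the title `Disallow internet connection through RDP` may actually concern a different port. Finish the sentence and state the scope, e.g. `description: Disallow internet connection through RDP - Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to RDP (TCP 3389); the mapped control evaluates all common administrative ports, so findings may involve ports other than 3389.` If the control library has an RDP-specific ingress control, in the way the SSH guardrail in the next hunk uses `aws_vpc_security_group_restrict_ingress_ssh_all`, mapping it here would make the item match its title; I cannot tell from this diff whether one exists.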
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
-Title: 0.2 - Disallow internet connection through SSH
-Description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
-SectionCode: "2_0_2"
-Children: []
-Controls:
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 2.0.2
- category:
- - Compliance
- control_set:
- - disallow_internet_connection
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_internet_connection_2_0_2
+ title: 0.2 - Disallow internet connection through SSH
+ description: Disallow internet connection through SSH - Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.
+ section-code: "2_0_2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 2.0.2
+ category:
+ - Compliance
+ control_set:
+ - disallow_internet_connection
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
index 066b32b9f..8456d713f 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access.yaml
@@ -1,23 +1,28 @@
-ID: aws_audit_manager_control_tower_disallow_public_access
-Title: Disallow Public Access
-Description: This benchmark checks if RDS instances, snapshots and S3 buckets are not publicly accessible.
-SectionCode: disallow_public_access
-Children:
- - aws_audit_manager_control_tower_disallow_public_access_4_0_1
- - aws_audit_manager_control_tower_disallow_public_access_4_0_2
- - aws_audit_manager_control_tower_disallow_public_access_4_1_1
- - aws_audit_manager_control_tower_disallow_public_access_4_1_2
-Controls: []
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_public_access
+ title: Disallow Public Access
+ description: This benchmark checks if RDS instances, snapshots and S3 buckets are not publicly accessible.
+ section-code: disallow_public_access
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
+ - id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
+ - id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
+ - id: aws_audit_manager_control_tower_disallow_public_access_4_1_2
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
index f1c304d7c..7964ad80c 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_public_access_4_0_1
-Title: 0.1 - Disallow public access to RDS database instances
-Description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
-SectionCode: "4_0_1"
-Children: []
-Controls:
- - aws_rds_db_instance_prohibit_public_access
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.0.1
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_public_access_4_0_1
+ title: 0.1 - Disallow public access to RDS database instances
+ description: Disallow public access to RDS database instances - Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.
+ section-code: "4_0_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.0.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
index f7185ab17..dcda384bf 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_0_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_public_access_4_0_2
-Title: 0.2 - Disallow public access to RDS database snapshots
-Description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
-SectionCode: "4_0_2"
-Children: []
-Controls:
- - aws_rds_db_snapshot_prohibit_public_access
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.0.2
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_public_access_4_0_2
+ title: 0.2 - Disallow public access to RDS database snapshots
+ description: Disallow public access to RDS database snapshots - Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public.
+ section-code: "4_0_2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.0.2
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_snapshot_prohibit_public_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
index 3f6113e08..555c67121 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_public_access_4_1_1
-Title: 1.1 - Disallow public read access to S3 buckets
-Description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access.
-SectionCode: "4_1_1"
-Children: []
-Controls:
- - aws_s3_bucket_restrict_public_read_access
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.1.1
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_public_access_4_1_1
+ title: 1.1 - Disallow public read access to S3 buckets
+ description: Disallow public read access to S3 buckets - Checks that your S3 buckets do not allow public read access.
+ section-code: "4_1_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.1.1
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_restrict_public_read_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
index 204cec3de..1418c2d4f 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_disallow_public_access_4_1_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_disallow_public_access_4_1_2
-Title: 1.2 - Disallow public write access to S3 buckets
-Description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access.
-SectionCode: "4_1_2"
-Children: []
-Controls:
- - aws_s3_bucket_restrict_public_write_access
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 4.1.2
- category:
- - Compliance
- control_set:
- - disallow_public_access
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_disallow_public_access_4_1_2
+ title: 1.2 - Disallow public write access to S3 buckets
+ description: Disallow public write access to S3 buckets - Checks that your S3 buckets do not allow public write access.
+ section-code: "4_1_2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 4.1.2
+ category:
+ - Compliance
+ control_set:
+ - disallow_public_access
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_restrict_public_write_access
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml
index f9ae7ae21..88ac7bd54 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_ebs_checks
-Title: EBS checks
-Description: This benchmark checks if EBS volumes are in use, encrypted etc.
-SectionCode: ebs_checks
-Children:
- - aws_audit_manager_control_tower_ebs_checks_1_0_1
- - aws_audit_manager_control_tower_ebs_checks_1_0_2
- - aws_audit_manager_control_tower_ebs_checks_1_0_3
-Controls: []
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - ebs_checks
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_ebs_checks
+ title: EBS checks
+ description: This benchmark checks if EBS volumes are in use, encrypted etc.
+ section-code: ebs_checks
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - ebs_checks
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_ebs_checks_1_0_1
+ - id: aws_audit_manager_control_tower_ebs_checks_1_0_2
+ - id: aws_audit_manager_control_tower_ebs_checks_1_0_3
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
index 6f5e3397a..ae55f8940 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_ebs_checks_1_0_1
-Title: 0.1 - Disallow launch of EC2 instance types that are not EBS-optimized
-Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
-SectionCode: "1_0_1"
-Children: []
-Controls:
- - aws_ec2_instance_ebs_optimized
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 1.0.1
- category:
- - Compliance
- control_set:
- - ebs_checks
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_ebs_checks_1_0_1
+ title: 0.1 - Disallow launch of EC2 instance types that are not EBS-optimized
+ description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized.
+ section-code: "1_0_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 1.0.1
+ category:
+ - Compliance
+ control_set:
+ - ebs_checks
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ebs_optimized
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml
index fe885ea63..d191d2961 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_ebs_checks_1_0_2
-Title: 0.2 - Disallow EBS volumes that are unattached to an EC2 instance
-Description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances.
-SectionCode: "1_0_2"
-Children: []
-Controls:
- - aws_ebs_volume_unused
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 1.0.2
- category:
- - Compliance
- control_set:
- - ebs_checks
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_ebs_checks_1_0_2
+ title: 0.2 - Disallow EBS volumes that are unattached to an EC2 instance
+ description: Disallow EBS volumes that are unattached to an EC2 instance - Checks whether EBS volumes are attached to EC2 instances.
+ section-code: "1_0_2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 1.0.2
+ category:
+ - Compliance
+ control_set:
+ - ebs_checks
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_volume_unused
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml
index 765527f81..eb6d532e9 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_ebs_checks_1_0_3.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_ebs_checks_1_0_3
-Title: 0.3 - Enable encryption for EBS volumes attached to EC2 instances
-Description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted.
-SectionCode: "1_0_3"
-Children: []
-Controls:
- - aws_ebs_attached_volume_encryption_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 1.0.3
- category:
- - Compliance
- control_set:
- - ebs_checks
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_ebs_checks_1_0_3
+ title: 0.3 - Enable encryption for EBS volumes attached to EC2 instances
+ description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted.
+ section-code: "1_0_3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 1.0.3
+ category:
+ - Compliance
+ control_set:
+ - ebs_checks
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_attached_volume_encryption_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml
index 1604e2ea8..74f696230 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication.yaml
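Review bot: `aws_ebs_attached_volume_encryption_enabled` evaluates only volumes in an attached state, as the `description` itself says, so a volume that has been detached (the condition item 1.0.2 in this change flags as unused) still holds its data but drops out of the encryption check entirely. That gap is worth stating where an auditor will read it, e.g. `description: Enable encryption for EBS volumes attached to EC2 instances - Checks whether EBS volumes that are in an attached state are encrypted; detached volumes are not evaluated by this control.`. If the control library has a check for the account-level EBS default-encryption setting, pairing it with this item would cover newly created volumes regardless of attachment state; I cannot see from this diff whether such a control exists.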
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_multi_factor_authentication
-Title: Multi-Factor Authentication
-Description: This benchmark checks if MFA is enabled for all the IAM users.
-SectionCode: multi_factor_authentication
-Children:
- - aws_audit_manager_control_tower_multi_factor_authentication_3_0_1
- - aws_audit_manager_control_tower_multi_factor_authentication_3_0_2
- - aws_audit_manager_control_tower_multi_factor_authentication_3_0_3
-Controls: []
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- control_set:
- - multi_factor_authentication
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_multi_factor_authentication
+ title: Multi-Factor Authentication
+ description: This benchmark checks if MFA is enabled for all the IAM users.
+ section-code: multi_factor_authentication
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ category:
+ - Compliance
+ control_set:
+ - multi_factor_authentication
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1
+ - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2
+ - id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml
index d32f4c1f7..dbb70c934 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_1.yaml
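Review bot: The `description` of this group ("checks if MFA is enabled for all the IAM users") is narrower than its children: 3.0.2 is specifically about IAM users with a console password and 3.0.3 covers the account root user, which is not an IAM user. Since this text is what a reader of the framework sees at the group level, it should name all three scopes, e.g. `description: This benchmark checks that MFA is enabled for IAM users, for IAM users with console access, and for the account root user.`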
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1
-Title: 0.1 - Disallow access to IAM users without MFA
-Description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
-SectionCode: "3_0_1"
-Children: []
-Controls:
- - aws_iam_user_mfa_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 3.0.1
- category:
- - Compliance
- control_set:
- - multi_factor_authentication
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_1
+ title: 0.1 - Disallow access to IAM users without MFA
+ description: Disallow access to IAM users without MFA - Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
+ section-code: "3_0_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 3.0.1
+ category:
+ - Compliance
+ control_set:
+ - multi_factor_authentication
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml
index 020560fea..18f3bc621 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2
-Title: 0.2 - Disallow console access to IAM users without MFA
-Description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.
-SectionCode: "3_0_2"
-Children: []
-Controls:
- - aws_iam_user_console_access_mfa_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 3.0.2
- category:
- - Compliance
- control_set:
- - multi_factor_authentication
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_2
+ title: 0.2 - Disallow console access to IAM users without MFA
+ description: Disallow console access to IAM users without MFA - Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.
+ section-code: "3_0_2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 3.0.2
+ category:
+ - Compliance
+ control_set:
+ - multi_factor_authentication
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_console_access_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml
index 6acf23690..3ef09bca9 100755
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml
+++ b/compliance/frameworks/aws/aws_audit_manager_control_tower/aws_audit_manager_control_tower_multi_factor_authentication_3_0_3.yaml
@@ -1,22 +1,27 @@
-ID: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3
-Title: 0.3 - Enable MFA for the root user
-Description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
-SectionCode: "3_0_3"
-Children: []
-Controls:
- - aws_iam_root_user_mfa_enabled
-Tags:
- audit_manager_control_tower:
- - "true"
- audit_manager_control_tower_item_id:
- - 3.0.3
- category:
- - Compliance
- control_set:
- - multi_factor_authentication
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_audit_manager_control_tower_multi_factor_authentication_3_0_3
+ title: 0.3 - Enable MFA for the root user
+ description: Enable MFA for the root user - Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.
+ section-code: "3_0_3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ audit_manager_control_tower:
+ - "true"
+ audit_manager_control_tower_item_id:
+ - 3.0.3
+ category:
+ - Compliance
+ control_set:
+ - multi_factor_authentication
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_audit_manager_control_tower/root.yaml b/compliance/frameworks/aws/aws_audit_manager_control_tower/root.yaml
deleted file mode 100755
index bda024eef..000000000
--- a/compliance/frameworks/aws/aws_audit_manager_control_tower/root.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-ID: aws_audit_manager_control_tower
-Title: AWS Audit Manager Control Tower Guardrails
-Description: AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
-SectionCode: aws_audit_manager_control_tower
-Children:
- - aws_audit_manager_control_tower_ebs_checks
- - aws_audit_manager_control_tower_disallow_internet_connection
- - aws_audit_manager_control_tower_multi_factor_authentication
- - aws_audit_manager_control_tower_disallow_public_access
- - aws_audit_manager_control_tower_disallow_instances
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- audit_manager_control_tower:
- - "true"
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml
new file mode 100644
index 000000000..1e4426b02
--- /dev/null
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1.yaml
@@ -0,0 +1,36 @@
+framework:
+ id: aws_cis_controls_v8_ig1
+ title: CIS Controls v8 IG1
+ description: The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks.
+ section-code: aws_cis_controls_v8_ig1
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_1
+ - id: aws_cis_controls_v8_ig1_3
+ - id: aws_cis_controls_v8_ig1_4
+ - id: aws_cis_controls_v8_ig1_5
+ - id: aws_cis_controls_v8_ig1_6
+ - id: aws_cis_controls_v8_ig1_7
+ - id: aws_cis_controls_v8_ig1_8
+ - id: aws_cis_controls_v8_ig1_10
+ - id: aws_cis_controls_v8_ig1_11
+ - id: aws_cis_controls_v8_ig1_12
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml
index 6faf2775f..bbd3a230c 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_1
-Title: Inventory and Control of Enterprise Assets
-Description: Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
-SectionCode: "1"
-Children:
- - aws_cis_controls_v8_ig1_1_1
- - aws_cis_controls_v8_ig1_1_2
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_1
+ title: Inventory and Control of Enterprise Assets
+ description: Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_1_1
+ - id: aws_cis_controls_v8_ig1_1_2
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml
index 39d8f016d..62f0e0ba9 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_10
-Title: Malware Defenses
-Description: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
-SectionCode: "10"
-Children:
- - aws_cis_controls_v8_ig1_10_1
- - aws_cis_controls_v8_ig1_10_2
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_10
+ title: Malware Defenses
+ description: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_10_1
+ - id: aws_cis_controls_v8_ig1_10_2
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml
index 4990d5743..ae06621c1 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_10_1
-Title: Deploy and Maintain Anti-Malware Software
-Description: Deploy and maintain anti-malware software on all enterprise assets.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_10_1
+ title: Deploy and Maintain Anti-Malware Software
+ description: Deploy and maintain anti-malware software on all enterprise assets.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml
index e6a348456..81bae7133 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_10_2.yaml
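Review bot: `aws_guardduty_enabled` is the only control behind "Deploy and Maintain Anti-Malware Software", and the same single control is reused for 10.2 ("Configure Automatic Anti-Malware Signature Updates") in the next file. If that control only verifies that a GuardDuty detector exists and is enabled, it says nothing about whether GuardDuty's optional malware-protection feature is turned on or about any agent-based anti-malware on instances, so both safeguards would report compliant for an account with detection but no malware scanning. The mapping is carried over from the old side rather than introduced here, but this migration is a good moment to record the assumption next to the entry, e.g. `# GuardDuty detector status is used as a proxy for anti-malware coverage; it does not verify Malware Protection or host agents`, so a later reader does not mistake it for a full 10.1/10.2 assessment.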
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_10_2
-Title: Configure Automatic Anti-Malware Signature Updates
-Description: Configure automatic updates for anti-malware signature files on all enterprise assets.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_10_2
+ title: Configure Automatic Anti-Malware Signature Updates
+ description: Configure automatic updates for anti-malware signature files on all enterprise assets.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml
index ec702dc66..337127dde 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11.yaml
@@ -1,20 +1,25 @@
-ID: aws_cis_controls_v8_ig1_11
-Title: Data Recovery
-Description: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
-SectionCode: "11"
-Children:
- - aws_cis_controls_v8_ig1_11_2
- - aws_cis_controls_v8_ig1_11_3
- - aws_cis_controls_v8_ig1_11_4
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_11
+ title: Data Recovery
+ description: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_11_2
+ - id: aws_cis_controls_v8_ig1_11_3
+ - id: aws_cis_controls_v8_ig1_11_4
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml
index 5bd34707e..7c13c4fec 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_2.yaml
@@ -1,29 +1,34 @@
-ID: aws_cis_controls_v8_ig1_11_2
-Title: Perform Automated Backups
-Description: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_11_2
+ title: Perform Automated Backups
+ description: Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
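Review bot: `aws_ec2_instance_ebs_optimized` is listed under "Perform Automated Backups", but EBS optimization is a throughput setting for the instance-to-volume link and does not establish that any backup of the instance exists, so an instance with no backup plan can still count towards 11.2 on that control. The list is carried over verbatim from the old side, so this is a pre-existing mapping rather than something the commit introduced, but the migration is the natural point to drop that entry (the other eleven all describe a backup, snapshot, retention, replication or versioning setting). The identical twelve-entry list is reused for 11.4 ("Isolated Instance of Recovery Data") in the aws_cis_controls_v8_ig1_11_4 hunk, where only `aws_s3_bucket_cross_region_replication_enabled` speaks to isolation; it would help to confirm that duplication is intentional or to note it in that file's `description`.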
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml
index de642cd1d..128a6e352 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_cis_controls_v8_ig1_11_3
-Title: Protect Recovery Data
-Description: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_11_3
+ title: Protect Recovery Data
+ description: Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml
index 98ad3610c..ada6024f6 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_11_4.yaml
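Review bot: The three controls kept under "Protect Recovery Data" (`aws_ebs_attached_volume_encryption_enabled`, `aws_ec2_ebs_default_encryption_enabled`, `aws_rds_db_instance_encryption_at_rest_enabled`) all check the primary volumes and databases, not the recovery copies the safeguard is about, so a world-readable snapshot does not fail 11.3. Two snapshot-scoped controls that already appear in this change, `aws_ebs_snapshot_not_publicly_restorable` and `aws_rds_db_snapshot_prohibit_public_access` (both under 3.3 in the aws_cis_controls_v8_ig1_3_3 hunk), match the "equivalent controls to the original data" wording more closely and could be added to this `controls` list. If the control library also has checks for snapshot or backup-vault encryption, those belong here as well; I cannot see the library from this diff.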
@@ -1,29 +1,34 @@
-ID: aws_cis_controls_v8_ig1_11_4
-Title: Establish and Maintain an Isolated Instance of Recovery Data
-Description: Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_11_4
+ title: Establish and Maintain an Isolated Instance of Recovery Data
+ description: Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml
index 8ed3cd6f7..b218a2c39 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_12
-Title: Network Infrastructure Management
-Description: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
-SectionCode: "12"
-Children:
- - aws_cis_controls_v8_ig1_12_1
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_12
+ title: Network Infrastructure Management
+ description: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_12_1
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml
index 2857338fe..bfeddd6e2 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_12_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_12_1
-Title: Ensure Network Infrastructure is Up-to-Date
-Description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_12_1
+ title: Ensure Network Infrastructure is Up-to-Date
+ description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml
index eb1f1f5c0..66dd3a762 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_cis_controls_v8_ig1_1_1
-Title: Establish and Maintain Detailed Enterprise Asset Inventory
-Description: 'Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ec2_stopped_instance_30_days
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_eip_associated
- - aws_vpc_network_acl_unused
- - aws_vpc_security_group_associated_to_eni
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_1_1
+ title: Establish and Maintain Detailed Enterprise Asset Inventory
+ description: "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. 
Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_stopped_instance_30_days
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_eip_associated
+ - aws_vpc_network_acl_unused
+ - aws_vpc_security_group_associated_to_eni
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml
index 68893a734..662cd5d62 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_1_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_1_2
-Title: Address Unauthorized Assets
-Description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_1_2
+ title: Address Unauthorized Assets
+ description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml
index fae2aca65..6498055ef 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_3
-Title: Data Protection
-Description: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
-SectionCode: "3"
-Children:
- - aws_cis_controls_v8_ig1_3_3
- - aws_cis_controls_v8_ig1_3_4
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_3
+ title: Data Protection
+ description: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_3_3
+ - id: aws_cis_controls_v8_ig1_3_4
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml
index b6a455dd4..08eccb1c9 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_3.yaml
@@ -1,52 +1,57 @@
-ID: aws_cis_controls_v8_ig1_3_3
-Title: Configure Data Access Control Lists
-Description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_no_star_star
- - aws_iam_policy_unused
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_3_3
+ title: Configure Data Access Control Lists
+ description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml
index dad0769f3..c4d5dc677 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_3_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_3_4
-Title: Enforce Data Retention
-Description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_3_4
+ title: Enforce Data Retention
+ description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml
index c595227a7..6be5514d3 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4.yaml
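Review bot: `aws_cloudwatch_log_group_retention_period_365` sits in the `controls` list of the Configure Data Access Control Lists group (3_3), where every other entry checks public exposure, network placement or IAM scoping; a log-retention check does not evidence an access-control safeguard, and the same control already backs 3_4 (Enforce Data Retention) and 8_1 in this chunk. Unless the mapping is deliberate, dropping that one line from the 3_3 list keeps the group's pass/fail tied to access control; if it is deliberate, a comment above the entry such as `# retention check kept here intentionally — see mapping rationale` would save the next reader the same question.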
@@ -1,20 +1,25 @@
-ID: aws_cis_controls_v8_ig1_4
-Title: Secure Configuration of Enterprise Assets and Software
-Description: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
-SectionCode: "4"
-Children:
- - aws_cis_controls_v8_ig1_4_1
- - aws_cis_controls_v8_ig1_4_6
- - aws_cis_controls_v8_ig1_4_7
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_4
+ title: Secure Configuration of Enterprise Assets and Software
+ description: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_4_1
+ - id: aws_cis_controls_v8_ig1_4_6
+ - id: aws_cis_controls_v8_ig1_4_7
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml
index bd4cdf6bf..20696b873 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_1.yaml
@@ -1,23 +1,28 @@
-ID: aws_cis_controls_v8_ig1_4_1
-Title: Establish and Maintain a Secure Configuration Process
-Description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_cloudtrail_security_trail_enabled
- - aws_ebs_volume_unused
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_4_1
+ title: Establish and Maintain a Secure Configuration Process
+ description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_cloudtrail_security_trail_enabled
+ - aws_ebs_volume_unused
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml
index 20bc51b78..047590c2c 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_6.yaml
@@ -1,47 +1,52 @@
-ID: aws_cis_controls_v8_ig1_4_6
-Title: Securely Manage Enterprise Assets and Software
-Description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_kms_cmk_rotation_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_4_6
+ title: Securely Manage Enterprise Assets and Software
+ description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_kms_cmk_rotation_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
index 1dae31926..8e4dc9c56 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_4_7.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_4_7
-Title: Manage Default Accounts on Enterprise Assets and Software
-Description: 'Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.'
-SectionCode: "7"
-Children: []
-Controls:
- - aws_iam_root_user_mfa_enabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_4_7
+ title: Manage Default Accounts on Enterprise Assets and Software
+ description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_mfa_enabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
index e298a1d18..dfcfdd666 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5.yaml
@@ -1,20 +1,25 @@
-ID: aws_cis_controls_v8_ig1_5
-Title: Account Management
-Description: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
-SectionCode: "5"
-Children:
- - aws_cis_controls_v8_ig1_5_2
- - aws_cis_controls_v8_ig1_5_3
- - aws_cis_controls_v8_ig1_5_4
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_5
+ title: Account Management
+ description: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_5_2
+ - id: aws_cis_controls_v8_ig1_5_3
+ - id: aws_cis_controls_v8_ig1_5_4
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
index dc231eef4..fdc9f0e9c 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_2.yaml
@@ -1,21 +1,26 @@
-ID: aws_cis_controls_v8_ig1_5_2
-Title: Use Unique Passwords
-Description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_5_2
+ title: Use Unique Passwords
+ description: Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
index 882e0f5cf..ecb5ea10e 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_5_3
-Title: Disable Dormant Accounts
-Description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_5_3
+ title: Disable Dormant Accounts
+ description: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
index 0e036c65b..620b7aad5 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_5_4.yaml
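Review bot: The Disable Dormant Accounts group states a 45-day inactivity requirement in its `description`, but its only mapped control is `aws_iam_user_unused_credentials_90`, whose name suggests a 90-day threshold; if that reading is right, an IAM user idle for 60 days passes this group while failing the safeguard it is meant to evidence. Either a 45-day variant of the check should back this group, or the gap should be recorded next to the mapping so an assessor does not read a pass as 45-day coverage, e.g. `# NOTE: evaluated at 90 days of inactivity; the safeguard text requires 45 — accepted gap` above the `controls` key. The control name is the only basis for the 90-day reading, so confirm the check's actual threshold before changing the mapping.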
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_5_4
-Title: Restrict Administrator Privileges to Dedicated Administrator Accounts
-Description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_5_4
+ title: Restrict Administrator Privileges to Dedicated Administrator Accounts
+ description: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
index b697ef402..6caa9062b 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6.yaml
@@ -1,18 +1,23 @@
-ID: aws_cis_controls_v8_ig1_6
-Title: Access Control Management
-Description: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
-SectionCode: "6"
-Children:
- - aws_cis_controls_v8_ig1_6_5
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_6
+ title: Access Control Management
+ description: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_6_5
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
index 6cfdef52b..9e638a466 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_6_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_6_5
-Title: Require MFA for Administrative Access
-Description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_6_5
+ title: Require MFA for Administrative Access
+ description: Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
index 2e00d993e..94862f079 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_7
-Title: Continuous Vulnerability Management
-Description: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
-SectionCode: "7"
-Children:
- - aws_cis_controls_v8_ig1_7_1
- - aws_cis_controls_v8_ig1_7_3
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_7
+ title: Continuous Vulnerability Management
+ description: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_7_1
+ - id: aws_cis_controls_v8_ig1_7_3
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
index 7a09e0854..09066237d 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_cis_controls_v8_ig1_7_1
-Title: Establish and Maintain a Vulnerability Management Process
-Description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_7_1
+ title: Establish and Maintain a Vulnerability Management Process
+ description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
index 194c60368..f7298138a 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_7_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_7_3
-Title: Perform Automated Operating System Patch Management
-Description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_7_3
+ title: Perform Automated Operating System Patch Management
+ description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
index 05bd6da21..64bb679c6 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8.yaml
@@ -1,19 +1,24 @@
-ID: aws_cis_controls_v8_ig1_8
-Title: Audit Log Management
-Description: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
-SectionCode: "8"
-Children:
- - aws_cis_controls_v8_ig1_8_1
- - aws_cis_controls_v8_ig1_8_2
-Controls: []
-Tags:
- category:
- - Compliance
- cis_controls_v8_ig1:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_controls_v8_ig1_8
+ title: Audit Log Management
+ description: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis_controls_v8_ig1:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_controls_v8_ig1_8_1
+ - id: aws_cis_controls_v8_ig1_8_2
diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
index 2d10ece8e..05fd73323 100755
--- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_1.yaml
@@ -1,18 +1,23 @@ -ID: aws_cis_controls_v8_ig1_8_1 -Title: Establish and Maintain an Audit Log Management Process -Description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 -Tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_controls_v8_ig1_8_1 + title: Establish and Maintain an Audit Log Management Process + description: Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml index 5b2e445e9..3e8977ca5 100755 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml +++ b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/aws_cis_controls_v8_ig1_8_2.yaml 
@@ -1,31 +1,36 @@ -ID: aws_cis_controls_v8_ig1_8_2 -Title: Collect Audit Logs -Description: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_controls_v8_ig1_8_2 + title: Collect Audit Logs + description: Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis_controls_v8_ig1: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_es_domain_logs_to_cloudwatch + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/root.yaml b/compliance/frameworks/aws/aws_cis_controls_v8_ig1/root.yaml deleted file mode 100755 index 3de3bf8d7..000000000 --- a/compliance/frameworks/aws/aws_cis_controls_v8_ig1/root.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -ID: aws_cis_controls_v8_ig1 -Title: CIS Controls v8 IG1 -Description: The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. -SectionCode: aws_cis_controls_v8_ig1 -Children: - - aws_cis_controls_v8_ig1_1 - - aws_cis_controls_v8_ig1_3 - - aws_cis_controls_v8_ig1_4 - - aws_cis_controls_v8_ig1_5 - - aws_cis_controls_v8_ig1_6 - - aws_cis_controls_v8_ig1_7 - - aws_cis_controls_v8_ig1_8 - - aws_cis_controls_v8_ig1_10 - - aws_cis_controls_v8_ig1_11 - - aws_cis_controls_v8_ig1_12 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis_controls_v8_ig1: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml new file mode 100644 index 000000000..5ddce9063 --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120.yaml 
@@ -0,0 +1,32 @@ +framework: + id: aws_cis_v120 + title: CIS v1.2.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v120 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v1.2.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v120_1 + - id: aws_cis_v120_2 + - id: aws_cis_v120_3 + - id: aws_cis_v120_4 diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml index 0d3cc7f20..786e8fe0e 100755 --- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_1.yaml 
@@ -1,37 +1,42 @@ -ID: aws_cis_v120_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v120_1_1 - - aws_cis_v120_1_2 - - aws_cis_v120_1_3 - - aws_cis_v120_1_4 - - aws_cis_v120_1_8 - - aws_cis_v120_1_11 - - aws_cis_v120_1_12 - - aws_cis_v120_1_13 - - aws_cis_v120_1_15 - - aws_cis_v120_1_16 - - aws_cis_v120_1_17 - - aws_cis_v120_1_18 - - aws_cis_v120_1_19 - - aws_cis_v120_1_20 - - aws_cis_v120_1_21 - - aws_cis_v120_1_22 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v120_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v120_1_1 + - aws_cis_v120_1_2 + - aws_cis_v120_1_3 + - aws_cis_v120_1_4 + - aws_cis_v120_1_8 + - aws_cis_v120_1_11 + - aws_cis_v120_1_12 + - aws_cis_v120_1_13 + - aws_cis_v120_1_15 + - aws_cis_v120_1_16 + - aws_cis_v120_1_17 + - aws_cis_v120_1_18 + - aws_cis_v120_1_19 + - aws_cis_v120_1_20 + - aws_cis_v120_1_21 + - aws_cis_v120_1_22 diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml index 0e8eee74d..511af74f7 100755 --- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_2.yaml 
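Review bot: `description: Identity and Access Management` on the new side simply repeats the `title` one line above, where the old file had `description: ""`; a description equal to the title carries no information and, if a UI renders both fields, would show the same text twice. Either keep the field empty or give a one-sentence summary of what the section's controls cover. The same title-as-description substitution appears in every CIS section hunk that follows (aws_cis_v120_2 through aws_cis_v140_5), so one decision here applies to all of them.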
@@ -1,29 +1,34 @@ -ID: aws_cis_v120_2 -Title: Logging -Description: "" -SectionCode: "2" -Children: [] -Controls: - - aws_cis_v120_2_2 - - aws_cis_v120_2_3 - - aws_cis_v120_2_4 - - aws_cis_v120_2_5 - - aws_cis_v120_2_6 - - aws_cis_v120_2_7 - - aws_cis_v120_2_8 - - aws_cis_v120_2_9 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v120_2 + title: Logging + description: Logging + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v120_2_2 + - aws_cis_v120_2_3 + - aws_cis_v120_2_4 + - aws_cis_v120_2_5 + - aws_cis_v120_2_6 + - aws_cis_v120_2_7 + - aws_cis_v120_2_8 + - aws_cis_v120_2_9 diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml index 8e9d22a2a..3b6c0b2e2 100755 --- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_3.yaml @@ -1,22 +1,27 @@ -ID: aws_cis_v120_3 -Title: Monitoring -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v120_3_5 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_cis_v120_3 + title: Monitoring + description: Monitoring + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cis_v120_3_5 
diff --git a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml index 52aee0681..eae0e5d45 100755 --- a/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v120/aws_cis_v120_4.yaml @@ -1,24 +1,29 @@ -ID: aws_cis_v120_4 -Title: Networking -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v120_4_1 - - aws_cis_v120_4_2 - - aws_cis_v120_4_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.2.0 - plugin: - - aws - service: - - AWS/VPC - type: - - Benchmark +control-group: + id: aws_cis_v120_4 + title: Networking + description: Networking + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.2.0 + plugin: + - aws + service: + - AWS/VPC + type: + - Benchmark + controls: + - aws_cis_v120_4_1 + - aws_cis_v120_4_2 + - aws_cis_v120_4_4 diff --git a/compliance/frameworks/aws/aws_cis_v120/root.yaml b/compliance/frameworks/aws/aws_cis_v120/root.yaml deleted file mode 100755 index d8c208889..000000000 --- a/compliance/frameworks/aws/aws_cis_v120/root.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -ID: aws_cis_v120 -Title: CIS v1.2.0 -Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. -SectionCode: aws_cis_v120 -Children: - - aws_cis_v120_1 - - aws_cis_v120_2 - - aws_cis_v120_3 - - aws_cis_v120_4 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.2.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml new file mode 100644 index 000000000..49e4acecb --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130.yaml @@ -0,0 +1,33 @@ +framework: + id: aws_cis_v130 + title: CIS v1.3.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v130 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v1.3.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v130_1 + - id: aws_cis_v130_2 + - id: aws_cis_v130_3 + - id: aws_cis_v130_4 + - id: aws_cis_v130_5 diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml index 6c46c0a77..432d00f61 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml 
+++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_1.yaml @@ -1,41 +1,46 @@ -ID: aws_cis_v130_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v130_1_1 - - aws_cis_v130_1_2 - - aws_cis_v130_1_3 - - aws_cis_v130_1_4 - - aws_cis_v130_1_5 - - aws_cis_v130_1_7 - - aws_cis_v130_1_8 - - aws_cis_v130_1_10 - - aws_cis_v130_1_11 - - aws_cis_v130_1_12 - - aws_cis_v130_1_13 - - aws_cis_v130_1_14 - - aws_cis_v130_1_15 - - aws_cis_v130_1_16 - - aws_cis_v130_1_17 - - aws_cis_v130_1_18 - - aws_cis_v130_1_19 - - aws_cis_v130_1_20 - - aws_cis_v130_1_21 - - aws_cis_v130_1_22 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v130_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v130_1_1 + - aws_cis_v130_1_2 + - aws_cis_v130_1_3 + - aws_cis_v130_1_4 + - aws_cis_v130_1_5 + - aws_cis_v130_1_7 + - aws_cis_v130_1_8 + - aws_cis_v130_1_10 + - aws_cis_v130_1_11 + - aws_cis_v130_1_12 + - aws_cis_v130_1_13 + - aws_cis_v130_1_14 + - aws_cis_v130_1_15 + - aws_cis_v130_1_16 + - aws_cis_v130_1_17 + - aws_cis_v130_1_18 + - aws_cis_v130_1_19 + - aws_cis_v130_1_20 + - aws_cis_v130_1_21 + - aws_cis_v130_1_22 diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml index 13e37b396..b29df9b30 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2.yaml 
@@ -1,23 +1,28 @@ -ID: aws_cis_v130_2 -Title: Storage -Description: "" -SectionCode: "2" -Children: - - aws_cis_v130_2_1 - - aws_cis_v130_2_2 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v130_2 + title: Storage + description: Storage + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v130_2_1 + - id: aws_cis_v130_2_2 diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml index d0105b2dd..b80c6f214 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_1.yaml @@ -1,23 +1,28 @@ -ID: aws_cis_v130_2_1 -Title: Simple Storage Service (S3) -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v130_2_1_1 - - aws_cis_v130_2_1_2 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_cis_v130_2_1 + title: Simple Storage Service (S3) + description: Simple Storage Service (S3) + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_cis_v130_2_1_1 + - aws_cis_v130_2_1_2 
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml index 6b3968465..bda025a4c 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_2_2.yaml @@ -1,22 +1,27 @@ -ID: aws_cis_v130_2_2 -Title: Elastic Compute Cloud (EC2) -Description: "" -SectionCode: "2" -Children: [] -Controls: - - aws_cis_v130_2_2_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.2" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark +control-group: + id: aws_cis_v130_2_2 + title: Elastic Compute Cloud (EC2) + description: Elastic Compute Cloud (EC2) + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.2" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark + controls: + - aws_cis_v130_2_2_1 diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml index 226318b59..f2e600635 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_3.yaml 
@@ -1,28 +1,33 @@ -ID: aws_cis_v130_3 -Title: Logging -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v130_3_2 - - aws_cis_v130_3_3 - - aws_cis_v130_3_4 - - aws_cis_v130_3_5 - - aws_cis_v130_3_6 - - aws_cis_v130_3_7 - - aws_cis_v130_3_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v130_3 + title: Logging + description: Logging + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v130_3_2 + - aws_cis_v130_3_3 + - aws_cis_v130_3_4 + - aws_cis_v130_3_5 + - aws_cis_v130_3_6 + - aws_cis_v130_3_7 + - aws_cis_v130_3_8 diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml index c9b8df5d8..356f50416 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_4.yaml @@ -1,23 +1,28 @@ -ID: aws_cis_v130_4 -Title: Monitoring -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v130_4_3 - - aws_cis_v130_4_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_cis_v130_4 + title: Monitoring + description: Monitoring + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cis_v130_4_3 + - aws_cis_v130_4_8 
diff --git a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml index e927f9c56..c44b5253e 100755 --- a/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml +++ b/compliance/frameworks/aws/aws_cis_v130/aws_cis_v130_5.yaml @@ -1,23 +1,28 @@ -ID: aws_cis_v130_5 -Title: Networking -Description: "" -SectionCode: "5" -Children: [] -Controls: - - aws_cis_v130_5_2 - - aws_cis_v130_5_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.3.0 - plugin: - - aws - service: - - AWS/VPC - type: - - Benchmark +control-group: + id: aws_cis_v130_5 + title: Networking + description: Networking + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.3.0 + plugin: + - aws + service: + - AWS/VPC + type: + - Benchmark + controls: + - aws_cis_v130_5_2 + - aws_cis_v130_5_4 diff --git a/compliance/frameworks/aws/aws_cis_v130/root.yaml b/compliance/frameworks/aws/aws_cis_v130/root.yaml deleted file mode 100755 index c74136d5d..000000000 --- a/compliance/frameworks/aws/aws_cis_v130/root.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -ID: aws_cis_v130 -Title: CIS v1.3.0 -Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. -SectionCode: aws_cis_v130 -Children: - - aws_cis_v130_1 - - aws_cis_v130_2 - - aws_cis_v130_3 - - aws_cis_v130_4 - - aws_cis_v130_5 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.3.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml new file mode 100644 index 000000000..f12b59cfc --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140.yaml @@ -0,0 +1,33 @@ +framework: + id: aws_cis_v140 + title: CIS v1.4.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v140 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v1.4.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v140_1 + - id: aws_cis_v140_2 + - id: aws_cis_v140_3 + - id: aws_cis_v140_4 + - id: aws_cis_v140_5 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml index d3df30bc2..199121905 100755 
--- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_1.yaml @@ -1,39 +1,44 @@ -ID: aws_cis_v140_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v140_1_1 - - aws_cis_v140_1_2 - - aws_cis_v140_1_3 - - aws_cis_v140_1_4 - - aws_cis_v140_1_5 - - aws_cis_v140_1_7 - - aws_cis_v140_1_10 - - aws_cis_v140_1_11 - - aws_cis_v140_1_12 - - aws_cis_v140_1_13 - - aws_cis_v140_1_14 - - aws_cis_v140_1_15 - - aws_cis_v140_1_16 - - aws_cis_v140_1_17 - - aws_cis_v140_1_18 - - aws_cis_v140_1_19 - - aws_cis_v140_1_20 - - aws_cis_v140_1_21 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v140_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v140_1_1 + - aws_cis_v140_1_2 + - aws_cis_v140_1_3 + - aws_cis_v140_1_4 + - aws_cis_v140_1_5 + - aws_cis_v140_1_7 + - aws_cis_v140_1_10 + - aws_cis_v140_1_11 + - aws_cis_v140_1_12 + - aws_cis_v140_1_13 + - aws_cis_v140_1_14 + - aws_cis_v140_1_15 + - aws_cis_v140_1_16 + - aws_cis_v140_1_17 + - aws_cis_v140_1_18 + - aws_cis_v140_1_19 + - aws_cis_v140_1_20 + - aws_cis_v140_1_21 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml index d869ef00f..2155945b3 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2.yaml 
@@ -1,24 +1,29 @@ -ID: aws_cis_v140_2 -Title: Storage -Description: "" -SectionCode: "2" -Children: - - aws_cis_v140_2_1 - - aws_cis_v140_2_2 - - aws_cis_v140_2_3 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v140_2 + title: Storage + description: Storage + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v140_2_1 + - id: aws_cis_v140_2_2 + - id: aws_cis_v140_2_3 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml index b7cbc6249..4d1875e45 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_1.yaml @@ -1,25 +1,30 @@ -ID: aws_cis_v140_2_1 -Title: Simple Storage Service (S3) -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v140_2_1_1 - - aws_cis_v140_2_1_2 - - aws_cis_v140_2_1_3 - - aws_cis_v140_2_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_cis_v140_2_1 + title: Simple Storage Service (S3) + description: Simple Storage Service (S3) + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_cis_v140_2_1_1 + - aws_cis_v140_2_1_2 + - aws_cis_v140_2_1_3 + - aws_cis_v140_2_1_4 
diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml index 1c95b4798..4d1fe036c 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_2.yaml @@ -1,22 +1,27 @@ -ID: aws_cis_v140_2_2 -Title: Elastic Compute Cloud (EC2) -Description: "" -SectionCode: "2" -Children: [] -Controls: - - aws_cis_v140_2_2_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark +control-group: + id: aws_cis_v140_2_2 + title: Elastic Compute Cloud (EC2) + description: Elastic Compute Cloud (EC2) + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark + controls: + - aws_cis_v140_2_2_1 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml index 0b5d19f2f..b1dc331ce 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_2_3.yaml 
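Review bot: `cis_section_id: - "2.1"` on the new side of aws_cis_v140_2_2 does not match the group it tags: this is section `"2"` under storage section 2, so the value should be `"2.2"`, which is exactly how aws_cis_v130_2_2 earlier in this diff tags itself. The next hunk, aws_cis_v140_2_3 (RDS), carries the same copy-pasted `"2.1"` and should read `"2.3"`. The old side had the same values, so the error is pre-existing, but every tag line is being rewritten here anyway and anything that filters or reports by cis_section_id would otherwise lump the EC2 and RDS groups in with S3's 2.1.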
@@ -1,22 +1,27 @@ -ID: aws_cis_v140_2_3 -Title: Relational Database Service (RDS) -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v140_2_3_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/RDS - type: - - Benchmark +control-group: + id: aws_cis_v140_2_3 + title: Relational Database Service (RDS) + description: Relational Database Service (RDS) + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/RDS + type: + - Benchmark + controls: + - aws_cis_v140_2_3_1 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml index 7ba08fe15..6e01cac7b 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_3.yaml 
@@ -1,29 +1,34 @@ -ID: aws_cis_v140_3 -Title: Logging -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v140_3_2 - - aws_cis_v140_3_3 - - aws_cis_v140_3_4 - - aws_cis_v140_3_5 - - aws_cis_v140_3_6 - - aws_cis_v140_3_7 - - aws_cis_v140_3_8 - - aws_cis_v140_3_9 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v140_3 + title: Logging + description: Logging + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v140_3_2 + - aws_cis_v140_3_3 + - aws_cis_v140_3_4 + - aws_cis_v140_3_5 + - aws_cis_v140_3_6 + - aws_cis_v140_3_7 + - aws_cis_v140_3_8 + - aws_cis_v140_3_9 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml index 50f4d6031..7ac6e89ca 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_4.yaml 
@@ -1,24 +1,29 @@ -ID: aws_cis_v140_4 -Title: Monitoring -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v140_4_5 - - aws_cis_v140_4_7 - - aws_cis_v140_4_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_cis_v140_4 + title: Monitoring + description: Monitoring + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cis_v140_4_5 + - aws_cis_v140_4_7 + - aws_cis_v140_4_8 diff --git a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml index 454293785..717e02d07 100755 --- a/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml +++ b/compliance/frameworks/aws/aws_cis_v140/aws_cis_v140_5.yaml @@ -1,24 +1,29 @@ -ID: aws_cis_v140_5 -Title: Networking -Description: "" -SectionCode: "5" -Children: [] -Controls: - - aws_cis_v140_5_1 - - aws_cis_v140_5_2 - - aws_cis_v140_5_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.4.0 - plugin: - - aws - service: - - AWS/VPC - type: - - Benchmark +control-group: + id: aws_cis_v140_5 + title: Networking + description: Networking + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.4.0 + plugin: + - aws + service: + - AWS/VPC + type: + - Benchmark + controls: + - aws_cis_v140_5_1 + - aws_cis_v140_5_2 + - aws_cis_v140_5_4 
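Review bot: `description: Monitoring` merely repeats `title: Monitoring`, and the same title-as-description filler appears in the Networking hunk on this line and in every other migrated group on the page, where the removed side had `Description: ""`. An empty description at least signalled that none had been written; copying the title hides that gap from whoever renders the framework and from anyone searching for undocumented groups. Either leave the value empty until a real sentence exists or write one that states what the group's controls cover, which the `service` tag (here `AWS/CloudWatch`) already hints at.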
diff --git a/compliance/frameworks/aws/aws_cis_v140/root.yaml b/compliance/frameworks/aws/aws_cis_v140/root.yaml deleted file mode 100755 index 53685d7f6..000000000 --- a/compliance/frameworks/aws/aws_cis_v140/root.yaml +++ /dev/null @@ -1,32 +0,0 @@ -ID: aws_cis_v140 -Title: CIS v1.4.0 -Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. -SectionCode: aws_cis_v140 -Children: - - aws_cis_v140_1 - - aws_cis_v140_2 - - aws_cis_v140_3 - - aws_cis_v140_4 - - aws_cis_v140_5 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.4.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml new file mode 100644 index 000000000..ded300d2f --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150.yaml 
@@ -0,0 +1,33 @@ +framework: + id: aws_cis_v150 + title: CIS v1.5.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v150 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v1.5.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v150_1 + - id: aws_cis_v150_2 + - id: aws_cis_v150_3 + - id: aws_cis_v150_4 + - id: aws_cis_v150_5 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml index 026f0e6df..3d163355f 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_1.yaml 
@@ -1,40 +1,45 @@ -ID: aws_cis_v150_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v150_1_1 - - aws_cis_v150_1_2 - - aws_cis_v150_1_3 - - aws_cis_v150_1_4 - - aws_cis_v150_1_5 - - aws_cis_v150_1_7 - - aws_cis_v150_1_8 - - aws_cis_v150_1_9 - - aws_cis_v150_1_10 - - aws_cis_v150_1_11 - - aws_cis_v150_1_12 - - aws_cis_v150_1_13 - - aws_cis_v150_1_14 - - aws_cis_v150_1_15 - - aws_cis_v150_1_16 - - aws_cis_v150_1_17 - - aws_cis_v150_1_18 - - aws_cis_v150_1_19 - - aws_cis_v150_1_21 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v150_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v150_1_1 + - aws_cis_v150_1_2 + - aws_cis_v150_1_3 + - aws_cis_v150_1_4 + - aws_cis_v150_1_5 + - aws_cis_v150_1_7 + - aws_cis_v150_1_8 + - aws_cis_v150_1_9 + - aws_cis_v150_1_10 + - aws_cis_v150_1_11 + - aws_cis_v150_1_12 + - aws_cis_v150_1_13 + - aws_cis_v150_1_14 + - aws_cis_v150_1_15 + - aws_cis_v150_1_16 + - aws_cis_v150_1_17 + - aws_cis_v150_1_18 + - aws_cis_v150_1_19 + - aws_cis_v150_1_21 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml index 2e57ab1ee..876dadedd 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2.yaml 
@@ -1,25 +1,30 @@ -ID: aws_cis_v150_2 -Title: Storage -Description: "" -SectionCode: "2" -Children: - - aws_cis_v150_2_1 - - aws_cis_v150_2_2 - - aws_cis_v150_2_3 - - aws_cis_v150_2_4 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v150_2 + title: Storage + description: Storage + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v150_2_1 + - id: aws_cis_v150_2_2 + - id: aws_cis_v150_2_3 + - id: aws_cis_v150_2_4 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml index ab9503ac5..e2d4a9511 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_1.yaml 
@@ -1,25 +1,30 @@ -ID: aws_cis_v150_2_1 -Title: Simple Storage Service (S3) -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v150_2_1_1 - - aws_cis_v150_2_1_2 - - aws_cis_v150_2_1_3 - - aws_cis_v150_2_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_cis_v150_2_1 + title: Simple Storage Service (S3) + description: Simple Storage Service (S3) + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_cis_v150_2_1_1 + - aws_cis_v150_2_1_2 + - aws_cis_v150_2_1_3 + - aws_cis_v150_2_1_4 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml index cccd83fcd..f45b81e54 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_2.yaml @@ -1,22 +1,27 @@ -ID: aws_cis_v150_2_2 -Title: Elastic Compute Cloud (EC2) -Description: "" -SectionCode: "2" -Children: [] -Controls: - - aws_cis_v150_2_2_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.2" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark +control-group: + id: aws_cis_v150_2_2 + title: Elastic Compute Cloud (EC2) + description: Elastic Compute Cloud (EC2) + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.2" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark + controls: + - aws_cis_v150_2_2_1 
diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml index 9e5edf3dc..61b53871c 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_3.yaml @@ -1,24 +1,29 @@ -ID: aws_cis_v150_2_3 -Title: Relational Database Service (RDS) -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v150_2_3_1 - - aws_cis_v150_2_3_2 - - aws_cis_v150_2_3_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.3" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/RDS - type: - - Benchmark +control-group: + id: aws_cis_v150_2_3 + title: Relational Database Service (RDS) + description: Relational Database Service (RDS) + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.3" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/RDS + type: + - Benchmark + controls: + - aws_cis_v150_2_3_1 + - aws_cis_v150_2_3_2 + - aws_cis_v150_2_3_3 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml index 90f0b2dfb..28270e938 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_2_4.yaml 
@@ -1,22 +1,27 @@ -ID: aws_cis_v150_2_4 -Title: Elastic File System (EFS) -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v150_2_4_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.4" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/EFS - type: - - Benchmark +control-group: + id: aws_cis_v150_2_4 + title: Elastic File System (EFS) + description: Elastic File System (EFS) + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.4" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/EFS + type: + - Benchmark + controls: + - aws_cis_v150_2_4_1 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml index d6a5389b1..fca9e83a3 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_3.yaml 
@@ -1,29 +1,34 @@ -ID: aws_cis_v150_3 -Title: Logging -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v150_3_2 - - aws_cis_v150_3_3 - - aws_cis_v150_3_4 - - aws_cis_v150_3_5 - - aws_cis_v150_3_6 - - aws_cis_v150_3_7 - - aws_cis_v150_3_8 - - aws_cis_v150_3_9 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v150_3 + title: Logging + description: Logging + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v150_3_2 + - aws_cis_v150_3_3 + - aws_cis_v150_3_4 + - aws_cis_v150_3_5 + - aws_cis_v150_3_6 + - aws_cis_v150_3_7 + - aws_cis_v150_3_8 + - aws_cis_v150_3_9 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml index 32ad9bf90..6622a8c46 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_4.yaml 
@@ -1,25 +1,30 @@ -ID: aws_cis_v150_4 -Title: Monitoring -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v150_4_3 - - aws_cis_v150_4_5 - - aws_cis_v150_4_7 - - aws_cis_v150_4_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_cis_v150_4 + title: Monitoring + description: Monitoring + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cis_v150_4_3 + - aws_cis_v150_4_5 + - aws_cis_v150_4_7 + - aws_cis_v150_4_8 diff --git a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml index 1c61fac00..66c3cf9f1 100755 --- a/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml +++ b/compliance/frameworks/aws/aws_cis_v150/aws_cis_v150_5.yaml @@ -1,25 +1,30 @@ -ID: aws_cis_v150_5 -Title: Networking -Description: "" -SectionCode: "5" -Children: [] -Controls: - - aws_cis_v150_5_2 - - aws_cis_v150_5_3 - - aws_cis_v150_5_4 - - aws_cis_v150_5_5 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - aws - service: - - AWS/VPC - type: - - Benchmark +control-group: + id: aws_cis_v150_5 + title: Networking + description: Networking + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - aws + service: + - AWS/VPC + type: + - Benchmark + controls: + - aws_cis_v150_5_2 + - aws_cis_v150_5_3 + - aws_cis_v150_5_4 + - aws_cis_v150_5_5 
diff --git a/compliance/frameworks/aws/aws_cis_v150/root.yaml b/compliance/frameworks/aws/aws_cis_v150/root.yaml deleted file mode 100755 index 4e1d5d8f9..000000000 --- a/compliance/frameworks/aws/aws_cis_v150/root.yaml +++ /dev/null @@ -1,32 +0,0 @@ -ID: aws_cis_v150 -Title: CIS v1.5.0 -Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. -SectionCode: aws_cis_v150 -Children: - - aws_cis_v150_1 - - aws_cis_v150_2 - - aws_cis_v150_3 - - aws_cis_v150_4 - - aws_cis_v150_5 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.5.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml new file mode 100644 index 000000000..a97b9f70b --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200.yaml 
@@ -0,0 +1,33 @@ +framework: + id: aws_cis_v200 + title: CIS v2.0.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v200 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v2.0.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v200_1 + - id: aws_cis_v200_2 + - id: aws_cis_v200_3 + - id: aws_cis_v200_4 + - id: aws_cis_v200_5 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml index 5e63a7366..6acb80855 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_1.yaml 
@@ -1,40 +1,45 @@ -ID: aws_cis_v200_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v200_1_1 - - aws_cis_v200_1_2 - - aws_cis_v200_1_3 - - aws_cis_v200_1_4 - - aws_cis_v200_1_5 - - aws_cis_v200_1_7 - - aws_cis_v200_1_8 - - aws_cis_v200_1_10 - - aws_cis_v200_1_11 - - aws_cis_v200_1_12 - - aws_cis_v200_1_13 - - aws_cis_v200_1_14 - - aws_cis_v200_1_15 - - aws_cis_v200_1_16 - - aws_cis_v200_1_17 - - aws_cis_v200_1_18 - - aws_cis_v200_1_19 - - aws_cis_v200_1_20 - - aws_cis_v200_1_21 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v200_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v200_1_1 + - aws_cis_v200_1_2 + - aws_cis_v200_1_3 + - aws_cis_v200_1_4 + - aws_cis_v200_1_5 + - aws_cis_v200_1_7 + - aws_cis_v200_1_8 + - aws_cis_v200_1_10 + - aws_cis_v200_1_11 + - aws_cis_v200_1_12 + - aws_cis_v200_1_13 + - aws_cis_v200_1_14 + - aws_cis_v200_1_15 + - aws_cis_v200_1_16 + - aws_cis_v200_1_17 + - aws_cis_v200_1_18 + - aws_cis_v200_1_19 + - aws_cis_v200_1_20 + - aws_cis_v200_1_21 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml index da5c46903..5e2ff6dcd 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2.yaml 
@@ -1,25 +1,30 @@ -ID: aws_cis_v200_2 -Title: Storage -Description: "" -SectionCode: "2" -Children: - - aws_cis_v200_2_1 - - aws_cis_v200_2_2 - - aws_cis_v200_2_3 - - aws_cis_v200_2_4 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v200_2 + title: Storage + description: Storage + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v200_2_1 + - id: aws_cis_v200_2_2 + - id: aws_cis_v200_2_3 + - id: aws_cis_v200_2_4 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml index 2c1c003a8..4afa8ffe7 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_1.yaml 
@@ -1,25 +1,30 @@ -ID: aws_cis_v200_2_1 -Title: Simple Storage Service (S3) -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v200_2_1_1 - - aws_cis_v200_2_1_2 - - aws_cis_v200_2_1_3 - - aws_cis_v200_2_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.1" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_cis_v200_2_1 + title: Simple Storage Service (S3) + description: Simple Storage Service (S3) + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.1" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_cis_v200_2_1_1 + - aws_cis_v200_2_1_2 + - aws_cis_v200_2_1_3 + - aws_cis_v200_2_1_4 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml index fd1fc1053..29c6b6127 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_2.yaml @@ -1,22 +1,27 @@ -ID: aws_cis_v200_2_2 -Title: Elastic Compute Cloud (EC2) -Description: "" -SectionCode: "2" -Children: [] -Controls: - - aws_cis_v200_2_2_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.2" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/EBS - type: - - Benchmark +control-group: + id: aws_cis_v200_2_2 + title: Elastic Compute Cloud (EC2) + description: Elastic Compute Cloud (EC2) + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.2" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/EBS + type: + - Benchmark + controls: + - aws_cis_v200_2_2_1 
diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml index 5019966b7..1eb5d9c30 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_3.yaml @@ -1,24 +1,29 @@ -ID: aws_cis_v200_2_3 -Title: Relational Database Service (RDS) -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v200_2_3_1 - - aws_cis_v200_2_3_2 - - aws_cis_v200_2_3_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.3" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/RDS - type: - - Benchmark +control-group: + id: aws_cis_v200_2_3 + title: Relational Database Service (RDS) + description: Relational Database Service (RDS) + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.3" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/RDS + type: + - Benchmark + controls: + - aws_cis_v200_2_3_1 + - aws_cis_v200_2_3_2 + - aws_cis_v200_2_3_3 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml index 3938ba9c8..4818ac280 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_2_4.yaml 
@@ -1,22 +1,27 @@ -ID: aws_cis_v200_2_4 -Title: Elastic File System (EFS) -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v200_2_4_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2.4" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/EFS - type: - - Benchmark +control-group: + id: aws_cis_v200_2_4 + title: Elastic File System (EFS) + description: Elastic File System (EFS) + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2.4" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/EFS + type: + - Benchmark + controls: + - aws_cis_v200_2_4_1 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml index 9ffc62ba7..116ac059d 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_3.yaml 
@@ -1,29 +1,34 @@ -ID: aws_cis_v200_3 -Title: Logging -Description: "" -SectionCode: "3" -Children: [] -Controls: - - aws_cis_v200_3_2 - - aws_cis_v200_3_3 - - aws_cis_v200_3_4 - - aws_cis_v200_3_5 - - aws_cis_v200_3_6 - - aws_cis_v200_3_7 - - aws_cis_v200_3_8 - - aws_cis_v200_3_9 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v200_3 + title: Logging + description: Logging + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v200_3_2 + - aws_cis_v200_3_3 + - aws_cis_v200_3_4 + - aws_cis_v200_3_5 + - aws_cis_v200_3_6 + - aws_cis_v200_3_7 + - aws_cis_v200_3_8 + - aws_cis_v200_3_9 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml index c07ae90e1..c9df763ef 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_4.yaml 
@@ -1,23 +1,28 @@ -ID: aws_cis_v200_4 -Title: Monitoring -Description: "" -SectionCode: "4" -Children: [] -Controls: - - aws_cis_v200_4_3 - - aws_cis_v200_4_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_cis_v200_4 + title: Monitoring + description: Monitoring + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cis_v200_4_3 + - aws_cis_v200_4_6 diff --git a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml index 3a185c6e0..95cfcb5a5 100755 --- a/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml +++ b/compliance/frameworks/aws/aws_cis_v200/aws_cis_v200_5.yaml @@ -1,26 +1,31 @@ -ID: aws_cis_v200_5 -Title: Networking -Description: "" -SectionCode: "5" -Children: [] -Controls: - - aws_cis_v200_5_2 - - aws_cis_v200_5_3 - - aws_cis_v200_5_4 - - aws_cis_v200_5_5 - - aws_cis_v200_5_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - aws - service: - - AWS/VPC - type: - - Benchmark +control-group: + id: aws_cis_v200_5 + title: Networking + description: Networking + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - aws + service: + - AWS/VPC + type: + - Benchmark + controls: + - aws_cis_v200_5_2 + - aws_cis_v200_5_3 + - aws_cis_v200_5_4 + - aws_cis_v200_5_5 + - aws_cis_v200_5_6 
diff --git a/compliance/frameworks/aws/aws_cis_v200/root.yaml b/compliance/frameworks/aws/aws_cis_v200/root.yaml deleted file mode 100755 index cfec0752a..000000000 --- a/compliance/frameworks/aws/aws_cis_v200/root.yaml +++ /dev/null @@ -1,32 +0,0 @@ -ID: aws_cis_v200 -Title: CIS v2.0.0 -Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. -SectionCode: aws_cis_v200 -Children: - - aws_cis_v200_1 - - aws_cis_v200_2 - - aws_cis_v200_3 - - aws_cis_v200_4 - - aws_cis_v200_5 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v2.0.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml new file mode 100644 index 000000000..35ce5b34a --- /dev/null +++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300.yaml 
@@ -0,0 +1,33 @@ +framework: + id: aws_cis_v300 + title: CIS v3.0.0 + description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. + section-code: aws_cis_v300 + metadata: + defaults: + auto-assign: true + enabled: true + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v3.0.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_cis_v300_1 + - id: aws_cis_v300_2 + - id: aws_cis_v300_3 + - id: aws_cis_v300_4 + - id: aws_cis_v300_5 diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml index b456cfc57..03e5405f5 100755 --- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml +++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_1.yaml 
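Review bot: The new aws_cis_v300 framework sets `auto-assign: true` and `enabled: true`, whereas the aws_cis_v150 and aws_cis_v200 roots added in the same change set both to false and the root.yaml files deleted in this diff all carried `AutoAssign: false` / `Enabled: false`. If the intent is that the current benchmark version is switched on and attached to every account by default while older versions stay opt-in, that is a behaviour change that deserves a comment at the two keys, e.g. `enabled: true  # current CIS AWS benchmark: on by default, older versions opt-in`. It is also worth confirming how the loader reconciles these root values with the child groups, which all carry `enabled: false` and `auto-assign: null`, since the visible files do not say which level wins.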
@@ -1,40 +1,45 @@ -ID: aws_cis_v300_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: [] -Controls: - - aws_cis_v300_1_1 - - aws_cis_v300_1_2 - - aws_cis_v300_1_3 - - aws_cis_v300_1_4 - - aws_cis_v300_1_5 - - aws_cis_v300_1_6 - - aws_cis_v300_1_7 - - aws_cis_v300_1_8 - - aws_cis_v300_1_10 - - aws_cis_v300_1_11 - - aws_cis_v300_1_12 - - aws_cis_v300_1_14 - - aws_cis_v300_1_15 - - aws_cis_v300_1_16 - - aws_cis_v300_1_17 - - aws_cis_v300_1_18 - - aws_cis_v300_1_19 - - aws_cis_v300_1_20 - - aws_cis_v300_1_21 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v3.0.0 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_cis_v300_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v3.0.0 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cis_v300_1_1 + - aws_cis_v300_1_2 + - aws_cis_v300_1_3 + - aws_cis_v300_1_4 + - aws_cis_v300_1_5 + - aws_cis_v300_1_6 + - aws_cis_v300_1_7 + - aws_cis_v300_1_8 + - aws_cis_v300_1_10 + - aws_cis_v300_1_11 + - aws_cis_v300_1_12 + - aws_cis_v300_1_14 + - aws_cis_v300_1_15 + - aws_cis_v300_1_16 + - aws_cis_v300_1_17 + - aws_cis_v300_1_18 + - aws_cis_v300_1_19 + - aws_cis_v300_1_20 + - aws_cis_v300_1_21 diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml index d7322457d..af32b72a1 100755 --- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml +++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2.yaml 
@@ -1,25 +1,30 @@
-ID: aws_cis_v300_2
-Title: Storage
-Description: ""
-SectionCode: "2"
-Children:
- - aws_cis_v300_2_1
- - aws_cis_v300_2_2
- - aws_cis_v300_2_3
- - aws_cis_v300_2_4
-Controls: []
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_2
+ title: Storage
+ description: Storage
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cis_v300_2_1
+ - id: aws_cis_v300_2_2
+ - id: aws_cis_v300_2_3
+ - id: aws_cis_v300_2_4
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
index 11065f18d..5da66f8d1 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_cis_v300_2_1
-Title: Simple Storage Service (S3)
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cis_v300_2_1_1
- - aws_cis_v300_2_1_2
- - aws_cis_v300_2_1_3
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.1"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_2_1
+ title: Simple Storage Service (S3)
+ description: Simple Storage Service (S3)
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.1"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_2_1_1
+ - aws_cis_v300_2_1_2
+ - aws_cis_v300_2_1_3
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
index e558e2329..d95802e1b 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_cis_v300_2_2
-Title: Elastic Compute Cloud (EC2)
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cis_v300_2_2_1
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.2"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_2_2
+ title: Elastic Compute Cloud (EC2)
+ description: Elastic Compute Cloud (EC2)
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.2"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_2_2_1
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
index 9ee5e8403..9b41f1e28 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_3.yaml
@@ -1,24 +1,29 @@
-ID: aws_cis_v300_2_3
-Title: Relational Database Service (RDS)
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - aws_cis_v300_2_3_1
- - aws_cis_v300_2_3_2
- - aws_cis_v300_2_3_3
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.3"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/RDS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_2_3
+ title: Relational Database Service (RDS)
+ description: Relational Database Service (RDS)
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.3"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/RDS
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_2_3_1
+ - aws_cis_v300_2_3_2
+ - aws_cis_v300_2_3_3
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
index 64f2e6e44..67d24a5b4 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_2_4.yaml
@@ -1,22 +1,27 @@
-ID: aws_cis_v300_2_4
-Title: Elastic File System (EFS)
-Description: ""
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cis_v300_2_4_1
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2.4"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/EFS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_2_4
+ title: Elastic File System (EFS)
+ description: Elastic File System (EFS)
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2.4"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/EFS
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_2_4_1
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
index 289c51506..fdccbcb15 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_3.yaml
@@ -1,28 +1,33 @@
-ID: aws_cis_v300_3
-Title: Logging
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - aws_cis_v300_3_2
- - aws_cis_v300_3_3
- - aws_cis_v300_3_4
- - aws_cis_v300_3_5
- - aws_cis_v300_3_6
- - aws_cis_v300_3_8
- - aws_cis_v300_3_9
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_3
+ title: Logging
+ description: Logging
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_3_2
+ - aws_cis_v300_3_3
+ - aws_cis_v300_3_4
+ - aws_cis_v300_3_5
+ - aws_cis_v300_3_6
+ - aws_cis_v300_3_8
+ - aws_cis_v300_3_9
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
index da81b934e..b0cec7981 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_4.yaml
@@ -1,21 +1,25 @@
-ID: aws_cis_v300_4
-Title: Monitoring
-Description: ""
-SectionCode: "4"
-Children: []
-Controls: null
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_4
+ title: Monitoring
+ description: Monitoring
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
index 5bf029cbc..97d411ed0 100755
--- a/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
+++ b/compliance/frameworks/aws/aws_cis_v300/aws_cis_v300_5.yaml
@@ -1,25 +1,30 @@
-ID: aws_cis_v300_5
-Title: Networking
-Description: ""
-SectionCode: "5"
-Children: []
-Controls:
- - aws_cis_v300_5_2
- - aws_cis_v300_5_3
- - aws_cis_v300_5_5
- - aws_cis_v300_5_6
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v3.0.0
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_cis_v300_5
+ title: Networking
+ description: Networking
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v3.0.0
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ controls:
+ - aws_cis_v300_5_2
+ - aws_cis_v300_5_3
+ - aws_cis_v300_5_5
+ - aws_cis_v300_5_6
diff --git a/compliance/frameworks/aws/aws_cis_v300/root.yaml b/compliance/frameworks/aws/aws_cis_v300/root.yaml
deleted file mode 100755
index 3fb16cecf..000000000
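Review bot: The Monitoring group (aws_cis_v300_4) is the only migrated group in this commit that ends up with neither a `controls` nor a `control-group` key; the old file had `Controls: null` and the conversion dropped the key instead of mapping anything. A benchmark section with no controls evaluates to nothing, so a report can present CIS section 4 as clean when it was never assessed, and a strict loader may reject the group if it expects one of the two keys. If no controls are intended yet, make that explicit rather than implicit with `controls: []` and a comment such as `# section 4 (Monitoring) has no mapped controls yet — TODO`; the aws_cis_v300_5 hunk on the same line needs no change.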
--- a/compliance/frameworks/aws/aws_cis_v300/root.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-ID: aws_cis_v300
-Title: CIS v3.0.0
-Description: The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
-SectionCode: aws_cis_v300
-Children:
- - aws_cis_v300_1
- - aws_cis_v300_2
- - aws_cis_v300_3
- - aws_cis_v300_4
- - aws_cis_v300_5
-Controls: []
-Defaults:
- AutoAssign: true
- Enabled: true
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v3.0.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml
new file mode 100644
index 000000000..58f76bad8
--- /dev/null
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials.yaml
@@ -0,0 +1,31 @@
+framework:
+ id: aws_cisa_cyber_essentials
+ title: CISA Cyber Essentials
+ description: CISA's Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
+ section-code: aws_cisa_cyber_essentials
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_your_systems
+ - id: aws_cisa_cyber_essentials_your_surroundings
+ - id: aws_cisa_cyber_essentials_your_data
+ - id: aws_cisa_cyber_essentials_your_crisis_response
+ - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
index 56c209723..3770b2adc 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first.yaml
@@ -1,20 +1,25 @@
-ID: aws_cisa_cyber_essentials_booting_up_things_to_do_first
-Title: 'Booting Up: Things to Do First'
-Description: Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.
-SectionCode: booting_up_things_to_do_first
-Children:
- - aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
- - aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
- - aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
-Controls: []
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_booting_up_things_to_do_first
+ title: "Booting Up: Things to Do First"
+ description: Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.
+ section-code: booting_up_things_to_do_first
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
+ - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
+ - id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml
index 5b189753b..10fc26d6b 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_1.yaml 
@@ -1,34 +1,39 @@
-ID: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
-Title: 'Booting Up: Things to Do First-1'
-Description: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_1
+ title: "Booting Up: Things to Do First-1"
+ description: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
index 07e60c263..229d955a0 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_2.yaml
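Review bot: `aws_ec2_instance_ebs_optimized` is listed as evidence for `Employ a backup solution that automatically and continuously backs up critical data and system configurations`, but by its name that control checks whether an instance is EBS-optimized, an I/O-throughput setting, not whether anything is backed up; the same entry appears in the aws_cisa_cyber_essentials_your_data_4 hunk, which runs past this view. The list is carried over unchanged, so the mismatch is pre-existing, but the schema migration is the natural point to confirm it before the mapping is frozen in the new format. If the mapping is deliberate, a comment above the entry explaining the rationale would save the next reviewer the same question; otherwise `aws_ec2_instance_protected_by_backup_plan`, already in the list, covers the EC2 side and the entry can go.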
@@ -1,21 +1,26 @@
-ID: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
-Title: 'Booting Up: Things to Do First-2'
-Description: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_2
+ title: "Booting Up: Things to Do First-2"
+ description: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
index 5362ad605..ae0dab6aa 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_booting_up_things_to_do_first_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
-Title: 'Booting Up: Things to Do First-3'
-Description: Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_booting_up_things_to_do_first_3
+ title: "Booting Up: Things to Do First-3"
+ description: Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
index 3470428fd..129d94908 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response.yaml
@@ -1,18 +1,23 @@
-ID: aws_cisa_cyber_essentials_your_crisis_response
-Title: Your Crisis Response
-Description: As your strategy for responding to and recovering from compromise, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.
-SectionCode: your_crisis_response
-Children:
- - aws_cisa_cyber_essentials_your_crisis_response_2
-Controls: []
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_crisis_response
+ title: Your Crisis Response
+ description: As your strategy for responding to and recovering from compromise, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.
+ section-code: your_crisis_response
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_your_crisis_response_2
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
index b925bc077..718133f49 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_crisis_response_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_cisa_cyber_essentials_your_crisis_response_2
-Title: Your Crisis Response-2
-Description: Lead development of an internal reporting structure to detect, communicate and contain attacks.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_crisis_response_2
+ title: Your Crisis Response-2
+ description: Lead development of an internal reporting structure to detect, communicate and contain attacks.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
index dfbff956a..96ef8380f 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data.yaml
@@ -1,22 +1,27 @@
-ID: aws_cisa_cyber_essentials_your_data
-Title: Your Data
-Description: Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.
-SectionCode: your_data
-Children:
- - aws_cisa_cyber_essentials_your_data_1
- - aws_cisa_cyber_essentials_your_data_2
- - aws_cisa_cyber_essentials_your_data_3
- - aws_cisa_cyber_essentials_your_data_4
- - aws_cisa_cyber_essentials_your_data_5
-Controls: []
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data
+ title: Your Data
+ description: Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.
+ section-code: your_data
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_your_data_1
+ - id: aws_cisa_cyber_essentials_your_data_2
+ - id: aws_cisa_cyber_essentials_your_data_3
+ - id: aws_cisa_cyber_essentials_your_data_4
+ - id: aws_cisa_cyber_essentials_your_data_5
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml
index 486141952..d808bbd17 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_1.yaml 
@@ -1,35 +1,40 @@
-ID: aws_cisa_cyber_essentials_your_data_1
-Title: Your Data-1
-Description: Learn how your data is protected.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypted_with_cmk
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data_1
+ title: Your Data-1
+ description: Learn how your data is protected.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypted_with_cmk
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
index fbbc1d166..316c9b49e 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_2.yaml
@@ -1,78 +1,83 @@
-ID: aws_cisa_cyber_essentials_your_data_2
-Title: Your Data-2
-Description: Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_efs_file_system_encrypted_with_cmk
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_logs_to_cloudwatch
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data_2
+ title: Your Data-2
+ description: Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_efs_file_system_encrypted_with_cmk
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
index 2dd1b5802..05c73b553 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_cisa_cyber_essentials_your_data_3
-Title: Your Data-3
-Description: Domain name system protection.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_elb_application_lb_waf_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data_3
+ title: Your Data-3
+ description: Domain name system protection.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_waf_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
index 9d9d0db0f..3d7dd24f0 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_4.yaml
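Review bot: `auto-assign: null` under `metadata.defaults` in this control-group file sits in the same diff as framework-level files that write `auto-assign: false` (the aws_fedramp_low_rev_4 framework file further down, for example), so the two layers now carry different literal values for the same key. If `null` is meant to signal "inherit the framework default", nothing in the file says so, and a consumer that distinguishes null from false will behave differently from one that does not. Either write the inherited value explicitly (`auto-assign: false`) or keep `null` and add a comment above it such as `# null → fall back to the framework-level default` so the intent survives the next schema change. The same applies to every other control-group hunk in this chunk (your_data_4, your_data_5, your_surroundings and its four children, your_systems and its three children, aws_fedramp_low_rev_4_ac and ac_17).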
@@ -1,35 +1,40 @@
-ID: aws_cisa_cyber_essentials_your_data_4
-Title: Your Data-4
-Description: Establish regular automated backups and redundancies of key systems.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data_4
+ title: Your Data-4
+ description: Establish regular automated backups and redundancies of key systems.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
index 2ca51a0c5..b2f41f437 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_data_5.yaml
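Review bot: `aws_ec2_instance_ebs_optimized` is listed under a group whose description is "regular automated backups and redundancies of key systems", yet it appears to be an instance throughput setting rather than a backup or redundancy control, so its presence here reads as a mapping oddity. It is carried over unchanged from the old side, so this is a question for the framework owner rather than a defect introduced by the migration. If the mapping is intentional, a one-line comment above the entry stating the rationale would save the next reader the same question.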
@@ -1,19 +1,24 @@
-ID: aws_cisa_cyber_essentials_your_data_5
-Title: Your Data-5
-Description: Leverage protections for backups, including physical security, encryption and offline copies.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_data_5
+ title: Your Data-5
+ description: Leverage protections for backups, including physical security, encryption and offline copies.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
index 68ed761e5..79c01154b 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings.yaml
@@ -1,21 +1,26 @@
-ID: aws_cisa_cyber_essentials_your_surroundings
-Title: Your Surroundings
-Description: As your organization's digital workplace, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.
-SectionCode: your_surroundings
-Children:
- - aws_cisa_cyber_essentials_your_surroundings_1
- - aws_cisa_cyber_essentials_your_surroundings_2
- - aws_cisa_cyber_essentials_your_surroundings_3
- - aws_cisa_cyber_essentials_your_surroundings_4
-Controls: []
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_surroundings
+ title: Your Surroundings
+ description: As your organization's digital workplace, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.
+ section-code: your_surroundings
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_your_surroundings_1
+ - id: aws_cisa_cyber_essentials_your_surroundings_2
+ - id: aws_cisa_cyber_essentials_your_surroundings_3
+ - id: aws_cisa_cyber_essentials_your_surroundings_4
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
index 8d053a977..18849c9e5 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_cisa_cyber_essentials_your_surroundings_1
-Title: Your Surroundings-1
-Description: Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
-SectionCode: "1"
-Children: []
-Controls:
- - aws_vpc_eip_associated
- - aws_vpc_flow_logs_enabled
- - aws_vpc_network_acl_unused
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_surroundings_1
+ title: Your Surroundings-1
+ description: Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_eip_associated
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_network_acl_unused
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
index 3b8e74568..899c61594 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_2.yaml
@@ -1,21 +1,26 @@
-ID: aws_cisa_cyber_essentials_your_surroundings_2
-Title: Your Surroundings-2
-Description: Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_surroundings_2
+ title: Your Surroundings-2
+ description: Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
index 17b5c6139..aa469e90b 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_3.yaml
@@ -1,21 +1,26 @@
-ID: aws_cisa_cyber_essentials_your_surroundings_3
-Title: Your Surroundings-3
-Description: Grant access and admin permissions based on need-to-know and least privilege.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_surroundings_3
+ title: Your Surroundings-3
+ description: Grant access and admin permissions based on need-to-know and least privilege.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
index c05d8d2cd..689790372 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_surroundings_4.yaml
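Review bot: `aws_elb_application_network_lb_use_ssl_certificate` is the first entry under a group described as "Grant access and admin permissions based on need-to-know and least privilege", while the three IAM controls beside it fit that description; a load-balancer certificate check looks out of place in a least-privilege group. It is carried over from the old side, so this is a mapping question rather than something the migration broke, but a short comment above that entry explaining why it belongs here — or moving it to a transport-security group — would make the intent clear.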
@@ -1,18 +1,23 @@
-ID: aws_cisa_cyber_essentials_your_surroundings_4
-Title: Your Surroundings-4
-Description: Leverage unique passwords for all user accounts.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_surroundings_4
+ title: Your Surroundings-4
+ description: Leverage unique passwords for all user accounts.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
index d169e7ee6..723508fd6 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems.yaml
@@ -1,20 +1,25 @@
-ID: aws_cisa_cyber_essentials_your_systems
-Title: Your Systems
-Description: As the infrastructure that makes your organization operational, your systems are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.
-SectionCode: your_systems
-Children:
- - aws_cisa_cyber_essentials_your_systems_1
- - aws_cisa_cyber_essentials_your_systems_2
- - aws_cisa_cyber_essentials_your_systems_3
-Controls: []
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_systems
+ title: Your Systems
+ description: As the infrastructure that makes your organization operational, your systems are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.
+ section-code: your_systems
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_cisa_cyber_essentials_your_systems_1
+ - id: aws_cisa_cyber_essentials_your_systems_2
+ - id: aws_cisa_cyber_essentials_your_systems_3
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
index d46a1ef71..d1b98a2ba 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_cisa_cyber_essentials_your_systems_1
-Title: Your Systems-1
-Description: Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_vpc_eip_associated
- - aws_vpc_network_acl_unused
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_systems_1
+ title: Your Systems-1
+ description: Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - aws_vpc_eip_associated
+ - aws_vpc_network_acl_unused
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
index c03c50afb..9b5673ff2 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_cisa_cyber_essentials_your_systems_2
-Title: Your Systems-2
-Description: Leverage automatic updates for all operating systems and third-party software.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_systems_2
+ title: Your Systems-2
+ description: Leverage automatic updates for all operating systems and third-party software.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
index c13ca605b..1f0c7f6ba 100755
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
+++ b/compliance/frameworks/aws/aws_cisa_cyber_essentials/aws_cisa_cyber_essentials_your_systems_3.yaml
@@ -1,121 +1,126 @@
-ID: aws_cisa_cyber_essentials_your_systems_3
-Title: Your Systems-3
-Description: Implement security configurations for all hardware and software assets.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_apigateway_stage_use_waf_web_acl
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_protected_by_backup_plan
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_efs_file_system_encrypted_with_cmk
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_logs_to_cloudwatch
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_versioning_enabled
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_unused_90_day
- - aws_securityhub_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_cisa_cyber_essentials_your_systems_3
+ title: Your Systems-3
+ description: Implement security configurations for all hardware and software assets.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cisa_cyber_essentials:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_efs_file_system_encrypted_with_cmk
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_guardduty_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_bucket_versioning_enabled
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_last_changed_90_day
+ - aws_secretsmanager_secret_unused_90_day
+ - aws_securityhub_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_cisa_cyber_essentials/root.yaml b/compliance/frameworks/aws/aws_cisa_cyber_essentials/root.yaml
deleted file mode 100755
index bad640e21..000000000
--- a/compliance/frameworks/aws/aws_cisa_cyber_essentials/root.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-ID: aws_cisa_cyber_essentials
-Title: CISA Cyber Essentials
-Description: CISA's Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
-SectionCode: aws_cisa_cyber_essentials
-Children:
- - aws_cisa_cyber_essentials_your_systems
- - aws_cisa_cyber_essentials_your_surroundings
- - aws_cisa_cyber_essentials_your_data
- - aws_cisa_cyber_essentials_your_crisis_response
- - aws_cisa_cyber_essentials_booting_up_things_to_do_first
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- cisa_cyber_essentials:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml
new file mode 100644
index 000000000..e3274266f
--- /dev/null
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4.yaml
@@ -0,0 +1,35 @@
+framework:
+ id: aws_fedramp_low_rev_4
+ title: FedRAMP Low Revision 4
+ description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
+ section-code: aws_fedramp_low_rev_4
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_low_rev_4_ac
+ - id: aws_fedramp_low_rev_4_au
+ - id: aws_fedramp_low_rev_4_ca
+ - id: aws_fedramp_low_rev_4_cm
+ - id: aws_fedramp_low_rev_4_cp
+ - id: aws_fedramp_low_rev_4_ia
+ - id: aws_fedramp_low_rev_4_ir
+ - id: aws_fedramp_low_rev_4_sa
+ - id: aws_fedramp_low_rev_4_sc
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml
index d4fe5d734..4b2a67ff4 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac.yaml
@@ -1,20 +1,25 @@ -ID: aws_fedramp_low_rev_4_ac -Title: benchmark.nist_800_53_rev_4_ac.title -Description: benchmark.nist_800_53_rev_4_ac.description -SectionCode: ac -Children: - - aws_fedramp_low_rev_4_ac_2 - - aws_fedramp_low_rev_4_ac_3 - - aws_fedramp_low_rev_4_ac_17 -Controls: [] -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ac + title: benchmark.nist_800_53_rev_4_ac.title + description: benchmark.nist_800_53_rev_4_ac.description + section-code: ac + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_low_rev_4_ac_2 + - id: aws_fedramp_low_rev_4_ac_3 + - id: aws_fedramp_low_rev_4_ac_17 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml index b545e2e10..30043ea99 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_17.yaml 
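Review bot: `auto-assign: null` under `metadata.defaults` is a bare null where the new framework root in the preceding hunk (`aws_fedramp_low_rev_4.yaml`) sets `auto-assign: false` for the same key, so the loader now has to distinguish "unset/inherit" from "off" for a field the old `ID`/`Children` schema did not carry on groups at all. If null is meant to inherit the framework value, say so next to it, e.g. `# null: inherit auto-assign from the parent framework (false pins it off)`; if not, write `auto-assign: false` to match the root. The same bare null appears in every control-group hunk that follows in this file set (ac_17, ac_2, ac_3, au, au_11, au_2, au_9, ca, ca_7, cm, cm_2, cm_8, cp, cp_10), so whichever reading is intended should be settled once and applied uniformly.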
@@ -1,47 +1,52 @@ -ID: aws_fedramp_low_rev_4_ac_17 -Title: benchmark.nist_800_53_rev_4_ac_17.title -Description: benchmark.nist_800_53_rev_4_ac_17.description -SectionCode: "17" -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_guardduty_enabled - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_securityhub_enabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ac_17 + title: benchmark.nist_800_53_rev_4_ac_17.title + description: benchmark.nist_800_53_rev_4_ac_17.description + section-code: "17" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + 
fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_guardduty_enabled + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_securityhub_enabled + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml index 97a3c7609..74f41265d 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_2.yaml 
@@ -1,46 +1,51 @@ -ID: aws_fedramp_low_rev_4_ac_2 -Title: benchmark.nist_800_53_rev_4_ac_2.title -Description: benchmark.nist_800_53_rev_4_ac_2.description -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ecs_task_definition_user_for_host_mode_check - - aws_es_domain_logs_to_cloudwatch - - aws_guardduty_enabled - - aws_iam_account_password_policy_min_length_14 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ac_2 + title: benchmark.nist_800_53_rev_4_ac_2.title + description: benchmark.nist_800_53_rev_4_ac_2.description + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - 
aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ecs_task_definition_user_for_host_mode_check + - aws_es_domain_logs_to_cloudwatch + - aws_guardduty_enabled + - aws_iam_account_password_policy_min_length_14 + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml index 73f726baf..cf9b67b91 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ac_3.yaml 
@@ -1,44 +1,49 @@ -ID: aws_fedramp_low_rev_4_ac_3 -Title: Access Enforcement (AC-3) -Description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. -SectionCode: "3" -Children: [] -Controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ac_3 + title: Access Enforcement (AC-3) + description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_uses_imdsv2 + - aws_ecs_task_definition_user_for_host_mode_check + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml index 67adba8f0..3e410de71 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au.yaml 
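Review bot: `title: Access Enforcement (AC-3)` and its literal `description` sit beside sibling groups whose `title`/`description` are lookup keys (`benchmark.nist_800_53_rev_4_ac.title`, `benchmark.nist_800_53_rev_4_ac_17.title` in the hunks above), and the migration to the `control-group:` schema carried both conventions over unchanged, so the rendered framework will mix resolved and hard-coded text unless the consumer handles both forms. The same literal form recurs in the au_11 and au_2 hunks below. If the literals are deliberate, a one-line comment above `title:` such as `# literal title/description: no benchmark.nist_800_53_rev_4_* key is available for this control — confirm` records the reason; otherwise switch them to the `benchmark.nist_800_53_rev_4_<family>_<n>.title` pattern the other groups use.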
@@ -1,20 +1,25 @@ -ID: aws_fedramp_low_rev_4_au -Title: benchmark.nist_800_53_rev_4_au.title -Description: benchmark.nist_800_53_rev_4_au.description -SectionCode: au -Children: - - aws_fedramp_low_rev_4_au_2 - - aws_fedramp_low_rev_4_au_9 - - aws_fedramp_low_rev_4_au_11 -Controls: [] -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_au + title: benchmark.nist_800_53_rev_4_au.title + description: benchmark.nist_800_53_rev_4_au.description + section-code: au + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_low_rev_4_au_2 + - id: aws_fedramp_low_rev_4_au_9 + - id: aws_fedramp_low_rev_4_au_11 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml index 260e96ed1..672b7920a 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_11.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_low_rev_4_au_11 -Title: Audit Record Retention (AU-11) -Description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. -SectionCode: "11" -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_au_11 + title: Audit Record Retention (AU-11) + description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. + section-code: "11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml index 4789504d5..da5885923 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_2.yaml 
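Review bot: The description promises audit records are retained "for at least 90 days", but the only entry under `controls:` is `aws_cloudwatch_log_group_retention_period_365`, so the group passes or fails on a 365-day threshold and only for CloudWatch log groups; a reader of the group text will expect a 90-day check, and no control in this group covers audit records delivered elsewhere. The mismatch predates the commit, but the schema migration rewrote every line of the file without reconciling it. Either state the real threshold in `description`, or record the decision above `controls:`, e.g. `# 365-day CloudWatch retention is used as a stricter proxy for the 90-day AU-11 floor — confirm intent`.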
@@ -1,28 +1,33 @@ -ID: aws_fedramp_low_rev_4_au_2 -Title: Audit Events (AU-2) -Description: 'The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents.' -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_au_2 + title: Audit Events (AU-2) + description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml index 3184db3b7..f7d4c9a07 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_au_9.yaml 
@@ -1,22 +1,27 @@ -ID: aws_fedramp_low_rev_4_au_9 -Title: benchmark.nist_800_53_rev_4_au_9.title -Description: benchmark.nist_800_53_rev_4_au_9.description -SectionCode: "9" -Children: [] -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_au_9 + title: benchmark.nist_800_53_rev_4_au_9.title + description: benchmark.nist_800_53_rev_4_au_9.description + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml index df8a2c527..01a1b565a 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_low_rev_4_ca -Title: benchmark.nist_800_53_rev_4_ca.title -Description: benchmark.nist_800_53_rev_4_ca.description -SectionCode: ca -Children: - - aws_fedramp_low_rev_4_ca_7 -Controls: [] -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ca + title: benchmark.nist_800_53_rev_4_ca.title + description: benchmark.nist_800_53_rev_4_ca.description + section-code: ca + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_low_rev_4_ca_7 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml index fe5c45f80..32656e800 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ca_7.yaml 
@@ -1,31 +1,36 @@ -ID: aws_fedramp_low_rev_4_ca_7 -Title: benchmark.nist_800_53_rev_4_ca_7.title -Description: benchmark.nist_800_53_rev_4_ca_7.description -SectionCode: "7" -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_lb_waf_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_ca_7 + title: benchmark.nist_800_53_rev_4_ca_7.title + description: benchmark.nist_800_53_rev_4_ca_7.description + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_elb_application_lb_waf_enabled + - aws_guardduty_enabled + - aws_lambda_function_concurrent_execution_limit_configured + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_redshift_cluster_encryption_logging_enabled + - 
aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml index 45e5c0a45..e9c90fa09 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm.yaml @@ -1,19 +1,24 @@ -ID: aws_fedramp_low_rev_4_cm -Title: benchmark.nist_800_53_rev_4_cm.title -Description: benchmark.nist_800_53_rev_4_cm.description -SectionCode: cm -Children: - - aws_fedramp_low_rev_4_cm_2 - - aws_fedramp_low_rev_4_cm_8 -Controls: [] -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_cm + title: benchmark.nist_800_53_rev_4_cm.title + description: benchmark.nist_800_53_rev_4_cm.description + section-code: cm + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_low_rev_4_cm_2 + - id: aws_fedramp_low_rev_4_cm_8 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml index f8ab51240..0d1b4d949 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_2.yaml 
@@ -1,46 +1,51 @@ -ID: aws_fedramp_low_rev_4_cm_2 -Title: benchmark.nist_800_53_rev_4_cm_2.title -Description: benchmark.nist_800_53_rev_4_cm_2.description -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_unused - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_cm_2 + title: benchmark.nist_800_53_rev_4_cm_2.title + description: benchmark.nist_800_53_rev_4_cm_2.description + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" 
+ plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_use_waf_web_acl + - aws_autoscaling_launch_config_public_ip_disabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ebs_volume_unused + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_route_table_restrict_public_access_to_igw + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml index 0639d0152..4b71c4717 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cm_8.yaml 
@@ -1,21 +1,26 @@ -ID: aws_fedramp_low_rev_4_cm_8 -Title: benchmark.nist_800_53_rev_4_cm_8.title -Description: benchmark.nist_800_53_rev_4_cm_8.description -SectionCode: "8" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_cm_8 + title: benchmark.nist_800_53_rev_4_cm_8.title + description: benchmark.nist_800_53_rev_4_cm_8.description + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_guardduty_enabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml index 672c6afd0..911c8ac91 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp.yaml 
@@ -1,19 +1,24 @@ -ID: aws_fedramp_low_rev_4_cp -Title: benchmark.nist_800_53_rev_4_cp.title -Description: benchmark.nist_800_53_rev_4_cp.description -SectionCode: cp -Children: - - aws_fedramp_low_rev_4_cp_9 - - aws_fedramp_low_rev_4_cp_10 -Controls: [] -Tags: - category: - - Compliance - fedramp_low_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_low_rev_4_cp + title: benchmark.nist_800_53_rev_4_cp.title + description: benchmark.nist_800_53_rev_4_cp.description + section-code: cp + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_low_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_low_rev_4_cp_9 + - id: aws_fedramp_low_rev_4_cp_10 diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml index dc18d093f..6fb8f8cbd 100755 --- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml +++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_10.yaml 
@@ -1,37 +1,42 @@
-ID: aws_fedramp_low_rev_4_cp_10
-Title: benchmark.nist_800_53_rev_4_cp_10.title
-Description: benchmark.nist_800_53_rev_4_cp_10.description
-SectionCode: "10"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_cp_10
+ title: benchmark.nist_800_53_rev_4_cp_10.title
+ description: benchmark.nist_800_53_rev_4_cp_10.description
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
index 15f1d42a4..09def2617 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_cp_9.yaml
@@ -1,31 +1,36 @@
-ID: aws_fedramp_low_rev_4_cp_9
-Title: benchmark.nist_800_53_rev_4_cp_9.title
-Description: benchmark.nist_800_53_rev_4_cp_9.description
-SectionCode: "9"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_cp_9
+ title: benchmark.nist_800_53_rev_4_cp_9.title
+ description: benchmark.nist_800_53_rev_4_cp_9.description
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
index 37ac7b75d..a0b95b9d8 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_low_rev_4_ia
-Title: benchmark.nist_800_53_rev_4_ia.title
-Description: benchmark.nist_800_53_rev_4_ia.description
-SectionCode: ia
-Children:
- - aws_fedramp_low_rev_4_ia_2
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_ia
+ title: benchmark.nist_800_53_rev_4_ia.title
+ description: benchmark.nist_800_53_rev_4_ia.description
+ section-code: ia
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_low_rev_4_ia_2
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
index 9e5807cd0..a98072540 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ia_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_fedramp_low_rev_4_ia_2
-Title: benchmark.nist_800_53_rev_4_ia_2.title
-Description: benchmark.nist_800_53_rev_4_ia_2.description
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_ia_2
+ title: benchmark.nist_800_53_rev_4_ia_2.title
+ description: benchmark.nist_800_53_rev_4_ia_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
index 46ca28bce..6e43acdc2 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_low_rev_4_ir
-Title: benchmark.nist_800_53_rev_4_ir.title
-Description: benchmark.nist_800_53_rev_4_ir.description
-SectionCode: ir
-Children:
- - aws_fedramp_low_rev_4_ir_4
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_ir
+ title: benchmark.nist_800_53_rev_4_ir.title
+ description: benchmark.nist_800_53_rev_4_ir.description
+ section-code: ir
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_low_rev_4_ir_4
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
index 0ea3735ff..f07329701 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_ir_4.yaml
@@ -1,22 +1,27 @@
-ID: aws_fedramp_low_rev_4_ir_4
-Title: benchmark.nist_800_53_rev_4_ir_4.title
-Description: benchmark.nist_800_53_rev_4_ir_4.description
-SectionCode: "4"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_ir_4
+ title: benchmark.nist_800_53_rev_4_ir_4.title
+ description: benchmark.nist_800_53_rev_4_ir_4.description
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
index 3cf69c2d8..2f873f377 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_low_rev_4_sa
-Title: benchmark.nist_800_53_rev_4_sa.title
-Description: benchmark.nist_800_53_rev_4_sa.description
-SectionCode: sa
-Children:
- - aws_fedramp_low_rev_4_sa_3
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sa
+ title: benchmark.nist_800_53_rev_4_sa.title
+ description: benchmark.nist_800_53_rev_4_sa.description
+ section-code: sa
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_low_rev_4_sa_3
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
index 45e564203..752b90a4a 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sa_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_low_rev_4_sa_3
-Title: benchmark.nist_800_53_rev_4_sa_3.title
-Description: benchmark.nist_800_53_rev_4_sa_3.description
-SectionCode: "3"
-Children: []
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sa_3
+ title: benchmark.nist_800_53_rev_4_sa_3.title
+ description: benchmark.nist_800_53_rev_4_sa_3.description
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
index 7129d606c..8d195a387 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc.yaml
@@ -1,21 +1,26 @@
-ID: aws_fedramp_low_rev_4_sc
-Title: benchmark.nist_800_53_rev_4_sc.title
-Description: benchmark.nist_800_53_rev_4_sc.description
-SectionCode: sc
-Children:
- - aws_fedramp_low_rev_4_sc_5
- - aws_fedramp_low_rev_4_sc_7
- - aws_fedramp_low_rev_4_sc_12
- - aws_fedramp_low_rev_4_sc_13
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sc
+ title: benchmark.nist_800_53_rev_4_sc.title
+ description: benchmark.nist_800_53_rev_4_sc.description
+ section-code: sc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_low_rev_4_sc_5
+ - id: aws_fedramp_low_rev_4_sc_7
+ - id: aws_fedramp_low_rev_4_sc_12
+ - id: aws_fedramp_low_rev_4_sc_13
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
index ae39df7f4..b55db059a 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_12.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_low_rev_4_sc_12
-Title: benchmark.nist_800_53_rev_4_sc_12.title
-Description: benchmark.nist_800_53_rev_4_sc_12.description
-SectionCode: "12"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sc_12
+ title: benchmark.nist_800_53_rev_4_sc_12.title
+ description: benchmark.nist_800_53_rev_4_sc_12.description
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
index d2a14eeeb..419e95eae 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_13.yaml
@@ -1,23 +1,28 @@
-ID: aws_fedramp_low_rev_4_sc_13
-Title: Use of Cryptography (SC-13)
-Description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
-SectionCode: "13"
-Children: []
-Controls:
- - aws_kms_key_not_pending_deletion
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sc_13
+ title: Use of Cryptography (SC-13)
+ description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_kms_key_not_pending_deletion
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
index 69b4756e7..ad27a27a7 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_5.yaml
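Review bot: The SC-13 group keeps a literal `title` and `description` while every sibling control group in this diff references `benchmark.nist_800_53_rev_4_<section>.title` / `.description` catalogue keys, and the rewrite carries that outlier into the new format unchanged. Since the file is being regenerated anyway, this is the moment to either point it at the same catalogue pattern (if an sc_13 entry exists there) or, if the literal text is deliberate, wrap the description in a folded scalar (`description: >-` with the sentence on the following indented lines) so it stays under the line-length limit and diffs cleanly. A short comment such as `# literal text: no nist_800_53_rev_4 catalogue entry for SC-13` would explain the exception to readers of this one file.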
@@ -1,32 +1,37 @@
-ID: aws_fedramp_low_rev_4_sc_5
-Title: benchmark.nist_800_53_rev_4_sc_5.title
-Description: benchmark.nist_800_53_rev_4_sc_5.description
-SectionCode: "5"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sc_5
+ title: benchmark.nist_800_53_rev_4_sc_5.title
+ description: benchmark.nist_800_53_rev_4_sc_5.description
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
index 3b0ee1879..2bd68cec8 100755
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_low_rev_4/aws_fedramp_low_rev_4_sc_7.yaml
@@ -1,46 +1,51 @@
-ID: aws_fedramp_low_rev_4_sc_7
-Title: benchmark.nist_800_53_rev_4_sc_7.title
-Description: benchmark.nist_800_53_rev_4_sc_7.description
-SectionCode: "7"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_low_rev_4_sc_7
+ title: benchmark.nist_800_53_rev_4_sc_7.title
+ description: benchmark.nist_800_53_rev_4_sc_7.description
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_low_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_low_rev_4/root.yaml b/compliance/frameworks/aws/aws_fedramp_low_rev_4/root.yaml
deleted file mode 100755
index 7ff820e5c..000000000
--- a/compliance/frameworks/aws/aws_fedramp_low_rev_4/root.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ID: aws_fedramp_low_rev_4
-Title: FedRAMP Low Revision 4
-Description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
-SectionCode: aws_fedramp_low_rev_4
-Children:
- - aws_fedramp_low_rev_4_ac
- - aws_fedramp_low_rev_4_au
- - aws_fedramp_low_rev_4_ca
- - aws_fedramp_low_rev_4_cm
- - aws_fedramp_low_rev_4_cp
- - aws_fedramp_low_rev_4_ia
- - aws_fedramp_low_rev_4_ir
- - aws_fedramp_low_rev_4_sa
- - aws_fedramp_low_rev_4_sc
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- fedramp_low_rev_4:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml
new file mode 100644
index 000000000..0cb27a858
--- /dev/null
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4.yaml
@@ -0,0 +1,37 @@
+framework:
+ id: aws_fedramp_moderate_rev_4
+ title: FedRAMP Moderate Revision 4
+ description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services.
+ section-code: aws_fedramp_moderate_rev_4
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac
+ - id: aws_fedramp_moderate_rev_4_au
+ - id: aws_fedramp_moderate_rev_4_ca
+ - id: aws_fedramp_moderate_rev_4_cm
+ - id: aws_fedramp_moderate_rev_4_cp
+ - id: aws_fedramp_moderate_rev_4_ia
+ - id: aws_fedramp_moderate_rev_4_ir
+ - id: aws_fedramp_moderate_rev_4_ra
+ - id: aws_fedramp_moderate_rev_4_sa
+ - id: aws_fedramp_moderate_rev_4_sc
+ - id: aws_fedramp_moderate_rev_4_si
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
index 2e39132a2..218f8cf7c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac.yaml
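Review bot: This new framework file is the only place the `platform_benchmark_type` and `platform_category` tags survive, the same two tags the deleted `root.yaml` of the low baseline carried, and the replacement `aws_fedramp_low_rev_4.yaml` is not in this part of the diff; confirm it exists and carries those tags plus `auto-assign: false`, otherwise the low framework silently drops out of the platform catalogue while its control-group files were all migrated. The nested `control-group:` list is a list of `- id:` mappings that resolve to sibling files, whereas `controls:` lists in the child files are bare strings; a comment on the key, `# ids of child control-group files in this directory`, would document the indirection for someone reading this file alone. The `description` is one very long plain scalar; `description: >-` with the text on indented continuation lines keeps the same value and stays within the line-length limit.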
@@ -1,24 +1,29 @@
-ID: aws_fedramp_moderate_rev_4_ac
-Title: benchmark.nist_800_53_rev_4_ac.title
-Description: benchmark.nist_800_53_rev_4_ac.description
-SectionCode: ac
-Children:
- - aws_fedramp_moderate_rev_4_ac_2
- - aws_fedramp_moderate_rev_4_ac_3
- - aws_fedramp_moderate_rev_4_ac_4
- - aws_fedramp_moderate_rev_4_ac_5
- - aws_fedramp_moderate_rev_4_ac_6
- - aws_fedramp_moderate_rev_4_ac_17
- - aws_fedramp_moderate_rev_4_ac_21
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac
+ title: benchmark.nist_800_53_rev_4_ac.title
+ description: benchmark.nist_800_53_rev_4_ac.description
+ section-code: ac
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac_2
+ - id: aws_fedramp_moderate_rev_4_ac_3
+ - id: aws_fedramp_moderate_rev_4_ac_4
+ - id: aws_fedramp_moderate_rev_4_ac_5
+ - id: aws_fedramp_moderate_rev_4_ac_6
+ - id: aws_fedramp_moderate_rev_4_ac_17
+ - id: aws_fedramp_moderate_rev_4_ac_21
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
index 84d9a3cd0..6b6cfca8c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17.yaml
@@ -1,19 +1,24 @@
-ID: aws_fedramp_moderate_rev_4_ac_17
-Title: benchmark.nist_800_53_rev_4_ac_17.title
-Description: benchmark.nist_800_53_rev_4_ac_17.description
-SectionCode: "17"
-Children:
- - aws_fedramp_moderate_rev_4_ac_17_1
- - aws_fedramp_moderate_rev_4_ac_17_2
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_17
+ title: benchmark.nist_800_53_rev_4_ac_17.title
+ description: benchmark.nist_800_53_rev_4_ac_17.description
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac_17_1
+ - id: aws_fedramp_moderate_rev_4_ac_17_2
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
index 54864751c..fe024d4eb 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_1.yaml
@@ -1,40 +1,45 @@
-ID: aws_fedramp_moderate_rev_4_ac_17_1
-Title: benchmark.nist_800_53_rev_4_ac_17_1.title
-Description: benchmark.nist_800_53_rev_4_ac_17_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_guardduty_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_securityhub_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_17_1
+ title: benchmark.nist_800_53_rev_4_ac_17_1.title
+ description: benchmark.nist_800_53_rev_4_ac_17_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_guardduty_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_securityhub_enabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
index c98c6e161..1b8359b75 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_17_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_fedramp_moderate_rev_4_ac_17_2
-Title: benchmark.nist_800_53_rev_4_ac_17_2.title
-Description: benchmark.nist_800_53_rev_4_ac_17_2.description
-SectionCode: "2"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_17_2
+ title: benchmark.nist_800_53_rev_4_ac_17_2.title
+ description: benchmark.nist_800_53_rev_4_ac_17_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
index 3707090f9..55ba516cd 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2.yaml
@@ -1,24 +1,29 @@
-ID: aws_fedramp_moderate_rev_4_ac_2
-Title: benchmark.nist_800_53_rev_4_ac_2.title
-Description: benchmark.nist_800_53_rev_4_ac_2.description
-SectionCode: "2"
-Children:
- - aws_fedramp_moderate_rev_4_ac_2_1
- - aws_fedramp_moderate_rev_4_ac_2_4
- - aws_fedramp_moderate_rev_4_ac_2_12
- - aws_fedramp_moderate_rev_4_ac_2_f
- - aws_fedramp_moderate_rev_4_ac_2_g
- - aws_fedramp_moderate_rev_4_ac_2_j
- - aws_fedramp_moderate_rev_4_ac_2_3
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2
+ title: benchmark.nist_800_53_rev_4_ac_2.title
+ description: benchmark.nist_800_53_rev_4_ac_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac_2_1
+ - id: aws_fedramp_moderate_rev_4_ac_2_4
+ - id: aws_fedramp_moderate_rev_4_ac_2_12
+ - id: aws_fedramp_moderate_rev_4_ac_2_f
+ - id: aws_fedramp_moderate_rev_4_ac_2_g
+ - id: aws_fedramp_moderate_rev_4_ac_2_j
+ - id: aws_fedramp_moderate_rev_4_ac_2_3
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
index f9c62d9cf..eec97f6cb 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ac_21
-Title: benchmark.nist_800_53_rev_4_ac_21.title
-Description: benchmark.nist_800_53_rev_4_ac_21.description
-SectionCode: "21"
-Children:
- - aws_fedramp_moderate_rev_4_ac_21_b
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_21
+ title: benchmark.nist_800_53_rev_4_ac_21.title
+ description: benchmark.nist_800_53_rev_4_ac_21.description
+ section-code: "21"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac_21_b
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
index 4aaa8d5ef..348d28585 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_21_b.yaml
@@ -1,36 +1,41 @@
-ID: aws_fedramp_moderate_rev_4_ac_21_b
-Title: AC-21(b)
-Description: 'The organization: b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.'
-SectionCode: b
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_21_b
+ title: AC-21(b)
+ description: "The organization: b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
index cf9564b96..8b37c213e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_1.yaml
@@ -1,31 +1,36 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_1
-Title: benchmark.nist_800_53_rev_4_ac_2_1.title
-Description: benchmark.nist_800_53_rev_4_ac_2_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_1
+ title: benchmark.nist_800_53_rev_4_ac_2_1.title
+ description: benchmark.nist_800_53_rev_4_ac_2_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
index 5ac4fcd37..1eb2621e4 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_12
-Title: benchmark.nist_800_53_rev_4_ac_2_12.title
-Description: benchmark.nist_800_53_rev_4_ac_2_12.description
-SectionCode: "12"
-Children:
- - aws_fedramp_moderate_rev_4_ac_2_12_a
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_12
+ title: benchmark.nist_800_53_rev_4_ac_2_12.title
+ description: benchmark.nist_800_53_rev_4_ac_2_12.description
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ac_2_12_a
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
index 0126b3706..3b7d728ac 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_12_a.yaml
@@ -1,19 +1,24 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_12_a
-Title: AC-2(12)(a)
-Description: 'The organization: a. Monitors information system accounts for [Assignment: organization-defined atypical use].'
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_12_a
+ title: AC-2(12)(a)
+ description: "The organization: a. Monitors information system accounts for [Assignment: organization-defined atypical use]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
index b77f3d5bc..8f07478d5 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_3
-Title: benchmark.nist_800_53_rev_4_ac_2_3.title
-Description: benchmark.nist_800_53_rev_4_ac_2_3.description
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_3
+ title: benchmark.nist_800_53_rev_4_ac_2_3.title
+ description: benchmark.nist_800_53_rev_4_ac_2_3.description
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
index 90e8ec0a0..e686065bf 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_4.yaml
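Review bot: The `service` tag on the new side of this hunk is `AWS/IAM`, while the sibling AC-2 enhancements rewritten in the same diff (ac_2_1, ac_2_4, ac_2_12) carry `AWS`, and ac_2_f (in a later hunk) also has `AWS/IAM`; the value is carried over unchanged from the old file, but since this commit regenerates every tag block it is the natural point to settle on one spelling. If the `service` tag is used for filtering or grouping in the consumer, the AC-2 family is currently split across two values, so either normalise the two files to `- AWS` or leave a comment such as `# service tag deliberately narrowed to AWS/IAM: both controls here are IAM-only` above the `service:` key so the difference reads as intentional.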
@@ -1,27 +1,32 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_4
-Title: benchmark.nist_800_53_rev_4_ac_2_4.title
-Description: benchmark.nist_800_53_rev_4_ac_2_4.description
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_4
+ title: benchmark.nist_800_53_rev_4_ac_2_4.title
+ description: benchmark.nist_800_53_rev_4_ac_2_4.description
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
index 9aaa98859..6f7db179d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_f.yaml
@@ -1,30 +1,35 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_f
-Title: AC-2(f)
-Description: 'The organization: f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions].'
-SectionCode: f
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_f
+ title: AC-2(f)
+ description: "The organization: f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]."
+ section-code: f
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
index da2dd4a95..552fa3e17 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_g.yaml
@@ -1,29 +1,34 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_g
-Title: AC-2(g)
-Description: 'The organization: g. Monitors the use of information system accounts.'
-SectionCode: g
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_g
+ title: AC-2(g)
+ description: "The organization: g. Monitors the use of information system accounts."
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml
index a09d5c3ab..58f7c5267 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_2_j.yaml 
@@ -1,32 +1,37 @@
-ID: aws_fedramp_moderate_rev_4_ac_2_j
-Title: AC-2(j)
-Description: 'The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].'
-SectionCode: j
-Children: []
-Controls:
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_2_j
+ title: AC-2(j)
+ description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
+ section-code: j
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
index acbad7154..6efb8dd65 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_3.yaml
@@ -1,44 +1,49 @@
-ID: aws_fedramp_moderate_rev_4_ac_3
-Title: Access Enforcement (AC-3)
-Description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ac_3
+ title: Access Enforcement (AC-3)
+ description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml
index 65f5ade3c..db735893c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_4.yaml
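Review bot: `title: Access Enforcement (AC-3)` and its description are literal text on the new side, whereas the other numbered AC groups rewritten in this diff (ac_2, ac_4, ac_17 and their numeric enhancements) use `benchmark.nist_800_53_rev_4_*.title` / `.description` lookup keys; the lettered sub-controls (ac_2_f, ac_2_g, ac_2_j, ac_21_b, ac_2_12_a) are also literal, so the split may be deliberate, but ac_3 is the one numbered control that does not follow the key convention. If the consumer resolves those keys through a catalogue, this file bypasses it and will not pick up catalogue corrections; if a key exists for AC-3, `title: benchmark.nist_800_53_rev_4_ac_3.title` and the matching `.description` would bring it in line, otherwise a comment such as `# literal title/description: no benchmark.nist_800_53_rev_4_ac_3 catalogue entry` above `title:` would record why it differs.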
@@ -1,36 +1,41 @@ -ID: aws_fedramp_moderate_rev_4_ac_4 -Title: benchmark.nist_800_53_rev_4_ac_4.title -Description: benchmark.nist_800_53_rev_4_ac_4.description -SectionCode: "4" -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ac_4 + title: benchmark.nist_800_53_rev_4_ac_4.title + description: benchmark.nist_800_53_rev_4_ac_4.description + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_lambda_function_in_vpc + - 
aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml index 8f05523b7..f548ac568 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5.yaml @@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_ac_5 -Title: benchmark.nist_800_53_rev_4_ac_5.title -Description: benchmark.nist_800_53_rev_4_ac_5.description -SectionCode: "5" -Children: - - aws_fedramp_moderate_rev_4_ac_5_c -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ac_5 + title: benchmark.nist_800_53_rev_4_ac_5.title + description: benchmark.nist_800_53_rev_4_ac_5.description + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_ac_5_c 
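Review bot: The new AC-4 group carries the lookup keys `benchmark.nist_800_53_rev_4_ac_4.title` and `.description` as its `title:` and `description:` values, while the AC-3 group in the preceding file has literal text, so the two files are not at the same level of resolution. If the loader does not resolve these dotted keys, reports for this group will show the raw key; either substitute the NIST text during the migration or confirm the resolver exists and annotate it, e.g. `title: benchmark.nist_800_53_rev_4_ac_4.title  # resolved via the benchmark string table at load time`. The same placeholder pattern appears in the AC-5, AC-6, AC-6(10), AU, AU-3, AU-6, AU-7, AU-7(1), AU-9 and AU-12 hunks below. Separately, `aws_acm_certificate_expires_30_days` looks out of place under information-flow enforcement; if it is inherited from the upstream mapping a short comment saying so would help.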
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml index b89704c98..8ae6c34ff 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_5_c.yaml 
@@ -1,28 +1,33 @@ -ID: aws_fedramp_moderate_rev_4_ac_5_c -Title: AC-5(c) -Description: 'The organization: c. Defines information system access authorizations to support separation of duties.' -SectionCode: c -Children: [] -Controls: - - aws_ecs_task_definition_user_for_host_mode_check - - aws_iam_account_password_policy_min_length_14 - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ac_5_c + title: AC-5(c) + description: "The organization: c. Defines information system access authorizations to support separation of duties." + section-code: c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ecs_task_definition_user_for_host_mode_check + - aws_iam_account_password_policy_min_length_14 + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml index b6f4336c7..8311d2b58 100755 
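Review bot: `aws_iam_account_password_policy_min_length_14` in the AC-5(c) controls list is a password-strength check, which does not evidence the separation-of-duties access authorizations the description asks for, whereas the rest of the list (group membership, no inline policies, no `*:*`, no root access keys, no service wildcards) does. If the mapping is carried over from the upstream benchmark, a comment such as `- aws_iam_account_password_policy_min_length_14  # inherited from upstream mapping; not a separation-of-duties control` stops a future reader from treating it as coverage for this requirement; otherwise it is better dropped from this group.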
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6.yaml 
@@ -1,43 +1,49 @@ -ID: aws_fedramp_moderate_rev_4_ac_6 -Title: benchmark.nist_800_53_rev_4_ac_6.title -Description: benchmark.nist_800_53_rev_4_ac_6.description -SectionCode: "6" -Children: - - aws_fedramp_moderate_rev_4_ac_6_10 -Controls: - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ac_6 + title: benchmark.nist_800_53_rev_4_ac_6.title + description: benchmark.nist_800_53_rev_4_ac_6.description + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_ac_6_10 + controls: + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - 
aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_uses_imdsv2 + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_group_not_empty + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml index ec5c23492..76fe1d3d1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ac_6_10.yaml 
@@ -1,20 +1,25 @@ -ID: aws_fedramp_moderate_rev_4_ac_6_10 -Title: benchmark.nist_800_53_rev_4_ac_6_10.title -Description: benchmark.nist_800_53_rev_4_ac_6_10.description -SectionCode: "10" -Children: [] -Controls: - - aws_iam_all_policy_no_service_wild_card - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ac_6_10 + title: benchmark.nist_800_53_rev_4_ac_6_10.title + description: benchmark.nist_800_53_rev_4_ac_6_10.description + section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_all_policy_no_service_wild_card + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml index ea22ac465..8de665e0c 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au.yaml 
@@ -1,24 +1,29 @@ -ID: aws_fedramp_moderate_rev_4_au -Title: benchmark.nist_800_53_rev_4_au.title -Description: benchmark.nist_800_53_rev_4_au.description -SectionCode: au -Children: - - aws_fedramp_moderate_rev_4_au_2 - - aws_fedramp_moderate_rev_4_au_3 - - aws_fedramp_moderate_rev_4_au_6 - - aws_fedramp_moderate_rev_4_au_7 - - aws_fedramp_moderate_rev_4_au_9 - - aws_fedramp_moderate_rev_4_au_11 - - aws_fedramp_moderate_rev_4_au_12 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au + title: benchmark.nist_800_53_rev_4_au.title + description: benchmark.nist_800_53_rev_4_au.description + section-code: au + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_2 + - id: aws_fedramp_moderate_rev_4_au_3 + - id: aws_fedramp_moderate_rev_4_au_6 + - id: aws_fedramp_moderate_rev_4_au_7 + - id: aws_fedramp_moderate_rev_4_au_9 + - id: aws_fedramp_moderate_rev_4_au_11 + - id: aws_fedramp_moderate_rev_4_au_12 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml index e52047f63..9f9c636a1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_11.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_au_11 -Title: Audit Record Retention (AU-11) -Description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. -SectionCode: "11" -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_11 + title: Audit Record Retention (AU-11) + description: The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. + section-code: "11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml index 0a6f41582..4df85812e 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12.yaml 
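Review bot: The AU-11 description states retention of "at least 90 days" but the only control attached is `aws_cloudwatch_log_group_retention_period_365`, so a log group kept for, say, 180 days fails this group while satisfying the stated requirement. A stricter threshold may be intentional, but the file should say so rather than leave the description and the check disagreeing, e.g. `- aws_cloudwatch_log_group_retention_period_365  # one-year threshold is deliberately stricter than the 90-day text`; otherwise align the description with the control. Note also that nothing in this group checks retention of audit records delivered anywhere other than CloudWatch log groups, which the `AWS/CloudWatch` service tag makes explicit.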
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_au_12 -Title: benchmark.nist_800_53_rev_4_au_12.title -Description: benchmark.nist_800_53_rev_4_au_12.description -SectionCode: "12" -Children: - - aws_fedramp_moderate_rev_4_au_12_a_c -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_12 + title: benchmark.nist_800_53_rev_4_au_12.title + description: benchmark.nist_800_53_rev_4_au_12.description + section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_12_a_c diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml index 36252d56a..ca96fa818 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_12_a_c.yaml 
@@ -1,28 +1,33 @@ -ID: aws_fedramp_moderate_rev_4_au_12_a_c -Title: AU-12(a)(c) -Description: 'The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.' -SectionCode: a_c -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_12_a_c + title: AU-12(a)(c) + description: "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3." 
+ section-code: a_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml index 5131b5305..ab3adb24c 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_au_2 -Title: Audit Events (AU-2) -Description: 'The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents.' -SectionCode: "2" -Children: - - aws_fedramp_moderate_rev_4_au_2_a_d -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_2 + title: Audit Events (AU-2) + description: "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_2_a_d diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml index 2cf4dcecc..301c1e7b1 100755 
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_2_a_d.yaml 
@@ -1,28 +1,33 @@ -ID: aws_fedramp_moderate_rev_4_au_2_a_d -Title: AU-2(a)(d) -Description: 'The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event].' -SectionCode: a_d -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_2_a_d + title: AU-2(a)(d) + description: "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. 
Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event]." + section-code: a_d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml index 08c212596..3f06ca39a 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_3.yaml 
@@ -1,28 +1,33 @@ -ID: aws_fedramp_moderate_rev_4_au_3 -Title: benchmark.nist_800_53_rev_4_au_3.title -Description: benchmark.nist_800_53_rev_4_au_3.description -SectionCode: "3" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_3 + title: benchmark.nist_800_53_rev_4_au_3.title + description: benchmark.nist_800_53_rev_4_au_3.description + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml index 25e4f13c1..b670a2b79 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml 
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6.yaml @@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_au_6 -Title: benchmark.nist_800_53_rev_4_au_6.title -Description: benchmark.nist_800_53_rev_4_au_6.description -SectionCode: "6" -Children: - - aws_fedramp_moderate_rev_4_au_6_1_3 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_6 + title: benchmark.nist_800_53_rev_4_au_6.title + description: benchmark.nist_800_53_rev_4_au_6.description + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_6_1_3 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml index 61e35dfda..5ce6ed136 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_6_1_3.yaml 
@@ -1,32 +1,37 @@ -ID: aws_fedramp_moderate_rev_4_au_6_1_3 -Title: AU-6(1)(3) -Description: (1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. -SectionCode: "1_3" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_6_1_3 + title: AU-6(1)(3) + description: (1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. 
+ section-code: "1_3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_log_group_retention_period_365 + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml index 5ddad2af1..76b76b79b 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_au_7 -Title: benchmark.nist_800_53_rev_4_au_7.title -Description: benchmark.nist_800_53_rev_4_au_7.description -SectionCode: "7" -Children: - - aws_fedramp_moderate_rev_4_au_7_1 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_7 + title: benchmark.nist_800_53_rev_4_au_7.title + description: benchmark.nist_800_53_rev_4_au_7.description + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_7_1 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml index 292199826..fad2812a1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_7_1.yaml 
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_au_7_1 -Title: benchmark.nist_800_53_rev_4_au_7_1.title -Description: benchmark.nist_800_53_rev_4_au_7_1.description -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_7_1 + title: benchmark.nist_800_53_rev_4_au_7_1.title + description: benchmark.nist_800_53_rev_4_au_7_1.description + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml index b6a47f1ab..dea683cf9 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9.yaml 
@@ -1,21 +1,27 @@ -ID: aws_fedramp_moderate_rev_4_au_9 -Title: benchmark.nist_800_53_rev_4_au_9.title -Description: benchmark.nist_800_53_rev_4_au_9.description -SectionCode: "9" -Children: - - aws_fedramp_moderate_rev_4_au_9_2 -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_9 + title: benchmark.nist_800_53_rev_4_au_9.title + description: benchmark.nist_800_53_rev_4_au_9.description + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_au_9_2 + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_log_group_encryption_at_rest_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml index 03406bb53..863fcf978 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_au_9_2.yaml 
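Review bot: `tracks-drift-events: false` on this group switches off drift tracking for exactly the settings an intruder flips to cover tracks — CloudTrail KMS encryption, log file validation and log-group encryption — if the key means what its name suggests (the semantics are not visible in this diff). A later change from pass to fail on `aws_cloudtrail_trail_validation_enabled` is the signal an AU-9 reviewer most wants, so this group is a strong candidate for `tracks-drift-events: true` even if the project default stays false. Note also that with `enabled: false` here the three controls are inert until someone enables the group, which is worth stating in the framework's README if that is the intended onboarding flow.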
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_au_9_2 -Title: AU-9(2) Audit Backup On Separate Physical Systems / Components -Description: The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. -SectionCode: "2" -Children: [] -Controls: - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_au_9_2 + title: AU-9(2) Audit Backup On Separate Physical Systems / Components + description: The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml index 0484e19fb..4fe191a27 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca.yaml 
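Review bot: The two controls mapped to AU-9(2), `aws_s3_bucket_cross_region_replication_enabled` and `aws_s3_bucket_versioning_enabled`, keep the copies inside the same AWS account as the audited system, so a principal who can delete the trail's bucket can generally also purge its versions and the replica; the requirement's "physically different system or component" is usually met with a separate logging account, which neither check verifies. Nothing here checks the "at least weekly" cadence either, although continuous replication covers that whenever replication is actually in place. Keeping the mapping as a proxy is defensible, but say so above `controls:` with something like `# proxy for AU-9(2): same-account replication + versioning; does not verify a separate-system copy` so auditors do not read it as full coverage.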
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_ca -Title: benchmark.nist_800_53_rev_4_ca.title -Description: benchmark.nist_800_53_rev_4_ca.description -SectionCode: ca -Children: - - aws_fedramp_moderate_rev_4_ca_7 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ca + title: benchmark.nist_800_53_rev_4_ca.title + description: benchmark.nist_800_53_rev_4_ca.description + section-code: ca + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_ca_7 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml index 820b99f56..a3447ec49 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_ca_7 -Title: benchmark.nist_800_53_rev_4_ca_7.title -Description: benchmark.nist_800_53_rev_4_ca_7.description -SectionCode: "7" -Children: - - aws_fedramp_moderate_rev_4_ca_7_a_b -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ca_7 + title: benchmark.nist_800_53_rev_4_ca_7.title + description: benchmark.nist_800_53_rev_4_ca_7.description + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_ca_7_a_b diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml index f9fbb9875..3d5896776 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ca_7_a_b.yaml 
@@ -1,30 +1,35 @@ -ID: aws_fedramp_moderate_rev_4_ca_7_a_b -Title: CA-7(a)(b) -Description: 'The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring.' -SectionCode: a_b -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ca_7_a_b + title: CA-7(a)(b) + description: "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring." 
+ section-code: a_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_guardduty_enabled + - aws_lambda_function_concurrent_execution_limit_configured + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml index 4494b906e..10b427ecf 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm.yaml 
@@ -1,20 +1,25 @@ -ID: aws_fedramp_moderate_rev_4_cm -Title: benchmark.nist_800_53_rev_4_cm.title -Description: benchmark.nist_800_53_rev_4_cm.description -SectionCode: cm -Children: - - aws_fedramp_moderate_rev_4_cm_2 - - aws_fedramp_moderate_rev_4_cm_7 - - aws_fedramp_moderate_rev_4_cm_8 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm + title: benchmark.nist_800_53_rev_4_cm.title + description: benchmark.nist_800_53_rev_4_cm.description + section-code: cm + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cm_2 + - id: aws_fedramp_moderate_rev_4_cm_7 + - id: aws_fedramp_moderate_rev_4_cm_8 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml index 11187fc0d..1dee818a3 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_2.yaml 
@@ -1,47 +1,52 @@ -ID: aws_fedramp_moderate_rev_4_cm_2 -Title: benchmark.nist_800_53_rev_4_cm_2.title -Description: benchmark.nist_800_53_rev_4_cm_2.description -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_autoscaling_launch_config_public_ip_disabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_attached_volume_delete_on_termination_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_unused - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_waf_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_2 + title: benchmark.nist_800_53_rev_4_cm_2.title + description: benchmark.nist_800_53_rev_4_cm_2.description + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + 
tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_use_waf_web_acl + - aws_autoscaling_launch_config_public_ip_disabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_attached_volume_delete_on_termination_enabled + - aws_ebs_snapshot_not_publicly_restorable + - aws_ebs_volume_unused + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_elb_application_lb_waf_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_route_table_restrict_public_access_to_igw + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml index 0be498599..de2a391a1 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7.yaml 
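Review bot: Two entries in the CM-2 list, `aws_ebs_volume_unused` and `aws_ec2_stopped_instance_30_days`, are resource-hygiene checks rather than baseline-configuration evidence, so an orphaned volume or a long-stopped instance will raise a CM-2 non-compliance finding that has nothing to do with the baseline. Unless the project treats "no unmanaged leftovers" as part of the baseline, these belong under a hygiene benchmark, or at least under a comment that explains why they count here, e.g. `# unused/stopped resources are treated as baseline drift`. The rest of the list is public-exposure and ingress restriction, which is the right shape for this control. The hunk begins on the previous line.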
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_cm_7 -Title: benchmark.nist_800_53_rev_4_cm_7.title -Description: benchmark.nist_800_53_rev_4_cm_7.description -SectionCode: "7" -Children: - - aws_fedramp_moderate_rev_4_cm_7_a -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_7 + title: benchmark.nist_800_53_rev_4_cm_7.title + description: benchmark.nist_800_53_rev_4_cm_7.description + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cm_7_a diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml index f50d77277..0c209cd2d 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_7_a.yaml 
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_cm_7_a -Title: CM-7(a) -Description: 'The organization: a. Configures the information system to provide only essential capabilities.' -SectionCode: a -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_7_a + title: CM-7(a) + description: "The organization: a. Configures the information system to provide only essential capabilities." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml index e8a578126..af7fe5602 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8.yaml 
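Review bot: CM-7(a), "provide only essential capabilities", is backed only by `aws_ec2_instance_ssm_managed` and `aws_ssm_managed_instance_compliance_association_compliant`, which establish that an instance is SSM-managed and its associations report compliant, not that non-essential services, ports or functions are disabled. The public-access and ingress-restriction controls listed under CM-2 elsewhere in this diff (`aws_vpc_security_group_restrict_ingress_*`, `aws_lambda_function_restrict_public_access`, `aws_rds_db_instance_prohibit_public_access`) are the closer fit for least functionality and could be listed here as well. If the State Manager association in use is what enforces a hardened baseline, a comment above `controls:` such as `# coverage depends on the SSM association enforcing the least-functionality baseline` makes that dependency explicit.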
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_cm_8 -Title: benchmark.nist_800_53_rev_4_cm_8.title -Description: benchmark.nist_800_53_rev_4_cm_8.description -SectionCode: "8" -Children: - - aws_fedramp_moderate_rev_4_cm_8_1 - - aws_fedramp_moderate_rev_4_cm_8_3 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_8 + title: benchmark.nist_800_53_rev_4_cm_8.title + description: benchmark.nist_800_53_rev_4_cm_8.description + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cm_8_1 + - id: aws_fedramp_moderate_rev_4_cm_8_3 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml index 855d10ca4..bbfd71ddf 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_1.yaml 
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_cm_8_1 -Title: CM-8(1) -Description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. -SectionCode: "1" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_8_1 + title: CM-8(1) + description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml index 52f3f3006..732e9edb0 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_cm_8_3 -Title: benchmark.nist_800_53_rev_4_cm_8_3.title -Description: benchmark.nist_800_53_rev_4_cm_8_3.description -SectionCode: "3" -Children: - - aws_fedramp_moderate_rev_4_cm_8_3_a -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_8_3 + title: benchmark.nist_800_53_rev_4_cm_8_3.title + description: benchmark.nist_800_53_rev_4_cm_8_3.description + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cm_8_3_a diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml index 2c2374683..aab9dbbed 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cm_8_3_a.yaml 
@@ -1,21 +1,26 @@ -ID: aws_fedramp_moderate_rev_4_cm_8_3_a -Title: CM-8(3)(a) -Description: 'The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system' -SectionCode: a -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_guardduty_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cm_8_3_a + title: CM-8(3)(a) + description: "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system" + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_guardduty_enabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml index 0d21a6b9d..1d333593b 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp.yaml 
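Review bot: The "maximum five-minute delay in detection" parameter in the description is not verified by any of the four controls: the SSM association and patch compliance checks report state on their own schedule (not visible here), `aws_ec2_instance_ssm_managed` is a coverage check, and `aws_guardduty_enabled` says nothing about detection latency for unauthorized hardware, software or firmware. The mapping is still useful as partial evidence, but the gap should be visible in the file, e.g. `# none of these controls verifies the 5-minute detection window required by CM-8(3)(a)` above `controls:`. Firmware components in particular are out of scope for all four checks and should be called out as a manual control.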
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_cp -Title: benchmark.nist_800_53_rev_4_cp.title -Description: benchmark.nist_800_53_rev_4_cp.description -SectionCode: cp -Children: - - aws_fedramp_moderate_rev_4_cp_9 - - aws_fedramp_moderate_rev_4_cp_10 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cp + title: benchmark.nist_800_53_rev_4_cp.title + description: benchmark.nist_800_53_rev_4_cp.description + section-code: cp + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cp_9 + - id: aws_fedramp_moderate_rev_4_cp_10 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml index 9a62d6aec..1aa44ae19 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_10.yaml 
@@ -1,37 +1,42 @@ -ID: aws_fedramp_moderate_rev_4_cp_10 -Title: benchmark.nist_800_53_rev_4_cp_10.title -Description: benchmark.nist_800_53_rev_4_cp_10.description -SectionCode: "10" -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cp_10 + title: benchmark.nist_800_53_rev_4_cp_10.title + description: benchmark.nist_800_53_rev_4_cp_10.description + section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_backup_plan_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - 
aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml index 377815bdb..51cd35351 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9.yaml @@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_cp_9 -Title: benchmark.nist_800_53_rev_4_cp_9.title -Description: benchmark.nist_800_53_rev_4_cp_9.description -SectionCode: "9" -Children: - - aws_fedramp_moderate_rev_4_cp_9_b -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cp_9 + title: benchmark.nist_800_53_rev_4_cp_9.title + description: benchmark.nist_800_53_rev_4_cp_9.description + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_cp_9_b 
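Review bot: Several CP-10 entries are performance or liveness checks rather than recovery evidence — `aws_ec2_instance_ebs_optimized`, `aws_dynamodb_table_auto_scaling_enabled`, `aws_elb_classic_lb_cross_zone_load_balancing_enabled` and especially `aws_vpc_vpn_tunnel_up`, which fails on any tunnel that is legitimately down (maintenance, decommissioned peer) and would raise a contingency-plan finding on a point-in-time network state. Backup-plan membership, PITR, multi-AZ and deletion protection are the defensible core of this list. Consider moving the performance checks out, or add a comment above `controls:` explaining that the project scopes CP-10 to include resilience tuning. The hunk begins on the previous line.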
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml index 3e5a3b9ed..990fed5e0 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_cp_9_b.yaml 
@@ -1,31 +1,36 @@ -ID: aws_fedramp_moderate_rev_4_cp_9_b -Title: CP-9(b) -Description: 'The organization: b. Conducts backups of system-level information contained in the information system (daily incremental; weekly full).' -SectionCode: b -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_cp_9_b + title: CP-9(b) + description: "The organization: b. Conducts backups of system-level information contained in the information system (daily incremental; weekly full)." 
+ section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_backup_plan_min_retention_35_days + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml index 7cec4ad4e..48cf25c85 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia.yaml 
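Review bot: CP-9(b) specifies a schedule, "daily incremental; weekly full", but every control here checks either plan membership (`*_protected_by_backup_plan`) or retention length (`aws_backup_plan_min_retention_35_days`, `aws_redshift_cluster_automatic_snapshots_min_7_days`, `aws_elasticache_redis_cluster_automatic_backup_retention_15_days`); none checks backup frequency, so a plan with a monthly rule passes. Retention is a reasonable proxy only if the plans also have daily rules, which this file cannot assert. A note above `controls:` such as `# backup frequency (daily/weekly) is not verified; only membership and retention` would keep the claim honest until a frequency check exists. The hunk begins on the previous line.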
@@ -1,19 +1,24 @@ -ID: aws_fedramp_moderate_rev_4_ia -Title: benchmark.nist_800_53_rev_4_ia.title -Description: benchmark.nist_800_53_rev_4_ia.description -SectionCode: ia -Children: - - aws_fedramp_moderate_rev_4_ia_2 - - aws_fedramp_moderate_rev_4_ia_5 -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_ia + title: benchmark.nist_800_53_rev_4_ia.title + description: benchmark.nist_800_53_rev_4_ia.description + section-code: ia + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_ia_2 + - id: aws_fedramp_moderate_rev_4_ia_5 diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml index caf981763..056d30bbe 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2.yaml 
@@ -1,20 +1,26 @@
-ID: aws_fedramp_moderate_rev_4_ia_2
-Title: benchmark.nist_800_53_rev_4_ia_2.title
-Description: benchmark.nist_800_53_rev_4_ia_2.description
-SectionCode: "2"
-Children:
- - aws_fedramp_moderate_rev_4_ia_2_1
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_2
+ title: benchmark.nist_800_53_rev_4_ia_2.title
+ description: benchmark.nist_800_53_rev_4_ia_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ia_2_1
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml
index 417f75e62..cfa0bb6e1 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1.yaml
@@ -1,22 +1,28 @@
-ID: aws_fedramp_moderate_rev_4_ia_2_1
-Title: benchmark.nist_800_53_rev_4_ia_2_1.title
-Description: benchmark.nist_800_53_rev_4_ia_2_1.description
-SectionCode: "1"
-Children:
- - aws_fedramp_moderate_rev_4_ia_2_1_2
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_2_1
+ title: benchmark.nist_800_53_rev_4_ia_2_1.title
+ description: benchmark.nist_800_53_rev_4_ia_2_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ia_2_1_2
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
index fef4b8e3f..1fd7eaaee 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_2_1_2.yaml
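Review bot: This parent group (ia_2_1) carries the same four MFA controls in its `controls:` list that its only child, ia_2_1_2 in the next hunk (L474), lists again, so every MFA finding is reported once at this level and once at the leaf; if the consumer rolls results up the tree, the IA-2(1) score is double-weighted relative to groups that keep controls on leaves only. The duplication pre-dates this commit, but since both files are rewritten here it is the moment to either drop the `controls:` block from this parent or record the intent on it, e.g. `controls:  # duplicated from ia_2_1_2 on purpose for direct IA-2(1) reporting — TODO confirm aggregation does not double count`. I cannot see the scoring code from here, so treat the double-count as a question rather than a certainty.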
@@ -1,21 +1,26 @@
-ID: aws_fedramp_moderate_rev_4_ia_2_1_2
-Title: IA-2(1)(2)
-Description: (1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_root_user_hardware_mfa_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_2_1_2
+ title: IA-2(1)(2)
+ description: (1) The information system implements multifactor authentication for network access to privileged accounts. (2) The information system implements multifactor authentication for network access to non- privileged accounts.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_root_user_hardware_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
index c6b2f3514..2616b1afa 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5.yaml
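Review bot: The rewritten `description` line carries over the hyphenation artifact `non- privileged accounts` from the old file; since the whole line is re-emitted by this commit it should read `non-privileged accounts`. The same artifact, `organization- defined`, survives in the ia_5_1_a_d_e hunk (L477). The `controls:` list here is also in a different order from the alphabetical list its parent ia_2_1 uses for the same four IDs; sorting it keeps the two files diffable against each other.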
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_ia_5
-Title: benchmark.nist_800_53_rev_4_ia_5.title
-Description: benchmark.nist_800_53_rev_4_ia_5.description
-SectionCode: "5"
-Children:
- - aws_fedramp_moderate_rev_4_ia_5_1
- - aws_fedramp_moderate_rev_4_ia_5_4
- - aws_fedramp_moderate_rev_4_ia_5_7
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_5
+ title: benchmark.nist_800_53_rev_4_ia_5.title
+ description: benchmark.nist_800_53_rev_4_ia_5.description
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ia_5_1
+ - id: aws_fedramp_moderate_rev_4_ia_5_4
+ - id: aws_fedramp_moderate_rev_4_ia_5_7
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
index 8dbaf5d08..75e6c3f4d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ia_5_1
-Title: benchmark.nist_800_53_rev_4_ia_5_1.title
-Description: benchmark.nist_800_53_rev_4_ia_5_1.description
-SectionCode: "1"
-Children:
- - aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_5_1
+ title: benchmark.nist_800_53_rev_4_ia_5_1.title
+ description: benchmark.nist_800_53_rev_4_ia_5_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
index 253f828df..4e6eecf0d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_1_a_d_e.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
-Title: IA-5(1)(a)(d)(e)
-Description: 'The information system, for password-based authentication: a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations'
-SectionCode: a_d_e
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_5_1_a_d_e
+ title: IA-5(1)(a)(d)(e)
+ description: "The information system, for password-based authentication: a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations"
+ section-code: a_d_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
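Review bot: Only `aws_iam_account_password_policy_min_length_14` is mapped under `controls:`, which speaks to clause (a) of the description (complexity) and to nothing in clause (d) (minimum/maximum password lifetime) or clause (e) (no reuse for 24 generations); a reader of this group will take a passing result as evidence that all three clauses are enforced. Add a comment above the list making the gap explicit, e.g. `controls:  # coverage: (a) via minimum length only; (d) password age and (e) reuse history have no mapped control`, or map the password-policy age and reuse checks if the control library provides them. The `description` also keeps the old file's hyphenation artifact `organization- defined`, which should become `organization-defined` now that the line is re-emitted.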
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
index e6e797b4f..d2d69357e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ia_5_4
-Title: benchmark.nist_800_53_rev_4_ia_5_4.title
-Description: benchmark.nist_800_53_rev_4_ia_5_4.description
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_5_4
+ title: benchmark.nist_800_53_rev_4_ia_5_4.title
+ description: benchmark.nist_800_53_rev_4_ia_5_4.description
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
index 7ab0b0dd5..d80e7bfa6 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ia_5_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ia_5_7
-Title: benchmark.nist_800_53_rev_4_ia_5_7.title
-Description: benchmark.nist_800_53_rev_4_ia_5_7.description
-SectionCode: "7"
-Children: []
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CodeBuild
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ia_5_7
+ title: benchmark.nist_800_53_rev_4_ia_5_7.title
+ description: benchmark.nist_800_53_rev_4_ia_5_7.description
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CodeBuild
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
index 7d1bade11..5afd400aa 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_ir
-Title: benchmark.nist_800_53_rev_4_ir.title
-Description: benchmark.nist_800_53_rev_4_ir.description
-SectionCode: ir
-Children:
- - aws_fedramp_moderate_rev_4_ir_4
- - aws_fedramp_moderate_rev_4_ir_6
- - aws_fedramp_moderate_rev_4_ir_7
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir
+ title: benchmark.nist_800_53_rev_4_ir.title
+ description: benchmark.nist_800_53_rev_4_ir.description
+ section-code: ir
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ir_4
+ - id: aws_fedramp_moderate_rev_4_ir_6
+ - id: aws_fedramp_moderate_rev_4_ir_7
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
index aa60d88e3..019922414 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ir_4
-Title: benchmark.nist_800_53_rev_4_ir_4.title
-Description: benchmark.nist_800_53_rev_4_ir_4.description
-SectionCode: "4"
-Children:
- - aws_fedramp_moderate_rev_4_ir_4_1
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_4
+ title: benchmark.nist_800_53_rev_4_ir_4.title
+ description: benchmark.nist_800_53_rev_4_ir_4.description
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ir_4_1
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
index 221faa956..bc1bdb687 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_4_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_fedramp_moderate_rev_4_ir_4_1
-Title: benchmark.nist_800_53_rev_4_ir_4_1.title
-Description: benchmark.nist_800_53_rev_4_ir_4_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_4_1
+ title: benchmark.nist_800_53_rev_4_ir_4_1.title
+ description: benchmark.nist_800_53_rev_4_ir_4_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
index 2b5ec9f67..54163f6bc 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ir_6
-Title: benchmark.nist_800_53_rev_4_ir_6.title
-Description: benchmark.nist_800_53_rev_4_ir_6.description
-SectionCode: "6"
-Children:
- - aws_fedramp_moderate_rev_4_ir_6_1
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_6
+ title: benchmark.nist_800_53_rev_4_ir_6.title
+ description: benchmark.nist_800_53_rev_4_ir_6.description
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ir_6_1
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
index 499b183d9..44fd686ac 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_6_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_ir_6_1
-Title: benchmark.nist_800_53_rev_4_ir_6_1.title
-Description: benchmark.nist_800_53_rev_4_ir_6_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_6_1
+ title: benchmark.nist_800_53_rev_4_ir_6_1.title
+ description: benchmark.nist_800_53_rev_4_ir_6_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
index f1cef0d88..9719c6138 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ir_7
-Title: benchmark.nist_800_53_rev_4_ir_7.title
-Description: benchmark.nist_800_53_rev_4_ir_7.description
-SectionCode: "7"
-Children:
- - aws_fedramp_moderate_rev_4_ir_7_1
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_7
+ title: benchmark.nist_800_53_rev_4_ir_7.title
+ description: benchmark.nist_800_53_rev_4_ir_7.description
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ir_7_1
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
index 4f39f1c50..9b542d26e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ir_7_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_ir_7_1
-Title: benchmark.nist_800_53_rev_4_ir_7_1.title
-Description: benchmark.nist_800_53_rev_4_ir_7_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ir_7_1
+ title: benchmark.nist_800_53_rev_4_ir_7_1.title
+ description: benchmark.nist_800_53_rev_4_ir_7_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
index 88ad10797..e253595cb 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_ra
-Title: benchmark.nist_800_53_rev_4_ra.title
-Description: benchmark.nist_800_53_rev_4_ra.description
-SectionCode: ra
-Children:
- - aws_fedramp_moderate_rev_4_ra_5
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ra
+ title: benchmark.nist_800_53_rev_4_ra.title
+ description: benchmark.nist_800_53_rev_4_ra.description
+ section-code: ra
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_ra_5
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
index f89d46580..f0c912643 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_ra_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_fedramp_moderate_rev_4_ra_5
-Title: benchmark.nist_800_53_rev_4_ra_5.title
-Description: benchmark.nist_800_53_rev_4_ra_5.description
-SectionCode: "5"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_ra_5
+ title: benchmark.nist_800_53_rev_4_ra_5.title
+ description: benchmark.nist_800_53_rev_4_ra_5.description
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
index da26587a1..ac06d2256 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa.yaml
@@ -1,19 +1,24 @@
-ID: aws_fedramp_moderate_rev_4_sa
-Title: benchmark.nist_800_53_rev_4_sa.title
-Description: benchmark.nist_800_53_rev_4_sa.description
-SectionCode: sa
-Children:
- - aws_fedramp_moderate_rev_4_sa_3
- - aws_fedramp_moderate_rev_4_sa_10
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sa
+ title: benchmark.nist_800_53_rev_4_sa.title
+ description: benchmark.nist_800_53_rev_4_sa.description
+ section-code: sa
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_sa_3
+ - id: aws_fedramp_moderate_rev_4_sa_10
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
index 524d39875..e32e696de 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_10.yaml
@@ -1,21 +1,26 @@
-ID: aws_fedramp_moderate_rev_4_sa_10
-Title: benchmark.nist_800_53_rev_4_sa_10.title
-Description: benchmark.nist_800_53_rev_4_sa_10.description
-SectionCode: "10"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sa_10
+ title: benchmark.nist_800_53_rev_4_sa_10.title
+ description: benchmark.nist_800_53_rev_4_sa_10.description
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
index b9d274041..391ed594e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_sa_3
-Title: benchmark.nist_800_53_rev_4_sa_3.title
-Description: benchmark.nist_800_53_rev_4_sa_3.description
-SectionCode: "3"
-Children:
- - aws_fedramp_moderate_rev_4_sa_3_a
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sa_3
+ title: benchmark.nist_800_53_rev_4_sa_3.title
+ description: benchmark.nist_800_53_rev_4_sa_3.description
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_sa_3_a
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
index a13a880e7..fbacecaf6 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sa_3_a.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_sa_3_a
-Title: SA-3(a)
-Description: 'The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations.'
-SectionCode: a
-Children: []
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sa_3_a
+ title: SA-3(a)
+ description: "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
index 5dba67181..ec46dea6a 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc.yaml
@@ -1,26 +1,31 @@
-ID: aws_fedramp_moderate_rev_4_sc
-Title: benchmark.nist_800_53_rev_4_sc.title
-Description: benchmark.nist_800_53_rev_4_sc.description
-SectionCode: sc
-Children:
- - aws_fedramp_moderate_rev_4_sc_2
- - aws_fedramp_moderate_rev_4_sc_4
- - aws_fedramp_moderate_rev_4_sc_5
- - aws_fedramp_moderate_rev_4_sc_7
- - aws_fedramp_moderate_rev_4_sc_8
- - aws_fedramp_moderate_rev_4_sc_12
- - aws_fedramp_moderate_rev_4_sc_13
- - aws_fedramp_moderate_rev_4_sc_23
- - aws_fedramp_moderate_rev_4_sc_28
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc
+ title: benchmark.nist_800_53_rev_4_sc.title
+ description: benchmark.nist_800_53_rev_4_sc.description
+ section-code: sc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_sc_2
+ - id: aws_fedramp_moderate_rev_4_sc_4
+ - id: aws_fedramp_moderate_rev_4_sc_5
+ - id: aws_fedramp_moderate_rev_4_sc_7
+ - id: aws_fedramp_moderate_rev_4_sc_8
+ - id: aws_fedramp_moderate_rev_4_sc_12
+ - id: aws_fedramp_moderate_rev_4_sc_13
+ - id: aws_fedramp_moderate_rev_4_sc_23
+ - id: aws_fedramp_moderate_rev_4_sc_28
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
index 252b2a007..f6742fb19 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_12.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_sc_12
-Title: benchmark.nist_800_53_rev_4_sc_12.title
-Description: benchmark.nist_800_53_rev_4_sc_12.description
-SectionCode: "12"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_12
+ title: benchmark.nist_800_53_rev_4_sc_12.title
+ description: benchmark.nist_800_53_rev_4_sc_12.description
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
index b78ca78f2..ceac991ad 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_13.yaml
@@ -1,23 +1,28 @@
-ID: aws_fedramp_moderate_rev_4_sc_13
-Title: Use of Cryptography (SC-13)
-Description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
-SectionCode: "13"
-Children: []
-Controls:
- - aws_kms_key_not_pending_deletion
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_13
+ title: Use of Cryptography (SC-13)
+ description: The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_kms_key_not_pending_deletion
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
index 205a596a4..e5064391e 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
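Review bot: `title: Use of Cryptography (SC-13)` and the literal `description:` on the new side are hard-coded text, while every other group in this diff carries a lookup key of the form `benchmark.nist_800_53_rev_4_<section>.title` / `.description`; the same literal form is carried over in sc_28, sc_8 and si_2_2. If the key form is the project convention, these four should follow it (e.g. `title: benchmark.nist_800_53_rev_4_sc_13.title`, provided such a key exists in the catalogue); if the literals are deliberate because no key exists for them, a one-line comment saying so would stop a later migration from "fixing" them. The commit already rewrites every line of these files, so this is the cheapest moment to make the choice explicit.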
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_fedramp_moderate_rev_4_sc_2
-Title: benchmark.nist_800_53_rev_4_sc_2.title
-Description: benchmark.nist_800_53_rev_4_sc_2.description
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_2
+ title: benchmark.nist_800_53_rev_4_sc_2.title
+ description: benchmark.nist_800_53_rev_4_sc_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
index 7021e1aae..3bcafcc4c 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_23.yaml
@@ -1,24 +1,29 @@
-ID: aws_fedramp_moderate_rev_4_sc_23
-Title: benchmark.nist_800_53_rev_4_sc_23.title
-Description: benchmark.nist_800_53_rev_4_sc_23.description
-SectionCode: "23"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_23
+ title: benchmark.nist_800_53_rev_4_sc_23.title
+ description: benchmark.nist_800_53_rev_4_sc_23.description
+ section-code: "23"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
index 97c157e32..caf521148 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_28.yaml
@@ -1,35 +1,40 @@
-ID: aws_fedramp_moderate_rev_4_sc_28
-Title: Protection of Information at Rest (SC-28)
-Description: 'The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest].'
-SectionCode: "28"
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_28
+ title: Protection of Information at Rest (SC-28)
+ description: "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest]."
+ section-code: "28"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_volume_encryption_at_rest_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_kms_key_not_pending_deletion
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
index 69a0d4fe3..12d2b63b9 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_4.yaml
@@ -1,34 +1,39 @@
-ID: aws_fedramp_moderate_rev_4_sc_4
-Title: benchmark.nist_800_53_rev_4_sc_4.title
-Description: benchmark.nist_800_53_rev_4_sc_4.description
-SectionCode: "4"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_unused
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_4
+ title: benchmark.nist_800_53_rev_4_sc_4.title
+ description: benchmark.nist_800_53_rev_4_sc_4.description
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ebs_volume_unused
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
index 20d708532..623993054 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_5.yaml
@@ -1,30 +1,35 @@
-ID: aws_fedramp_moderate_rev_4_sc_5
-Title: benchmark.nist_800_53_rev_4_sc_5.title
-Description: benchmark.nist_800_53_rev_4_sc_5.description
-SectionCode: "5"
-Children: []
-Controls:
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_5
+ title: benchmark.nist_800_53_rev_4_sc_5.title
+ description: benchmark.nist_800_53_rev_4_sc_5.description
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
index 2ea17c488..d9dd4e7a1 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7.yaml
@@ -1,47 +1,53 @@
-ID: aws_fedramp_moderate_rev_4_sc_7
-Title: benchmark.nist_800_53_rev_4_sc_7.title
-Description: benchmark.nist_800_53_rev_4_sc_7.description
-SectionCode: "7"
-Children:
- - aws_fedramp_moderate_rev_4_sc_7_3
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_7
+ title: benchmark.nist_800_53_rev_4_sc_7.title
+ description: benchmark.nist_800_53_rev_4_sc_7.description
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_sc_7_3
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
index 0e16d1f97..2869c7a11 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_7_3.yaml
@@ -1,39 +1,44 @@
-ID: aws_fedramp_moderate_rev_4_sc_7_3
-Title: benchmark.nist_800_53_rev_4_sc_7_3.title
-Description: benchmark.nist_800_53_rev_4_sc_7_3.description
-SectionCode: "3"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_7_3
+ title: benchmark.nist_800_53_rev_4_sc_7_3.title
+ description: benchmark.nist_800_53_rev_4_sc_7_3.description
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
index 632e97f73..512d5e25b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8.yaml
@@ -1,26 +1,32 @@
-ID: aws_fedramp_moderate_rev_4_sc_8
-Title: Transmission Integrity (SC-8)
-Description: The information system protects the confidentiality AND integrity of transmitted information.
-SectionCode: "8"
-Children:
- - aws_fedramp_moderate_rev_4_sc_8_1
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_8
+ title: Transmission Integrity (SC-8)
+ description: The information system protects the confidentiality AND integrity of transmitted information.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_sc_8_1
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
index 76088bd32..cd96d829f 100755
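Review bot: `title: Transmission Integrity (SC-8)` on the new side does not match the `description:` two lines below it, which covers confidentiality and integrity; NIST SP 800-53 Rev. 4 titles SC-8 "Transmission Confidentiality and Integrity" ("Transmission Integrity" was the Rev. 3 name). The text is carried over unchanged from the old side, but since this commit rewrites every line of the file it is the natural place to correct it: `title: Transmission Confidentiality and Integrity (SC-8)`. If the title is intentionally kept for backward compatibility with existing reports, a short comment saying so would save the next reader the same check.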
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_sc_8_1.yaml
@@ -1,25 +1,30 @@
-ID: aws_fedramp_moderate_rev_4_sc_8_1
-Title: benchmark.nist_800_53_rev_4_sc_8_1.title
-Description: benchmark.nist_800_53_rev_4_sc_8_1.description
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_sc_8_1
+ title: benchmark.nist_800_53_rev_4_sc_8_1.title
+ description: benchmark.nist_800_53_rev_4_sc_8_1.description
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
index 3e410e493..fba0e215c 100755
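Review bot: The `controls:` list on the new side here is identical, entry for entry, to the parent `aws_fedramp_moderate_rev_4_sc_8` list in the previous hunk, and that parent also references this group under `control-group:`. If the loader aggregates a group's own controls with those of its children, every SC-8 finding will be reported twice; if it does not, the duplication is harmless but still worth a note. The same parent/child overlap exists between sc_7 and sc_7_3 (sc_7 repeats all of sc_7_3's controls except `aws_autoscaling_launch_config_public_ip_disabled`). Either drop the repeated entries from the parent or state the intent next to the list, e.g. `# repeated from the SC-8 base control on purpose: the enhancement is assessed separately`.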
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si.yaml
@@ -1,21 +1,26 @@
-ID: aws_fedramp_moderate_rev_4_si
-Title: benchmark.nist_800_53_rev_4_si.title
-Description: benchmark.nist_800_53_rev_4_si.description
-SectionCode: si
-Children:
- - aws_fedramp_moderate_rev_4_si_2
- - aws_fedramp_moderate_rev_4_si_4
- - aws_fedramp_moderate_rev_4_si_7
- - aws_fedramp_moderate_rev_4_si_12
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_si
+ title: benchmark.nist_800_53_rev_4_si.title
+ description: benchmark.nist_800_53_rev_4_si.description
+ section-code: si
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_si_2
+ - id: aws_fedramp_moderate_rev_4_si_4
+ - id: aws_fedramp_moderate_rev_4_si_7
+ - id: aws_fedramp_moderate_rev_4_si_12
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
index 31370d83d..d42975a8b 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_12.yaml
@@ -1,31 +1,36 @@
-ID: aws_fedramp_moderate_rev_4_si_12
-Title: benchmark.nist_800_53_rev_4_si_12.title
-Description: benchmark.nist_800_53_rev_4_si_12.description
-SectionCode: "12"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_si_12
+ title: benchmark.nist_800_53_rev_4_si_12.title
+ description: benchmark.nist_800_53_rev_4_si_12.description
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
index ac421fc9e..5522ad4db 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_fedramp_moderate_rev_4_si_2
-Title: benchmark.nist_800_53_rev_4_si_2.title
-Description: benchmark.nist_800_53_rev_4_si_2.description
-SectionCode: "2"
-Children:
- - aws_fedramp_moderate_rev_4_si_2_2
-Controls: []
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_si_2
+ title: benchmark.nist_800_53_rev_4_si_2.title
+ description: benchmark.nist_800_53_rev_4_si_2.description
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_fedramp_moderate_rev_4_si_2_2
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
index a3c644840..db73c92b3 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_2_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_fedramp_moderate_rev_4_si_2_2
-Title: Automated Flaw Remediation Status (SI-2(2))
-Description: The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- fedramp_moderate_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_fedramp_moderate_rev_4_si_2_2
+ title: Automated Flaw Remediation Status (SI-2(2))
+ description: The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ fedramp_moderate_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
index 03cae8d7c..c4366dc7d 100755
--- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
+++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4.yaml
@@ -1,23 +1,28 @@ -ID: aws_fedramp_moderate_rev_4_si_4 -Title: benchmark.nist_800_53_rev_4_si_4.title -Description: benchmark.nist_800_53_rev_4_si_4.description -SectionCode: "4" -Children: - - aws_fedramp_moderate_rev_4_si_4_1 - - aws_fedramp_moderate_rev_4_si_4_16 - - aws_fedramp_moderate_rev_4_si_4_2 - - aws_fedramp_moderate_rev_4_si_4_4 - - aws_fedramp_moderate_rev_4_si_4_5 - - aws_fedramp_moderate_rev_4_si_4_a_b_c -Controls: [] -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4 + title: benchmark.nist_800_53_rev_4_si_4.title + description: benchmark.nist_800_53_rev_4_si_4.description + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_si_4_1 + - id: aws_fedramp_moderate_rev_4_si_4_16 + - id: aws_fedramp_moderate_rev_4_si_4_2 + - id: aws_fedramp_moderate_rev_4_si_4_4 + - id: aws_fedramp_moderate_rev_4_si_4_5 + - id: aws_fedramp_moderate_rev_4_si_4_a_b_c diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml index 417433cca..094ab885d 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_1.yaml 
@@ -1,18 +1,23 @@ -ID: aws_fedramp_moderate_rev_4_si_4_1 -Title: benchmark.nist_800_53_rev_4_si_4_1.title -Description: benchmark.nist_800_53_rev_4_si_4_1.description -SectionCode: "1" -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_1 + title: benchmark.nist_800_53_rev_4_si_4_1.title + description: benchmark.nist_800_53_rev_4_si_4_1.description + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml index 2eccbafad..b122e7914 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_16.yaml 
@@ -1,23 +1,28 @@ -ID: aws_fedramp_moderate_rev_4_si_4_16 -Title: benchmark.nist_800_53_rev_4_si_4_16.title -Description: benchmark.nist_800_53_rev_4_si_4_16.description -SectionCode: "16" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_guardduty_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_16 + title: benchmark.nist_800_53_rev_4_si_4_16.title + description: benchmark.nist_800_53_rev_4_si_4_16.description + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_guardduty_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml index af2ad880f..c7c0fc808 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_2.yaml 
@@ -1,25 +1,30 @@ -ID: aws_fedramp_moderate_rev_4_si_4_2 -Title: benchmark.nist_800_53_rev_4_si_4_2.title -Description: benchmark.nist_800_53_rev_4_si_4_2.description -SectionCode: "2" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_2 + title: benchmark.nist_800_53_rev_4_si_4_2.title + description: benchmark.nist_800_53_rev_4_si_4_2.description + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml index 1052479b0..a816ba992 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_4.yaml 
@@ -1,21 +1,26 @@ -ID: aws_fedramp_moderate_rev_4_si_4_4 -Title: benchmark.nist_800_53_rev_4_si_4_4.title -Description: benchmark.nist_800_53_rev_4_si_4_4.description -SectionCode: "4" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_4 + title: benchmark.nist_800_53_rev_4_si_4_4.title + description: benchmark.nist_800_53_rev_4_si_4_4.description + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml index 3f0c215bf..912ca869f 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_5.yaml 
@@ -1,21 +1,26 @@ -ID: aws_fedramp_moderate_rev_4_si_4_5 -Title: benchmark.nist_800_53_rev_4_si_4_5.title -Description: benchmark.nist_800_53_rev_4_si_4_5.description -SectionCode: "5" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_5 + title: benchmark.nist_800_53_rev_4_si_4_5.title + description: benchmark.nist_800_53_rev_4_si_4_5.description + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml index 389378051..070cdc52e 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_4_a_b_c.yaml 
@@ -1,26 +1,31 @@ -ID: aws_fedramp_moderate_rev_4_si_4_a_b_c -Title: SI-4(a)(b)(c) -Description: 'The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.' -SectionCode: a_b_c -Children: [] -Controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elb_application_lb_waf_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_4_a_b_c + title: SI-4(a)(b)(c) + description: "The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization." 
+ section-code: a_b_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_use_waf_web_acl + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elb_application_lb_waf_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml index 832440609..da314e447 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7.yaml @@ -1,19 +1,25 @@ -ID: aws_fedramp_moderate_rev_4_si_7 -Title: benchmark.nist_800_53_rev_4_si_7.title -Description: benchmark.nist_800_53_rev_4_si_7.description -SectionCode: "7" -Children: - - aws_fedramp_moderate_rev_4_si_7_1 -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_7 + title: benchmark.nist_800_53_rev_4_si_7.title + description: benchmark.nist_800_53_rev_4_si_7.description + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_fedramp_moderate_rev_4_si_7_1 + controls: + - aws_cloudtrail_trail_validation_enabled 
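Review bot: The `description` in this hunk switches from single to double quotes for no functional reason: the value has no escape sequences, and under double quotes any backslash introduced in a later edit becomes an escape rather than a literal character. Quoting itself is required here because the text contains `: ` and `[`, so keep the quotes, but the single-quoted form the file already had is the safer style: `description: 'The organization: a. Monitors the information system to detect: …'`. Every other description in this set is a plain scalar, so this file is the odd one out either way and the quote style is the only thing worth changing.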
diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml index 101c767d1..d8efb22e3 100755 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml +++ b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/aws_fedramp_moderate_rev_4_si_7_1.yaml @@ -1,20 +1,25 @@ -ID: aws_fedramp_moderate_rev_4_si_7_1 -Title: benchmark.nist_800_53_rev_4_si_7_1.title -Description: benchmark.nist_800_53_rev_4_si_7_1.description -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_fedramp_moderate_rev_4_si_7_1 + title: benchmark.nist_800_53_rev_4_si_7_1.title + description: benchmark.nist_800_53_rev_4_si_7_1.description + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + fedramp_moderate_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/root.yaml b/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/root.yaml deleted file mode 100755 index 54c1901bd..000000000 --- a/compliance/frameworks/aws/aws_fedramp_moderate_rev_4/root.yaml +++ /dev/null 
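Review bot: The deletion of `root.yaml` that follows this hunk removes the only parent of the `aws_fedramp_moderate_rev_4_si*` groups edited here, and no replacement FedRAMP framework file is visible in this part of the change (the FFIEC set does get a new `aws_ffiec.yaml` with a `framework:` stanza). Presumably a new `aws_fedramp_moderate_rev_4.yaml` exists elsewhere in the commit; if so it should carry over the deleted root's `platform_benchmark_type: - compliance` and `platform_category: - Certifications and Attestations` tags, which exist only on the root and would otherwise be lost from the framework. It is also worth checking that its `control-group` list still names the eleven control families (`ac` through `si`) that the removed root listed, since the child files do not reference their parent and an omission would silently orphan a family.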
@@ -1,36 +0,0 @@ -ID: aws_fedramp_moderate_rev_4 -Title: FedRAMP Moderate Revision 4 -Description: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. -SectionCode: aws_fedramp_moderate_rev_4 -Children: - - aws_fedramp_moderate_rev_4_ac - - aws_fedramp_moderate_rev_4_au - - aws_fedramp_moderate_rev_4_ca - - aws_fedramp_moderate_rev_4_cm - - aws_fedramp_moderate_rev_4_cp - - aws_fedramp_moderate_rev_4_ia - - aws_fedramp_moderate_rev_4_ir - - aws_fedramp_moderate_rev_4_ra - - aws_fedramp_moderate_rev_4_sa - - aws_fedramp_moderate_rev_4_sc - - aws_fedramp_moderate_rev_4_si -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - fedramp_moderate_rev_4: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Certifications and Attestations - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml new file mode 100644 index 000000000..4a31a5215 --- /dev/null +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec.yaml 
@@ -0,0 +1,31 @@ +framework: + id: aws_ffiec + title: Federal Financial Institutions Examination Council (FFIEC) + description: Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. + section-code: aws_ffiec + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Certifications and Attestations + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_1 + - id: aws_ffiec_d_2 + - id: aws_ffiec_d_3 + - id: aws_ffiec_d_4 + - id: aws_ffiec_d_5 diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml index 8764efe12..2ebbbf148 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1.yaml 
@@ -1,19 +1,24 @@ -ID: aws_ffiec_d_1 -Title: Cyber Risk Management and Oversight (Domain 1) -Description: Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight. -SectionCode: d_1 -Children: - - aws_ffiec_d_1_g - - aws_ffiec_d_1_rm -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1 + title: Cyber Risk Management and Oversight (Domain 1) + description: Cyber risk management and oversight addresses the board of directors' (board's) oversight and management's development and implementation of an effective enterprise-wide cybersecurity program with comprehensive policies and procedures for establishing appropriate accountability and oversight. + section-code: d_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_1_g + - id: aws_ffiec_d_1_rm diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml index 2d7675cdc..928a94cd1 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g.yaml 
@@ -1,18 +1,23 @@ -ID: aws_ffiec_d_1_g -Title: Governance (G) -Description: Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program. -SectionCode: g -Children: - - aws_ffiec_d_1_g_it_b_1 -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1_g + title: Governance (G) + description: Governance includes oversight, strategies, policies, and IT asset management to implement an effective governance of the cybersecurity program. + section-code: g + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_1_g_it_b_1 diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml index 053bc8a20..59fffbf74 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_g_it_b_1.yaml 
@@ -1,22 +1,27 @@ -ID: aws_ffiec_d_1_g_it_b_1 -Title: D1.G.IT.B.1 -Description: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. -SectionCode: it_b_1 -Children: [] -Controls: - - aws_ebs_attached_volume_delete_on_termination_enabled - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_vpc_eip_associated -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1_g_it_b_1 + title: D1.G.IT.B.1 + description: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. + section-code: it_b_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ebs_attached_volume_delete_on_termination_enabled + - aws_ebs_volume_unused + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_vpc_eip_associated diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml index 9781475c5..19b547007 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm.yaml 
@@ -1,19 +1,24 @@ -ID: aws_ffiec_d_1_rm -Title: Risk Management (RM) -Description: Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls. -SectionCode: rm -Children: - - aws_ffiec_d_1_rm_ra_b_2 - - aws_ffiec_d_1_rm_rm_b_1 -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1_rm + title: Risk Management (RM) + description: Risk Management includes a risk management program, risk assessment process, and audit function to effectively manage risk and assess the effectiveness of key controls. + section-code: rm + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_1_rm_ra_b_2 + - id: aws_ffiec_d_1_rm_rm_b_1 diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml index 741781266..a326d9928 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_ra_b_2.yaml 
@@ -1,18 +1,23 @@ -ID: aws_ffiec_d_1_rm_ra_b_2 -Title: D1.RM.RA.B.2 -Description: The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls. -SectionCode: ra_b_2 -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1_rm_ra_b_2 + title: D1.RM.RA.B.2 + description: The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls. + section-code: ra_b_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml index bdb330c49..db704245d 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_1_rm_rm_b_1.yaml 
@@ -1,32 +1,37 @@ -ID: aws_ffiec_d_1_rm_rm_b_1 -Title: D1.RM.Rm.B.1 -Description: An information security and business continuity risk management function(s) exists within the institution. -SectionCode: rm_b_1 -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_1_rm_rm_b_1 + title: D1.RM.Rm.B.1 + description: An information security and business continuity risk management function(s) exists within the institution. 
+ section-code: rm_b_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml index 79ee5f485..da35836b8 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2.yaml 
@@ -1,20 +1,25 @@ -ID: aws_ffiec_d_2 -Title: Threat Intelligence and Collaboration (Domain 2) -Description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties. -SectionCode: d_2 -Children: - - aws_ffiec_d_2_is - - aws_ffiec_d_2_ma - - aws_ffiec_d_2_ti -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_2 + title: Threat Intelligence and Collaboration (Domain 2) + description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties. + section-code: d_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_2_is + - id: aws_ffiec_d_2_ma + - id: aws_ffiec_d_2_ti diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml index 9b398004c..53bbd80d6 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is.yaml 
@@ -1,18 +1,23 @@ -ID: aws_ffiec_d_2_is -Title: Information Sharing (IS) -Description: Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders. -SectionCode: is -Children: - - aws_ffiec_d_2_is_is_b_1 -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_2_is + title: Information Sharing (IS) + description: Information Sharing encompasses establishing relationships with peers and information-sharing forums and how threat information is communicated to those groups as well as internal stakeholders. + section-code: is + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_2_is_is_b_1 diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml index d662ea020..e0959f197 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_is_is_b_1.yaml 
@@ -1,20 +1,25 @@ -ID: aws_ffiec_d_2_is_is_b_1 -Title: D2.IS.Is.B.1 -Description: Information security threats are gathered and shared with applicable internal employees. -SectionCode: is_b_1 -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_2_is_is_b_1 + title: D2.IS.Is.B.1 + description: Information security threats are gathered and shared with applicable internal employees. + section-code: is_b_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml index f916eeeeb..194abb254 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma.yaml 
@@ -1,19 +1,24 @@ -ID: aws_ffiec_d_2_ma -Title: Monitoring and Analyzing (MA) -Description: Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams. -SectionCode: ma -Children: - - aws_ffiec_d_2_ma_ma_b_1 - - aws_ffiec_d_2_ma_ma_b_2 -Controls: [] -Tags: - category: - - Compliance - ffiec: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_ffiec_d_2_ma + title: Monitoring and Analyzing (MA) + description: Monitoring and Analyzing refers to how an institution monitors threat sources and what analysis may be performed to identify threats that are specific to the institution or to resolve conflicts in the different threat intelligence streams. + section-code: ma + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + ffiec: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_ffiec_d_2_ma_ma_b_1 + - id: aws_ffiec_d_2_ma_ma_b_2 diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml index 5ae8404fd..a6d907dc2 100755 --- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml +++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_1.yaml 
@@ -1,32 +1,37 @@
-ID: aws_ffiec_d_2_ma_ma_b_1
-Title: D2.MA.Ma.B.1
-Description: Audit log records and other security event logs are reviewed and retained in a secure manner.
-SectionCode: ma_b_1
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ma_ma_b_1
+ title: D2.MA.Ma.B.1
+ description: Audit log records and other security event logs are reviewed and retained in a secure manner.
+ section-code: ma_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
index 92e4d5052..771ed8ea8 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ma_ma_b_2.yaml
@@ -1,28 +1,33 @@
-ID: aws_ffiec_d_2_ma_ma_b_2
-Title: D2.MA.Ma.B.2
-Description: Computer event logs are used for investigations once an event has occurred.
-SectionCode: ma_b_2
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ma_ma_b_2
+ title: D2.MA.Ma.B.2
+ description: Computer event logs are used for investigations once an event has occurred.
+ section-code: ma_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
index a60693c51..a76885d13 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_2_ti
-Title: Threat Intelligence (TI)
-Description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
-SectionCode: ti
-Children:
- - aws_ffiec_d_2_ti_ti_b_1
- - aws_ffiec_d_2_ti_ti_b_2
- - aws_ffiec_d_2_ti_ti_b_3
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ti
+ title: Threat Intelligence (TI)
+ description: Threat intelligence and collaboration includes processes to effectively discover, analyze, and understand cyber threats, with the capability to share information internally and with appropriate third parties.
+ section-code: ti
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_2_ti_ti_b_1
+ - id: aws_ffiec_d_2_ti_ti_b_2
+ - id: aws_ffiec_d_2_ti_ti_b_3
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
index 1a274be3f..2435affc0 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_2_ti_ti_b_1
-Title: D2.TI.Ti.B.1
-Description: The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).
-SectionCode: ti_b_1
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ti_ti_b_1
+ title: D2.TI.Ti.B.1
+ description: The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).
+ section-code: ti_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
index 154163654..96aebcaca 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_2_ti_ti_b_2
-Title: D2.TI.Ti.B.2
-Description: Threat information is used to monitor threats and vulnerabilities.
-SectionCode: ti_b_2
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ti_ti_b_2
+ title: D2.TI.Ti.B.2
+ description: Threat information is used to monitor threats and vulnerabilities.
+ section-code: ti_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml
index 6d5f86b9f..c9cdd1cb2 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_2_ti_ti_b_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_2_ti_ti_b_3
-Title: D2.TI.Ti.B.3
-Description: Threat information is used to enhance internal risk management and controls.
-SectionCode: ti_b_3
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_2_ti_ti_b_3
+ title: D2.TI.Ti.B.3
+ description: Threat information is used to enhance internal risk management and controls.
+ section-code: ti_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml
index 363b231ae..4030f2981 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3
-Title: Cybersecurity Controls (Domain 3)
-Description: Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
-SectionCode: d_3
-Children:
- - aws_ffiec_d_3_cc
- - aws_ffiec_d_3_dc
- - aws_ffiec_d_3_pc
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3
+ title: Cybersecurity Controls (Domain 3)
+ description: Cybersecurity controls are the practices and processes used to protect assets, infrastructure, and information by strengthening the institution's defensive posture through continuous, automated protection and monitoring.
+ section-code: d_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_3_cc
+ - id: aws_ffiec_d_3_dc
+ - id: aws_ffiec_d_3_pc
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml
index 6b5831bd4..43eda8dd1 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_3_cc
-Title: Corrective Controls (CC)
-Description: Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.
-SectionCode: cc
-Children:
- - aws_ffiec_d_3_cc_pm_b_1
- - aws_ffiec_d_3_cc_pm_b_3
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_cc
+ title: Corrective Controls (CC)
+ description: Corrective Controls are utilized to resolve system and software vulnerabilities through patch management and remediation of issues identified during vulnerability scans and penetration testing.
+ section-code: cc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_3_cc_pm_b_1
+ - id: aws_ffiec_d_3_cc_pm_b_3
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml
index 3e6002aa8..1b1e3ecdb 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_cc_pm_b_1
-Title: D3.CC.PM.B.1
-Description: A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.
-SectionCode: pm_b_1
-Children: []
-Controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_cc_pm_b_1
+ title: D3.CC.PM.B.1
+ description: A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.
+ section-code: pm_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml
index 5ed2b6c12..03d1f17f2 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_cc_pm_b_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_cc_pm_b_3
-Title: D3.CC.PM.B.3
-Description: Patch management reports are reviewed and reflect missing security patches.
-SectionCode: pm_b_3
-Children: []
-Controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_cc_pm_b_3
+ title: D3.CC.PM.B.3
+ description: Patch management reports are reviewed and reflect missing security patches.
+ section-code: pm_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml
index 918234160..f76212b5f 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc.yaml
@@ -1,26 +1,31 @@
-ID: aws_ffiec_d_3_dc
-Title: Detective Controls (DC)
-Description: Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has or may occur.
-SectionCode: dc
-Children:
- - aws_ffiec_d_3_dc_an_b_1
- - aws_ffiec_d_3_dc_an_b_2
- - aws_ffiec_d_3_dc_an_b_3
- - aws_ffiec_d_3_dc_an_b_4
- - aws_ffiec_d_3_dc_an_b_5
- - aws_ffiec_d_3_dc_ev_b_1
- - aws_ffiec_d_3_dc_ev_b_2
- - aws_ffiec_d_3_dc_ev_b_3
- - aws_ffiec_d_3_dc_th_b_1
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc
+ title: Detective Controls (DC)
+ description: Detective Controls include threat and vulnerability detection, anomalous activity detection, and event detection, may alert the institution to network and system irregularities that indicate an incident has or may occur.
+ section-code: dc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_3_dc_an_b_1
+ - id: aws_ffiec_d_3_dc_an_b_2
+ - id: aws_ffiec_d_3_dc_an_b_3
+ - id: aws_ffiec_d_3_dc_an_b_4
+ - id: aws_ffiec_d_3_dc_an_b_5
+ - id: aws_ffiec_d_3_dc_ev_b_1
+ - id: aws_ffiec_d_3_dc_ev_b_2
+ - id: aws_ffiec_d_3_dc_ev_b_3
+ - id: aws_ffiec_d_3_dc_th_b_1
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml
index ae33799c6..cc62e9ac7 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_dc_an_b_1
-Title: D3.DC.An.B.1
-Description: The institution is able to detect anomalous activities through monitoring across the environment.
-SectionCode: an_b_1
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_an_b_1
+ title: D3.DC.An.B.1
+ description: The institution is able to detect anomalous activities through monitoring across the environment.
+ section-code: an_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml
index 776ab373b..d9493afde 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_3_dc_an_b_2
-Title: D3.DC.An.B.2
-Description: Customer transactions generating anomalous activity alerts are monitored and reviewed.
-SectionCode: an_b_2
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_an_b_2
+ title: D3.DC.An.B.2
+ description: Customer transactions generating anomalous activity alerts are monitored and reviewed.
+ section-code: an_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml
index 93a3f5c20..12127c1c0 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_3.yaml
@@ -1,28 +1,33 @@
-ID: aws_ffiec_d_3_dc_an_b_3
-Title: D3.DC.An.B.3
-Description: Logs of physical and/or logical access are reviewed following events.
-SectionCode: an_b_3
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_an_b_3
+ title: D3.DC.An.B.3
+ description: Logs of physical and/or logical access are reviewed following events.
+ section-code: an_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml
index 077c9e54d..6862ba65c 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_4.yaml
@@ -1,30 +1,35 @@
-ID: aws_ffiec_d_3_dc_an_b_4
-Title: D3.DC.An.B.4
-Description: Access to critical systems by third parties is monitored for unauthorized or unusual activity.
-SectionCode: an_b_4
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_an_b_4
+ title: D3.DC.An.B.4
+ description: Access to critical systems by third parties is monitored for unauthorized or unusual activity.
+ section-code: an_b_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml
index 2c1b69105..1c2630047 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_an_b_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_3_dc_an_b_5
-Title: D3.DC.An.B.5
-Description: Elevated privileges are monitored.
-SectionCode: an_b_5
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_an_b_5
+ title: D3.DC.An.B.5
+ description: Elevated privileges are monitored.
+ section-code: an_b_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml
index 7e116b6b3..0b205c161 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_1.yaml
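Review bot: The `controls` list for D3.DC.An.B.5 ("Elevated privileges are monitored") carries only `aws_cloudtrail_trail_enabled` and `aws_cloudtrail_trail_integrated_with_logs`, which establish that API activity is recorded and forwarded to CloudWatch Logs but not that privileged or root activity in those logs is actually watched or alerted on. If the control catalogue has a check for CloudWatch metric filters or alarms on IAM/root activity it belongs in this group; if it does not, a comment above `controls:` such as `# proves logs are captured, not that privilege use is reviewed` would keep the mapping honest for assessors reading the statement. This is pre-existing mapping content the commit carries over unchanged, so it can be a follow-up.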
@@ -1,27 +1,32 @@
-ID: aws_ffiec_d_3_dc_ev_b_1
-Title: D3.DC.Ev.B.1
-Description: A normal network activity baseline is established.
-SectionCode: ev_b_1
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_ev_b_1
+ title: D3.DC.Ev.B.1
+ description: A normal network activity baseline is established.
+ section-code: ev_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml
index 3235e3d61..89001f1e7 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_3_dc_ev_b_2
-Title: D3.DC.Ev.B.2
-Description: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
-SectionCode: ev_b_2
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_ev_b_2
+ title: D3.DC.Ev.B.2
+ description: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.
+ section-code: ev_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml
index b14cc8f43..5db56d97e 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_ev_b_3.yaml
@@ -1,21 +1,26 @@
-ID: aws_ffiec_d_3_dc_ev_b_3
-Title: D3.DC.Ev.B.3
-Description: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
-SectionCode: ev_b_3
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_ev_b_3
+ title: D3.DC.Ev.B.3
+ description: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.
+ section-code: ev_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml
index 7cbb06936..4e74ff683 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_dc_th_b_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_dc_th_b_1
-Title: D3.DC.Th.B.1
-Description: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network.
-SectionCode: th_b_1
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_dc_th_b_1
+ title: D3.DC.Th.B.1
+ description: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network.
+ section-code: th_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml
index 8c77e7372..3feaf2021 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc.yaml
@@ -1,35 +1,40 @@
-ID: aws_ffiec_d_3_pc
-Title: Preventative Controls (PC)
-Description: Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.
-SectionCode: pc
-Children:
- - aws_ffiec_d_3_pc_am_b_1
- - aws_ffiec_d_3_pc_am_b_10
- - aws_ffiec_d_3_pc_am_b_12
- - aws_ffiec_d_3_pc_am_b_13
- - aws_ffiec_d_3_pc_am_b_15
- - aws_ffiec_d_3_pc_am_b_16
- - aws_ffiec_d_3_pc_am_b_2
- - aws_ffiec_d_3_pc_am_b_3
- - aws_ffiec_d_3_pc_am_b_6
- - aws_ffiec_d_3_pc_am_b_7
- - aws_ffiec_d_3_pc_am_b_8
- - aws_ffiec_d_3_pc_im_b_1
- - aws_ffiec_d_3_pc_im_b_2
- - aws_ffiec_d_3_pc_im_b_3
- - aws_ffiec_d_3_pc_im_b_5
- - aws_ffiec_d_3_pc_im_b_6
- - aws_ffiec_d_3_pc_im_b_7
- - aws_ffiec_d_3_pc_se_b_1
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc
+ title: Preventative Controls (PC)
+ description: Preventative Controls deter and prevent cyber attacks and include infrastructure management, access management, device and end-point security, and secure coding.
+ section-code: pc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_3_pc_am_b_1
+ - id: aws_ffiec_d_3_pc_am_b_10
+ - id: aws_ffiec_d_3_pc_am_b_12
+ - id: aws_ffiec_d_3_pc_am_b_13
+ - id: aws_ffiec_d_3_pc_am_b_15
+ - id: aws_ffiec_d_3_pc_am_b_16
+ - id: aws_ffiec_d_3_pc_am_b_2
+ - id: aws_ffiec_d_3_pc_am_b_3
+ - id: aws_ffiec_d_3_pc_am_b_6
+ - id: aws_ffiec_d_3_pc_am_b_7
+ - id: aws_ffiec_d_3_pc_am_b_8
+ - id: aws_ffiec_d_3_pc_im_b_1
+ - id: aws_ffiec_d_3_pc_im_b_2
+ - id: aws_ffiec_d_3_pc_im_b_3
+ - id: aws_ffiec_d_3_pc_im_b_5
+ - id: aws_ffiec_d_3_pc_im_b_6
+ - id: aws_ffiec_d_3_pc_im_b_7
+ - id: aws_ffiec_d_3_pc_se_b_1
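Review bot: The nested `control-group:` inside the top-level `control-group:` mapping is a sequence of `- id:` entries, so one key name means a mapping at the outer level and a list at the inner one, and a schema validator or anyone grepping for the key cannot tell the two apart by name. The same shape appears in the `aws_ffiec_d_4` hunk later in this change. If the loader's schema is still open, a distinct name for the child list (for example the `children:` the old `Children:` key already suggested) would keep each key to a single type; if the name is fixed by the loader, a comment above the nested key such as `# child control groups, referenced by id` would at least mark the switch from mapping to sequence for the next reader.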
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml
index b7fca48df..e80f2b69c 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_1.yaml
@@ -1,27 +1,32 @@
-ID: aws_ffiec_d_3_pc_am_b_1
-Title: D3.PC.Am.B.1
-Description: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.
-SectionCode: am_b_1
-Children: []
-Controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_1
+ title: D3.PC.Am.B.1
+ description: Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.
+ section-code: am_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml
index b7e4044e6..9dc0c141a 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_10.yaml
@@ -1,21 +1,26 @@
-ID: aws_ffiec_d_3_pc_am_b_10
-Title: D3.PC.Am.B.10
-Description: Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.)
-SectionCode: am_b_10
-Children: []
-Controls:
- - aws_ec2_instance_in_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_10
+ title: D3.PC.Am.B.10
+ description: Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.)
+ section-code: am_b_10
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_in_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml
index b0678808e..e9bfbfcf6 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_12.yaml 
@@ -1,33 +1,38 @@
-ID: aws_ffiec_d_3_pc_am_b_12
-Title: D3.PC.Am.B.12
-Description: All passwords are encrypted in storage and in transit.
-SectionCode: am_b_12
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_backup_recovery_point_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_kerberos_enabled
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_12
+ title: D3.PC.Am.B.12
+ description: All passwords are encrypted in storage and in transit.
+ section-code: am_b_12
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_kerberos_enabled
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml
index 86e7c5c13..984f47e3f 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_13.yaml
@@ -1,24 +1,29 @@
-ID: aws_ffiec_d_3_pc_am_b_13
-Title: D3.PC.Am.B.13
-Description: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).
-SectionCode: am_b_13
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_13
+ title: D3.PC.Am.B.13
+ description: Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).
+ section-code: am_b_13
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml
index e8bc9e6dc..f4b1f81a9 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_15.yaml
@@ -1,24 +1,29 @@
-ID: aws_ffiec_d_3_pc_am_b_15
-Title: D3.PC.Am.B.15
-Description: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
-SectionCode: am_b_15
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_15
+ title: D3.PC.Am.B.15
+ description: Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.
+ section-code: am_b_15
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
index decacab3e..de0d4923d 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_16.yaml
@@ -1,21 +1,26 @@
-ID: aws_ffiec_d_3_pc_am_b_16
-Title: D3.PC.Am.B.16
-Description: Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
-SectionCode: am_b_16
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_16
+ title: D3.PC.Am.B.16
+ description: Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.
+ section-code: am_b_16
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
index e23fe2d33..51f6dcf04 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_pc_am_b_2
-Title: D3.PC.Am.B.2
-Description: Employee access to systems and confidential data provides for separation of duties.
-SectionCode: am_b_2
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_2
+ title: D3.PC.Am.B.2
+ description: Employee access to systems and confidential data provides for separation of duties.
+ section-code: am_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
index 54146494b..605623c88 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_3.yaml
@@ -1,23 +1,28 @@
-ID: aws_ffiec_d_3_pc_am_b_3
-Title: D3.PC.Am.B.3
-Description: Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls)
-SectionCode: am_b_3
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_3
+ title: D3.PC.Am.B.3
+ description: Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls)
+ section-code: am_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
index 0fe21cc53..63f0d7e0c 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_6.yaml
@@ -1,29 +1,34 @@
-ID: aws_ffiec_d_3_pc_am_b_6
-Title: D3.PC.Am.B.6
-Description: Identification and authentication are required and managed for access to systems, applications, and hardware.
-SectionCode: am_b_6
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_6
+ title: D3.PC.Am.B.6
+ description: Identification and authentication are required and managed for access to systems, applications, and hardware.
+ section-code: am_b_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
index 22ae0a6f8..83cf3e371 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_3_pc_am_b_7
-Title: D3.PC.Am.B.7
-Description: Access controls include password complexity and limits to password attempts and reuse.
-SectionCode: am_b_7
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_7
+ title: D3.PC.Am.B.7
+ description: Access controls include password complexity and limits to password attempts and reuse.
+ section-code: am_b_7
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
index ad886958f..e1b2217c3 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_am_b_8.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_3_pc_am_b_8
-Title: D3.PC.Am.B.8
-Description: All default passwords and unnecessary default accounts are changed before system implementation.
-SectionCode: am_b_8
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_am_b_8
+ title: D3.PC.Am.B.8
+ description: All default passwords and unnecessary default accounts are changed before system implementation.
+ section-code: am_b_8
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
index d39adbbc9..7f9143ae2 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_1.yaml
@@ -1,44 +1,49 @@
-ID: aws_ffiec_d_3_pc_im_b_1
-Title: D3.PC.Im.B.1
-Description: Network perimeter defense tools (e.g., border router and firewall) are used.
-SectionCode: im_b_1
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_use_waf_web_acl
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_waf_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_1
+ title: D3.PC.Im.B.1
+ description: Network perimeter defense tools (e.g., border router and firewall) are used.
+ section-code: im_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_waf_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
index 9bcfc9d64..acbec401e 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_ffiec_d_3_pc_im_b_2
-Title: D3.PC.IM.B.2
-Description: Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
-SectionCode: im_b_2
-Children: []
-Controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_elb_application_lb_waf_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_2
+ title: D3.PC.IM.B.2
+ description: Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.
+ section-code: im_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_elb_application_lb_waf_enabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
index 56575e733..003516141 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_3.yaml
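Review bot: The title `D3.PC.IM.B.2` capitalises the assessment-factor abbreviation differently from its sibling groups (`D3.PC.Im.B.1`, `D3.PC.Im.B.5`, `D3.PC.Im.B.6`, `D3.PC.Im.B.7`), and the same applies to `D3.PC.IM.B.3` in the next hunk. This is carried over from the old `Title:` line rather than introduced here, but since the migration rewrites every title line anyway it is the natural moment to normalise both: `title: D3.PC.Im.B.2` and `title: D3.PC.Im.B.3`. The `section-code` values (`im_b_2`, `im_b_3`) already follow the lowercase form, so only the two title lines differ.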
@@ -1,23 +1,28 @@
-ID: aws_ffiec_d_3_pc_im_b_3
-Title: D3.PC.IM.B.3
-Description: All ports are monitored.
-SectionCode: im_b_3
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_3
+ title: D3.PC.IM.B.3
+ description: All ports are monitored.
+ section-code: im_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
index ed6c6d6e7..ad5f071cd 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_5.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_3_pc_im_b_5
-Title: D3.PC.Im.B.5
-Description: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced
-SectionCode: im_b_5
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_5
+ title: D3.PC.Im.B.5
+ description: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced
+ section-code: im_b_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
index 557983853..a4025276e 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_6.yaml
@@ -1,21 +1,26 @@
-ID: aws_ffiec_d_3_pc_im_b_6
-Title: D3.PC.Im.B.6
-Description: Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
-SectionCode: im_b_6
-Children: []
-Controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_6
+ title: D3.PC.Im.B.6
+ description: Ports, functions, protocols and services are prohibited if no longer needed for business purposes.
+ section-code: im_b_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
index 15cdb2349..784be0636 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_im_b_7.yaml
@@ -1,24 +1,29 @@
-ID: aws_ffiec_d_3_pc_im_b_7
-Title: D3.PC.Im.B.7
-Description: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
-SectionCode: im_b_7
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_im_b_7
+ title: D3.PC.Im.B.7
+ description: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.
+ section-code: im_b_7
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
index 5f1750302..3e366ecd6 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_3_pc_se_b_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_ffiec_d_3_pc_se_b_1
-Title: D3.PC.Se.B.1
-Description: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.
-SectionCode: se_b_1
-Children: []
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_3_pc_se_b_1
+ title: D3.PC.Se.B.1
+ description: Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.
+ section-code: se_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
index 90726d6dc..ab0b8533a 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_4
-Title: External Dependency Management (Domain 4)
-Description: External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
-SectionCode: d_4
-Children:
- - aws_ffiec_d_4_c
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_4
+ title: External Dependency Management (Domain 4)
+ description: External dependency management involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships with access to the institution's technology assets and information.
+ section-code: d_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_4_c
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
index 266701c4c..ddd9b4173 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_4_c
-Title: Connections (C)
-Description: Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
-SectionCode: c
-Children:
- - aws_ffiec_d_4_c_co_b_2
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_4_c
+ title: Connections (C)
+ description: Connections incorporate the identification, monitoring, and management of external connections and data flows to third parties.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_4_c_co_b_2
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
index a2093d2e5..c6527cc9a 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_4_c_co_b_2.yaml
@@ -1,21 +1,26 @@
-ID: aws_ffiec_d_4_c_co_b_2
-Title: D4.C.Co.B.2
-Description: The institution ensures that third-party connections are authorized.
-SectionCode: co_b_2
-Children: []
-Controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_4_c_co_b_2
+ title: D4.C.Co.B.2
+ description: The institution ensures that third-party connections are authorized.
+ section-code: co_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
index a54e1c9e4..fd017aca4 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_5
-Title: Cyber Incident Management and Resilience (Domain 5)
-Description: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
-SectionCode: d_5
-Children:
- - aws_ffiec_d_5_dr
- - aws_ffiec_d_5_er
- - aws_ffiec_d_5_ir
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5
+ title: Cyber Incident Management and Resilience (Domain 5)
+ description: Cyber incident management includes establishing, identifying, and analyzing cyber events; prioritizing the institution's containment or mitigation; and escalating information to appropriate stakeholders. Cyber resilience encompasses both planning and testing to maintain and recover ongoing operations during and following a cyber incident.
+ section-code: d_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_5_dr
+ - id: aws_ffiec_d_5_er
+ - id: aws_ffiec_d_5_ir
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
index 9ddc55ec8..267b83fb4 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_5_dr
-Title: Detection, Response, & Mitigation (DR)
-Description: Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.
-SectionCode: dr
-Children:
- - aws_ffiec_d_5_dr_de_b_1
- - aws_ffiec_d_5_dr_de_b_2
- - aws_ffiec_d_5_dr_de_b_3
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_dr
+ title: Detection, Response, & Mitigation (DR)
+ description: Detection, Response, & Mitigation refers to the steps management takes to identify, prioritize, respond to, and mitigate the effects of internal and external threats and vulnerabilities.
+ section-code: dr
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_5_dr_de_b_1
+ - id: aws_ffiec_d_5_dr_de_b_2
+ - id: aws_ffiec_d_5_dr_de_b_3
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
index b34273cd0..00775c4ad 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_ffiec_d_5_dr_de_b_1
-Title: D5.DR.De.B.1
-Description: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
-SectionCode: de_b_1
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_dr_de_b_1
+ title: D5.DR.De.B.1
+ description: Alert parameters are set for detecting information security incidents that prompt mitigating actions.
+ section-code: de_b_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
index 472af87d3..ba1e95970 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_5_dr_de_b_2
-Title: D5.DR.De.B.2
-Description: System performance reports contain information that can be used as a risk indicator to detect information security incidents.
-SectionCode: de_b_2
-Children: []
-Controls:
- - aws_lambda_function_dead_letter_queue_configured
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_dr_de_b_2
+ title: D5.DR.De.B.2
+ description: System performance reports contain information that can be used as a risk indicator to detect information security incidents.
+ section-code: de_b_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_lambda_function_dead_letter_queue_configured
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
index 86ca48bc9..e99e5b5bf 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_dr_de_b_3.yaml
@@ -1,30 +1,35 @@
-ID: aws_ffiec_d_5_dr_de_b_3
-Title: D5.DR.De.B.3
-Description: Tools and processes are in place to detect, alert, and trigger the incident response program.
-SectionCode: de_b_3
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_dr_de_b_3
+ title: D5.DR.De.B.3
+ description: Tools and processes are in place to detect, alert, and trigger the incident response program.
+ section-code: de_b_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
index 693e280e5..b1297a1ee 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_5_er
-Title: Escalation and Reporting (ER)
-Description: Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required.
-SectionCode: er
-Children:
- - aws_ffiec_d_5_er_es_b_4
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_er
+ title: Escalation and Reporting (ER)
+ description: Escalation & Reporting ensures key stakeholders are informed about the impact of cyber incidents, and regulators, law enforcement, and customers are notified as required.
+ section-code: er
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_5_er_es_b_4
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml
index 2cc744bfc..32a6e3d09 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_er_es_b_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_5_er_es_b_4
-Title: D5.ER.Es.B.4
-Description: Incidents are classified, logged and tracked.
-SectionCode: es_b_4
-Children: []
-Controls:
- - aws_guardduty_finding_archived
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_er_es_b_4
+ title: D5.ER.Es.B.4
+ description: Incidents are classified, logged and tracked.
+ section-code: es_b_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml
index 3a9feeff0..f929c5812 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir.yaml
@@ -1,18 +1,23 @@
-ID: aws_ffiec_d_5_ir
-Title: Incident Resilience Planning & Strategy (IR)
-Description: Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data.
-SectionCode: ir
-Children:
- - aws_ffiec_d_5_ir_pi_b_6
-Controls: []
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_ir
+ title: Incident Resilience Planning & Strategy (IR)
+ description: Incident Resilience Planning & Strategy incorporates resilience planning and testing into existing business continuity and disaster recovery plans to minimize service disruptions and the destruction or corruption of data.
+ section-code: ir
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_ffiec_d_5_ir_pi_b_6
diff --git a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml
index 92bb61705..937bb03c6 100755
--- a/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml
+++ b/compliance/frameworks/aws/aws_ffiec/aws_ffiec_d_5_ir_pi_b_6.yaml
@@ -1,39 +1,44 @@
-ID: aws_ffiec_d_5_ir_pi_b_6
-Title: D5.IR.Pl.B.6
-Description: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.
-SectionCode: pi_b_6
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_ffiec_d_5_ir_pi_b_6
+ title: D5.IR.Pl.B.6
+ description: The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.
+ section-code: pi_b_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ ffiec:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_ffiec/root.yaml b/compliance/frameworks/aws/aws_ffiec/root.yaml
deleted file mode 100755
index e99d2c4ae..000000000
--- a/compliance/frameworks/aws/aws_ffiec/root.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-ID: aws_ffiec
-Title: Federal Financial Institutions Examination Council (FFIEC)
-Description: Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness.
-SectionCode: aws_ffiec
-Children:
- - aws_ffiec_d_1
- - aws_ffiec_d_2
- - aws_ffiec_d_3
- - aws_ffiec_d_4
- - aws_ffiec_d_5
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- ffiec:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Certifications and Attestations
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml
new file mode 100644
index 000000000..d6c70fa02
--- /dev/null
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security.yaml
@@ -0,0 +1,74 @@
+framework:
+ id: aws_foundational_security
+ title: AWS Foundational Security Best Practices
+ description: The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.
+ section-code: aws_foundational_security
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_foundational_security_account
+ - id: aws_foundational_security_acm
+ - id: aws_foundational_security_apigateway
+ - id: aws_foundational_security_appsync
+ - id: aws_foundational_security_athena
+ - id: aws_foundational_security_autoscaling
+ - id: aws_foundational_security_backup
+ - id: aws_foundational_security_cloudformation
+ - id: aws_foundational_security_cloudfront
+ - id: aws_foundational_security_cloudtrail
+ - id: aws_foundational_security_codebuild
+ - id: aws_foundational_security_config
+ - id: aws_foundational_security_dms
+ - id: aws_foundational_security_docdb
+ - id: aws_foundational_security_dynamodb
+ - id: aws_foundational_security_ec2
+ - id: aws_foundational_security_ecr
+ - id: aws_foundational_security_ecs
+ - id: aws_foundational_security_efs
+ - id: aws_foundational_security_eks
+ - id: aws_foundational_security_elasticache
+ - id: aws_foundational_security_elasticbeanstalk
+ - id: aws_foundational_security_elb
+ - id: aws_foundational_security_emr
+ - id: aws_foundational_security_es
+ - id: aws_foundational_security_eventbridge
+ - id: aws_foundational_security_fsx
+ - id: aws_foundational_security_guardduty
+ - id: aws_foundational_security_iam
+ - id: aws_foundational_security_kinesis
+ - id: aws_foundational_security_kms
+ - id: aws_foundational_security_lambda
+ - id: aws_foundational_security_msk
+ - id: aws_foundational_security_neptune
+ - id: aws_foundational_security_networkfirewall
+ - id: aws_foundational_security_opensearch
+ - id: aws_foundational_security_pca
+ - id: aws_foundational_security_rds
+ - id: aws_foundational_security_redshift
+ - id: aws_foundational_security_route53
+ - id: aws_foundational_security_s3
+ - id: aws_foundational_security_sagemaker
+ - id: aws_foundational_security_secretsmanager
+ - id: aws_foundational_security_sfn
+ - id: aws_foundational_security_sns
+ - id: aws_foundational_security_sqs
+ - id: aws_foundational_security_ssm
+ - id: aws_foundational_security_waf
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml
index 528800e1e..004f1eaa5 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_account.yaml
@@ -1,18 +1,23 @@
-ID: aws_foundational_security_account
-Title: Account
-Description: ""
-SectionCode: account
-Children: []
-Controls:
- - aws_foundational_security_account_1
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/Account
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_account
+ title: Account
+ description: Account
+ section-code: account
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/Account
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_account_1
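Review bot: `description: Account` in the new control-group merely repeats `title: Account`, replacing the old explicit `Description: ""` with filler that reads as documentation but says nothing. If the loader requires a non-empty description, a one-line statement of what the group covers (for example, the account-level settings exercised by aws_foundational_security_account_1) would serve readers better than the title; if it does not, keeping `description: ""` leaves the gap visible instead of hiding it. The same title-as-description pattern appears in the acm, apigateway, appsync, athena, autoscaling, backup, cloudformation and cloudfront hunks that follow.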
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml
index 58c965e9d..eeb2eeeb9 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_acm.yaml
@@ -1,19 +1,24 @@
-ID: aws_foundational_security_acm
-Title: ACM
-Description: ""
-SectionCode: acm
-Children: []
-Controls:
- - aws_foundational_security_acm_1
- - aws_foundational_security_acm_2
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ACM
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_acm
+ title: ACM
+ description: ACM
+ section-code: acm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ACM
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_acm_1
+ - aws_foundational_security_acm_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml
index be2ace31d..02f85b572 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_apigateway.yaml
@@ -1,24 +1,29 @@
-ID: aws_foundational_security_apigateway
-Title: API Gateway
-Description: ""
-SectionCode: apigateway
-Children: []
-Controls:
- - aws_foundational_security_apigateway_1
- - aws_foundational_security_apigateway_2
- - aws_foundational_security_apigateway_3
- - aws_foundational_security_apigateway_4
- - aws_foundational_security_apigateway_5
- - aws_foundational_security_apigateway_8
- - aws_foundational_security_apigateway_9
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/APIGateway
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_apigateway
+ title: API Gateway
+ description: API Gateway
+ section-code: apigateway
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/APIGateway
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_apigateway_1
+ - aws_foundational_security_apigateway_2
+ - aws_foundational_security_apigateway_3
+ - aws_foundational_security_apigateway_4
+ - aws_foundational_security_apigateway_5
+ - aws_foundational_security_apigateway_8
+ - aws_foundational_security_apigateway_9
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml
index 6f5932f28..16a84cb8d 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_appsync.yaml
@@ -1,8 +1,13 @@
-ID: aws_foundational_security_appsync
-Title: AppSync
-Description: ""
-SectionCode: appsync
-Children: []
-Controls:
- - aws_foundational_security_appsync_2
-Tags: {}
+control-group:
+ id: aws_foundational_security_appsync
+ title: AppSync
+ description: AppSync
+ section-code: appsync
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_appsync_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml
index 5abece051..868dba091 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_athena.yaml
@@ -1,8 +1,13 @@
-ID: aws_foundational_security_athena
-Title: Athena
-Description: ""
-SectionCode: athena
-Children: []
-Controls:
- - aws_foundational_security_athena_1
-Tags: {}
+control-group:
+ id: aws_foundational_security_athena
+ title: Athena
+ description: Athena
+ section-code: athena
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_athena_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml
index 6fb04fba2..18dd566eb 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_autoscaling.yaml
@@ -1,24 +1,29 @@
-ID: aws_foundational_security_autoscaling
-Title: Auto Scaling
-Description: ""
-SectionCode: autoscaling
-Children: []
-Controls:
- - aws_foundational_security_autoscaling_1
- - aws_foundational_security_autoscaling_2
- - aws_foundational_security_autoscaling_3
- - aws_foundational_security_autoscaling_4
- - aws_foundational_security_autoscaling_5
- - aws_foundational_security_autoscaling_6
- - aws_foundational_security_autoscaling_9
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/AutoScaling
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_autoscaling
+ title: Auto Scaling
+ description: Auto Scaling
+ section-code: autoscaling
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/AutoScaling
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_autoscaling_1
+ - aws_foundational_security_autoscaling_2
+ - aws_foundational_security_autoscaling_3
+ - aws_foundational_security_autoscaling_4
+ - aws_foundational_security_autoscaling_5
+ - aws_foundational_security_autoscaling_6
+ - aws_foundational_security_autoscaling_9
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml
index 79f984202..26d6c612e 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_backup.yaml
@@ -1,8 +1,13 @@
-ID: aws_foundational_security_backup
-Title: Backup
-Description: ""
-SectionCode: backup
-Children: []
-Controls:
- - aws_foundational_security_backup_1
-Tags: {}
+control-group:
+ id: aws_foundational_security_backup
+ title: Backup
+ description: Backup
+ section-code: backup
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_backup_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml
index 228c2a66a..b47951327 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudformation.yaml
@@ -1,18 +1,23 @@
-ID: aws_foundational_security_cloudformation
-Title: CloudFormation
-Description: ""
-SectionCode: cloudformation
-Children: []
-Controls:
- - aws_foundational_security_cloudformation_1
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/CloudFormation
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_cloudformation
+ title: CloudFormation
+ description: CloudFormation
+ section-code: cloudformation
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/CloudFormation
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_cloudformation_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml
index 320efb390..1f73ba1fb 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudfront.yaml
@@ -1,26 +1,31 @@
-ID: aws_foundational_security_cloudfront
-Title: CloudFront
-Description: ""
-SectionCode: cloudfront
-Children: []
-Controls:
- - aws_foundational_security_cloudfront_1
- - aws_foundational_security_cloudfront_3
- - aws_foundational_security_cloudfront_4
- - aws_foundational_security_cloudfront_5
- - aws_foundational_security_cloudfront_6
- - aws_foundational_security_cloudfront_7
- - aws_foundational_security_cloudfront_8
- - aws_foundational_security_cloudfront_10
- - aws_foundational_security_cloudfront_12
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/CloudFront
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_cloudfront
+ title: CloudFront
+ description: CloudFront
+ section-code: cloudfront
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/CloudFront
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_cloudfront_1
+ - aws_foundational_security_cloudfront_3
+ - aws_foundational_security_cloudfront_4
+ - aws_foundational_security_cloudfront_5
+ - aws_foundational_security_cloudfront_6
+ - aws_foundational_security_cloudfront_7
+ - aws_foundational_security_cloudfront_8
+ - aws_foundational_security_cloudfront_10
+ - aws_foundational_security_cloudfront_12
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml
index 9ef794638..939731420 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_cloudtrail.yaml
@@ -1,21 +1,26 @@
-ID: aws_foundational_security_cloudtrail
-Title: CloudTrail
-Description: ""
-SectionCode: cloudtrail
-Children: []
-Controls:
- - aws_foundational_security_cloudtrail_1
- - aws_foundational_security_cloudtrail_2
- - aws_foundational_security_cloudtrail_4
- - aws_foundational_security_cloudtrail_5
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_cloudtrail
+ title: CloudTrail
+ description: CloudTrail
+ section-code: cloudtrail
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_cloudtrail_1
+ - aws_foundational_security_cloudtrail_2
+ - aws_foundational_security_cloudtrail_4
+ - aws_foundational_security_cloudtrail_5
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml
index 751843bef..21e8e6596 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_codebuild.yaml
@@ -1,22 +1,27 @@
-ID: aws_foundational_security_codebuild
-Title: CodeBuild
-Description: ""
-SectionCode: codebuild
-Children: []
-Controls:
- - aws_foundational_security_codebuild_1
- - aws_foundational_security_codebuild_2
- - aws_foundational_security_codebuild_3
- - aws_foundational_security_codebuild_4
- - aws_foundational_security_codebuild_5
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/CodeBuild
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_codebuild
+ title: CodeBuild
+ description: CodeBuild
+ section-code: codebuild
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/CodeBuild
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_codebuild_1
+ - aws_foundational_security_codebuild_2
+ - aws_foundational_security_codebuild_3
+ - aws_foundational_security_codebuild_4
+ - aws_foundational_security_codebuild_5
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml
index 2ae5d212f..34d809317 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_config.yaml
@@ -1,18 +1,23 @@
-ID: aws_foundational_security_config
-Title: Config
-Description: ""
-SectionCode: config
-Children: []
-Controls:
- - aws_foundational_security_config_1
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/Config
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_config
+ title: Config
+ description: Config
+ section-code: config
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/Config
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_config_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml
index 5fe60e49d..4c5caedfe 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dms.yaml
@@ -1,21 +1,26 @@
-ID: aws_foundational_security_dms
-Title: DMS
-Description: ""
-SectionCode: dms
-Children: []
-Controls:
- - aws_foundational_security_dms_1
- - aws_foundational_security_dms_6
- - aws_foundational_security_dms_8
- - aws_foundational_security_dms_9
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/DMS
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_dms
+ title: DMS
+ description: DMS
+ section-code: dms
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/DMS
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_dms_1
+ - aws_foundational_security_dms_6
+ - aws_foundational_security_dms_8
+ - aws_foundational_security_dms_9
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml
index a90b7765e..8c29a9846 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_docdb.yaml
@@ -1,11 +1,16 @@
-ID: aws_foundational_security_docdb
-Title: DocumentDB
-Description: ""
-SectionCode: docdb
-Children: []
-Controls:
- - aws_foundational_security_docdb_1
- - aws_foundational_security_docdb_2
- - aws_foundational_security_docdb_4
- - aws_foundational_security_docdb_5
-Tags: {}
+control-group:
+ id: aws_foundational_security_docdb
+ title: DocumentDB
+ description: DocumentDB
+ section-code: docdb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_docdb_1
+ - aws_foundational_security_docdb_2
+ - aws_foundational_security_docdb_4
+ - aws_foundational_security_docdb_5
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml
index 5c6865987..cb8b7fd80 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_dynamodb.yaml
@@ -1,21 +1,26 @@
-ID: aws_foundational_security_dynamodb
-Title: DynamoDB
-Description: ""
-SectionCode: dynamodb
-Children: []
-Controls:
- - aws_foundational_security_dynamodb_1
- - aws_foundational_security_dynamodb_2
- - aws_foundational_security_dynamodb_3
- - aws_foundational_security_dynamodb_6
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/DynamoDB
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_dynamodb
+ title: DynamoDB
+ description: DynamoDB
+ section-code: dynamodb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/DynamoDB
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_dynamodb_1
+ - aws_foundational_security_dynamodb_2
+ - aws_foundational_security_dynamodb_3
+ - aws_foundational_security_dynamodb_6
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml
index 5797cf120..12d7d0abf 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ec2.yaml
@@ -1,33 +1,38 @@
-ID: aws_foundational_security_ec2
-Title: EC2
-Description: ""
-SectionCode: ec2
-Children: []
-Controls:
- - aws_foundational_security_ec2_1
- - aws_foundational_security_ec2_2
- - aws_foundational_security_ec2_3
- - aws_foundational_security_ec2_4
- - aws_foundational_security_ec2_7
- - aws_foundational_security_ec2_8
- - aws_foundational_security_ec2_9
- - aws_foundational_security_ec2_15
- - aws_foundational_security_ec2_16
- - aws_foundational_security_ec2_17
- - aws_foundational_security_ec2_18
- - aws_foundational_security_ec2_19
- - aws_foundational_security_ec2_20
- - aws_foundational_security_ec2_23
- - aws_foundational_security_ec2_24
- - aws_foundational_security_ec2_51
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/EC2
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_ec2
+ title: EC2
+ description: EC2
+ section-code: ec2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/EC2
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_ec2_1
+ - aws_foundational_security_ec2_2
+ - aws_foundational_security_ec2_3
+ - aws_foundational_security_ec2_4
+ - aws_foundational_security_ec2_7
+ - aws_foundational_security_ec2_8
+ - aws_foundational_security_ec2_9
+ - aws_foundational_security_ec2_15
+ - aws_foundational_security_ec2_16
+ - aws_foundational_security_ec2_17
+ - aws_foundational_security_ec2_18
+ - aws_foundational_security_ec2_19
+ - aws_foundational_security_ec2_20
+ - aws_foundational_security_ec2_23
+ - aws_foundational_security_ec2_24
+ - aws_foundational_security_ec2_51
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml
index 7dba0c344..b0b074914 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecr.yaml
@@ -1,20 +1,25 @@
-ID: aws_foundational_security_ecr
-Title: Elastic Container Registry
-Description: ""
-SectionCode: ecr
-Children: []
-Controls:
- - aws_foundational_security_ecr_1
- - aws_foundational_security_ecr_2
- - aws_foundational_security_ecr_3
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ECR
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_ecr
+ title: Elastic Container Registry
+ description: Elastic Container Registry
+ section-code: ecr
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ECR
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_ecr_1
+ - aws_foundational_security_ecr_2
+ - aws_foundational_security_ecr_3
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml
index a956da773..f08576d79 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ecs.yaml
@@ -1,26 +1,31 @@
-ID: aws_foundational_security_ecs
-Title: Elastic Container Service
-Description: ""
-SectionCode: ecs
-Children: []
-Controls:
- - aws_foundational_security_ecs_1
- - aws_foundational_security_ecs_2
- - aws_foundational_security_ecs_3
- - aws_foundational_security_ecs_4
- - aws_foundational_security_ecs_5
- - aws_foundational_security_ecs_8
- - aws_foundational_security_ecs_9
- - aws_foundational_security_ecs_10
- - aws_foundational_security_ecs_12
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ECS
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_ecs
+ title: Elastic Container Service
+ description: Elastic Container Service
+ section-code: ecs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ECS
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_ecs_1
+ - aws_foundational_security_ecs_2
+ - aws_foundational_security_ecs_3
+ - aws_foundational_security_ecs_4
+ - aws_foundational_security_ecs_5
+ - aws_foundational_security_ecs_8
+ - aws_foundational_security_ecs_9
+ - aws_foundational_security_ecs_10
+ - aws_foundational_security_ecs_12
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml
index aec2e2e8e..efc84dfc2 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_efs.yaml
@@ -1,21 +1,26 @@
-ID: aws_foundational_security_efs
-Title: EFS
-Description: ""
-SectionCode: efs
-Children: []
-Controls:
- - aws_foundational_security_efs_1
- - aws_foundational_security_efs_2
- - aws_foundational_security_efs_3
- - aws_foundational_security_efs_4
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/EFS
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_efs
+ title: EFS
+ description: EFS
+ section-code: efs
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/EFS
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_efs_1
+ - aws_foundational_security_efs_2
+ - aws_foundational_security_efs_3
+ - aws_foundational_security_efs_4
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml
index 882c60609..6033bfb3d 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eks.yaml
@@ -1,20 +1,25 @@
-ID: aws_foundational_security_eks
-Title: EKS
-Description: ""
-SectionCode: eks
-Children: []
-Controls:
- - aws_foundational_security_eks_1
- - aws_foundational_security_eks_2
- - aws_foundational_security_eks_8
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/EKS
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_eks
+ title: EKS
+ description: EKS
+ section-code: eks
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/EKS
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_eks_1
+ - aws_foundational_security_eks_2
+ - aws_foundational_security_eks_8
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml
index fa5b2dbf4..af8126f7e 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticache.yaml
@@ -1,24 +1,29 @@
-ID: aws_foundational_security_elasticache
-Title: ElastiCache
-Description: ""
-SectionCode: elasticache
-Children: []
-Controls:
- - aws_foundational_security_elasticache_1
- - aws_foundational_security_elasticache_2
- - aws_foundational_security_elasticache_3
- - aws_foundational_security_elasticache_4
- - aws_foundational_security_elasticache_5
- - aws_foundational_security_elasticache_6
- - aws_foundational_security_elasticache_7
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ElastiCache
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_elasticache
+ title: ElastiCache
+ description: ElastiCache
+ section-code: elasticache
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ElastiCache
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_elasticache_1
+ - aws_foundational_security_elasticache_2
+ - aws_foundational_security_elasticache_3
+ - aws_foundational_security_elasticache_4
+ - aws_foundational_security_elasticache_5
+ - aws_foundational_security_elasticache_6
+ - aws_foundational_security_elasticache_7
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml
index c87f9cfdd..675312c43 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elasticbeanstalk.yaml
@@ -1,19 +1,24 @@
-ID: aws_foundational_security_elasticbeanstalk
-Title: Elastic Beanstalk
-Description: ""
-SectionCode: elasticbeanstalk
-Children: []
-Controls:
- - aws_foundational_security_elasticbeanstalk_1
- - aws_foundational_security_elasticbeanstalk_3
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ElasticBeanstalk
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_elasticbeanstalk
+ title: Elastic Beanstalk
+ description: Elastic Beanstalk
+ section-code: elasticbeanstalk
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ElasticBeanstalk
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_elasticbeanstalk_1
+ - aws_foundational_security_elasticbeanstalk_3
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml
index 03ea76f5a..3910dc639 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_elb.yaml
@@ -1,26 +1,31 @@
-ID: aws_foundational_security_elb
-Title: ELB
-Description: ""
-SectionCode: elb
-Children: []
-Controls:
- - aws_foundational_security_elb_1
- - aws_foundational_security_elb_2
- - aws_foundational_security_elb_4
- - aws_foundational_security_elb_6
- - aws_foundational_security_elb_7
- - aws_foundational_security_elb_9
- - aws_foundational_security_elb_10
- - aws_foundational_security_elb_12
- - aws_foundational_security_elb_14
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ELB
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_elb
+ title: ELB
+ description: ELB
+ section-code: elb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ELB
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_elb_1
+ - aws_foundational_security_elb_2
+ - aws_foundational_security_elb_4
+ - aws_foundational_security_elb_6
+ - aws_foundational_security_elb_7
+ - aws_foundational_security_elb_9
+ - aws_foundational_security_elb_10
+ - aws_foundational_security_elb_12
+ - aws_foundational_security_elb_14
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml
index 97b76c743..a08e2faef 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_emr.yaml
@@ -1,19 +1,24 @@
-ID: aws_foundational_security_emr
-Title: EMR
-Description: ""
-SectionCode: emr
-Children: []
-Controls:
- - aws_foundational_security_emr_1
- - aws_foundational_security_emr_2
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/EMR
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_emr
+ title: EMR
+ description: EMR
+ section-code: emr
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/EMR
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_emr_1
+ - aws_foundational_security_emr_2
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml
index a38feeffc..105b4a9c0 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_es.yaml
@@ -1,25 +1,30 @@
-ID: aws_foundational_security_es
-Title: Elasticsearch
-Description: ""
-SectionCode: es
-Children: []
-Controls:
- - aws_foundational_security_es_1
- - aws_foundational_security_es_2
- - aws_foundational_security_es_3
- - aws_foundational_security_es_4
- - aws_foundational_security_es_5
- - aws_foundational_security_es_6
- - aws_foundational_security_es_7
- - aws_foundational_security_es_8
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/ES
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_es
+ title: Elasticsearch
+ description: Elasticsearch
+ section-code: es
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/ES
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_es_1
+ - aws_foundational_security_es_2
+ - aws_foundational_security_es_3
+ - aws_foundational_security_es_4
+ - aws_foundational_security_es_5
+ - aws_foundational_security_es_6
+ - aws_foundational_security_es_7
+ - aws_foundational_security_es_8
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
index a8a3a54b2..8fec7cee3 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_eventbridge.yaml
@@ -1,8 +1,13 @@
-ID: aws_foundational_security_eventbridge
-Title: EventBridge
-Description: ""
-SectionCode: eventbridge
-Children: []
-Controls:
- - aws_foundational_security_eventbridge_3
-Tags: {}
+control-group:
+ id: aws_foundational_security_eventbridge
+ title: EventBridge
+ description: EventBridge
+ section-code: eventbridge
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_eventbridge_3
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
index 2609b2f0b..fb8d329f0 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_fsx.yaml
@@ -1,8 +1,13 @@
-ID: aws_foundational_security_fsx
-Title: FSx
-Description: ""
-SectionCode: fsx
-Children: []
-Controls:
- - aws_foundational_security_fsx_1
-Tags: {}
+control-group:
+ id: aws_foundational_security_fsx
+ title: FSx
+ description: FSx
+ section-code: fsx
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_foundational_security_fsx_1
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
index 2a6f48022..bfc9e21db 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_guardduty.yaml
@@ -1,17 +1,21 @@
-ID: aws_foundational_security_guardduty
-Title: GuardDuty
-Description: ""
-SectionCode: guardduty
-Children: []
-Controls: null
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_guardduty
+ title: GuardDuty
+ description: GuardDuty
+ section-code: guardduty
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml
index a2a6c5fe2..88f268076 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_iam.yaml
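Review bot: The GuardDuty control-group now carries no `controls` key at all (the old file had `Controls: null`), so a group tagged `type: Benchmark` for `service: AWS/GuardDuty` evaluates nothing, and a report reader can take the service as covered when no check runs. If the group is intentionally empty pending controls, make that visible with an explicit `controls: []` and a comment such as `# no GuardDuty controls defined yet — group kept so the framework tree stays stable`. Whether the loader treats a missing key the same as an empty list is not visible from the diff and is worth confirming, since the converted files elsewhere always emit the key. This is the only hunk in the diff without a `controls` list.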
@@ -1,24 +1,29 @@
-ID: aws_foundational_security_iam
-Title: IAM
-Description: ""
-SectionCode: iam
-Children: []
-Controls:
- - aws_foundational_security_iam_1
- - aws_foundational_security_iam_2
- - aws_foundational_security_iam_3
- - aws_foundational_security_iam_4
- - aws_foundational_security_iam_5
- - aws_foundational_security_iam_8
- - aws_foundational_security_iam_21
-Tags:
- aws_foundational_security:
- - "true"
- category:
- - Compliance
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_foundational_security_iam
+ title: IAM
+ description: IAM
+ section-code: iam
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ aws_foundational_security:
+ - "true"
+ category:
+ - Compliance
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_foundational_security_iam_1
+ - aws_foundational_security_iam_2
+ - aws_foundational_security_iam_3
+ - aws_foundational_security_iam_4
+ - aws_foundational_security_iam_5
+ - aws_foundational_security_iam_8
+ - aws_foundational_security_iam_21
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml
index 0e348c665..fbb65f39f 100755
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kinesis.yaml
@@ -1,18 +1,23 @@ -ID: aws_foundational_security_kinesis -Title: Kinesis -Description: "" -SectionCode: kinesis -Children: [] -Controls: - - aws_foundational_security_kinesis_1 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Kinesis - type: - - Benchmark +control-group: + id: aws_foundational_security_kinesis + title: Kinesis + description: Kinesis + section-code: kinesis + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Kinesis + type: + - Benchmark + controls: + - aws_foundational_security_kinesis_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml index ef18bb74a..9401b8edd 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_kms.yaml @@ -1,19 +1,24 @@ -ID: aws_foundational_security_kms -Title: KMS -Description: "" -SectionCode: kms -Children: [] -Controls: - - aws_foundational_security_kms_1 - - aws_foundational_security_kms_3 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/KMS - type: - - Benchmark +control-group: + id: aws_foundational_security_kms + title: KMS + description: KMS + section-code: kms + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/KMS + type: + - Benchmark + controls: + - aws_foundational_security_kms_1 + - aws_foundational_security_kms_3 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml index 6805d4dc5..447bac5c1 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_lambda.yaml @@ -1,19 +1,24 @@ -ID: aws_foundational_security_lambda -Title: Lambda -Description: "" -SectionCode: lambda -Children: [] -Controls: - - aws_foundational_security_lambda_1 - - aws_foundational_security_lambda_2 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Lambda - type: - - Benchmark +control-group: + id: aws_foundational_security_lambda + title: Lambda + description: Lambda + section-code: lambda + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Lambda + type: + - Benchmark + controls: + - aws_foundational_security_lambda_1 + - aws_foundational_security_lambda_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml index b959a950c..6a1924b13 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_msk.yaml 
@@ -1,8 +1,13 @@ -ID: aws_foundational_security_msk -Title: MSK -Description: "" -SectionCode: msk -Children: [] -Controls: - - aws_foundational_security_msk_1 -Tags: {} +control-group: + id: aws_foundational_security_msk + title: MSK + description: MSK + section-code: msk + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_foundational_security_msk_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml index bd4b0ed3b..e97d73dfe 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_neptune.yaml @@ -1,15 +1,20 @@ -ID: aws_foundational_security_neptune -Title: Neptune -Description: "" -SectionCode: neptune -Children: [] -Controls: - - aws_foundational_security_neptune_1 - - aws_foundational_security_neptune_2 - - aws_foundational_security_neptune_3 - - aws_foundational_security_neptune_4 - - aws_foundational_security_neptune_5 - - aws_foundational_security_neptune_6 - - aws_foundational_security_neptune_7 - - aws_foundational_security_neptune_8 -Tags: {} +control-group: + id: aws_foundational_security_neptune + title: Neptune + description: Neptune + section-code: neptune + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_foundational_security_neptune_1 + - aws_foundational_security_neptune_2 + - aws_foundational_security_neptune_3 + - aws_foundational_security_neptune_4 + - aws_foundational_security_neptune_5 + - aws_foundational_security_neptune_6 + - aws_foundational_security_neptune_7 + - aws_foundational_security_neptune_8 
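Review bot: `tags: {}` leaves this group without the `aws_foundational_security: "true"`, `category`, `plugin`, `service` and `type` tags that the sibling groups in this commit carry (kms and lambda, for example), so any selection or reporting keyed on those tags will silently omit MSK's controls. The gap already existed in the old `Tags: {}`, but this rewrite is the natural place to close it, and the same applies to the neptune (same line), pca, route53 and sfn groups. Below is the tag block following the sibling files' pattern; the `service` value is constructed by analogy and should be confirmed against the naming the other files use.

```yaml
    # … unchanged: id, title, description, section-code, defaults …
    tags:
      aws_foundational_security:
        - "true"
      category:
        - Compliance
      plugin:
        - aws
      service:
        - AWS/MSK  # constructed by analogy with sibling groups; confirm
      type:
        - Benchmark
    # … unchanged: controls …
```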
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml index c088dccfa..8c1b7786f 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_networkfirewall.yaml @@ -1,23 +1,28 @@ -ID: aws_foundational_security_networkfirewall -Title: Network Firewall -Description: "" -SectionCode: networkfirewall -Children: [] -Controls: - - aws_foundational_security_networkfirewall_2 - - aws_foundational_security_networkfirewall_3 - - aws_foundational_security_networkfirewall_4 - - aws_foundational_security_networkfirewall_5 - - aws_foundational_security_networkfirewall_6 - - aws_foundational_security_networkfirewall_9 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/NetworkFirewall - type: - - Benchmark +control-group: + id: aws_foundational_security_networkfirewall + title: Network Firewall + description: Network Firewall + section-code: networkfirewall + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/NetworkFirewall + type: + - Benchmark + controls: + - aws_foundational_security_networkfirewall_2 + - aws_foundational_security_networkfirewall_3 + - aws_foundational_security_networkfirewall_4 + - aws_foundational_security_networkfirewall_5 + - aws_foundational_security_networkfirewall_6 + - aws_foundational_security_networkfirewall_9 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml index 0687e34b2..59d999eb3 100755 
--- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_opensearch.yaml @@ -1,26 +1,31 @@ -ID: aws_foundational_security_opensearch -Title: Opensearch -Description: "" -SectionCode: opensearch -Children: [] -Controls: - - aws_foundational_security_opensearch_1 - - aws_foundational_security_opensearch_2 - - aws_foundational_security_opensearch_3 - - aws_foundational_security_opensearch_4 - - aws_foundational_security_opensearch_5 - - aws_foundational_security_opensearch_6 - - aws_foundational_security_opensearch_7 - - aws_foundational_security_opensearch_8 - - aws_foundational_security_opensearch_10 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/OpenSearch - type: - - Benchmark +control-group: + id: aws_foundational_security_opensearch + title: Opensearch + description: Opensearch + section-code: opensearch + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/OpenSearch + type: + - Benchmark + controls: + - aws_foundational_security_opensearch_1 + - aws_foundational_security_opensearch_2 + - aws_foundational_security_opensearch_3 + - aws_foundational_security_opensearch_4 + - aws_foundational_security_opensearch_5 + - aws_foundational_security_opensearch_6 + - aws_foundational_security_opensearch_7 + - aws_foundational_security_opensearch_8 + - aws_foundational_security_opensearch_10 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml index 03ca726dd..fbe5c6c78 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml 
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_pca.yaml @@ -1,8 +1,13 @@ -ID: aws_foundational_security_pca -Title: Private Certificate Authority -Description: "" -SectionCode: pca -Children: [] -Controls: - - aws_foundational_security_pca_1 -Tags: {} +control-group: + id: aws_foundational_security_pca + title: Private Certificate Authority + description: Private Certificate Authority + section-code: pca + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_foundational_security_pca_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml index c1a4f89bb..ef6b833ad 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_rds.yaml 
@@ -1,31 +1,36 @@ -ID: aws_foundational_security_rds -Title: RDS -Description: "" -SectionCode: rds -Children: [] -Controls: - - aws_foundational_security_rds_2 - - aws_foundational_security_rds_3 - - aws_foundational_security_rds_5 - - aws_foundational_security_rds_7 - - aws_foundational_security_rds_8 - - aws_foundational_security_rds_9 - - aws_foundational_security_rds_20 - - aws_foundational_security_rds_21 - - aws_foundational_security_rds_22 - - aws_foundational_security_rds_24 - - aws_foundational_security_rds_25 - - aws_foundational_security_rds_27 - - aws_foundational_security_rds_34 - - aws_foundational_security_rds_35 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/RDS - type: - - Benchmark +control-group: + id: aws_foundational_security_rds + title: RDS + description: RDS + section-code: rds + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/RDS + type: + - Benchmark + controls: + - aws_foundational_security_rds_2 + - aws_foundational_security_rds_3 + - aws_foundational_security_rds_5 + - aws_foundational_security_rds_7 + - aws_foundational_security_rds_8 + - aws_foundational_security_rds_9 + - aws_foundational_security_rds_20 + - aws_foundational_security_rds_21 + - aws_foundational_security_rds_22 + - aws_foundational_security_rds_24 + - aws_foundational_security_rds_25 + - aws_foundational_security_rds_27 + - aws_foundational_security_rds_34 + - aws_foundational_security_rds_35 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml index 04348e73c..ea6808e7e 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml 
+++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_redshift.yaml @@ -1,26 +1,31 @@ -ID: aws_foundational_security_redshift -Title: Redshift -Description: "" -SectionCode: redshift -Children: [] -Controls: - - aws_foundational_security_redshift_1 - - aws_foundational_security_redshift_2 - - aws_foundational_security_redshift_3 - - aws_foundational_security_redshift_4 - - aws_foundational_security_redshift_6 - - aws_foundational_security_redshift_7 - - aws_foundational_security_redshift_8 - - aws_foundational_security_redshift_9 - - aws_foundational_security_redshift_10 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/Redshift - type: - - Benchmark +control-group: + id: aws_foundational_security_redshift + title: Redshift + description: Redshift + section-code: redshift + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/Redshift + type: + - Benchmark + controls: + - aws_foundational_security_redshift_1 + - aws_foundational_security_redshift_2 + - aws_foundational_security_redshift_3 + - aws_foundational_security_redshift_4 + - aws_foundational_security_redshift_6 + - aws_foundational_security_redshift_7 + - aws_foundational_security_redshift_8 + - aws_foundational_security_redshift_9 + - aws_foundational_security_redshift_10 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml index c66e2c645..32c03edbd 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_route53.yaml 
@@ -1,8 +1,13 @@ -ID: aws_foundational_security_route53 -Title: Route53 -Description: "" -SectionCode: route53 -Children: [] -Controls: - - aws_foundational_security_route53_2 -Tags: {} +control-group: + id: aws_foundational_security_route53 + title: Route53 + description: Route53 + section-code: route53 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_foundational_security_route53_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml index 6c3355892..ecddf5a82 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_s3.yaml 
@@ -1,27 +1,32 @@ -ID: aws_foundational_security_s3 -Title: S3 -Description: "" -SectionCode: s3 -Children: [] -Controls: - - aws_foundational_security_s3_1 - - aws_foundational_security_s3_5 - - aws_foundational_security_s3_6 - - aws_foundational_security_s3_8 - - aws_foundational_security_s3_9 - - aws_foundational_security_s3_10 - - aws_foundational_security_s3_11 - - aws_foundational_security_s3_12 - - aws_foundational_security_s3_13 - - aws_foundational_security_s3_19 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_foundational_security_s3 + title: S3 + description: S3 + section-code: s3 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_foundational_security_s3_1 + - aws_foundational_security_s3_5 + - aws_foundational_security_s3_6 + - aws_foundational_security_s3_8 + - aws_foundational_security_s3_9 + - aws_foundational_security_s3_10 + - aws_foundational_security_s3_11 + - aws_foundational_security_s3_12 + - aws_foundational_security_s3_13 + - aws_foundational_security_s3_19 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml index d16e9704c..54adeb80c 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sagemaker.yaml 
@@ -1,20 +1,25 @@ -ID: aws_foundational_security_sagemaker -Title: SageMaker -Description: "" -SectionCode: sagemaker -Children: [] -Controls: - - aws_foundational_security_sagemaker_1 - - aws_foundational_security_sagemaker_2 - - aws_foundational_security_sagemaker_3 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/SageMaker - type: - - Benchmark +control-group: + id: aws_foundational_security_sagemaker + title: SageMaker + description: SageMaker + section-code: sagemaker + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/SageMaker + type: + - Benchmark + controls: + - aws_foundational_security_sagemaker_1 + - aws_foundational_security_sagemaker_2 + - aws_foundational_security_sagemaker_3 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml index db519fb24..68b8889f8 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_secretsmanager.yaml 
@@ -1,21 +1,26 @@ -ID: aws_foundational_security_secretsmanager -Title: Secrets Manager -Description: "" -SectionCode: secretsmanager -Children: [] -Controls: - - aws_foundational_security_secretsmanager_1 - - aws_foundational_security_secretsmanager_2 - - aws_foundational_security_secretsmanager_3 - - aws_foundational_security_secretsmanager_4 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/SecretsManager - type: - - Benchmark +control-group: + id: aws_foundational_security_secretsmanager + title: Secrets Manager + description: Secrets Manager + section-code: secretsmanager + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/SecretsManager + type: + - Benchmark + controls: + - aws_foundational_security_secretsmanager_1 + - aws_foundational_security_secretsmanager_2 + - aws_foundational_security_secretsmanager_3 + - aws_foundational_security_secretsmanager_4 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml index 9a34ec3fc..c589f57e7 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sfn.yaml @@ -1,8 +1,13 @@ -ID: aws_foundational_security_sfn -Title: Step Functions -Description: "" -SectionCode: sfn -Children: [] -Controls: - - aws_foundational_security_sfn_1 -Tags: {} +control-group: + id: aws_foundational_security_sfn + title: Step Functions + description: Step Functions + section-code: sfn + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_foundational_security_sfn_1 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml index 5e2031207..1e4ad857c 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sns.yaml @@ -1,19 +1,24 @@ -ID: aws_foundational_security_sns -Title: SNS -Description: "" -SectionCode: sns -Children: [] -Controls: - - aws_foundational_security_sns_1 - - aws_foundational_security_sns_2 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/SNS - type: - - Benchmark +control-group: + id: aws_foundational_security_sns + title: SNS + description: SNS + section-code: sns + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/SNS + type: + - Benchmark + controls: + - aws_foundational_security_sns_1 + - aws_foundational_security_sns_2 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml index 701a59a38..432c209f1 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_sqs.yaml 
@@ -1,18 +1,23 @@ -ID: aws_foundational_security_sqs -Title: SQS -Description: "" -SectionCode: sqs -Children: [] -Controls: - - aws_foundational_security_sqs_1 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/SQS - type: - - Benchmark +control-group: + id: aws_foundational_security_sqs + title: SQS + description: SQS + section-code: sqs + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/SQS + type: + - Benchmark + controls: + - aws_foundational_security_sqs_1 diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml index 3674cc169..a657b6b23 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_ssm.yaml @@ -1,21 +1,26 @@ -ID: aws_foundational_security_ssm -Title: SSM -Description: "" -SectionCode: ssm -Children: [] -Controls: - - aws_foundational_security_ssm_1 - - aws_foundational_security_ssm_2 - - aws_foundational_security_ssm_3 - - aws_foundational_security_ssm_4 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/SSM - type: - - Benchmark +control-group: + id: aws_foundational_security_ssm + title: SSM + description: SSM + section-code: ssm + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/SSM + type: + - Benchmark + controls: + - aws_foundational_security_ssm_1 + - aws_foundational_security_ssm_2 + - aws_foundational_security_ssm_3 + - aws_foundational_security_ssm_4 
diff --git a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml index 23bad08f1..2f136d81e 100755 --- a/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml +++ b/compliance/frameworks/aws/aws_foundational_security/aws_foundational_security_waf.yaml @@ -1,26 +1,31 @@ -ID: aws_foundational_security_waf -Title: WAF -Description: "" -SectionCode: waf -Children: [] -Controls: - - aws_foundational_security_waf_1 - - aws_foundational_security_waf_2 - - aws_foundational_security_waf_3 - - aws_foundational_security_waf_4 - - aws_foundational_security_waf_6 - - aws_foundational_security_waf_7 - - aws_foundational_security_waf_8 - - aws_foundational_security_waf_10 - - aws_foundational_security_waf_12 -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - plugin: - - aws - service: - - AWS/WAF - type: - - Benchmark +control-group: + id: aws_foundational_security_waf + title: WAF + description: WAF + section-code: waf + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + aws_foundational_security: + - "true" + category: + - Compliance + plugin: + - aws + service: + - AWS/WAF + type: + - Benchmark + controls: + - aws_foundational_security_waf_1 + - aws_foundational_security_waf_2 + - aws_foundational_security_waf_3 + - aws_foundational_security_waf_4 + - aws_foundational_security_waf_6 + - aws_foundational_security_waf_7 + - aws_foundational_security_waf_8 + - aws_foundational_security_waf_10 + - aws_foundational_security_waf_12 diff --git a/compliance/frameworks/aws/aws_foundational_security/root.yaml b/compliance/frameworks/aws/aws_foundational_security/root.yaml deleted file mode 100755 index 8ecc27988..000000000 --- a/compliance/frameworks/aws/aws_foundational_security/root.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -ID: aws_foundational_security -Title: AWS Foundational Security Best Practices -Description: The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices. -SectionCode: aws_foundational_security -Children: - - aws_foundational_security_account - - aws_foundational_security_acm - - aws_foundational_security_apigateway - - aws_foundational_security_appsync - - aws_foundational_security_athena - - aws_foundational_security_autoscaling - - aws_foundational_security_backup - - aws_foundational_security_cloudformation - - aws_foundational_security_cloudfront - - aws_foundational_security_cloudtrail - - aws_foundational_security_codebuild - - aws_foundational_security_config - - aws_foundational_security_dms - - aws_foundational_security_docdb - - aws_foundational_security_dynamodb - - aws_foundational_security_ec2 - - aws_foundational_security_ecr - - aws_foundational_security_ecs - - aws_foundational_security_efs - - aws_foundational_security_eks - - aws_foundational_security_elasticache - - aws_foundational_security_elasticbeanstalk - - aws_foundational_security_elb - - aws_foundational_security_emr - - aws_foundational_security_es - - aws_foundational_security_eventbridge - - aws_foundational_security_fsx - - aws_foundational_security_guardduty - - aws_foundational_security_iam - - aws_foundational_security_kinesis - - aws_foundational_security_kms - - aws_foundational_security_lambda - - aws_foundational_security_msk - - aws_foundational_security_neptune - - aws_foundational_security_networkfirewall - - aws_foundational_security_opensearch - - aws_foundational_security_pca - - aws_foundational_security_rds - - aws_foundational_security_redshift - - aws_foundational_security_route53 - - aws_foundational_security_s3 - - aws_foundational_security_sagemaker - - aws_foundational_security_secretsmanager - - aws_foundational_security_sfn - - 
aws_foundational_security_sns - - aws_foundational_security_sqs - - aws_foundational_security_ssm - - aws_foundational_security_waf -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - aws_foundational_security: - - "true" - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml index 8876eaf7d..397ded4ff 100755 --- a/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml +++ b/compliance/frameworks/aws/aws_gdpr/aws_article_25.yaml 
@@ -1,58 +1,63 @@
-ID: aws_article_25
-Title: Article 25 Data protection by design and by default
-Description: ""
-SectionCode: aws_article_25
-Children: []
-Controls:
- - aws_cloudtrail_bucket_not_public
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_logging_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_config_enabled_all_regions
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_account_password_policy_one_lowercase_letter
- - aws_iam_account_password_policy_one_number
- - aws_iam_account_password_policy_one_symbol
- - aws_iam_account_password_policy_one_uppercase_letter
- - aws_iam_account_password_policy_reuse_24
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_support_role
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_cmk_rotation_enabled
- - aws_log_metric_filter_bucket_policy
- - aws_log_metric_filter_cloudtrail_configuration
- - aws_log_metric_filter_config_configuration
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_console_login_mfa
- - aws_log_metric_filter_disable_or_delete_cmk
- - aws_log_metric_filter_iam_policy
- - aws_log_metric_filter_network_acl
- - aws_log_metric_filter_network_gateway
- - aws_log_metric_filter_root_login
- - aws_log_metric_filter_route_table
- - aws_log_metric_filter_security_group
- - aws_log_metric_filter_unauthorized_api
- - aws_log_metric_filter_vpc
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- gdpr:
- - "true"
- gdpr_article:
- - "25"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_article_25
+ title: Article 25 Data protection by design and by default
+ description: Article 25 Data protection by design and by default
+ section-code: aws_article_25
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gdpr:
+ - "true"
+ gdpr_article:
+ - "25"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_bucket_not_public
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_logging_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_config_enabled_all_regions
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_account_password_policy_one_lowercase_letter
+ - aws_iam_account_password_policy_one_number
+ - aws_iam_account_password_policy_one_symbol
+ - aws_iam_account_password_policy_one_uppercase_letter
+ - aws_iam_account_password_policy_reuse_24
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_support_role
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_cmk_rotation_enabled
+ - aws_log_metric_filter_bucket_policy
+ - aws_log_metric_filter_cloudtrail_configuration
+ - aws_log_metric_filter_config_configuration
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_console_login_mfa
+ - aws_log_metric_filter_disable_or_delete_cmk
+ - aws_log_metric_filter_iam_policy
+ - aws_log_metric_filter_network_acl
+ - aws_log_metric_filter_network_gateway
+ - aws_log_metric_filter_root_login
+ - aws_log_metric_filter_route_table
+ - aws_log_metric_filter_security_group
+ - aws_log_metric_filter_unauthorized_api
+ - aws_log_metric_filter_vpc
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
index 3a127ce9d..222f8966a 100755
--- a/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_article_30.yaml
@@ -1,29 +1,34 @@
-ID: aws_article_30
-Title: Article 30 Records of processing activities
-Description: ""
-SectionCode: aws_article_30
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_config_enabled_all_regions
- - aws_elb_application_classic_lb_logging_enabled
- - aws_kms_cmk_rotation_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- gdpr:
- - "true"
- gdpr_article:
- - "30"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_article_30
+ title: Article 30 Records of processing activities
+ description: Article 30 Records of processing activities
+ section-code: aws_article_30
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gdpr:
+ - "true"
+ gdpr_article:
+ - "30"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_config_enabled_all_regions
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_kms_cmk_rotation_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_vpc_flow_logs_enabled
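Review bot: The new `description` repeats the `title` verbatim (`description: Article 25 Data protection by design and by default`), so it adds nothing over the title; the Article 30 and Article 32 hunks do the same. Either keep it empty as before or say what the group actually checks, e.g. `description: Controls supporting data protection by design and by default - CloudTrail coverage and log integrity, IAM password, credential and MFA hygiene, KMS key rotation, and CloudWatch metric filters for privileged configuration changes.` Separately, `auto-assign: null` in these control-group files differs from `auto-assign: false` in the new framework files (`aws_gdpr.yaml`, `aws_gxp_21_cfr_part_11.yaml`); if the loader treats an explicit null differently from false (for instance as "inherit from the framework"), a one-line comment above the key should say so, otherwise `auto-assign: false` makes the intent unambiguous.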
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml b/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
index 42f92ab57..1b1594e69 100755
--- a/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
+++ b/compliance/frameworks/aws/aws_gdpr/aws_article_32.yaml
@@ -1,51 +1,56 @@
-ID: aws_article_32
-Title: Article 32 Security of processing
-Description: ""
-SectionCode: aws_article_32
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- gdpr:
- - "true"
- gdpr_article:
- - "32"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_article_32
+ title: Article 32 Security of processing
+ description: Article 32 Security of processing
+ section-code: aws_article_32
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gdpr:
+ - "true"
+ gdpr_article:
+ - "32"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_volume_encryption_at_rest_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml b/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml
new file mode 100644
index 000000000..a5bd47c0b
--- /dev/null
+++ b/compliance/frameworks/aws/aws_gdpr/aws_gdpr.yaml
@@ -0,0 +1,29 @@
+framework:
+ id: aws_gdpr
+ title: General Data Protection Regulation (GDPR)
+ description: The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance.
+ section-code: aws_gdpr
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gdpr:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Privacy
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_article_25
+ - id: aws_article_30
+ - id: aws_article_32
diff --git a/compliance/frameworks/aws/aws_gdpr/root.yaml b/compliance/frameworks/aws/aws_gdpr/root.yaml
deleted file mode 100755
index c5bbba470..000000000
--- a/compliance/frameworks/aws/aws_gdpr/root.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-ID: aws_gdpr
-Title: General Data Protection Regulation (GDPR)
-Description: The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance.
-SectionCode: aws_gdpr
-Children:
- - aws_article_25
- - aws_article_30
- - aws_article_32
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- gdpr:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Privacy
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml
new file mode 100644
index 000000000..96f3e656f
--- /dev/null
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11.yaml
@@ -0,0 +1,30 @@
+framework:
+ id: aws_gxp_21_cfr_part_11
+ title: GxP 21 CFR Part 11
+ description: The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
+ section-code: aws_gxp_21_cfr_part_11
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_21_cfr_part_11_11_10
+ - id: aws_gxp_21_cfr_part_11_11_30
+ - id: aws_gxp_21_cfr_part_11_11_200
+ - id: aws_gxp_21_cfr_part_11_11_300
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
index 9a01ea34b..1367e1c1e 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10.yaml
@@ -1,35 +1,41 @@
-ID: aws_gxp_21_cfr_part_11_11_10
-Title: Controls for closed systems
-Description: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
-SectionCode: "11_10"
-Children:
- - aws_gxp_21_cfr_part_11_11_10_a
- - aws_gxp_21_cfr_part_11_11_10_c
- - aws_gxp_21_cfr_part_11_11_10_d
- - aws_gxp_21_cfr_part_11_11_10_e
- - aws_gxp_21_cfr_part_11_11_10_g
- - aws_gxp_21_cfr_part_11_11_10_h
- - aws_gxp_21_cfr_part_11_11_10_k
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10
+ title: Controls for closed systems
+ description: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
+ section-code: "11_10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_21_cfr_part_11_11_10_a
+ - id: aws_gxp_21_cfr_part_11_11_10_c
+ - id: aws_gxp_21_cfr_part_11_11_10_d
+ - id: aws_gxp_21_cfr_part_11_11_10_e
+ - id: aws_gxp_21_cfr_part_11_11_10_g
+ - id: aws_gxp_21_cfr_part_11_11_10_h
+ - id: aws_gxp_21_cfr_part_11_11_10_k
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
index 0822b2688..cea9c2b07 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_a.yaml
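Review bot: This group lists `controls` directly while also nesting sub-groups, and most of the direct entries (`aws_dynamodb_table_in_backup_plan`, `aws_ebs_volume_in_backup_plan`, `aws_rds_db_instance_in_backup_plan`, `aws_s3_bucket_versioning_enabled` among others) reappear in the 10(a), 10(c) and 10(e) sub-groups in the following hunks. If the consumer aggregates results up the tree, those controls are counted more than once for 11.10; if the direct list is intentional, a comment above `controls:` such as `# baseline backup/retention controls for 11.10 as a whole; sub-groups repeat the ones specific to their clause` would make that explicit. Keeping `section-code: "11_10"` quoted is correct and worth preserving, since an unquoted `11_10` is read as the integer 1110 by YAML 1.1 loaders such as PyYAML.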
@@ -1,53 +1,58 @@
-ID: aws_gxp_21_cfr_part_11_11_10_a
-Title: 10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.'
-SectionCode: a
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudtrail_trail_validation_enabled
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ebs_volume_unused
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_a
+ title: 10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - aws_vpc_vpn_tunnel_up
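Review bot: The description was re-quoted from single to double quotes (`description: "Persons who use closed systems…"`), which switches on backslash escape processing; the text contains no backslashes so nothing changes today, but single quotes are the safer style for literal regulatory prose, and the only reason quoting is needed at all is the `: ` inside the value. The same re-quoting appears in the 10(c), 10(d) and 10(e) hunks. Separately, `aws_ebs_volume_unused` and `aws_ec2_stopped_instance_30_days` read as resource-hygiene checks rather than evidence of system validation; if their mapping to 10(a) is deliberate, a short comment on those two entries would spare the next reviewer the question.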
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
index 44f668d94..4ca64af7e 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_c.yaml
@@ -1,48 +1,53 @@
-ID: aws_gxp_21_cfr_part_11_11_10_c
-Title: 10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.'
-SectionCode: c
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ecr_repository_lifecycle_policy_configured
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_c
+ title: 10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ecr_repository_lifecycle_policy_configured
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml
index dce38d5ae..d9dad9dce 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_d.yaml
@@ -1,72 +1,77 @@
-ID: aws_gxp_21_cfr_part_11_11_10_d
-Title: 10(d) Limiting system access to authorized individuals
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals.'
-SectionCode: d
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_managed_policy_attached_to_role
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_d
+ title: 10(d) Limiting system access to authorized individuals
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_managed_policy_attached_to_role
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
index ba10ef954..639da6d30 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_e.yaml
@@ -1,44 +1,49 @@
-ID: aws_gxp_21_cfr_part_11_11_10_e
-Title: 10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.'
-SectionCode: e
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_e
+ title: 10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
+ section-code: e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
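Review bot: The new `controls:` list for 10(e) has no log-integrity control even though the clause requires audit trails to be "secure" and states that "Record changes shall not obscure previously recorded information"; `aws_cloudtrail_trail_validation_enabled`, which this same change maps only under 11.30, is the control that most directly evidences tamper-evident trails and belongs here too, as `+ - aws_cloudtrail_trail_validation_enabled` after `aws_cloudtrail_trail_integrated_with_logs`. Conversely `aws_ec2_instance_ebs_optimized` reads, by its name, like a throughput setting rather than an audit-trail or retention control, so it will inflate the pass/fail count for this clause without evidencing it; if its inclusion is deliberate it deserves a `#` comment saying why. The rest of the list (CloudTrail, service logging, backup and retention checks) matches the clause's logging and retention wording.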
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
index d00d5e6db..dabd9aa94 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_g.yaml
@@ -1,73 +1,78 @@
-ID: aws_gxp_21_cfr_part_11_11_10_g
-Title: 10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.'
-SectionCode: g
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- -
aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_g
+ title: 10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand
+ description: "Persons who use closed systems to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ -
aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
index 8062ffd1f..ead29520e 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_h.yaml
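Review bot: The 10(g) `controls:` list mixes encryption-at-rest checks into a clause that is about authority checks, i.e. who may use the system, sign, alter a record or perform an operation: `aws_dynamodb_table_encrypted_with_kms`, `aws_ebs_attached_volume_encryption_enabled`, `aws_ec2_ebs_default_encryption_enabled`, `aws_efs_file_system_encrypt_data_at_rest`, `aws_es_domain_encryption_at_rest_enabled`, `aws_es_domain_node_to_node_encryption_enabled` and `aws_redshift_cluster_kms_enabled` evidence confidentiality, not authorization, and the same change already maps them under 11.30. Keeping them here means an unencrypted-but-correctly-scoped resource is reported as a 10(g) failure, which an auditor will read as an access-control gap that does not exist; I would drop them from this group or add a `#` comment above the list explaining the rationale for treating key-policy gating as an authority check. The IAM, MFA, public-exposure and security-group controls in the list do map cleanly to the clause.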
@@ -1,20 +1,25 @@
-ID: aws_gxp_21_cfr_part_11_11_10_h
-Title: 10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.'
-SectionCode: h
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_h
+ title: 10(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction."
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
index 2041ceb81..a073cfc36 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_10_k.yaml
@@ -1,39 +1,44 @@
-ID: aws_gxp_21_cfr_part_11_11_10_k
-Title: 10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
-Description: 'Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.'
-SectionCode: k
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_10_k
+ title: 10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
+ description: "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.
Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation."
+ section-code: k
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
index 2c6523513..a396bfcef 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
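Review bot: The 10(k) `controls:` list covers part (1) of the clause (distribution of and access to documentation, via the public-access and access-logging checks) but nothing in it evidences part (2), "revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation". `aws_s3_bucket_versioning_enabled`, which this same change maps under 10(e), is the obvious candidate for documentation stored in S3; add `+ - aws_s3_bucket_versioning_enabled` after `aws_s3_bucket_restrict_public_write_access`. Note also that `aws_s3_public_access_block_bucket` is mapped under 10(d) and 10(g) but only the account-level `aws_s3_public_access_block_account` appears here; if that asymmetry is intended, a one-line `#` comment would stop the next maintainer from "fixing" it.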
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_21_cfr_part_11_11_200
-Title: Electronic signature components and controls
-Description: Electronic signatures that are not biometric (i.e., not based on a physical feature, like a fingerprint) must be made up of at least two distinct parts (i.e.,user ID and password). Biometric electronic signature (e.g., fingerprint scan, retinal scan) can only be used by the individuals to whom they are assigned.
-SectionCode: "11_200"
-Children:
- - aws_gxp_21_cfr_part_11_11_200_a
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_200
+ title: Electronic signature components and controls
+ description: Electronic signatures that are not biometric (i.e., not based on a physical feature, like a fingerprint) must be made up of at least two distinct parts (i.e.,user ID and password). Biometric electronic signature (e.g., fingerprint scan, retinal scan) can only be used by the individuals to whom they are assigned.
+ section-code: "11_200"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_21_cfr_part_11_11_200_a
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
index 0d616dc5c..b2e670271 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_200_a.yaml
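Review bot: The migrated `description:` for 11.200 carries over a wording error that this rewrite was the natural moment to fix: "(i.e.,user ID and password)" is missing a space, and "i.e." is the wrong abbreviation because user ID and password are an example of two distinct components, not the definition (the child 200(a) text says "such as an identification code and password"). Change it to `(e.g., user ID and password)`. The rest of the hunk is a faithful schema migration of the parent group with its single child `aws_gxp_21_cfr_part_11_11_200_a`.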
@@ -1,24 +1,29 @@
-ID: aws_gxp_21_cfr_part_11_11_200_a
-Title: 200(a) Biometric electronic signature components and controls
-Description: '(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual''s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_200_a
+ title: 200(a) Biometric electronic signature components and controls
+ description: "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
index 4145d8d54..e2e907969 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_30.yaml
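Review bot: The new `title:` for 200(a) contradicts its own `description:`: the title says "Biometric electronic signature components and controls" while the description text it sits next to begins "Electronic signatures that are not based upon biometrics shall", and every control in the list (password policy, MFA, root access keys, key age) is about non-biometric credentials. A report rendered from these files would label MFA findings as biometric-signature controls, which is misleading to an auditor; change the line to `title: 200(a) Non-biometric electronic signature components and controls`. The migration preserved the old wording verbatim, so this was present before the change but the rewrite of the line is the right place to correct it.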
@@ -1,54 +1,59 @@
-ID: aws_gxp_21_cfr_part_11_11_30
-Title: Controls for open systems
-Description: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
-SectionCode: "11_30"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
- - aws_cloudfront_distribution_no_deprecated_ssl_protocol
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_codebuild_project_artifact_encryption_enabled
- - aws_codebuild_project_s3_logs_encryption_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_kinesis_stream_server_side_encryption_enabled
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- -
aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_30
+ title: Controls for open systems
+ description: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
+ section-code: "11_30"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+ - aws_cloudfront_distribution_no_deprecated_ssl_protocol
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_codebuild_project_artifact_encryption_enabled
+ - aws_codebuild_project_s3_logs_encryption_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_kinesis_stream_server_side_encryption_enabled
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ -
aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
index b7ed1e701..8a4385652 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300.yaml
@@ -1,19 +1,24 @@
-ID: aws_gxp_21_cfr_part_11_11_300
-Title: Controls for identification codes/passwords
-Description: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following benchmarks.
-SectionCode: "11_300"
-Children:
- - aws_gxp_21_cfr_part_11_11_300_b
- - aws_gxp_21_cfr_part_11_11_300_d
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_300
+ title: Controls for identification codes/passwords
+ description: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following benchmarks.
+ section-code: "11_300"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_21_cfr_part_11_11_300_b
+ - id: aws_gxp_21_cfr_part_11_11_300_d
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml
index f418f9e4c..4d645942c 100755
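Review bot: The 11.30 `controls:` list carries both `aws_s3_bucket_default_encryption_enabled` and `aws_s3_bucket_default_encryption_enabled_kms`; if the names mean what they suggest, the second is a strict superset of the first, so a bucket defaulting to SSE-S3 passes one and fails the other and the clause is double-counted for every S3 bucket. Decide which level the clause demands ("document encryption" in the description does not by itself require a customer-managed key) and keep one, or add a `#` comment above the pair explaining that both are intentional. The list is otherwise a consistent set of at-rest and in-transit encryption checks, and `aws_cloudtrail_trail_validation_enabled` is the only control here that speaks to the "digital signature standards" part of the clause.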
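Review bot: Every migrated control-group in this change writes `auto-assign: null` while its sibling defaults `enabled` and `tracks-drift-events` get an explicit `false`, and a bare `null` in YAML is indistinguishable from an omitted key to most loaders. If null is meant as a tri-state "inherit from the parent framework", that contract lives only in the loader and should be stated once, e.g. `auto-assign: null  # null = inherit from parent group`; if no inheritance exists, write `auto-assign: false` so the three defaults read the same way and a future schema validator cannot treat the key as missing. The parent group here is small, so it is a reasonable place to settle the convention before the same pattern is copied into more frameworks.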
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_b.yaml
@@ -1,23 +1,28 @@
-ID: aws_gxp_21_cfr_part_11_11_300_b
-Title: 300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)
-Description: 'Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).'
-SectionCode: b
-Children: []
-Controls:
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_300_b
+ title: 300(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)
+ description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
index 01eb3b9fa..e3e1c1a6a 100755
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
+++ b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/aws_gxp_21_cfr_part_11_11_300_d.yaml
@@ -1,21 +1,26 @@
-ID: aws_gxp_21_cfr_part_11_11_300_d
-Title: 300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management
-Description: 'Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.'
-SectionCode: d
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_21_cfr_part_11_11_300_d
+ title: 300(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management
+ description: "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_21_cfr_part_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/root.yaml b/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/root.yaml
deleted file mode 100755
index 100d1884c..000000000
--- a/compliance/frameworks/aws/aws_gxp_21_cfr_part_11/root.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-ID: aws_gxp_21_cfr_part_11
-Title: GxP 21 CFR Part 11
-Description: The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions.
-SectionCode: aws_gxp_21_cfr_part_11
-Children:
- - aws_gxp_21_cfr_part_11_11_10
- - aws_gxp_21_cfr_part_11_11_30
- - aws_gxp_21_cfr_part_11_11_200
- - aws_gxp_21_cfr_part_11_11_300
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- gxp_21_cfr_part_11:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml
new file mode 100644
index 000000000..d0bdff597
--- /dev/null
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11.yaml
@@ -0,0 +1,29 @@
+framework:
+ id: aws_gxp_eu_annex_11
+ title: GxP EU Annex 11
+ description: EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
+ section-code: aws_gxp_eu_annex_11
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_general
+ - id: aws_gxp_eu_annex_11_operational_phase
+ - id: aws_gxp_eu_annex_11_project_phase
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
index dcd6e2f47..be2650165 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general.yaml
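Review bot: The `description` of the new framework file is a single plain scalar of several hundred characters on one line, which defeats line-length linting and makes any future wording change an all-or-nothing diff. A folded block scalar, `description: >-` followed by the text wrapped at a sane width, yields the identical runtime string; the same applies to the long `title`/`description` values in the control-group hunks that follow. Since this file is the one that carries `platform_benchmark_type`/`platform_category` tags and `auto-assign: false` for the whole framework, a one-line comment above `defaults:` stating that these values are the inherited baseline for the child groups would also help the next maintainer.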
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_general
-Title: General
-Description: This section focuses on more human oriented checks that leverages risk management, personnel verification of process owners, suppliers and service providers agreement reviews, supplier audit and review documentation for COTS.
-SectionCode: general
-Children:
- - aws_gxp_eu_annex_11_general_1
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_general
+ title: General
+ description: This section focuses on more human oriented checks that leverages risk management, personnel verification of process owners, suppliers and service providers agreement reviews, supplier audit and review documentation for COTS.
+ section-code: general
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_general_1
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
index b1aefe4c6..4929745bb 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_general_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_gxp_eu_annex_11_general_1
-Title: Risk Management
-Description: Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_config_enabled_all_regions
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_general_1
+ title: Risk Management
+ description: Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_config_enabled_all_regions
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
index 232f7bf51..1e64723fe 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase.yaml
@@ -1,26 +1,31 @@
-ID: aws_gxp_eu_annex_11_operational_phase
-Title: Operational Phase
-Description: This section focuses on various operational phases of data, such as data accuracy, secure storage, authorized access and backup.
-SectionCode: operational_phase
-Children:
- - aws_gxp_eu_annex_11_operational_phase_5
- - aws_gxp_eu_annex_11_operational_phase_7
- - aws_gxp_eu_annex_11_operational_phase_8
- - aws_gxp_eu_annex_11_operational_phase_9
- - aws_gxp_eu_annex_11_operational_phase_10
- - aws_gxp_eu_annex_11_operational_phase_12
- - aws_gxp_eu_annex_11_operational_phase_13
- - aws_gxp_eu_annex_11_operational_phase_16
- - aws_gxp_eu_annex_11_operational_phase_17
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase
+ title: Operational Phase
+ description: This section focuses on various operational phases of data, such as data accuracy, secure storage, authorized access and backup.
+ section-code: operational_phase
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_operational_phase_5
+ - id: aws_gxp_eu_annex_11_operational_phase_7
+ - id: aws_gxp_eu_annex_11_operational_phase_8
+ - id: aws_gxp_eu_annex_11_operational_phase_9
+ - id: aws_gxp_eu_annex_11_operational_phase_10
+ - id: aws_gxp_eu_annex_11_operational_phase_12
+ - id: aws_gxp_eu_annex_11_operational_phase_13
+ - id: aws_gxp_eu_annex_11_operational_phase_16
+ - id: aws_gxp_eu_annex_11_operational_phase_17
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
index f0afb9d30..64841117a 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_10.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_10
-Title: Change and Configuration Management
-Description: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_config_enabled_all_regions
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_10
+ title: Change and Configuration Management
+ description: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
index ad137c574..2ed2459a5 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_12
-Title: Security
-Description: For enhanced security, access to physical and logical controls should be restricted to authorized individuals. Management systems should be created to record the identity of persons entering, changing, confirming, or deleting data by time and date.
-SectionCode: "12"
-Children:
- - aws_gxp_eu_annex_11_operational_phase_12_4
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_12
+ title: Security
+ description: For enhanced security, access to physical and logical controls should be restricted to authorized individuals. Management systems should be created to record the identity of persons entering, changing, confirming, or deleting data by time and date.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_operational_phase_12_4
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
index ef4a17d4a..dd6d464f1 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_12_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_12_4
-Title: Security - Audit Trail
-Description: Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_s3_data_events_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_12_4
+ title: Security - Audit Trail
+ description: Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
index 1ea9a1bf9..37b609d73 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_13.yaml
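Review bot: The only control mapped to 12.4 "Security - Audit Trail" is `aws_cloudtrail_s3_data_events_enabled`, while the clause asks for a record of which operator entered, changed, confirmed or deleted data and when; S3 data events alone do not cover changes made through other services. The commit migrates this mapping unchanged rather than introducing it, but `aws_cloudtrail_trail_enabled` and `aws_cloudtrail_trail_integrated_with_logs` are already used elsewhere on this page (the 21 CFR 11.300(d) hunk), so it is worth confirming whether their omission here is deliberate. If it is, a comment above `controls:` recording why only object-level events are required would stop the next reviewer from asking the same question.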
@@ -1,22 +1,27 @@
-ID: aws_gxp_eu_annex_11_operational_phase_13
-Title: Incident Management
-Description: All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.
-SectionCode: "13"
-Children: []
-Controls:
- - aws_cloudtrail_security_trail_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_13
+ title: Incident Management
+ description: All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_security_trail_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
index f8c448706..bc8cfb722 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_16.yaml
@@ -1,40 +1,45 @@
-ID: aws_gxp_eu_annex_11_operational_phase_16
-Title: Business Continuity
-Description: For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.
-SectionCode: "16"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_16
+ title: Business Continuity
+ description: For the availability of computerised systems supporting critical processes, 
provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml
index f0576f176..3f2132d30 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_17.yaml
@@ -1,39 +1,44 @@
-ID: aws_gxp_eu_annex_11_operational_phase_17
-Title: Archiving
-Description: Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.
-SectionCode: "17"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_17
+ title: Archiving
+ description: Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml
index 4b57e3e74..41375622a 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_5.yaml
@@ -1,39 +1,44 @@
-ID: aws_gxp_eu_annex_11_operational_phase_5
-Title: Data
-Description: Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_5
+ title: Data
+ description: Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml
index 1e13ded84..84dfc4e22 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7.yaml
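Review bot: The `controls` list for operational phase 5 "Data" (built-in checks for the correct and secure entry and processing of data exchanged electronically) is the same twenty-two backup and retention controls mapped to phase 17 "Archiving" in the preceding hunk, and contains nothing about input validation, integrity or protection in transit. The commit only changes the file format, so this is carried over rather than introduced, but a clause that is satisfied entirely by backup checks produces a pass that says nothing about the data-integrity requirement it is supposed to evidence. It is worth confirming the mapping is intentional; if it is, a comment above `controls:` explaining the rationale would save the next person the same comparison.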
@@ -1,19 +1,24 @@
-ID: aws_gxp_eu_annex_11_operational_phase_7
-Title: Data Storage
-Description: Data must be secure against damage, yet remain accessible, readable, and accurate throughout the retention period. Regular backups are expected and should be verified and monitored.
-SectionCode: "7"
-Children:
- - aws_gxp_eu_annex_11_operational_phase_7_1
- - aws_gxp_eu_annex_11_operational_phase_7_2
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_7
+ title: Data Storage
+ description: Data must be secure against damage, yet remain accessible, readable, and accurate throughout the retention period. Regular backups are expected and should be verified and monitored.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_operational_phase_7_1
+ - id: aws_gxp_eu_annex_11_operational_phase_7_2
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml
index 6aa18ab45..7aaa8f738 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_1.yaml
@@ -1,57 +1,62 @@
-ID: aws_gxp_eu_annex_11_operational_phase_7_1
-Title: Data Storage - Damage Protection
-Description: Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
- - aws_cloudfront_distribution_no_deprecated_ssl_protocol
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_codebuild_project_artifact_encryption_enabled
- - aws_codebuild_project_s3_logs_encryption_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_efs_file_system_in_backup_plan
- - aws_eks_cluster_secrets_encrypted
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kinesis_stream_server_side_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_versioning_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_7_1
+ title: Data Storage - Damage Protection
+ description: Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+ - aws_cloudfront_distribution_no_deprecated_ssl_protocol
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_codebuild_project_artifact_encryption_enabled
+ - aws_codebuild_project_s3_logs_encryption_enabled
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_efs_file_system_in_backup_plan
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_kinesis_stream_server_side_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_versioning_enabled
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml
index 68522be90..5d5f9b410 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_7_2.yaml
@@ -1,39 +1,44 @@
-ID: aws_gxp_eu_annex_11_operational_phase_7_2
-Title: Data Storage - Backups
-Description: Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_7_2
+ title: Data Storage - Backups
+ description: Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml
index 592b75fe8..32bc46555 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8.yaml
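Review bot: `aws_ec2_instance_ebs_optimized` in the `controls` list, judging by its name, checks whether instances are launched EBS-optimized (dedicated EBS bandwidth) rather than anything about backup, retention or restore, so it sits oddly in a group whose description is about regular backups and verified restores. It was carried over from the old file, but a format migration is the natural moment to confirm the mapping; the same control also appears under "Damage Protection" (operational_phase_7_1) and "Data Transfer" (project_phase_4_8) with equally loose ties. If it stays, a one-line `# mapped because: <reason>` comment beside it would save the next reviewer the same question.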
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_8
-Title: Printouts
-Description: Clear printed copies of electronically stored data should be easily available. Any changes to data should be indicated.
-SectionCode: "8"
-Children:
- - aws_gxp_eu_annex_11_operational_phase_8_2
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_8
+ title: Printouts
+ description: Clear printed copies of electronically stored data should be easily available. Any changes to data should be indicated.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_operational_phase_8_2
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml
index 27cf7b2ee..899878275 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_8_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_8_2
-Title: Printouts - Data Changes
-Description: For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cloudtrail_s3_data_events_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_8_2
+ title: Printouts - Data Changes
+ description: For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml
index 4198009a8..1f24e9732 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_operational_phase_9.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_operational_phase_9
-Title: Audit Trails
-Description: Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_cloudtrail_s3_data_events_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_operational_phase_9
+ title: Audit Trails
+ description: Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml
index 7b49b0ad9..7a4595a39 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_project_phase
-Title: Project Phase
-Description: This section focuses combination of both human-oriented and automated process that leverages documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated).
-SectionCode: project_phase
-Children:
- - aws_gxp_eu_annex_11_project_phase_4
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase
+ title: Project Phase
+ description: This section focuses combination of both human-oriented and automated process that leverages documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated).
+ section-code: project_phase
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_project_phase_4
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml
index c79f1873d..0adb3f332 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4.yaml
@@ -1,21 +1,26 @@
-ID: aws_gxp_eu_annex_11_project_phase_4
-Title: Validation
-Description: The second principle of Annex 11 requires manufacturers to validate the application and qualify the system's IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system.
-SectionCode: "4"
-Children:
- - aws_gxp_eu_annex_11_project_phase_4_2
- - aws_gxp_eu_annex_11_project_phase_4_5
- - aws_gxp_eu_annex_11_project_phase_4_6
- - aws_gxp_eu_annex_11_project_phase_4_8
-Controls: []
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase_4
+ title: Validation
+ description: The second principle of Annex 11 requires manufacturers to validate the application and qualify the system's IT infrastructure. Enhanced documentation and process evidence must be submitted, and computer system validations must be performed periodically and when migrating to another system.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_gxp_eu_annex_11_project_phase_4_2
+ - id: aws_gxp_eu_annex_11_project_phase_4_5
+ - id: aws_gxp_eu_annex_11_project_phase_4_6
+ - id: aws_gxp_eu_annex_11_project_phase_4_8
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml
index 247c14cc2..5251aef9b 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_project_phase_4_2
-Title: Validation - Documentation Change Control
-Description: Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase_4_2
+ title: Validation - Documentation Change Control
+ description: Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml
index 262b2822e..35a671498 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_5.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_project_phase_4_5
-Title: Validation - Development Quality
-Description: The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_config_enabled_all_regions
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase_4_5
+ title: Validation - Development Quality
+ description: The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml
index 673c42a0e..bf592e112 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_6.yaml
@@ -1,18 +1,23 @@
-ID: aws_gxp_eu_annex_11_project_phase_4_6
-Title: Validation - Quality and Performance
-Description: For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_config_enabled_all_regions
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase_4_6
+ title: Validation - Quality and Performance
+ description: For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml
index e088d826f..4055a186d 100755
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml
+++ b/compliance/frameworks/aws/aws_gxp_eu_annex_11/aws_gxp_eu_annex_11_project_phase_4_8.yaml
@@ -1,40 +1,45 @@
-ID: aws_gxp_eu_annex_11_project_phase_4_8
-Title: Validation - Data Transfer
-Description: If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_ecr_repository_lifecycle_policy_configured
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_gxp_eu_annex_11_project_phase_4_8
+ title: Validation - Data Transfer
+ description: If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ gxp_eu_annex_11:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_ecr_repository_lifecycle_policy_configured
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_gxp_eu_annex_11/root.yaml b/compliance/frameworks/aws/aws_gxp_eu_annex_11/root.yaml
deleted file mode 100755
index 119b42d9a..000000000
--- a/compliance/frameworks/aws/aws_gxp_eu_annex_11/root.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-ID: aws_gxp_eu_annex_11
-Title: GxP EU Annex 11
-Description: EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
-SectionCode: aws_gxp_eu_annex_11
-Children:
- - aws_gxp_eu_annex_11_general
- - aws_gxp_eu_annex_11_operational_phase
- - aws_gxp_eu_annex_11_project_phase
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- gxp_eu_annex_11:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml
new file mode 100644
index 000000000..fc86b57d3
--- /dev/null
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013.yaml
@@ -0,0 +1,31 @@
+framework:
+ id: aws_hipaa_final_omnibus_security_rule_2013
+ title: HIPAA Final Omnibus Security Rule 2013
+ description: The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a business associate and covered entity. The Final Omnibus Rule provides additional guidance to the 2003 Security Rule and implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA.
+ section-code: aws_hipaa_final_omnibus_security_rule_2013
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Laws & Regulations
+ - Privacy
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_310
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_312
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_314
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml
index d7be80e79..ee444f871 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308.yaml
@@ -1,40 +1,45 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308
-Title: Administrative Safeguards
-Description: An important step in strengthening the protection of health information, especially in electronic form, as well as give patients more access to their individual health information. The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
-SectionCode: "164_308"
-Children:
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c
- - aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308
+ title: Administrative Safeguards
+ description: An important step in strengthening the protection of health information, especially in electronic form, as well as give patients more access to their individual health information. The HIPAA Omnibus Rule is a set of final regulations that modifies the existing HIPAA rules and implements a variety of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
+ section-code: "164_308"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c
+ - id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml
index 8840be531..a12006a62 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a.yaml
@@ -1,24 +1,29 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a -Title: 308(a)(1)(ii)(A) Risk analysis -Description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. -SectionCode: a_1_ii_a -Children: [] -Controls: - - aws_cloudtrail_trail_enabled - - aws_config_enabled_all_regions - - aws_guardduty_enabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_a + title: 308(a)(1)(ii)(A) Risk analysis + description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. + section-code: a_1_ii_a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_enabled + - aws_config_enabled_all_regions + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml index 916636fe2..ac93480e4 100755 
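Review bot: `auto-assign: null` in the new `metadata.defaults` block is a YAML null, while the two neighbouring keys `enabled` and `tracks-drift-events` carry real booleans; a loader that validates the block against a boolean schema will either reject the key or coerce it, and which one happens is not visible from this diff. If the intent is "inherit from the parent control-group", a comment on that line such as `# null: inherit auto-assign from the parent control-group` would record it; otherwise `auto-assign: false` keeps the three defaults of one type. The same line appears in every control-group hunk of this commit (a_1_ii_b, a_1_ii_d, a_3_i, a_3_ii_a, a_3_ii_b, a_3_ii_c, a_4_i, a_4_ii_a), so one decision covers all of them. Separately, the new files begin directly with `control-group:`; adding a `---` document-start line would satisfy yamllint's `document-start` rule and guard against later concatenation into multi-document files.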
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b.yaml 
@@ -1,81 +1,86 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b -Title: 308(a)(1)(ii)(B) Risk management -Description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). -SectionCode: a_1_ii_b -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_ebs_default_encryption_enabled - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_efs_file_system_encrypt_data_at_rest - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_kms_key_not_pending_deletion - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - 
aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b + title: 308(a)(1)(ii)(B) Risk management + description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a). 
+ section-code: a_1_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_dms_replication_instance_not_publicly_accessible + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_ebs_default_encryption_enabled + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_efs_file_system_encrypt_data_at_rest + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_encryption_at_rest_enabled + - aws_es_domain_in_vpc + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_kms_key_not_pending_deletion + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_opensearch_domain_in_vpc + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_instance_multiple_az_enabled + - 
aws_rds_db_snapshot_encrypted_at_rest + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_object_lock_enabled + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_bucket_versioning_enabled + - aws_s3_public_access_block_account + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_sns_topic_encrypted_at_rest + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant + - aws_vpc_igw_attached_to_authorized_vpc + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml index aef42419f..e69a7105f 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d.yaml 
@@ -1,39 +1,44 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d -Title: 308(a)(1)(ii)(D) Information system activity review -Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. -SectionCode: a_1_ii_d -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudfront_distribution_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_codebuild_project_logging_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_1_ii_d - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d + title: 308(a)(1)(ii)(D) Information system activity review + description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. 
+ section-code: a_1_ii_d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_1_ii_d + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudfront_distribution_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_codebuild_project_logging_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml index 5e5841358..4d0151c97 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i.yaml 
@@ -1,57 +1,62 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i -Title: 308(a)(3)(i) Workforce security -Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. -SectionCode: a_3_i -Children: [] -Controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - 
aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_i - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_i + title: 308(a)(3)(i) Workforce security + description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. + section-code: a_3_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_i + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_iam_profile_attached + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_uses_imdsv2 + - aws_ecs_task_definition_user_for_host_mode_check + - aws_emr_cluster_kerberos_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - 
aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_opensearch_domain_in_vpc + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml index e5b59f923..81f82573f 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a.yaml 
@@ -1,48 +1,53 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a -Title: 308(a)(3)(ii)(A) Authorization and/or supervision -Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. -SectionCode: a_3_ii_a -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_user_for_host_mode_check - - aws_elb_application_classic_lb_logging_enabled - - aws_emr_cluster_kerberos_enabled - - aws_es_domain_logs_to_cloudwatch - - aws_guardduty_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_iam_authentication_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a + title: 308(a)(3)(ii)(A) Authorization and/or supervision + description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information 
or in locations where it might be accessed. + section-code: a_3_ii_a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_ec2_instance_iam_profile_attached + - aws_ecs_task_definition_user_for_host_mode_check + - aws_elb_application_classic_lb_logging_enabled + - aws_emr_cluster_kerberos_enabled + - aws_es_domain_logs_to_cloudwatch + - aws_guardduty_enabled + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_iam_authentication_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_s3_bucket_policy_restrict_public_access + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml index a602155db..98674ee29 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b.yaml 
@@ -1,35 +1,40 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b -Title: 308(a)(3)(ii)(B) Workforce clearance procedure -Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. -SectionCode: a_3_ii_b -Children: [] -Controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_emr_cluster_kerberos_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_s3_bucket_policy_restrict_public_access - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_b + title: 308(a)(3)(ii)(B) Workforce clearance procedure + description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. 
+ section-code: a_3_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_emr_cluster_kerberos_enabled + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_s3_bucket_policy_restrict_public_access + - aws_ssm_document_prohibit_public_access + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml index 334de74d1..5cd88b538 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c.yaml 
@@ -1,22 +1,27 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c -Title: 308(a)(3)(ii)(C) Termination procedures -Description: Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. -SectionCode: a_3_ii_c -Children: [] -Controls: - - aws_iam_user_access_key_age_90 -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_3_ii_c - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_c + title: 308(a)(3)(ii)(C) Termination procedures + description: Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. + section-code: a_3_ii_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_3_ii_c + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_user_access_key_age_90 diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml index 7a87fc66c..f6a92c123 100755 
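Review bot: `service: - AWS/IAM` is carried over unchanged from the old file, whereas every sibling control-group in this commit tags `service: - AWS`; since the commit already rewrites the whole tags block, it is the natural point to either normalise this to `AWS` or leave a comment stating why this group alone is scoped to IAM. A second, hedged point: the only control mapped here, `aws_iam_user_access_key_age_90`, appears from its name to check access-key age (rotation) rather than that access is removed when a workforce member leaves; if so, `aws_iam_user_unused_credentials_90`, which the a_3_i and a_3_ii_b hunks already use, is a closer fit for a termination-procedures requirement and could be added alongside it. Worth confirming against the control definitions before changing the mapping.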
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i.yaml 
@@ -1,33 +1,38 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i -Title: 308(a)(4)(i) Information access management -Description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. -SectionCode: a_4_i -Children: [] -Controls: - - aws_emr_cluster_kerberos_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_4_i - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_i + title: 308(a)(4)(i) Information access management + description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. 
+ section-code: a_4_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_4_i + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_emr_cluster_kerberos_enabled + - aws_iam_all_policy_no_service_wild_card + - aws_iam_group_not_empty + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_rds_db_instance_iam_authentication_enabled + - aws_s3_bucket_policy_restrict_public_access + - aws_ssm_document_prohibit_public_access + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml index dd433fdf5..f2103978f 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a.yaml 
@@ -1,54 +1,59 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a
-Title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
-Description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
-SectionCode: a_4_ii_a
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_4_ii_a
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a
+ title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
+ description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
+ section-code: a_4_ii_a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_4_ii_a
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml
index adf87abf8..ef4fc5b07 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b.yaml
@@ -1,41 +1,46 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b
-Title: 308(a)(4)(ii)(B) Access authorization
-Description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
-SectionCode: a_4_ii_b
-Children: []
-Controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_s3_bucket_policy_restrict_public_access
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_4_ii_b
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_b
+ title: 308(a)(4)(ii)(B) Access authorization
+ description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
+ section-code: a_4_ii_b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_4_ii_b
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_last_changed_90_day
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml
index 172ab5796..7b699f840 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c.yaml
@@ -1,60 +1,65 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c
-Title: 308(a)(4)(ii)(C) Access establishment and modification
-Description: Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
-SectionCode: a_4_ii_c
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_unused_90_day
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_4_ii_c
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_c
+ title: 308(a)(4)(ii)(C) Access establishment and modification
+ description: Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
+ section-code: a_4_ii_c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_4_ii_c
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_unused_90_day
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml
index d6f1df9ec..0923aafc0 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b.yaml
@@ -1,24 +1,29 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b
-Title: 308(a)(5)(ii)(B) Protection from malicious software
-Description: Procedures for guarding against, detecting, and reporting malicious software.
-SectionCode: a_5_ii_b
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_5_ii_b
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_b
+ title: 308(a)(5)(ii)(B) Protection from malicious software
+ description: Procedures for guarding against, detecting, and reporting malicious software.
+ section-code: a_5_ii_b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_5_ii_b
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml
index 64c77e513..d9875cada 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c.yaml
@@ -1,26 +1,31 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c
-Title: 308(a)(5)(ii)(C) Log-in monitoring
-Description: Procedures for monitoring log-in attempts and reporting discrepancies.
-SectionCode: a_5_ii_c
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_guardduty_enabled
- - aws_log_metric_filter_console_authentication_failure
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_5_ii_c
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_c
+ title: 308(a)(5)(ii)(C) Log-in monitoring
+ description: Procedures for monitoring log-in attempts and reporting discrepancies.
+ section-code: a_5_ii_c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_5_ii_c
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_guardduty_enabled
+ - aws_log_metric_filter_console_authentication_failure
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml
index 4f12316a3..6cd2effc2 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d.yaml
@@ -1,27 +1,32 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d
-Title: 308(a)(5)(ii)(D) Password management
-Description: Procedures for creating, changing, and safeguarding passwords.
-SectionCode: a_5_ii_d
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_last_changed_90_day
- - aws_secretsmanager_secret_rotated_as_scheduled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_5_ii_d
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_5_ii_d
+ title: 308(a)(5)(ii)(D) Password management
+ description: Procedures for creating, changing, and safeguarding passwords.
+ section-code: a_5_ii_d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_5_ii_d
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_last_changed_90_day
+ - aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
index 6f76a94e0..fb682e7f8 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i.yaml
@@ -1,27 +1,32 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
-Title: 308(a)(6)(i) Security incident procedures
-Description: Implement policies and procedures to address security incidents.
-SectionCode: a_6_i
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_dead_letter_queue_configured
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_root_login
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_6_i
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_i
+ title: 308(a)(6)(i) Security incident procedures
+ description: Implement policies and procedures to address security incidents.
+ section-code: a_6_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_6_i
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_root_login
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml
index 0de1b8d76..6f459f387 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii.yaml
@@ -1,35 +1,40 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
-Title: 308(a)(6)(ii) Response and reporting
-Description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
-SectionCode: a_6_ii
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_log_metric_filter_console_authentication_failure
- - aws_log_metric_filter_root_login
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_6_ii
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_6_ii
+ title: 308(a)(6)(ii) Response and reporting
+ description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
+ section-code: a_6_ii
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_6_ii
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_log_metric_filter_console_authentication_failure
+ - aws_log_metric_filter_root_login
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
index 70ef49ee8..e6e9bae4b 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i.yaml
@@ -1,50 +1,55 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
-Title: 308(a)(7)(i) Contingency plan
-Description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
-SectionCode: a_7_i
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_308_a_7_i
- hipaa_section:
- - "164_308"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_i
+ title: 308(a)(7)(i) Contingency plan
+ description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
+ section-code: a_7_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_308_a_7_i
+ hipaa_section:
+ - "164_308"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
index 7cae9d56a..25af3e8da 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a.yaml
@@ -1,48 +1,53 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a -Title: 308(a)(7)(ii)(A) Data backup plan -Description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. -SectionCode: a_7_ii_a -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_7_ii_a - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_a + title: 308(a)(7)(ii)(A) Data backup plan + description: Establish and implement procedures to create and 
maintain retrievable exact copies of electronic protected health information. + section-code: a_7_ii_a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_7_ii_a + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_redshift_cluster_maintenance_settings_check + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up 
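Review bot: `auto-assign: null` under `metadata.defaults` is the one non-boolean default in this group, and a bare null is ambiguous to anyone reading the file — a YAML loader yields None, and whether the consumer treats that as "inherit from the framework" or as false is not visible here; if the intent is "not auto-assigned", write `auto-assign: false` like the other two defaults, and if it means "inherit", a comment such as `# null = inherit from parent framework` on that line would settle it. Separately, `aws_ec2_instance_ebs_optimized` in the `controls` list governs dedicated EBS bandwidth, not the existence of a retrievable copy of ePHI, so it does not evidence 308(a)(7)(ii)(A); either drop it or add a comment stating why it is counted as a backup-plan control. This list is carried over from the old format, so the mapping itself is not new, but the new side is what auditors will read.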
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml index 5db40fb8b..6f7b3746a 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b -Title: 308(a)(7)(ii)(B) Disaster recovery plan -Description: Establish (and implement as needed) procedures to restore any loss of data. -SectionCode: a_7_ii_b -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_7_ii_b - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_b + title: 308(a)(7)(ii)(B) Disaster recovery plan + description: Establish (and implement as needed) procedures to restore any loss of data. 
+ section-code: a_7_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_7_ii_b + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml index 307cc989b..2357eb531 100755 
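Review bot: The disaster-recovery group (`restore any loss of data`) omits the deletion-protection controls that the sibling emergency-mode group and the parent contingency-plan group both carry, even though preventing irreversible deletion is the most direct data-loss control in the set; adding `- aws_rds_db_instance_deletion_protection_enabled` and `- aws_elb_application_lb_deletion_protection_enabled` to `controls` would make the three lists consistent with each other and with the rule text. The three 308(a)(7) sub-lists also differ in ways that are not obviously driven by the requirement wording (the data-backup group includes `aws_redshift_cluster_maintenance_settings_check`, this one does not), so a short comment at the top of `controls` explaining the selection rule would help the next person who edits any one of them. Since these files are presumably generated, the comment may need to live in the generator's source rather than here.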
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c.yaml 
@@ -1,50 +1,55 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c -Title: 308(a)(7)(ii)(C) Emergency mode operation plan -Description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. -SectionCode: a_7_ii_c -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_7_ii_c - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - 
type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_7_ii_c + title: 308(a)(7)(ii)(C) Emergency mode operation plan + description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. + section-code: a_7_ii_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_7_ii_c + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_deletion_protection_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - 
aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml index e44c2db3a..687bd9aa2 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8.yaml 
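Review bot: `tracks-drift-events: false` is a questionable default for an emergency-mode operation group whose value lies in noticing when backup, multi-AZ or deletion-protection configuration regresses before the emergency happens; if the flag means what its name suggests, disabling it silently drops exactly those regressions, so consider `tracks-drift-events: true` here or document why drift is ignored. `aws_vpc_vpn_tunnel_up` in `controls` is a liveness probe of current tunnel state rather than a configuration control, so it will flip with transient network events and produce findings unrelated to whether an emergency-mode plan exists; if it is kept, a comment stating that it is intentionally an availability signal would avoid it being removed as noise later.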
@@ -1,23 +1,28 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8 -Title: 308(a)(8) Evaluation -Description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. -SectionCode: a_8 -Children: [] -Controls: - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_308_a_8 - hipaa_section: - - "164_308" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_308_a_8 + title: 308(a)(8) Evaluation + description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. + section-code: a_8 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_308_a_8 + hipaa_section: + - "164_308" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled 
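Review bot: Mapping 308(a)(8) "periodic technical and nontechnical evaluation" to only `aws_guardduty_enabled` and `aws_securityhub_enabled` is thin — both are service-enablement checks and say nothing about the evaluation being periodic or covering policy and procedure; that gap should at least be stated in the group so the two controls are not read as satisfying the requirement. A comment above `controls` such as `# Partial technical evidence only; the periodic evaluation itself is a process control outside the scope of these checks` would make that explicit. If the plugin's control catalogue has a check that AWS Config recording or a Security Hub standards subscription is enabled, it would fit here better than either of the current two, but I cannot see the catalogue from this diff.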
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml index 62874bbd2..3a1137e58 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310.yaml 
@@ -1,20 +1,25 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_310 -Title: Physical Safeguards -Description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. -SectionCode: "164_310" -Children: - - aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv -Controls: [] -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_section: - - "164_310" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_310 + title: Physical Safeguards + description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. + section-code: "164_310" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_section: + - "164_310" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml index c90f0d848..72b7bf45b 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml 
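Review bot: The Physical Safeguards group lists a single child, `aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv`, while its `description` speaks of facility and workforce safeguards that no AWS-account control can evidence; a reader will reasonably ask where 310(a), (b), (c) and (d)(1) went. A one-line comment above `control-group` — for example `# Only 310(d)(2)(iv) is mappable to account configuration; the remaining physical standards are covered by the provider under the shared-responsibility model and must be evidenced elsewhere` — would turn an apparent omission into a documented scoping decision. This is a documentation point only; the restructuring itself looks mechanically correct.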
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv.yaml 
@@ -1,43 +1,48 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv -Title: 310(d)(2)(iv) Data backup and storage -Description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. -SectionCode: d_2_iv -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_310_d_2_iv - hipaa_section: - - "164_310" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_310_d_2_iv + title: 310(d)(2)(iv) Data backup and storage + description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. 
+ section-code: d_2_iv + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_310_d_2_iv + hipaa_section: + - "164_310" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml index 0ecfd57c7..99e1c49df 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312.yaml 
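Review bot: `aws_ec2_instance_ebs_optimized` does not belong under 310(d)(2)(iv) "create a retrievable, exact copy of ePHI": EBS optimization is a network-bandwidth setting for the instance and has no bearing on whether a snapshot or backup exists, so its presence dilutes the evidence this group provides. Unless there is a rationale I cannot see, remove that line from `controls` or annotate it with a comment explaining the intended link to backup. The rest of the list (AWS Backup plan membership, retention and manual-deletion protection, PITR, versioning and cross-region replication) is a coherent set for this requirement.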
@@ -1,30 +1,35 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_312 -Title: Technical Safeguards -Description: The Security Rule defines technical safeguards in 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.` -SectionCode: "164_312" -Children: - - aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1 - - aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i - - aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii - - aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv - - aws_hipaa_final_omnibus_security_rule_2013_164_312_b - - aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1 - - aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2 - - aws_hipaa_final_omnibus_security_rule_2013_164_312_d - - aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1 - - aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i - - aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii -Controls: [] -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_312 + title: Technical Safeguards + description: The Security Rule defines technical safeguards in 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.` + section-code: "164_312" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1 + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i + - id: 
aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1 + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2 + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1 + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i + - id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml index 3277fce6c..49f91ed21 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1.yaml 
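Review bot: The `control-group` children under Technical Safeguards jump from `_a_2_ii` to `_a_2_iv`, so 312(a)(2)(iii) (automatic logoff) has no group at all, and nothing in the file says whether that is deliberate. If there is no account-level control that can evidence automatic logoff, a comment on the child list — for example `# 312(a)(2)(iii) automatic logoff intentionally omitted: no AWS configuration control maps to it` — would prevent the gap being mistaken for a generator bug. This is a documentation point; the children that are listed match the sibling files visible in this diff.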
@@ -1,57 +1,62 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1 -Title: 312(a)(1) Access control -Description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). -SectionCode: a_1 -Children: [] -Controls: - - aws_autoscaling_launch_config_public_ip_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_iam_profile_attached - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_uses_imdsv2 - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - 
aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_312_a_1 - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_1 + title: 312(a)(1) Access control + description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). + section-code: a_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_312_a_1 + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_launch_config_public_ip_disabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_iam_profile_attached + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_uses_imdsv2 + - aws_ecs_task_definition_user_for_host_mode_check + - aws_emr_cluster_kerberos_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_group_not_empty + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_opensearch_domain_in_vpc + - 
aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml index 3ce73e295..eb105dd34 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i.yaml 
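Review bot: `aws_ec2_instance_iam_profile_attached` in the 312(a)(1) `controls` list checks that an instance has an IAM role attached, which on its own grants access rather than restricting it; it is a credential-hygiene control (avoid static keys on hosts), not evidence that access to ePHI is limited to granted principals, and a comment stating that rationale would keep it from looking like a mismapping. The list covers MFA only for console users via `aws_iam_user_console_access_mfa_enabled`; if the plugin's catalogue has a root-account MFA control it belongs here as well, since root is the principal most likely to bypass 308(a)(4) access grants — I cannot confirm such a control exists from this diff. Everything else in the list is a reasonable public-exposure or least-privilege check.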
@@ -1,24 +1,29 @@ -ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i -Title: 312(a)(2)(i) Unique user identification -Description: Assign a unique name and/or number for identifying and tracking user identity. -SectionCode: a_2_i -Children: [] -Controls: - - aws_cloudtrail_s3_data_events_enabled - - aws_iam_root_user_no_access_keys - - aws_s3_bucket_restrict_public_read_access -Tags: - category: - - Compliance - hipaa_final_omnibus_security_rule_2013: - - "true" - hipaa_final_omnibus_security_rule_2013_item_id: - - 164_312_a_2_i - hipaa_section: - - "164_312" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_i + title: 312(a)(2)(i) Unique user identification + description: Assign a unique name and/or number for identifying and tracking user identity. + section-code: a_2_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_final_omnibus_security_rule_2013: + - "true" + hipaa_final_omnibus_security_rule_2013_item_id: + - 164_312_a_2_i + hipaa_section: + - "164_312" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_s3_data_events_enabled + - aws_iam_root_user_no_access_keys + - aws_s3_bucket_restrict_public_read_access diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml index 106499023..9e3cc03d3 100755 --- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml +++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii.yaml 
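Review bot: `aws_s3_bucket_restrict_public_read_access` does not evidence 312(a)(2)(i) "assign a unique name and/or number for identifying and tracking user identity" — public-read restriction is an access-control check and is already in the 312(a)(1) group, so its presence here is likely a copy-over rather than a mapping decision; consider removing it from this `controls` list. The two remaining controls do fit, but only indirectly, and a short comment would make the reasoning auditable: `aws_iam_root_user_no_access_keys` rules out a shared, non-attributable root credential, and `aws_cloudtrail_s3_data_events_enabled` is what ties S3 access to an identified principal. This mapping predates the commit, so it is not a regression, but the new side is the one that will be read.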
@@ -1,43 +1,48 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
-Title: 312(a)(2)(ii) Emergency access procedure
-Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
-SectionCode: a_2_ii
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_2_ii
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_ii
+ title: 312(a)(2)(ii) Emergency access procedure
+ description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
+ section-code: a_2_ii
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_2_ii
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
index 80b40954a..95cc1fb07 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv.yaml
@@ -1,54 +1,59 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
-Title: 312(a)(2)(iv) Encryption and decryption
-Description: Implement a mechanism to encrypt and decrypt electronic protected health information.
-SectionCode: a_2_iv
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_a_2_iv
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv
+ title: 312(a)(2)(iv) Encryption and decryption
+ description: Implement a mechanism to encrypt and decrypt electronic protected health information.
+ section-code: a_2_iv
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_a_2_iv
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
index c2fb35733..ac0ba0e62 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_b.yaml
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
-Title: 312(b) Audit controls
-Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_xray_tracing_enabled
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_b
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_b
+ title: 312(b) Audit controls
+ description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_b
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_xray_tracing_enabled
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml
index b7a127492..0603dbb59 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1.yaml 
@@ -1,42 +1,47 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
-Title: 312(c)(1) Integrity
-Description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
-SectionCode: c_1
-Children: []
-Controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_c_1
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_1
+ title: 312(c)(1) Integrity
+ description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
+ section-code: c_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_c_1
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
index a01bb82b2..4fdd29a66 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2.yaml
@@ -1,28 +1,33 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
-Title: 312(c)(2) Mechanism to authenticate electronic protected health information
-Description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
-SectionCode: c_2
-Children: []
-Controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_c_2
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_c_2
+ title: 312(c)(2) Mechanism to authenticate electronic protected health information
+ description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
+ section-code: c_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_c_2
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
index a0bcd4f33..0455133e4 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_d.yaml
@@ -1,26 +1,31 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
-Title: 312(d) Person or entity authentication
-Description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
-SectionCode: d
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_d
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_d
+ title: 312(d) Person or entity authentication
+ description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_d
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml
index d9c013e46..f9674b7f5 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1.yaml
@@ -1,56 +1,61 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1
-Title: 312(e)(1) Transmission security
-Description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
-SectionCode: e_1
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 1.64312e+06
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_1
+ title: 312(e)(1) Transmission security
+ description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
+ section-code: e_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - "1.64312e+06"
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml
index af6c1e8a5..43aa8351c 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i.yaml
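Review bot: The `hipaa_final_omnibus_security_rule_2013_item_id` tag in this hunk now carries the string `"1.64312e+06"`, which is not an item id but what a YAML 1.1 loader makes of the unquoted identifier: the sibling hunks follow the pattern `164_312_<section-code>` (`164_312_e_2_i` for `section-code: e_2_i`), so for `section-code: e_1` the value is presumably `164_312_e_1`, which with underscores stripped reads as the float `164312e1` = 1643120 and then round-trips as `1.64312e+06`. Quoting that float freezes the corrupted value, so any filter or report keyed on this tag will never match 164.312(e)(1). The line should be `- "164_312_e_1"`, quoted, since the unquoted form is exactly what triggered the mis-parse.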
@@ -1,34 +1,39 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i
-Title: 312(e)(2)(i) Integrity controls
-Description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
-SectionCode: e_2_i
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_guardduty_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_e_2_i
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_i
+ title: 312(e)(2)(i) Integrity controls
+ description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
+ section-code: e_2_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_e_2_i
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_guardduty_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml
index dc566312d..e99804b3f 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii.yaml
@@ -1,52 +1,57 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii
-Title: 312(e)(2)(ii) Encryption
-Description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
-SectionCode: e_2_ii
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- hipaa_final_omnibus_security_rule_2013:
- - "true"
- hipaa_final_omnibus_security_rule_2013_item_id:
- - 164_312_e_2_ii
- hipaa_section:
- - "164_312"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii
+ title: 312(e)(2)(ii) Encryption
+ description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
+ section-code: e_2_ii
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_final_omnibus_security_rule_2013:
+ - "true"
+ hipaa_final_omnibus_security_rule_2013_item_id:
+ - 164_312_e_2_ii
+ hipaa_section:
+ - "164_312"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml
index 05b724f8a..f741e1e69 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314.yaml
@@ -1,25 +1,30 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314
-Title: Organizational Requirements
-Description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS).
-SectionCode: "164_314"
-Children:
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv
-Controls: []
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314
+  title: Organizational Requirements
+  description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS).
+  section-code: "164_314"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii
+    - id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml
index d6b2f4d70..9b151b273 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1.yaml
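Review bot: The new `defaults` block mixes `auto-assign: null` with `enabled: false` and `tracks-drift-events: false`, and the old file carried no Defaults at all for this group, so the two `false` values read as new explicit opt-outs rather than as "inherit from the framework". If the loader treats a group-level `false` as an override, every 164.314 sub-group is now disabled independently of the framework switch; if `null` means "unset", the consistent form would be `auto-assign: null`, `enabled: null`, `tracks-drift-events: null`, or dropping the `defaults` block from groups entirely. The same pattern appears in the b_1, b_2, b_2_i, b_2_ii, b_2_iii and b_2_iv hunks below, while the framework file for aws_hipaa_security_rule_2003 uses `auto-assign: false`. The description also carries over the typo `if the it knows` from the old text; `if it knows` is presumably intended.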
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1
-Title: 314(b)(1) Requirements for group health plans
-Description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
-SectionCode: b_1
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_1
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_1
+  title: 314(b)(1) Requirements for group health plans
+  description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
+  section-code: b_1
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_1
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml
index b01dac897..ce0bc4118 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2.yaml
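Review bot: The same 26-entry `controls` list is repeated verbatim in this hunk and in the b_2, b_2_i, b_2_ii, b_2_iii and b_2_iv hunks, although 164.314(b) is a contractual/organizational requirement (plan-document provisions, separation of the plan sponsor, agent agreements, and in b_2_iv incident reporting to the group health plan), which encryption-at-rest and public-access checks cannot evidence on their own. The mapping is carried over from the old files rather than introduced here, but a benchmark score built from these controls will read as "compliant" for requirements that were never assessed. A comment above `controls:` in each of the six files would keep that visible, e.g. `  # 164.314(b) is satisfied by plan-document/contract terms; the technical controls below are supporting evidence only`, and the list could be defined once and referenced if the framework format supports that.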
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2
-Title: 314(b)(2) Implementation specifications
-Description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to?
-SectionCode: b_2
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_2
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2
+  title: 314(b)(2) Implementation specifications
+  description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to?
+  section-code: b_2
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_2
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml
index f20cf9b13..cde3beccd 100755
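Review bot: The `description` on the new side still ends with `to require the plan sponsor to?`, which reads as a mis-encoded dash or colon rather than a question; the regulation text introduces the (i)–(iv) sub-items at that point. Since the migration rewrites the whole file anyway, this is the place to repair it, e.g. `  description: "The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to:"`. The same wording was in the old `Description:` line, so the defect is inherited rather than introduced here.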
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i.yaml
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i
-Title: 314(b)(2)(i)
-Description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan.
-SectionCode: b_2_i
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_2_i
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_i
+  title: 314(b)(2)(i)
+  description: Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan.
+  section-code: b_2_i
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_2_i
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
index cc7dd623f..c0b1a30fc 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii.yaml
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii
-Title: 314(b)(2)(ii)
-Description: Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures.
-SectionCode: b_2_ii
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_2_ii
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_ii
+  title: 314(b)(2)(ii)
+  description: Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures.
+  section-code: b_2_ii
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_2_ii
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml
index 5ce502dc5..69bcfdda8 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii.yaml
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii
-Title: 314(b)(2)(iii)
-Description: Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information.
-SectionCode: b_2_iii
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_2_iii
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iii
+  title: 314(b)(2)(iii)
+  description: Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information.
+  section-code: b_2_iii
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_2_iii
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml
index 5a1e42202..5fb2f054d 100755
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv.yaml
@@ -1,47 +1,52 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv
-Title: 314(b)(2)(iv)
-Description: Report to the group health plan any security incident of which it becomes aware.
-SectionCode: b_2_iv
-Children: []
-Controls:
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dax_cluster_encryption_at_rest_enabled
-  - aws_dynamodb_table_encryption_enabled
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_eks_cluster_secrets_encrypted
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_encryption_at_rest_enabled
-  - aws_opensearch_domain_https_required
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_vpc_configured_to_use_vpc_endpoints
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  hipaa_final_omnibus_security_rule_2013_item_id:
-    - 164_314_b_2_iv
-  hipaa_section:
-    - "164_314"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_hipaa_final_omnibus_security_rule_2013_164_314_b_2_iv
+  title: 314(b)(2)(iv)
+  description: Report to the group health plan any security incident of which it becomes aware.
+  section-code: b_2_iv
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_final_omnibus_security_rule_2013:
+        - "true"
+      hipaa_final_omnibus_security_rule_2013_item_id:
+        - 164_314_b_2_iv
+      hipaa_section:
+        - "164_314"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dax_cluster_encryption_at_rest_enabled
+    - aws_dynamodb_table_encryption_enabled
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_eks_cluster_secrets_encrypted
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_encryption_at_rest_enabled
+    - aws_opensearch_domain_https_required
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_vpc_configured_to_use_vpc_endpoints
diff --git a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/root.yaml b/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/root.yaml
deleted file mode 100755
index 1aa5ea72e..000000000
--- a/compliance/frameworks/aws/aws_hipaa_final_omnibus_security_rule_2013/root.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-ID: aws_hipaa_final_omnibus_security_rule_2013
-Title: HIPAA Final Omnibus Security Rule 2013
-Description: The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a business associate and covered entity. The Final Omnibus Rule provides additional guidance to the 2003 Security Rule and implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA.
-SectionCode: aws_hipaa_final_omnibus_security_rule_2013
-Children:
-  - aws_hipaa_final_omnibus_security_rule_2013_164_308
-  - aws_hipaa_final_omnibus_security_rule_2013_164_310
-  - aws_hipaa_final_omnibus_security_rule_2013_164_312
-  - aws_hipaa_final_omnibus_security_rule_2013_164_314
-Controls: []
-Defaults:
-  AutoAssign: false
-  Enabled: false
-  TracksDriftEvents: false
-Tags:
-  category:
-    - Compliance
-  hipaa_final_omnibus_security_rule_2013:
-    - "true"
-  platform_benchmark_type:
-    - compliance
-  platform_category:
-    - Laws & Regulations
-    - Privacy
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml
new file mode 100644
index 000000000..3fe6274f9
--- /dev/null
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003.yaml
@@ -0,0 +1,31 @@
+framework:
+  id: aws_hipaa_security_rule_2003
+  title: HIPAA Security Rule 2003
+  description: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
+  section-code: aws_hipaa_security_rule_2003
+  metadata:
+    defaults:
+      auto-assign: false
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      hipaa_security_rule_2003:
+        - "true"
+      platform_benchmark_type:
+        - compliance
+      platform_category:
+        - Laws & Regulations
+        - Privacy
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_hipaa_security_rule_2003_164_308
+    - id: aws_hipaa_security_rule_2003_164_310
+    - id: aws_hipaa_security_rule_2003_164_312
+    - id: aws_hipaa_security_rule_2003_164_314
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
index 97a1d6dc8..a109f90b5 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308.yaml
@@ -1,40 +1,45 @@
-ID: aws_hipaa_security_rule_2003_164_308
-Title: Administrative Safeguards
-Description: An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate administrative safeguards that establish the foundation for a covered entity's security program. The Administrative Safeguards standards in the Security Rule, at § 164.308, were developed to accomplish this purpose.
-SectionCode: "164_308"
-Children:
- - aws_hipaa_security_rule_2003_164_308_a_1_ii_a
- - aws_hipaa_security_rule_2003_164_308_a_1_ii_b
- - aws_hipaa_security_rule_2003_164_308_a_1_ii_d
- - aws_hipaa_security_rule_2003_164_308_a_3_i
- - aws_hipaa_security_rule_2003_164_308_a_3_ii_a
- - aws_hipaa_security_rule_2003_164_308_a_3_ii_b
- - aws_hipaa_security_rule_2003_164_308_a_3_ii_c
- - aws_hipaa_security_rule_2003_164_308_a_4_i
- - aws_hipaa_security_rule_2003_164_308_a_4_ii_a
- - aws_hipaa_security_rule_2003_164_308_a_4_ii_b
- - aws_hipaa_security_rule_2003_164_308_a_4_ii_c
- - aws_hipaa_security_rule_2003_164_308_a_5_ii_b
- - aws_hipaa_security_rule_2003_164_308_a_5_ii_c
- - aws_hipaa_security_rule_2003_164_308_a_5_ii_d
- - aws_hipaa_security_rule_2003_164_308_a_6_i
- - aws_hipaa_security_rule_2003_164_308_a_6_ii
- - aws_hipaa_security_rule_2003_164_308_a_7_i
- - aws_hipaa_security_rule_2003_164_308_a_7_ii_a
- - aws_hipaa_security_rule_2003_164_308_a_7_ii_b
- - aws_hipaa_security_rule_2003_164_308_a_7_ii_c
- - aws_hipaa_security_rule_2003_164_308_a_8
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308
+ title: Administrative Safeguards
+ description: An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate administrative safeguards that establish the foundation for a covered entity's security program. The Administrative Safeguards standards in the Security Rule, at § 164.308, were developed to accomplish this purpose.
+ section-code: "164_308"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
+ - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b
+ - id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d
+ - id: aws_hipaa_security_rule_2003_164_308_a_3_i
+ - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a
+ - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
+ - id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
+ - id: aws_hipaa_security_rule_2003_164_308_a_4_i
+ - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
+ - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b
+ - id: aws_hipaa_security_rule_2003_164_308_a_4_ii_c
+ - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b
+ - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c
+ - id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d
+ - id: aws_hipaa_security_rule_2003_164_308_a_6_i
+ - id: aws_hipaa_security_rule_2003_164_308_a_6_ii
+ - id: aws_hipaa_security_rule_2003_164_308_a_7_i
+ - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a
+ - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b
+ - id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c
+ - id: aws_hipaa_security_rule_2003_164_308_a_8
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
index f9abba474..c76729f8b 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
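Review bot: `auto-assign: null` under `metadata.defaults` is an explicit null on a key whose siblings (`enabled`, `tracks-drift-events`) and the framework file in the previous hunk (`auto-assign: false`) treat as a boolean; a typed loader will either coerce the null to false or reject it, and a dynamic one cannot distinguish "inherit" from "unset". If null is meant to signal inheritance from the parent framework, that contract is not documented in any of these files; suggest either `auto-assign: false` for consistency with the framework file or a comment above the key such as `# null = inherit auto-assign from the parent framework`. The same explicit null appears in every control-group hunk that follows (a_1_ii_a through a_4_ii_b), so whichever choice is made should be applied to all of them.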
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_a.yaml
@@ -1,24 +1,29 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
-Title: 308(a)(1)(ii)(A) Risk analysis
-Description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
-SectionCode: a_1_ii_a
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_config_enabled_all_regions
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_1_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_1_ii_a
+ title: 308(a)(1)(ii)(A) Risk analysis
+ description: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
+ section-code: a_1_ii_a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_1_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_config_enabled_all_regions
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml
index 2074303df..93e727d13 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_b.yaml 
@@ -1,81 +1,86 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_1_ii_b
-Title: 308(a)(1)(ii)(B) Risk management
-Description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a).
-SectionCode: a_1_ii_b
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_object_lock_enabled
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_bucket_versioning_enabled
- - aws_s3_public_access_block_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_1_ii_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_1_ii_b
+ title: 308(a)(1)(ii)(B) Risk management
+ description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a).
+ section-code: a_1_ii_b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_1_ii_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_kms_key_not_pending_deletion
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_object_lock_enabled
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_bucket_versioning_enabled
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml
index ba5182c13..d38cd5c49 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_1_ii_d.yaml
@@ -1,39 +1,44 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_1_ii_d
-Title: 308(a)(1)(ii)(D) Information system activity review
-Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
-SectionCode: a_1_ii_d
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudfront_distribution_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_codebuild_project_logging_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_1_ii_d
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_1_ii_d
+ title: 308(a)(1)(ii)(D) Information system activity review
+ description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
+ section-code: a_1_ii_d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_1_ii_d
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudfront_distribution_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_codebuild_project_logging_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml
index 88cf24901..5f6640c5c 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_i.yaml
@@ -1,42 +1,47 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_3_i
-Title: 308(a)(3)(i) Workforce security
-Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
-SectionCode: a_3_i
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_3_i
+ title: 308(a)(3)(i) Workforce security
+ description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
+ section-code: a_3_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_es_domain_in_vpc
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml
index 407258097..ca3de87ed 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_a.yaml
@@ -1,36 +1,41 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_3_ii_a
-Title: 308(a)(3)(ii)(A) Authorization and/or supervision
-Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
-SectionCode: a_3_ii_a
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_emr_cluster_kerberos_enabled
- - aws_guardduty_enabled
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_iam_authentication_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_3_ii_a
+ title: 308(a)(3)(ii)(A) Authorization and/or supervision
+ description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
+ section-code: a_3_ii_a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_emr_cluster_kerberos_enabled
+ - aws_guardduty_enabled
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml
index a170593a2..f30d7b913 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_b.yaml
@@ -1,28 +1,33 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
-Title: 308(a)(3)(ii)(B) Workforce clearance procedure
-Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
-SectionCode: a_3_ii_b
-Children: []
-Controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_s3_bucket_policy_restrict_public_access
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_ii_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_3_ii_b
+ title: 308(a)(3)(ii)(B) Workforce clearance procedure
+ description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
+ section-code: a_3_ii_b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_ii_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
index a67dcec5c..4ff2e0862 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_3_ii_c.yaml
@@ -1,22 +1,27 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
-Title: 308(a)(3)(ii)(C) Termination procedures
-Description: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
-SectionCode: a_3_ii_c
-Children: []
-Controls:
- - aws_iam_user_access_key_age_90
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_3_ii_c
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_3_ii_c
+ title: 308(a)(3)(ii)(C) Termination procedures
+ description: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.
+ section-code: a_3_ii_c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_3_ii_c
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_access_key_age_90
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
index 9cf1516db..0b3952a38 100755
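Review bot: `service: - AWS/IAM` in the tags of the a_3_ii_c (Termination procedures) control-group is the only `service` value in the whole 164_308 set that is not `- AWS`; every sibling section in the surrounding hunks tags `service` as `AWS`, so any filter or grouping on that tag will silently drop this group. The value is carried over from the removed lines rather than introduced here, but since the migration rewrites every tag block this is the natural point to normalise it to `- AWS`. If per-service tagging is actually intended, it would then also need applying to the other groups whose controls are predominantly IAM (a_3_ii_b, a_4_i, a_4_ii_b) to be consistent.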
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_i.yaml
@@ -1,26 +1,31 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_4_i
-Title: 308(a)(4)(i) Information access management
-Description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
-SectionCode: a_4_i
-Children: []
-Controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_rds_db_instance_iam_authentication_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_4_i
+ title: 308(a)(4)(i) Information access management
+ description: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
+ section-code: a_4_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
index 2d77ce817..0ce264382 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_a.yaml
@@ -1,54 +1,59 @@
-ID: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
-Title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
-Description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
-SectionCode: a_4_ii_a
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_logging_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_308"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_308_a_4_ii_a
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_308_a_4_ii_a
+ title: 308(a)(4)(ii)(A) Isolating healthcare clearing house functions
+ description: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
+ section-code: a_4_ii_a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_308"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_308_a_4_ii_a
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_logging_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
index 0f4b19eab..8497775d1 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_b.yaml
@@ -1,26 +1,31 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_4_ii_b -Title: 308(a)(4)(ii)(B) Access authorization -Description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. -SectionCode: a_4_ii_b -Children: [] -Controls: - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_s3_bucket_policy_restrict_public_access -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_4_ii_b - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_4_ii_b + title: 308(a)(4)(ii)(B) Access authorization + description: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. + section-code: a_4_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_4_ii_b + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_group_not_empty + - aws_iam_policy_no_star_star + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_s3_bucket_policy_restrict_public_access diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml index d1eed5817..7a2230db9 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml 
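Review bot: `auto-assign: null` under `metadata.defaults` is the one non-boolean among three boolean-looking defaults, and nothing in the file says whether a generic loader's null means "inherit from the framework" or simply "false"; the same value appears in every converted group in this diff (a_4_ii_c, a_5_ii_b, a_5_ii_c, a_5_ii_d, a_6_i, a_6_ii, a_7_i, a_7_ii_a, a_7_ii_b, a_7_ii_c, a_8, 164_310, 310_d_2_iv). If inheritance is intended, a comment above the key such as `# null: inherit auto-assign from the enclosing framework` would record that for the next maintainer; if it is not, `auto-assign: false` would match the explicit `enabled: false` and `tracks-drift-events: false` beside it. I cannot tell from the diff which of the two the consumer's schema expects, so this is a documentation request rather than a claimed bug.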
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_4_ii_c.yaml 
@@ -1,31 +1,36 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_4_ii_c -Title: 308(a)(4)(ii)(C) Access establishment and modification -Description: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. -SectionCode: a_4_ii_c -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_s3_bucket_policy_restrict_public_access - - aws_secretsmanager_secret_automatic_rotation_enabled -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_4_ii_c - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_4_ii_c + title: 308(a)(4)(ii)(C) Access establishment and modification + description: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. 
+ section-code: a_4_ii_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_4_ii_c + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_group_not_empty + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_in_group + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_s3_bucket_policy_restrict_public_access + - aws_secretsmanager_secret_automatic_rotation_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml index d279fc324..30541c60b 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_b.yaml 
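Review bot: `tracks-drift-events: false` is applied uniformly here even though every control in this group is an IAM credential-lifecycle check (password reuse policy, root access keys, key age, unused credentials, secret rotation), which is exactly the kind of setting whose regression a drift event would surface; the same default lands on the password-management group (a_5_ii_d) and the access-authorization group (a_4_ii_b). If drift tracking is opt-in by design that is fine, but it would help to say so once, e.g. `# drift tracking is opt-in per tenant; defaults stay off for every group`, so a reader does not assume the access-control groups were deliberately excluded. Whether the consumer reads these defaults at all is not visible in the diff.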
@@ -1,24 +1,29 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_5_ii_b -Title: 308(a)(5)(ii)(B) Protection from malicious software -Description: Procedures for guarding against, detecting, and reporting malicious software. -SectionCode: a_5_ii_b -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_5_ii_b - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_5_ii_b + title: 308(a)(5)(ii)(B) Protection from malicious software + description: Procedures for guarding against, detecting, and reporting malicious software. + section-code: a_5_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_5_ii_b + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml index 00abd9c21..2f59a64b9 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_c.yaml 
@@ -1,26 +1,31 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_5_ii_c -Title: 308(a)(5)(ii)(C) Log-in monitoring -Description: Procedures for monitoring log-in attempts and reporting discrepancies. -SectionCode: a_5_ii_c -Children: [] -Controls: - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_validation_enabled - - aws_guardduty_enabled - - aws_log_metric_filter_console_authentication_failure -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_5_ii_c - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_5_ii_c + title: 308(a)(5)(ii)(C) Log-in monitoring + description: Procedures for monitoring log-in attempts and reporting discrepancies. + section-code: a_5_ii_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_5_ii_c + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_validation_enabled + - aws_guardduty_enabled + - aws_log_metric_filter_console_authentication_failure diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml index 436109abc..8a19f627d 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_5_ii_d.yaml 
@@ -1,27 +1,32 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_5_ii_d -Title: 308(a)(5)(ii)(D) Password management -Description: Procedures for creating, changing, and safeguarding passwords. -SectionCode: a_5_ii_d -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_access_key_age_90 - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_last_changed_90_day - - aws_secretsmanager_secret_rotated_as_scheduled -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_5_ii_d - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_5_ii_d + title: 308(a)(5)(ii)(D) Password management + description: Procedures for creating, changing, and safeguarding passwords. + section-code: a_5_ii_d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_5_ii_d + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_user_access_key_age_90 + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_last_changed_90_day + - aws_secretsmanager_secret_rotated_as_scheduled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml index ddc2c47c1..45cf60786 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_i.yaml @@ -1,27 +1,32 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_6_i -Title: 308(a)(6)(i) Security incident procedures -Description: Implement policies and procedures to address security incidents. -SectionCode: a_6_i -Children: [] -Controls: - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_lambda_function_dead_letter_queue_configured - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_root_login - - aws_securityhub_enabled -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_6_i - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_6_i + title: 308(a)(6)(i) Security incident procedures + description: Implement policies and procedures to address security incidents. + section-code: a_6_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_6_i + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_lambda_function_dead_letter_queue_configured + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_root_login + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml index d0eaf16d9..0108fc883 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_6_ii.yaml 
@@ -1,35 +1,40 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_6_ii -Title: 308(a)(6)(ii) Response and Reporting -Description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. -SectionCode: a_6_ii -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_root_login - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_6_ii - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_6_ii + title: 308(a)(6)(ii) Response and Reporting + description: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. 
+ section-code: a_6_ii + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_6_ii + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_validation_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_root_login + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml index b88ecfd58..3f706d611 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_i.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_7_i -Title: 308(a)(7)(i) Contingency plan -Description: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. -SectionCode: a_7_i -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_i - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_7_i + title: 308(a)(7)(i) Contingency plan + description: Establish (and implement as needed) policies and 
procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. + section-code: a_7_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_i + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up 
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml index 8dd2dda5e..5115c7997 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_a.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_7_ii_a -Title: 308(a)(7)(ii)(A) Data backup plan -Description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. -SectionCode: a_7_ii_a -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_ii_a - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_7_ii_a + title: 308(a)(7)(ii)(A) Data backup plan + description: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. 
+ section-code: a_7_ii_a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_ii_a + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml index d8137ccba..2a5aca4d8 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_b.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_7_ii_b -Title: 308(a)(7)(ii)(B) Disaster recovery plan -Description: Establish (and implement as needed) procedures to restore any loss of data. -SectionCode: a_7_ii_b -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_ii_b - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_7_ii_b + title: 308(a)(7)(ii)(B) Disaster recovery plan + description: Establish (and implement as needed) procedures to restore any loss of data. 
+ section-code: a_7_ii_b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_ii_b + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml index ba142ae13..0aa05a104 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml 
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_7_ii_c.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_7_ii_c -Title: 308(a)(7)(ii)(C) Emergency mode operation plan -Description: Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. -SectionCode: a_7_ii_c -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_7_ii_c - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_7_ii_c + title: 308(a)(7)(ii)(C) Emergency mode operation plan + description: Establish (and implement as needed) procedures to 
enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. + section-code: a_7_ii_c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_7_ii_c + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml index 8a321adea..65f0db5be 100755 
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_308_a_8.yaml @@ -1,23 +1,28 @@ -ID: aws_hipaa_security_rule_2003_164_308_a_8 -Title: 308(a)(8) Evaluation -Description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. -SectionCode: a_8 -Children: [] -Controls: - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - hipaa_section: - - "164_308" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_308_a_8 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_308_a_8 + title: 308(a)(8) Evaluation + description: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. + section-code: a_8 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_308" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_308_a_8 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled 
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml index d17670fb2..4aa31f367 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310.yaml @@ -1,20 +1,25 @@ -ID: aws_hipaa_security_rule_2003_164_310 -Title: Physical Safeguards -Description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. -SectionCode: "164_310" -Children: - - aws_hipaa_security_rule_2003_164_310_d_2_iv -Controls: [] -Tags: - category: - - Compliance - hipaa_section: - - "164_310" - hipaa_security_rule_2003: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_310 + title: Physical Safeguards + description: The Security Rule defines physical safeguards to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. + section-code: "164_310" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_310" + hipaa_security_rule_2003: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_hipaa_security_rule_2003_164_310_d_2_iv 
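Review bot: This non-leaf group carries a nested `control-group` list but no `controls` key, while every leaf group in the diff carries `controls` but no `control-group`; the removed format always wrote both keys explicitly (`Children: []` and `Controls: []`). If the loader treats an absent key as an empty list this is harmless, but if its schema marks either key as required the parent files will be the ones that fail to load, and that would not show up when only leaf files are spot-checked. Writing `controls: []` here (and `control-group: []` on leaf groups) would keep the new files as self-describing as the old ones; I cannot see the loader, so this is a consistency point rather than a confirmed failure.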
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml
index a5fdf8c25..fa9e8e504 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_310_d_2_iv.yaml
@@ -1,43 +1,48 @@
-ID: aws_hipaa_security_rule_2003_164_310_d_2_iv
-Title: 310(d)(2)(iv) Data backup and storage
-Description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
-SectionCode: d_2_iv
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_310"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_310_d_2_iv
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_310_d_2_iv
+ title: 310(d)(2)(iv) Data backup and storage
+ description: Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
+ section-code: d_2_iv
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_310"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_310_d_2_iv
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml
index d8845688d..88da53e30 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312.yaml
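Review bot: `aws_ec2_instance_ebs_optimized` in the `controls` list of this group checks an EC2 throughput setting rather than whether a copy of the data exists or is retained, so it reads as out of place under "310(d)(2)(iv) Data backup and storage"; every other entry in the list is a backup-plan, retention, replication or versioning check. The same control is carried into the 312(a)(2)(ii) emergency-access group later in this diff. If the mapping is deliberate, a short comment on that line stating the rationale would stop the next reader from removing it; otherwise drop it from both lists.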
@@ -1,30 +1,35 @@
-ID: aws_hipaa_security_rule_2003_164_312
-Title: Technical Safeguards
-Description: The Security Rule defines technical safeguards in § 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.`
-SectionCode: "164_312"
-Children:
- - aws_hipaa_security_rule_2003_164_312_a_1
- - aws_hipaa_security_rule_2003_164_312_a_2_i
- - aws_hipaa_security_rule_2003_164_312_a_2_ii
- - aws_hipaa_security_rule_2003_164_312_a_2_iv
- - aws_hipaa_security_rule_2003_164_312_b
- - aws_hipaa_security_rule_2003_164_312_c_1
- - aws_hipaa_security_rule_2003_164_312_c_2
- - aws_hipaa_security_rule_2003_164_312_d
- - aws_hipaa_security_rule_2003_164_312_e_1
- - aws_hipaa_security_rule_2003_164_312_e_2_i
- - aws_hipaa_security_rule_2003_164_312_e_2_ii
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312
+ title: Technical Safeguards
+ description: The Security Rule defines technical safeguards in § 164.304 as `the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.`
+ section-code: "164_312"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_hipaa_security_rule_2003_164_312_a_1
+ - id: aws_hipaa_security_rule_2003_164_312_a_2_i
+ - id: aws_hipaa_security_rule_2003_164_312_a_2_ii
+ - id: aws_hipaa_security_rule_2003_164_312_a_2_iv
+ - id: aws_hipaa_security_rule_2003_164_312_b
+ - id: aws_hipaa_security_rule_2003_164_312_c_1
+ - id: aws_hipaa_security_rule_2003_164_312_c_2
+ - id: aws_hipaa_security_rule_2003_164_312_d
+ - id: aws_hipaa_security_rule_2003_164_312_e_1
+ - id: aws_hipaa_security_rule_2003_164_312_e_2_i
+ - id: aws_hipaa_security_rule_2003_164_312_e_2_ii
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml
index 491b92ccd..be00cd8ba 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_1.yaml
@@ -1,44 +1,49 @@
-ID: aws_hipaa_security_rule_2003_164_312_a_1
-Title: 312(a)(1) Access control
-Description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
-SectionCode: a_1
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_a_1
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_a_1
+ title: 312(a)(1) Access control
+ description: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
+ section-code: a_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_a_1
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml
index 2d0dfbac4..992370e5c 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_i.yaml
@@ -1,24 +1,29 @@
-ID: aws_hipaa_security_rule_2003_164_312_a_2_i
-Title: 312(a)(2)(i) Unique user identification
-Description: Assign a unique name and/or number for identifying and tracking user identity.
-SectionCode: a_2_i
-Children: []
-Controls:
- - aws_cloudtrail_s3_data_events_enabled
- - aws_iam_root_user_no_access_keys
- - aws_s3_bucket_restrict_public_read_access
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_a_2_i
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_a_2_i
+ title: 312(a)(2)(i) Unique user identification
+ description: Assign a unique name and/or number for identifying and tracking user identity.
+ section-code: a_2_i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_a_2_i
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_s3_bucket_restrict_public_read_access
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml
index 6d10d98e4..b1be3db56 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_ii.yaml
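Review bot: Only one of the three `controls` in this group, `aws_iam_root_user_no_access_keys`, is about user identity; `aws_cloudtrail_s3_data_events_enabled` and `aws_s3_bucket_restrict_public_read_access` check logging and bucket exposure and do not evaluate whether users are uniquely identified or tracked, which is what the 312(a)(2)(i) description asks for. The list is carried over unchanged from the old format, so this may be an upstream mapping rather than a decision made here; if it is kept, a comment above `controls:` noting the source of the mapping would help reviewers, and the IAM user-level identity checks already used elsewhere in this diff (for example `aws_iam_user_in_group`, `aws_iam_user_mfa_enabled`) look like closer matches.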
@@ -1,43 +1,48 @@
-ID: aws_hipaa_security_rule_2003_164_312_a_2_ii
-Title: 312(a)(2)(ii) Emergency access procedure
-Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
-SectionCode: a_2_ii
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_a_2_ii
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_a_2_ii
+ title: 312(a)(2)(ii) Emergency access procedure
+ description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
+ section-code: a_2_ii
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_a_2_ii
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml
index 9daed8e5a..0b71509c5 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_a_2_iv.yaml
@@ -1,43 +1,48 @@
-ID: aws_hipaa_security_rule_2003_164_312_a_2_iv
-Title: 312(a)(2)(iv) Encryption and decryption
-Description: Implement a mechanism to encrypt and decrypt electronic protected health information.
-SectionCode: a_2_iv
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_iam_policy_custom_no_blocked_kms_actions
- - aws_iam_policy_inline_no_blocked_kms_actions
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_a_2_iv
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_a_2_iv
+ title: 312(a)(2)(iv) Encryption and decryption
+ description: Implement a mechanism to encrypt and decrypt electronic protected health information.
+ section-code: a_2_iv
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_a_2_iv
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml
index 2c64a04f3..59d384482 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_b.yaml
@@ -1,33 +1,38 @@
-ID: aws_hipaa_security_rule_2003_164_312_b
-Title: 312(b) Audit controls
-Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_validation_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_b
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_b
+ title: 312(b) Audit controls
+ description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_b
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml
index 6905d901d..46ac68ee1 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_1.yaml
@@ -1,42 +1,47 @@
-ID: aws_hipaa_security_rule_2003_164_312_c_1
-Title: 312(c)(1) Integrity
-Description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
-SectionCode: c_1
-Children: []
-Controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_eks_cluster_secrets_encrypted
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_c_1
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_c_1
+ title: 312(c)(1) Integrity
+ description: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
+ section-code: c_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_c_1
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_eks_cluster_secrets_encrypted
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
index cf2feb19e..0d3f67d0e 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_c_2.yaml
@@ -1,27 +1,32 @@
-ID: aws_hipaa_security_rule_2003_164_312_c_2
-Title: 312(c)(2) Mechanism to authenticate electronic protected health information
-Description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
-SectionCode: c_2
-Children: []
-Controls:
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_flow_logs_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_c_2
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_c_2
+ title: 312(c)(2) Mechanism to authenticate electronic protected health information
+ description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
+ section-code: c_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_c_2
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
index 828655e8a..bba77e456 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_d.yaml
@@ -1,26 +1,31 @@
-ID: aws_hipaa_security_rule_2003_164_312_d
-Title: 312(d) Person or entity authentication
-Description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
-SectionCode: d
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 164_312_d
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_d
+ title: 312(d) Person or entity authentication
+ description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - 164_312_d
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml
index 81706a907..f233a202a 100755
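Review bot: The `service` tag of this group is `AWS/IAM`, while every other control-group in this diff tags `service` as `AWS`; anything that filters or groups by that tag will split this one item off from the rest of the HIPAA set. The value is carried over from the old format rather than introduced here, but the migration is the natural point to normalise it. If the finer-grained value is intentional, the other groups whose controls are also IAM-only (312(a)(2)(i) is close) should get the same treatment; otherwise change it to `- AWS`.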
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_1.yaml
@@ -1,31 +1,36 @@
-ID: aws_hipaa_security_rule_2003_164_312_e_1
-Title: 312(e)(1) Transmission security
-Description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
-SectionCode: e_1
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudfront_distribution_encryption_in_transit_enabled
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
-Tags:
- category:
- - Compliance
- hipaa_section:
- - "164_312"
- hipaa_security_rule_2003:
- - "true"
- hipaa_security_rule_2003_item_id:
- - 1.64312e+06
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_hipaa_security_rule_2003_164_312_e_1
+ title: 312(e)(1) Transmission security
+ description: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
+ section-code: e_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_section:
+ - "164_312"
+ hipaa_security_rule_2003:
+ - "true"
+ hipaa_security_rule_2003_item_id:
+ - "1.64312e+06"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudfront_distribution_encryption_in_transit_enabled
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
index b43fecc87..4e353e8e7 100755
--- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
+++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_i.yaml
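Review bot: The `hipaa_security_rule_2003_item_id` tag of this group is written as `"1.64312e+06"`, which quotes a value that looks like a float rendering of the real id rather than the id itself; every sibling group in this diff uses the `164_312_<section>` form (`164_312_d`, `164_312_e_2_i`), so this one should be `164_312_e_1`. The most likely history is that a YAML 1.1 loader treated `164_312_e_1` as the number `164312e1` on an earlier round-trip (underscores are ignored inside numeric scalars) and the float was written back; the old side of this hunk already carries the damaged value, and quoting it now only freezes the damage. Restore the line as `- "164_312_e_1"`, and since any sibling id whose suffix happens to be numeric-looking can be mangled the same way, quoting the other `hipaa_security_rule_2003_item_id` values in this diff would prevent a repeat. Any consumer that matches controls by this tag will otherwise miss the 312(e)(1) group.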
@@ -1,32 +1,37 @@ -ID: aws_hipaa_security_rule_2003_164_312_e_2_i -Title: 312(e)(2)(i) Integrity controls -Description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. -SectionCode: e_2_i -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_guardduty_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_e_2_i - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_312_e_2_i + title: 312(e)(2)(i) Integrity controls + description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. 
+ section-code: e_2_i + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_e_2_i + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_guardduty_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml index 8fa13c773..3cee282d8 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_312_e_2_ii.yaml 
@@ -1,41 +1,46 @@ -ID: aws_hipaa_security_rule_2003_164_312_e_2_ii -Title: 312(e)(2)(ii) Encryption -Description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. -SectionCode: e_2_ii -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - hipaa_section: - - "164_312" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_312_e_2_ii - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_312_e_2_ii + title: 312(e)(2)(ii) Encryption + description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. 
+ section-code: e_2_ii + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_312" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_312_e_2_ii + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dax_cluster_encryption_at_rest_enabled + - aws_dynamodb_table_encrypted_with_kms + - aws_dynamodb_table_encryption_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_eks_cluster_secrets_encrypted + - aws_es_domain_encryption_at_rest_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml index 826e0679e..b69a4b24f 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314.yaml 
@@ -1,21 +1,26 @@ -ID: aws_hipaa_security_rule_2003_164_314 -Title: Organizational Requirements -Description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS). -SectionCode: "164_314" -Children: - - aws_hipaa_security_rule_2003_164_314_b_1 - - aws_hipaa_security_rule_2003_164_314_b_2 -Controls: [] -Tags: - category: - - Compliance - hipaa_section: - - "164_314" - hipaa_security_rule_2003: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_314 + title: Organizational Requirements + description: The Security Rule includes the Standard, Business associate contracts or other arrangements. A covered entity is not in compliance with the standard if the it knows of a pattern of an activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligation to safeguard ePHI (under the contract or other arrangement), unless the covered entity takes reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if feasible or if termination is not feasible, report the problem to the Secretary (HHS). 
+ section-code: "164_314" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_314" + hipaa_security_rule_2003: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_hipaa_security_rule_2003_164_314_b_1 + - id: aws_hipaa_security_rule_2003_164_314_b_2 diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml index dfec101f8..3928bfe68 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_1.yaml 
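Review bot: The description still reads `if the it knows of a pattern`; the stray article carried over from the old file should be dropped to `if it knows of a pattern`, since this text is shown as the requirement statement. The `section-code: "164_314"` quoting is correct and should stay: a plain `164_314` loads as the integer 164314 on YAML 1.1 parsers such as PyYAML.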
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_314_b_1 -Title: 314(b)(1) Requirements for group health plans -Description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. -SectionCode: b_1 -Children: [] -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints -Tags: - category: - - Compliance - hipaa_section: - - "164_314" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 
164_314_b_1 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_314_b_1 + title: 314(b)(1) Requirements for group health plans + description: Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan. + section-code: b_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_314" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_314_b_1 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dax_cluster_encryption_at_rest_enabled + - aws_dynamodb_table_encryption_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_eks_cluster_secrets_encrypted + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_encryption_at_rest_enabled + - aws_es_domain_node_to_node_encryption_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_opensearch_domain_https_required + - aws_opensearch_domain_node_to_node_encryption_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_kms_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_restrict_public_read_access + - 
aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml index b494b7fc9..28ae772cc 100755 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml +++ b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/aws_hipaa_security_rule_2003_164_314_b_2.yaml 
@@ -1,47 +1,52 @@ -ID: aws_hipaa_security_rule_2003_164_314_b_2 -Title: 314(b)(2) Implementation specifications -Description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to — (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware. -SectionCode: b_2 -Children: [] -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_eks_cluster_secrets_encrypted - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_opensearch_domain_https_required - - aws_opensearch_domain_node_to_node_encryption_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_kms_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_restrict_public_read_access - - 
aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_vpc_configured_to_use_vpc_endpoints -Tags: - category: - - Compliance - hipaa_section: - - "164_314" - hipaa_security_rule_2003: - - "true" - hipaa_security_rule_2003_item_id: - - 164_314_b_2 - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_hipaa_security_rule_2003_164_314_b_2 + title: 314(b)(2) Implementation specifications + description: The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to — (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware. 
+ section-code: b_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_section: + - "164_314" + hipaa_security_rule_2003: + - "true" + hipaa_security_rule_2003_item_id: + - 164_314_b_2 + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dax_cluster_encryption_at_rest_enabled + - aws_dynamodb_table_encryption_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_eks_cluster_secrets_encrypted + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_encryption_at_rest_enabled + - aws_es_domain_node_to_node_encryption_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_opensearch_domain_https_required + - aws_opensearch_domain_node_to_node_encryption_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_kms_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_vpc_configured_to_use_vpc_endpoints diff --git a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/root.yaml b/compliance/frameworks/aws/aws_hipaa_security_rule_2003/root.yaml deleted file mode 100755 index f0f61937b..000000000 --- a/compliance/frameworks/aws/aws_hipaa_security_rule_2003/root.yaml +++ /dev/null 
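Review bot: The `controls` list for 314(b)(2) is identical, entry for entry, to the list for 314(b)(1) in the preceding file, so the two plan-sponsor requirements are indistinguishable in assessment output. If that is intentional, a short comment above `controls:` such as `# technical safeguards shared with 164_314_b_1; keep the two lists in sync` would stop the next maintainer from adjusting one list and not the other. Both requirements are contractual (plan documents and sponsor obligations), so the mapping to encryption and public-access checks presumably stands in for "safeguards exist" rather than measuring the requirement itself; stating that in the description or a comment would help anyone reading the results.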
@@ -1,30 +0,0 @@ -ID: aws_hipaa_security_rule_2003 -Title: HIPAA Security Rule 2003 -Description: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. -SectionCode: aws_hipaa_security_rule_2003 -Children: - - aws_hipaa_security_rule_2003_164_308 - - aws_hipaa_security_rule_2003_164_310 - - aws_hipaa_security_rule_2003_164_312 - - aws_hipaa_security_rule_2003_164_314 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - hipaa_security_rule_2003: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Laws & Regulations - - Privacy - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml new file mode 100644 index 000000000..13e5a0e8f --- /dev/null +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2.yaml 
@@ -0,0 +1,37 @@ +framework: + id: aws_nist_800_171_rev_2 + title: NIST 800-171 Revision 2 + description: NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks. + section-code: aws_nist_800_171_rev_2 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Frameworks + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_2 + - id: aws_nist_800_171_rev_2_3_1 + - id: aws_nist_800_171_rev_2_3_3 + - id: aws_nist_800_171_rev_2_3_4 + - id: aws_nist_800_171_rev_2_3_5 + - id: aws_nist_800_171_rev_2_3_6 + - id: aws_nist_800_171_rev_2_3_8 + - id: aws_nist_800_171_rev_2_3_11 + - id: aws_nist_800_171_rev_2_3_12 + - id: aws_nist_800_171_rev_2_3_13 + - id: aws_nist_800_171_rev_2_3_14 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml index f19a39bbd..d32b697d3 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2.yaml 
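Review bot: `auto-assign: false` is set in the framework `defaults:` block while every control-group file in this change sets `auto-assign: null` (aws_nist_800_171_rev_2_2 below and the HIPAA groups above), and nothing in the files says whether `null` means "inherit from the framework" or "unset". A one-line comment on the framework block, e.g. `# control-group files use auto-assign: null to inherit these values — TODO confirm against the loader`, would record the intent; if the loader treats `null` and `false` the same, the child values are dead weight and could be dropped. `section-code` repeating the `id` verbatim is harmless, but since the child groups use short codes like `"3_1"` it is worth confirming that is the intended convention for root documents.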
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_2 -Title: System Enviornment -Description: 'Include a detailed topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices. (Note: this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, handhelds). If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. [Insert a system topology graphic. Provide a narrative consistent with the graphic that clearly lists and describes each system component.]' -SectionCode: "2" -Children: - - aws_nist_800_171_rev_2_2_2 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_2 + title: System Enviornment + description: "Include a detailed topology narrative and graphic that clearly depicts the system boundaries, system interconnections, and key devices. (Note: this does not require depicting every workstation or desktop, but include an instance for each operating system in use, an instance for portable components (if applicable), all virtual and physical servers (e.g., file, print, web, database, application), as well as any networked workstations (e.g., Unix, Windows, Mac, Linux), firewalls, routers, switches, copiers, printers, lab equipment, handhelds). 
If components of other systems that interconnect/interface with this system need to be shown on the diagram, denote the system boundaries by referencing the security plans or names and owners of the other system(s) in the diagram. [Insert a system topology graphic. Provide a narrative consistent with the graphic that clearly lists and describes each system component.]" + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_2_2 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml index 8dac37b93..8bddc3b87 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_2_2.yaml @@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_2_2 -Title: 2. List all software components installed on the system -Description: List all software components installed on the system. -SectionCode: "2" -Children: [] -Controls: - - aws_config_enabled_all_regions - - aws_ec2_instance_ssm_managed -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_2_2 + title: 2. List all software components installed on the system + description: List all software components installed on the system. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_config_enabled_all_regions + - aws_ec2_instance_ssm_managed 
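Review bot: The title still carries the misspelling `System Enviornment`; the new side should read `title: System Environment`, since this string is what users see for the group. The description's switch from single to double quotes is safe here because the text contains no backslashes, but double-quoted scalars process `\` escapes, so a later edit adding a path or pattern to this field needs care.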
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml index 7d8ae0a47..a36a5bd8c 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_171_rev_2_3_1 -Title: Access Control -Description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. -SectionCode: "3_1" -Children: - - aws_nist_800_171_rev_2_3_1_1 - - aws_nist_800_171_rev_2_3_1_2 - - aws_nist_800_171_rev_2_3_1_3 - - aws_nist_800_171_rev_2_3_1_4 - - aws_nist_800_171_rev_2_3_1_5 - - aws_nist_800_171_rev_2_3_1_6 - - aws_nist_800_171_rev_2_3_1_7 - - aws_nist_800_171_rev_2_3_1_12 - - aws_nist_800_171_rev_2_3_1_13 - - aws_nist_800_171_rev_2_3_1_14 - - aws_nist_800_171_rev_2_3_1_20 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1 + title: Access Control + description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. + section-code: "3_1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_1_1 + - id: aws_nist_800_171_rev_2_3_1_2 + - id: aws_nist_800_171_rev_2_3_1_3 + - id: aws_nist_800_171_rev_2_3_1_4 + - id: aws_nist_800_171_rev_2_3_1_5 + - id: aws_nist_800_171_rev_2_3_1_6 + - id: aws_nist_800_171_rev_2_3_1_7 + - id: aws_nist_800_171_rev_2_3_1_12 + - id: aws_nist_800_171_rev_2_3_1_13 + - id: aws_nist_800_171_rev_2_3_1_14 + - id: aws_nist_800_171_rev_2_3_1_20 
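Review bot: The description for the Access Control family opens with `security requirements detailing system logging`, which describes the Audit and Accountability family (3.3) rather than 3.1; the sentence should say the family covers limiting system access to authorized users, processes and devices, with the account-management, privilege and remote-access items that follow it. The child list stops at 3.1.7 apart from 3.1.12–3.1.14 and 3.1.20; if the missing requirements are omitted because no AWS check maps to them, a comment above `control-group:` saying so would keep the gap from looking accidental. The `section-code: "3_1"` quoting is right, since a plain `3_1` loads as the integer 31 on YAML 1.1 parsers.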
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml index 3375b1dc0..e0068949b 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11.yaml @@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_11 -Title: Risk Assessment -Description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. -SectionCode: "3_11" -Children: - - aws_nist_800_171_rev_2_3_11_2 - - aws_nist_800_171_rev_2_3_11_3 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_11 + title: Risk Assessment + description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. + section-code: "3_11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_11_2 + - id: aws_nist_800_171_rev_2_3_11_3 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml index a31538b0f..a82555175 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml 
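Review bot: The description keeps the sentence `Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.`, which is a product endorsement copied from elsewhere and refers to NIST 800-53, not the 800-171 framework this group belongs to; it should be cut so the field reads `description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities.` Only 3.11.2 and 3.11.3 are listed as children; 3.11.1 (periodic risk assessment) is a process requirement, so its absence is presumably deliberate, but a comment above `control-group:` saying so would make that explicit.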
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_2.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_171_rev_2_3_11_2 -Title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified -Description: 'Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). 
Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.' -SectionCode: "2" -Children: [] -Controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_11_2 + title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified + description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. 
Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml index 8bdd8706b..395107059 100755 
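Review bot: The `description` on the new side switched from single to double quotes; double-quoted YAML scalars interpret backslash escapes, whereas the single-quoted original did not. The text holds no backslashes today, so parsing is unchanged, but a later edit that pastes a path or regex into it would be silently reinterpreted, and `description: '...'` (doubling any embedded `'`) is the safer form for prose. The neighbouring descriptions in this series are unquoted plain scalars, which is also fine as long as none of them ever contains `: ` or ` #`; one quoting convention across the framework would make that easier to check.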
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_11_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_171_rev_2_3_11_3
-Title: 11.3 Remediate vulnerabilities in accordance with risk assessments
-Description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_11_3
+ title: 11.3 Remediate vulnerabilities in accordance with risk assessments
+ description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
index 535b93d7c..fc234cc3d 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_171_rev_2_3_12
-Title: Assessment, Authorization, and Monitoring
-Description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
-SectionCode: "3_12"
-Children:
- - aws_nist_800_171_rev_2_3_12_1
- - aws_nist_800_171_rev_2_3_12_3
- - aws_nist_800_171_rev_2_3_12_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_12
+ title: Assessment, Authorization, and Monitoring
+ description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
+ section-code: "3_12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_171_rev_2_3_12_1
+ - id: aws_nist_800_171_rev_2_3_12_3
+ - id: aws_nist_800_171_rev_2_3_12_4
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
index 2b299dc11..59ebaf2bd 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_1.yaml
@@ -1,45 +1,50 @@ -ID: aws_nist_800_171_rev_2_3_12_1 -Title: 12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application -Description: Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. 
-SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_12_1 + title: 12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application + description: Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. 
Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled 
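Review bot: The 28-entry `controls` list under 3.12.1 is repeated verbatim in the 3.12.3 and 3.12.4 hunks that follow, and 3.12.4 (develop and update system security plans) is not something CloudTrail, metric-filter and VPC flow-log checks evidence in the way they do for periodic assessment and ongoing monitoring; it is worth confirming that the third mapping is intentional rather than a copy of the first two. If the list is meant to be shared, note that YAML anchors cannot help here because each requirement lives in its own file, so the duplication has to be maintained by whatever generates these files; a one-line comment such as `# controls mirror 3.12.1 — keep in sync` above the list would at least make the coupling visible to the next editor.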
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml index 94a415e12..85b6d978f 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_3.yaml 
@@ -1,45 +1,50 @@ -ID: aws_nist_800_171_rev_2_3_12_3 -Title: 12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls -Description: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. -SectionCode: "3" -Children: [] -Controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - 
aws_securityhub_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_12_3 + title: 12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls + description: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml index e17d3ff57..b1ebdbfa1 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_12_4.yaml 
@@ -1,45 +1,50 @@ -ID: aws_nist_800_171_rev_2_3_12_4 -Title: 12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems -Description: System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. 
-SectionCode: "4" -Children: [] -Controls: - - aws_cloudtrail_bucket_not_public - - aws_cloudtrail_multi_region_read_write_enabled - - aws_cloudtrail_s3_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_cloudwatch_alarm_action_enabled - - aws_config_enabled_all_regions - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_kms_cmk_rotation_enabled - - aws_log_metric_filter_bucket_policy - - aws_log_metric_filter_cloudtrail_configuration - - aws_log_metric_filter_config_configuration - - aws_log_metric_filter_console_authentication_failure - - aws_log_metric_filter_console_login_mfa - - aws_log_metric_filter_disable_or_delete_cmk - - aws_log_metric_filter_iam_policy - - aws_log_metric_filter_network_acl - - aws_log_metric_filter_network_gateway - - aws_log_metric_filter_root_login - - aws_log_metric_filter_route_table - - aws_log_metric_filter_security_group - - aws_log_metric_filter_unauthorized_api - - aws_log_metric_filter_vpc - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_12_4 + title: 12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems + description: System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. 
System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. 
+ section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_bucket_not_public + - aws_cloudtrail_multi_region_read_write_enabled + - aws_cloudtrail_s3_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_cloudwatch_alarm_action_enabled + - aws_config_enabled_all_regions + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_kms_cmk_rotation_enabled + - aws_log_metric_filter_bucket_policy + - aws_log_metric_filter_cloudtrail_configuration + - aws_log_metric_filter_config_configuration + - aws_log_metric_filter_console_authentication_failure + - aws_log_metric_filter_console_login_mfa + - aws_log_metric_filter_disable_or_delete_cmk + - aws_log_metric_filter_iam_policy + - aws_log_metric_filter_network_acl + - aws_log_metric_filter_network_gateway + - aws_log_metric_filter_root_login + - aws_log_metric_filter_route_table + - aws_log_metric_filter_security_group + - aws_log_metric_filter_unauthorized_api + - aws_log_metric_filter_vpc + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml index 35aac0702..118eda4a3 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13.yaml 
@@ -1,28 +1,33 @@
-ID: aws_nist_800_171_rev_2_3_13
-Title: System and Communications Protection
-Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
-SectionCode: "3_13"
-Children:
- - aws_nist_800_171_rev_2_3_13_1
- - aws_nist_800_171_rev_2_3_13_2
- - aws_nist_800_171_rev_2_3_13_3
- - aws_nist_800_171_rev_2_3_13_4
- - aws_nist_800_171_rev_2_3_13_5
- - aws_nist_800_171_rev_2_3_13_6
- - aws_nist_800_171_rev_2_3_13_8
- - aws_nist_800_171_rev_2_3_13_10
- - aws_nist_800_171_rev_2_3_13_11
- - aws_nist_800_171_rev_2_3_13_15
- - aws_nist_800_171_rev_2_3_13_16
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_13
+ title: System and Communications Protection
+ description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+ section-code: "3_13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_171_rev_2_3_13_1
+ - id: aws_nist_800_171_rev_2_3_13_2
+ - id: aws_nist_800_171_rev_2_3_13_3
+ - id: aws_nist_800_171_rev_2_3_13_4
+ - id: aws_nist_800_171_rev_2_3_13_5
+ - id: aws_nist_800_171_rev_2_3_13_6
+ - id: aws_nist_800_171_rev_2_3_13_8
+ - id: aws_nist_800_171_rev_2_3_13_10
+ - id: aws_nist_800_171_rev_2_3_13_11
+ - id: aws_nist_800_171_rev_2_3_13_15
+ - id: aws_nist_800_171_rev_2_3_13_16
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml index 58380518a..4a553cedc 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_1.yaml 
@@ -1,50 +1,55 @@ -ID: aws_nist_800_171_rev_2_3_13_1 -Title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems -Description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. 
-SectionCode: "1" -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_validation_enabled - - aws_ec2_instance_in_vpc - - aws_elb_application_classic_lb_logging_enabled - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_lb_waf_enabled - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_in_vpc - - aws_guardduty_enabled - - aws_lambda_function_in_vpc - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_logging_enabled - - aws_rds_db_instance_prohibit_public_access - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_enhanced_vpc_routing_enabled - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_logging_enabled - - aws_s3_public_access_block_bucket - - aws_securityhub_enabled - - aws_ssm_document_prohibit_public_access - - aws_vpc_flow_logs_enabled - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_1 + title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems + description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. 
Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_validation_enabled + - aws_ec2_instance_in_vpc + - aws_elb_application_classic_lb_logging_enabled + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_lb_waf_enabled + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_in_vpc + - aws_guardduty_enabled + - aws_lambda_function_in_vpc + - aws_opensearch_domain_in_vpc + - aws_rds_db_instance_logging_enabled + - aws_rds_db_instance_prohibit_public_access + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_enhanced_vpc_routing_enabled + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_logging_enabled + - aws_s3_public_access_block_bucket + - aws_securityhub_enabled + - aws_ssm_document_prohibit_public_access + - aws_vpc_flow_logs_enabled + - aws_vpc_route_table_restrict_public_access_to_igw + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml index 419cb4819..b21574770 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml 
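Review bot: The `description:` value on the new side is carried over as one plain scalar that appears to run to well over a thousand characters on a single line, which makes the file hard to diff and review; the 3_13_2, 3_13_4 and 3_13_16 hunks have the same shape. A folded block scalar (`description: >-` followed by wrapped lines) loads to the identical string with readable line lengths. On the mapping itself, `aws_acm_certificate_expires_30_days` is a certificate-lifecycle check rather than a boundary monitoring or protection control as the title describes, so a one-line comment above it stating why it belongs under 13.1 would help the next reviewer of this mapping.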
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_10.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_171_rev_2_3_13_10
-Title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
-Description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_13_10
+ title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
+ description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml
index 32ac342e4..fb44215fd 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_11.yaml 
@@ -1,35 +1,40 @@ -ID: aws_nist_800_171_rev_2_3_13_11 -Title: 13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI -Description: Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. -SectionCode: "11" -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_encrypted_with_kms - - aws_ebs_attached_volume_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_11 + title: 13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI + description: Cryptography can be employed to support many security solutions including the protection 
of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography. + section-code: "11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dynamodb_table_encrypted_with_kms + - aws_ebs_attached_volume_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_es_domain_encryption_at_rest_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_enforces_ssl + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml index c334cee10..3ea729e72 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_15.yaml 
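Review bot: The new `description:` line still carries the typo `FIPSvalidated` (missing hyphen) from the old side; it should read `Cryptographic standards include FIPS-validated cryptography and/or NSA-approved cryptography.` Separately, as far as their names show, the listed controls verify that encryption is turned on (KMS-backed encryption at rest, SSL/TLS listeners and redirects on load balancers, `aws_s3_bucket_enforces_ssl`), not that the cryptographic module in use is FIPS 140 validated, which is what the title requires. A comment above `controls:` such as `# These checks confirm encryption is enabled; FIPS validation of the module itself is not verified here` would keep the evidence this group produces from being overstated.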
@@ -1,22 +1,27 @@ -ID: aws_nist_800_171_rev_2_3_13_15 -Title: 13.15 Protect the authenticity of communications sessions -Description: Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. -SectionCode: "15" -Children: [] -Controls: - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_15 + title: 13.15 Protect the authenticity of communications sessions + description: Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. 
+ section-code: "15" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml index db5229665..bf5545233 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_16.yaml 
@@ -1,35 +1,40 @@ -ID: aws_nist_800_171_rev_2_3_13_16 -Title: 13.16 Protect the confidentiality of CUI at rest -Description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. -SectionCode: "16" -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_encrypted_with_kms - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_es_domain_encryption_at_rest_enabled - - aws_kms_key_not_pending_deletion - - aws_log_group_encryption_at_rest_enabled - - aws_opensearch_domain_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_object_lock_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_16 + title: 13.16 Protect the confidentiality of CUI at rest + description: Information at rest 
refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dynamodb_table_encrypted_with_kms + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_es_domain_encryption_at_rest_enabled + - aws_kms_key_not_pending_deletion + - aws_log_group_encryption_at_rest_enabled + - aws_opensearch_domain_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_object_lock_enabled + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_sns_topic_encrypted_at_rest 
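Review bot: `aws_s3_bucket_object_lock_enabled` and `aws_kms_key_not_pending_deletion` sit under a requirement whose title is confidentiality of CUI at rest, but judging by their names the first enforces object immutability and retention (an integrity and retention property) and the second guards against loss of a key (availability); neither prevents disclosure of stored data. If they are intended as supporting controls, a comment above them giving that rationale would help, otherwise the 13.2 group in this same family, which already collects the backup and deletion-protection checks, looks like the better home. The `description:` value is also one plain scalar of several hundred characters on a single line; `description: >-` with wrapped lines would load to the same string and read better.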
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml index 356b2fee4..b64b94a7a 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_2.yaml 
@@ -1,64 +1,69 @@ -ID: aws_nist_800_171_rev_2_3_13_2 -Title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems -Description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. 
-SectionCode: "2" -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_autoscaling_group_with_lb_use_health_check - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_cloudtrail_security_trail_enabled - - aws_dms_replication_instance_not_publicly_accessible - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_fsx_file_system_protected_by_backup_plan - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_instance_protected_by_backup_plan - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - 
aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_2 + title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems + description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. 
Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_acm_certificate_expires_30_days + - aws_autoscaling_group_with_lb_use_health_check + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_cloudtrail_security_trail_enabled + - aws_dms_replication_instance_not_publicly_accessible + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_snapshot_not_publicly_restorable + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_fsx_file_system_protected_by_backup_plan + - aws_lambda_function_concurrent_execution_limit_configured + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_deletion_protection_enabled + - aws_rds_db_instance_in_backup_plan + - 
aws_rds_db_instance_multiple_az_enabled + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_instance_protected_by_backup_plan + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_default_security_group_restricts_all_traffic + - aws_vpc_security_group_restrict_ingress_common_ports_all + - aws_vpc_security_group_restrict_ingress_ssh_all + - aws_vpc_security_group_restrict_ingress_tcp_udp_all diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml index 6a968f12f..924a9c177 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_3.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_13_3 -Title: 13.3 Separate user functionality from system management functionality -Description: System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. -SectionCode: "3" -Children: [] -Controls: - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_13_3 + title: 13.3 Separate user functionality from system management functionality + description: System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. 
Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_group_not_empty + - aws_iam_policy_no_star_star diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml index cc0a02c4a..882de9305 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_4.yaml 
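Review bot: The requirement is separation of user functionality from system-management functionality, but `aws_iam_group_not_empty` only reports groups with no members and says nothing about separating administrative access from user access, and `aws_iam_policy_no_star_star` bounds privilege without separating it either. Unless the catalog has no closer fit, a one-line comment above `controls:` acknowledging that these are proxies (for example `# No direct check for separately authenticated admin interfaces; these two only constrain IAM privilege`) would stop the group from reading as full coverage of 13.3.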
@@ -1,18 +1,23 @@
-ID: aws_nist_800_171_rev_2_3_13_4
-Title: 13.4 Prevent unauthorized and unintended information transfer via shared system resources
-Description: The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
-SectionCode: "4"
-Children: []
-Controls:
-  - aws_ebs_volume_unused
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_13_4
+  title: 13.4 Prevent unauthorized and unintended information transfer via shared system resources
+  description: The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_ebs_volume_unused
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
index 3b88816ad..cc7f9ed10 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_5.yaml
@@ -1,47 +1,52 @@
-ID: aws_nist_800_171_rev_2_3_13_5
-Title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
-Description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
-SectionCode: "5"
-Children: []
-Controls:
-  - aws_dms_replication_instance_not_publicly_accessible
-  - aws_ebs_snapshot_not_publicly_restorable
-  - aws_ec2_instance_in_vpc
-  - aws_ec2_instance_not_publicly_accessible
-  - aws_elb_application_lb_drop_http_headers
-  - aws_elb_application_lb_redirect_http_request_to_https
-  - aws_elb_application_lb_waf_enabled
-  - aws_elb_classic_lb_use_ssl_certificate
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_emr_cluster_master_nodes_no_public_ip
-  - aws_es_domain_in_vpc
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_lambda_function_in_vpc
-  - aws_lambda_function_restrict_public_access
-  - aws_rds_db_instance_prohibit_public_access
-  - aws_rds_db_snapshot_prohibit_public_access
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_enforces_ssl
-  - aws_s3_bucket_policy_restrict_public_access
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_s3_public_access_block_account
-  - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-  - aws_vpc_default_security_group_restricts_all_traffic
-  - aws_vpc_igw_attached_to_authorized_vpc
-  - aws_vpc_security_group_restrict_ingress_common_ports_all
-  - aws_vpc_security_group_restrict_ingress_ssh_all
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-  - aws_wafv2_web_acl_logging_enabled
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_13_5
+  title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
+  description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_dms_replication_instance_not_publicly_accessible
+    - aws_ebs_snapshot_not_publicly_restorable
+    - aws_ec2_instance_in_vpc
+    - aws_ec2_instance_not_publicly_accessible
+    - aws_elb_application_lb_drop_http_headers
+    - aws_elb_application_lb_redirect_http_request_to_https
+    - aws_elb_application_lb_waf_enabled
+    - aws_elb_classic_lb_use_ssl_certificate
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_emr_cluster_master_nodes_no_public_ip
+    - aws_es_domain_in_vpc
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_lambda_function_in_vpc
+    - aws_lambda_function_restrict_public_access
+    - aws_rds_db_instance_prohibit_public_access
+    - aws_rds_db_snapshot_prohibit_public_access
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_enforces_ssl
+    - aws_s3_bucket_policy_restrict_public_access
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_s3_public_access_block_account
+    - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+    - aws_vpc_default_security_group_restricts_all_traffic
+    - aws_vpc_igw_attached_to_authorized_vpc
+    - aws_vpc_security_group_restrict_ingress_common_ports_all
+    - aws_vpc_security_group_restrict_ingress_ssh_all
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+    - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
index 95cf9d7d6..408d2d593 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_6.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_171_rev_2_3_13_6
-Title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
-Description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
-SectionCode: "6"
-Children: []
-Controls:
-  - aws_vpc_security_group_restrict_ingress_common_ports_all
-  - aws_vpc_security_group_restrict_ingress_ssh_all
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_13_6
+  title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
+  description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
+  section-code: "6"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_vpc_security_group_restrict_ingress_common_ports_all
+    - aws_vpc_security_group_restrict_ingress_ssh_all
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
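Review bot: The three controls mapped to 13.6 are all `restrict_ingress_*` checks, while the description states that the deny-all, permit-by-exception policy applies to inbound and outbound traffic, so the egress half of the requirement has no evidence behind it. `aws_vpc_default_security_group_restricts_all_traffic`, already mapped to 13.5 in this diff, covers both directions on default security groups and would be a reasonable addition to this `controls:` list. The mapping itself is unchanged by the commit, so this is a pre-existing gap rather than a regression.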
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
index 0d0ad5242..6efaa8305 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_13_8.yaml
@@ -1,27 +1,32 @@
-ID: aws_nist_800_171_rev_2_3_13_8
-Title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
-Description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
-SectionCode: "8"
-Children: []
-Controls:
-  - aws_acm_certificate_expires_30_days
-  - aws_apigateway_rest_api_stage_use_ssl_certificate
-  - aws_elb_application_lb_drop_http_headers
-  - aws_elb_application_lb_redirect_http_request_to_https
-  - aws_elb_classic_lb_use_ssl_certificate
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_opensearch_domain_node_to_node_encryption_enabled
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_s3_bucket_enforces_ssl
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_13_8
+  title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
+  description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
+  section-code: "8"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_acm_certificate_expires_30_days
+    - aws_apigateway_rest_api_stage_use_ssl_certificate
+    - aws_elb_application_lb_drop_http_headers
+    - aws_elb_application_lb_redirect_http_request_to_https
+    - aws_elb_classic_lb_use_ssl_certificate
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_opensearch_domain_node_to_node_encryption_enabled
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
index a417e0a79..0ace68a3e 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_171_rev_2_3_14
-Title: System and Information integrity
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: "3_14"
-Children:
-  - aws_nist_800_171_rev_2_3_14_1
-  - aws_nist_800_171_rev_2_3_14_2
-  - aws_nist_800_171_rev_2_3_14_3
-  - aws_nist_800_171_rev_2_3_14_4
-  - aws_nist_800_171_rev_2_3_14_6
-  - aws_nist_800_171_rev_2_3_14_7
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_14
+  title: System and Information integrity
+  description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+  section-code: "3_14"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_171_rev_2_3_14_1
+    - id: aws_nist_800_171_rev_2_3_14_2
+    - id: aws_nist_800_171_rev_2_3_14_3
+    - id: aws_nist_800_171_rev_2_3_14_4
+    - id: aws_nist_800_171_rev_2_3_14_6
+    - id: aws_nist_800_171_rev_2_3_14_7
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
index 86b50830b..f7bedc1aa 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_1.yaml
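Review bot: The nested `control-group:` list for 3.14 runs 1, 2, 3, 4, 6, 7, so 3.14.5 is skipped without any explanation in the file. The same gap existed on the old `Children:` side, so it is presumably deliberate, but a line comment next to the list such as `# 3.14.5 intentionally omitted: no mapped control` would stop the next reader from treating the gap as a dropped child file, and would also make any later reviewer aware that the family is not fully covered.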
@@ -1,19 +1,24 @@
-ID: aws_nist_800_171_rev_2_3_14_1
-Title: 14.1 Identify, report, and correct system flaws in a timely manner
-Description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
-SectionCode: "1"
-Children: []
-Controls:
-  - aws_guardduty_enabled
-  - aws_securityhub_enabled
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_14_1
+  title: 14.1 Identify, report, and correct system flaws in a timely manner
+  description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_guardduty_enabled
+    - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
index 34f3b0aa0..0d7b64b77 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_2.yaml
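Review bot: 14.1 is about identifying, reporting and correcting flaws, but the two controls under `controls:` (`aws_guardduty_enabled`, `aws_securityhub_enabled`) only evidence that detection services are switched on, not that anything found is remediated within an organization-defined period. `aws_ssm_managed_instance_compliance_patch_compliant`, which this diff maps to 14.2 and 14.3, is the control that speaks to the "correct" half for SSM-managed instances and is worth adding here. The 14.4 hunk later in this diff ("Update malicious code protection mechanisms when new releases are available") has the same shape, with `aws_guardduty_enabled` as its only control, and the same addition applies there.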
@@ -1,23 +1,28 @@
-ID: aws_nist_800_171_rev_2_3_14_2
-Title: 14.2 Provide protection from malicious code at designated locations within organizational systems
-Description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
-SectionCode: "2"
-Children: []
-Controls:
-  - aws_ec2_instance_ssm_managed
-  - aws_elb_application_lb_waf_enabled
-  - aws_guardduty_enabled
-  - aws_securityhub_enabled
-  - aws_ssm_managed_instance_compliance_association_compliant
-  - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_14_2
+  title: 14.2 Provide protection from malicious code at designated locations within organizational systems
+  description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_ec2_instance_ssm_managed
+    - aws_elb_application_lb_waf_enabled
+    - aws_guardduty_enabled
+    - aws_securityhub_enabled
+    - aws_ssm_managed_instance_compliance_association_compliant
+    - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
index aa98bf3ad..041c4b69f 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_3.yaml
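Review bot: The 14.2 `description:` carries two lost hyphens, `remoteaccess servers` and `reputationbased technologies`, which look like artefacts of extracting the source text; `remote-access` and `reputation-based` are the readable forms and the commit, which already rewrites this line, is the natural place to fix them. `reputationbased` recurs in the 14.4 description later in this diff, which is copied from the same passage.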
@@ -1,21 +1,26 @@
-ID: aws_nist_800_171_rev_2_3_14_3
-Title: 14.3 Monitor system security alerts and advisories and take action in response
-Description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
-SectionCode: "3"
-Children: []
-Controls:
-  - aws_guardduty_enabled
-  - aws_redshift_cluster_maintenance_settings_check
-  - aws_securityhub_enabled
-  - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_14_3
+  title: 14.3 Monitor system security alerts and advisories and take action in response
+  description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_guardduty_enabled
+    - aws_redshift_cluster_maintenance_settings_check
+    - aws_securityhub_enabled
+    - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
index 798e33b1c..5c1cd9029 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_171_rev_2_3_14_4
-Title: 14.4 Update malicious code protection mechanisms when new releases are available
-Description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
-SectionCode: "4"
-Children: []
-Controls:
-  - aws_guardduty_enabled
-Tags:
-  category:
-    - Compliance
-  nist_800_171_rev_2:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_171_rev_2_3_14_4
+  title: 14.4 Update malicious code protection mechanisms when new releases are available
+  description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_171_rev_2:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
index 90cd1f7b5..8084553f5 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_6.yaml
@@ -1,31 +1,36 @@
-ID: aws_nist_800_171_rev_2_3_14_6
-Title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
-Description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_apigateway_stage_use_waf_web_acl
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_14_6
+ title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
+ description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_elb_application_lb_waf_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
index dca26208b..05e583b2f 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_14_7.yaml
@@ -1,30 +1,35 @@
-ID: aws_nist_800_171_rev_2_3_14_7
-Title: 14.7 Identify unauthorized use of organizational systems
-Description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_14_7
+ title: 14.7 Identify unauthorized use of organizational systems
+ description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
index a18346bd4..f8db9a27d 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_1.yaml
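Review bot: The `controls:` list for 3.14.7 and the one for 3.14.6 in the previous hunk are the same set of logging/detection checks except that this hunk carries `aws_es_domain_logs_to_cloudwatch` while 3.14.6 carries `aws_apigateway_stage_use_waf_web_acl` and `aws_elb_application_lb_waf_enabled` instead. Both requirements are about monitoring system traffic, so if the omission of `aws_es_domain_logs_to_cloudwatch` from 3.14.6 is not deliberate, that file should list it as well; if it is deliberate, a short comment above the list saying why would stop the next maintainer from "fixing" it. The difference is inherited from the old files, so this is a follow-up rather than a regression in the commit.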
@@ -1,52 +1,57 @@
-ID: aws_nist_800_171_rev_2_3_1_1
-Title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
-Description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_1
+ title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
+ description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
index 06a9a5798..1c2de843d 100755
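Review bot: The carried-over `description:` for 3.1.1 still reads `(e.g., privileged verses non-privileged)`; the source requirement text says `versus`, so `(e.g., privileged versus non-privileged)` is the intended wording. Since the commit rewrites every line of this file anyway, this is the natural moment to correct it rather than carry the typo into the new format.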
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_12.yaml
@@ -1,30 +1,35 @@
-ID: aws_nist_800_171_rev_2_3_1_12
-Title: 1.12 Monitor and control remote access sessions
-Description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
-SectionCode: "12"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_12
+ title: 1.12 Monitor and control remote access sessions
+ description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
index 50c7a397d..1b5333847 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_13.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_171_rev_2_3_1_13
-Title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
-Description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
-SectionCode: "13"
-Children: []
-Controls:
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_13
+ title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
+ description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
index 0cd47d41a..176c2d31d 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_14.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_171_rev_2_3_1_14
-Title: 1.14 Route remote access via managed access control points
-Description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
-SectionCode: "14"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_user_console_access_mfa_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_14
+ title: 1.14 Route remote access via managed access control points
+ description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.
+ section-code: "14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
index 8683982ae..b4d6b1062 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_2.yaml
@@ -1,59 +1,64 @@
-ID: aws_nist_800_171_rev_2_3_1_2
-Title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
-Description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
-SectionCode: "2"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_2
+ title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute
+ description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
index d7b778dfd..bf07c3824 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_20.yaml
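Review bot: The carried-over `description:` for 3.1.2 keeps several extraction artefacts from the old text: `point-oforigin` should read `point-of-origin`, `(e.g., system upgrades scheduled maintenance,)` should read `(e.g., system upgrades, scheduled maintenance)`, and `business requirements, (e.g., ...)` has a stray comma before the parenthesis. Since the commit rewrites every line of this file, it is the right moment to correct them so the new-format file does not inherit them.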
@@ -1,24 +1,29 @@ -ID: aws_nist_800_171_rev_2_3_1_20 -Title: 1.20 Verify and control/limit connections to and use of external systems -Description: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. 
Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system. -SectionCode: "20" -Children: [] -Controls: - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_public_access_block_account - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1_20 + title: 1.20 Verify and control/limit connections to and use of external systems + description: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. 
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system. 
+ section-code: "20"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_public_access_block_account
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
index 327f0e620..97b6911f1 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_3.yaml
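Review bot: `auto-assign: null` under `metadata.defaults` is the only tri-state value in a block whose siblings `enabled: false` and `tracks-drift-events: false` are explicit booleans, and nothing in the hunk says what null means to the loader. A consumer that tests the value with a plain falsy check cannot distinguish "inherit the framework-level setting" from "never auto-assign", so the intent should either be written down or the value made an explicit boolean. I would add `# null = no explicit default; inherit the framework-level setting (confirm against the loader)` above the key, or write `auto-assign: false` if inheritance is not intended. The same block appears unchanged in the 3_1_3, 3_1_4, 3_1_5, 3_1_6, 3_1_7 and 3_3 hunks below.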
@@ -1,40 +1,45 @@ -ID: aws_nist_800_171_rev_2_3_1_3 -Title: 1.3 Control the flow of CUI in accordance with approved authorizations -Description: 'Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. 
In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.' -SectionCode: "3" -Children: [] -Controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_opensearch_domain_in_vpc - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_route_table_restrict_public_access_to_igw - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1_3 + title: 1.3 Control the flow of CUI in accordance with approved authorizations + description: "Information flow control regulates where information can travel 
within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
index cff0e810d..1dc0c9b93 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_4.yaml
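Review bot: The new `description:` is a single double-quoted scalar well over a thousand characters long, switched from single quotes on the old side; double quotes make backslash escapes active, and while this text contains none, a later edit that introduces one would silently alter the stored text. A folded block scalar (`description: >-` followed by the text wrapped at a sane width) keeps the `include the following: keeping` colon safe without any quoting and makes the value readable in diffs. The text also carries `exportcontrolled` and `packetfiltering`, which look like hyphens lost when the requirement was copied from its source (presumably `export-controlled` and `packet-filtering`); worth restoring while the line is being rewritten. The other long single-line descriptions rewritten in this patch (3_1_20, 3_1_4, 3_1_5, 3_1_7) would benefit from the same block-scalar form.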
@@ -1,34 +1,39 @@ -ID: aws_nist_800_171_rev_2_3_1_4 -Title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion -Description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. -SectionCode: "4" -Children: [] -Controls: - - aws_ec2_instance_iam_profile_attached - - aws_ecs_task_definition_user_for_host_mode_check - - aws_emr_cluster_kerberos_enabled - - aws_iam_all_policy_no_service_wild_card - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_policy_restrict_public_access -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1_4 + title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion + 
description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_rds_db_cluster_iam_authentication_enabled
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml
index 3641c4c40..98e1fe33b 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_5.yaml
@@ -1,32 +1,37 @@ -ID: aws_nist_800_171_rev_2_3_1_5 -Title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts -Description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. 
-SectionCode: "5" -Children: [] -Controls: - - aws_ec2_instance_iam_profile_attached - - aws_emr_cluster_kerberos_enabled - - aws_iam_group_not_empty - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions - - aws_iam_policy_no_star_star - - aws_iam_policy_unused - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_rds_db_cluster_iam_authentication_enabled - - aws_rds_db_instance_iam_authentication_enabled - - aws_s3_bucket_policy_restrict_public_access -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1_5 + title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts + description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. 
Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_custom_no_blocked_kms_actions
+ - aws_iam_policy_inline_no_blocked_kms_actions
+ - aws_iam_policy_no_star_star
+ - aws_iam_policy_unused
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_rds_db_cluster_iam_authentication_enabled
+ - aws_rds_db_instance_iam_authentication_enabled
+ - aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
index adb505741..fa6a454d9 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_6.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_171_rev_2_3_1_6
-Title: 1.6 Use non-privileged accounts or roles when accessing nonsecurity functions
-Description: This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_1_6
+ title: 1.6 Use non-privileged accounts or roles when accessing nonsecurity functions
+ description: This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
index 8b246f469..01623c27a 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_1_7.yaml
@@ -1,23 +1,28 @@ -ID: aws_nist_800_171_rev_2_3_1_7 -Title: 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs -Description: Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat. -SectionCode: "7" -Children: [] -Controls: - - aws_emr_cluster_kerberos_enabled - - aws_iam_group_not_empty - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_in_group - - aws_s3_bucket_policy_restrict_public_access -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_1_7 + title: 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs + description: Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. 
Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_s3_bucket_policy_restrict_public_access
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
index a7fba4f4a..ae96514bf 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3.yaml
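Review bot: The title of this group says privileged-function execution must be captured in audit logs, but the `controls:` list maps only IAM structure and access-key checks (`aws_emr_cluster_kerberos_enabled` through `aws_s3_bucket_policy_restrict_public_access`) and nothing that verifies logging is enabled, so the "capture the execution of such functions" half of 3.1.7 is left unassessed. The gap is inherited from the old side rather than introduced here, but the migration is the point at which the mapping is being re-declared. If the control library has a CloudTrail or audit-logging-enabled check it belongs in this list; if none exists, a comment such as `# audit-log coverage for 3.1.7 not yet mapped` would stop the omission from reading as intentional.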
@@ -1,23 +1,28 @@
-ID: aws_nist_800_171_rev_2_3_3
-Title: Audit and Accountability
-Description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
-SectionCode: "3_3"
-Children:
- - aws_nist_800_171_rev_2_3_3_1
- - aws_nist_800_171_rev_2_3_3_2
- - aws_nist_800_171_rev_2_3_3_3
- - aws_nist_800_171_rev_2_3_3_4
- - aws_nist_800_171_rev_2_3_3_5
- - aws_nist_800_171_rev_2_3_3_8
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_171_rev_2:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_171_rev_2_3_3
+ title: Audit and Accountability
+ description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+ section-code: "3_3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_171_rev_2_3_3_1
+ - id: aws_nist_800_171_rev_2_3_3_2
+ - id: aws_nist_800_171_rev_2_3_3_3
+ - id: aws_nist_800_171_rev_2_3_3_4
+ - id: aws_nist_800_171_rev_2_3_3_5
+ - id: aws_nist_800_171_rev_2_3_3_8
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
index ba18a25e1..7634ab74d 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_1.yaml
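Review bot: `section-code: "3_3"` on this family node follows a different convention from the leaf nodes rewritten in the same patch, which carry only the last segment of their id (`section-code: "20"`, `"3"`, `"4"`, `"5"`, `"6"`, `"7"`). If the field is meant to be the leaf segment this should read `section-code: "3"`; if it is meant to be the path below the framework prefix, the leaves should become `"3_1_20"` and so on. Whichever is intended, stating the rule once, e.g. `# section-code: id segment after the framework prefix — confirm with the loader` above the key, would stop the next family file from introducing a third form. The nested `control-group:` here is a list of `- id:` references while the top-level `control-group:` is a mapping; reusing one key for two shapes deserves a comment as well.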
@@ -1,31 +1,36 @@ -ID: aws_nist_800_171_rev_2_3_3_1 -Title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity -Description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. 
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
-SectionCode: "1" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_1 + title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity + description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. 
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_log_group_retention_period_365 + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml index 2c8de69dd..47539cbe1 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_2.yaml 
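Review bot: `tracks-drift-events: false` is set on the Audit and Accountability group whose controls are all about producing logs (CloudTrail trails and S3 data events, VPC flow logs, GuardDuty, WAF and ELB logging); if the key means what its name suggests, a later change that switches one of these off will not raise a drift event, and that is exactly the change a defender wants surfaced for audit-logging controls. I am reading the semantics of the key from its name only, so if these defaults are meant to be overridden at assignment time rather than set in the catalogue, a one-line comment above `defaults:` such as `# catalogue defaults; assignment-time settings override these` would stop the next reader from raising the same concern.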
@@ -1,26 +1,31 @@ -ID: aws_nist_800_171_rev_2_3_3_2 -Title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions -Description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). -SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_guardduty_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_2 + title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions + description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. 
Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_guardduty_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml index d20699b5c..9db290cae 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_3.yaml 
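Review bot: The control list for 3.3.2 (actions uniquely traceable to individual users) contains only log-production controls (API Gateway, CloudTrail, RDS, Redshift and S3 logging, GuardDuty); none of them addresses what actually breaks attribution, which is shared or root identities. The catalogue already maps `aws_iam_root_user_no_access_keys` and `aws_iam_user_in_group` in another group earlier in this diff, so it is worth deciding whether the identity side of this requirement belongs here too or is intentionally left to the 3.1 family; a short comment above `controls:` recording that decision would keep the question from resurfacing on the next review.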
@@ -1,27 +1,32 @@ -ID: aws_nist_800_171_rev_2_3_3_3 -Title: 3.3 Review and update logged events -Description: The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. -SectionCode: "3" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_3 + title: 3.3 Review and update logged events + description: The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml index 1977076e0..147fd74a8 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_4.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_3_4 -Title: 3.4 Alert in the event of an audit logging process failure -Description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. -SectionCode: "4" -Children: [] -Controls: - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_4 + title: 3.4 Alert in the event of an audit logging process failure + description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml index 16322631e..c2ad7c91b 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml 
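Review bot: For 3.3.4 (alert on audit logging process failure) the two controls listed, `aws_guardduty_enabled` and `aws_securityhub_enabled`, only check that detection services are switched on; neither observes whether the audit pipeline itself (trail delivery, log ingestion, storage capacity) has stopped, which is what the requirement text in the same hunk describes. If the catalogue has a control for CloudTrail delivery or CloudWatch alarm coverage it belongs here; if it does not, a comment under `controls:` such as `# no catalogue control covers log-delivery failure yet; GuardDuty/Security Hub are the closest proxies` makes the gap explicit to assessors instead of implying coverage.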
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_5.yaml @@ -1,20 +1,25 @@ -ID: aws_nist_800_171_rev_2_3_3_5 -Title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity -Description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems. -SectionCode: "5" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_5 + title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity + description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_guardduty_enabled + - aws_securityhub_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml index 9f0ee9b90..3c0684e89 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_3_8.yaml 
@@ -1,27 +1,32 @@ -ID: aws_nist_800_171_rev_2_3_3_8 -Title: 3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion -Description: Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. -SectionCode: "8" -Children: [] -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_cloudtrail_trail_validation_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_object_lock_enabled - - aws_s3_bucket_policy_restrict_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_bucket_versioning_enabled - - aws_s3_public_access_block_account -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_3_8 + title: 3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion + description: Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. 
Physical protection of audit information is addressed by media protection and physical and environmental protection requirements. + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_cloudtrail_trail_validation_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_object_lock_enabled + - aws_s3_bucket_policy_restrict_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_bucket_versioning_enabled + - aws_s3_public_access_block_account diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml index 3defcddfb..83c40f6c9 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4.yaml 
@@ -1,25 +1,30 @@ -ID: aws_nist_800_171_rev_2_3_4 -Title: Configuration Management -Description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. -SectionCode: "3_4" -Children: - - aws_nist_800_171_rev_2_3_4_1 - - aws_nist_800_171_rev_2_3_4_2 - - aws_nist_800_171_rev_2_3_4_3 - - aws_nist_800_171_rev_2_3_4_4 - - aws_nist_800_171_rev_2_3_4_5 - - aws_nist_800_171_rev_2_3_4_6 - - aws_nist_800_171_rev_2_3_4_7 - - aws_nist_800_171_rev_2_3_4_9 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4 + title: Configuration Management + description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. + section-code: "3_4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_4_1 + - id: aws_nist_800_171_rev_2_3_4_2 + - id: aws_nist_800_171_rev_2_3_4_3 + - id: aws_nist_800_171_rev_2_3_4_4 + - id: aws_nist_800_171_rev_2_3_4_5 + - id: aws_nist_800_171_rev_2_3_4_6 + - id: aws_nist_800_171_rev_2_3_4_7 + - id: aws_nist_800_171_rev_2_3_4_9 
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml index 351db4460..bdfc9b635 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_1.yaml 
@@ -1,26 +1,31 @@ -ID: aws_nist_800_171_rev_2_3_4_1 -Title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles -Description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. 
Inventory specifications include manufacturer, device type, model, serial number, and physical location. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_security_trail_enabled - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated - - aws_vpc_security_group_associated_to_eni - - aws_vpc_security_group_restrict_ingress_common_ports_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_1 + title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles + description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. 
Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_security_trail_enabled + - aws_ebs_volume_unused + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_eip_associated + - aws_vpc_security_group_associated_to_eni + - aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml index be84beb6b..1e2e51190 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_2.yaml 
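Review bot: The description for 4.1 still runs two sentences together — `...deviations from the established baseline configuration Organizations can implement centralized...` — which reads as a broken sentence in any rendered report; inserting the full stop (`...established baseline configuration. Organizations can implement...`) is a one-character fix the migration could have carried along. The value also appears to span two physical lines as a plain multi-line scalar (the diff shows the wrap point moving between the old and new side); a folded block scalar (`description: >-`) makes that wrapping deliberate and survives reformatting, and the same applies to the long descriptions in the 3_3_1 and 3_4_2 hunks.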
@@ -1,23 +1,28 @@ -ID: aws_nist_800_171_rev_2_3_4_2 -Title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems -Description: 'Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.' -SectionCode: "2" -Children: [] -Controls: - - aws_config_enabled_all_regions - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_associated_to_eni -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_2 + title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems + description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. 
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_config_enabled_all_regions + - aws_ebs_volume_unused + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_associated_to_eni diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml index f5d0385da..62de08ff1 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_3.yaml 
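Review bot: The description for 4.2 moved from single quotes to double quotes, but nothing in the text needs escape processing; double quotes make any future backslash in this paragraph (a path in a hardening example, say) an escape sequence, so single quotes — or a `description: >-` block, which needs no quoting at all despite the embedded `: ` — are the safer form. As far as the diff shows the content itself is unchanged apart from the re-wrap, so this is a style point only.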
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_4_3 -Title: 4.3 Track, review, approve or disapprove, and log changes to organizational systems -Description: Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. -SectionCode: "3" -Children: [] -Controls: - - aws_config_enabled_all_regions -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_3 + title: 4.3 Track, review, approve or disapprove, and log changes to organizational systems + description: Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. 
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml
index bdcb092e9..8808b8679 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_4.yaml
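Review bot: `auto-assign: null` in the new `defaults` block is a different type from its siblings `enabled: false` and `tracks-drift-events: false`, and nothing in the hunk says whether null means "inherit from the parent framework" or simply "off". If the loader treats a missing or null value as false, `auto-assign: false` makes the three defaults read the same way; if null is a deliberate inherit marker, a comment such as `# null = inherit auto-assign from the parent framework` above the key would keep the next editor from "fixing" it. The same pattern repeats in every control-group file in this change, so whichever reading is right should be applied uniformly.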
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_4_4 -Title: 4.4 Analyze the security impact of changes prior to implementation -Description: Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. -SectionCode: "4" -Children: [] -Controls: - - aws_config_enabled_all_regions -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_4 + title: 4.4 Analyze the security impact of changes prior to implementation + description: Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. 
Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml
index 555f429d5..2e3c93f61 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_5.yaml
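Review bot: The only control under 3.4.4, `aws_config_enabled_all_regions`, shows that a configuration recorder exists, not that a security impact analysis was performed before a change; the requirement is a process one, and a passing check here would read as full compliance. A one-line comment above `controls:` such as `# Partial evidence only: Config history supports after-the-fact review; pre-change impact analysis is a manual/process control` would make the gap explicit to whoever reads a report. If the platform has a way to mark a group as manual or attestation-based, that fits this requirement better than an automated pass.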
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_4_5 -Title: 4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems -Description: Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. -SectionCode: "5" -Children: [] -Controls: - - aws_config_enabled_all_regions -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_5 + title: 4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems + description: Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_config_enabled_all_regions diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml index ed40faacf..3ed133b84 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml 
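Review bot: 3.4.5 is about who may initiate changes (logical and physical access restrictions), and `aws_config_enabled_all_regions` says nothing about that; it only records changes after they happen. The IAM least-privilege checks this same diff already uses under 3.4.6 (`aws_iam_policy_no_star_star`, `aws_iam_group_user_role_no_inline_policies`, `aws_iam_user_no_inline_attached_policies`) are closer to the requirement and could be added to this group's `controls:` list. Whether the catalog also has a check restricting who can modify IAM policies or the Config recorder itself is not visible here; if it does, it belongs in this group too.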
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_6.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_171_rev_2_3_4_6 -Title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities -Description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. 
-SectionCode: "6" -Children: [] -Controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ebs_volume_unused - - aws_ec2_instance_ssm_managed - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_common_ports_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_6 + title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities + description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. 
Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_no_inline_attached_policies
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml
index 66d4d23d0..c546a0cab 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_7.yaml
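Review bot: The `description:` under 3.4.6 is one plain scalar of roughly a thousand characters on a single line, which is why the viewer wraps it mid-sentence and why any future wording change will show as a rewrite of the whole line. A folded block (`description: >-` followed by the sentences indented on their own lines) keeps the parsed value identical, stays under a sane line length, and makes edits reviewable. The same applies to the other long descriptions in this change, but this one is the longest.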
@@ -1,21 +1,26 @@ -ID: aws_nist_800_171_rev_2_3_4_7 -Title: 4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services -Description: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. -SectionCode: "7" -Children: [] -Controls: - - aws_vpc_default_security_group_restricts_all_traffic - - aws_vpc_security_group_restrict_ingress_common_ports_all - - aws_vpc_security_group_restrict_ingress_ssh_all - - aws_vpc_security_group_restrict_ingress_tcp_udp_all -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_7 + title: 4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services + description: Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling. 
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml
index 37fc62f85..bd1624d6c 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_4_9.yaml
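Review bot: The description calls out FTP and peer-to-peer as protocols to restrict, but the four security-group controls under 3.4.7 are named for SSH, "common ports", "all tcp/udp" and the default group; whether `aws_vpc_security_group_restrict_ingress_common_ports_all` actually includes FTP (21) and the usual file-sharing ports is not visible from this file. Worth confirming against that control's definition and, if it does not, adding a comment stating what the group does and does not cover. All four checks are ingress-only as named, so outbound use of nonessential protocols would still be unevaluated; a comment like `# Ingress-only coverage; egress restrictions are not evaluated` would set expectations.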
@@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_4_9 -Title: 4.9 Control and monitor user-installed software -Description: Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both. -SectionCode: "9" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_4_9 + title: 4.9 Control and monitor user-installed software + description: Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. 
Policy enforcement methods include procedural methods, automated methods, or both.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml
index b9863b486..69dff52b5 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5.yaml
@@ -1,26 +1,31 @@ -ID: aws_nist_800_171_rev_2_3_5 -Title: Identification and Authentication -Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. -SectionCode: "3_5" -Children: - - aws_nist_800_171_rev_2_3_5_1 - - aws_nist_800_171_rev_2_3_5_2 - - aws_nist_800_171_rev_2_3_5_3 - - aws_nist_800_171_rev_2_3_5_4 - - aws_nist_800_171_rev_2_3_5_5 - - aws_nist_800_171_rev_2_3_5_6 - - aws_nist_800_171_rev_2_3_5_7 - - aws_nist_800_171_rev_2_3_5_8 - - aws_nist_800_171_rev_2_3_5_9 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5 + title: Identification and Authentication + description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. + section-code: "3_5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_5_1 + - id: aws_nist_800_171_rev_2_3_5_2 + - id: aws_nist_800_171_rev_2_3_5_3 + - id: aws_nist_800_171_rev_2_3_5_4 + - id: aws_nist_800_171_rev_2_3_5_5 + - id: aws_nist_800_171_rev_2_3_5_6 + - id: aws_nist_800_171_rev_2_3_5_7 + - id: aws_nist_800_171_rev_2_3_5_8 + - id: aws_nist_800_171_rev_2_3_5_9 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml index 7341c4391..782f116f5 100755 
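Review bot: The parent group for 3.5 lists children 3.5.1 through 3.5.9 only, while NIST SP 800-171 Rev 2 has eleven identification-and-authentication requirements (3.5.10, storing and transmitting only cryptographically protected passwords, and 3.5.11, obscuring authentication feedback). If the catalog has no AWS checks for those two, an entry with an empty `controls: []` still makes the gap visible in coverage reports instead of silently dropping the requirements. Separately, the parent is `enabled: false` and its children in this diff also default to `enabled: false`; if enabling the parent does not cascade to the children, a comment on `metadata.defaults` saying so would help, since a reader expects a framework to evaluate something once it is switched on.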
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_1.yaml
@@ -1,21 +1,26 @@ -ID: aws_nist_800_171_rev_2_3_5_1 -Title: 5.1 Identify system users, processes acting on behalf of users, and devices -Description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_1 + title: 5.1 Identify system users, processes acting on behalf of users, and devices + description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. 
Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml
index 948344307..b5a59ff7f 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_2.yaml
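Review bot: The four controls under 3.5.1 are all MFA-device checks, which evidence authentication, whereas the requirement and the description in this hunk are about assigning unique identifiers to users, processes and devices. The identical four checks appear again under 3.5.3 and 3.5.4 in this same change, so this group adds no distinct evidence and a report would count the same MFA finding three times. If no identifier-uniqueness check exists in the catalog, a comment above `controls:` such as `# Indirect mapping: MFA checks stand in for identification; no IAM identifier-uniqueness check available` is more honest than an unqualified list.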
@@ -1,20 +1,25 @@ -ID: aws_nist_800_171_rev_2_3_5_2 -Title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems -Description: 'Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.' -SectionCode: "2" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_2 + title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems + description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. 
Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml
index 13e241261..31974fc4e 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_3.yaml
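Review bot: 3.5.2 omits `aws_iam_root_user_mfa_enabled` and `aws_iam_root_user_hardware_mfa_enabled`, although both are already used by the neighbouring groups 3.5.1, 3.5.3 and 3.5.4 in this change, and the root user is the one identity for which "authenticate as a prerequisite to access" matters most. Adding `- aws_iam_root_user_mfa_enabled` to this `controls:` list would make the group consistent with its siblings. The switch from single to double quotes around the description is harmless here since the text contains neither backslashes nor double quotes.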
@@ -1,21 +1,26 @@ -ID: aws_nist_800_171_rev_2_3_5_3 -Title: 5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts -Description: Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. 
-SectionCode: "3" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_3 + title: 5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts + description: Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. 
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_171_rev_2:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml
index 88c2c8adc..ddb714ebe 100755
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_4.yaml
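Review bot: The MFA checks listed under 3.5.3 verify that an MFA device is registered for the root user and for IAM users, not that MFA is required on every access; in AWS an IAM user with long-term access keys can still call the API without a second factor unless an IAM policy or SCP condition on `aws:MultiFactorAuthPresent` denies it. The requirement text in this hunk covers network access to both privileged and non-privileged accounts, so a comment above `controls:` stating that the checks cover device enrolment only, not enforcement on programmatic access, would keep the evidence from being over-read. If the catalog has a check for MFA-conditioned policies, it belongs in this group.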
@@ -1,21 +1,26 @@ -ID: aws_nist_800_171_rev_2_3_5_4 -Title: 5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts -Description: Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. -SectionCode: "4" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_4 + title: 5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts + description: Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or challenge-response one-time authenticators. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml index 93217e8b0..9b1ff85d8 100755 
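Review bot: `auto-assign: null` under `metadata.defaults` is the one value in this record that differs from the framework-level defaults (`auto-assign: false` in the new aws_nist_800_172.yaml, and `AutoAssign: false` in the root.yaml this commit deletes), and nothing in the diff says whether null means "inherit from the enclosing framework" or is simply read as falsy by the loader. If inheritance is intended, a comment on the line would save the next editor from "fixing" it: `auto-assign: null  # inherit from the framework record`. If it is not intended, `false` is the unambiguous choice. The same line appears in every control-group hunk of this diff (3_5_5 through 3_8_9, 3_1, 3_11 and 3_11_1_e), so whichever reading is right should be applied across them.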
--- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_5.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_5_5 -Title: 5.5 Prevent reuse of identifiers for a defined period -Description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. -SectionCode: "5" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_5 + title: 5.5 Prevent reuse of identifiers for a defined period + description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml index 0af52190c..bf12a47cd 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_6.yaml 
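Review bot: The only control under 3.5.5, `aws_iam_account_password_policy_strong_min_reuse_24`, evidences password history, while the requirement and its description are about reuse of identifiers (user, group, role or device names); the mapping is carried over unchanged, so the rewritten record still inherits a control that does not test what its title states. A short clause in the description saying the mapping is a proxy, or a check of which IAM identifier-lifecycle evidence the platform actually has, would make the result defensible in an assessment. The same proxy mapping appears in the 3.5.9 hunk (temporary passwords with an immediate change), which is also evidenced only by the reuse-24 control.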
@@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_5_6 -Title: 5.6 Disable identifiers after a defined period of inactivity -Description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. -SectionCode: "6" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_unused_credentials_90 -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_6 + title: 5.6 Disable identifiers after a defined period of inactivity + description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml index 94ded683d..900244c9f 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_5_7 -Title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created -Description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. -SectionCode: "7" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_7 + title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created + description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 
diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml index 66b4d0d30..c2e1e64d4 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_8.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_5_8 -Title: 5.8 Prohibit password reuse for a specified number of generations -Description: Password lifetime restrictions do not apply to temporary passwords. -SectionCode: "8" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_8 + title: 5.8 Prohibit password reuse for a specified number of generations + description: Password lifetime restrictions do not apply to temporary passwords. + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml index 49e197eea..377be3eeb 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_5_9.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_5_9 -Title: 5.9 Allow temporary password use for system logons with an immediate change to a permanent password -Description: Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises. -SectionCode: "9" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_5_9 + title: 5.9 Allow temporary password use for system logons with an immediate change to a permanent password + description: Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises. + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml index aaeb74939..75e437777 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_171_rev_2_3_6 -Title: Incident Response -Description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. -SectionCode: "3_6" -Children: - - aws_nist_800_171_rev_2_3_6_1 - - aws_nist_800_171_rev_2_3_6_2 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_6 + title: Incident Response + description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. + section-code: "3_6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_6_1 + - id: aws_nist_800_171_rev_2_3_6_2 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml index db143d305..71ce685d8 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_1.yaml 
@@ -1,31 +1,36 @@ -ID: aws_nist_800_171_rev_2_3_6_1 -Title: 6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities -Description: Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. 
User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. -SectionCode: "1" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_security_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_6_1 + title: 6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities + description: Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. 
Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_security_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_log_group_retention_period_365 + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml index 87afc8b63..721dfd6d7 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_6_2.yaml 
@@ -1,31 +1,36 @@ -ID: aws_nist_800_171_rev_2_3_6_2 -Title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization -Description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. 
-SectionCode: "2" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_security_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_6_2 + title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization + description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_security_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_log_group_retention_period_365 + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml index 5f1a6a805..5485d9b2f 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8.yaml 
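Review bot: The `controls` list here is byte-identical to the fourteen entries under 3.6.1 in the preceding hunk, so the two requirements (establishing an incident-handling capability vs. tracking, documenting and reporting incidents) yield the same pass/fail evidence and a finding on one cannot be told apart from the other in reports. That duplication predates this commit, but the record is rewritten here, so it is the moment to decide: if sharing is intentional, a line in the description noting that the logging and alerting controls are shared evidence would help; otherwise the 3.6.2 list is the one to narrow to the retention and reporting controls it already contains (for instance `aws_cloudwatch_log_group_retention_period_365`, `aws_securityhub_enabled`, `aws_guardduty_finding_archived`).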
@@ -1,18 +1,23 @@ -ID: aws_nist_800_171_rev_2_3_8 -Title: Media Protection -Description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats. -SectionCode: "3_8" -Children: - - aws_nist_800_171_rev_2_3_8_9 -Controls: [] -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_8 + title: Media Protection + description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats. + section-code: "3_8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_171_rev_2_3_8_9 diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml index 32efb9cf7..4fffa6e9e 100755 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_171_rev_2/aws_nist_800_171_rev_2_3_8_9.yaml 
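Review bot: The description reads "This control family help organizations control access to sensitive media", a grammar slip carried over from the old file; `description: This control family helps organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.` is the fix. Since this commit already rewrites every line of the record, it is the cheap moment to correct it.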
@@ -1,37 +1,42 @@ -ID: aws_nist_800_171_rev_2_3_8_9 -Title: 8.9 Protect the confidentiality of backup CUI at storage locations -Description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. -SectionCode: "9" -Children: [] -Controls: - - aws_backup_plan_min_retention_35_days - - aws_backup_recovery_point_encryption_enabled - - aws_backup_recovery_point_manual_deletion_disabled - - aws_backup_recovery_point_min_retention_35_days - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_dynamodb_table_protected_by_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_ebs_volume_protected_by_backup_plan - - aws_ec2_instance_protected_by_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_efs_file_system_protected_by_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_fsx_file_system_protected_by_backup_plan - - aws_rds_db_cluster_aurora_protected_by_backup_plan - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_protected_by_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_s3_bucket_cross_region_replication_enabled -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_171_rev_2_3_8_9 + title: 8.9 Protect the confidentiality of backup CUI at storage locations + description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality 
of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information. + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_171_rev_2: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_backup_plan_min_retention_35_days + - aws_backup_recovery_point_encryption_enabled + - aws_backup_recovery_point_manual_deletion_disabled + - aws_backup_recovery_point_min_retention_35_days + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_dynamodb_table_protected_by_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_ebs_volume_protected_by_backup_plan + - aws_ec2_instance_protected_by_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_efs_file_system_protected_by_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_fsx_file_system_protected_by_backup_plan + - aws_rds_db_cluster_aurora_protected_by_backup_plan + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_protected_by_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_s3_bucket_cross_region_replication_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_171_rev_2/root.yaml b/compliance/frameworks/aws/aws_nist_800_171_rev_2/root.yaml deleted file mode 100755 index d7b8e386f..000000000 --- a/compliance/frameworks/aws/aws_nist_800_171_rev_2/root.yaml +++ /dev/null 
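Review bot: Of the twenty controls under "Protect the confidentiality of backup CUI", only `aws_backup_recovery_point_encryption_enabled` appears, from its name, to test confidentiality; the rest (`*_in_backup_plan`, `*_protected_by_backup_plan`, retention minimums, point-in-time recovery, cross-region replication) test that backups exist, are retained and are recoverable. Replicating a bucket to a second region without a check on encryption at rest widens the storage footprint the requirement asks to protect, so a reader who only sees the pass count would over-estimate coverage. The mapping predates this commit, but because the record is rewritten here, either trimming the list to the encryption control or adding a sentence to the description saying the availability controls are included as supporting evidence would be worth doing.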
@@ -1,36 +0,0 @@ -ID: aws_nist_800_171_rev_2 -Title: NIST 800-171 Revision 2 -Description: NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks. -SectionCode: aws_nist_800_171_rev_2 -Children: - - aws_nist_800_171_rev_2_2 - - aws_nist_800_171_rev_2_3_1 - - aws_nist_800_171_rev_2_3_3 - - aws_nist_800_171_rev_2_3_4 - - aws_nist_800_171_rev_2_3_5 - - aws_nist_800_171_rev_2_3_6 - - aws_nist_800_171_rev_2_3_8 - - aws_nist_800_171_rev_2_3_11 - - aws_nist_800_171_rev_2_3_12 - - aws_nist_800_171_rev_2_3_13 - - aws_nist_800_171_rev_2_3_14 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - nist_800_171_rev_2: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Frameworks - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml new file mode 100644 index 000000000..5ba47d1d0 --- /dev/null +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172.yaml 
@@ -0,0 +1,18 @@ +framework: + id: aws_nist_800_172 + title: NIST 800-172 + description: NIST Special Publication (SP) 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of controlled unclassified information (CUI) in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset. + section-code: aws_nist_800_172 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_nist_800_172_3_1 + - id: aws_nist_800_172_3_4 + - id: aws_nist_800_172_3_5 + - id: aws_nist_800_172_3_11 + - id: aws_nist_800_172_3_13 + - id: aws_nist_800_172_3_14 diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml index a3ca6843c..c3bde4498 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1.yaml 
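Review bot: The new `framework` record carries `tags: {}`, whereas the root.yaml this commit deletes for the sibling NIST 800-171 framework carried `category`, `platform_benchmark_type`, `platform_category`, `plugin`, `service` and `type` tags. If any catalogue or filtering logic keys on those tags (the `platform_*` ones in particular look like placement metadata), this framework will surface without them; I cannot tell from the diff whether the loader fills them in from elsewhere, and the other new framework record in this commit also uses `tags: {}`, so it may be the new convention. If the empty map is deliberate, a comment such as `tags: {}  # framework-level tags are populated by the loader` (or whatever the real reason is) would stop the next reader from re-adding the old block; otherwise the tag block from the deleted root.yaml, with the 800-171 key replaced by this framework's, is the obvious starting point.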
@@ -1,8 +1,13 @@ -ID: aws_nist_800_172_3_1 -Title: Access Control -Description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. -SectionCode: "3_1" -Children: - - aws_nist_800_172_3_1_3_e -Controls: [] -Tags: {} +control-group: + id: aws_nist_800_172_3_1 + title: Access Control + description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. + section-code: "3_1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_nist_800_172_3_1_3_e diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml index 0a371ec00..4ade23e96 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11.yaml 
@@ -1,9 +1,14 @@ -ID: aws_nist_800_172_3_11 -Title: Risk Assessment -Description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. -SectionCode: "3_11" -Children: - - aws_nist_800_172_3_11_1_e - - aws_nist_800_172_3_11_2_e -Controls: [] -Tags: {} +control-group: + id: aws_nist_800_172_3_11 + title: Risk Assessment + description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. + section-code: "3_11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_nist_800_172_3_11_1_e + - id: aws_nist_800_172_3_11_2_e diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml index 0988e9eb4..124225b17 100755 --- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_1_e.yaml 
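Review bot: The description ends with "Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts", which is vendor marketing copy and refers to NIST 800-53 rather than the 800-172 family this record belongs to; it was carried over from the old file but reads as an endorsement inside a benchmark definition. Trimming the description to its first sentence, `description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities.`, keeps the factual part.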
@@ -1,8 +1,13 @@
-ID: aws_nist_800_172_3_11_1_e
-Title: '11.1e Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities'
-Description: The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
-SectionCode: 1_e
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_11_1_e
+ title: "11.1e Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities"
+ description: The constant evolution and increased sophistication of adversaries, especially the APT, makes it more likely that adversaries can successfully compromise or breach organizational systems. Accordingly, threat intelligence can be integrated into each step of the risk management process throughout the system development life cycle. This risk management process includes defining system security requirements, developing system and security architectures, selecting security solutions, monitoring (including threat hunting), and remediation efforts.
+ section-code: 1_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml
index a32bfcb6b..1b907bc0c 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_11_2_e.yaml
@@ -1,7 +1,11 @@
-ID: aws_nist_800_172_3_11_2_e
-Title: '11.2e Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organizationdefined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls'
-Description: Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code.
-SectionCode: 2_e
-Children: []
-Controls: []
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_11_2_e
+ title: "11.2e Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organizationdefined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls"
+ description: Threat hunting is an active means of defense that contrasts with traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems.
Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indicators of compromise are forensic artifacts from intrusions that are identified on organizational systems at the host or network level and can include unusual network traffic, unusual file changes, and the presence of malicious code.
+ section-code: 2_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml
index 35269255b..3e8c9b205 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13.yaml
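Review bot: The new `control-group` for 3_11_2_e has neither a `controls` key nor a child `control-group` key, where the old side carried an explicit `Controls: []`; whether the loader accepts a group with no `controls` key at all, or requires it, is not visible from this diff. Adding `controls: []` after `tags: {}` keeps the file consistent with the sibling leaf groups (3_11_1_e, 3_13_4_e and the 3_14_*_e groups, all of which have a `controls` list) and makes it visible that this threat-hunting requirement has no automated check behind it, rather than looking like an accidentally dropped list. The title also still reads `organizationdefined frequency`; the other titles spell it `organization-defined`.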
@@ -1,8 +1,13 @@
-ID: aws_nist_800_172_3_13
-Title: System and Communications Protection
-Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
-SectionCode: "3_13"
-Children:
- - aws_nist_800_172_3_13_4_e
-Controls: []
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_13
+ title: System and Communications Protection
+ description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+ section-code: "3_13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_nist_800_172_3_13_4_e
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml
index 0e64b4a49..1eb4cf548 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_13_4_e.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_172_3_13_4_e
-Title: '13.4e Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components'
-Description: A mix of physical and logical isolation techniques (described below) implemented as part of the system architecture can limit the unauthorized flow of CUI, reduce the system attack surface, constrain the number of system components that must be secure, and impede the movement of an adversary. When implemented with a set of managed interfaces, physical and logical isolation techniques for organizational systems and components can isolate CUI into separate security domains where additional protections can be implemented. Any communications across the managed interfaces (i.e., across security domains), including for management or administrative purposes, constitutes remote access even if the communications remain within the organization. Separating system components with boundary protection mechanisms allows for the increased protection of individual components and more effective control of information flows between those components. This enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation can vary depending on the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps).
-SectionCode: 4_e
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_allows_ingress_authorized_ports
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_network_acl_remote_administration
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_13_4_e
+ title: "13.4e Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components"
+ description: A mix of physical and logical isolation techniques (described below) implemented as part of the system architecture can limit the unauthorized flow of CUI, reduce the system attack surface, constrain the number of system components that must be secure, and impede the movement of an adversary.
When implemented with a set of managed interfaces, physical and logical isolation techniques for organizational systems and components can isolate CUI into separate security domains where additional protections can be implemented. Any communications across the managed interfaces (i.e., across security domains), including for management or administrative purposes, constitutes remote access even if the communications remain within the organization. Separating system components with boundary protection mechanisms allows for the increased protection of individual components and more effective control of information flows between those components. This enhanced protection limits the potential harm from and susceptibility to hostile cyber-attacks and errors. The degree of isolation can vary depending on the boundary protection mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls separating system components into physically separate networks or subnetworks; virtualization and micro-virtualization techniques; encrypting information flows among system components using distinct encryption keys; cross-domain devices separating subnetworks; and complete physical separation (i.e., air gaps). 
+ section-code: 4_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_allows_ingress_authorized_ports
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_vpc_network_acl_remote_administration
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml
index 9cf7d8e5a..8a6ab8388 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14.yaml
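Review bot: The new `controls` list is alphabetically sorted except for its last entry, `aws_vpc_network_acl_remote_administration`, which belongs between `aws_vpc_default_security_group_restricts_all_traffic` and `aws_vpc_route_table_restrict_public_access_to_igw`; the 3_14_7_e hunk later in this chunk has the same problem, with its five controls in no order at all. A consistently sorted list keeps future additions to one-line diffs and makes a duplicated control easy to spot by eye, which matters for a 27-entry mapping. Only the position of that one line changes; the set of controls stays exactly as committed.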
@@ -1,11 +1,16 @@
-ID: aws_nist_800_172_3_14
-Title: System and Information integrity
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: "3_14"
-Children:
- - aws_nist_800_172_3_14_1_e
- - aws_nist_800_172_3_14_2_e
- - aws_nist_800_172_3_14_6_e
- - aws_nist_800_172_3_14_7_e
-Controls: []
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_14
+ title: System and Information integrity
+ description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+ section-code: "3_14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_nist_800_172_3_14_1_e
+ - id: aws_nist_800_172_3_14_2_e
+ - id: aws_nist_800_172_3_14_6_e
+ - id: aws_nist_800_172_3_14_7_e
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml
index c10227703..5bc2ac25f 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_1_e.yaml
@@ -1,8 +1,13 @@
-ID: aws_nist_800_172_3_14_1_e
-Title: '14.1e Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures'
-Description: Verifying the integrity of the organization’s security-critical or essential software is an important capability since corrupted software is the primary attack vector used by adversaries to undermine or disrupt the proper functioning of organizational systems. There are many ways to verify software integrity throughout the system development life cycle. Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes. This capability helps system components protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware. The employment of cryptographic signatures ensures the integrity and authenticity of critical and essential software that stores, processes, or transmits, CUI. Cryptographic signatures include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Hardware roots of trust are considered to be more secure.
-SectionCode: 1_e
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_14_1_e
+ title: "14.1e Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures"
+ description: Verifying the integrity of the organization’s security-critical or essential software is an important capability since corrupted software is the primary attack vector used by adversaries to undermine or disrupt the proper functioning of organizational systems. There are many ways to verify software integrity throughout the system development life cycle. Root of trust mechanisms (e.g., secure boot, trusted platform modules, Unified Extensible Firmware Interface [UEFI]), verify that only trusted code is executed during boot processes. This capability helps system components protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware. The employment of cryptographic signatures ensures the integrity and authenticity of critical and essential software that stores, processes, or transmits, CUI. Cryptographic signatures include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Hardware roots of trust are considered to be more secure.
+ section-code: 1_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
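Review bot: Requirement 14.1e on the new side (integrity of security-critical software via root-of-trust mechanisms or cryptographic signatures) is backed by a single control, `aws_cloudtrail_trail_validation_enabled`; if that control is the CloudTrail log-file validation check, as its name suggests, it attests the integrity of audit logs, not of software or firmware, and a passing result would overstate coverage to an assessor. Either add controls that speak to code or artifact integrity, if the control library has any, or mark the gap so it is not mistaken for full coverage, e.g. a comment above the list: `# partial coverage: log-file integrity only; software/firmware integrity needs manual evidence`. I cannot see the control's definition from this diff, so the reading of what it checks is inferred from its name.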
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml
index a821bd154..390d04adf 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_2_e.yaml
@@ -1,14 +1,19 @@
-ID: aws_nist_800_172_3_14_2_e
-Title: 14.2e Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior
-Description: Monitoring is used to identify unusual, suspicious, or unauthorized activities or conditions related to organizational systems and system components. Such activities or conditions can include unusual internal systems communications traffic, unauthorized exporting of information,signaling to external systems, large file transfers, long-time persistent connections, attempts to access information from unexpected locations, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The correlation of physical, time, or geolocation audit record information to the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior.
-SectionCode: 2_e
-Children: []
-Controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_14_2_e
+ title: 14.2e Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior
+ description: Monitoring is used to identify unusual, suspicious, or unauthorized activities or conditions related to organizational systems and system components.
Such activities or conditions can include unusual internal systems communications traffic, unauthorized exporting of information,signaling to external systems, large file transfers, long-time persistent connections, attempts to access information from unexpected locations, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The correlation of physical, time, or geolocation audit record information to the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior.
+ section-code: 2_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml
index b2e8ae35f..e9a15b855 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_6_e.yaml
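Review bot: The rewritten `description` still reads `unauthorized exporting of information,signaling to external systems`, a missing space after the comma carried over from the old side; the intended text is `unauthorized exporting of information, signaling to external systems`. Descriptions are rendered to assessors as the requirement's explanation, so it is worth correcting while the file is being restructured anyway.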
@@ -1,8 +1,13 @@
-ID: aws_nist_800_172_3_14_6_e
-Title: '14.6e Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting'
-Description: Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations. This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.
-SectionCode: 6_e
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_14_6_e
+ title: "14.6e Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting"
+ description: Threat information related to specific threat events (e.g., TTPs, targets) that organizations have experienced, threat mitigations that organizations have found to be effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) are sourced from and shared with trusted organizations.
This threat information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTPs from organizations participating in threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, CISA/US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.
+ section-code: 6_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml
index 3bff4f7a3..67965e4e3 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_14_7_e.yaml
@@ -1,12 +1,17 @@
-ID: aws_nist_800_172_3_14_7_e
-Title: '14.7e Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques].'
-Description: Verification methods have varying degrees of rigor in determining the correctness of software, firmware, and hardware components. For example, formal verification involves proving that a software program satisfies some formal property or set of properties. The nature of formal verification is generally time-consuming and not employed for commercial operating systems and applications. Therefore, it would likely only be applied to some very limited uses, such as verifying cryptographic protocols. However, in cases where software, firmware, or hardware components exist with formal verification of the component’s security properties, such components provide greater assurance and trustworthiness and are preferred over similar components that have not been formally verified.
-SectionCode: 7_e
-Children: []
-Controls:
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
- - aws_ec2_instance_ssm_managed
- - aws_ecs_service_fargate_using_latest_platform_version
- - aws_ecr_repository_image_scan_on_push_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_14_7_e
+ title: "14.7e Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques]."
+ description: Verification methods have varying degrees of rigor in determining the correctness of software, firmware, and hardware components. For example, formal verification involves proving that a software program satisfies some formal property or set of properties.
The nature of formal verification is generally time-consuming and not employed for commercial operating systems and applications. Therefore, it would likely only be applied to some very limited uses, such as verifying cryptographic protocols. However, in cases where software, firmware, or hardware components exist with formal verification of the component’s security properties, such components provide greater assurance and trustworthiness and are preferred over similar components that have not been formally verified.
+ section-code: 7_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
+ - aws_ec2_instance_ssm_managed
+ - aws_ecs_service_fargate_using_latest_platform_version
+ - aws_ecr_repository_image_scan_on_push_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml
index ff93064e2..7eaecd6b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_1_3_e.yaml
@@ -1,47 +1,52 @@
-ID: aws_nist_800_172_3_1_3_e
-Title: '1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems'
-Description: Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels.
-SectionCode: 3_e
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_desync_mitigation_mode
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_desync_mitigation_mode
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_https_required
- - aws_opensearch_domain_in_vpc
- - aws_opensearch_domain_node_to_node_encryption_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_allows_ingress_authorized_ports
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_network_acl_remote_administration
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_1_3_e
+ title: "1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems"
+ description: Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels.
+ section-code: 3_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_desync_mitigation_mode
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_desync_mitigation_mode
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_https_required
+ - aws_opensearch_domain_in_vpc
+ - aws_opensearch_domain_node_to_node_encryption_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_allows_ingress_authorized_ports
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ -
aws_vpc_network_acl_remote_administration
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
index 285055e93..5add35445 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4.yaml
@@ -1,9 +1,14 @@
-ID: aws_nist_800_172_3_4
-Title: Configuration Management
-Description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
-SectionCode: "3_4"
-Children:
- - aws_nist_800_172_3_4_2_e
- - aws_nist_800_172_3_4_3_e
-Controls: []
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_4
+ title: Configuration Management
+ description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+ section-code: "3_4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_nist_800_172_3_4_2_e
+ - id: aws_nist_800_172_3_4_3_e
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
index fa844c585..2ab826a1a 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_2_e.yaml
@@ -1,10 +1,15 @@
-ID: aws_nist_800_172_3_4_2_e
-Title: '4.2e Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations'
-Description: System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.
-SectionCode: 2_e
-Children: []
-Controls:
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_4_2_e
+ title: "4.2e Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, [Selection (one or more): remove the components; place the components in a quarantine or remediation network] to facilitate patching, re-configuration, or other mitigations"
+ description: System components used to process, store, transmit, or protect CUI are monitored and checked against the authoritative source (i.e., hardware and software inventory and associated baseline configurations). From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. Using automated tools, the desired state is compared to the actual state to check for compliance or deviations. Security responses to system components that are unknown or that deviate from approved configurations can include removing the components; halting system functions or processing; placing the system components in a quarantine or remediation network that facilitates patching, re-configuration, or other mitigations; or issuing alerts and/or notifications to personnel when there is an unauthorized modification of an organization-defined configuration item. Responses can be automated, manual, or procedural. Components that are removed from the system are rebuilt from the trusted configuration baseline established by the authoritative source.
+ section-code: 2_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
index 58a570bfc..d9e0856e0 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_4_3_e.yaml
@@ -1,12 +1,17 @@
-ID: aws_nist_800_172_3_4_3_e
-Title: 4.3e Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components
-Description: The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners,hardware inventory specifications,software license information,software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
-SectionCode: 3_e
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_vpc_eip_associated
- - aws_vpc_network_acl_unused
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_4_3_e
+ title: 4.3e Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components
+ description: The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners,hardware inventory specifications,software license information,software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
+ section-code: 3_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_vpc_eip_associated
+ - aws_vpc_network_acl_unused
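Review bot: The new `description` line for `aws_nist_800_172_3_4_3_e` carries over the run of missing spaces after commas in `component owners,hardware inventory specifications,software license information,software version numbers`, and since the whole line is rewritten in this hunk it was the natural place to fix user-facing text. Changing it to `component owners, hardware inventory specifications, software license information, software version numbers` keeps the meaning and reads correctly wherever the description is displayed.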
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
index a166d63e4..3c0dd52d2 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5.yaml
@@ -1,8 +1,13 @@
-ID: aws_nist_800_172_3_5
-Title: Identification and Authentication
-Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
-SectionCode: "3_5"
-Children:
- - aws_nist_800_172_3_5_2_e
-Controls: []
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_5
+ title: Identification and Authentication
+ description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+ section-code: "3_5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_nist_800_172_3_5_2_e
diff --git a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
index fe0a91f6b..36b0bc4a8 100755
--- a/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_172/aws_nist_800_172_3_5_2_e.yaml
@@ -1,10 +1,15 @@
-ID: aws_nist_800_172_3_5_2_e
-Title: 5.2e Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management
-Description: In situations where static passwords or personal identification numbers (PIN) are used (e.g., certain system components do not support multifactor authentication or complex account management, such as separate system accounts for each user and logging), automated mechanisms (e.g., password managers) can automatically generate, rotate, manage, and store strong and different passwords for users and device accounts. For example, a router might have one administrator account, but an organization typically has multiple network administrators. Therefore, access management and accountability are problematic. A password manager uses techniques such as automated password rotation (in this example, for the router password) to allow a specific user to temporarily gain access to a device by checking out a temporary password and then checking the password back in to end the access. The password manager simultaneously logs these actions. One of the risks in using password managers is that an adversary may target the collection of passwords that the device generates. Therefore, it is important that these passwords are secured. Methods for protecting passwords include the use of multi-factor authentication to the password manager, encryption, or secured hardware (e.g., a hardware security module).
-SectionCode: 2_e
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_automatic_rotation_enabled
-Tags: {}
+control-group:
+ id: aws_nist_800_172_3_5_2_e
+ title: 5.2e Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management
+ description: In situations where static passwords or personal identification numbers (PIN) are used (e.g., certain system components do not support multifactor authentication or complex account management, such as separate system accounts for each user and logging), automated mechanisms (e.g., password managers) can automatically generate, rotate, manage, and store strong and different passwords for users and device accounts. For example, a router might have one administrator account, but an organization typically has multiple network administrators. Therefore, access management and accountability are problematic. A password manager uses techniques such as automated password rotation (in this example, for the router password) to allow a specific user to temporarily gain access to a device by checking out a temporary password and then checking the password back in to end the access. The password manager simultaneously logs these actions. One of the risks in using password managers is that an adversary may target the collection of passwords that the device generates. Therefore, it is important that these passwords are secured. Methods for protecting passwords include the use of multi-factor authentication to the password manager, encryption, or secured hardware (e.g., a hardware security module).
+ section-code: 2_e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_172/root.yaml b/compliance/frameworks/aws/aws_nist_800_172/root.yaml
deleted file mode 100755
index 48551719c..000000000
--- a/compliance/frameworks/aws/aws_nist_800_172/root.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-ID: aws_nist_800_172
-Title: NIST 800-172
-Description: NIST Special Publication (SP) 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of controlled unclassified information (CUI) in nonfederal systems and organizations from the advanced persistent threat when the CUI is associated with a critical program or high value asset.
-SectionCode: aws_nist_800_172
-Children:
- - aws_nist_800_172_3_1
- - aws_nist_800_172_3_4
- - aws_nist_800_172_3_5
- - aws_nist_800_172_3_11
- - aws_nist_800_172_3_13
- - aws_nist_800_172_3_14
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml
new file mode 100644
index 000000000..e8820e98f
--- /dev/null
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4.yaml
@@ -0,0 +1,37 @@
+framework:
+ id: aws_nist_800_53_rev_4
+ title: NIST 800-53 Revision 4
+ description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
+ section-code: aws_nist_800_53_rev_4
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_ac
+ - id: aws_nist_800_53_rev_4_au
+ - id: aws_nist_800_53_rev_4_ca
+ - id: aws_nist_800_53_rev_4_cm
+ - id: aws_nist_800_53_rev_4_cp
+ - id: aws_nist_800_53_rev_4_ia
+ - id: aws_nist_800_53_rev_4_ir
+ - id: aws_nist_800_53_rev_4_ra
+ - id: aws_nist_800_53_rev_4_sa
+ - id: aws_nist_800_53_rev_4_sc
+ - id: aws_nist_800_53_rev_4_si
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
index 4e400c4a6..b2a811c74 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_4_ac
-Title: Access Control (AC)
-Description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
-SectionCode: ac
-Children:
- - aws_nist_800_53_rev_4_ac_2
- - aws_nist_800_53_rev_4_ac_3
- - aws_nist_800_53_rev_4_ac_4
- - aws_nist_800_53_rev_4_ac_5
- - aws_nist_800_53_rev_4_ac_6
- - aws_nist_800_53_rev_4_ac_17
- - aws_nist_800_53_rev_4_ac_21
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac
+ title: Access Control (AC)
+ description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+ section-code: ac
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_ac_2
+ - id: aws_nist_800_53_rev_4_ac_3
+ - id: aws_nist_800_53_rev_4_ac_4
+ - id: aws_nist_800_53_rev_4_ac_5
+ - id: aws_nist_800_53_rev_4_ac_6
+ - id: aws_nist_800_53_rev_4_ac_17
+ - id: aws_nist_800_53_rev_4_ac_21
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
index 4a77522ff..852f37895 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_4_ac_17
-Title: Remote Access (AC-17)
-Description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
-SectionCode: "17"
-Children:
- - aws_nist_800_53_rev_4_ac_17_1
- - aws_nist_800_53_rev_4_ac_17_2
- - aws_nist_800_53_rev_4_ac_17_3
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_17
+ title: Remote Access (AC-17)
+ description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_ac_17_1
+ - id: aws_nist_800_53_rev_4_ac_17_2
+ - id: aws_nist_800_53_rev_4_ac_17_3
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
index 83484f2b6..135f2d14e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_4_ac_17_1
-Title: AC-17(1) Automated Monitoring/Control
-Description: The information system monitors and controls remote access methods.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_17_1
+ title: AC-17(1) Automated Monitoring/Control
+ description: The information system monitors and controls remote access methods.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
index b106e8c49..7b22c253c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_2.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_4_ac_17_2
-Title: AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
-Description: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_17_2
+ title: AC-17(2) Protection Of Confidentiality/Integrity Using Encryption
+ description: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
index 033769d84..8f82b770b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_17_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_ac_17_3
-Title: AC-17(3) Managed Access Control Points
-Description: The information system routes all remote accesses through organization-defined managed network access control points.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_vpc_igw_attached_to_authorized_vpc
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_17_3
+ title: AC-17(3) Managed Access Control Points
+ description: The information system routes all remote accesses through organization-defined managed network access control points.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_igw_attached_to_authorized_vpc
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
index c586be268..60d3f3637 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2.yaml
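Review bot: The `service` tag on `aws_nist_800_53_rev_4_ac_17_3` is `AWS/VPC`, while every sibling group in this diff (ac, ac_17, ac_17_1, ac_17_2, ac_2) and the new framework file tag `AWS`. The value is carried over from the old file, so it may be intentional, but if the tag is used to group or filter control groups this one would not appear with the rest of the AC family. If it is deliberate, a comment such as `# service is AWS/VPC on purpose: the only control here is a VPC check` above the tag would document that; otherwise `- AWS` brings it in line with its siblings.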
@@ -1,40 +1,46 @@
-ID: aws_nist_800_53_rev_4_ac_2
-Title: Account Management (AC-2)
-Description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_4_ac_2_1
- - aws_nist_800_53_rev_4_ac_2_3
- - aws_nist_800_53_rev_4_ac_2_4
- - aws_nist_800_53_rev_4_ac_2_12
-Controls:
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_emr_cluster_kerberos_enabled
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_2
+ title: Account Management (AC-2)
+ description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_ac_2_1
+ - id: aws_nist_800_53_rev_4_ac_2_3
+ - id: aws_nist_800_53_rev_4_ac_2_4
+ - id: aws_nist_800_53_rev_4_ac_2_12
+ controls:
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_emr_cluster_kerberos_enabled
+ - aws_guardduty_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
index 21653f697..b2032dc86 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_21.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_4_ac_21
-Title: Information Sharing (AC-21)
-Description: Facilitate information sharing. Enable authorized users to grant access to partners.
-SectionCode: "21"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_21
+ title: Information Sharing (AC-21)
+ description: Facilitate information sharing. Enable authorized users to grant access to partners.
+ section-code: "21"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
index 050da5d96..d604c7291 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_4_ac_2_1
-Title: AC-2(1) Automated System Account Management
-Description: The organization employs automated mechanisms to support the management of information system accounts.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_user_access_key_age_90
- - aws_iam_user_in_group
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_2_1
+ title: AC-2(1) Automated System Account Management
+ description: The organization employs automated mechanisms to support the management of information system accounts.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_in_group
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
index 4564eed73..a1603f172 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_12.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_4_ac_2_12
-Title: AC-2(12) Account Monitoring
-Description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
-SectionCode: "12"
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_2_12
+ title: AC-2(12) Account Monitoring
+ description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
index fae5e0b8c..4e23f55ef 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_ac_2_3
-Title: AC-2(3) Disable Inactive Accounts
-Description: The information system automatically disables inactive accounts after 90 days for user accounts.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_2_3
+ title: AC-2(3) Disable Inactive Accounts
+ description: The information system automatically disables inactive accounts after 90 days for user accounts.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml
index b9235bb43..70d963bdd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_2_4.yaml
@@ -1,25 +1,30 @@
-ID: aws_nist_800_53_rev_4_ac_2_4
-Title: AC-2(4) Automated Audit Actions
-Description: 'The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_2_4
+ title: AC-2(4) Automated Audit Actions
+ description: "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml
index 7e42da959..1009b9992 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_3.yaml 
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_4_ac_3
-Title: Access Enforcement (AC-3)
-Description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_3
+ title: Access Enforcement (AC-3)
+ description: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket_account
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml
index 95411151e..2019e8ba0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_4.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_4_ac_4
-Title: Information Flow Enforcement (AC-4)
-Description: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_4
+ title: Information Flow Enforcement (AC-4)
+ description: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml
index 89d46068f..bcbcaddfb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_5.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_4_ac_5
-Title: Separation Of Duties (AC-5)
-Description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_5
+ title: Separation Of Duties (AC-5)
+ description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml
index fc0b67d9a..da0684714 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6.yaml
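Review bot: The migrated `+ description:` for AC-5 carries over a capitalization slip from the old file, `activity. automate`, and since every line of this file is rewritten anyway this is the moment to fix it: `description: Separate duties of individuals to prevent malevolent activity. Automate separation of duties and access authorizations.` This is display text for the control group, so the typo would otherwise be frozen into the new schema.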
@@ -1,39 +1,45 @@
-ID: aws_nist_800_53_rev_4_ac_6
-Title: Least Privilege (AC-6)
-Description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
-SectionCode: "6"
-Children:
- - aws_nist_800_53_rev_4_ac_6_10
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_6
+ title: Least Privilege (AC-6)
+ description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_ac_6_10
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml
index 0148ebe3c..5e2e5bb5d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ac_6_10.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_ac_6_10
-Title: AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions
-Description: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_ac_6_10
+ title: AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions
+ description: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml
index 2cc0ccb29..3da5371f6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_4_au
-Title: Audit and Accountability (AU)
-Description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
-SectionCode: au
-Children:
- - aws_nist_800_53_rev_4_au_2
- - aws_nist_800_53_rev_4_au_3
- - aws_nist_800_53_rev_4_au_6
- - aws_nist_800_53_rev_4_au_7
- - aws_nist_800_53_rev_4_au_9
- - aws_nist_800_53_rev_4_au_11
- - aws_nist_800_53_rev_4_au_12
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_au
+ title: Audit and Accountability (AU)
+ description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+ section-code: au
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_au_2
+ - id: aws_nist_800_53_rev_4_au_3
+ - id: aws_nist_800_53_rev_4_au_6
+ - id: aws_nist_800_53_rev_4_au_7
+ - id: aws_nist_800_53_rev_4_au_9
+ - id: aws_nist_800_53_rev_4_au_11
+ - id: aws_nist_800_53_rev_4_au_12
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml
index 7eaa45b17..0e3a12e1b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_11.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_au_11
-Title: Audit Record Retention (AU-11)
-Description: 'The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.'
-SectionCode: "11"
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_au_11
+ title: Audit Record Retention (AU-11)
+ description: "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml
index 9e5e3206f..b044c9a5d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_12.yaml
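Review bot: The AU-11 description keeps the `[Assignment: organization-defined time period …]` placeholder from the control text, while the only mapped control, `aws_cloudwatch_log_group_retention_period_365`, silently fixes that period at 365 days; nothing in the file records that this is the assignment being made. A one-line comment above the `+ controls:` entry would make the mapping auditable, e.g. `# organization-defined retention period is realised as 365 days by this control`. Whether 365 days is the intended value for this framework is a policy decision the file should state rather than imply.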
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_4_au_12
-Title: Audit Generation (AU-12)
-Description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
-SectionCode: "12"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_au_12
+ title: Audit Generation (AU-12)
+ description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml
index e8a3344f0..5fc21d0c8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_2.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_4_au_2
-Title: Event Logging (AU-2)
-Description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_au_2
+ title: Event Logging (AU-2)
+ description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml
index 89cd70b54..990e0d147 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_3.yaml
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_4_au_3 -Title: Content of Audit Records (AU-3) -Description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. -SectionCode: "3" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_3 + title: Content of Audit Records (AU-3) + description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml index 1b66a705a..80147559e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_au_6 -Title: Audit Review, Analysis And Reporting (AU-6) -Description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. -SectionCode: "6" -Children: - - aws_nist_800_53_rev_4_au_6_1 - - aws_nist_800_53_rev_4_au_6_3 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_6 + title: Audit Review, Analysis And Reporting (AU-6) + description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_au_6_1 + - id: aws_nist_800_53_rev_4_au_6_3 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml index eb26b770a..d6137d0d0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_1.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_au_6_1 -Title: AU-6(1) Process Integration -Description: The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_6_1 + title: AU-6(1) Process Integration + description: The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml index 87bce7528..a80707fe9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_6_3.yaml 
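Review bot: The rewritten description keeps the old typo `analysis,and reporting`; since this commit already touches every description line, it is the natural moment to correct it to `analysis, and reporting`. The control list itself is unchanged from the old side and raises nothing new.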
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_au_6_3 -Title: AU-6(3) Correlate Audit Repositories -Description: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. -SectionCode: "3" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_6_3 + title: AU-6(3) Correlate Audit Repositories + description: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml index 98a54e80f..bb6327c9e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_au_7 -Title: Audit Reduction And Report Generation (AU-7) -Description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records. -SectionCode: "7" -Children: - - aws_nist_800_53_rev_4_au_7_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_7 + title: Audit Reduction And Report Generation (AU-7) + description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_au_7_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml index 1caddaebc..5d5b971fb 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_7_1.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_au_7_1 -Title: AU-7(1) Automatic Processing -Description: 'The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].' -SectionCode: "1" -Children: [] -Controls: - - aws_cloudwatch_alarm_action_enabled - - aws_cloudtrail_trail_integrated_with_logs -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_7_1 + title: AU-7(1) Automatic Processing + description: "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_alarm_action_enabled + - aws_cloudtrail_trail_integrated_with_logs diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml index aed0346a1..f87ae3c03 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9.yaml 
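Review bot: The description was switched from single to double quotes even though the text contains no escape sequences; single quotes are the safer literal style here because a double-quoted scalar will interpret any backslash a future edit introduces. Quoting itself is still required because of the `: ` inside `[Assignment: ...]`, so keep the quotes and just prefer `'...'` as the old side had it. The same switch appears in the AU-9(2) hunk.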
@@ -1,20 +1,26 @@ -ID: aws_nist_800_53_rev_4_au_9 -Title: Protection of Audit Information (AU-9) -Description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. -SectionCode: "9" -Children: - - aws_nist_800_53_rev_4_au_9_2 -Controls: - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_log_group_encryption_at_rest_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_9 + title: Protection of Audit Information (AU-9) + description: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_au_9_2 + controls: + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_log_group_encryption_at_rest_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml index bf999c3f6..7dcf54a90 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_au_9_2.yaml 
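Review bot: The two controls mapped under AU-9 (`aws_cloudtrail_trail_logs_encrypted_with_kms_cmk`, `aws_log_group_encryption_at_rest_enabled`) only cover unauthorized access to audit data, while the description also names modification and deletion. The usual AWS evidence for those two halves is CloudTrail log file integrity validation and versioning or object lock on the trail bucket; `aws_s3_bucket_versioning_enabled`, already mapped under CP-10 in this commit, is a candidate if the catalogue has no CloudTrail-validation control. If the mapping is intentionally mirroring an upstream conformance pack, a one-line comment saying so would spare the next reviewer the same question.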
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_au_9_2 -Title: AU-9(2) Audit Backup On Separate Physical Systems / Components -Description: 'The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.' -SectionCode: "2" -Children: [] -Controls: - - aws_s3_bucket_cross_region_replication_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/S3 - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_au_9_2 + title: AU-9(2) Audit Backup On Separate Physical Systems / Components + description: "The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/S3 + type: + - Benchmark + controls: + - aws_s3_bucket_cross_region_replication_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml index 439fc1182..95a6e4651 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ca -Title: Security Assessment And Authorization (CA) -Description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections. -SectionCode: ca -Children: - - aws_nist_800_53_rev_4_ca_7 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ca + title: Security Assessment And Authorization (CA) + description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections. + section-code: ca + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ca_7 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml index 755340fa2..5f9f418d8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ca_7.yaml 
@@ -1,23 +1,28 @@ -ID: aws_nist_800_53_rev_4_ca_7 -Title: Continuous Monitoring (CA-7) -Description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks. -SectionCode: "7" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ca_7 + title: Continuous Monitoring (CA-7) + description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml index cb8799d9c..fb9606449 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_cm -Title: Configuration Management (CM) -Description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. -SectionCode: cm -Children: - - aws_nist_800_53_rev_4_cm_2 - - aws_nist_800_53_rev_4_cm_7 - - aws_nist_800_53_rev_4_cm_8 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm + title: Configuration Management (CM) + description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control. + section-code: cm + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_cm_2 + - id: aws_nist_800_53_rev_4_cm_7 + - id: aws_nist_800_53_rev_4_cm_8 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml index 1834965de..cafaa12d1 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_2.yaml 
@@ -1,24 +1,29 @@ -ID: aws_nist_800_53_rev_4_cm_2 -Title: Baseline Configuration (CM-2) -Description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. -SectionCode: "2" -Children: [] -Controls: - - aws_cloudtrail_security_trail_enabled - - aws_ebs_attached_volume_delete_on_termination_enabled - - aws_ec2_instance_ssm_managed - - aws_ec2_stopped_instance_30_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_security_group_restrict_ingress_common_ports_all -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm_2 + title: Baseline Configuration (CM-2) + description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_security_trail_enabled + - aws_ebs_attached_volume_delete_on_termination_enabled + - aws_ec2_instance_ssm_managed + - aws_ec2_stopped_instance_30_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_security_group_restrict_ingress_common_ports_all diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml index 679ec5922..4a3749c20 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_7.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_cm_7 -Title: Least Functionality (CM-7) -Description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services. -SectionCode: "7" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm_7 + title: Least Functionality (CM-7) + description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml index c4b0ccd3f..41b2d87d8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8.yaml 
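Review bot: CM-7's description is about restricting functions, ports, protocols and services, but the only controls mapped are the two SSM checks, which show that an instance is managed rather than that its exposed ports are limited. `aws_vpc_security_group_restrict_ingress_common_ports_all`, mapped under CM-2 in this same commit, is the control on this page that actually speaks to port restriction and looks like it belongs here as well. If the mapping is meant to track an upstream conformance pack verbatim, record that in a comment rather than leaving the gap implicit.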
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_cm_8 -Title: Information System Component Inventory (CM-8) -Description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory. -SectionCode: "8" -Children: - - aws_nist_800_53_rev_4_cm_8_1 - - aws_nist_800_53_rev_4_cm_8_3 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm_8 + title: Information System Component Inventory (CM-8) + description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory. + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_cm_8_1 + - id: aws_nist_800_53_rev_4_cm_8_3 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml index d0ba9d07a..fa5b1625b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_1.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_cm_8_1 -Title: CM-8(1) Updates During Installation / Removals -Description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. -SectionCode: "1" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/EC2 - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm_8_1 + title: CM-8(1) Updates During Installation / Removals + description: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/EC2 + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml index 3007d74a3..077a31e3d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cm_8_3.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_cm_8_3 -Title: CM-8(3) Automated Unauthorized Component Detection -Description: The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected. -SectionCode: "3" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cm_8_3 + title: CM-8(3) Automated Unauthorized Component Detection + description: The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml index 898986ab3..02c025b04 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_cp -Title: Contingency Planning (CP) -Description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution. -SectionCode: cp -Children: - - aws_nist_800_53_rev_4_cp_9 - - aws_nist_800_53_rev_4_cp_10 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cp + title: Contingency Planning (CP) + description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution. + section-code: cp + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_cp_9 + - id: aws_nist_800_53_rev_4_cp_10 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml index f057ac4e4..c169e51af 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_10.yaml 
@@ -1,31 +1,36 @@ -ID: aws_nist_800_53_rev_4_cp_10 -Title: Information System Recovery And Reconstitution (CP-10) -Description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. -SectionCode: "10" -Children: [] -Controls: - - aws_dynamodb_table_auto_scaling_enabled - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_rds_db_instance_multiple_az_enabled - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cp_10 + title: Information System Recovery And Reconstitution (CP-10) + description: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. 
+ section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_auto_scaling_enabled + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_rds_db_instance_multiple_az_enabled + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml index 33c3b2761..913f7cf76 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_cp_9.yaml 
@@ -1,25 +1,30 @@ -ID: aws_nist_800_53_rev_4_cp_9 -Title: Information System Backup (CP-9) -Description: The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations. -SectionCode: "9" -Children: [] -Controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_s3_bucket_cross_region_replication_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_cp_9 + title: Information System Backup (CP-9) + description: The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations. + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_s3_bucket_cross_region_replication_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml index 78dfa69ce..81af982f3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia.yaml @@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_ia -Title: Identification and Authentication (IA) -Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. -SectionCode: ia -Children: - - aws_nist_800_53_rev_4_ia_2 - - aws_nist_800_53_rev_4_ia_5 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia + title: Identification and Authentication (IA) + description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. + section-code: ia + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ia_2 + - id: aws_nist_800_53_rev_4_ia_5 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml index 30726c022..b74a240a2 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2.yaml 
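Review bot: The `description` for the IA family ends with `and how the management of those systems`, a clause with no verb that appears to have been carried over from the old text; since the line is rewritten in this hunk anyway, `... of organizational and non-organizational users and how those systems are managed.` reads as a complete sentence without changing the meaning. The ir_6 hunk has a similar carry-over, `The organization report suspected security incidents`, which should be `The organization reports suspected security incidents`.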
@@ -1,21 +1,27 @@ -ID: aws_nist_800_53_rev_4_ia_2 -Title: Identification and Authentication (Organizational users) (IA-2) -Description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). -SectionCode: "2" -Children: - - aws_nist_800_53_rev_4_ia_2_1 - - aws_nist_800_53_rev_4_ia_2_2 - - aws_nist_800_53_rev_4_ia_2_11 -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_2 + title: Identification and Authentication (Organizational users) (IA-2) + description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ia_2_1 + - id: aws_nist_800_53_rev_4_ia_2_2 + - id: aws_nist_800_53_rev_4_ia_2_11 + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml index 0509a6c20..518f321be 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_1.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_ia_2_1 -Title: IA-2(1) Network Access To Privileged Accounts -Description: The information system implements multi-factor authentication for network access to privileged accounts. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_2_1 + title: IA-2(1) Network Access To Privileged Accounts + description: The information system implements multi-factor authentication for network access to privileged accounts. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml index acf3b77d3..625caf1f8 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_11.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_ia_2_11 -Title: IA-2(11) Remote Access - Separate Device -Description: 'The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].' -SectionCode: "11" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_2_11 + title: IA-2(11) Remote Access - Separate Device + description: "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements]." + section-code: "11" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml index 2a1d11efb..85225cfb4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_2_2.yaml 
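Review bot: The `description` value switched from single to double quotes; the text contains no escape sequences, and under double quotes any backslash added later would be interpreted rather than kept literal, so single quotes are the safer choice for a literal string. For a value of this length a folded block scalar is better still: `description: >-` followed by the sentence wrapped on indented lines yields the same single-line string at runtime, needs no quoting of the `: ` and `[` the text contains, and keeps lines under the length limit. The same quote switch appears in the ia_5_4 hunk and in the sa_10 hunk, where the value runs well past 800 characters and is the strongest candidate for `>-`.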
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_ia_2_2 -Title: IA-2(2) Network Access To Non-Privileged Accounts -Description: The information system implements multifactor authentication for network access to non-privileged accounts. -SectionCode: "2" -Children: [] -Controls: - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_2_2 + title: IA-2(2) Network Access To Non-Privileged Accounts + description: The information system implements multifactor authentication for network access to non-privileged accounts. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml index 8cf41352c..aba684e18 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_ia_5 -Title: Authenticator Management (IA-5) -Description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. -SectionCode: "5" -Children: - - aws_nist_800_53_rev_4_ia_5_1 - - aws_nist_800_53_rev_4_ia_5_4 - - aws_nist_800_53_rev_4_ia_5_7 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_5 + title: Authenticator Management (IA-5) + description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ia_5_1 + - id: aws_nist_800_53_rev_4_ia_5_4 + - id: aws_nist_800_53_rev_4_ia_5_7 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml index 9ff118fbe..d3e7c34d2 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_1.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ia_5_1 -Title: IA-5(1) Password-Based Authentication -Description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_5_1 + title: IA-5(1) Password-Based Authentication + description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml index c36ba8622..07dd74ded 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_4.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ia_5_4 -Title: IA-5(4) Automated Support For Password Strength Determination -Description: 'The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].' -SectionCode: "4" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_5_4 + title: IA-5(4) Automated Support For Password Strength Determination + description: "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]." + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml index dbf1c58eb..7e44bf283 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ia_5_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ia_5_7 -Title: IA-5(7) No Embedded Unencrypted Static Authenticators -Description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. -SectionCode: "7" -Children: [] -Controls: - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/CodeBuild - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ia_5_7 + title: IA-5(7) No Embedded Unencrypted Static Authenticators + description: The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/CodeBuild + type: + - Benchmark + controls: + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml index 90003fa38..f3359c53f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_ir -Title: Incident Response (IR) -Description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. -SectionCode: ir -Children: - - aws_nist_800_53_rev_4_ir_4 - - aws_nist_800_53_rev_4_ir_6 - - aws_nist_800_53_rev_4_ir_7 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir + title: Incident Response (IR) + description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. + section-code: ir + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ir_4 + - id: aws_nist_800_53_rev_4_ir_6 + - id: aws_nist_800_53_rev_4_ir_7 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml index 58a2534b7..922974596 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ir_4 -Title: Incident Handling (IR-4) -Description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly. -SectionCode: "4" -Children: - - aws_nist_800_53_rev_4_ir_4_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_4 + title: Incident Handling (IR-4) + description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ir_4_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml index a21f454e5..a7e9d644d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_4_1.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_ir_4_1 -Title: IR-4(1) Automated Incident Handling Processes -Description: The organization employs automated mechanisms to support the incident handling process. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_finding_archived -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_4_1 + title: IR-4(1) Automated Incident Handling Processes + description: The organization employs automated mechanisms to support the incident handling process. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml index 1c10c7b00..124283de4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ir_6 -Title: Incident Reporting (IR-6) -Description: The organization report suspected security incidents to the organizational incident response capability within organization-defined time period. -SectionCode: "6" -Children: - - aws_nist_800_53_rev_4_ir_6_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_6 + title: Incident Reporting (IR-6) + description: The organization report suspected security incidents to the organizational incident response capability within organization-defined time period. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ir_6_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml index e192e1704..2f2f193c3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_6_1.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ir_6_1 -Title: IR-6(1) Automated Reporting -Description: The organization employs automated mechanisms to assist in the reporting of security incidents. -SectionCode: "1" -Children: [] -Controls: - - aws_guardduty_finding_archived -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_6_1 + title: IR-6(1) Automated Reporting + description: The organization employs automated mechanisms to assist in the reporting of security incidents. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml index 3f8bc78b6..9efceb4f9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ir_7 -Title: Incident Response Assistance (IR-7) -Description: The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. -SectionCode: "7" -Children: - - aws_nist_800_53_rev_4_ir_7_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_7 + title: Incident Response Assistance (IR-7) + description: The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ir_7_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml index b41fa9107..5d8d07076 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ir_7_1.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ir_7_1 -Title: IR-7(1) Automation Support For Availability Of Information / Support -Description: The organization employs automated mechanisms to increase the availability of incident response-related information and support. -SectionCode: "1" -Children: [] -Controls: - - aws_guardduty_finding_archived -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ir_7_1 + title: IR-7(1) Automation Support For Availability Of Information / Support + description: The organization employs automated mechanisms to increase the availability of incident response-related information and support. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml index 480b93650..d87bd2641 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_ra -Title: Risk Assessment (RA) -Description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. -SectionCode: ra -Children: - - aws_nist_800_53_rev_4_ra_5 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ra + title: Risk Assessment (RA) + description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. + section-code: ra + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_ra_5 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml index 0ee17d14f..e6e61de4b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_ra_5.yaml 
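Review bot: The RA family `description` ends with `Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.`, a vendor-marketing sentence that is not part of the NIST 800-53 RA family definition and has no place in a compliance catalogue that other controls here describe neutrally. The sentence predates this commit, but the line is rewritten in this hunk, so it is the right moment to trim it: `description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities.`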
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_ra_5 -Title: Vulnerability Scanning (RA-5) -Description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. -SectionCode: "5" -Children: [] -Controls: - - aws_guardduty_enabled - - aws_guardduty_finding_archived -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_ra_5 + title: Vulnerability Scanning (RA-5) + description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml index 007c6fa5d..c0618805c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_sa -Title: System and Services Acquisition (SA) -Description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls. -SectionCode: sa -Children: - - aws_nist_800_53_rev_4_sa_3 - - aws_nist_800_53_rev_4_sa_10 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_sa + title: System and Services Acquisition (SA) + description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls. + section-code: sa + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_sa_3 + - id: aws_nist_800_53_rev_4_sa_10 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml index a50cc524d..972a56c02 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_10.yaml 
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_4_sa_10
-Title: Developer Configuration Management (SA-10)
-Description: 'The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].'
-SectionCode: "10"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sa_10
+ title: Developer Configuration Management (SA-10)
+ description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
index 8d00f8af9..01fbe70a4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sa_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_4_sa_3
-Title: System Development Life Cycle (SA-3)
-Description: The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
- - aws_ec2_instance_ssm_managed
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sa_3
+ title: System Development Life Cycle (SA-3)
+ description: The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
+ - aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
index 0df0770fe..2b0585bba 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc.yaml
@@ -1,26 +1,31 @@
-ID: aws_nist_800_53_rev_4_sc
-Title: System and Communications Protection (SC)
-Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
-SectionCode: sc
-Children:
- - aws_nist_800_53_rev_4_sc_2
- - aws_nist_800_53_rev_4_sc_4
- - aws_nist_800_53_rev_4_sc_5
- - aws_nist_800_53_rev_4_sc_7
- - aws_nist_800_53_rev_4_sc_8
- - aws_nist_800_53_rev_4_sc_12
- - aws_nist_800_53_rev_4_sc_13
- - aws_nist_800_53_rev_4_sc_23
- - aws_nist_800_53_rev_4_sc_28
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc
+ title: System and Communications Protection (SC)
+ description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+ section-code: sc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_sc_2
+ - id: aws_nist_800_53_rev_4_sc_4
+ - id: aws_nist_800_53_rev_4_sc_5
+ - id: aws_nist_800_53_rev_4_sc_7
+ - id: aws_nist_800_53_rev_4_sc_8
+ - id: aws_nist_800_53_rev_4_sc_12
+ - id: aws_nist_800_53_rev_4_sc_13
+ - id: aws_nist_800_53_rev_4_sc_23
+ - id: aws_nist_800_53_rev_4_sc_28
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
index 72f7d76f7..97dd728d3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_12.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_4_sc_12
-Title: Cryptographic Key Establishment And Management (SC-12)
-Description: 'The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].'
-SectionCode: "12"
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_12
+ title: Cryptographic Key Establishment And Management (SC-12)
+ description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
index caedd1c11..f1d1ac693 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_13.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_sc_13
-Title: Cryptographic Protection (SC-13)
-Description: 'The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'
-SectionCode: "13"
-Children: []
-Controls:
- - aws_dynamodb_table_encrypted_with_kms
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/DynamoDB
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_13
+ title: Cryptographic Protection (SC-13)
+ description: "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/DynamoDB
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_encrypted_with_kms
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
index fa90d4a9d..3dad21969 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_4_sc_2
-Title: Application Partitioning (SC-2)
-Description: The information system separates user functionality (including user interface services) from information system management functionality.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_group_not_empty
- - aws_iam_policy_no_star_star
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_2
+ title: Application Partitioning (SC-2)
+ description: The information system separates user functionality (including user interface services) from information system management functionality.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_not_empty
+ - aws_iam_policy_no_star_star
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
index f7d6028b2..6472268b4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_23.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_4_sc_23
-Title: Session Authenticity (SC-23)
-Description: TThe information system protects the authenticity of communications sessions.
-SectionCode: "23"
-Children: []
-Controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_tls_https_listeners
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/ELB
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_23
+ title: Session Authenticity (SC-23)
+ description: TThe information system protects the authenticity of communications sessions.
+ section-code: "23"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/ELB
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_tls_https_listeners
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
index 1d1171f41..2e11ef130 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_28.yaml
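Review bot: The new-side description keeps the typo `TThe information system protects the authenticity of communications sessions.` from the old file. Since this text is presumably what is displayed for the SC-23 group, and the file is being rewritten anyway, change the line to `description: The information system protects the authenticity of communications sessions.` rather than carrying the typo into the new format.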
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_4_sc_28
-Title: Protection Of Information At Rest (SC-28)
-Description: 'The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].'
-SectionCode: "28"
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_es_domain_encryption_at_rest_enabled
- - aws_kms_key_not_pending_deletion
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_28
+ title: Protection Of Information At Rest (SC-28)
+ description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]."
+ section-code: "28"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_kms_key_not_pending_deletion
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
index 9d0c93ec3..1d4d04bd8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_4_sc_4
-Title: Information In Shared Resources (SC-4)
-Description: The information system prevents unauthorized and unintended information transfer via shared system resources.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_ebs_attached_volume_delete_on_termination_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS/EBS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_4
+ title: Information In Shared Resources (SC-4)
+ description: The information system prevents unauthorized and unintended information transfer via shared system resources.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/EBS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_attached_volume_delete_on_termination_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
index 8fea2a92d..69899b4f6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_5.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_4_sc_5
-Title: Denial Of Service Protection (SC-5)
-Description: 'The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_cross_region_replication_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_5
+ title: Denial Of Service Protection (SC-5)
+ description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
index 65ff5ca49..4c5003140 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7.yaml
@@ -1,47 +1,53 @@
-ID: aws_nist_800_53_rev_4_sc_7
-Title: Boundary Protection (SC-7)
-Description: 'The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.'
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_4_sc_7_3
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_lb_waf_enabled
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_7
+ title: Boundary Protection (SC-7)
+ description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_sc_7_3
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_lb_waf_enabled
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
index dd6285d74..d3047cbfd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_7_3.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_4_sc_7_3
-Title: SC-7(3) Access Points
-Description: The organization limits the number of external network connections to the information system.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_7_3
+ title: SC-7(3) Access Points
+ description: The organization limits the number of external network connections to the information system.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
index 8d989efbe..ca6327459 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8.yaml
@@ -1,25 +1,31 @@
-ID: aws_nist_800_53_rev_4_sc_8
-Title: Transmission Confidentiality And Integrity (SC-8)
-Description: 'The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.'
-SectionCode: "8"
-Children:
- - aws_nist_800_53_rev_4_sc_8_1
-Controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_8
+ title: Transmission Confidentiality And Integrity (SC-8)
+ description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_sc_8_1
+ controls:
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
index 0e8d88286..4aa38a7db 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_sc_8_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_4_sc_8_1
-Title: SC-8(1) Cryptographic Or Alternate Physical Protection
-Description: 'The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_sc_8_1
+ title: SC-8(1) Cryptographic Or Alternate Physical Protection
+ description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
index a2ca8e94e..8d6cfb399 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_4_si
-Title: System and Information Integrity (SI)
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: si
-Children:
- - aws_nist_800_53_rev_4_si_2
- - aws_nist_800_53_rev_4_si_4
- - aws_nist_800_53_rev_4_si_7
- - aws_nist_800_53_rev_4_si_12
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_4:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_4_si
+ title: System and Information Integrity (SI)
+ description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+ section-code: si
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_4:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_4_si_2
+ - id: aws_nist_800_53_rev_4_si_4
+ - id: aws_nist_800_53_rev_4_si_7
+ - id: aws_nist_800_53_rev_4_si_12
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
index 25f368dcb..7b6bbaf30 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_12.yaml
@@ -1,26 +1,31 @@ -ID: aws_nist_800_53_rev_4_si_12 -Title: Information Handling and Retention (SI-12) -Description: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. -SectionCode: "12" -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_12 + title: Information Handling and Retention (SI-12) + description: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. + section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_s3_bucket_versioning_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml index 915307db4..108c5dfb0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_si_2 -Title: Flaw Remediation (SI-2) -Description: 'The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process.' -SectionCode: "2" -Children: - - aws_nist_800_53_rev_4_si_2_2 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_2 + title: Flaw Remediation (SI-2) + description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_si_2_2 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml index 53f7eb959..4fa01fe97 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_2_2.yaml @@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_si_2_2 -Title: SI-2(2) Automates Flaw Remediation Status -Description: The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation. -SectionCode: "2" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_2_2 + title: SI-2(2) Automates Flaw Remediation Status + description: The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml index be02c87e5..c54afe057 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4.yaml 
@@ -1,30 +1,36 @@ -ID: aws_nist_800_53_rev_4_si_4 -Title: Information System Monitoring (SI-4) -Description: 'The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].' 
-SectionCode: "4" -Children: - - aws_nist_800_53_rev_4_si_4_1 - - aws_nist_800_53_rev_4_si_4_2 - - aws_nist_800_53_rev_4_si_4_4 - - aws_nist_800_53_rev_4_si_4_5 - - aws_nist_800_53_rev_4_si_4_16 -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_elb_application_lb_waf_enabled - - aws_guardduty_enabled - - aws_guardduty_finding_archived - - aws_securityhub_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4 + title: Information System Monitoring (SI-4) + description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. 
Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_si_4_1 + - id: aws_nist_800_53_rev_4_si_4_2 + - id: aws_nist_800_53_rev_4_si_4_4 + - id: aws_nist_800_53_rev_4_si_4_5 + - id: aws_nist_800_53_rev_4_si_4_16 + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_elb_application_lb_waf_enabled + - aws_guardduty_enabled + - aws_guardduty_finding_archived + - aws_securityhub_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml index e4eda7c1a..f38fb375b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_1.yaml 
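Review bot: The `description` for SI-4 is a single double-quoted scalar of well over a thousand characters, which makes the file hard to diff and review and is the reason the line is already wrapped mid-sentence in this rendering. A folded block scalar keeps the value identical at runtime while letting the text wrap, i.e. `description: >-` followed by the same sentences indented under it. The same treatment would help the long quoted descriptions in si_2, si_4_5, si_7 and ac_16 in this diff; it changes formatting only, so it can be done in a follow-up without touching the migration logic.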
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_4_si_4_1 -Title: SI-4(1) System-Wide Intrusion Detection System -Description: The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. -SectionCode: "1" -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4_1 + title: SI-4(1) System-Wide Intrusion Detection System + description: The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml index a3e16529c..f22f18a80 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_16.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_4_si_4_16 -Title: SI-4(16) Correlate Monitoring Information -Description: The organization correlates information from monitoring tools employed throughout the information system. -SectionCode: "16" -Children: [] -Controls: - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4_16 + title: SI-4(16) Correlate Monitoring Information + description: The organization correlates information from monitoring tools employed throughout the information system. + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml index 6a1a69808..4e2842c27 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_2.yaml 
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_4_si_4_2 -Title: SI-4(2) Automated Tools For Real-Time Analysis -Description: The organization employs automated tools to support near real-time analysis of events. -SectionCode: "2" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_ec2_instance_detailed_monitoring_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4_2 + title: SI-4(2) Automated Tools For Real-Time Analysis + description: The organization employs automated tools to support near real-time analysis of events. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_ec2_instance_detailed_monitoring_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml index 6423726ed..b41cf9d6f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_4.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_si_4_4 -Title: SI-4(4) Inbound and Outbound Communications Traffic -Description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions. -SectionCode: "4" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4_4 + title: SI-4(4) Inbound and Outbound Communications Traffic + description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml index 13d118001..a804579d6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_4_5.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_4_si_4_5 -Title: SI-4(5) System-Generated Alerts -Description: 'The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].' -SectionCode: "5" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_4_5 + title: SI-4(5) System-Generated Alerts + description: "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml index 18cc0a7b5..57747f95d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7.yaml 
@@ -1,19 +1,25 @@ -ID: aws_nist_800_53_rev_4_si_7 -Title: Software, Firmware, and Information Integrity (SI-7) -Description: 'The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].' -SectionCode: "7" -Children: - - aws_nist_800_53_rev_4_si_7_1 -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_7 + title: Software, Firmware, and Information Integrity (SI-7) + description: "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]." + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_4_si_7_1 + controls: + - aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml index 68dcfe1e5..f5eba7458 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_4/aws_nist_800_53_rev_4_si_7_1.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_4_si_7_1 -Title: SI-7(1) Integrity Checks -Description: The information system performs an integrity check of security relevant events at least monthly. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_4_si_7_1 + title: SI-7(1) Integrity Checks + description: The information system performs an integrity check of security relevant events at least monthly. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_4: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_4/root.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_4/root.yaml deleted file mode 100755 index 97fb97843..000000000 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_4/root.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -ID: aws_nist_800_53_rev_4 -Title: NIST 800-53 Revision 4 -Description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. -SectionCode: aws_nist_800_53_rev_4 -Children: - - aws_nist_800_53_rev_4_ac - - aws_nist_800_53_rev_4_au - - aws_nist_800_53_rev_4_ca - - aws_nist_800_53_rev_4_cm - - aws_nist_800_53_rev_4_cp - - aws_nist_800_53_rev_4_ia - - aws_nist_800_53_rev_4_ir - - aws_nist_800_53_rev_4_ra - - aws_nist_800_53_rev_4_sa - - aws_nist_800_53_rev_4_sc - - aws_nist_800_53_rev_4_si -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - nist_800_53_rev_4: - - "true" - platform_benchmark_type: - - compliance - platform_category: - - Frameworks - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml new file mode 100644 index 000000000..b4f46fd68 --- /dev/null +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5.yaml 
@@ -0,0 +1,41 @@ +framework: + id: aws_nist_800_53_rev_5 + title: NIST 800-53 Revision 5 + description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. + section-code: aws_nist_800_53_rev_5 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + platform_benchmark_type: + - compliance + platform_category: + - Frameworks + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac + - id: aws_nist_800_53_rev_5_au + - id: aws_nist_800_53_rev_5_ca + - id: aws_nist_800_53_rev_5_cm + - id: aws_nist_800_53_rev_5_cp + - id: aws_nist_800_53_rev_5_ia + - id: aws_nist_800_53_rev_5_ir + - id: aws_nist_800_53_rev_5_ma + - id: aws_nist_800_53_rev_5_mp + - id: aws_nist_800_53_rev_5_pe + - id: aws_nist_800_53_rev_5_pm + - id: aws_nist_800_53_rev_5_ra + - id: aws_nist_800_53_rev_5_sa + - id: aws_nist_800_53_rev_5_sc + - id: aws_nist_800_53_rev_5_si diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml index 1b6180cd1..22d87d94b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac.yaml 
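Review bot: The new framework's `description` is word-for-word the text of the Rev 4 root that this diff deletes ("NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls ..."), so a user choosing between the two frameworks in a picker sees no difference. A revision-specific sentence would help, and the diff itself supports one: this root lists the `ma`, `mp`, `pe` and `pm` families that the Rev 4 root did not, so something like `Revision 5 of the catalogue; this mapping additionally covers the MA, MP, PE and PM control families.` is grounded in what the file declares. Note also that this root sets `auto-assign: false` while every control-group file in the diff sets `auto-assign: null`; if those are meant to differ (explicit at the root, inherited below), a short comment here would save the next maintainer from "fixing" one to match the other.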
@@ -1,26 +1,31 @@ -ID: aws_nist_800_53_rev_5_ac -Title: Access Control (AC) -Description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. -SectionCode: ac -Children: - - aws_nist_800_53_rev_5_ac_2 - - aws_nist_800_53_rev_5_ac_3 - - aws_nist_800_53_rev_5_ac_4 - - aws_nist_800_53_rev_5_ac_5 - - aws_nist_800_53_rev_5_ac_6 - - aws_nist_800_53_rev_5_ac_7 - - aws_nist_800_53_rev_5_ac_16 - - aws_nist_800_53_rev_5_ac_17 - - aws_nist_800_53_rev_5_ac_24 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac + title: Access Control (AC) + description: The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access. + section-code: ac + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac_2 + - id: aws_nist_800_53_rev_5_ac_3 + - id: aws_nist_800_53_rev_5_ac_4 + - id: aws_nist_800_53_rev_5_ac_5 + - id: aws_nist_800_53_rev_5_ac_6 + - id: aws_nist_800_53_rev_5_ac_7 + - id: aws_nist_800_53_rev_5_ac_16 + - id: aws_nist_800_53_rev_5_ac_17 + - id: aws_nist_800_53_rev_5_ac_24 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
index 96e1b2da6..b2c8e0b65 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16.yaml
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_ac_16 -Title: Security And Privacy Attributes (AC-16) -Description: 'a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes].' -SectionCode: "16" -Children: - - aws_nist_800_53_rev_5_ac_16_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_16 + title: Security And Privacy Attributes (AC-16) + description: "a.\u2003Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b.\u2003Ensure that the attribute associations are made and retained with the information; c.\u2003Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]." + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac_16_b 
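Review bot: The rewritten `description` now encodes a U+2003 EM SPACE after each clause label (`a.\u2003Provide`, `b.\u2003Ensure`, `c.\u2003Establish`), presumably carried over from the source document and surfaced by the switch to double quotes. That character renders inconsistently across UIs and terminals and breaks plain-text search for "a. Provide", while every other description in this diff (for example AC-17 in the next file) uses ordinary ASCII spacing. Replacing the three escapes with a normal space, `a. Provide ... b. Ensure ... c. Establish ...`, keeps the wording and makes the file consistent with its siblings.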
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml index 3196a22e6..920a13aa4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_16_b.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_ac_16_b -Title: AC-16(b) -Description: Ensure that the attribute associations are made and retained with the information. -SectionCode: b -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_16_b + title: AC-16(b) + description: Ensure that the attribute associations are made and retained with the information. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml index dbc1f3d38..57b22a746 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17.yaml 
@@ -1,23 +1,28 @@ -ID: aws_nist_800_53_rev_5_ac_17 -Title: Remote Access (AC-17) -Description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. -SectionCode: "17" -Children: - - aws_nist_800_53_rev_5_ac_17_1 - - aws_nist_800_53_rev_5_ac_17_2 - - aws_nist_800_53_rev_5_ac_17_4 - - aws_nist_800_53_rev_5_ac_17_9 - - aws_nist_800_53_rev_5_ac_17_10 - - aws_nist_800_53_rev_5_ac_17_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_17 + title: Remote Access (AC-17) + description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems. + section-code: "17" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac_17_1 + - id: aws_nist_800_53_rev_5_ac_17_2 + - id: aws_nist_800_53_rev_5_ac_17_4 + - id: aws_nist_800_53_rev_5_ac_17_9 + - id: aws_nist_800_53_rev_5_ac_17_10 + - id: aws_nist_800_53_rev_5_ac_17_b diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml index e6ec2619d..e91e4620d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_1.yaml 
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_ac_17_1
-Title: AC-17(1) Monitoring And Control
-Description: Employ automated mechanisms to monitor and control remote access methods.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_1
+ title: AC-17(1) Monitoring And Control
+ description: Employ automated mechanisms to monitor and control remote access methods.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
index 2dbbd53f0..4c060beca 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_10.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_ac_17_10
-Title: AC-17(10) Authenticate Remote Commands
-Description: 'Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].'
-SectionCode: "10"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_10
+ title: AC-17(10) Authenticate Remote Commands
+ description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
index 658e12146..bcc571387 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_2.yaml
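Review bot: The `description` of `aws_nist_800_53_rev_5_ac_17_10` does not match its `title`: the title is "AC-17(10) Authenticate Remote Commands", but the description is the disconnect-or-disable statement that the AC-17(9) hunk in this same diff carries word for word, and the `controls:` list is the same 21 public-exposure checks as AC-17(9) and AC-17(1). The new schema keeps the old text unchanged, so the mix-up survives the migration; the rev 5 enhancement AC-17(10) concerns implementing organization-defined mechanisms to authenticate organization-defined remote commands, and the description should be replaced with that statement rather than the AC-17(9) one. Whether the public-exposure control set is the intended mapping for an authenticate-remote-commands enhancement is worth confirming with the framework owner, since as written AC-17(9) and AC-17(10) are indistinguishable except by title.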
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_ac_17_2
-Title: AC-17(2) Protection Of Confidentiality And Integrity Using Encryption
-Description: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_2
+ title: AC-17(2) Protection Of Confidentiality And Integrity Using Encryption
+ description: Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
index bcdb8a5ba..2602c7fbb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_17_4
-Title: AC-17(4) Privileged Commands And Access
-Description: 'a. Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b. Document the rationale for remote access in the security plan for the system.'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ac_17_4_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_4
+ title: AC-17(4) Privileged Commands And Access
+ description: "a.\u2003Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b.\u2003Document the rationale for remote access in the security plan for the system."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_17_4_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
index fc1eecd15..a3c927fba 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_4_a.yaml
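Review bot: The new `description` of `aws_nist_800_53_rev_5_ac_17_4` contains the escape `\u2003` (an em space) after "a." and "b.", where the removed line had an ordinary space; because the value is now double-quoted, the escape is decoded and a non-ASCII whitespace character lands in the stored description. That differs from every other description in this diff, is invisible in most renderers, and breaks plain-text search and equality matching on the description text. Replace the two escapes with a normal space, i.e. `a. Authorize` and `b. Document`, so the text round-trips identically to the old value. The same check is worth running over the rest of the migration for other `\u` escapes that crept in during re-quoting.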
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_ac_17_4_a
-Title: AC-17(4)(a)
-Description: 'Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];'
-SectionCode: a
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_4_a
+ title: AC-17(4)(a)
+ description: "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
index b3035b697..b14fb2b6c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_9.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_ac_17_9
-Title: AC-17(9) Disconnect Or Disable Access
-Description: 'Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].'
-SectionCode: "9"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_9
+ title: AC-17(9) Disconnect Or Disable Access
+ description: "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
index ef5ba6f3e..eed67b1c4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_17_b.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_ac_17_b
-Title: AC-17(b)
-Description: Authorize each type of remote access to the system prior to allowing such connections.
-SectionCode: b
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_17_b
+ title: AC-17(b)
+ description: Authorize each type of remote access to the system prior to allowing such connections.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
index 320cc5c28..73af15e17 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2.yaml
@@ -1,26 +1,31 @@
-ID: aws_nist_800_53_rev_5_ac_2
-Title: Account Management (AC-2)
-Description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_5_ac_2_1
- - aws_nist_800_53_rev_5_ac_2_3
- - aws_nist_800_53_rev_5_ac_2_4
- - aws_nist_800_53_rev_5_ac_2_6
- - aws_nist_800_53_rev_5_ac_2_12
- - aws_nist_800_53_rev_5_ac_2_d_1
- - aws_nist_800_53_rev_5_ac_2_g
- - aws_nist_800_53_rev_5_ac_2_i_2
- - aws_nist_800_53_rev_5_ac_2_j
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2
+ title: Account Management (AC-2)
+ description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_2_1
+ - id: aws_nist_800_53_rev_5_ac_2_3
+ - id: aws_nist_800_53_rev_5_ac_2_4
+ - id: aws_nist_800_53_rev_5_ac_2_6
+ - id: aws_nist_800_53_rev_5_ac_2_12
+ - id: aws_nist_800_53_rev_5_ac_2_d_1
+ - id: aws_nist_800_53_rev_5_ac_2_g
+ - id: aws_nist_800_53_rev_5_ac_2_i_2
+ - id: aws_nist_800_53_rev_5_ac_2_j
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
index 2d22876aa..bfde6a245 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24.yaml
@@ -1,34 +1,40 @@
-ID: aws_nist_800_53_rev_5_ac_24
-Title: Access Control Decisions (AC-24)
-Description: '[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.'
-SectionCode: "24"
-Children:
- - aws_nist_800_53_rev_5_ac_24_1
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_24
+ title: Access Control Decisions (AC-24)
+ description: "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement."
+ section-code: "24"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_24_1
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
index e2b88a6fc..cdf380431 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_24_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_24_1
-Title: AC-24(1)
-Description: 'Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_24_1
+ title: AC-24(1)
+ description: "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml
index 9b7cfffbf..61f5d503b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_1.yaml 
@@ -1,32 +1,37 @@
-ID: aws_nist_800_53_rev_5_ac_2_1
-Title: AC-2(1) Automated System Account Management
-Description: 'Support the management of system accounts using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_1
+ title: AC-2(1) Automated System Account Management
+ description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
index ca648d388..9d6ce2b04 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_2_12
-Title: AC-2(12) Account Monitoring
-Description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
-SectionCode: "12"
-Children:
- - aws_nist_800_53_rev_5_ac_2_12_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_12
+ title: AC-2(12) Account Monitoring
+ description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_2_12_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
index 5fc497eae..bf613877c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_12_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_2_12_a
-Title: AC-2(12)(a)
-Description: 'Monitor system accounts for [Assignment: organization-defined atypical usage].'
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_12_a
+ title: AC-2(12)(a)
+ description: "Monitor system accounts for [Assignment: organization-defined atypical usage]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
index 8c7bbc9d3..9d3969d98 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3.yaml
@@ -1,23 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_2_3
-Title: AC-2(3) Disable Accounts
-Description: 'Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].'
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_ac_2_3_a
- - aws_nist_800_53_rev_5_ac_2_3_b
- - aws_nist_800_53_rev_5_ac_2_3_c
- - aws_nist_800_53_rev_5_ac_2_3_d
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_3
+ title: AC-2(3) Disable Accounts
+ description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_2_3_a
+ - id: aws_nist_800_53_rev_5_ac_2_3_b
+ - id: aws_nist_800_53_rev_5_ac_2_3_c
+ - id: aws_nist_800_53_rev_5_ac_2_3_d
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
index c64f7aef6..372da220e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
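Review bot: Under AC-2(3) "Disable Accounts", `aws_iam_account_password_policy_min_length_14` is listed as evidence both here and in each of the four sub-groups that follow (ac_2_3_a through ac_2_3_d, the next four hunks), but a minimum password length does not show that expired, orphaned, non-compliant or inactive accounts get disabled; of the two controls only `aws_iam_user_unused_credentials_90` speaks to that, and only for the inactivity case (d). The mapping is carried over from the old side rather than introduced by this commit, so it may be deliberate, but a migration that rewrites every line is the natural moment to either drop the password-length control from these five groups or mark it, e.g. `# supporting control only; unused_credentials_90 is the direct evidence for AC-2(3)(d)`, so a passing check is not read as proof the accounts are being disabled.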
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_a.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ac_2_3_a
-Title: AC-2(3)(a)
-Description: 'Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_3_a
+ title: AC-2(3)(a)
+ description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
index ee6861ee4..a7f8659ca 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_b.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ac_2_3_b
-Title: AC-2(3)(b)
-Description: 'Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual.'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_3_b
+ title: AC-2(3)(b)
+ description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
index ab91fa216..ed951b843 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_c.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ac_2_3_c
-Title: AC-2(3)(c)
-Description: 'Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy.'
-SectionCode: c
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_3_c
+ title: AC-2(3)(c)
+ description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
index a6986b300..116d2baf5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_3_d.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ac_2_3_d
-Title: AC-2(3)(d)
-Description: 'Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period].'
-SectionCode: d
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_3_d
+ title: AC-2(3)(d)
+ description: "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
index a4d78ae9c..e0615b054 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_4.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_2_4
-Title: AC-2(4) Automated Audit Actions
-Description: Automatically audit account creation, modification, enabling, disabling, and removal actions.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_4
+ title: AC-2(4) Automated Audit Actions
+ description: Automatically audit account creation, modification, enabling, disabling, and removal actions.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
index d6f65aa85..8f74e55b5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_6.yaml
@@ -1,41 +1,46 @@
-ID: aws_nist_800_53_rev_5_ac_2_6
-Title: AC-2(6) Dynamic Privilege Management
-Description: 'Implement [Assignment: organization-defined dynamic privilege management capabilities].'
-SectionCode: "6"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_6
+ title: AC-2(6) Dynamic Privilege Management
+ description: "Implement [Assignment: organization-defined dynamic privilege management capabilities]."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
index 692ad5265..89433a763 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_d_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_2_d_1
-Title: AC-2(d)(1)
-Description: 'd. Specify: 1. Authorized users of the system;personnel termination and transfer processes.'
-SectionCode: d_1
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_d_1
+ title: AC-2(d)(1)
+ description: "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes."
+ section-code: d_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
index bfd583078..71b57f280 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_g.yaml
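Review bot: The description `"d. Specify: 1. Authorized users of the system;personnel termination and transfer processes."` reads as two fragments fused at the semicolon — the first clause is the AC-2(d)(1) item, while "personnel termination and transfer processes" does not follow from "Specify:" and looks like text spilled in from a neighbouring item. The text is unchanged from the old side, but since this commit re-quotes every description anyway it is the cheapest moment to check it against the source catalogue and, at minimum, restore the missing space after the semicolon. The single control mapped here (`aws_iam_account_password_policy_min_length_14`) is also a weak fit for "specify authorized users"; a short `# rationale:` comment on the `controls:` key would tell the next maintainer whether that is intended.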
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_2_g
-Title: AC-2(g)
-Description: 'The organization: g. Monitors the use of information system accounts.'
-SectionCode: g
-Children: []
-Controls:
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_g
+ title: AC-2(g)
+ description: "The organization: g. Monitors the use of information system accounts."
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
index 960e6c2e8..b55fcd69a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_i_2.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_ac_2_i_2
-Title: AC-2(i)(2)
-Description: 'i. Authorize access to the system based on: 2. Intended system usage.'
-SectionCode: i_2
-Children: []
-Controls:
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_i_2
+ title: AC-2(i)(2)
+ description: "i. Authorize access to the system based on: 2. Intended system usage."
+ section-code: i_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
index 1279fac91..71265bf25 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_2_j.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_2_j
-Title: AC-2(j)
-Description: 'The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].'
-SectionCode: j
-Children: []
-Controls:
- - aws_iam_user_unused_credentials_90
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_2_j
+ title: AC-2(j)
+ description: "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]."
+ section-code: j
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
index a09954677..ff3adacf1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3.yaml
@@ -1,53 +1,59 @@
-ID: aws_nist_800_53_rev_5_ac_3
-Title: Access Enforcement (AC-3)
-Description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_ac_3_1
- - aws_nist_800_53_rev_5_ac_3_2
- - aws_nist_800_53_rev_5_ac_3_3
- - aws_nist_800_53_rev_5_ac_3_4
- - aws_nist_800_53_rev_5_ac_3_7
- - aws_nist_800_53_rev_5_ac_3_8
- - aws_nist_800_53_rev_5_ac_3_10
- - aws_nist_800_53_rev_5_ac_3_12
- - aws_nist_800_53_rev_5_ac_3_13
- - aws_nist_800_53_rev_5_ac_3_15
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3
+ title: Access Enforcement (AC-3)
+ description: Enforce approved 
authorizations for logical access to information and system resources in accordance with applicable access control policies.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_3_1
+ - id: aws_nist_800_53_rev_5_ac_3_2
+ - id: aws_nist_800_53_rev_5_ac_3_3
+ - id: aws_nist_800_53_rev_5_ac_3_4
+ - id: aws_nist_800_53_rev_5_ac_3_7
+ - id: aws_nist_800_53_rev_5_ac_3_8
+ - id: aws_nist_800_53_rev_5_ac_3_10
+ - id: aws_nist_800_53_rev_5_ac_3_12
+ - id: aws_nist_800_53_rev_5_ac_3_13
+ - id: aws_nist_800_53_rev_5_ac_3_15
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml
index 164b042bd..73f78f133 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_3_1
-Title: AC-3(1) Restricted Access To Privileged Functions
-Description: 'Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_1
+ title: AC-3(1) Restricted Access To Privileged Functions
+ description: "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
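Review bot: The description kept for AC-3(1), `"Employ an audited override of automated access control mechanisms under […] by […]."`, is the text of AC-3(10) "Audited Override Of Access Control Mechanisms" in the next hunk (the two differ only by the word "control"), while the title here says "Restricted Access To Privileged Functions"; title and description do not describe the same enhancement, and the seven CloudTrail/logging controls are the same set as AC-3(10), only in a different order. If I recall correctly AC-3(1) is withdrawn in Rev. 5 and folded into AC-6, which would explain why it has no text of its own, but that is from memory and should be checked against the catalogue. The mismatch predates this commit; a migration that rewrites every line is the place to either give the group its proper text or mark it, e.g. `# AC-3(1) intentionally mirrors AC-3(10); see <reference placeholder>`, so the duplication is not mistaken for a copy-paste error.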
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml
index c2d9a7c9e..5a06b2071 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_10.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_3_10
-Title: AC-3(10) Audited Override Of Access Control Mechanisms
-Description: 'Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].'
-SectionCode: "10"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_10
+ title: AC-3(10) Audited Override Of Access Control Mechanisms
+ description: "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml
index f05e8a402..3194947ef 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ac_3_12
-Title: AC-3(12) Assert And Enforce Application Access
-Description: 'a. Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b. Provide an enforcement mechanism to prevent unauthorized access; and c. Approve access changes after initial installation of the application.'
-SectionCode: "12"
-Children:
- - aws_nist_800_53_rev_5_ac_3_12_a
- - aws_nist_800_53_rev_5_ac_3_12_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_12
+ title: AC-3(12) Assert And Enforce Application Access
+ description: "a.\u2003Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b.\u2003Provide an enforcement mechanism to prevent unauthorized access; and c.\u2003Approve access changes after initial installation of the application."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_3_12_a
+ - id: aws_nist_800_53_rev_5_ac_3_12_b
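Review bot: The re-quoted description now carries `\u2003` escapes (`"a.\u2003Require applications …;b.\u2003Provide …; and c.\u2003Approve …"`) where the removed single-quoted line shows an ordinary space after each "a."/"b."/"c.". In a double-quoted YAML scalar `\u2003` decodes to U+2003 EM SPACE, so unless the old file already held literal em spaces that the serializer is now escaping, this changes the stored text; either way it is the only description in this diff with non-ASCII whitespace, which will trip anything that greps or string-matches it. Writing plain spaces, `"a. Require applications to assert, …"`, keeps the text portable; if the em spaces are intentional, a comment above the key saying so will stop the next reviewer from "fixing" them. The same AC-3(12) text is split across the `_a` and `_b` child hunks, and `controls` is dropped here rather than carried as `controls: []`, which again assumes the loader defaults a missing key to an empty list.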
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml
index 7d9bac8cb..0f6ebe212 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_a.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_12_a
-Title: AC-3(12)(a)
-Description: 'Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions].'
-SectionCode: a
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_12_a
+ title: AC-3(12)(a)
+ description: "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml
index 274713f22..b6d3ec486 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_12_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_3_12_b
-Title: AC-3(12)(b)
-Description: Provide an enforcement mechanism to prevent unauthorized access;
-SectionCode: b
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_12_b
+ title: AC-3(12)(b)
+ description: Provide an enforcement mechanism to prevent unauthorized access;
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml
index 17baa5b61..0d0143d8c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_13.yaml
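Review bot: `description: Provide an enforcement mechanism to prevent unauthorized access;` carries a stray trailing semicolon into the new format (the old side had it too); the sub-item text was evidently cut from the parent's "a. …; b. …; and c. …" list where the `;` joined it to the next item. Ending it with a period, `description: Provide an enforcement mechanism to prevent unauthorized access.`, matches the other descriptions in this diff. Mapping only `aws_guardduty_enabled` to an "enforcement mechanism" is also a detection control standing in for a prevention requirement; a one-line `# rationale:` comment on `controls:` would make that trade-off explicit for whoever audits the mapping.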
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_13 -Title: AC-3(13) Attribute-Based Access Control -Description: 'Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].' -SectionCode: "13" -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_13 + title: AC-3(13) Attribute-Based Access Control + description: "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]." 
+ section-code: "13" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml index 8d7f0f139..7f1f0a71d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15.yaml 
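Review bot: The controls under AC-3(13) Attribute-Based Access Control are, judging by their ids, MFA, password-policy, credential-age, inline-policy and secret-rotation checks; none of them appears to evaluate attribute- or tag-based access conditions, so the list reads as a generic IAM-hygiene baseline rather than evidence of ABAC. Consider a comment above `controls:` such as `# shared IAM baseline reused across AC-3 enhancements; no control here evaluates attribute-based conditions`, so the group is not mistaken for ABAC coverage. The identical sixteen-control list is repeated verbatim in ac_3_15_a, ac_3_15_b, ac_3_3 and ac_3_3_a through ac_3_3_b_5 in the following hunks.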
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_ac_3_15 -Title: AC-3(15) Discretionary And Mandatory Access Control -Description: 'a. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.' -SectionCode: "15" -Children: - - aws_nist_800_53_rev_5_ac_3_15_a - - aws_nist_800_53_rev_5_ac_3_15_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_15 + title: AC-3(15) Discretionary And Mandatory Access Control + description: "a.\u2003Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b.\u2003Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." + section-code: "15" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac_3_15_a + - id: aws_nist_800_53_rev_5_ac_3_15_b diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml index 0191a4194..a6a76cbf3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_a.yaml 
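Review bot: The new `description` encodes U+2003 em spaces (`a.\u2003Enforce` and `b.\u2003Enforce`) where the removed line shows an ordinary space; inside double quotes the escape is honoured, so the em space survives into the loaded string, renders with odd spacing in any UI, and will not match a plain-text search for `a. Enforce`. Replace each `\u2003` with a single space so the value becomes `"a. Enforce [Assignment: ...]; and b. Enforce [Assignment: ...]"`, matching how the other descriptions in this diff are written.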
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_15_a -Title: AC-3(15)(a) -Description: 'Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy.' -SectionCode: a -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_15_a + title: AC-3(15)(a) + description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy." 
+ section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml index 93784f515..120d36b7a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_15_b.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_15_b -Title: AC-3(15)(b) -Description: 'Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.' -SectionCode: b -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_15_b + title: AC-3(15)(b) + description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." 
+ section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml index f8ccbb3c8..857de5ea0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_2.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_ac_3_2 -Title: AC-3(2) Dual Authorization -Description: 'Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].' -SectionCode: "2" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_2 + title: AC-3(2) Dual Authorization + description: "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml index 30bfc05cc..32f7f6ede 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3.yaml 
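Review bot: The `service` tag here is `AWS/IAM`, while ac_3_13, ac_3_15_a, ac_3_15_b and the ac_3_3 children tag the same IAM controls as `AWS`; pick one convention across the framework, and since every control in this group is an IAM check, `AWS/IAM` is the more precise value to propagate to those groups (or use `AWS` here for consistency). Also, the four MFA controls verify a second factor for a single principal, which is not the two-person rule that AC-3(2) Dual Authorization describes; a comment above `controls:` such as `# MFA used as a partial proxy; no control enforces two-person authorization` would keep the mapping from being read as full coverage.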
@@ -1,40 +1,46 @@ -ID: aws_nist_800_53_rev_5_ac_3_3 -Title: AC-3(3) Mandatory Access Control -Description: 'Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.' 
-SectionCode: "3" -Children: - - aws_nist_800_53_rev_5_ac_3_3_a - - aws_nist_800_53_rev_5_ac_3_3_b_1 - - aws_nist_800_53_rev_5_ac_3_3_b_2 - - aws_nist_800_53_rev_5_ac_3_3_b_3 - - aws_nist_800_53_rev_5_ac_3_3_b_4 - - aws_nist_800_53_rev_5_ac_3_3_b_5 - - aws_nist_800_53_rev_5_ac_3_3_c -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3 + title: AC-3(3) Mandatory Access Control + description: "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies 
that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ac_3_3_a + - id: aws_nist_800_53_rev_5_ac_3_3_b_1 + - id: aws_nist_800_53_rev_5_ac_3_3_b_2 + - id: aws_nist_800_53_rev_5_ac_3_3_b_3 + - id: aws_nist_800_53_rev_5_ac_3_3_b_4 + - id: aws_nist_800_53_rev_5_ac_3_3_b_5 + - id: aws_nist_800_53_rev_5_ac_3_3_c + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml index 9aee9cdc7..088433132 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_a.yaml 
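Review bot: ac_3_3 lists all sixteen controls directly under `controls:` and also nests seven child groups, and ac_3_3_a through ac_3_3_b_5 in the following hunks each list the same sixteen controls again; if the loader aggregates child results into the parent, every control is counted twice for AC-3(3), which will skew the group's pass/fail ratio. Either drop the parent-level `controls:` block and keep the mappings on the leaf groups only, or add a comment above `controls:` explaining why the duplication is intentional. The removed side carried the same duplication, so this is pre-existing, but the schema migration is the natural point to resolve it.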
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_3_a -Title: AC-3(3)(a) -Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system.' -SectionCode: a -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3_a + title: AC-3(3)(a) + description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system." 
+ section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml index 7572f4f81..db96fc0bf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_1.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_3_b_1 -Title: AC-3(3)(b)(1) -Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects.' -SectionCode: b_1 -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3_b_1 + title: AC-3(3)(b)(1) + description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects." 
+ section-code: b_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml index 848e172e1..3fd253797 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_2.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_3_b_2 -Title: AC-3(3)(b)(2) -Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects.' -SectionCode: b_2 -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3_b_2 + title: AC-3(3)(b)(2) + description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects." 
+ section-code: b_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml index e30a7c117..d2991aa1a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_3.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_3_b_3 -Title: AC-3(3)(b)(3) -Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components.' -SectionCode: b_3 -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3_b_3 + title: AC-3(3)(b)(3) + description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components." 
+ section-code: b_3 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml index cc87dcfc2..f8d4bbcaa 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_4.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_ac_3_3_b_4 -Title: AC-3(3)(b)(4) -Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects.' -SectionCode: b_4 -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ac_3_3_b_4 + title: AC-3(3)(b)(4) + description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects." 
+ section-code: b_4 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml index 6565a51d0..4f1afb740 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_b_5.yaml 
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_3_b_5
-Title: AC-3(3)(b)(5)
-Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access.'
-SectionCode: b_5
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_3_b_5
+ title: AC-3(3)(b)(5)
+ description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access."
+ section-code: b_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
index a7be92ba7..1e4124fe6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_3_c.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_3_c
-Title: AC-3(3)(c)
-Description: 'Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.'
-SectionCode: c
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_3_c
+ title: AC-3(3)(c)
+ description: "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
index e3ea63eac..fd2f494c3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4.yaml
@@ -1,38 +1,44 @@
-ID: aws_nist_800_53_rev_5_ac_3_4
-Title: AC-3(4) Discretionary Access Control
-Description: 'Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ac_3_4_a
- - aws_nist_800_53_rev_5_ac_3_4_b
- - aws_nist_800_53_rev_5_ac_3_4_c
- - aws_nist_800_53_rev_5_ac_3_4_d
- - aws_nist_800_53_rev_5_ac_3_4_e
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4
+ title: AC-3(4) Discretionary Access Control
+ description: "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_3_4_a
+ - id: aws_nist_800_53_rev_5_ac_3_4_b
+ - id: aws_nist_800_53_rev_5_ac_3_4_c
+ - id: aws_nist_800_53_rev_5_ac_3_4_d
+ - id: aws_nist_800_53_rev_5_ac_3_4_e
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
index 62db8a4ad..143592823 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_a.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_4_a
-Title: AC-3(4)(a)
-Description: 'Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects.'
-SectionCode: a
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4_a
+ title: AC-3(4)(a)
+ description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
index 12eff9ef4..0d35360c3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_b.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_4_b
-Title: AC-3(4)(b)
-Description: 'Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects.'
-SectionCode: b
-Children: []
-Controls:
- - aws_secretsmanager_secret_unused_90_day
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_iam_user_unused_credentials_90
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_access_key_age_90
- - aws_iam_root_user_no_access_keys
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_policy_no_star_star
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_account_password_policy_min_length_14
- - aws_ec2_instance_uses_imdsv2
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4_b
+ title: AC-3(4)(b)
+ description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_secretsmanager_secret_unused_90_day
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_iam_user_unused_credentials_90
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_access_key_age_90
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_policy_no_star_star
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_account_password_policy_min_length_14
+ - aws_ec2_instance_uses_imdsv2
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
index 8345ccfb2..bbbc9871e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_c.yaml
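Review bot: The `controls` list in this hunk holds the same 16 checks as its siblings AC-3(4)(a), (c), (d) and (e) but in exactly reverse order, which hides the fact that the lists are identical and makes any future diff against the sibling files noisy. If position carries no meaning for the loader, order it the way the siblings do, starting with `aws_ec2_instance_uses_imdsv2` and ending with `aws_secretsmanager_secret_unused_90_day`. If position does carry meaning (evaluation or display priority), the reversal only in this one file looks accidental and is worth confirming before merge.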
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_4_c
-Title: AC-3(4)(c)
-Description: 'Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components.'
-SectionCode: c
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4_c
+ title: AC-3(4)(c)
+ description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
index c6cfe6d2f..cd1225cad 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_d.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_4_d
-Title: AC-3(4)(d)
-Description: 'Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects.'
-SectionCode: d
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4_d
+ title: AC-3(4)(d)
+ description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
index fb181cf27..37d3c988b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_4_e.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_4_e
-Title: AC-3(4)(e)
-Description: 'Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access.'
-SectionCode: e
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_4_e
+ title: AC-3(4)(e)
+ description: "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access."
+ section-code: e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml
index 71d41214a..d1f452915 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_7.yaml
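Review bot: The `description` for this group ends with "(e) Change the rules governing access.", while the parent AC-3(4) group's description in the hunk above enumerates the same clause as "(e) Change the rules governing access control."; the child text matches the AC-3(3)(b)(5) wording ("Changing the rules governing access") and looks copied from there. Align the child with its parent: `description: "… (e) Change the rules governing access control."`. Anyone reconciling a finding against the control catalogue otherwise sees two different requirement texts for the same control id, and the old side carried the same mismatch, so this is not something the conversion introduced but it is the moment to fix it.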
@@ -1,41 +1,46 @@
-ID: aws_nist_800_53_rev_5_ac_3_7
-Title: AC-3(7) Role-Based Access Control
-Description: 'Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].'
-SectionCode: "7"
-Children: []
-Controls:
- - aws_s3_bucket_restrict_public_read_access
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_7
+ title: AC-3(7) Role-Based Access Control
+ description: "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml
index 906fa7299..0c3641e31 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_3_8.yaml
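Review bot: `aws_s3_bucket_restrict_public_read_access` is the first entry of an otherwise alphabetically ordered `controls` list, while its counterpart `aws_s3_bucket_restrict_public_write_access` sits in sorted position further down; move the read check next to the write check unless the loader assigns meaning to position. On substance, most entries here (the `_not_publicly_accessible`, `_in_vpc`, `_no_public_ip` and `public_access_block` checks) test network exposure rather than whether access is granted through roles, so only the IAM group, inline-policy and `no_star_star` entries appear to speak to role-based access control as the description states it. Consider a comment above the exposure checks such as `# supporting evidence: exposure checks, not role assignment` so that a passing S3 block-public-access check is not reported as RBAC compliance; whether the consuming tool distinguishes primary from supporting controls is not visible from this file.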
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_3_8
-Title: AC-3(8) Revocation Of Access Authorizations
-Description: 'Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].'
-SectionCode: "8"
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_3_8
+ title: AC-3(8) Revocation Of Access Authorizations
+ description: "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml
index a8baf42ba..8e4f05baa 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4.yaml
@@ -1,28 +1,34 @@
-ID: aws_nist_800_53_rev_5_ac_4
-Title: Information Flow Enforcement (AC-4)
-Description: 'Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ac_4_21
- - aws_nist_800_53_rev_5_ac_4_22
- - aws_nist_800_53_rev_5_ac_4_26
- - aws_nist_800_53_rev_5_ac_4_28
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_4
+ title: Information Flow Enforcement (AC-4)
+ description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_4_21
+ - id: aws_nist_800_53_rev_5_ac_4_22
+ - id: aws_nist_800_53_rev_5_ac_4_26
+ - id: aws_nist_800_53_rev_5_ac_4_28
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml
index 7934f0dde..850c4efec 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_21.yaml
@@ -1,42 +1,47 @@
-ID: aws_nist_800_53_rev_5_ac_4_21
-Title: AC-4(21) Physical Or Logical Separation Of Infomation Flows
-Description: 'Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].'
-SectionCode: "21"
-Children: []
-Controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_elb_application_lb_waf_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_4_21
+ title: AC-4(21) Physical Or Logical Separation Of Infomation Flows
+ description: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined 
required separations by types of information]."
+ section-code: "21"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_elb_application_lb_waf_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml
index 0a5c13dcc..a24cc6207 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_22.yaml
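Review bot: The new `title:` line carries the typo "Infomation" over from the old `Title:`; since this line is being rewritten anyway, fix it to `title: AC-4(21) Physical Or Logical Separation Of Information Flows`. Titles in these manifests presumably surface in reports and UI, so the misspelling is user-visible rather than cosmetic.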
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_4_22
-Title: AC-4(22) Access Only
-Description: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
-SectionCode: "22"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_4_22
+ title: AC-4(22) Access Only
+ description: Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.
+ section-code: "22"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml
index 3d8318165..c8992ee6d 100755
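Review bot: The `controls:` list under AC-4(22) is the same seven TLS/in-transit checks that the parent AC-4 group lists, while the `description:` on this group is about preventing information flow between security domains reached from a single device, which encryption-in-transit checks do not evidence. This predates the format change, but since the file is being rewritten it is worth confirming the mapping was chosen rather than inherited; a group whose `controls` only restates its parent will report the enhancement as covered when nothing specific to it is actually assessed. If no check fits, `controls: []` is the more honest value.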
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_26.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_ac_4_26
-Title: AC-4(26) Audit Filtering Actions
-Description: When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
-SectionCode: "26"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_4_26
+ title: AC-4(26) Audit Filtering Actions
+ description: When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
+ section-code: "26"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml
index be0b45038..df0674e51 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_4_28.yaml
@@ -1,33 +1,38 @@
-ID: aws_nist_800_53_rev_5_ac_4_28
-Title: AC-4(28) Linear Filter Pipelines
-Description: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
-SectionCode: "28"
-Children: []
-Controls:
- - aws_ec2_instance_uses_imdsv2
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_4_28
+ title: AC-4(28) Linear Filter Pipelines
+ description: When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
+ section-code: "28"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_uses_imdsv2
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml
index 942606b67..1270e773d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5.yaml
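Review bot: The sixteen entries under `controls:` here are byte-for-byte the list used for AC-3(8) earlier in this diff (IMDSv2, IAM password policy, root/user MFA, access-key age, Secrets Manager rotation), none of which speak to a content filter pipeline between security domains as the `description:` states. The mismatch is inherited from the old `Controls:` block rather than introduced here, but the conversion is the natural moment to check whether the list was copied from AC-3(8) by accident. If it was, trimming it to checks that actually evidence filtering or domain separation, or leaving `controls: []`, avoids reporting this enhancement as satisfied by credential hygiene.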
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_5
-Title: Separation Of Duties (AC-5)
-Description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_ac_5_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_5
+ title: Separation Of Duties (AC-5)
+ description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_5_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml
index 3fe18d08e..4aaecc34b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_5_b.yaml
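Review bot: The rewritten `description:` still runs two sentences together with a lowercase start, `...malevolent activity. automate separation of duties...`; capitalise it as `Automate separation of duties and access authorizations.` or join the clauses. As with the other groups, this text is carried unchanged into the new key and is presumably user-visible in reports.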
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_ac_5_b
-Title: AC-5(b)
-Description: Define system access authorizations to support separation of duties.
-SectionCode: b
-Children: []
-Controls:
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_5_b
+ title: AC-5(b)
+ description: Define system access authorizations to support separation of duties.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_policy_no_star_star
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml
index 6505bace0..eb64990e4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6.yaml
@@ -1,45 +1,51 @@
-ID: aws_nist_800_53_rev_5_ac_6
-Title: Least Privilege (AC-6)
-Description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
-SectionCode: "6"
-Children:
- - aws_nist_800_53_rev_5_ac_6_2
- - aws_nist_800_53_rev_5_ac_6_3
- - aws_nist_800_53_rev_5_ac_6_9
- - aws_nist_800_53_rev_5_ac_6_10
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_6
+ title: Least Privilege (AC-6)
+ description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_6_2
+ - id: aws_nist_800_53_rev_5_ac_6_3
+ - id: aws_nist_800_53_rev_5_ac_6_9
+ - id: aws_nist_800_53_rev_5_ac_6_10
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml
index f4d8d05b7..1fb10fc07 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_10.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_ac_6_10
-Title: AC-6(10)
-Description: Prevent non-privileged users from executing privileged functions.
-SectionCode: "10"
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_6_10
+ title: AC-6(10)
+ description: Prevent non-privileged users from executing privileged functions.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml
index f9b7e11fe..1c12ceb5e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_ac_6_2
-Title: AC-6(2)
-Description: 'Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_6_2
+ title: AC-6(2)
+ description: "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml
index f1d42d833..611006efc 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_3.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_ac_6_3
-Title: AC-6(3)
-Description: 'Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_6_3
+ title: AC-6(3)
+ description: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml
index b7d2ad933..cfd4dc208 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_6_9.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_6_9
-Title: AC-6(9)
-Description: Log the execution of privileged functions.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_6_9
+ title: AC-6(9)
+ description: Log the execution of privileged functions.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
index ca5b5bb88..82dfd8a74 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ac_7
-Title: Unsuccessful Logon Attempts (AC-7)
-Description: 'a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.'
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_5_ac_7_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_7
+ title: Unsuccessful Logon Attempts (AC-7)
+ description: "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b.\u2003Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_7_4
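Review bot: The new double-quoted `description:` contains a `\u2003` (em space) escape between `b.` and `Automatically`, presumably a literal em space in the old single-quoted text that became visible once the value was re-quoted; replace it with a plain space so the text renders and searches consistently, e.g. `...; and b. Automatically [Selection ...`. The same escape appears twice in the AC-7(4) hunk that follows (`a.\u2003Allow` and `b.\u2003Enforce`). While touching this line, `[Assignment:organization-defined time period]` and `take other[Assignment:` are each missing a space; both are carried over from the old value.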
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
index 80fafcaf7..afb838d17 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4.yaml
@@ -1,23 +1,29 @@
-ID: aws_nist_800_53_rev_5_ac_7_4
-Title: AC-7(4) Use Of Alternate Authentication Factor
-Description: 'a. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ac_7_4_a
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_7_4
+ title: AC-7(4) Use Of Alternate Authentication Factor
+ description: "a.\u2003Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b.\u2003Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ac_7_4_a
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
index 1ec0aa749..6f7048c58 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ac_7_4_a.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_ac_7_4_a
-Title: AC-7(4)(a)
-Description: 'Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ac_7_4_a
+ title: AC-7(4)(a)
+ description: "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
index 2ee3f731a..fe2fdfe1e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au
-Title: Audit and Accountability (AU)
-Description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
-SectionCode: au
-Children:
- - aws_nist_800_53_rev_5_au_2
- - aws_nist_800_53_rev_5_au_3
- - aws_nist_800_53_rev_5_au_4
- - aws_nist_800_53_rev_5_au_6
- - aws_nist_800_53_rev_5_au_7
- - aws_nist_800_53_rev_5_au_8
- - aws_nist_800_53_rev_5_au_9
- - aws_nist_800_53_rev_5_au_10
- - aws_nist_800_53_rev_5_au_11
- - aws_nist_800_53_rev_5_au_12
- - aws_nist_800_53_rev_5_au_14
- - aws_nist_800_53_rev_5_au_16
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au
+ title: Audit and Accountability (AU)
+ description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+ section-code: au
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_2
+ - id: aws_nist_800_53_rev_5_au_3
+ - id: aws_nist_800_53_rev_5_au_4
+ - id: aws_nist_800_53_rev_5_au_6
+ - id: aws_nist_800_53_rev_5_au_7
+ - id: aws_nist_800_53_rev_5_au_8
+ - id: aws_nist_800_53_rev_5_au_9
+ - id: aws_nist_800_53_rev_5_au_10
+ - id: aws_nist_800_53_rev_5_au_11
+ - id: aws_nist_800_53_rev_5_au_12
+ - id: aws_nist_800_53_rev_5_au_14
+ - id: aws_nist_800_53_rev_5_au_16
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
index a2570d758..0a3a4847f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_10.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_10
-Title: Non-Repudiation (AU-10)
-Description: 'Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].'
-SectionCode: "10"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_10
+ title: Non-Repudiation (AU-10)
+ description: "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
index d7cf96c68..a50dcacf7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11.yaml
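Review bot: Every control mapped to AU-10 (Non-Repudiation) checks that some form of logging is switched on; none checks that the records, once written, are tamper-evident or access-restricted, which is what separates non-repudiation from ordinary audit-record generation. If the control library has a check for CloudTrail log-file integrity validation or for restrictive access to the log storage, adding it to this `controls` list would make the mapping defensible; I have not confirmed such a control exists here, so I name none. As carried over, the list is the same generic logging set reused for AU-12(a)/(c) and AU-14(3) further down, so the gap is inherited rather than introduced by this commit.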
@@ -1,19 +1,25 @@
-ID: aws_nist_800_53_rev_5_au_11
-Title: Audit Record Retention (AU-11)
-Description: 'Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
-SectionCode: "11"
-Children:
- - aws_nist_800_53_rev_5_au_11_1
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_11
+ title: Audit Record Retention (AU-11)
+ description: "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_11_1
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
index ce6a8d26f..b5b0615a5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_11_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_11_1
-Title: AU-11(1) Long-Term Retrieval Capability
-Description: 'Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_11_1
+ title: AU-11(1) Long-Term Retrieval Capability
+ description: "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
index ae0cd48d1..3d555b7e3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_au_12
-Title: Audit Record Generation (AU-12)
-Description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
-SectionCode: "12"
-Children:
- - aws_nist_800_53_rev_5_au_12_1
- - aws_nist_800_53_rev_5_au_12_2
- - aws_nist_800_53_rev_5_au_12_3
- - aws_nist_800_53_rev_5_au_12_4
- - aws_nist_800_53_rev_5_au_12_a
- - aws_nist_800_53_rev_5_au_12_c
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12
+ title: Audit Record Generation (AU-12)
+ description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_12_1
+ - id: aws_nist_800_53_rev_5_au_12_2
+ - id: aws_nist_800_53_rev_5_au_12_3
+ - id: aws_nist_800_53_rev_5_au_12_4
+ - id: aws_nist_800_53_rev_5_au_12_a
+ - id: aws_nist_800_53_rev_5_au_12_c
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
index e2cf58a5a..ec0e9df4a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_1.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_12_1
-Title: AU-12(1) System-Wide And Time-Correlated Audit Trial
-Description: 'Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_1
+ title: AU-12(1) System-Wide And Time-Correlated Audit Trial
+ description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
index c8eb6628c..f8ed8b83b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_2.yaml
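Review bot: The new `title` line for this group carries over the old typo `Audit Trial`; NIST AU-12(1) is "System-Wide and Time-Correlated Audit Trail", so the line should read `title: AU-12(1) System-Wide And Time-Correlated Audit Trail`. The title is user-facing text in the control tree and in generated compliance reports, so the misspelling surfaces wherever this group is rendered. The `description` on the line above it already says "audit trail" and needs no change.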
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_12_2
-Title: AU-12(2) Standardized Formats
-Description: Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_2
+ title: AU-12(2) Standardized Formats
+ description: Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
index db9579486..1cbc8cfc1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_3.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_au_12_3
-Title: AU-12(3) Changes By Authorized Individuals
-Description: 'Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_3
+ title: AU-12(3) Changes By Authorized Individuals
+ description: "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
index 36106e0d2..438acf1ae 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_4.yaml
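Review bot: The `controls` list for AU-12(3), which is about authorized individuals being able to change what is logged, includes `aws_autoscaling_group_with_lb_use_health_check`, `aws_elastic_beanstalk_enhanced_health_reporting_enabled`, `aws_lambda_function_concurrent_execution_limit_configured` and `aws_lambda_function_dead_letter_queue_configured`, which are availability and resilience checks with no bearing on logging configuration or who may change it. The same 20-entry list is reused unchanged for AU-14(a) and AU-14(b) later in this chunk, which suggests a generic monitoring set was pasted rather than a per-control mapping. The migration preserves the list as-is, so this is inherited, but a pass that keeps the CloudTrail, CloudWatch, GuardDuty and Security Hub entries and drops the four above would be worth doing before these groups are enabled; I have not checked what the upstream mapping source lists.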
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_au_12_4
-Title: AU-12(4) Query Parameter Audits Of Personally Identifiable Information
-Description: Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_4
+ title: AU-12(4) Query Parameter Audits Of Personally Identifiable Information
+ description: Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
index 629a5b3b1..d4edc5a90 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_a.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_au_12_a
-Title: AU-12(a)
-Description: 'Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components].'
-SectionCode: a
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_a
+ title: AU-12(a)
+ description: "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
index 89e7ac37a..106b605b2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_12_c.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_au_12_c
-Title: AU-12(c)
-Description: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
-SectionCode: c
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_12_c
+ title: AU-12(c)
+ description: Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
index 53a95ef34..1c6bc3fbb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_au_14
-Title: Session Audit (AU-14)
-Description: Capture, record and log user sessions. Remotely view all content related to a user session that starts at system start-up.
-SectionCode: "14"
-Children:
- - aws_nist_800_53_rev_5_au_14_3
- - aws_nist_800_53_rev_5_au_14_a
- - aws_nist_800_53_rev_5_au_14_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_14
+ title: Session Audit (AU-14)
+ description: Capture, record and log user sessions. Remotely view all content related to a user session that starts at system start-up.
+ section-code: "14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_14_3
+ - id: aws_nist_800_53_rev_5_au_14_a
+ - id: aws_nist_800_53_rev_5_au_14_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
index 50733f1ad..75c10acac 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_3.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_au_14_3
-Title: AU-14(3) Remote Viewing And Listening
-Description: Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_14_3
+ title: AU-14(3) Remote Viewing And Listening
+ description: Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
index 106386aa9..1ebb203c3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_a.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_au_14_a
-Title: AU-14(a)
-Description: 'Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances].'
-SectionCode: a
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_14_a
+ title: AU-14(a)
+ description: "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
index 4721fd713..a3d9ae0cb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_14_b.yaml
@@ -1,37 +1,42 @@ -ID: aws_nist_800_53_rev_5_au_14_b -Title: AU-14(b) -Description: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. -SectionCode: b -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_cloudwatch_log_group_retention_period_365 - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_guardduty_enabled - - aws_lambda_function_concurrent_execution_limit_configured - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_securityhub_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_14_b + title: AU-14(b) + description: Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
+ section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_cloudwatch_log_group_retention_period_365 + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_guardduty_enabled + - aws_lambda_function_concurrent_execution_limit_configured + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_securityhub_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml index f3712d6f8..ace757273 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_16.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_au_16 -Title: Cross-Organizational Audit Logging (AU-16) -Description: 'Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.' -SectionCode: "16" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_16 + title: Cross-Organizational Audit Logging (AU-16) + description: "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries." + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml index b7fd479b1..bd0309c2b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_au_2 -Title: Event Logging (AU-2) -Description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events. -SectionCode: "2" -Children: - - aws_nist_800_53_rev_5_au_2_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_2 + title: Event Logging (AU-2) + description: Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_au_2_b diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml index e1f5f8480..138a43704 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_2_b.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_2_b -Title: AU-2(b) -Description: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged. -SectionCode: b -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_2_b + title: AU-2(b) + description: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml index 7fcc45a60..d81ed3303 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3.yaml 
@@ -1,24 +1,29 @@ -ID: aws_nist_800_53_rev_5_au_3 -Title: Content of Audit Records (AU-3) -Description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. -SectionCode: "3" -Children: - - aws_nist_800_53_rev_5_au_3_1 - - aws_nist_800_53_rev_5_au_3_a - - aws_nist_800_53_rev_5_au_3_b - - aws_nist_800_53_rev_5_au_3_c - - aws_nist_800_53_rev_5_au_3_d - - aws_nist_800_53_rev_5_au_3_e - - aws_nist_800_53_rev_5_au_3_f -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3 + title: Content of Audit Records (AU-3) + description: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_au_3_1 + - id: aws_nist_800_53_rev_5_au_3_a + - id: aws_nist_800_53_rev_5_au_3_b + - id: aws_nist_800_53_rev_5_au_3_c + - id: aws_nist_800_53_rev_5_au_3_d + - id: aws_nist_800_53_rev_5_au_3_e + - id: aws_nist_800_53_rev_5_au_3_f diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml index b2eb45563..590f18168 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_1.yaml @@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_au_3_1 -Title: AU-3(1) Additional Audit Information -Description: 'Generate audit records containing the following additional information: [Assignment: organization-defined additional information].' -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_enabled - - aws_guardduty_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_1 + title: AU-3(1) Additional Audit Information + description: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_enabled + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml index fd56f5f49..0d82b4d83 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_a.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_3_a -Title: AU-3(a) -Description: 'Ensure that audit records contain information that establishes the following: a. What type of event occurred.' -SectionCode: a -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_a + title: AU-3(a) + description: "Ensure that audit records contain information that establishes the following: a. What type of event occurred." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml index 52f3f4f6d..d23de73ec 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_b.yaml @@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_3_b -Title: AU-3(b) -Description: 'Ensure that audit records contain information that establishes the following: b. When the event occurred.' -SectionCode: b -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_b + title: AU-3(b) + description: "Ensure that audit records contain information that establishes the following: b. When the event occurred." + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml index 1323ac803..7ff481960 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_c.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_3_c -Title: AU-3(c) -Description: 'Ensure that audit records contain information that establishes the following: c. Where the event occurred.' -SectionCode: c -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_c + title: AU-3(c) + description: "Ensure that audit records contain information that establishes the following: c. Where the event occurred." + section-code: c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml index f68a376c5..c184f4101 100755 
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_d.yaml @@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_3_d -Title: AU-3(d) -Description: 'Ensure that audit records contain information that establishes the following: d. Source of the event.' -SectionCode: d -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_d + title: AU-3(d) + description: "Ensure that audit records contain information that establishes the following: d. Source of the event." + section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml index 5bc1ffc5a..cdcf544bd 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_e.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_au_3_e -Title: AU-3(e) -Description: 'Ensure that audit records contain information that establishes the following: e. Outcome of the event.' -SectionCode: e -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_e + title: AU-3(e) + description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event." + section-code: e + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml index ce8b149b7..27adb568c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_3_f.yaml @@ -1,27 +1,32 @@ -ID: aws_nist_800_53_rev_5_au_3_f -Title: AU-3(f) -Description: 'Ensure that audit records contain information that establishes the following: e. Outcome of the event.' -SectionCode: f -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_3_f + title: AU-3(f) + description: "Ensure that audit records contain information that establishes the following: e. Outcome of the event." + section-code: f + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml index 9c3d923d9..09654071a 100755 
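Review bot: The `description` on the new side still reads `e. Outcome of the event.`, which is the AU-3(e) text duplicated into the AU-3(f) file; the parent AU-3 hunk in this diff names the sixth element as "the identity of any individuals or subjects associated with the event", so the line should be `description: "Ensure that audit records contain information that establishes the following: f. Identity of any individuals or subjects associated with the event."`. The migration copied the old `Description` verbatim, so the wrong text now ships under the new schema. The `controls` list here also omits `aws_vpc_flow_logs_enabled`, which every sibling (a)–(e) carries; if that is deliberate (flow logs carry no principal identity), a one-line comment above `controls:` would spare the next reviewer the comparison.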
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_au_4 -Title: Audit Log Stprage Capacity (AU-4) -Description: 'Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].' -SectionCode: "4" -Children: - - aws_nist_800_53_rev_5_au_4_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_4 + title: Audit Log Stprage Capacity (AU-4) + description: "Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]." + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_au_4_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml index 30f14b9ac..e5aeb64c0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_4_1.yaml 
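Review bot: The title keeps the typo `Audit Log Stprage Capacity (AU-4)` on the new side; the line should read `title: Audit Log Storage Capacity (AU-4)`. Because the migration carried the old `Title` over verbatim, the misspelling now appears as the user-facing title in the new schema. A grep for the same string across the rest of the framework before merging would catch any other copy.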
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_au_4_1 -Title: AU-4(1) Transfer To Alternate Storage -Description: 'Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.' -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_4_1 + title: AU-4(1) Transfer To Alternate Storage + description: "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml index b82a36dfc..acf88c9c7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6.yaml 
@@ -1,23 +1,28 @@ -ID: aws_nist_800_53_rev_5_au_6 -Title: Audit Record Review, Analysis And Reporting (AU-6) -Description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. -SectionCode: "6" -Children: - - aws_nist_800_53_rev_5_au_6_1 - - aws_nist_800_53_rev_5_au_6_3 - - aws_nist_800_53_rev_5_au_6_4 - - aws_nist_800_53_rev_5_au_6_5 - - aws_nist_800_53_rev_5_au_6_6 - - aws_nist_800_53_rev_5_au_6_9 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_6 + title: Audit Record Review, Analysis And Reporting (AU-6) + description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_au_6_1 + - id: aws_nist_800_53_rev_5_au_6_3 + - id: aws_nist_800_53_rev_5_au_6_4 + - id: aws_nist_800_53_rev_5_au_6_5 + - id: aws_nist_800_53_rev_5_au_6_6 + - id: aws_nist_800_53_rev_5_au_6_9 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml index 99811040f..6259daaa3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_1.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_au_6_1 -Title: AU-6(1) Automated Process Integration -Description: 'Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].' -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled - - aws_guardduty_enabled - - aws_securityhub_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_au_6_1 + title: AU-6(1) Automated Process Integration + description: "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled + - aws_guardduty_enabled + - aws_securityhub_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml index 79a015bba..b646ff5f9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_3.yaml 
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_6_3
-Title: AU-6(3) Correlate Audit Record Repositories
-Description: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_6_3
+ title: AU-6(3) Correlate Audit Record Repositories
+ description: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
index 1b618263e..0265bbc5d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_4.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_6_4
-Title: AU-6(4) Central Review And Analysis
-Description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_6_4
+ title: AU-6(4) Central Review And Analysis
+ description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
index 4c20a2dd2..f850deaa0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_5.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_au_6_5
-Title: AU-6(5) Central Review And Analysis
-Description: 'Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_6_5
+ title: AU-6(5) Central Review And Analysis
+ description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
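Review bot: The new `title: AU-6(5) Central Review And Analysis` repeats the title of AU-6(4) in the previous file, so two sibling groups under AU-6 are now indistinguishable by name in any UI or report that lists them. The description on the next line is the integrated-analysis enhancement (correlating audit records with vulnerability-scan, performance and monitoring data), which in SP 800-53 Rev 5 is named "Integrated Analysis of Audit Records", so the title was carried over from the old side unchanged and should be corrected while the file is being rewritten: `title: AU-6(5) Integrated Analysis Of Audit Records`.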
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
index d29e24e32..961180eed 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_6.yaml
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_6_6
-Title: AU-6(6) Correletion With Physical Monitoring
-Description: Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_6_6
+ title: AU-6(6) Correletion With Physical Monitoring
+ description: Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
index 58009e3d3..054197ef2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_6_9.yaml
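Review bot: The rewritten `title: AU-6(6) Correletion With Physical Monitoring` keeps a misspelling from the old side; since every line of this file is being rewritten anyway, correct it to `title: AU-6(6) Correlation With Physical Monitoring`. The same misspelling, plus a stray word, is carried into the next file's title (`AU-6(9) Correletion With From Nontechnical Sources`, which should read `AU-6(9) Correlation With Nontechnical Sources`), and the AU-9(7) file later in this chunk has `Different Operation Systems` for `Different Operating Systems`. These titles are what users see in compliance reports, so they are worth fixing in the same migration rather than in a follow-up.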
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_au_6_9
-Title: AU-6(9) Correletion With From Nontechnical Sources
-Description: Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
-SectionCode: "9"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_6_9
+ title: AU-6(9) Correletion With From Nontechnical Sources
+ description: Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
index 0fa0343d2..4d40fed79 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_7
-Title: Audit Record Reduction And Report Generation (AU-7)
-Description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records.
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_5_au_7_1
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_7
+ title: Audit Record Reduction And Report Generation (AU-7)
+ description: Support for real-time audit review, analysis, and reporting requirements without altering original audit records.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_7_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
index 55d9a9a38..66a761449 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_7_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_7_1
-Title: AU-7(1) Automatic Processing
-Description: 'Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_trail_integrated_with_logs
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_7_1
+ title: AU-7(1) Automatic Processing
+ description: "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
index 5415766ac..ed7348d24 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_8
-Title: Time Stamps (AU-8)
-Description: Use internal system clocks to generate time stamps for audit records.
-SectionCode: "8"
-Children:
- - aws_nist_800_53_rev_5_au_8_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_8
+ title: Time Stamps (AU-8)
+ description: Use internal system clocks to generate time stamps for audit records.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_8_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
index 056bc99fc..c75949416 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_8_b.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_au_8_b
-Title: AU-8(b)
-Description: 'Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.'
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_8_b
+ title: AU-8(b)
+ description: "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
index 86a5c0d84..92bc17be9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9.yaml
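Review bot: `section-code: b` is left as a plain scalar while every numeric code in this chunk is written as a quoted string (`section-code: "6"`, `"1"`, `"3"`), so the field is typed by the value rather than by convention. `b` happens to be harmless, but the same pattern recurs for `section-code: a` (au_9_a), `section-code: d` (ca_2_d) and `section-code: ca`, and a future letter code such as `n`, `y` or `on` would be read as a boolean by YAML 1.1 loaders. Quoting all of them, `section-code: "b"`, makes the field uniformly a string and removes the trap before it bites.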
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_au_9
-Title: Protection of Audit Information (AU-9)
-Description: Protect audit information & tools from unauthorized access, modification & deletion.
-SectionCode: "9"
-Children:
- - aws_nist_800_53_rev_5_au_9_2
- - aws_nist_800_53_rev_5_au_9_3
- - aws_nist_800_53_rev_5_au_9_7
- - aws_nist_800_53_rev_5_au_9_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_9
+ title: Protection of Audit Information (AU-9)
+ description: Protect audit information & tools from unauthorized access, modification & deletion.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_au_9_2
+ - id: aws_nist_800_53_rev_5_au_9_3
+ - id: aws_nist_800_53_rev_5_au_9_7
+ - id: aws_nist_800_53_rev_5_au_9_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
index 1c1a69ce3..7b3013c29 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_au_9_2
-Title: AU-9(2) Store On Separate Physical Systems Or Components
-Description: 'Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/S3
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_9_2
+ title: AU-9(2) Store On Separate Physical Systems Or Components
+ description: "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/S3
+ type:
+ - Benchmark
+ controls:
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
index a12744b68..b1448d494 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_3.yaml
@@ -1,41 +1,46 @@
-ID: aws_nist_800_53_rev_5_au_9_3
-Title: AU-9(3) Cryptographic Protection
-Description: Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_enforces_ssl
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_secretsmanager_secret_encrypted_with_kms_cmk
- - aws_sns_topic_encrypted_at_rest
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_9_3
+ title: AU-9(3) Cryptographic Protection
+ description: Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_volume_encryption_at_rest_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_enforces_ssl
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_secretsmanager_secret_encrypted_with_kms_cmk
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
index 7c6b5b353..f4682d45c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_7.yaml
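Review bot: The `controls:` list under AU-9(3) is made up entirely of encryption-at-rest and TLS-in-transit checks, which protect the confidentiality of audit data, whereas the description on the line above asks for cryptographic protection of its integrity. The one control on this page that actually verifies audit-record integrity, `aws_cloudtrail_trail_validation_enabled` (CloudTrail log-file validation, which this same change maps under AU-9(a) two files later), is absent here, so an account with unvalidated trails would still pass this enhancement. Adding `- aws_cloudtrail_trail_validation_enabled` to this `controls:` list would align the mapping with the control text; the existing entries can remain as supporting controls, ideally with a one-line comment noting that they address confidentiality rather than integrity.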
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_9_7
-Title: AU-9(7) Store On Component With Different Operation Systems
-Description: Store audit information on a component running a different operating system than the system or component being audited.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_cloudtrail_trail_integrated_with_logs
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_9_7
+ title: AU-9(7) Store On Component With Different Operation Systems
+ description: Store audit information on a component running a different operating system than the system or component being audited.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_integrated_with_logs
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
index 04453cd10..1141acbe8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_au_9_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_au_9_a
-Title: AU-9(a)
-Description: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
-SectionCode: a
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_au_9_a
+ title: AU-9(a)
+ description: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
index 2084228a7..7c1515084 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_ca
-Title: Assessment, Authorization, And Monitoring (CA)
-Description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
-SectionCode: ca
-Children:
- - aws_nist_800_53_rev_5_ca_2
- - aws_nist_800_53_rev_5_ca_7
- - aws_nist_800_53_rev_5_ca_9
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca
+ title: Assessment, Authorization, And Monitoring (CA)
+ description: The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections.
+ section-code: ca
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ca_2
+ - id: aws_nist_800_53_rev_5_ca_7
+ - id: aws_nist_800_53_rev_5_ca_9
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
index 56b654e38..c3900f11b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ca_2
-Title: Control Assessments (CA-2)
-Description: Assess security controls to determine effectiveness and produce security reports, documentation, and graphs.
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_5_ca_2_2
- - aws_nist_800_53_rev_5_ca_2_d
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_2
+ title: Control Assessments (CA-2)
+ description: Assess security controls to determine effectiveness and produce security reports, documentation, and graphs.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ca_2_2
+ - id: aws_nist_800_53_rev_5_ca_2_d
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
index 3d50ba57f..1f916d62a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_ca_2_2
-Title: CA-2(2) Specialized Assessments
-Description: 'Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_2_2
+ title: CA-2(2) Specialized Assessments
+ description: "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
index f1d75c4f5..210f3a5c3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_2_d.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ca_2_d
-Title: CA-2(d)
-Description: 'Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.'
-SectionCode: d
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_2_d
+ title: CA-2(d)
+ description: "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
index 36c010319..dc00ebf23 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7.yaml
@@ -1,27 +1,33 @@
-ID: aws_nist_800_53_rev_5_ca_7
-Title: Continuous Monitoring (CA-7)
-Description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_5_ca_7_4
- - aws_nist_800_53_rev_5_ca_7_b
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudwatch_alarm_action_enabled
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_securityhub_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_7
+ title: Continuous Monitoring (CA-7)
+ description: Continuously monitor configuration management processes. Determine security impact, environment and operational risks.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ca_7_4
+ - id: aws_nist_800_53_rev_5_ca_7_b
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_securityhub_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
index afc237ae2..b717ccb37 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ca_7_4
-Title: CA-7(4) Risk Monitoring
-Description: 'Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a. Effectiveness monitoring; b. Compliance monitoring; and c. Change monitoring.'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ca_7_4_c
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_7_4
+ title: CA-7(4) Risk Monitoring
+ description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a.\u2003Effectiveness monitoring; b.\u2003Compliance monitoring; and c.\u2003Change monitoring."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ca_7_4_c
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
index 15c22f0aa..e4750cc9f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_4_c.yaml
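Review bot: The new double-quoted `description` for CA-7(4) carries three `\u2003` (em space) escapes after the "a.", "b." and "c." enumerators, which the single-quoted original rendered as plain spaces; these look like characters pasted from the catalogue PDF rather than intended formatting, and they make the text differ from the sibling groups (CA-7(b), CM-2(b)) that use ordinary spaces for the same enumeration style. A plain space keeps the description searchable and consistent: `description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a. Effectiveness monitoring; b. Compliance monitoring; and c. Change monitoring."`. The same escapes appear in the CA-9 and CM-12 hunks further down this chunk; if the em spaces are deliberate, a short comment above the field saying so would stop the next contributor from normalising them.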
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ca_7_4_c
-Title: CA-7(4)(c)
-Description: 'Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring.'
-SectionCode: c
-Children: []
-Controls:
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_rds_db_instance_deletion_protection_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_7_4_c
+ title: CA-7(4)(c)
+ description: "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
index 3c4f46e60..9e172c734 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_7_b.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_ca_7_b
-Title: CA-7(b)
-Description: 'Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness.'
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_7_b
+ title: CA-7(b)
+ description: "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
index 5fd8e09c4..acb4b8b94 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ca_9
-Title: Internal System Connections (CA-9)
-Description: 'a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection.'
-SectionCode: "9"
-Children:
- - aws_nist_800_53_rev_5_ca_9_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_9
+ title: Internal System Connections (CA-9)
+ description: "a.\u2003Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b.\u2003Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c.\u2003Terminate internal system connections after [Assignment: organization-defined conditions]; and d.\u2003Review [Assignment: organization-defined frequency] the continued need for each internal connection."
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ca_9_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
index 578664dc2..1b1c2d181 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ca_9_b.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_ca_9_b
-Title: CA-9(b)
-Description: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ca_9_b
+ title: CA-9(b)
+ description: Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
index b222e4d6b..d7656c418 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm.yaml
@@ -1,25 +1,30 @@
-ID: aws_nist_800_53_rev_5_cm
-Title: Configuration Management (CM)
-Description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
-SectionCode: cm
-Children:
- - aws_nist_800_53_rev_5_cm_2
- - aws_nist_800_53_rev_5_cm_3
- - aws_nist_800_53_rev_5_cm_5
- - aws_nist_800_53_rev_5_cm_6
- - aws_nist_800_53_rev_5_cm_7
- - aws_nist_800_53_rev_5_cm_8
- - aws_nist_800_53_rev_5_cm_9
- - aws_nist_800_53_rev_5_cm_12
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm
+ title: Configuration Management (CM)
+ description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+ section-code: cm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_2
+ - id: aws_nist_800_53_rev_5_cm_3
+ - id: aws_nist_800_53_rev_5_cm_5
+ - id: aws_nist_800_53_rev_5_cm_6
+ - id: aws_nist_800_53_rev_5_cm_7
+ - id: aws_nist_800_53_rev_5_cm_8
+ - id: aws_nist_800_53_rev_5_cm_9
+ - id: aws_nist_800_53_rev_5_cm_12
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
index b89403e17..4da0e8c27 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_12
-Title: Information Location (CM-12)
-Description: 'a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored.'
-SectionCode: "12"
-Children:
- - aws_nist_800_53_rev_5_cm_12_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_12
+ title: Information Location (CM-12)
+ description: "a.\u2003Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b.\u2003Identify and document the users who have access to the system and system components where the information is processed and stored; and c.\u2003Document changes to the location (i.e., system or system components) where the information is processed and stored."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_12_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
index c7b034d64..fbabe2f2f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_12_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_12_b
-Title: CM-12(b)
-Description: Identify and document the users who have access to the system and system components where the information is processed and stored.
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_12_b
+ title: CM-12(b)
+ description: Identify and document the users who have access to the system and system components where the information is processed and stored.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
index 5f0ecf1a5..a47725c89 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_cm_2
-Title: Baseline Configuration (CM-2)
-Description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_5_cm_2_2
- - aws_nist_800_53_rev_5_cm_2_a
- - aws_nist_800_53_rev_5_cm_2_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2
+ title: Baseline Configuration (CM-2)
+ description: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_2_2
+ - id: aws_nist_800_53_rev_5_cm_2_a
+ - id: aws_nist_800_53_rev_5_cm_2_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
index f1c26222b..05f410489 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_2_2
-Title: CM-2(2) Automation Support For Accuracy And Currency
-Description: 'Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_2
+ title: CM-2(2) Automation Support For Accuracy And Currency
+ description: "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
index 1eb26ecfe..19c8cc2f7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_a.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_2_a
-Title: CM-2(a)
-Description: Develop, document, and maintain under configuration control, a current baseline configuration of the system.
-SectionCode: a
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_a
+ title: CM-2(a)
+ description: Develop, document, and maintain under configuration control, a current baseline configuration of the system.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
index 02693acfa..b1aa7e486 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b.yaml
@@ -1,26 +1,32 @@
-ID: aws_nist_800_53_rev_5_cm_2_b
-Title: CM-2(b)
-Description: 'Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded.'
-SectionCode: b
-Children:
- - aws_nist_800_53_rev_5_cm_2_b_1
- - aws_nist_800_53_rev_5_cm_2_b_2
- - aws_nist_800_53_rev_5_cm_2_b_3
-Controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_b
+ title: CM-2(b)
+ description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_2_b_1
+ - id: aws_nist_800_53_rev_5_cm_2_b_2
+ - id: aws_nist_800_53_rev_5_cm_2_b_3
+ controls:
+ - aws_account_part_of_organizations
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
index 98a1da06a..a9ed8ad6d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_1.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_2_b_1
-Title: CM-2(b)(1)
-Description: 'Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_b_1
+ title: CM-2(b)(1)
+ description: "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
index f320f3ba0..35a569f6b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_2_b_2
-Title: CM-2(b)(2)
-Description: 'Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_b_2
+ title: CM-2(b)(2)
+ description: "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
index 0efd4ae10..9b5528abd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_2_b_3.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_2_b_3
-Title: CM-2(b)(3)
-Description: 'Review and update the baseline configuration of the system: 3 When system components are installed or upgraded.'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_2_b_3
+ title: CM-2(b)(3)
+ description: "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
index 28724c487..a5ae20455 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3.yaml
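Review bot: The re-quoted `description` for CM-2(b)(3) still reads "system: 3 When system components are installed or upgraded." with no period after the enumerator, while the sibling groups CM-2(b)(1) and CM-2(b)(2) in the preceding hunks write "1. [Assignment..." and "2. When required...", and the parent CM-2(b) text in this same chunk writes "3. When system components...". Since this commit already rewrites the line, it is the natural place to fix it: `description: "Review and update the baseline configuration of the system: 3. When system components are installed or upgraded."`.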
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_3
-Title: Configuration Change Control (CM-3)
-Description: The organization authorizes, documents, and controls changes to the information system.
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_cm_3_3
- - aws_nist_800_53_rev_5_cm_3_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_3
+ title: Configuration Change Control (CM-3)
+ description: The organization authorizes, documents, and controls changes to the information system.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_3_3
+ - id: aws_nist_800_53_rev_5_cm_3_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml
index 32598f27d..f0d02b45e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_3.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_3_3
-Title: CM-3(3) Automated Change Implementation
-Description: 'Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_3_3
+ title: CM-3(3) Automated Change Implementation
+ description: "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml
index 793ba9112..42bd67934 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_3_a.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_3_a
-Title: CM-3(a)
-Description: Determine and document the types of changes to the system that are configuration-controlled.
-SectionCode: a
-Children: []
-Controls:
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_rds_db_instance_deletion_protection_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_3_a
+ title: CM-3(a)
+ description: Determine and document the types of changes to the system that are configuration-controlled.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml
index 6dcafac3b..056ceda91 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_5
-Title: Access Restrictions For Change (CM-5)
-Description: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_cm_5_1
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_5
+ title: Access Restrictions For Change (CM-5)
+ description: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_5_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml
index 7ec67ad69..c983cd260 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_5_1
-Title: CM-5(1) Automated Access Enforcement And Audit Records
-Description: 'a. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b. Automatically generate audit records of the enforcement actions.'
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_cm_5_1_a
- - aws_nist_800_53_rev_5_cm_5_1_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_5_1
+ title: CM-5(1) Automated Access Enforcement And Audit Records
+ description: "a.\u2003Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b.\u2003Automatically generate audit records of the enforcement actions."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_5_1_a
+ - id: aws_nist_800_53_rev_5_cm_5_1_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml
index 0a8d02d6e..4b08b8303 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_a.yaml
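Review bot: The new `description` on cm_5_1 carries two `\u2003` (EM SPACE) escapes between the clause letter and its text (`a.\u2003Enforce`, `b.\u2003Automatically`), which the double-quoted style decodes into literal U+2003 characters, while the removed line renders with an ordinary space. Non-ASCII whitespace in a display string is invisible in most UIs, defeats plain substring search on the text, and will show up as a spurious change whenever a YAML emitter re-escapes it. Suggested: `description: "a. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b. Automatically generate audit records of the enforcement actions."`. No other description in this diff carries the escape, which suggests it was pasted in from the source document rather than intended.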
@@ -1,35 +1,40 @@
-ID: aws_nist_800_53_rev_5_cm_5_1_a
-Title: CM-5(1)(a)
-Description: 'Enforce access restrictions using [Assignment: organization-defined automated mechanisms].'
-SectionCode: a
-Children: []
-Controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_uses_imdsv2
- - aws_ecs_task_definition_user_for_host_mode_check
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_secretsmanager_secret_unused_90_day
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_5_1_a
+ title: CM-5(1)(a)
+ description: "Enforce access restrictions using [Assignment: organization-defined automated mechanisms]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_uses_imdsv2
+ - aws_ecs_task_definition_user_for_host_mode_check
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_secretsmanager_secret_unused_90_day
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml
index 29b170eff..3d18b7a08 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_5_1_b.yaml
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_cm_5_1_b
-Title: CM-5(1)(b)
-Description: Automatically generate audit records of the enforcement actions.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_5_1_b
+ title: CM-5(1)(b)
+ description: Automatically generate audit records of the enforcement actions.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml
index 81bda3c15..47faef7fb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6.yaml
@@ -1,20 +1,26 @@
-ID: aws_nist_800_53_rev_5_cm_6
-Title: Configuration Settings (CM-6)
-Description: 'The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.'
-SectionCode: "6"
-Children:
- - aws_nist_800_53_rev_5_cm_6_a
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_6
+ title: Configuration Settings (CM-6)
+ description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_6_a
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml
index 7be84a0ce..a9159f7be 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_6_a.yaml
@@ -1,50 +1,55 @@
-ID: aws_nist_800_53_rev_5_cm_6_a
-Title: CM-6(a)
-Description: 'Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations].'
-SectionCode: a
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_ec2_instance_iam_profile_attached
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_cmk_rotation_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_6_a
+ title: CM-6(a)
+ description: "Establish and 
document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_ec2_instance_iam_profile_attached
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_cmk_rotation_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml
index cf7840902..3476f25a2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_7
-Title: Least Functionality (CM-7)
-Description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_5_cm_7_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_7
+ title: Least Functionality (CM-7)
+ description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_7_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml
index 865bf4268..ac8bd7aab 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_7_b.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_7_b
-Title: CM-7(b)
-Description: 'Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].'
-SectionCode: b
-Children: []
-Controls:
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_7_b
+ title: CM-7(b)
+ description: "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml
index 8e0f61fdf..fa4640db7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_8
-Title: System Component Inventory (CM-8)
-Description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.
-SectionCode: "8"
-Children:
- - aws_nist_800_53_rev_5_cm_8_1
- - aws_nist_800_53_rev_5_cm_8_2
- - aws_nist_800_53_rev_5_cm_8_3
- - aws_nist_800_53_rev_5_cm_8_6
- - aws_nist_800_53_rev_5_cm_8_a
- - aws_nist_800_53_rev_5_cm_8_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8
+ title: System Component Inventory (CM-8)
+ description: The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_8_1
+ - id: aws_nist_800_53_rev_5_cm_8_2
+ - id: aws_nist_800_53_rev_5_cm_8_3
+ - id: aws_nist_800_53_rev_5_cm_8_6
+ - id: aws_nist_800_53_rev_5_cm_8_a
+ - id: aws_nist_800_53_rev_5_cm_8_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml
index 9590990c6..771edfd8f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_1
-Title: CM-8(1) Updates During Installation And Removals
-Description: Update the inventory of system components as part of component installations, removals, and system updates.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_1
+ title: CM-8(1) Updates During Installation And Removals
+ description: Update the inventory of system components as part of component installations, removals, and system updates.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml
index ff78392fe..843c8ec45 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_8_2
-Title: CM-8(2) Automated Maintenance
-Description: 'Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_2
+ title: CM-8(2) Automated Maintenance
+ description: "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml
index e74877f39..275e20f70 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_8_3
-Title: CM-8(3) Automated Unauthorized Component Detection
-Description: 'The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].'
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_cm_8_3_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_3
+ title: CM-8(3) Automated Unauthorized Component Detection
+ description: "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_8_3_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml
index 678e53b21..4969ecf5b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_3_a.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_cm_8_3_a
-Title: CM-8(3)(a)
-Description: 'Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].'
-SectionCode: a
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_3_a
+ title: CM-8(3)(a)
+ description: "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml
index ab55779a0..d6f50ef65 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_6.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cm_8_6
-Title: CM-8(6) Assessed Configurations And Approved Deviations
-Description: Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_vpc_security_group_restrict_ingress_common_ports_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_6
+ title: CM-8(6) Assessed Configurations And Approved Deviations
+ description: Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml
index b3e719b00..fc0ef26e9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a.yaml
@@ -1,24 +1,30 @@
-ID: aws_nist_800_53_rev_5_cm_8_a
-Title: CM-8(a)
-Description: 'Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_cm_8_a_1
- - aws_nist_800_53_rev_5_cm_8_a_2
- - aws_nist_800_53_rev_5_cm_8_a_3
- - aws_nist_800_53_rev_5_cm_8_a_4
- - aws_nist_800_53_rev_5_cm_8_a_5
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a
+ title: CM-8(a)
+ description: "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_8_a_1
+ - id: aws_nist_800_53_rev_5_cm_8_a_2
+ - id: aws_nist_800_53_rev_5_cm_8_a_3
+ - id: aws_nist_800_53_rev_5_cm_8_a_4
+ - id: aws_nist_800_53_rev_5_cm_8_a_5
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml
index c2aa69e70..b5f9ca677 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_a_1
-Title: CM-8(a)(1)
-Description: 'Develop and document an inventory of system components that: 1. Accurately reflects the system.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a_1
+ title: CM-8(a)(1)
+ description: "Develop and document an inventory of system components that: 1. Accurately reflects the system."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml
index e625cb965..e84de2362 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_2.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_a_2
-Title: CM-8(a)(2)
-Description: 'Develop and document an inventory of system components that: 2. Includes all components within the system.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a_2
+ title: CM-8(a)(2)
+ description: "Develop and document an inventory of system components that: 2. Includes all components within the system."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml
index f0e53c04c..efd6ad145 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_a_3
-Title: CM-8(a)(3)
-Description: 'Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system.'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a_3
+ title: CM-8(a)(3)
+ description: "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml
index e622212b8..dd920d0d4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_4.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_a_4
-Title: CM-8(a)(4)
-Description: 'Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting.'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a_4
+ title: CM-8(a)(4)
+ description: "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml
index 9776dee5a..b34d08191 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_a_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_a_5
-Title: CM-8(a)(5)
-Description: 'Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_a_5
+ title: CM-8(a)(5)
+ description: "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml
index b5f01d3e9..b9c7f9cff 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_8_b.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cm_8_b
-Title: CM-8(b)
-Description: 'Review and update the system component inventory [Assignment: organization-defined frequency].'
-SectionCode: b
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_8_b
+ title: CM-8(b)
+ description: "Review and update the system component inventory [Assignment: organization-defined frequency]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml
index 7ba8226a3..5824b83c3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_cm_9
-Title: Configuration Management Plan (CM-9)
-Description: 'Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification.'
-SectionCode: "9"
-Children:
- - aws_nist_800_53_rev_5_cm_9_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_9
+ title: Configuration Management Plan (CM-9)
+ description: "Develop, document, and implement a configuration management plan for the system that: a.\u2003Addresses roles, responsibilities, and configuration management processes and procedures; b.\u2003Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c.\u2003Defines the configuration items for the system and places the configuration items under configuration management; d.\u2003Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e.\u2003Protects the configuration management plan from unauthorized disclosure and modification."
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cm_9_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml
index a9a42254d..6692aae15 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cm_9_b.yaml
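Review bot: The new `description` replaces the ordinary space after each list label (`a.`, `b.`, `c.`, `d.`, `e.`) with a `\u2003` escape — an em space — that the old side did not contain, while the descriptions converted in the neighbouring hunks (cm_8_a, cm_8_b, cp_1_a_1_b) keep a plain space. U+2003 is invisible in most renderers but defeats plain-text search, diffing and any exact-match comparison of the stored text against the published control wording, so the conversion silently changes the value rather than only its quoting; `a. Addresses roles, responsibilities, ...` with ordinary spaces keeps the migrated value equal to the old one. The same substitution appears in the cp_1 and cp_1_a hunks further down.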
@@ -1,49 +1,54 @@
-ID: aws_nist_800_53_rev_5_cm_9_b
-Title: CM-9(b)
-Description: 'Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.'
-SectionCode: b
-Children: []
-Controls:
- - aws_account_part_of_organizations
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_cloudtrail_trail_validation_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_iam_account_password_policy_min_length_14
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_kms_cmk_rotation_enabled
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_logging_enabled
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_flow_logs_enabled
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cm_9_b
+ title: CM-9(b)
+ description: "Develop, document, and implement a
configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_account_part_of_organizations
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_iam_account_password_policy_min_length_14
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_kms_cmk_rotation_enabled
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_logging_enabled
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_flow_logs_enabled
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml
index 86914a20e..a55024c78 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_cp
-Title: Contingency Planning (CP)
-Description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
-SectionCode: cp
-Children:
- - aws_nist_800_53_rev_5_cp_1
- - aws_nist_800_53_rev_5_cp_2
- - aws_nist_800_53_rev_5_cp_6
- - aws_nist_800_53_rev_5_cp_9
- - aws_nist_800_53_rev_5_cp_10
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp
+ title: Contingency Planning (CP)
+ description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+ section-code: cp
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_1
+ - id: aws_nist_800_53_rev_5_cp_2
+ - id: aws_nist_800_53_rev_5_cp_6
+ - id: aws_nist_800_53_rev_5_cp_9
+ - id: aws_nist_800_53_rev_5_cp_10
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml
index b4aee830e..15fea8479 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cp_1
-Title: Policy And Procedures (CP-1)
-Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].'
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_cp_1_2
- - aws_nist_800_53_rev_5_cp_1_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_1
+ title: Policy And Procedures (CP-1)
+ description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c.\u2003Review and update the current contingency planning: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_1_2
+ - id: aws_nist_800_53_rev_5_cp_1_a
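Review bot: The rewritten `description` still reads `executive orders, directives regulations, policies`, dropping the comma that the child cp_1_a description in this same series carries (`directives, regulations, policies`), so the parent and child now disagree on the same sentence. Since the value is rewritten wholesale in this hunk, correcting it here to `executive orders, directives, regulations, policies, standards, and guidelines` costs nothing and keeps the two in step. The enclosing control-group definition starts in the previous physical line of the hunk.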
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml
index 656c1572e..162211110 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10.yaml
@@ -1,33 +1,39 @@
-ID: aws_nist_800_53_rev_5_cp_10
-Title: System Recovery And Reconstitution (CP-10)
-Description: 'Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.'
-SectionCode: "10"
-Children:
- - aws_nist_800_53_rev_5_cp_10_2
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_10
+ title: System Recovery And Reconstitution (CP-10)
+ description: "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_10_2
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml
index 29bdba4d9..807d467ed 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_10_2.yaml
@@ -1,27 +1,32 @@
-ID: aws_nist_800_53_rev_5_cp_10_2
-Title: CP-10(2) Transaction Recovery
-Description: Implement transaction recovery for systems that are transaction-based.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_10_2
+ title: CP-10(2) Transaction Recovery
+ description: Implement transaction recovery for systems that are transaction-based.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml
index 68792d6d2..31838a1a2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_2.yaml
@@ -1,27 +1,32 @@
-ID: aws_nist_800_53_rev_5_cp_1_2
-Title: CP-1(2)
-Description: Implement transaction recovery for systems that are transaction-based.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_rds_db_instance_backup_enabled
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_1_2
+ title: CP-1(2)
+ description: Implement transaction recovery for systems that are transaction-based.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml
index ea4d918a2..9099f1843 100755
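Review bot: The new-side `description` of `aws_nist_800_53_rev_5_cp_1_2` (`Implement transaction recovery for systems that are transaction-based.`) is byte-identical to the description of `cp_10_2` in the preceding hunk, and its `controls` are the same ten backup/recovery checks in a different order, so this group appears to be a copy of CP-10(2) filed under CP-1. The parent `cp_1` hunk's own text defines its item `2.` as `Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls`, which is what a group titled `CP-1(2)` would be expected to describe; neither the wording nor the backup controls fit that. The mismatch predates this commit, but since the file is rewritten wholesale here, the description should be replaced with the CP-1 paragraph it is meant to map and the control list reconsidered against it rather than migrated as-is.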
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_cp_1_a
-Title: CP-1(a)
-Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_cp_1_a_2
- - aws_nist_800_53_rev_5_cp_1_a_1_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_1_a
+ title: CP-1(a)
+ description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_1_a_2
+ - id: aws_nist_800_53_rev_5_cp_1_a_1_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml
index 06f2ddc0b..b744b4680 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_1_b.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_1_a_1_b
-Title: CP-1(a)(1)(b)
-Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.'
-SectionCode: 1_b
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_1_a_1_b
+ title: CP-1(a)(1)(b)
+ description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
+ section-code: 1_b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
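Review bot: The `controls` list attaches purely technical checks (DynamoDB auto scaling, ELB deletion protection, RDS multi-AZ, a VPN tunnel being up) to CP-1(a)(1)(b), whose text on the `description` line is that the written contingency planning policy be consistent with applicable laws and regulations. None of those checks can change state based on whether such a policy exists, so a report built from this file marks the requirement satisfied with no policy ever written, and the same six controls are reused verbatim for CP-1(a)(2) in the next hunk. The mapping is carried over from the old side rather than introduced here, but the migration is the natural point to either set `controls: []` for this documentation-level requirement or mark it, e.g. `# CP-1(a)(1)(b) is a policy requirement; the checks below are resilience indicators only and do not replace manual attestation`.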
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
index 6a3ee6da4..d66fc9f4c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_1_a_2.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_1_a_2
-Title: CP-1(a)(2)
-Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_1_a_2
+ title: CP-1(a)(2)
+ description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml
index eee186094..3d6f5dbda 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_cp_2
-Title: Contingency Plan (CP-2)
-Description: 'a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification.'
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_5_cp_2_a
- - aws_nist_800_53_rev_5_cp_2_d
- - aws_nist_800_53_rev_5_cp_2_e
- - aws_nist_800_53_rev_5_cp_2_5
- - aws_nist_800_53_rev_5_cp_2_6
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2
+ title: Contingency Plan (CP-2)
+ description: "a.\u2003Develop a contingency plan for the system that: 1.\u2003Identifies essential mission and business functions and associated contingency requirements; 2.\u2003Provides recovery objectives, restoration priorities, and metrics; b.\u2003Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c.\u2003Coordinate contingency planning activities with incident handling activities; d.\u2003Review the contingency plan for the system [Assignment: organization-defined frequency]; e.\u2003Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f.\u2003Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g.\u2003Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h.\u2003Protect the contingency plan from unauthorized disclosure and modification."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_2_a
+ - id: aws_nist_800_53_rev_5_cp_2_d
+ - id: aws_nist_800_53_rev_5_cp_2_e
+ - id: aws_nist_800_53_rev_5_cp_2_5
+ - id: aws_nist_800_53_rev_5_cp_2_6
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
index 00aef9a51..92b0b4067 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_5.yaml
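Review bot: The nested `control-group` lists children for CP-2(a), (d), (e), (5) and (6) only, while the `description` immediately above enumerates (a) through (h); in particular CP-2(h), protecting the contingency plan from unauthorized disclosure and modification, has no child, nor do (b), (c), (f) and (g), so the parent displays control text it does not report on. This gap exists on the old side too, but the migration is the natural place to either add the missing children or make the omission explicit with a comment such as `# CP-2(b),(c),(f),(g),(h) are procedural and intentionally carry no automated checks`. The `\u2003` (EM SPACE) escapes introduced into the description also differ from the plain spaces used in the CP-2 child files in this commit; an invisible character difference in control text breaks search and comparison against the published wording, so a plain space is preferable.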
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_cp_2_5
-Title: CP-2(5) Continue Mission And Business Functions
-Description: 'Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_5
+ title: CP-2(5) Continue Mission And Business Functions
+ description: "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
index 9af8cc451..e952819a6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_6.yaml
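Review bot: `aws_ec2_instance_ebs_optimized` in the `controls` list is a throughput setting for EBS traffic, not a continuity control, so it inflates the CP-2(5) pass rate without evidencing the requirement and should be dropped or given a justifying comment. The two retention checks in the same list encode different thresholds (`aws_elasticache_redis_cluster_automatic_backup_retention_15_days` against `aws_redshift_cluster_automatic_snapshots_min_7_days`), whereas CP-2(5) is meant to be measured against one organization-defined recovery objective; a comment stating which RPO these thresholds stand for, e.g. `# retention thresholds are placeholders — align with the organization's RPO`, would keep the inconsistency from being read as deliberate. These mappings predate the commit, but the list is being rewritten here and is the right place to fix them.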
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_cp_2_6
-Title: CP-2(6) Alternate Processing And Storage Sites
-Description: 'Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.'
-SectionCode: "6"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_6
+ title: CP-2(6) Alternate Processing And Storage Sites
+ description: "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
index e5537de63..beb8068d1 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a.yaml
@@ -1,25 +1,31 @@
-ID: aws_nist_800_53_rev_5_cp_2_a
-Title: CP-2(a)
-Description: 'a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles].'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_cp_2_a_6
- - aws_nist_800_53_rev_5_cp_2_a_7
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_a
+ title: CP-2(a)
+ description: "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. 
Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_2_a_6
+ - id: aws_nist_800_53_rev_5_cp_2_a_7
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
index ad16f189c..42fae4943 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_6.yaml
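Review bot: The double-quoted `description` scalar is broken across two lines between `and 7. ` and `Is reviewed and approved`; if that line break is really in the file rather than an artifact of how this page was rendered, the continuation line must be indented deeper than `description:` for the flow scalar to parse, and a column-0 `Is reviewed ...` makes the whole document invalid YAML. Keeping the value on a single line, or switching to a `>-` folded block scalar, removes the ambiguity either way. The six `controls` listed here are the same infrastructure checks attached to CP-2(d) and CP-2(e) in later hunks, yet CP-2(a) is the requirement that a plan with specific contents be written; RDS multi-AZ or a VPN tunnel being up cannot evidence that, so a comment such as `# CP-2(a) is a plan-authoring requirement; these checks are supporting indicators, not evidence` would stop the group from reading as fully automated.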
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_2_a_6
-Title: CP-2(a)(6)
-Description: 'Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information.'
-SectionCode: "6"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_a_6
+ title: CP-2(a)(6)
+ description: "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
index a4b24324c..5ae1b48d0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_a_7.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_2_a_7
-Title: CP-2(a)(7)
-Description: 'Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles].'
-SectionCode: "7"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_a_7
+ title: CP-2(a)(7)
+ description: "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
index fc837be0b..b99af4e35 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_d.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_2_d
-Title: CP-2(d)
-Description: 'Review the contingency plan for the system [Assignment: organization-defined frequency]'
-SectionCode: d
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_d
+ title: CP-2(d)
+ description: "Review the contingency plan for the system [Assignment: organization-defined frequency]"
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
index 1d4545d0b..f19694a2c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_2_e.yaml
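Review bot: CP-2(d) is a periodic human activity — review the plan at an organization-defined frequency — yet its `controls` list consists of infrastructure state checks (deletion protection, multi-AZ, VPN tunnel up) whose result can never depend on whether a review took place. The group will therefore report as passing indefinitely and hide the actual gap; `controls: []` together with a comment such as `# CP-2(d): periodic plan review — no automatable evidence, requires manual attestation` is the honest representation. The identical six-control list is reused for CP-2(e), CP-2(a)(6) and CP-2(a)(7) in the neighbouring hunks, so the same treatment applies there.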
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_cp_2_e
-Title: CP-2(e)
-Description: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
-SectionCode: e
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_2_e
+ title: CP-2(e)
+ description: Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
+ section-code: e
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
index 10d76a512..9d6f5bc39 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_cp_6
-Title: Alternate Storage Sites (CP-6)
-Description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
-SectionCode: "6"
-Children:
- - aws_nist_800_53_rev_5_cp_6_1
- - aws_nist_800_53_rev_5_cp_6_2
- - aws_nist_800_53_rev_5_cp_6_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_6
+ title: Alternate Storage Sites (CP-6)
+ description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_cp_6_1
+ - id: aws_nist_800_53_rev_5_cp_6_2
+ - id: aws_nist_800_53_rev_5_cp_6_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
index 82982601e..3cb661e2e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_1.yaml
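Review bot: The nested `control-group` lists CP-6(1), CP-6(2) and CP-6(a) as children, but the `description` also states CP-6(b) — the alternate storage site must provide controls equivalent to the primary site — and nothing covers it. Equivalence of controls at the backup location (encryption at rest, bucket/snapshot access policy, logging on the replica) is the part of CP-6 most often missed in practice, and a backup copy with weaker access controls is a classic exfiltration path, so the gap matters more than the other omitted sub-items in this commit. Either add an `aws_nist_800_53_rev_5_cp_6_b` child or make the omission visible with `# CP-6(b) (equivalent controls at the alternate site) has no automated checks yet`.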
@@ -1,26 +1,31 @@
-ID: aws_nist_800_53_rev_5_cp_6_1
-Title: CP-6(1) Separation From Primary Site
-Description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_6_1
+ title: CP-6(1) Separation From Primary Site
+ description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml
index 76f2cb84a..b7bf9ffd0 100755
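Review bot: `aws_s3_bucket_versioning_enabled` does not evidence CP-6(1): versioning keeps prior object versions in the same bucket, region and account, so it gives no separation from the primary storage site, and a regional outage or a compromised principal holding `s3:DeleteObjectVersion` hits both copies at once. The `*_in_backup_plan`, `aws_rds_db_instance_backup_enabled` and automatic-snapshot checks share that weakness unless the plan or snapshot copy targets another region or account, which none of these check names suggest they verify. Of the listed controls only `aws_s3_bucket_cross_region_replication_enabled` actually demonstrates separation; the remainder should be removed from this enhancement or annotated with `# assumes the backup plan includes a cross-region/cross-account copy — not verified by this check`.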
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_2.yaml
@@ -1,31 +1,36 @@
-ID: aws_nist_800_53_rev_5_cp_6_2
-Title: CP-6(2) Recovery Time And Recovery Point Objectives
-Description: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_multiple_az_enabled
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
- - aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_6_2
+ title: CP-6(2) Recovery Time And Recovery Point Objectives
+ description: Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
index ec2f4b446..a9893416e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_6_a.yaml
@@ -1,26 +1,31 @@
-ID: aws_nist_800_53_rev_5_cp_6_a
-Title: CP-6(a)
-Description: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.
-SectionCode: a
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_cp_6_a
+ title: CP-6(a)
+ description: Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml
index 3f7e2ec7e..a3bb5946d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9.yaml 
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_cp_9 -Title: System Backup (CP-9) -Description: 'a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information.' -SectionCode: "9" -Children: - - aws_nist_800_53_rev_5_cp_9_8 - - aws_nist_800_53_rev_5_cp_9_a - - aws_nist_800_53_rev_5_cp_9_b - - aws_nist_800_53_rev_5_cp_9_c - - aws_nist_800_53_rev_5_cp_9_d -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9 + title: System Backup (CP-9) + description: "a.\u2003Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b.\u2003Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c.\u2003Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d.\u2003Protect the confidentiality, integrity, and availability of backup information." 
+ section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_cp_9_8 + - id: aws_nist_800_53_rev_5_cp_9_a + - id: aws_nist_800_53_rev_5_cp_9_b + - id: aws_nist_800_53_rev_5_cp_9_c + - id: aws_nist_800_53_rev_5_cp_9_d diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml index 6592d4032..4209d877f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_8.yaml 
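Review bot: The new `description` on the CP-9 group embeds `\u2003` (EM SPACE) after each of the `a.`, `b.`, `c.`, `d.` labels, whereas the sibling CP-9(a) description in this same series uses a plain space (`"Conduct backups of user-level information …"`). The em space is almost certainly a copy artifact from the NIST PDF; it renders as an oversized gap in any UI and defeats a plain-text search for `a. Conduct`. I would normalise to `description: "a. Conduct backups of user-level information … b. Conduct backups of system-level information … c. Conduct backups of system documentation … and d. Protect the confidentiality, integrity, and availability of backup information."` so the four sub-part descriptions and the parent agree character-for-character.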
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_cp_9_8 -Title: CP-9(8) Cryptographic Protection -Description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].' -SectionCode: "8" -Children: [] -Controls: - - aws_rds_db_snapshot_encrypted_at_rest - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9_8 + title: CP-9(8) Cryptographic Protection + description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]." + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_rds_db_snapshot_encrypted_at_rest + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml index d0e2dfc22..f78f93c68 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_a.yaml 
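Review bot: CP-9(8) asks for cryptographic protection against both disclosure *and modification* of backup information, but the three controls kept on the new side (`aws_rds_db_snapshot_encrypted_at_rest`, `aws_s3_bucket_default_encryption_enabled`, `aws_s3_bucket_default_encryption_enabled_kms`) are all confidentiality-only and cover just RDS snapshots and S3. EBS-backed backups are not represented even though `aws_ebs_attached_volume_encryption_enabled` is already used elsewhere in this series (CP-9(d)), and EBS snapshots inherit the source volume's encryption state. I would extend the list with `- aws_ebs_attached_volume_encryption_enabled` and `- aws_s3_bucket_versioning_enabled` (the latter being the closest visible control for the modification half), and add a short comment that encryption at rest does not by itself detect tampering.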
@@ -1,29 +1,34 @@ -ID: aws_nist_800_53_rev_5_cp_9_a -Title: CP-9(a) -Description: 'Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].' -SectionCode: a -Children: [] -Controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9_a + title: CP-9(a) + description: "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." 
+ section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_redshift_cluster_maintenance_settings_check + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml index 9a1825bc7..7d3927e43 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_b.yaml 
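Review bot: `aws_ec2_instance_ebs_optimized` and `aws_redshift_cluster_maintenance_settings_check` are carried into the CP-9(a) control list, yet neither name describes a backup control — EBS optimisation is a throughput setting and maintenance settings govern patch windows, as far as the identifiers indicate. Mapping them here lets an account score as "backing up user-level information" on the strength of settings that produce no backup at all. Unless there is a documented rationale, I would drop those two entries, or at minimum annotate them with `# TODO: justify — not a backup control` so reviewers of the evidence do not take them at face value.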
@@ -1,29 +1,34 @@ -ID: aws_nist_800_53_rev_5_cp_9_b -Title: CP-9(b) -Description: 'Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].' -SectionCode: b -Children: [] -Controls: - - aws_dynamodb_table_in_backup_plan - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ebs_volume_in_backup_plan - - aws_ec2_instance_ebs_optimized - - aws_efs_file_system_in_backup_plan - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_rds_db_instance_backup_enabled - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9_b + title: CP-9(b) + description: "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." 
+ section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_in_backup_plan + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ebs_volume_in_backup_plan + - aws_ec2_instance_ebs_optimized + - aws_efs_file_system_in_backup_plan + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_rds_db_instance_backup_enabled + - aws_rds_db_instance_in_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_redshift_cluster_maintenance_settings_check + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml index 59d5ab1bd..50046168d 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_c.yaml 
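Review bot: The CP-9(b) control list is a byte-for-byte copy of CP-9(a), including `aws_ec2_instance_ebs_optimized` and `aws_redshift_cluster_maintenance_settings_check`, which by name are performance and patch-window settings rather than backup controls. System-level information (configuration, OS images, infrastructure state) is a different scope from user-level data, so an identical mapping suggests the sub-parts were not reviewed individually. I would remove the two non-backup entries and add a comment such as `# NOTE: same control set as CP-9(a); AWS Backup plans cover both user- and system-level data on the listed resource types` so the deliberate duplication is visible.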
@@ -1,29 +1,34 @@ -ID: aws_nist_800_53_rev_5_cp_9_c -Title: CP-9(c) -Description: 'Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].' -SectionCode: c -Children: [] -Controls: - - aws_dynamodb_table_in_backup_plan - - aws_ebs_volume_in_backup_plan - - aws_efs_file_system_in_backup_plan - - aws_rds_db_instance_in_backup_plan - - aws_redshift_cluster_automatic_snapshots_min_7_days - - aws_rds_db_instance_backup_enabled - - aws_dynamodb_table_point_in_time_recovery_enabled - - aws_ec2_instance_ebs_optimized - - aws_elasticache_redis_cluster_automatic_backup_retention_15_days - - aws_redshift_cluster_maintenance_settings_check - - aws_s3_bucket_cross_region_replication_enabled - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9_c + title: CP-9(c) + description: "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]." 
+ section-code: c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_in_backup_plan + - aws_ebs_volume_in_backup_plan + - aws_efs_file_system_in_backup_plan + - aws_rds_db_instance_in_backup_plan + - aws_redshift_cluster_automatic_snapshots_min_7_days + - aws_rds_db_instance_backup_enabled + - aws_dynamodb_table_point_in_time_recovery_enabled + - aws_ec2_instance_ebs_optimized + - aws_elasticache_redis_cluster_automatic_backup_retention_15_days + - aws_redshift_cluster_maintenance_settings_check + - aws_s3_bucket_cross_region_replication_enabled + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml index d0cb5bc25..afb18eb81 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_cp_9_d.yaml 
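Review bot: The CP-9(c) `controls:` list contains the same twelve identifiers as CP-9(a) and CP-9(b) but in a different order (`aws_rds_db_instance_in_backup_plan` and `aws_redshift_cluster_automatic_snapshots_min_7_days` precede `aws_rds_db_instance_backup_enabled`, `aws_dynamodb_table_point_in_time_recovery_enabled` comes late), which makes it hard to diff the three sibling files and spot a genuine divergence. I would sort the list alphabetically to match the siblings. As in the siblings, `aws_ec2_instance_ebs_optimized` and `aws_redshift_cluster_maintenance_settings_check` do not describe backup controls and are a poor fit for "backups of system documentation"; a `# TODO` comment or removal is warranted.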
@@ -1,35 +1,40 @@ -ID: aws_nist_800_53_rev_5_cp_9_d -Title: CP-9(d) -Description: Protect the confidentiality, integrity, and availability of backup information. -SectionCode: d -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_in_backup_plan - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_default_encryption_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_cp_9_d + title: CP-9(d) + description: Protect the confidentiality, integrity, and availability of backup information. 
+ section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dynamodb_table_in_backup_plan + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_es_domain_encryption_at_rest_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_logging_enabled + - aws_redshift_cluster_kms_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_default_encryption_enabled + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_secretsmanager_secret_encrypted_with_kms_cmk + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml index 44550283a..5d32d42e4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia.yaml 
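Review bot: CP-9(d) requires protecting the confidentiality, *integrity and availability* of backup information, but seventeen of the eighteen controls on the new side are encryption-at-rest checks, which address confidentiality only; the sole exception is `aws_dynamodb_table_in_backup_plan`. Controls already used elsewhere in this series — `aws_s3_bucket_versioning_enabled` (integrity against overwrite/delete) and `aws_s3_bucket_cross_region_replication_enabled` (availability) — are absent here. Conversely, several listed items (`aws_sns_topic_encrypted_at_rest`, `aws_sagemaker_notebook_instance_encryption_at_rest_enabled`, `aws_apigateway_stage_cache_encryption_at_rest_enabled`) do not obviously concern backup data. I would add `- aws_s3_bucket_versioning_enabled` and `- aws_s3_bucket_cross_region_replication_enabled`, and prune or annotate the entries that are not backup-related.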
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_ia -Title: Identification and Authentication (IA) -Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. -SectionCode: ia -Children: - - aws_nist_800_53_rev_5_ia_2 - - aws_nist_800_53_rev_5_ia_3 - - aws_nist_800_53_rev_5_ia_4 - - aws_nist_800_53_rev_5_ia_5 - - aws_nist_800_53_rev_5_ia_8 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia + title: Identification and Authentication (IA) + description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. + section-code: ia + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ia_2 + - id: aws_nist_800_53_rev_5_ia_3 + - id: aws_nist_800_53_rev_5_ia_4 + - id: aws_nist_800_53_rev_5_ia_5 + - id: aws_nist_800_53_rev_5_ia_8 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml index 67d8c9764..d20615670 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2.yaml 
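Review bot: The IA group `description` ends with the ungrammatical fragment "and how the management of those systems", which reads as a truncated sentence in any compliance report. I would rewrite it as `description: IA controls cover the identification and authentication policies in an organization, including how organizational and non-organizational users are identified and authenticated and how those identities are managed.` The `auto-assign: null` beside explicit `enabled: false` / `tracks-drift-events: false` deserves a comment stating whether `null` means "inherit".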
@@ -1,22 +1,28 @@ -ID: aws_nist_800_53_rev_5_ia_2 -Title: Identification and Authentication (Organizational users) (IA-2) -Description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). -SectionCode: "2" -Children: - - aws_nist_800_53_rev_5_ia_2_1 - - aws_nist_800_53_rev_5_ia_2_2 - - aws_nist_800_53_rev_5_ia_2_6 - - aws_nist_800_53_rev_5_ia_2_8 -Controls: - - aws_iam_root_user_no_access_keys -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2 + title: Identification and Authentication (Organizational users) (IA-2) + description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ia_2_1 + - id: aws_nist_800_53_rev_5_ia_2_2 + - id: aws_nist_800_53_rev_5_ia_2_6 + - id: aws_nist_800_53_rev_5_ia_2_8 + controls: + - aws_iam_root_user_no_access_keys diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml index 336b207aa..2281578d9 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_1.yaml 
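Review bot: IA-2 is about uniquely identifying and authenticating *organizational users*, yet the only direct control is `aws_iam_root_user_no_access_keys`, which concerns the root principal rather than per-user identity. The four MFA-related children carry the authentication half, but nothing under this group evidences uniqueness (for example a check that no shared or long-unused user credentials exist); that gap should be visible to anyone relying on the mapping. I would add a comment above `controls:` such as `# NOTE: root access-key check only; per-user identity uniqueness is not yet covered by an automated control` rather than leaving the single entry to imply full coverage.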
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_ia_2_1 -Title: IA-2(1) Multi-Factor Authentication To Privileged Accounts -Description: Implement multi-factor authentication for access to privileged accounts. -SectionCode: "1" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2_1 + title: IA-2(1) Multi-Factor Authentication To Privileged Accounts + description: Implement multi-factor authentication for access to privileged accounts. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml index 210869e6f..aa3bc3bb6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_2.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_ia_2_2 -Title: IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts -Description: Implement multi-factor authentication for access to non-privileged accounts. -SectionCode: "2" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2_2 + title: IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts + description: Implement multi-factor authentication for access to non-privileged accounts. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml index a514c8194..64232cc28 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6.yaml 
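Review bot: IA-2(2) is specifically about MFA for *non-privileged* accounts, but the new control list includes `aws_iam_root_user_hardware_mfa_enabled` and `aws_iam_root_user_mfa_enabled`, which target the most privileged principal in the account and already appear under IA-2(1). Counting root MFA toward the non-privileged requirement double-credits the same evidence and muddies what a failure here means. I would keep only `- aws_iam_user_console_access_mfa_enabled` and `- aws_iam_user_mfa_enabled` in this file.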
@@ -1,22 +1,28 @@ -ID: aws_nist_800_53_rev_5_ia_2_6 -Title: IA-2(6) Acces To Accounts — Separate Device -Description: 'Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements].' -SectionCode: "6" -Children: - - aws_nist_800_53_rev_5_ia_2_6_a -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2_6 + title: IA-2(6) Acces To Accounts — Separate Device + description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]." + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ia_2_6_a + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled 
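Review bot: The new `title` carries the misspelling `Acces To Accounts — Separate Device`; since titles surface verbatim in reports, it should read `title: IA-2(6) Access To Accounts — Separate Device`. On substance, the control requires a factor supplied by a device *separate from the system gaining access*; of the four mapped controls only `aws_iam_root_user_hardware_mfa_enabled` by name evidences a distinct device, while a virtual MFA app can live on the same workstation used to sign in. A comment noting that the `aws_iam_user_*_mfa_enabled` checks do not distinguish virtual from hardware MFA would keep the mapping honest.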
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml index 1e6bebf15..184b4c8e5 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_6_a.yaml @@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_ia_2_6_a -Title: IA-2(6)(a) -Description: 'Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access.' -SectionCode: a -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2_6_a + title: IA-2(6)(a) + description: "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled 
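Review bot: IA-2(6)(a) — "one of the factors is provided by a device separate from the system gaining access" — is mapped to the same four MFA controls as the parent, but three of them (`aws_iam_root_user_mfa_enabled`, `aws_iam_user_console_access_mfa_enabled`, `aws_iam_user_mfa_enabled`) by name pass for any MFA device, including a virtual authenticator on the same machine. Only `aws_iam_root_user_hardware_mfa_enabled` clearly demonstrates a separate device. I would annotate the list with `# NOTE: only the hardware-MFA check evidences a separate device; the generic MFA checks accept virtual MFA` so the sub-part is not reported as satisfied on generic MFA alone.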
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml index 24e129df7..cc94ad210 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_2_8.yaml @@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_ia_2_8 -Title: IA-2(8) Access To Accounts — Replay Resistant -Description: 'Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].' -SectionCode: "8" -Children: [] -Controls: - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_mfa_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/IAM - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_2_8 + title: IA-2(8) Access To Accounts — Replay Resistant + description: "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]." + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/IAM + type: + - Benchmark + controls: + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_mfa_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml index b101143eb..a3b8d0994 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml 
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_ia_3 -Title: Device Identification And Authentication (IA-3) -Description: 'Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.' -SectionCode: "3" -Children: - - aws_nist_800_53_rev_5_ia_3_3 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_3 + title: Device Identification And Authentication (IA-3) + description: "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ia_3_3 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml index 829a45453..9320ceacc 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_ia_3_3 -Title: IA-3(3) Dynamic Address Allocation -Description: 'a. Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b. Audit lease information when assigned to a device.' -SectionCode: "3" -Children: - - aws_nist_800_53_rev_5_ia_3_3_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_3_3 + title: IA-3(3) Dynamic Address Allocation + description: "a.\u2003Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b.\u2003Audit lease information when assigned to a device." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_ia_3_3_b diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml index 01b7ce594..c5fa94ed4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_3_3_b.yaml 
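Review bot: The IA-3(3) `description` uses `\u2003` (EM SPACE) after the `a.` and `b.` labels while the rest of this series uses plain spaces; it is a PDF copy artifact that renders as a wide gap and breaks plain-text search. I would write `description: "a. Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b. Audit lease information when assigned to a device."`. Note also that only sub-part (b) has a child group; if (a) is intentionally out of scope for automated checks, a comment saying so would prevent it being read as an omission.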
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_ia_3_3_b -Title: IA-3(3)(b) -Description: Audit lease information when assigned to a device. -SectionCode: b -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_wafv2_web_acl_logging_enabled - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_ia_3_3_b + title: IA-3(3)(b) + description: Audit lease information when assigned to a device. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_wafv2_web_acl_logging_enabled + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml index aace46698..b11027d38 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4.yaml 
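Review bot: IA-3(3)(b) is about auditing *address lease* information, but the new control list is a generic logging bundle; of the eleven entries only `aws_vpc_flow_logs_enabled` (records source/destination addresses) and the CloudTrail checks (which capture ENI and IP-assignment API calls) plausibly relate to address assignment, whereas WAF, API Gateway, ELB, RDS, Redshift and S3 access logging do not record lease or allocation data. The list is also unsorted (`aws_cloudtrail_multi_region_trail_enabled`, `aws_wafv2_web_acl_logging_enabled`, then `aws_apigateway_…`), unlike the other files in this series. I would sort it and add `# NOTE: VPC flow logs and CloudTrail are the controls relevant to address assignment; the remaining logging checks are general` above `controls:`.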
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_ia_4
-Title: Identifier Management (IA-4)
-Description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ia_4_8
- - aws_nist_800_53_rev_5_ia_4_b
- - aws_nist_800_53_rev_5_ia_4_d
- - aws_nist_800_53_rev_5_ia_4_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_4
+ title: Identifier Management (IA-4)
+ description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_4_8
+ - id: aws_nist_800_53_rev_5_ia_4_b
+ - id: aws_nist_800_53_rev_5_ia_4_d
+ - id: aws_nist_800_53_rev_5_ia_4_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml
index 1adc94038..4dea5da98 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_4_4
-Title: IA-4(4)
-Description: 'Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_4_4
+ title: IA-4(4)
+ description: "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml
index adc7496bc..3a17da66f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_8.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_4_8
-Title: IA-4(8)
-Description: Generate pairwise pseudonymous identifiers.
-SectionCode: "8"
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_4_8
+ title: IA-4(8)
+ description: Generate pairwise pseudonymous identifiers.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml
index e479a6a0c..327f84b94 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_4_b
-Title: IA-4(b)
-Description: 'Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device.'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_4_b
+ title: IA-4(b)
+ description: "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml
index 8c86cedff..622318faa 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_4_d.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_4_d
-Title: IA-4(d)
-Description: 'Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period].'
-SectionCode: d
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_4_d
+ title: IA-4(d)
+ description: "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period]."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml
index 37e67f047..c02b526d6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5.yaml
@@ -1,26 +1,32 @@
-ID: aws_nist_800_53_rev_5_ia_5
-Title: Authenticator Management (IA-5)
-Description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_ia_5_1
- - aws_nist_800_53_rev_5_ia_5_8
- - aws_nist_800_53_rev_5_ia_5_18
- - aws_nist_800_53_rev_5_ia_5_b
- - aws_nist_800_53_rev_5_ia_5_c
- - aws_nist_800_53_rev_5_ia_5_d
- - aws_nist_800_53_rev_5_ia_5_f
- - aws_nist_800_53_rev_5_ia_5_h
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5
+ title: Authenticator Management (IA-5)
+ description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_5_1
+ - id: aws_nist_800_53_rev_5_ia_5_8
+ - id: aws_nist_800_53_rev_5_ia_5_18
+ - id: aws_nist_800_53_rev_5_ia_5_b
+ - id: aws_nist_800_53_rev_5_ia_5_c
+ - id: aws_nist_800_53_rev_5_ia_5_d
+ - id: aws_nist_800_53_rev_5_ia_5_f
+ - id: aws_nist_800_53_rev_5_ia_5_h
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml
index 62a8a1719..fe1ce35ef 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_ia_5_1
-Title: IA-5(1) Password-Based Authentication
-Description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_ia_5_1_c
- - aws_nist_800_53_rev_5_ia_5_1_f
- - aws_nist_800_53_rev_5_ia_5_1_g
- - aws_nist_800_53_rev_5_ia_5_1_h
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_1
+ title: IA-5(1) Password-Based Authentication
+ description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_5_1_c
+ - id: aws_nist_800_53_rev_5_ia_5_1_f
+ - id: aws_nist_800_53_rev_5_ia_5_1_g
+ - id: aws_nist_800_53_rev_5_ia_5_1_h
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml
index 7cdf5efec..7cb2bf5d7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ia_5_18
-Title: IA-5(18) Password Managers
-Description: 'a. Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b. Protect the passwords using [Assignment: organization-defined controls].'
-SectionCode: "18"
-Children:
- - aws_nist_800_53_rev_5_ia_5_18_a
- - aws_nist_800_53_rev_5_ia_5_18_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_18
+ title: IA-5(18) Password Managers
+ description: "a.\u2003Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b.\u2003Protect the passwords using [Assignment: organization-defined controls]."
+ section-code: "18"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_5_18_a
+ - id: aws_nist_800_53_rev_5_ia_5_18_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml
index 8e451417f..7e6204dd7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_18_a
-Title: IA-5(18)(a)
-Description: 'Employ [Assignment: organization-defined password managers] to generate and manage passwords.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_18_a
+ title: IA-5(18)(a)
+ description: "Employ [Assignment: organization-defined password managers] to generate and manage passwords."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml
index 68d40dee6..b8ef3b3d9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_18_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_18_b
-Title: IA-5(18)(b)
-Description: 'Protect the passwords using [Assignment: organization-defined controls].'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_18_b
+ title: IA-5(18)(b)
+ description: "Protect the passwords using [Assignment: organization-defined controls]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml
index c10387d01..972a1e223 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_c.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_ia_5_1_c
-Title: IA-5(1)(c)
-Description: 'For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels.'
-SectionCode: c
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_1_c
+ title: IA-5(1)(c)
+ description: "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml
index ac50f8470..595e304ff 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_f.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_1_f
-Title: IA-5(1)(f)
-Description: 'For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters.'
-SectionCode: f
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_1_f
+ title: IA-5(1)(f)
+ description: "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters."
+ section-code: f
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml
index 44ebcbfcd..70f2e978e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_g.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_1_g
-Title: IA-5(1)(g)
-Description: 'For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators.'
-SectionCode: g
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_1_g
+ title: IA-5(1)(g)
+ description: "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators."
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml
index 322a4ee00..b9f9a7f71 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_1_h.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_1_h
-Title: IA-5(1)(h)
-Description: 'For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].'
-SectionCode: h
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_1_h
+ title: IA-5(1)(h)
+ description: "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]."
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml
index 132eb64b8..f27c7a01c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_8.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_8
-Title: IA-5(8) Multiple System Accounts
-Description: 'Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.'
-SectionCode: "8"
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_8
+ title: IA-5(8) Multiple System Accounts
+ description: "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml
index da0cabcae..32c11f5d0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_b
-Title: IA-5(b)
-Description: 'Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization.'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_b
+ title: IA-5(b)
+ description: "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml
index e13db44f1..ea19f6c37 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_c.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_c
-Title: IA-5(c)
-Description: 'Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use.'
-SectionCode: c
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_c
+ title: IA-5(c)
+ description: "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml
index f8fb65aae..5c9af1da6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_d.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_d
-Title: IA-5(d)
-Description: 'Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.'
-SectionCode: d
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_d
+ title: IA-5(d)
+ description: "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators."
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml
index fd59583d7..9d5299de7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_f.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_f
-Title: IA-5(f)
-Description: 'Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur.'
-SectionCode: f
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_f
+ title: IA-5(f)
+ description: "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur."
+ section-code: f
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml
index 97cdc7072..bfea19fe2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_5_h.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_5_h
-Title: IA-5(h)
-Description: 'Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators.'
-SectionCode: h
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_5_h
+ title: IA-5(h)
+ description: "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators."
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml
index 964ec2744..ee2059bb3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_8
-Title: Identification And Authentication (Non-Organizational Users) (IA-8)
-Description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
-SectionCode: "8"
-Children:
- - aws_nist_800_53_rev_5_ia_8_2
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_8
+ title: Identification And Authentication (Non-Organizational Users) (IA-8)
+ description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_8_2
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml
index 98b08c037..d20e7743e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_8_2
-Title: IA-8(2) Acceptance Of External Authenticators
-Description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
-SectionCode: "2"
-Children:
- - aws_nist_800_53_rev_5_ia_8_2_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_8_2
+ title: IA-8(2) Acceptance Of External Authenticators
+ description: Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ia_8_2_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml
index bc124d5e4..19ed96265 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ia_8_2_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ia_8_2_b
-Title: IA-8(2)(b)
-Description: Document and maintain a list of accepted external authenticators.
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ia_8_2_b
+ title: IA-8(2)(b)
+ description: Document and maintain a list of accepted external authenticators.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml
index eeb0d2719..02180f19e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ir
-Title: Incident Response (IR)
-Description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
-SectionCode: ir
-Children:
- - aws_nist_800_53_rev_5_ir_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ir
+ title: Incident Response (IR)
+ description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+ section-code: ir
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ir_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml
index 44aaf9956..eb57a1d8d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ir_4
-Title: Incident Handling (IR-4)
-Description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ir_4_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ir_4
+ title: Incident Handling (IR-4)
+ description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ir_4_a
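Review bot: The new `description` keeps the pre-existing run-together `recovery;b. Coordinate` where the other enumerated items are separated by `; `; since the value is user-facing text that the rewrite otherwise reproduces verbatim, this is the place to fix it: `recovery; b. Coordinate incident handling activities`. This is a wording fix only; the rest of the description matches the IR-4 control statement.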
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml
index 7206c5833..01336085e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ir_4_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ir_4_a
-Title: IR-4(a)
-Description: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_finding_archived
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ir_4_a
+ title: IR-4(a)
+ description: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml
index 3b3c50f4e..3d2a4f5e4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma.yaml
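Review bot: `aws_guardduty_finding_archived` is the only evidence for IR-4(a) "implement an incident handling capability", and from its name it appears to pass when findings have been archived, which can equally result from bulk-dismissing findings as from handling them; the file should say what the check is taken to prove so that a reader does not mistake it for a full IR-4(a) assessment. A one-line comment above the control, such as `# proxy: archived findings are read as "triaged"; does not assess the incident response plan itself`, would make the scope explicit. The mapping predates this commit, so this is a documentation request rather than a regression.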
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ma
-Title: Maintenance (MA)
-Description: The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used.
-SectionCode: ma
-Children:
- - aws_nist_800_53_rev_5_ma_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ma
+ title: Maintenance (MA)
+ description: The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used.
+ section-code: ma
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ma_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml
index feb8244b4..f872631de 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ma_4
-Title: Nonlocal Maintenance (MA-4)
-Description: a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed.
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_ma_4_1
- - aws_nist_800_53_rev_5_ma_4_c
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ma_4
+ title: Nonlocal Maintenance (MA-4)
+ description: a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ma_4_1
+ - id: aws_nist_800_53_rev_5_ma_4_c
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml
index 029f158d9..36d64fb13 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ma_4_1
-Title: MA-4(1) Logging And Review
-Description: 'a. Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.'
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_ma_4_1_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ma_4_1
+ title: MA-4(1) Logging And Review
+ description: "a.\u2003Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b.\u2003Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ma_4_1_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml
index cecefd98c..a06a570e2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_1_a.yaml
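Review bot: The new `description` switches to double quotes and writes `a.\u2003Log` and `b.\u2003Review`, so the stored text now contains U+2003 EM SPACE after each enumeration letter, whereas the removed single-quoted line displays an ordinary space there. An invisible non-ASCII space in user-facing text is a likely conversion artifact: it breaks plain-text search for `a. Log`, may render inconsistently, and is the only place in these files where the text content changes rather than the layout. If the source documents genuinely used an em space the change is a faithful re-encoding, but otherwise the value should be `"a. Log [Assignment: organization-defined audit events] ... b. Review ..."` with plain spaces; the same escape appears in the descriptions at L1524, L1528 and L1530.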
@@ -1,28 +1,33 @@
-ID: aws_nist_800_53_rev_5_ma_4_1_a
-Title: MA-4(1)(a)
-Description: 'Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions.'
-SectionCode: a
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ma_4_1_a
+ title: MA-4(1)(a)
+ description: "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml
index c2ff38734..abd9f3317 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ma_4_c.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ma_4_c
-Title: MA-4(c)
-Description: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
-SectionCode: c
-Children: []
-Controls:
- - aws_iam_account_password_policy_min_length_14
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ma_4_c
+ title: MA-4(c)
+ description: Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_min_length_14
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml
index 09056bda0..60181c712 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_mp
-Title: Media Protection (MP)
-Description: The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use.
-SectionCode: mp
-Children:
- - aws_nist_800_53_rev_5_mp_2
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_mp
+ title: Media Protection (MP)
+ description: The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use.
+ section-code: mp
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_mp_2
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml
index 52647d5a7..013f0f396 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_mp_2.yaml
@@ -1,41 +1,46 @@
-ID: aws_nist_800_53_rev_5_mp_2
-Title: Media Access (MP-2)
-Description: 'Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_ec2_instance_uses_imdsv2
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_mp_2
+ title: Media Access (MP-2)
+ description: "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_ec2_instance_uses_imdsv2
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml
index 5aa294d10..c4978a501 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pe
-Title: Physical And Environmental Protection (PE)
-Description: The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection.
-SectionCode: pe
-Children:
- - aws_nist_800_53_rev_5_pe_6
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pe
+ title: Physical And Environmental Protection (PE)
+ description: The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection.
+ section-code: pe
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pe_6
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml
index df8e3798a..ff1123500 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_pe_6
-Title: Monitoring Physical Access (PE-6)
-Description: 'a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinate results of reviews and investigations with the organizational incident response capability.'
-SectionCode: "6"
-Children:
- - aws_nist_800_53_rev_5_pe_6_2
- - aws_nist_800_53_rev_5_pe_6_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pe_6
+ title: Monitoring Physical Access (PE-6)
+ description: "a.\u2003Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b.\u2003Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c.\u2003Coordinate results of reviews and investigations with the organizational incident response capability."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pe_6_2
+ - id: aws_nist_800_53_rev_5_pe_6_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml
index 1df832257..b9ac4f5b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pe_6_2
-Title: PE-6(2) Monitoring Physical Access
-Description: 'Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pe_6_2
+ title: PE-6(2) Monitoring Physical Access
+ description: "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml
index 440058606..e1753033d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pe_6_4.yaml
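Review bot: `aws_guardduty_enabled` is listed as the evidence for PE-6(2), a physical-access monitoring enhancement, and again at L1526 for PE-6(4); GuardDuty is a logical threat-detection service, and the physical facility controls it is standing in for are, under the AWS shared-responsibility model, AWS's to operate and are normally evidenced by AWS's own audit reports rather than by a customer-side API check. The file should record that this is a logical-monitoring proxy so that a green result is not reported as physical-access monitoring: a comment above the control such as `# logical intrusion detection used as a proxy; physical facility monitoring is inherited from the cloud provider` would suffice. The mapping itself is unchanged by this commit.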
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pe_6_4
-Title: PE-6(4) Monitoring Physical Access
-Description: 'Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pe_6_4
+ title: PE-6(4) Monitoring Physical Access
+ description: "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml
index b84a5531c..cf70fe466 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm.yaml
@@ -1,23 +1,28 @@
-ID: aws_nist_800_53_rev_5_pm
-Title: Program Management (PM)
-Description: The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture.
-SectionCode: pm
-Children:
- - aws_nist_800_53_rev_5_pm_11
- - aws_nist_800_53_rev_5_pm_14
- - aws_nist_800_53_rev_5_pm_16
- - aws_nist_800_53_rev_5_pm_17
- - aws_nist_800_53_rev_5_pm_21
- - aws_nist_800_53_rev_5_pm_31
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm
+ title: Program Management (PM)
+ description: The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture.
+ section-code: pm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pm_11
+ - id: aws_nist_800_53_rev_5_pm_14
+ - id: aws_nist_800_53_rev_5_pm_16
+ - id: aws_nist_800_53_rev_5_pm_17
+ - id: aws_nist_800_53_rev_5_pm_21
+ - id: aws_nist_800_53_rev_5_pm_31
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml
index 45b9f1e17..d53371a19 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pm_11
-Title: Mission And Business Process Defination (PM-11)
-Description: 'a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency].'
-SectionCode: "11"
-Children:
- - aws_nist_800_53_rev_5_pm_11_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_11
+ title: Mission And Business Process Defination (PM-11)
+ description: "a.\u2003Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b.\u2003Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c.\u2003Review and revise the mission and business processes [Assignment: organization-defined frequency]."
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pm_11_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml
index e897b88fc..0edf70d59 100755
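Review bot: The new `title` carries over the misspelling "Defination"; since the title is displayed to users and the line is being rewritten anyway, it should read `title: Mission And Business Process Definition (PM-11)`. This is a wording fix only and does not affect the group id or its child reference.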
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_11_b.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_pm_11_b
-Title: PM-11(b)
-Description: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_11_b
+ title: PM-11(b)
+ description: Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml
index cb83e172a..d3b9b0718 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_pm_14
-Title: Testing, Training, And Monitoring (PM-14)
-Description: 'a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.'
-SectionCode: "14"
-Children:
- - aws_nist_800_53_rev_5_pm_14_a_1
- - aws_nist_800_53_rev_5_pm_14_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_14
+ title: Testing, Training, And Monitoring (PM-14)
+ description: "a.\u2003Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1.\u2003Are developed and maintained; and 2.\u2003Continue to be executed; and b.\u2003Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
+ section-code: "14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pm_14_a_1
+ - id: aws_nist_800_53_rev_5_pm_14_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml
index d37747247..40b868792 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_a_1.yaml 
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_pm_14_a_1
-Title: PM-14(a)(1)
-Description: 'a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained.'
-SectionCode: a_1
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_14_a_1
+ title: PM-14(a)(1)
+ description: "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained."
+ section-code: a_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml
index ffa72f8aa..5b804450e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_14_b.yaml
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_pm_14_b
-Title: PM-14(b)
-Description: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_14_b
+ title: PM-14(b)
+ description: Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml
index 72492ae7a..417c62f07 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_16.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pm_16
-Title: Threat Awareness Program (PM-16)
-Description: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
-SectionCode: "16"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_16
+ title: Threat Awareness Program (PM-16)
+ description: Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml
index 1cd548eb2..7eb6ce94c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pm_17
-Title: Protecting Controlled Unclassified Information On External Systems (PM-17)
-Description: 'a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency].'
-SectionCode: "17"
-Children:
- - aws_nist_800_53_rev_5_pm_17_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_17
+ title: Protecting Controlled Unclassified Information On External Systems (PM-17)
+ description: "a.\u2003Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b.\u2003Review and update the policy and procedures [Assignment: organization-defined frequency]."
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pm_17_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml
index 223d7b842..cdd59e79e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_17_b.yaml
@@ -1,26 +1,31 @@
-ID: aws_nist_800_53_rev_5_pm_17_b
-Title: PM-17(b)
-Description: 'Review and update the policy and procedures [Assignment: organization-defined frequency].'
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_cloudtrail_trail_validation_enabled
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_17_b
+ title: PM-17(b)
+ description: "Review and update the policy and procedures [Assignment: organization-defined frequency]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml
index 7db06e45e..24e576785 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pm_21
-Title: Accounting Of Disclosures (PM-21)
-Description: 'a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.'
-SectionCode: "21"
-Children:
- - aws_nist_800_53_rev_5_pm_21_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_21
+ title: Accounting Of Disclosures (PM-21)
+ description: "a.\u2003Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1.\u2003Date, nature, and purpose of each disclosure; and 2.\u2003Name and address, or other contact information of the individual or organization to which the disclosure was made; b.\u2003Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c.\u2003Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."
+ section-code: "21"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_pm_21_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml
index 5def8fee3..4914360c9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_21_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_pm_21_b
-Title: PM-21(b)
-Description: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_21_b
+ title: PM-21(b)
+ description: Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml
index f9f4c1cfe..5ea916428 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_pm_31.yaml
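Review bot: The only control mapped under PM-21(b) is `aws_cloudwatch_log_group_retention_period_365`, yet the `description` in the same hunk requires the accounting of disclosures to be retained for the life of the PII or five years after disclosure, whichever is longer; a 365-day retention check cannot evidence that requirement, so a passing result here over-states compliance. If the control catalogue has a longer-retention check, map it here instead; otherwise keep the control but add `# NOTE: 365-day retention is a floor, not evidence of the five-year PM-21(b) requirement` above the `controls:` list so assessors do not read the mapping as sufficient. This predates the schema migration, but the rewritten file is the natural place to fix it.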
@@ -1,37 +1,42 @@
-ID: aws_nist_800_53_rev_5_pm_31
-Title: Continuous Monitoring Strategy (PM-31)
-Description: 'Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].'
-SectionCode: "31"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_alarm_action_enabled
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_pm_31
+ title: Continuous Monitoring Strategy (PM-31)
+ description: "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f.
Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."
+ section-code: "31"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml
index 6ead63e06..296642e89 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_ra
-Title: Risk Assessment (RA)
-Description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
-SectionCode: ra
-Children:
- - aws_nist_800_53_rev_5_ra_1
- - aws_nist_800_53_rev_5_ra_3
- - aws_nist_800_53_rev_5_ra_5
- - aws_nist_800_53_rev_5_ra_10
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra
+ title: Risk Assessment (RA)
+ description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+ section-code: ra
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_1
+ - id: aws_nist_800_53_rev_5_ra_3
+ - id: aws_nist_800_53_rev_5_ra_5
+ - id: aws_nist_800_53_rev_5_ra_10
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml
index 5c9e00772..8af768821 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1.yaml
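Review bot: The `description` for the RA family carries a vendor pitch ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.") into the new file unchanged; that sentence is marketing copy rather than a statement of the control family's scope, and it will be shown to every consumer of this framework. Trimming it to `description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities.` keeps the factual part. Nothing else in the hunk depends on that text, so the trim is safe to make in this commit.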
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_1
-Title: Policy And Procedures (RA-1)
-Description: Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance.
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_ra_1_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_1
+ title: Policy And Procedures (RA-1)
+ description: Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_1_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml
index e3a2e9cf3..0a690ad81 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_10
-Title: Threat Hunting (RA-10)
-Description: 'a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency].'
-SectionCode: "10"
-Children:
- - aws_nist_800_53_rev_5_ra_10_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_10
+ title: Threat Hunting (RA-10)
+ description: "a.\u2003Establish and maintain a cyber threat hunting capability to: 1.\u2003Search for indicators of compromise in organizational systems; and 2.\u2003Detect, track, and disrupt threats that evade existing controls; and b.\u2003Employ the threat hunting capability [Assignment: organization-defined frequency]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_10_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml
index bf3cda84f..4cf4d3e66 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a.yaml
@@ -1,20 +1,26 @@
-ID: aws_nist_800_53_rev_5_ra_10_a
-Title: RA-10(a)
-Description: 'Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings.'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_ra_10_a_1
- - aws_nist_800_53_rev_5_ra_10_a_2
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_10_a
+ title: RA-10(a)
+ description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_10_a_1
+ - id: aws_nist_800_53_rev_5_ra_10_a_2
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml
index 1d5bc8c2e..5f4615bc3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_1.yaml
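Review bot: The rewritten `description` keeps the truncated phrase "threats that evade existings." — the parent RA-10 hunk above carries the full wording "threats that evade existing controls" — and the same truncation is reproduced in the ra_10_a_1 and ra_10_a_2 hunks that follow. Replace the ending with `… and 2. Detect, track, and disrupt threats that evade existing controls.` in all three files. The move from single to double quotes is harmless here because the string contains no backslash, but any `\` introduced into these descriptions later will now be interpreted as an escape.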
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_10_a_1
-Title: RA-10(a)(1)
-Description: 'Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_10_a_1
+ title: RA-10(a)(1)
+ description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml
index 339bb30ea..139853671 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_10_a_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_10_a_2
-Title: RA-10(a)(2)
-Description: 'a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_10_a_2
+ title: RA-10(a)(2)
+ description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml
index cce0308b6..bb7e672db 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a.yaml
@@ -1,20 +1,26 @@
-ID: aws_nist_800_53_rev_5_ra_1_a
-Title: RA-1(a)
-Description: 'Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls.'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_ra_1_a_1
- - aws_nist_800_53_rev_5_ra_1_a_2
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_1_a
+ title: RA-1(a)
+ description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_1_a_1
+ - id: aws_nist_800_53_rev_5_ra_1_a_2
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml
index b082b1daf..9a57b3882 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_1.yaml
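Review bot: `title: RA-1(a)` is paired with a `description` that is the RA-10 threat-hunting text ("Establish and maintain a cyber threat hunting capability to: …"), and the ra_1_a_1 and ra_1_a_2 hunks that follow repeat the same mismatch, while the parent ra_1 hunk describes RA-1 as "Policy And Procedures". RA-1(a) in NIST SP 800-53 Rev. 5 is about developing, documenting and disseminating the risk assessment policy and procedures, so these three descriptions appear to have been copied from the RA-10 files, and the `service: AWS/GuardDuty` tag with the single `aws_guardduty_enabled` control looks like it came along with the copy. The schema migration reproduces the text faithfully, but since the files are being rewritten anyway the descriptions should be replaced with the RA-1(a) wording and the control mapping re-checked against what a GuardDuty-enabled check can evidence for a policy-and-procedures requirement.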
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_1_a_1
-Title: RA-1(a)(1)
-Description: 'Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_1_a_1
+ title: RA-1(a)(1)
+ description: "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml
index 2760e490e..48125ce0f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_1_a_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_1_a_2
-Title: RA-1(a)(2)
-Description: 'a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_1_a_2
+ title: RA-1(a)(2)
+ description: "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml
index a24b1a314..cba7a70e9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ra_3
-Title: Risk Assessment (RA-3)
-Description: Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction.
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_ra_3_4
- - aws_nist_800_53_rev_5_ra_3_a_1
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_3
+ title: Risk Assessment (RA-3)
+ description: Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_3_4
+ - id: aws_nist_800_53_rev_5_ra_3_a_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml
index 6f43cbc36..d53b7c77d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_4.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_3_4
-Title: RA-3(4) Predictive Cyber Analytics
-Description: 'Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_3_4
+ title: RA-3(4) Predictive Cyber Analytics
+ description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml
index fb9086371..77cc6c510 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_3_a_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ra_3_a_1
-Title: RA-3(a)(1)
-Description: 'a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system.'
-SectionCode: a_1
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_3_a_1
+ title: RA-3(a)(1)
+ description: "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system."
+ section-code: a_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml
index ccc68e1bd..0db6bd3f8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_ra_5
-Title: Vulnerability Monitoring And Scanning (RA-5)
-Description: 'Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].'
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_ra_5_4
- - aws_nist_800_53_rev_5_ra_5_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_5
+ title: Vulnerability Monitoring And Scanning (RA-5)
+ description: "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_ra_5_4
+ - id: aws_nist_800_53_rev_5_ra_5_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
index 08c043493..1917f6cf8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_4.yaml
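Review bot: The description of `Vulnerability Monitoring And Scanning (RA-5)` is the RA-3(4) predictive-analytics statement (`Employ the following advanced automation and analytics capabilities ...`), identical to the ra_3_4 entry two hunks earlier, so the parent group does not describe what its children check. The RA-5(a) text carried by the child ra_5_a entry further down (`Monitor and scan for vulnerabilities in the system and hosted applications ...`) is the statement this group should summarise; the mismatch predates this commit, but the rewrite of every field is the natural place to correct it. The `service` tag of `AWS/GuardDuty` on a group that holds no controls of its own is presumably inherited from the children — worth confirming the loader does not use it for filtering.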
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_5_4
-Title: RA-5(4) Discoverable Information
-Description: 'Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].'
-SectionCode: "4"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_5_4
+ title: RA-5(4) Discoverable Information
+ description: "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
index 1e5ef26d7..699df92ad 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_ra_5_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_ra_5_a
-Title: RA-5(a)
-Description: 'Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported.'
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_ra_5_a
+ title: RA-5(a)
+ description: "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
index 912f4928b..60938cdcf 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa.yaml
@@ -1,21 +1,26 @@
-ID: aws_nist_800_53_rev_5_sa
-Title: System and Services Acquisition (SA)
-Description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
-SectionCode: sa
-Children:
- - aws_nist_800_53_rev_5_sa_1
- - aws_nist_800_53_rev_5_sa_9
- - aws_nist_800_53_rev_5_sa_10
- - aws_nist_800_53_rev_5_sa_15
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa
+ title: System and Services Acquisition (SA)
+ description: The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls.
+ section-code: sa
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sa_1
+ - id: aws_nist_800_53_rev_5_sa_9
+ - id: aws_nist_800_53_rev_5_sa_10
+ - id: aws_nist_800_53_rev_5_sa_15
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
index b8663b728..b3e5de29d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_1
-Title: Policy And Procedures (SA-1)
-Description: 'The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.'
-SectionCode: "1"
-Children:
- - aws_nist_800_53_rev_5_sa_1_1
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_1
+ title: Policy And Procedures (SA-1)
+ description: "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sa_1_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml
index 7cf9de3c0..cb08b358d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_10
-Title: Developer Configuration Management (SA-10)
-Description: 'The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].'
-SectionCode: "10"
-Children:
- - aws_nist_800_53_rev_5_sa_10_1
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_10
+ title: Developer Configuration Management (SA-10)
+ description: "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. 
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sa_10_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
index ac2a10348..f19d16117 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_10_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_10_1
-Title: SA-10(1) Software And Firmware Integrity Verification
-Description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_10_1
+ title: SA-10(1) Software And Firmware Integrity Verification
+ description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml
index 80ec07a9e..43fddb8f4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_15
-Title: Development Process, Standards, And Tools (SA-15)
-Description: 'a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements].'
-SectionCode: "15"
-Children:
- - aws_nist_800_53_rev_5_sa_15_a_4
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_15
+ title: Development Process, Standards, And Tools (SA-15)
+ description: "a.\u2003Require the developer of the system, system component, or system service to follow a documented development process that: 1.\u2003Explicitly addresses security and privacy requirements; 2.\u2003Identifies the standards and tools used in the development process; 3.\u2003Documents the specific tool options and tool configurations used in the development process; and 4.\u2003Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b.\u2003Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool 
configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]."
+ section-code: "15"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sa_15_a_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
index 24fc01452..e21fcc28a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_15_a_4.yaml
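Review bot: The rewritten SA-15 description encodes the separators after `a.`, `1.`, `2.`, `3.`, `4.` and `b.` as `\u2003` escapes inside the double-quoted scalar, so the stored value contains U+2003 EM SPACE characters rather than ordinary spaces; the old single-quoted value and the sibling entries (sa_15_a_4, ra_3_a_1) use plain spaces. Em spaces survive into any UI and break exact-text search or de-duplication against the canonical control statement. Replacing each `\u2003` with a single space keeps the double-quoted style and makes the value consistent with the rest of the framework. The description is split across two physical lines on this page, which looks like a rendering wrap rather than a change to the scalar itself.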
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_sa_15_a_4
-Title: SA-15(a)(4)
-Description: 'a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development.'
-SectionCode: a_4
-Children: []
-Controls:
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_rds_db_instance_deletion_protection_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_15_a_4
+ title: SA-15(a)(4)
+ description: "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development."
+ section-code: a_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
index 024faac83..43b1c1531 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_1_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_1_1
-Title: SA-1(1)
-Description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_1_1
+ title: SA-1(1)
+ description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
index 269fc8385..5c46b3dd3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9.yaml
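Review bot: The description of `SA-1(1)` is the SA-10(1) integrity-verification statement (`Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.`) verbatim, with the same single control `aws_cloudtrail_trail_validation_enabled`, so this node duplicates sa_10_1 rather than describing a policy-and-procedures requirement; as far as I recall SA-1 carries no enhancement (1) in SP 800-53 Rev 5, which is worth confirming before keeping the node at all. The `External System Services (SA-9)` group in the next hunk (sa_9) carries the same copied sentence as its description, even though its only child, sa_9_6, is about organization-controlled cryptographic keys. Either replace both descriptions with the corresponding control statements, or drop sa_1_1 and remove it from the `control-group` list of sa_1 earlier in this diff.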
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sa_9
-Title: External System Services (SA-9)
-Description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
-SectionCode: "9"
-Children:
- - aws_nist_800_53_rev_5_sa_9_6
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_9
+ title: External System Services (SA-9)
+ description: Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sa_9_6
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
index 68cc6e8c6..0df8b83f7 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sa_9_6.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_sa_9_6
-Title: SA-9(6) Organization-Controlled Cryptographic Keys
-Description: Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_kms_key_not_pending_deletion
- - aws_kms_cmk_rotation_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sa_9_6
+ title: SA-9(6) Organization-Controlled Cryptographic Keys
+ description: Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+ controls:
+ - aws_kms_key_not_pending_deletion
+ - aws_kms_cmk_rotation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
index c744b54ae..6b5846a11 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc.yaml
@@ -1,30 +1,35 @@
-ID: aws_nist_800_53_rev_5_sc
-Title: System and Communications Protection (SC)
-Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
-SectionCode: sc
-Children:
- - aws_nist_800_53_rev_5_sc_5
- - aws_nist_800_53_rev_5_sc_6
- - aws_nist_800_53_rev_5_sc_7
- - aws_nist_800_53_rev_5_sc_8
- - aws_nist_800_53_rev_5_sc_12
- - aws_nist_800_53_rev_5_sc_13
- - aws_nist_800_53_rev_5_sc_16
- - aws_nist_800_53_rev_5_sc_22
- - aws_nist_800_53_rev_5_sc_23
- - aws_nist_800_53_rev_5_sc_25
- - aws_nist_800_53_rev_5_sc_28
- - aws_nist_800_53_rev_5_sc_36
- - aws_nist_800_53_rev_5_sc_43
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc
+ title: System and Communications Protection (SC)
+ description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+ section-code: sc
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_5
+ - id: aws_nist_800_53_rev_5_sc_6
+ - id: aws_nist_800_53_rev_5_sc_7
+ - id: aws_nist_800_53_rev_5_sc_8
+ - id: aws_nist_800_53_rev_5_sc_12
+ - id: aws_nist_800_53_rev_5_sc_13
+ - id: aws_nist_800_53_rev_5_sc_16
+ - id: aws_nist_800_53_rev_5_sc_22
+ - id: aws_nist_800_53_rev_5_sc_23
+ - id: aws_nist_800_53_rev_5_sc_25
+ - id: aws_nist_800_53_rev_5_sc_28
+ - id: aws_nist_800_53_rev_5_sc_36
+ - id: aws_nist_800_53_rev_5_sc_43
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
index 29026f8f8..60afbb2c2 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12.yaml
@@ -1,21 +1,27 @@
-ID: aws_nist_800_53_rev_5_sc_12
-Title: Cryptographic Key Establishment And Management (SC-12)
-Description: 'Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].'
-SectionCode: "12"
-Children:
- - aws_nist_800_53_rev_5_sc_12_2
- - aws_nist_800_53_rev_5_sc_12_6
-Controls:
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/KMS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_12
+ title: Cryptographic Key Establishment And Management (SC-12)
+ description: "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/KMS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_12_2
+ - id: aws_nist_800_53_rev_5_sc_12_6
+ controls:
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
index d1eacd2a7..ffc457615 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_2.yaml
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_sc_12_2 -Title: SC-12(2) Symmetric Keys -Description: 'Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.' -SectionCode: "2" -Children: [] -Controls: - - aws_kms_cmk_rotation_enabled - - aws_kms_key_not_pending_deletion -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/KMS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_12_2 + title: SC-12(2) Symmetric Keys + description: "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/KMS + type: + - Benchmark + controls: + - aws_kms_cmk_rotation_enabled + - aws_kms_key_not_pending_deletion diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml index f7564265f..98efd505e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_12_6.yaml 
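Review bot: Neither check under `controls:` evidences the "[Selection: NIST FIPS-validated; NSA-approved] key management technology" clause that SC-12(2) is about; rotation-enabled and not-pending-deletion are hygiene checks on keys that already exist, so the FIPS/NSA part of the requirement is silently assumed to come from the platform. The symmetric scoping itself is sound, since KMS automatic rotation only exists for symmetric keys. Record the assumption so an auditor does not read the mapping as a verification: `# Rotation/deletion checks cover key lifecycle only; FIPS-validated key management is assumed from the KMS service, not checked here`.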
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_sc_12_6 -Title: SC-12(6) Physical Control Of Keys -Description: Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. -SectionCode: "6" -Children: [] -Controls: - - aws_kms_cmk_rotation_enabled - - aws_kms_key_not_pending_deletion -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/KMS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_12_6 + title: SC-12(6) Physical Control Of Keys + description: Maintain physical control of cryptographic keys when stored information is encrypted by external service providers. + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/KMS + type: + - Benchmark + controls: + - aws_kms_cmk_rotation_enabled + - aws_kms_key_not_pending_deletion diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml index bce9f8f1b..8686a4ade 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13.yaml 
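Review bot: Key rotation and pending-deletion status say nothing about "physical control of cryptographic keys", so the two entries under `controls:` can report PASS while SC-12(6) is entirely unmet; for AWS-managed KMS key material the customer has no physical control by design, and these checks would still pass. If the check catalogue has a control for customer-held key material (an external or custom key store, for example) that is the closer fit; if not, the group should say so rather than imply coverage: `# Proxy mapping only: no check here verifies that key material is under customer physical control`.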
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_sc_13 -Title: Cryptographic Protection (SC-13) -Description: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].' -SectionCode: "13" -Children: - - aws_nist_800_53_rev_5_sc_13_a -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_13 + title: Cryptographic Protection (SC-13) + description: "a.\u2003Determine the [Assignment: organization-defined cryptographic uses]; and b.\u2003Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]." + section-code: "13" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_sc_13_a diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml index c0a3b0604..f0cf071e6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_13_a.yaml 
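Review bot: The new `description:` replaces the plain spaces of the removed line (`a. Determine`, `b. Implement`) with `\u2003` escapes, which in a double-quoted YAML scalar become literal U+2003 EM SPACE characters; that changes the displayed text and breaks any substring search or cross-reference for `a. Determine` against the rest of the corpus. This looks like a copy-paste artefact from the NIST source rather than an intended change. Use ordinary spaces: `description: "a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."`.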
@@ -1,42 +1,47 @@ -ID: aws_nist_800_53_rev_5_sc_13_a -Title: SC-13(a) -Description: 'Determine the [Assignment: organization-defined cryptographic uses].' -SectionCode: a -Children: [] -Controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_encrypted_with_kms - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_13_a + title: SC-13(a) + description: "Determine the [Assignment: organization-defined cryptographic uses]." 
+ section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_rest_api_stage_use_ssl_certificate + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dynamodb_table_encrypted_with_kms + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_encryption_at_rest_enabled + - aws_es_domain_node_to_node_encryption_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_redshift_cluster_kms_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_enforces_ssl + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_secretsmanager_secret_encrypted_with_kms_cmk + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml index 1093c437e..02c1e17f0 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16.yaml 
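Review bot: The 25 checks under `controls:` are all implementation checks (encryption at rest, TLS listeners, HTTPS redirects), which is SC-13 part (b) "Implement the following types of cryptography", yet this group is titled `SC-13(a)` whose description is the policy step "Determine the [Assignment: organization-defined cryptographic uses]"; the parent hunk above lists only the `_a` child, so every encryption finding is attributed to a determination requirement that no technical check can evidence. Either introduce an SC-13(b) group and move the checks there, or state the interpretation on this group: `# Used as the technical umbrella for SC-13; checks evidence part (b) implementation, part (a) is a documentation activity`.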
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_sc_16 -Title: Transmission Of Security And Privacy Attributes (SC-16) -Description: 'Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.' -SectionCode: "16" -Children: - - aws_nist_800_53_rev_5_sc_16_1 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_16 + title: Transmission Of Security And Privacy Attributes (SC-16) + description: "Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components." + section-code: "16" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_sc_16_1 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml index 8c356e301..0b6ada103 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_16_1.yaml 
@@ -1,21 +1,26 @@ -ID: aws_nist_800_53_rev_5_sc_16_1 -Title: SC-16(1) Integrity Verification -Description: Verify the integrity of transmitted security and privacy attributes. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_16_1 + title: SC-16(1) Integrity Verification + description: Verify the integrity of transmitted security and privacy attributes. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_versioning_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml index 020a2d368..16b4c01eb 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_22.yaml 
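Review bot: `aws_s3_bucket_default_encryption_enabled` and `aws_s3_bucket_versioning_enabled` are at-rest properties of a bucket, not verification of "transmitted security and privacy attributes", so two of the four entries under `controls:` cannot fail for a reason SC-16(1) cares about; `aws_cloudtrail_trail_validation_enabled` (which by its name appears to be log-file digest validation) and `aws_s3_bucket_enforces_ssl` are the ones that speak to integrity in transit. If the two at-rest checks are kept, note why: `# Encryption/versioning included as integrity-preservation proxies; only trail validation and enforced TLS verify transmitted data`.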
@@ -1,23 +1,28 @@ -ID: aws_nist_800_53_rev_5_sc_22 -Title: Architecture And Provisioning For Name/Address Resolution Service (SC-22) -Description: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. -SectionCode: "22" -Children: [] -Controls: - - aws_dynamodb_table_auto_scaling_enabled - - aws_elb_application_lb_deletion_protection_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_rds_db_instance_deletion_protection_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_22 + title: Architecture And Provisioning For Name/Address Resolution Service (SC-22) + description: Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. + section-code: "22" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dynamodb_table_auto_scaling_enabled + - aws_elb_application_lb_deletion_protection_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_rds_db_instance_deletion_protection_enabled + - aws_rds_db_instance_multiple_az_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml index 6744ab10a..12333b18a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23.yaml 
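Review bot: None of the six entries under `controls:` touch name/address resolution, which is what SC-22 is about; DynamoDB auto scaling, load-balancer deletion protection, RDS Multi-AZ and a VPN tunnel being up are generic fault-tolerance signals, and the "internal and external role separation" half of the description has no corresponding check at all. A reader of a compliance report would reasonably assume DNS resilience was assessed. Make the limitation explicit: `# Fault-tolerance proxies only; no DNS/resolver check is mapped and role separation is not assessed`.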
@@ -1,26 +1,32 @@ -ID: aws_nist_800_53_rev_5_sc_23 -Title: Session Authenticity (SC-23) -Description: Protect the authenticity of communications sessions. -SectionCode: "23" -Children: - - aws_nist_800_53_rev_5_sc_23_3 - - aws_nist_800_53_rev_5_sc_23_5 -Controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_23 + title: Session Authenticity (SC-23) + description: Protect the authenticity of communications sessions. + section-code: "23" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_sc_23_3 + - id: aws_nist_800_53_rev_5_sc_23_5 + controls: + - aws_apigateway_rest_api_stage_use_ssl_certificate + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml index 76dc2cd3f..602014468 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_3.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_sc_23_3 -Title: SC-23(3) Unique System-Generated Session Identifiers -Description: 'Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.' -SectionCode: "3" -Children: [] -Controls: - - aws_ec2_instance_uses_imdsv2 - - aws_iam_account_password_policy_min_length_14 - - aws_iam_group_user_role_no_inline_policies - - aws_iam_policy_no_star_star - - aws_iam_root_user_hardware_mfa_enabled - - aws_iam_root_user_mfa_enabled - - aws_iam_root_user_no_access_keys - - aws_iam_user_access_key_age_90 - - aws_iam_user_console_access_mfa_enabled - - aws_iam_user_in_group - - aws_iam_user_mfa_enabled - - aws_iam_user_no_inline_attached_policies - - aws_iam_user_unused_credentials_90 - - aws_secretsmanager_secret_automatic_rotation_enabled - - aws_secretsmanager_secret_rotated_as_scheduled - - aws_secretsmanager_secret_unused_90_day -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_23_3 + title: SC-23(3) Unique System-Generated Session Identifiers + description: "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated." 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_uses_imdsv2 + - aws_iam_account_password_policy_min_length_14 + - aws_iam_group_user_role_no_inline_policies + - aws_iam_policy_no_star_star + - aws_iam_root_user_hardware_mfa_enabled + - aws_iam_root_user_mfa_enabled + - aws_iam_root_user_no_access_keys + - aws_iam_user_access_key_age_90 + - aws_iam_user_console_access_mfa_enabled + - aws_iam_user_in_group + - aws_iam_user_mfa_enabled + - aws_iam_user_no_inline_attached_policies + - aws_iam_user_unused_credentials_90 + - aws_secretsmanager_secret_automatic_rotation_enabled + - aws_secretsmanager_secret_rotated_as_scheduled + - aws_secretsmanager_secret_unused_90_day diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml index 9fb8689ce..7a2004e72 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_23_5.yaml 
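Review bot: Of the 16 entries under `controls:` only `aws_ec2_instance_uses_imdsv2` has anything to do with system-generated session identifiers (IMDSv2 issues a session token per request sequence); password length, MFA, access-key age, inline-policy and Secrets Manager rotation checks are IA/AC-family controls, so a 13-character password policy would be reported as an SC-23(3) "unique session identifier" failure. `aws_iam_root_user_hardware_mfa_enabled` also subsumes `aws_iam_root_user_mfa_enabled`, doubling any root-MFA finding. I would keep `aws_ec2_instance_uses_imdsv2` and move the rest to the IA/AC groups they belong to, or at minimum add `# Broad credential-hygiene mapping; only IMDSv2 directly evidences session-identifier generation` above `controls:`.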
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_sc_23_5 -Title: SC-23(5) Allowed Certificate Authorities -Description: 'Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.' -SectionCode: "5" -Children: [] -Controls: - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/ELB - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_23_5 + title: SC-23(5) Allowed Certificate Authorities + description: "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/ELB + type: + - Benchmark + controls: + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml index f3ac5b347..3c40f2fea 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_25.yaml 
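Review bot: Both entries under `controls:` check that a load-balancer listener has a certificate attached, not that the certificate was issued by an "[Assignment: organization-defined certificate authorities]", so a listener with a self-signed or arbitrary third-party certificate passes this SC-23(5) group. Verifying the issuer would need a check that inspects the certificate chain or its ACM origin, which is not in this mapping. Until such a check exists the limitation should be stated: `# Presence-of-certificate checks only; issuing CA is not verified against an allowed list`.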
@@ -1,37 +1,42 @@ -ID: aws_nist_800_53_rev_5_sc_25 -Title: Thin Nodes (SC-25) -Description: 'Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].' -SectionCode: "25" -Children: [] -Controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_s3_public_access_block_bucket - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_subnet_auto_assign_public_ip_disabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_25 + title: Thin Nodes (SC-25) + description: "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]." 
+ section-code: "25" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_s3_public_access_block_bucket + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_subnet_auto_assign_public_ip_disabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml index 99910b1ed..de0c984af 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28.yaml 
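Review bot: `aws_iam_policy_no_star_star`, `aws_iam_root_user_no_access_keys` and `aws_iam_user_no_inline_attached_policies` are privilege-management checks with no bearing on "minimal functionality and information storage" on a node, and the remaining entries under `controls:` measure public network exposure, which is at best an indirect reading of SC-25 Thin Nodes. An over-permissive IAM policy will therefore be reported as a thin-node failure. Either drop the three IAM checks from this group or document the reading: `# Interpreted as attack-surface minimisation; no check assesses installed functionality or local storage on nodes`.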
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_sc_28 -Title: Protection Of Information At Rest (SC-28) -Description: 'Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].' -SectionCode: "28" -Children: - - aws_nist_800_53_rev_5_sc_28_1 - - aws_nist_800_53_rev_5_sc_28_2 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_28 + title: Protection Of Information At Rest (SC-28) + description: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]." + section-code: "28" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_sc_28_1 + - id: aws_nist_800_53_rev_5_sc_28_2 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml index fdd1bd40d..a1a0611ec 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_1.yaml 
@@ -1,35 +1,40 @@ -ID: aws_nist_800_53_rev_5_sc_28_1 -Title: SC-28(1) Cryptographic Protection -Description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].' -SectionCode: "1" -Children: [] -Controls: - - aws_apigateway_stage_cache_encryption_at_rest_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dynamodb_table_encrypted_with_kms - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_es_domain_encryption_at_rest_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_logging_enabled - - aws_redshift_cluster_kms_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_default_encryption_enabled - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_secretsmanager_secret_encrypted_with_kms_cmk - - aws_sns_topic_encrypted_at_rest -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_28_1 + title: SC-28(1) Cryptographic Protection + description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]." 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_stage_cache_encryption_at_rest_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dynamodb_table_encrypted_with_kms + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_es_domain_encryption_at_rest_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_logging_enabled + - aws_redshift_cluster_kms_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_default_encryption_enabled + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_secretsmanager_secret_encrypted_with_kms_cmk + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml index e3a7aa84f..38ed4132a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_28_2.yaml 
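Review bot: `aws_s3_bucket_default_encryption_enabled_kms` is a strict superset of `aws_s3_bucket_default_encryption_enabled`, and both sit under `controls:` here, so a bucket using SSE-S3 passes one and fails the other within the same SC-28(1) group and the benchmark never states which standard it actually asserts; the same pair is duplicated in the SC-13(a) hunk. Pick one (the KMS check if customer-managed keys are the requirement) or add `# Both S3 checks kept on purpose: SSE-S3 satisfies the generic check, SSE-KMS the stricter one`. `aws_redshift_cluster_encryption_logging_enabled` also looks, from its name, like it may be an audit-logging check rather than an at-rest encryption check; worth confirming against the check definition before it stays here.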
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_sc_28_2 -Title: SC-28(2) Offline Storage -Description: 'Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].' -SectionCode: "2" -Children: [] -Controls: - - aws_cloudwatch_log_group_retention_period_365 -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudWatch - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_28_2 + title: SC-28(2) Offline Storage + description: "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudWatch + type: + - Benchmark + controls: + - aws_cloudwatch_log_group_retention_period_365 diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml index 850310152..bed2ed7b3 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36.yaml 
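Review bot: `aws_cloudwatch_log_group_retention_period_365` asserts that data is kept online in CloudWatch for a year, which is close to the opposite of SC-28(2) "Remove the following information from online storage and store offline"; the only check in this group can pass precisely when the control is not being followed. A retention check belongs under AU-11 audit record retention, and an offline-storage control would need evidence of archival (for example an export or lifecycle transition), which is not mapped here. If no such check exists, say so rather than mapping a contradictory one: `# No offline-storage check available; retention-period check is a placeholder and does not evidence SC-28(2)`.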
@@ -1,22 +1,28 @@ -ID: aws_nist_800_53_rev_5_sc_36 -Title: Distributed Processing And Storage (SC-36) -Description: 'Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].' -SectionCode: "36" -Children: - - aws_nist_800_53_rev_5_sc_36_1_a -Controls: - - aws_dynamodb_table_auto_scaling_enabled - - aws_elb_classic_lb_cross_zone_load_balancing_enabled - - aws_rds_db_instance_multiple_az_enabled - - aws_vpc_vpn_tunnel_up -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_36 + title: Distributed Processing And Storage (SC-36) + description: "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]." + section-code: "36" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_sc_36_1_a + controls: + - aws_dynamodb_table_auto_scaling_enabled + - aws_elb_classic_lb_cross_zone_load_balancing_enabled + - aws_rds_db_instance_multiple_az_enabled + - aws_vpc_vpn_tunnel_up diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml index 42d12912d..138cad642 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_36_1_a.yaml 
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_sc_36_1_a -Title: SC-36(1)(a) -Description: 'Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components].' -SectionCode: 1_a -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudwatch_alarm_action_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_sc_36_1_a + title: SC-36(1)(a) + description: "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]." + section-code: 1_a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudwatch_alarm_action_enabled + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml index 2041a2a3b..d4033b0de 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43.yaml 
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_43
-Title: Usage Restrictions (SC-43)
-Description: 'a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b. Authorize, monitor, and control the use of such components within the system.'
-SectionCode: "43"
-Children:
- - aws_nist_800_53_rev_5_sc_43_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_43
+ title: Usage Restrictions (SC-43)
+ description: "a.\u2003Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b.\u2003Authorize, monitor, and control the use of such components within the system."
+ section-code: "43"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_43_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
index 475da9337..8935ccb0e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_43_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_43_b
-Title: SC-43(b)
-Description: Authorize, monitor, and control the use of such components within the system.
-SectionCode: b
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_43_b
+ title: SC-43(b)
+ description: Authorize, monitor, and control the use of such components within the system.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
index 1a9b5edf0..2c52f0adb 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5.yaml
@@ -1,22 +1,27 @@
-ID: aws_nist_800_53_rev_5_sc_5
-Title: Denial Of Service Protection (SC-5)
-Description: 'The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].'
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_sc_5_1
- - aws_nist_800_53_rev_5_sc_5_2
- - aws_nist_800_53_rev_5_sc_5_3
- - aws_nist_800_53_rev_5_sc_5_a
- - aws_nist_800_53_rev_5_sc_5_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5
+ title: Denial Of Service Protection (SC-5)
+ description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_5_1
+ - id: aws_nist_800_53_rev_5_sc_5_2
+ - id: aws_nist_800_53_rev_5_sc_5_3
+ - id: aws_nist_800_53_rev_5_sc_5_a
+ - id: aws_nist_800_53_rev_5_sc_5_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
index 578ac4c22..42f0c36dd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_1.yaml
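Review bot: The `description:` carried into the new key still reads as the Rev 4 control statement ("The information system protects against or limits the effects of ... by employing [Assignment: organization-defined security safeguards]"), while the child groups sc_5_a and sc_5_b in this same change quote the Rev 5 (a)/(b) split ("[Selection: Protect against; Limit] the effects of the following types of denial-of-service events ..." and "Employ the following controls to achieve the denial-of-service objective ..."). For a file tagged `nist_800_53_rev_5` the parent text should agree with its children; joining the two child statements as `a. ...; and b. ...`, the way the SC-43 parent in this change does, would make the hierarchy self-consistent. This is inherited from the old file rather than introduced by the rename, so it is a follow-up rather than a regression.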
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_5_1
-Title: SC-5(1) Restrict Ability TO Attack Other Systems
-Description: 'Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].'
-SectionCode: "1"
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_1
+ title: SC-5(1) Restrict Ability TO Attack Other Systems
+ description: "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
index 4173e32c8..3e26ca165 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_2.yaml
@@ -1,35 +1,40 @@
-ID: aws_nist_800_53_rev_5_sc_5_2
-Title: SC-5(2) Capacity, Bandwidth, And Redundancy
-Description: Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
-SectionCode: "2"
-Children: []
-Controls:
- aws_dynamodb_table_auto_scaling_enabled
- aws_dynamodb_table_in_backup_plan
- aws_dynamodb_table_point_in_time_recovery_enabled
- aws_ebs_volume_in_backup_plan
- aws_ec2_instance_ebs_optimized
- aws_efs_file_system_in_backup_plan
- aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- aws_elb_application_lb_deletion_protection_enabled
- aws_elb_classic_lb_cross_zone_load_balancing_enabled
- aws_rds_db_instance_backup_enabled
- aws_rds_db_instance_deletion_protection_enabled
- aws_rds_db_instance_multiple_az_enabled
- aws_rds_db_instance_protected_by_backup_plan
- aws_redshift_cluster_automatic_snapshots_min_7_days
- aws_redshift_cluster_maintenance_settings_check
- aws_s3_bucket_cross_region_replication_enabled
- aws_s3_bucket_versioning_enabled
- aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_2
+ title: SC-5(2) Capacity, Bandwidth, And Redundancy
+ description: Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
index ed6023c26..31affc512 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3.yaml
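Review bot: Most of the `controls:` list under SC-5(2) (capacity, bandwidth and redundancy against flooding) are backup and recovery checks — `aws_dynamodb_table_in_backup_plan`, `aws_ebs_volume_in_backup_plan`, `aws_efs_file_system_in_backup_plan`, `aws_rds_db_instance_backup_enabled`, `aws_redshift_cluster_automatic_snapshots_min_7_days`, `aws_s3_bucket_versioning_enabled` and the two deletion-protection checks — which restore data after an incident but add no capacity or bandwidth to absorb a flood, so an account can pass this group with no headroom at all. The entries that actually speak to the enhancement are the auto-scaling, cross-zone load balancing and Multi-AZ checks; `aws_lambda_function_concurrent_execution_limit_configured` and `aws_autoscaling_group_with_lb_use_health_check`, which this change maps to SC-6, are closer to the intent than the backup checks. The mapping is carried over from the old file rather than introduced by the rename, so it may be deliberately broad; if so, a comment above `controls:` saying the list is intentionally inclusive would stop reviewers re-raising it.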
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_sc_5_3
-Title: SC-5(3) Detection And Monitoring
-Description: 'a. Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b. Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].'
-SectionCode: "3"
-Children:
- - aws_nist_800_53_rev_5_sc_5_3_a
- - aws_nist_800_53_rev_5_sc_5_3_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_3
+ title: SC-5(3) Detection And Monitoring
+ description: "a.\u2003Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b.\u2003Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_5_3_a
+ - id: aws_nist_800_53_rev_5_sc_5_3_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
index bb2c0038f..849503be3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_5_3_a
-Title: SC-5(3)(a)
-Description: 'Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools].'
-SectionCode: a
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_3_a
+ title: SC-5(3)(a)
+ description: "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml
index bb94603d5..308180d5d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_3_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_5_3_b
-Title: SC-5(3)(b)
-Description: 'Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].'
-SectionCode: b
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_3_b
+ title: SC-5(3)(b)
+ description: "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml
index 4270255de..c691bba9b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_a.yaml
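Review bot: SC-5(3)(b) asks for monitoring of system resources to confirm that sufficient capacity exists, but the only entry under `controls:` is `aws_guardduty_enabled`, which is a threat-detection service and reports nothing about resource headroom; enabling it makes this group pass with no capacity monitoring in place. The checks this change maps to SC-36(1)(a) — `aws_cloudwatch_alarm_action_enabled`, `aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled`, `aws_elastic_beanstalk_enhanced_health_reporting_enabled` — are the ones that actually observe resource state and are the natural content of this list, with GuardDuty left on the sibling (a) group for attack detection. The `service: AWS/GuardDuty` tag would then need widening to `AWS` to match. This is inherited from the old file, so it is a follow-up rather than a regression from the rename.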
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_5_a
-Title: SC-5(a)
-Description: '[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events].'
-SectionCode: a
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_a
+ title: SC-5(a)
+ description: "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml
index 5080be3dd..3a8e708ee 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_5_b.yaml
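Review bot: `aws_guardduty_enabled` is the sole entry under `controls:` for SC-5(a), whose statement is to protect against or limit the effects of denial-of-service events; GuardDuty detects and reports, it does not limit anything, so an account with GuardDuty on and no mitigation at all reports compliant here. If the catalog has no checks for Shield Advanced or WAF rate-based rules, the honest mapping is the availability checks this same change places under SC-6 (`aws_dynamodb_table_auto_scaling_enabled`, `aws_elb_classic_lb_cross_zone_load_balancing_enabled`, `aws_rds_db_instance_multiple_az_enabled`), or at minimum a comment above `controls:` noting the gap so the single detection check is not mistaken for coverage. The same observation applies to the sibling SC-5(b) hunk that follows, which also lists only GuardDuty.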
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_5_b
-Title: SC-5(b)
-Description: 'Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].'
-SectionCode: b
-Children: []
-Controls:
- aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_5_b
+ title: SC-5(b)
+ description: "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml
index b60e978fe..2a5b44d08 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_6.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_6
-Title: Resource Availability (SC-6)
-Description: 'Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].'
-SectionCode: "6"
-Children: []
-Controls:
- aws_autoscaling_group_with_lb_use_health_check
- aws_dynamodb_table_auto_scaling_enabled
- aws_elastic_beanstalk_enhanced_health_reporting_enabled
- aws_elb_classic_lb_cross_zone_load_balancing_enabled
- aws_lambda_function_concurrent_execution_limit_configured
- aws_rds_db_instance_multiple_az_enabled
- aws_vpc_vpn_tunnel_up
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_6
+ title: Resource Availability (SC-6)
+ description: "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml
index 815f999d8..6f8039e14 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7.yaml 
@@ -1,36 +1,41 @@
-ID: aws_nist_800_53_rev_5_sc_7
-Title: Boundary Protection (SC-7)
-Description: 'The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.'
-SectionCode: "7"
-Children:
- - aws_nist_800_53_rev_5_sc_7_2
- - aws_nist_800_53_rev_5_sc_7_3
- - aws_nist_800_53_rev_5_sc_7_4
- - aws_nist_800_53_rev_5_sc_7_5
- - aws_nist_800_53_rev_5_sc_7_7
- - aws_nist_800_53_rev_5_sc_7_9
- - aws_nist_800_53_rev_5_sc_7_11
- - aws_nist_800_53_rev_5_sc_7_12
- - aws_nist_800_53_rev_5_sc_7_16
- - aws_nist_800_53_rev_5_sc_7_20
- - aws_nist_800_53_rev_5_sc_7_21
- - aws_nist_800_53_rev_5_sc_7_24
- - aws_nist_800_53_rev_5_sc_7_25
- - aws_nist_800_53_rev_5_sc_7_26
- - aws_nist_800_53_rev_5_sc_7_27
- - aws_nist_800_53_rev_5_sc_7_28
- - aws_nist_800_53_rev_5_sc_7_a
- - aws_nist_800_53_rev_5_sc_7_b
- - aws_nist_800_53_rev_5_sc_7_c
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7
+ title: Boundary Protection (SC-7)
+ description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c.
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_7_2
+ - id: aws_nist_800_53_rev_5_sc_7_3
+ - id: aws_nist_800_53_rev_5_sc_7_4
+ - id: aws_nist_800_53_rev_5_sc_7_5
+ - id: aws_nist_800_53_rev_5_sc_7_7
+ - id: aws_nist_800_53_rev_5_sc_7_9
+ - id: aws_nist_800_53_rev_5_sc_7_11
+ - id: aws_nist_800_53_rev_5_sc_7_12
+ - id: aws_nist_800_53_rev_5_sc_7_16
+ - id: aws_nist_800_53_rev_5_sc_7_20
+ - id: aws_nist_800_53_rev_5_sc_7_21
+ - id: aws_nist_800_53_rev_5_sc_7_24
+ - id: aws_nist_800_53_rev_5_sc_7_25
+ - id: aws_nist_800_53_rev_5_sc_7_26
+ - id: aws_nist_800_53_rev_5_sc_7_27
+ - id: aws_nist_800_53_rev_5_sc_7_28
+ - id: aws_nist_800_53_rev_5_sc_7_a
+ - id: aws_nist_800_53_rev_5_sc_7_b
+ - id: aws_nist_800_53_rev_5_sc_7_c
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml
index 680fb749a..516e1c188 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_11.yaml
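Review bot: The SC-7 `description:` still reads in the Rev 4 third-person form ("The information system: a. Monitors and controls ... b. Implements ... c. Connects ..."), while the other parents and sub-parts converted in this change (SC-36, SC-43, SC-5(a)/(b), SC-6) use the Rev 5 imperative form; for a file tagged `nist_800_53_rev_5` the parent statement should be brought into the same voice, and should match whatever text the sc_7_a/sc_7_b/sc_7_c children carry (those hunks are outside this view). The description string is also shown broken across two physical lines here, which is legal inside a double-quoted scalar but worth confirming is only a rendering artifact and not a stray newline in the committed file. Both points predate the rename.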
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_11
-Title: SC-7(11) Restrict Incoming communications Traffic
-Description: 'Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].'
-SectionCode: "11"
-Children: []
-Controls:
- aws_dms_replication_instance_not_publicly_accessible
- aws_ebs_snapshot_not_publicly_restorable
- aws_ec2_instance_in_vpc
- aws_ec2_instance_not_publicly_accessible
- aws_emr_cluster_master_nodes_no_public_ip
- aws_es_domain_in_vpc
- aws_lambda_function_in_vpc
- aws_lambda_function_restrict_public_access
- aws_rds_db_instance_prohibit_public_access
- aws_rds_db_snapshot_prohibit_public_access
- aws_redshift_cluster_prohibit_public_access
- aws_s3_bucket_restrict_public_read_access
- aws_s3_bucket_restrict_public_write_access
- aws_s3_public_access_block_account
- aws_s3_public_access_block_bucket
- aws_sagemaker_notebook_instance_direct_internet_access_disabled
- aws_vpc_default_security_group_restricts_all_traffic
- aws_vpc_security_group_restrict_ingress_common_ports_all
- aws_vpc_security_group_restrict_ingress_ssh_all
- aws_vpc_security_group_restrict_ingress_tcp_udp_all
- aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_11
+ title: SC-7(11) Restrict Incoming communications Traffic
+ description: "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]."
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml
index 0968577ba..343e862c0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_12.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_12
-Title: SC-7(12) Host-Based Protection
-Description: 'Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].'
-SectionCode: "12"
-Children: []
-Controls:
- aws_acm_certificate_expires_30_days
- aws_dms_replication_instance_not_publicly_accessible
- aws_ebs_snapshot_not_publicly_restorable
- aws_ec2_instance_in_vpc
- aws_ec2_instance_not_publicly_accessible
- aws_emr_cluster_master_nodes_no_public_ip
- aws_es_domain_in_vpc
- aws_lambda_function_in_vpc
- aws_lambda_function_restrict_public_access
- aws_rds_db_instance_prohibit_public_access
- aws_rds_db_snapshot_prohibit_public_access
- aws_redshift_cluster_prohibit_public_access
- aws_s3_bucket_restrict_public_read_access
- aws_s3_bucket_restrict_public_write_access
- aws_s3_public_access_block_account
- aws_sagemaker_notebook_instance_direct_internet_access_disabled
- aws_vpc_default_security_group_restricts_all_traffic
- aws_vpc_security_group_restrict_ingress_common_ports_all
- aws_vpc_security_group_restrict_ingress_ssh_all
- aws_vpc_security_group_restrict_ingress_tcp_udp_all
- aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_12
+ title: SC-7(12) Host-Based Protection
+ description: "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml
index cc9cd11a2..00259d45d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_16.yaml
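Review bot: `aws_acm_certificate_expires_30_days`, the first entry under `controls:` for SC-7(12) Host-Based Protection, is a TLS certificate-hygiene check, not a host-based boundary protection mechanism; an expiring certificate would turn this segmentation group non-compliant for an unrelated reason and should be mapped elsewhere (SC-12/SC-17 territory) instead. Conversely the list carries `aws_s3_public_access_block_account` but not the bucket-level `aws_s3_public_access_block_bucket` that the SC-7(11) hunk in this same change includes; the two settings are evaluated independently, so dropping the bucket one here leaves a gap that SC-7(11) does not have. Both points are inherited from the old file rather than introduced by the rename, so they may be deliberate, but the format change is a natural moment to align the lists.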
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_16
-Title: SC-7(16) Prevent Discovery Of System Components
-Description: Prevent the discovery of specific system components that represent a managed interface.
-SectionCode: "16"
-Children: []
-Controls:
- aws_acm_certificate_expires_30_days
- aws_dms_replication_instance_not_publicly_accessible
- aws_ebs_snapshot_not_publicly_restorable
- aws_ec2_instance_in_vpc
- aws_ec2_instance_not_publicly_accessible
- aws_emr_cluster_master_nodes_no_public_ip
- aws_es_domain_in_vpc
- aws_lambda_function_in_vpc
- aws_lambda_function_restrict_public_access
- aws_rds_db_instance_prohibit_public_access
- aws_rds_db_snapshot_prohibit_public_access
- aws_redshift_cluster_prohibit_public_access
- aws_s3_bucket_restrict_public_read_access
- aws_s3_bucket_restrict_public_write_access
- aws_s3_public_access_block_account
- aws_sagemaker_notebook_instance_direct_internet_access_disabled
- aws_vpc_default_security_group_restricts_all_traffic
- aws_vpc_security_group_restrict_ingress_common_ports_all
- aws_vpc_security_group_restrict_ingress_ssh_all
- aws_vpc_security_group_restrict_ingress_tcp_udp_all
- aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_16
+ title: SC-7(16) Prevent Discovery Of System Components
+ description: Prevent the discovery of specific system components that represent a managed interface.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml
index 31a028ce4..153ce8f40 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_2.yaml
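Review bot: SC-7(16) is about preventing discovery of managed-interface components, and `aws_acm_certificate_expires_30_days` (first entry under `controls:`) has no bearing on discoverability — if anything a public certificate advertises the endpoint via CT logs — so it should be removed from this list; the remaining public-exposure and security-group checks are a reasonable fit for the enhancement. As with the SC-7(12) hunk, `aws_s3_public_access_block_bucket` is present under SC-7(11) in this change but absent here; confirm that asymmetry is intended rather than a copy-paste omission. The mapping predates the rename, so this is a follow-up rather than a regression.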
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_2
-Title: SC-7(2) Public Access
-Description: 'Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_2
+ title: SC-7(2) Public Access
+ description: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml
index a7b8f30d1..a5f1f3703 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_20.yaml
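Review bot: The description under `title: SC-7(2) Public Access` — "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." — is, if I recall the rev 5 catalog correctly, the statement of SC-7(20) Dynamic Isolation and Segregation, and SC-7(2) itself is withdrawn in rev 5 (incorporated into SC-7). The mismatch predates this commit, but the migrated file is what assessors will read, so the title/description pair should be checked against the published text before it ships. If the group is intentionally kept for the withdrawn enhancement, a short note at the end of `description` saying so would prevent the same confusion downstream.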
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_20
-Title: SC-7(20) Prevent Discovery Of System Components
-Description: Prevent the discovery of specific system components that represent a managed interface.
-SectionCode: "20"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_20
+ title: SC-7(20) Prevent Discovery Of System Components
+ description: Prevent the discovery of specific system components that represent a managed interface.
+ section-code: "20"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml
index 586428b03..4d1f772ed 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_21.yaml
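Review bot: `title: SC-7(20) Prevent Discovery Of System Components` and its description duplicate the SC-7(16) entry at the top of this diff, so two groups in the framework now carry the same control text under different enhancement numbers. In rev 5, SC-7(20) is "Dynamic Isolation and Segregation", whose statement is the one currently attached to sc_7_2 in the previous hunk, which suggests the titles and descriptions of sc_7_2, sc_7_16 and sc_7_20 are shifted by one. Worth verifying against the catalog and correcting in this migration, since the `controls` list here (VPC placement and public-exposure checks) arguably fits isolation better than discovery prevention anyway.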
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_21
-Title: SC-7(21) Isolation Of System Components
-Description: 'Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].'
-SectionCode: "21"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_21
+ title: SC-7(21) Isolation Of System Components
+ description: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]."
+ section-code: "21"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml
index 000ffef8f..0fddbcd2b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_sc_7_24
-Title: SC-7(24) Personally Identifiable Information
-Description: 'For systems that process personally identifiable information: a. Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c. Document each processing exception; and d. Review and remove exceptions that are no longer supported.'
-SectionCode: "24"
-Children:
- - aws_nist_800_53_rev_5_sc_7_24_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_24
+ title: SC-7(24) Personally Identifiable Information
+ description: "For systems that process personally identifiable information: a.\u2003Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b.\u2003Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c.\u2003Document each processing exception; and d.\u2003Review and remove exceptions that are no longer supported."
+ section-code: "24"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_7_24_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml
index 09c9e5821..4f03d3b86 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml
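Review bot: The new `description` embeds `\u2003` (EM SPACE) between each item letter and its text ("a.\u2003Apply", "b.\u2003Monitor", …), where the removed line used a plain space. It renders as an unusually wide gap in most UIs and defeats a plain-text search for "b. Monitor"; unless the consumer requires the em space, a normal space keeps the text searchable and matches every other description in this diff. The same escape appears in the sc_7_4 description further down.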
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_24_b.yaml 
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_24_b
-Title: SC-7(24)(b)
-Description: 'For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system.'
-SectionCode: b
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_24_b
+ title: SC-7(24)(b)
+ description: "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml
index 8d23784e1..05cddf389 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_25.yaml
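Review bot: SC-7(24)(b), as quoted in this group's own `description`, asks to *monitor* permitted PII processing at external interfaces and key internal boundaries, but every entry in the new `controls` list is a preventive placement or exposure check (not-publicly-accessible, in-VPC, security-group ingress, public-access blocks). None of them yields monitoring evidence, so an assessor following this mapping will find no coverage of the monitoring requirement. The mapping is inherited from the old format, but the migration is a reasonable point to either add monitoring-oriented checks if the control library has them, or append to `description` that the mapped checks cover exposure prevention only.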
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_25
-Title: SC-7(25) Unclassified National Security System Connections
-Description: 'Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].'
-SectionCode: "25"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_25
+ title: SC-7(25) Unclassified National Security System Connections
+ description: "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ section-code: "25"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml
index 6883639ab..f9861a749 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_26.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_26
-Title: SC-7(26) Classified National Security System Connections
-Description: 'Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].'
-SectionCode: "26"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_26
+ title: SC-7(26) Classified National Security System Connections
+ description: "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ section-code: "26"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml
index 35df79db0..7791e383b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_27.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_27
-Title: SC-7(27) Unclassified Non-National Security System Connections
-Description: 'Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].'
-SectionCode: "27"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_27
+ title: SC-7(27) Unclassified Non-National Security System Connections
+ description: "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ section-code: "27"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml
index cb9e439ee..ee391ffa5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_28.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_28
-Title: SC-7(28) Connections To Public Networks
-Description: 'Prohibit the direct connection of [Assignment: organization-defined system] to a public network.'
-SectionCode: "28"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_28
+ title: SC-7(28) Connections To Public Networks
+ description: "Prohibit the direct connection of [Assignment: organization-defined system] to a public network."
+ section-code: "28"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml
index 14ea9696c..a18cf4db3 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_3.yaml
@@ -1,35 +1,40 @@
-ID: aws_nist_800_53_rev_5_sc_7_3
-Title: SC-7(3) Access Points
-Description: Limit the number of external network connections to the system.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_3
+ title: SC-7(3) Access Points
+ description: Limit the number of external network connections to the system.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml
index a070094fa..8ef7567da 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_sc_7_4
-Title: SC-7(4) External Telecommunications Services
-Description: 'a. Implement a managed interface for each external telecommunication service; b. Establish a traffic flow policy for each managed interface; c. Protect the confidentiality and integrity of the information being transmitted across each interface; d. Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e. Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f. Prevent unauthorized exchange of control plane traffic with external networks; g. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h. Filter unauthorized control plane traffic from external networks.'
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_sc_7_4_b
- - aws_nist_800_53_rev_5_sc_7_4_g
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_4
+ title: SC-7(4) External Telecommunications Services
+ description: "a.\u2003Implement a managed interface for each external telecommunication service; b.\u2003Establish a traffic flow policy for each managed interface; c.\u2003Protect the confidentiality and integrity of the information being transmitted across each interface; d.\u2003Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e.\u2003Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f.\u2003Prevent unauthorized exchange of control plane traffic with external networks; g.\u2003Publish
information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h.\u2003Filter unauthorized control plane traffic from external networks."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_7_4_b
+ - id: aws_nist_800_53_rev_5_sc_7_4_g
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml
index fbf43e505..ecb0b6975 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_b.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_7_4_b
-Title: SC-7(4)(b)
-Description: Establish a traffic flow policy for each managed interface.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_4_b
+ title: SC-7(4)(b)
+ description: Establish a traffic flow policy for each managed interface.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml
index 3b8242674..bbb483ce8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_4_g.yaml
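Review bot: The `controls` list for SC-7(4)(b), whose description is "Establish a traffic flow policy for each managed interface", contains only encryption-in-transit checks (API Gateway certificates, ELB HTTPS listeners and redirects, ES node-to-node encryption, Redshift and S3 TLS enforcement); none of them evaluates which flows an interface permits, so the group reports coverage for a requirement it does not measure. The same seven controls are reused verbatim for SC-7(4)(g) at L1638, which concerns detecting unauthorized control-plane traffic, L1639 mixes the same TLS checks into the deny-by-default group next to the security-group checks that actually fit it, and L1659 places at-rest encryption checks (DynamoDB, EBS, EFS, RDS, SNS, Secrets Manager) under a transmission-protection enhancement. These lists are carried over unchanged from the old format, so this is not a regression introduced here, but the conversion is the natural point to either prune them or annotate the group, e.g. `# coverage: partial — encryption-in-transit checks only; flow policy is not evaluated`. If the consumer derives a compliance score from these mappings, the inflated lists make that score optimistic.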
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_7_4_g
-Title: SC-7(4)(g)
-Description: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.
-SectionCode: g
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_4_g
+ title: SC-7(4)(g)
+ description: Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml
index 59009a311..b6198aa4e 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_5.yaml
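Review bot: `section-code: g` is emitted as a plain scalar while numeric codes such as `"4"` at L1636 are quoted, so the new files depend on the letter not colliding with a YAML-special word. The letters used here (a, b, c, g) are safe, but a code such as `n`, `y`, `no` or `on` would load as a boolean under a YAML 1.1 loader (PyYAML's default) and then fail whatever string comparison the consumer performs on section codes; the same plain-letter convention appears at L1637, L1645, L1646, L1648, L1650 and L1652. Quoting every section code, `section-code: "g"`, removes the dependency on the loader's implicit typing and keeps numeric and lettered codes in one style.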
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_7_5
-Title: SC-7(5) Deny By Default — Allow By Exception
-Description: 'Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_5
+ title: SC-7(5) Deny By Default — Allow By Exception
+ description: "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml
index 2e42ed548..29d2f0902 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_7.yaml
@@ -1,35 +1,40 @@
-ID: aws_nist_800_53_rev_5_sc_7_7
-Title: SC-7(7) Split Tunneling For Remote Devices
-Description: 'Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].'
-SectionCode: "7"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_7
+ title: SC-7(7) Split Tunneling For Remote Devices
+ description: "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml
index 47634ac31..dd6e50c57 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_sc_7_9
-Title: SC-7(9) Restrict Threatening Outgoing Communications Traffic
-Description: a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. Audit the identity of internal users associated with denied communications.
-SectionCode: "9"
-Children:
- - aws_nist_800_53_rev_5_sc_7_9_a
- - aws_nist_800_53_rev_5_sc_7_9_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_9
+ title: SC-7(9) Restrict Threatening Outgoing Communications Traffic
+ description: a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. Audit the identity of internal users associated with denied communications.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_7_9_a
+ - id: aws_nist_800_53_rev_5_sc_7_9_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
index 6fbe363f8..9f3a957e0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_a.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_sc_7_9_a
-Title: SC-7(9)(a)
-Description: Detect and deny outgoing communications traffic posing a threat to external systems.
-SectionCode: a
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_9_a
+ title: SC-7(9)(a)
+ description: Detect and deny outgoing communications traffic posing a threat to external systems.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
index 7e1c4f26f..a8278e8b9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_9_b.yaml
@@ -1,27 +1,32 @@
-ID: aws_nist_800_53_rev_5_sc_7_9_b
-Title: SC-7(9)(b)
-Description: Audit the identity of internal users associated with denied communications.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_9_b
+ title: SC-7(9)(b)
+ description: Audit the identity of internal users associated with denied communications.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
index aca7114d2..4c62f7e1c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_a.yaml
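Review bot: SC-7(9)(b) requires auditing the identity of internal users associated with denied communications, but the `controls` list consists of service-level logging switches (API Gateway stage, CloudTrail, ELB, RDS, Redshift, S3, WAF) and none of them records a denied network flow together with the principal behind it, so the group asserts an audit capability it does not check for. CloudTrail and WAF logging are at least adjacent to the requirement, whereas `aws_rds_db_instance_logging_enabled` and `aws_redshift_cluster_encryption_logging_enabled` have no relation to denied egress traffic. The list is carried over from the previous format, so nothing regresses here, but a comment on the group such as `# partial: enables audit logging only; does not correlate denied flows to a user identity` would keep a reader from treating a pass here as full coverage.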
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_a
-Title: SC-7(a)
-Description: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
-SectionCode: a
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_a
+ title: SC-7(a)
+ description: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
index 3d67e039e..1eeeb2a68 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_b.yaml
@@ -1,35 +1,40 @@
-ID: aws_nist_800_53_rev_5_sc_7_b
-Title: SC-7(b)
-Description: 'Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks.'
-SectionCode: b
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_enhanced_vpc_routing_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_b
+ title: SC-7(b)
+ description: "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_enhanced_vpc_routing_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
index 425792cd0..a6534c208 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_7_c.yaml
@@ -1,38 +1,43 @@
-ID: aws_nist_800_53_rev_5_sc_7_c
-Title: SC-7(c)
-Description: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
-SectionCode: c
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_account
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_7_c
+ title: SC-7(c)
+ description: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_account
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
index 0c0e1f793..f65a5ab32 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8.yaml
@@ -1,29 +1,35 @@
-ID: aws_nist_800_53_rev_5_sc_8
-Title: Transmission Confidentiality And Integrity (SC-8)
-Description: 'Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.'
-SectionCode: "8"
-Children:
- - aws_nist_800_53_rev_5_sc_8_1
- - aws_nist_800_53_rev_5_sc_8_2
- - aws_nist_800_53_rev_5_sc_8_3
- - aws_nist_800_53_rev_5_sc_8_4
- - aws_nist_800_53_rev_5_sc_8_5
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_8
+ title: Transmission Confidentiality And Integrity (SC-8)
+ description: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_sc_8_1
+ - id: aws_nist_800_53_rev_5_sc_8_2
+ - id: aws_nist_800_53_rev_5_sc_8_3
+ - id: aws_nist_800_53_rev_5_sc_8_4
+ - id: aws_nist_800_53_rev_5_sc_8_5
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
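Review bot: The SC-8 group carries the same seven in-transit controls directly under `controls` that its children SC-8(1) at L1655 and SC-8(2) at L1656 also list, so if the consumer aggregates findings across `control-group` children each of these checks is evaluated and counted at two or three levels of the same subtree. Elsewhere in this chunk a group with children carries no `controls` key at all (SC-7(4) at L1636, SC-7(9) at L1643), which also means the new format distinguishes "key absent" from the old explicit empty list; the diff does not show whether the loader treats those the same. Unless parent and child are deliberately scored separately, either drop the parent-level `controls` block or mark it, `# base-control checks repeated here on purpose; enhancements below add to them`, so the duplication reads as intent rather than a conversion artifact.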
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
index 98d3cd628..d1059b95c 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_1.yaml
@@ -1,25 +1,30 @@
-ID: aws_nist_800_53_rev_5_sc_8_1
-Title: SC-8(1) Cryptographic Protection
-Description: 'Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_8_1
+ title: SC-8(1) Cryptographic Protection
+ description: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
index 02ab8cb05..112a3c531 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_2.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_8_2
-Title: SC-8(2) Pre- And Post-Transmission Handling
-Description: 'Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_sc_8_2
+ title: SC-8(2) Pre- And Post-Transmission Handling
+ description: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml
index 2fb39ca2e..44fc1a9cf 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_3.yaml
@@ -1,42 +1,47 @@
-ID: aws_nist_800_53_rev_5_sc_8_3
-Title: SC-8(3) Cryptographic Protection For Message Externals
-Description: 'Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].'
-SectionCode: "3"
-Children: []
-Controls:
-  - aws_apigateway_rest_api_stage_use_ssl_certificate
-  - aws_apigateway_stage_cache_encryption_at_rest_enabled
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dynamodb_table_encrypted_with_kms
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_efs_file_system_encrypt_data_at_rest
-  - aws_elb_application_lb_redirect_http_request_to_https
-  - aws_elb_classic_lb_use_ssl_certificate
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_log_group_encryption_at_rest_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_encryption_logging_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_enforces_ssl
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_secretsmanager_secret_encrypted_with_kms_cmk
-  - aws_sns_topic_encrypted_at_rest
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_sc_8_3
+  title: SC-8(3) Cryptographic Protection For Message Externals
+  description: "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_apigateway_rest_api_stage_use_ssl_certificate
+    - aws_apigateway_stage_cache_encryption_at_rest_enabled
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dynamodb_table_encrypted_with_kms
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_efs_file_system_encrypt_data_at_rest
+    - aws_elb_application_lb_redirect_http_request_to_https
+    - aws_elb_classic_lb_use_ssl_certificate
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_log_group_encryption_at_rest_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_encryption_logging_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_enforces_ssl
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_secretsmanager_secret_encrypted_with_kms_cmk
+    - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
index 671987817..19fa4fee8 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_4.yaml
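Review bot: The `controls` list under SC-8(3) is dominated by encryption-at-rest checks (`aws_ebs_attached_volume_encryption_enabled`, `aws_rds_db_snapshot_encrypted_at_rest`, `aws_s3_bucket_default_encryption_enabled`, `aws_secretsmanager_secret_encrypted_with_kms_cmk`, ...), while the enhancement's `description` concerns cryptographic protection of message externals, i.e. headers and routing information while in transit. The identical 25-entry list is reused verbatim for SC-8(4) in the next hunk, whose subject (concealing or randomizing communication patterns) is evidenced by none of these checks either. Consider trimming both lists to the in-transit checks already present (`aws_elb_classic_lb_use_tls_https_listeners`, `aws_redshift_cluster_encryption_in_transit_enabled`, `aws_s3_bucket_enforces_ssl`, ...) or stating in `description` why at-rest checks are counted.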
@@ -1,42 +1,47 @@
-ID: aws_nist_800_53_rev_5_sc_8_4
-Title: SC-8(4) Conceal Or Ramdomize Communications
-Description: 'Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].'
-SectionCode: "4"
-Children: []
-Controls:
-  - aws_apigateway_rest_api_stage_use_ssl_certificate
-  - aws_apigateway_stage_cache_encryption_at_rest_enabled
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dynamodb_table_encrypted_with_kms
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_efs_file_system_encrypt_data_at_rest
-  - aws_elb_application_lb_redirect_http_request_to_https
-  - aws_elb_classic_lb_use_ssl_certificate
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_log_group_encryption_at_rest_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_redshift_cluster_encryption_logging_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_s3_bucket_enforces_ssl
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_secretsmanager_secret_encrypted_with_kms_cmk
-  - aws_sns_topic_encrypted_at_rest
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_sc_8_4
+  title: SC-8(4) Conceal Or Ramdomize Communications
+  description: "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_apigateway_rest_api_stage_use_ssl_certificate
+    - aws_apigateway_stage_cache_encryption_at_rest_enabled
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dynamodb_table_encrypted_with_kms
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_efs_file_system_encrypt_data_at_rest
+    - aws_elb_application_lb_redirect_http_request_to_https
+    - aws_elb_classic_lb_use_ssl_certificate
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_log_group_encryption_at_rest_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_redshift_cluster_encryption_logging_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_s3_bucket_enforces_ssl
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_secretsmanager_secret_encrypted_with_kms_cmk
+    - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
index 640373c31..0f2ad9c70 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_sc_8_5.yaml
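Review bot: The title carried into the new format still misspells the enhancement name: `title: SC-8(4) Conceal Or Ramdomize Communications` should read `title: SC-8(4) Conceal Or Randomize Communications`, matching the `description` in the same hunk, which already spells it "randomize". Since this title is what reports and filters display, the typo is worth fixing in the same migration rather than leaving it for a follow-up.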
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_sc_8_5
-Title: SC-8(5) Protected Distribution System
-Description: 'Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.'
-SectionCode: "5"
-Children: []
-Controls:
-  - aws_apigateway_rest_api_stage_use_ssl_certificate
-  - aws_elb_application_lb_redirect_http_request_to_https
-  - aws_elb_classic_lb_use_ssl_certificate
-  - aws_elb_classic_lb_use_tls_https_listeners
-  - aws_es_domain_node_to_node_encryption_enabled
-  - aws_redshift_cluster_encryption_in_transit_enabled
-  - aws_s3_bucket_enforces_ssl
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_sc_8_5
+  title: SC-8(5) Protected Distribution System
+  description: "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_apigateway_rest_api_stage_use_ssl_certificate
+    - aws_elb_application_lb_redirect_http_request_to_https
+    - aws_elb_classic_lb_use_ssl_certificate
+    - aws_elb_classic_lb_use_tls_https_listeners
+    - aws_es_domain_node_to_node_encryption_enabled
+    - aws_redshift_cluster_encryption_in_transit_enabled
+    - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
index f61c96e9e..5e6b2edda 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si.yaml
@@ -1,27 +1,32 @@
-ID: aws_nist_800_53_rev_5_si
-Title: System and Information integrity (SI)
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: si
-Children:
-  - aws_nist_800_53_rev_5_si_1
-  - aws_nist_800_53_rev_5_si_2
-  - aws_nist_800_53_rev_5_si_3
-  - aws_nist_800_53_rev_5_si_4
-  - aws_nist_800_53_rev_5_si_5
-  - aws_nist_800_53_rev_5_si_7
-  - aws_nist_800_53_rev_5_si_10
-  - aws_nist_800_53_rev_5_si_12
-  - aws_nist_800_53_rev_5_si_13
-  - aws_nist_800_53_rev_5_si_19
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si
+  title: System and Information integrity (SI)
+  description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+  section-code: si
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_1
+    - id: aws_nist_800_53_rev_5_si_2
+    - id: aws_nist_800_53_rev_5_si_3
+    - id: aws_nist_800_53_rev_5_si_4
+    - id: aws_nist_800_53_rev_5_si_5
+    - id: aws_nist_800_53_rev_5_si_7
+    - id: aws_nist_800_53_rev_5_si_10
+    - id: aws_nist_800_53_rev_5_si_12
+    - id: aws_nist_800_53_rev_5_si_13
+    - id: aws_nist_800_53_rev_5_si_19
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
index 6a9457fc5..e6a46adc9 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_nist_800_53_rev_5_si_1
-Title: Policy And Procedures (SI-1)
-Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].'
-SectionCode: "1"
-Children:
-  - aws_nist_800_53_rev_5_si_1_1_c
-  - aws_nist_800_53_rev_5_si_1_a_2
-  - aws_nist_800_53_rev_5_si_1_c_2
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_1
+  title: Policy And Procedures (SI-1)
+  description: "a.\u2003Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1.\u2003[Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a).\u2003Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b).\u2003Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2.\u2003Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b.\u2003Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c.\u2003Review and update the current system and information integrity: 1.\u2003Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2.\u2003Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_1_1_c
+    - id: aws_nist_800_53_rev_5_si_1_a_2
+    - id: aws_nist_800_53_rev_5_si_1_c_2
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml
index 77dd67115..8e5bdd103 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_10
-Title: Information Input Validation (SI-10)
-Description: 'Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].'
-SectionCode: "10"
-Children:
-  - aws_nist_800_53_rev_5_si_10_1
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_10
+  title: Information Input Validation (SI-10)
+  description: "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]."
+  section-code: "10"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_10_1
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml
index 8c6498a19..c4a504493 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_10_1
-Title: SI-10(1) Manual Override Capability
-Description: 'a. Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b. Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c. Audit the use of the manual override capability.'
-SectionCode: "1"
-Children:
-  - aws_nist_800_53_rev_5_si_10_1_c
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_10_1
+  title: SI-10(1) Manual Override Capability
+  description: "a.\u2003Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b.\u2003Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c.\u2003Audit the use of the manual override capability."
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_10_1_c
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml
index dcf203664..2f906b443 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_10_1_c.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_si_10_1_c
-Title: SI-10(1)(c)
-Description: Audit the use of the manual override capability.
-SectionCode: c
-Children: []
-Controls:
-  - aws_cloudtrail_multi_region_trail_enabled
-  - aws_cloudtrail_s3_data_events_enabled
-  - aws_cloudtrail_trail_enabled
-  - aws_cloudtrail_trail_integrated_with_logs
-  - aws_rds_db_instance_logging_enabled
-  - aws_redshift_cluster_encryption_logging_enabled
-  - aws_s3_bucket_logging_enabled
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_10_1_c
+  title: SI-10(1)(c)
+  description: Audit the use of the manual override capability.
+  section-code: c
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_multi_region_trail_enabled
+    - aws_cloudtrail_s3_data_events_enabled
+    - aws_cloudtrail_trail_enabled
+    - aws_cloudtrail_trail_integrated_with_logs
+    - aws_rds_db_instance_logging_enabled
+    - aws_redshift_cluster_encryption_logging_enabled
+    - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml
index 0317c4697..d2c167966 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_12.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_12
-Title: Information Management and Retention (SI-12)
-Description: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
-SectionCode: "12"
-Children: []
-Controls:
-  - aws_cloudwatch_log_group_retention_period_365
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS/CloudWatch
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_12
+  title: Information Management and Retention (SI-12)
+  description: Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
+  section-code: "12"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS/CloudWatch
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml
index e69b64d48..fa6bb5ef6 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13.yaml
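Review bot: The `service` tag on this group is `AWS/CloudWatch`, whereas every other control group in these hunks carries `service:` / `- AWS` (see the `si_10_1_c` and `si_13` hunks, among others). If that tag drives filtering or roll-ups by service, this group will drop out of an `AWS` selection. If the narrower value is intentional because the group's only check is `aws_cloudwatch_log_group_retention_period_365`, a comment above `service:` such as `# scoped to CloudWatch: the only mapped check is a log-group retention check` would stop it being "normalised" away later.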
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_13
-Title: Predictable Failure Prevention (SI-13)
-Description: 'a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria].'
-SectionCode: "13"
-Children:
-  - aws_nist_800_53_rev_5_si_13_5
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_13
+  title: Predictable Failure Prevention (SI-13)
+  description: "a.\u2003Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b.\u2003Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]."
+  section-code: "13"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_13_5
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml
index a71000d98..4087f5aec 100755
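Review bot: The `description` of SI-13 has the SI-13(5) enhancement text spliced into clause b: "in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]". The failover sentence belongs to the child group `aws_nist_800_53_rev_5_si_13_5` (next hunk), whose own `description` already carries it verbatim; clause b of the base control should end `in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria]."`. The migration preserved the old text, so this predates the commit, but it is the `description` assessors will now read.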
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_13_5.yaml
@@ -1,32 +1,37 @@
-ID: aws_nist_800_53_rev_5_si_13_5
-Title: SI-13(5) Failover Capability
-Description: 'Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.'
-SectionCode: "5"
-Children: []
-Controls:
-  - aws_dynamodb_table_auto_scaling_enabled
-  - aws_dynamodb_table_in_backup_plan
-  - aws_dynamodb_table_point_in_time_recovery_enabled
-  - aws_ebs_volume_in_backup_plan
-  - aws_efs_file_system_in_backup_plan
-  - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
-  - aws_elb_classic_lb_cross_zone_load_balancing_enabled
-  - aws_rds_db_instance_backup_enabled
-  - aws_rds_db_instance_deletion_protection_enabled
-  - aws_rds_db_instance_multiple_az_enabled
-  - aws_rds_db_instance_protected_by_backup_plan
-  - aws_redshift_cluster_automatic_snapshots_min_7_days
-  - aws_s3_bucket_cross_region_replication_enabled
-  - aws_s3_bucket_versioning_enabled
-  - aws_vpc_vpn_tunnel_up
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_13_5
+  title: SI-13(5) Failover Capability
+  description: "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system."
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_dynamodb_table_auto_scaling_enabled
+    - aws_dynamodb_table_in_backup_plan
+    - aws_dynamodb_table_point_in_time_recovery_enabled
+    - aws_ebs_volume_in_backup_plan
+    - aws_efs_file_system_in_backup_plan
+    - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+    - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+    - aws_rds_db_instance_backup_enabled
+    - aws_rds_db_instance_deletion_protection_enabled
+    - aws_rds_db_instance_multiple_az_enabled
+    - aws_rds_db_instance_protected_by_backup_plan
+    - aws_redshift_cluster_automatic_snapshots_min_7_days
+    - aws_s3_bucket_cross_region_replication_enabled
+    - aws_s3_bucket_versioning_enabled
+    - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml
index c0323b961..e175d481f 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_19
-Title: De-Identification (SI-19)
-Description: 'a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification.'
-SectionCode: "19"
-Children:
-  - aws_nist_800_53_rev_5_si_19_4
-Controls: []
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_19
+  title: De-Identification (SI-19)
+  description: "a.\u2003Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b.\u2003Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification."
+  section-code: "19"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  control-group:
+    - id: aws_nist_800_53_rev_5_si_19_4
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml
index b8a85a79d..a9f459613 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_19_4.yaml
@@ -1,34 +1,39 @@
-ID: aws_nist_800_53_rev_5_si_19_4
-Title: SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers
-Description: Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
-SectionCode: "4"
-Children: []
-Controls:
-  - aws_apigateway_stage_cache_encryption_at_rest_enabled
-  - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
-  - aws_dynamodb_table_encrypted_with_kms
-  - aws_ebs_attached_volume_encryption_enabled
-  - aws_ec2_ebs_default_encryption_enabled
-  - aws_efs_file_system_encrypt_data_at_rest
-  - aws_es_domain_encryption_at_rest_enabled
-  - aws_log_group_encryption_at_rest_enabled
-  - aws_rds_db_instance_encryption_at_rest_enabled
-  - aws_rds_db_snapshot_encrypted_at_rest
-  - aws_redshift_cluster_encryption_logging_enabled
-  - aws_redshift_cluster_kms_enabled
-  - aws_s3_bucket_default_encryption_enabled_kms
-  - aws_s3_bucket_default_encryption_enabled
-  - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
-  - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
-  - aws_secretsmanager_secret_encrypted_with_kms_cmk
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_19_4
+  title: SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers
+  description: Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_apigateway_stage_cache_encryption_at_rest_enabled
+    - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+    - aws_dynamodb_table_encrypted_with_kms
+    - aws_ebs_attached_volume_encryption_enabled
+    - aws_ec2_ebs_default_encryption_enabled
+    - aws_efs_file_system_encrypt_data_at_rest
+    - aws_es_domain_encryption_at_rest_enabled
+    - aws_log_group_encryption_at_rest_enabled
+    - aws_rds_db_instance_encryption_at_rest_enabled
+    - aws_rds_db_snapshot_encrypted_at_rest
+    - aws_redshift_cluster_encryption_logging_enabled
+    - aws_redshift_cluster_kms_enabled
+    - aws_s3_bucket_default_encryption_enabled_kms
+    - aws_s3_bucket_default_encryption_enabled
+    - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+    - aws_secretsmanager_secret_encrypted_with_kms_cmk
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml
index efcdc9ea1..9305a4b9b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_1_c.yaml
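Review bot: Every check under `controls` for SI-19(4) verifies that a data store is encrypted at rest (`aws_ebs_attached_volume_encryption_enabled`, `aws_rds_db_instance_encryption_at_rest_enabled`, `aws_s3_bucket_default_encryption_enabled`, ...), which is whole-store confidentiality rather than the field-level removal, masking, hashing or replacement of direct identifiers that the `description` calls for. Encrypting a volume does not de-identify the records stored on it, so a passing group here should not be read as SI-19(4) evidence on its own. If the catalog has no field-level check, a sentence in `description` noting that the group only evidences the "encrypt" option of the enhancement would keep the report honest.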
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_si_1_1_c
-Title: SI-1(1)(c)
-Description: Audit the use of the manual override capability.
-SectionCode: 1_c
-Children: []
-Controls:
-  - aws_cloudtrail_multi_region_trail_enabled
-  - aws_cloudtrail_s3_data_events_enabled
-  - aws_cloudtrail_trail_enabled
-  - aws_cloudtrail_trail_integrated_with_logs
-  - aws_rds_db_instance_logging_enabled
-  - aws_redshift_cluster_encryption_logging_enabled
-  - aws_s3_bucket_logging_enabled
-Tags:
-  category:
-    - Compliance
-  nist_800_53_rev_5:
-    - "true"
-  plugin:
-    - aws
-  service:
-    - AWS
-  type:
-    - Benchmark
+control-group:
+  id: aws_nist_800_53_rev_5_si_1_1_c
+  title: SI-1(1)(c)
+  description: Audit the use of the manual override capability.
+  section-code: 1_c
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      nist_800_53_rev_5:
+        - "true"
+      plugin:
+        - aws
+      service:
+        - AWS
+      type:
+        - Benchmark
+  controls:
+    - aws_cloudtrail_multi_region_trail_enabled
+    - aws_cloudtrail_s3_data_events_enabled
+    - aws_cloudtrail_trail_enabled
+    - aws_cloudtrail_trail_integrated_with_logs
+    - aws_rds_db_instance_logging_enabled
+    - aws_redshift_cluster_encryption_logging_enabled
+    - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml
index 8c1ad80da..da84c662a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_a_2.yaml
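Review bot: This group looks like a copy of `aws_nist_800_53_rev_5_si_10_1_c` filed under the wrong parent: its `description` ("Audit the use of the manual override capability.") and its seven `controls` are byte-for-byte the list in the `si_10_1_c` hunk, but its `id`, `title: SI-1(1)(c)` and `section-code: 1_c` place it under SI-1 (Policy and Procedures), which has no (1)(c) element; the manual-override text is SI-10(1)(c). Either the entry should be dropped from the `control-group` list of `aws_nist_800_53_rev_5_si_1` (the `si_1` hunk) or its `title` and `description` should be replaced with the SI-1 clause it is meant to evidence. The migration reproduces the old content faithfully, so this predates the commit, but the new format is the one assessors will read.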
@@ -1,26 +1,31 @@ -ID: aws_nist_800_53_rev_5_si_1_a_2 -Title: SI-1(a)(2) -Description: 'a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;.' -SectionCode: a_2 -Children: [] -Controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_1_a_2 + title: SI-1(a)(2) + description: "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;." + section-code: a_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_rest_api_stage_use_ssl_certificate + - aws_cloudtrail_trail_validation_enabled + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_versioning_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml index 317845c1e..b15f02173 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_1_c_2.yaml 
@@ -1,26 +1,31 @@ -ID: aws_nist_800_53_rev_5_si_1_c_2 -Title: SI-1(c)(2) -Description: 'c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].' -SectionCode: c_2 -Children: [] -Controls: - - aws_apigateway_rest_api_stage_use_ssl_certificate - - aws_cloudtrail_trail_validation_enabled - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl - - aws_s3_bucket_versioning_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_1_c_2 + title: SI-1(c)(2) + description: "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." + section-code: c_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_apigateway_rest_api_stage_use_ssl_certificate + - aws_cloudtrail_trail_validation_enabled + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl + - aws_s3_bucket_versioning_enabled 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml index 539a2711d..ab837c18b 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2.yaml 
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_si_2 -Title: Flaw Remediation (SI-2) -Description: 'The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process.' -SectionCode: "2" -Children: - - aws_nist_800_53_rev_5_si_2_2 - - aws_nist_800_53_rev_5_si_2_5 - - aws_nist_800_53_rev_5_si_2_a - - aws_nist_800_53_rev_5_si_2_c - - aws_nist_800_53_rev_5_si_2_d -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2 + title: Flaw Remediation (SI-2) + description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_si_2_2 + - id: aws_nist_800_53_rev_5_si_2_5 + - id: aws_nist_800_53_rev_5_si_2_a + - id: aws_nist_800_53_rev_5_si_2_c + - id: aws_nist_800_53_rev_5_si_2_d 
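Review bot: The new side drops the empty collection the old side kept: this branch node has `control-group:` but no `controls:` key, while the leaf hunks earlier in this file set (si_1_1_c, si_1_a_2, si_1_c_2) have `controls:` but no `control-group:`. If the loader treats a missing key as an empty list this is harmless, but that is not visible from the diff; a schema that requires both keys would reject the node and its checks would silently disappear from evaluation. Keeping an explicit `controls: []` on branch nodes and `control-group: []` on leaves preserves the old side's invariant that every node declares both. The same asymmetry is present in si_3, si_3_8, si_4 and si_4_13.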
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml index c7857cc18..b811f4813 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_2.yaml @@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_si_2_2 -Title: SI-2(2) Automated Flaw Remediation Status -Description: 'Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].' -SectionCode: "2" -Children: [] -Controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2_2 + title: SI-2(2) Automated Flaw Remediation Status + description: "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml index 9b3ac3ef9..feee97dfb 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_5.yaml @@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_si_2_5 -Title: SI-2(5) Automatic Software And Firmware Updated -Description: 'Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components].' -SectionCode: "5" -Children: [] -Controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2_5 + title: SI-2(5) Automatic Software And Firmware Updated + description: "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml index f04d8d84e..2359e4b3c 100755 
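Review bot: The title carried onto the new side reads `title: SI-2(5) Automatic Software And Firmware Updated`; the description beneath it ("Install ... updates automatically ...") makes clear the enhancement is about updates, so `Updated` looks like a typo that the migration preserved. Suggest `title: SI-2(5) Automatic Software And Firmware Updates`, keeping the file's existing title-case convention.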
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_a.yaml @@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_si_2_a -Title: SI-2(a) -Description: Identify, report, and correct system flaws. -SectionCode: a -Children: [] -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_cloudwatch_alarm_action_enabled - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_lambda_function_dead_letter_queue_configured - - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2_a + title: SI-2(a) + description: Identify, report, and correct system flaws. + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_cloudwatch_alarm_action_enabled + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_lambda_function_dead_letter_queue_configured + - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml index 4b7dab589..f49046a40 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_c.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_si_2_c -Title: SI-2(c) -Description: 'Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.' -SectionCode: c -Children: [] -Controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2_c + title: SI-2(c) + description: "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates." + section-code: c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml index fda792772..4c76095b1 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_2_d.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_si_2_d -Title: SI-2(d) -Description: Incorporate flaw remediation into the organizational configuration management process. -SectionCode: d -Children: [] -Controls: - - aws_elastic_beanstalk_enhanced_health_reporting_enabled - - aws_redshift_cluster_maintenance_settings_check - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_2_d + title: SI-2(d) + description: Incorporate flaw remediation into the organizational configuration management process. + section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_elastic_beanstalk_enhanced_health_reporting_enabled + - aws_redshift_cluster_maintenance_settings_check + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml index e8de95890..6108a3f7c 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3.yaml 
@@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_si_3 -Title: Malicious Code Protection (SI-3) -Description: 'a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.' 
-SectionCode: "3" -Children: - - aws_nist_800_53_rev_5_si_3_8 - - aws_nist_800_53_rev_5_si_3_c_2 -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_3 + title: Malicious Code Protection (SI-3) + description: "a.\u2003Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b.\u2003Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c.\u2003Configure malicious code protection mechanisms to: 1.\u2003Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2.\u2003[Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d.\u2003Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_si_3_8 + - id: aws_nist_800_53_rev_5_si_3_c_2 
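Review bot: The rewritten description encodes an EM SPACE (`\u2003`) after every enumerator (`a.\u2003Implement`, `c.\u2003Configure`, `1.\u2003Perform`, `2.\u2003[Selection`), while the child si_3_c_2 later in this diff quotes the same clause with an ordinary space (`c. Configure malicious code protection mechanisms to: 2. [Selection ...`). Whether the em space was already in the old file and the double-quoted rewrite merely made it visible, or was introduced by the conversion, an invisible non-ASCII separator inside otherwise ASCII text defeats plain-text search and any exact-match comparison between parent and child descriptions. Suggest normalizing to a plain space, e.g. `a. Implement [Selection (one or more): ...`, so the text is consistent across the SI-3 files. The si_3_8 hunk that follows has the same `\u2003` encoding.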
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml index 2c2bfee29..b2e93f92a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8.yaml @@ -1,19 +1,24 @@ -ID: aws_nist_800_53_rev_5_si_3_8 -Title: SI-3(8) Detect Unauthorized Commands -Description: 'a. Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b. [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].' -SectionCode: "8" -Children: - - aws_nist_800_53_rev_5_si_3_8_a - - aws_nist_800_53_rev_5_si_3_8_b -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_3_8 + title: SI-3(8) Detect Unauthorized Commands + description: "a.\u2003Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b.\u2003[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_si_3_8_a + - id: aws_nist_800_53_rev_5_si_3_8_b 
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml index 47d9bd245..43eef20c7 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_a.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_3_8_a -Title: SI-3(8)(a) -Description: 'Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands].' -SectionCode: a -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_3_8_a + title: SI-3(8)(a) + description: "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml index 4c5adffdf..89a067bdf 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_8_b.yaml 
@@ -1,24 +1,29 @@ -ID: aws_nist_800_53_rev_5_si_3_8_b -Title: SI-3(8)(b) -Description: '[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].' -SectionCode: b -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_3_8_b + title: SI-3(8)(b) + description: "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml index 05297539c..28a8f15d4 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_3_c_2.yaml 
@@ -1,20 +1,25 @@ -ID: aws_nist_800_53_rev_5_si_3_c_2 -Title: SI-3(c)(2) -Description: 'c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.' -SectionCode: c_2 -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_3_c_2 + title: SI-3(c)(2) + description: "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection." + section-code: c_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml index 99b650233..f0a3bff98 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4.yaml 
@@ -1,33 +1,38 @@ -ID: aws_nist_800_53_rev_5_si_4 -Title: System Monitoring (SI-4) -Description: 'The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].' 
-SectionCode: "4" -Children: - - aws_nist_800_53_rev_5_si_4_1 - - aws_nist_800_53_rev_5_si_4_2 - - aws_nist_800_53_rev_5_si_4_3 - - aws_nist_800_53_rev_5_si_4_4 - - aws_nist_800_53_rev_5_si_4_10 - - aws_nist_800_53_rev_5_si_4_12 - - aws_nist_800_53_rev_5_si_4_13 - - aws_nist_800_53_rev_5_si_4_14 - - aws_nist_800_53_rev_5_si_4_17 - - aws_nist_800_53_rev_5_si_4_20 - - aws_nist_800_53_rev_5_si_4_23 - - aws_nist_800_53_rev_5_si_4_25 - - aws_nist_800_53_rev_5_si_4_a - - aws_nist_800_53_rev_5_si_4_b - - aws_nist_800_53_rev_5_si_4_c - - aws_nist_800_53_rev_5_si_4_d -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_4 + title: System Monitoring (SI-4) + description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. 
Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_si_4_1 + - id: aws_nist_800_53_rev_5_si_4_2 + - id: aws_nist_800_53_rev_5_si_4_3 + - id: aws_nist_800_53_rev_5_si_4_4 + - id: aws_nist_800_53_rev_5_si_4_10 + - id: aws_nist_800_53_rev_5_si_4_12 + - id: aws_nist_800_53_rev_5_si_4_13 + - id: aws_nist_800_53_rev_5_si_4_14 + - id: aws_nist_800_53_rev_5_si_4_17 + - id: aws_nist_800_53_rev_5_si_4_20 + - id: aws_nist_800_53_rev_5_si_4_23 + - id: aws_nist_800_53_rev_5_si_4_25 + - id: aws_nist_800_53_rev_5_si_4_a + - id: aws_nist_800_53_rev_5_si_4_b + - id: aws_nist_800_53_rev_5_si_4_c + - id: aws_nist_800_53_rev_5_si_4_d diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml index 15235cf32..3129a9152 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_1.yaml 
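Review bot: The description kept on the new side uses the third-person "The organization: a.Monitors ..." form with inconsistently spaced enumerators (`a.Monitors`, `2.Unauthorized` next to `b. Identifies`, `c. Deploys`), which reads like the earlier revision's phrasing rather than the imperative voice the leaf nodes use; compare the si_2 hunk, whose parent reads `a.Identifies, reports, and corrects information system flaws` while its child si_2_a reads `Identify, report, and correct system flaws.` Since this commit already rewrites the quoting of these lines, it is the natural point to normalize the spacing and, if the Rev 5 text is intended, align the parent description with the imperative wording its children carry. The si_2 hunk shares both issues. As rendered here the description runs across the two preceding diff lines, so the fix is a single-line change in the file.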
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_4_1 -Title: SI-4(1) System-Wide Intrusion Detection System -Description: Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. -SectionCode: "1" -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_4_1 + title: SI-4(1) System-Wide Intrusion Detection System + description: Connect and configure individual intrusion detection tools into a system-wide intrusion detection system. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml index 0cd59d2f9..ee95c4118 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_10.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_4_10 -Title: SI-4(10) Visibility Of Encrypted Communications -Description: 'Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].' -SectionCode: "10" -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/GuardDuty - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_4_10 + title: SI-4(10) Visibility Of Encrypted Communications + description: "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]." + section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/GuardDuty + type: + - Benchmark + controls: + - aws_guardduty_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml index 786b64695..957d9f75f 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_12.yaml 
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_12
-Title: SI-4(12) Automated Organization-Generated Alerts
-Description: 'Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].'
-SectionCode: "12"
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudWatch
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_12
+ title: SI-4(12) Automated Organization-Generated Alerts
+ description: "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudWatch
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
index dfa9a5afb..3fa065f4b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_13
-Title: SI-4(13) Analyze Traffic And Event Patterns
-Description: a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices.
-SectionCode: "13"
-Children:
- - aws_nist_800_53_rev_5_si_4_13_a
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_13
+ title: SI-4(13) Analyze Traffic And Event Patterns
+ description: a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices.
+ section-code: "13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_si_4_13_a
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
index 803594eeb..559593fff 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_13_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_13_a
-Title: SI-4(13)(a)
-Description: Analyze communications traffic and event patterns for the system.
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_13_a
+ title: SI-4(13)(a)
+ description: Analyze communications traffic and event patterns for the system.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
index 753be7f93..82cd80c9d 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_14.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_14
-Title: SI-4(14) Wireless Intrusion Detection
-Description: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
-SectionCode: "14"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_14
+ title: SI-4(14) Wireless Intrusion Detection
+ description: Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
+ section-code: "14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
index b459fd86e..c7971c28a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_17.yaml
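Review bot: Mapping `aws_guardduty_enabled` to SI-4(14) Wireless Intrusion Detection, with the `service` tag `AWS/GuardDuty`, is a weak piece of evidence: GuardDuty works from account, VPC flow and DNS telemetry and has no wireless component, so a report generated from this file would show the requirement satisfied by a control that cannot observe rogue wireless devices. The control itself is carried over unchanged, but the new structure is a good moment to mark it as a partial or compensating mapping, e.g. a comment above the list such as `# partial: GuardDuty provides network anomaly detection only; wireless IDS is outside AWS-hosted scope`, so assessors do not read it as full coverage. SI-4(10) Visibility Of Encrypted Communications in the preceding hunk uses the same single control and would benefit from the same annotation.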
@@ -1,29 +1,34 @@
-ID: aws_nist_800_53_rev_5_si_4_17
-Title: SI-4(17) Integrated Situational Awareness
-Description: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
-SectionCode: "17"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_17
+ title: SI-4(17) Integrated Situational Awareness
+ description: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
index 9cd87663e..336b433da 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_2.yaml
@@ -1,25 +1,30 @@
-ID: aws_nist_800_53_rev_5_si_4_2
-Title: SI-4(2) Automated Tools For Real-Time Analysis
-Description: 'Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_guardduty_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_2
+ title: SI-4(2) Automated Tools For Real-Time Analysis
+ description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_guardduty_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
index 48d59b218..5f02f87ba 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_20.yaml
@@ -1,24 +1,29 @@
-ID: aws_nist_800_53_rev_5_si_4_20
-Title: SI-4(20) Privileged Users
-Description: 'Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].'
-SectionCode: "20"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_20
+ title: SI-4(20) Privileged Users
+ description: "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]."
+ section-code: "20"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
index 0eac3aaa1..575aba2ea 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_23.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_23
-Title: SI-4(23) Host-Based Devices
-Description: 'Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].'
-SectionCode: "23"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_23
+ title: SI-4(23) Host-Based Devices
+ description: "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]."
+ section-code: "23"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
index f0b67b18a..ff96079a0 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_25.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_25
-Title: SI-4(25) Optimize Network Traffic Analysis
-Description: Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
-SectionCode: "25"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_25
+ title: SI-4(25) Optimize Network Traffic Analysis
+ description: Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
+ section-code: "25"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml
index 13b4eebaf..c805f9535 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_3.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_3
-Title: SI-4(3) Automated Tools And Mechanism Integration
-Description: Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_3
+ title: SI-4(3) Automated Tools And Mechanism Integration
+ description: Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml
index b75ef7e4c..9afdf2b9b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_si_4_4
-Title: SI-4(4) Inbound and Outbound Communications Traffic
-Description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
-SectionCode: "4"
-Children:
- - aws_nist_800_53_rev_5_si_4_4_a
- - aws_nist_800_53_rev_5_si_4_4_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_4
+ title: SI-4(4) Inbound and Outbound Communications Traffic
+ description: The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_si_4_4_a
+ - id: aws_nist_800_53_rev_5_si_4_4_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml
index 04474b07d..4e1099090 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_a.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_4_a
-Title: SI-4(4)(a)
-Description: Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_4_a
+ title: SI-4(4)(a)
+ description: Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml
index f3c1008c0..4dd2c1602 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_4_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_4_b
-Title: SI-4(4)(b)
-Description: 'Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].'
-SectionCode: b
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_4_b
+ title: SI-4(4)(b)
+ description: "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml
index 07d05667e..0717729c5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a.yaml
@@ -1,20 +1,26 @@
-ID: aws_nist_800_53_rev_5_si_4_a
-Title: SI-4(a)
-Description: 'Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.'
-SectionCode: a
-Children:
- - aws_nist_800_53_rev_5_si_4_a_1
- - aws_nist_800_53_rev_5_si_4_a_2
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_a
+ title: SI-4(a)
+ description: "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_si_4_a_1
+ - id: aws_nist_800_53_rev_5_si_4_a_2
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml
index 47f56fce1..a58bdbc91 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_1.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_a_1
-Title: SI-4(a)(1)
-Description: 'a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_a_1
+ title: SI-4(a)(1)
+ description: "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml
index b6545d24e..d03fbc9a4 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_a_2.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_a_2
-Title: SI-4(a)(2)
-Description: 'a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections.'
-SectionCode: "2"
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_a_2
+ title: SI-4(a)(2)
+ description: "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml
index 5793bcf4e..090e0ad3b 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_b.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_b
-Title: SI-4(b)
-Description: 'Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods].'
-SectionCode: b
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_b
+ title: SI-4(b)
+ description: "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml
index 75ab9e307..c32977878 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_c.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_c
-Title: SI-4(c)
-Description: 'c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization.'
-SectionCode: c
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/GuardDuty
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_c
+ title: SI-4(c)
+ description: "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/GuardDuty
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml
index 72ca37ba9..cb0f6d834 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_4_d.yaml
@@ -1,18 +1,23 @@
-ID: aws_nist_800_53_rev_5_si_4_d
-Title: SI-4(d)
-Description: Analyze detected events and anomalies.
-SectionCode: d
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS/CloudTrail
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_4_d
+ title: SI-4(d)
+ description: Analyze detected events and anomalies.
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS/CloudTrail
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml
index a1beeac52..113ea22a5 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_si_5
-Title: Secuity Alerts, Advisories, And Directives (SI-5)
-Description: 'a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.'
-SectionCode: "5"
-Children:
- - aws_nist_800_53_rev_5_si_5_1
- - aws_nist_800_53_rev_5_si_5_b
-Controls: []
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_5
+ title: Secuity Alerts, Advisories, And Directives (SI-5)
+ description: "a.\u2003Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b.\u2003Generate internal security alerts, advisories, and directives as deemed necessary; c.\u2003Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d.\u2003Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_nist_800_53_rev_5_si_5_1
+ - id: aws_nist_800_53_rev_5_si_5_b
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml
index 8f20f7ef7..f602f515a 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_1.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_si_5_1
-Title: SI-5(1) Automated Alerts And Advisories
-Description: 'Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_5_1
+ title: SI-5(1) Automated Alerts And Advisories
+ description: "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml
index 71777414d..12ce56c11 100755
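Review bot: The new `description` for SI-5 no longer carries the same text as the removed one: the plain space after each list letter (`a. Receive`, `b. Generate`, `c. Disseminate`, `d. Implement`) has become the double-quoted escape `\u2003` (an em space), so the stored string differs from the old side and from the NIST wording, full-text search for `a. Receive` stops matching, and some renderers show the character as a wide gap. Unless the em space is deliberate, the description should keep ordinary spaces, as every other description in this chunk does. The hunk for si_7 (SI-7, Software, Firmware, and Information Integrity) has the same substitution. The title also carries the pre-existing misspelling `Secuity`; while the file is being regenerated it should read `title: Security Alerts, Advisories, And Directives (SI-5)`.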
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_5_b.yaml
@@ -1,19 +1,24 @@
-ID: aws_nist_800_53_rev_5_si_5_b
-Title: SI-5(b)
-Description: Generate internal security alerts, advisories, and directives as deemed necessary.
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled
- - aws_guardduty_enabled
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_nist_800_53_rev_5_si_5_b
+ title: SI-5(b)
+ description: Generate internal security alerts, advisories, and directives as deemed necessary.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_800_53_rev_5:
+ - "true"
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_cloudwatch_alarm_action_enabled
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml
index 2e24bfd99..5381d3dcd 100755
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml
+++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7.yaml
@@ -1,22 +1,27 @@ -ID: aws_nist_800_53_rev_5_si_7 -Title: Software, Firmware, and Information Integrity (SI-7) -Description: 'a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].' -SectionCode: "7" -Children: - - aws_nist_800_53_rev_5_si_7_1 - - aws_nist_800_53_rev_5_si_7_3 - - aws_nist_800_53_rev_5_si_7_7 - - aws_nist_800_53_rev_5_si_7_8 - - aws_nist_800_53_rev_5_si_7_a -Controls: [] -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7 + title: Software, Firmware, and Information Integrity (SI-7) + description: "a.\u2003Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b.\u2003Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]." + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + control-group: + - id: aws_nist_800_53_rev_5_si_7_1 + - id: aws_nist_800_53_rev_5_si_7_3 + - id: aws_nist_800_53_rev_5_si_7_7 + - id: aws_nist_800_53_rev_5_si_7_8 + - id: aws_nist_800_53_rev_5_si_7_a diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml index 4ede960ea..f3d2f8274 100755 
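Review bot: The description on the new side of aws_nist_800_53_rev_5_si_7.yaml encodes two em spaces as `\u2003` escapes (`a.\u2003Employ`, `b.\u2003Take`); the removed line appears to have carried the same characters literally, so this looks like a serializer artifact of the quote-style change rather than intent. A plain space reads identically and keeps the text searchable with `grep "a. Employ"`, so `description: "a. Employ integrity verification tools ..."` would be the safer form. If the em space is deliberate (mirroring the NIST catalog typography), a one-line comment above the key would save the next reader the question.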
--- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_1.yaml @@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_7_1 -Title: SI-7(1) Integrity Checks -Description: 'Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].' -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7_1 + title: SI-7(1) Integrity Checks + description: "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml index 01a0b7d8e..66b7994c6 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_3.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_7_3 -Title: SI-7(3) Centrally Managed Integrity Tools -Description: Employ centrally managed integrity verification tools. -SectionCode: "3" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7_3 + title: SI-7(3) Centrally Managed Integrity Tools + description: Employ centrally managed integrity verification tools. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml index 6925fc9b9..0f77c3868 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_7.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_7_7 -Title: SI-7(7) Integration Of Detection And Response -Description: 'Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system].' -SectionCode: "7" -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7_7 + title: SI-7(7) Integration Of Detection And Response + description: "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]." + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml index ef124a693..6762f8a2e 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_8.yaml 
@@ -1,28 +1,33 @@ -ID: aws_nist_800_53_rev_5_si_7_8 -Title: SI-7(8) Auditing Capability For Significant Events -Description: 'Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].' -SectionCode: "8" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_wafv2_web_acl_logging_enabled - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7_8 + title: SI-7(8) Auditing Capability For Significant Events + description: "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." 
+ section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS + type: + - Benchmark + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_wafv2_web_acl_logging_enabled + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml index 18d445b7e..26058672a 100755 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml +++ b/compliance/frameworks/aws/aws_nist_800_53_rev_5/aws_nist_800_53_rev_5_si_7_a.yaml 
@@ -1,18 +1,23 @@ -ID: aws_nist_800_53_rev_5_si_7_a -Title: SI-7(a) -Description: 'Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information].' -SectionCode: a -Children: [] -Controls: - - aws_cloudtrail_trail_validation_enabled -Tags: - category: - - Compliance - nist_800_53_rev_5: - - "true" - plugin: - - aws - service: - - AWS/CloudTrail - type: - - Benchmark +control-group: + id: aws_nist_800_53_rev_5_si_7_a + title: SI-7(a) + description: "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_800_53_rev_5: + - "true" + plugin: + - aws + service: + - AWS/CloudTrail + type: + - Benchmark + controls: + - aws_cloudtrail_trail_validation_enabled diff --git a/compliance/frameworks/aws/aws_nist_800_53_rev_5/root.yaml b/compliance/frameworks/aws/aws_nist_800_53_rev_5/root.yaml deleted file mode 100755 index c61a44458..000000000 --- a/compliance/frameworks/aws/aws_nist_800_53_rev_5/root.yaml +++ /dev/null 
@@ -1,40 +0,0 @@
-ID: aws_nist_800_53_rev_5
-Title: NIST 800-53 Revision 5
-Description: NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security.
-SectionCode: aws_nist_800_53_rev_5
-Children:
- - aws_nist_800_53_rev_5_ac
- - aws_nist_800_53_rev_5_au
- - aws_nist_800_53_rev_5_ca
- - aws_nist_800_53_rev_5_cm
- - aws_nist_800_53_rev_5_cp
- - aws_nist_800_53_rev_5_ia
- - aws_nist_800_53_rev_5_ir
- - aws_nist_800_53_rev_5_ma
- - aws_nist_800_53_rev_5_mp
- - aws_nist_800_53_rev_5_pe
- - aws_nist_800_53_rev_5_pm
- - aws_nist_800_53_rev_5_ra
- - aws_nist_800_53_rev_5_sa
- - aws_nist_800_53_rev_5_sc
- - aws_nist_800_53_rev_5_si
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- nist_800_53_rev_5:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - aws
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml
new file mode 100644
index 000000000..6a33c03ab
--- /dev/null
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321.yaml
@@ -0,0 +1,22 @@
+framework:
+ id: aws_pci_dss_v321
+ title: PCI DSS v3.2.1
+ description: The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data.
+ section-code: aws_pci_dss_v321
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_1
+ - id: aws_pci_dss_v321_requirement_2
+ - id: aws_pci_dss_v321_requirement_3
+ - id: aws_pci_dss_v321_requirement_4
+ - id: aws_pci_dss_v321_requirement_5
+ - id: aws_pci_dss_v321_requirement_6
+ - id: aws_pci_dss_v321_requirement_7
+ - id: aws_pci_dss_v321_requirement_8
+ - id: aws_pci_dss_v321_requirement_10
+ - id: aws_pci_dss_v321_requirement_11
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
index 107eb5191..d9f0bde73 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1.yaml
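Review bot: The `control-group` list in the new aws_pci_dss_v321.yaml omits requirements 9 and 12 without saying why; both exist in PCI DSS v3.2.1 (physical access and information-security policy) and are presumably left out because they cannot be assessed from AWS configuration, but a reader comparing against the standard will read the gap as an oversight. A one-line comment above the list, `# requirements 9 (physical access) and 12 (policy) are not assessable from cloud configuration and have no control groups`, settles that. Separately, `tags: {}` here contrasts with the deleted NIST root.yaml in the previous hunk, which carried `platform_benchmark_type`, `platform_category`, `plugin` and `service` tags; if the platform lists or filters frameworks by those tags, this framework will not show up alongside the others, which is worth confirming against whichever file now defines the NIST framework.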
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_1 -Title: 'Requirement 1: Install and maintain a firewall configuration to protect cardholder data' -Description: A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks. -SectionCode: requirement_1 -Children: - - aws_pci_dss_v321_requirement_1_1 - - aws_pci_dss_v321_requirement_1_2 - - aws_pci_dss_v321_requirement_1_3 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_1 + title: "Requirement 1: Install and maintain a firewall configuration to protect cardholder data" + description: A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks. + section-code: requirement_1 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_1_1 + - id: aws_pci_dss_v321_requirement_1_2 + - id: aws_pci_dss_v321_requirement_1_3 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml index 37f3be524..3d71462c3 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10.yaml 
@@ -1,13 +1,18 @@ -ID: aws_pci_dss_v321_requirement_10 -Title: 'Requirement 10: Track and monitor all access to network resources and cardholder data' -Description: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. -SectionCode: requirement_10 -Children: - - aws_pci_dss_v321_requirement_10_1 - - aws_pci_dss_v321_requirement_10_2 - - aws_pci_dss_v321_requirement_10_3 - - aws_pci_dss_v321_requirement_10_5 - - aws_pci_dss_v321_requirement_10_7 - - aws_pci_dss_v321_requirement_10_8 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10 + title: "Requirement 10: Track and monitor all access to network resources and cardholder data" + description: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. + section-code: requirement_10 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_10_1 + - id: aws_pci_dss_v321_requirement_10_2 + - id: aws_pci_dss_v321_requirement_10_3 + - id: aws_pci_dss_v321_requirement_10_5 + - id: aws_pci_dss_v321_requirement_10_7 + - id: aws_pci_dss_v321_requirement_10_8 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml index 7511cbd63..7fa0de55f 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_1.yaml 
@@ -1,21 +1,26 @@ -ID: aws_pci_dss_v321_requirement_10_1 -Title: Implement audit trails to link all access to system components to each individual user -Description: 'It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users.' -SectionCode: "1" -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudwatch_alarm_action_enabled_check - - aws_cloudwatch_log_group_retention_period_365 - - aws_elb_application_classic_lb_logging_enabled - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled - - aws_vpc_flow_logs_enabled - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_1 + title: Implement audit trails to link all access to system components to each individual user + description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users." 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudwatch_alarm_action_enabled_check + - aws_cloudwatch_log_group_retention_period_365 + - aws_elb_application_classic_lb_logging_enabled + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled + - aws_vpc_flow_logs_enabled + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml index eec37fa86..021b673cf 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2.yaml 
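Review bot: The controls list of aws_pci_dss_v321_requirement_10_1.yaml references `aws_cloudwatch_alarm_action_enabled_check`, while the NIST hunks earlier in this chunk (si_5_1 and si_5_b) reference `aws_cloudwatch_alarm_action_enabled` for what reads as the same check. If only one of these ids exists in the control catalog, the other reference resolves to nothing and the requirement silently loses its alarm-action coverage, with no error at load time. Please confirm which id the catalog defines and use it consistently; if both are real, a comment above the entry saying how they differ would help. The id is carried over from the old side unchanged, so this is pre-existing, but the migration is the natural moment to catch it.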
@@ -1,18 +1,24 @@ -ID: aws_pci_dss_v321_requirement_10_2 -Title: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings -Description: 'It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users.' -SectionCode: "2" -Children: - - aws_pci_dss_v321_requirement_10_2_1 - - aws_pci_dss_v321_requirement_10_2_2 - - aws_pci_dss_v321_requirement_10_2_3 - - aws_pci_dss_v321_requirement_10_2_4 - - aws_pci_dss_v321_requirement_10_2_5 - - aws_pci_dss_v321_requirement_10_2_6 - - aws_pci_dss_v321_requirement_10_2_7 -Controls: - - aws_es_domain_logs_to_cloudwatch - - aws_opensearch_domain_audit_logging_enabled - - aws_opensearch_domain_logs_to_cloudwatch - - aws_redshift_cluster_audit_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_2 + title: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings + description: "It is critical to have a process or system that links user access to system components accessed. This system generates audit logs and provides the ability to trace back suspicious activity to a specific user. This control verifies, through observation and interviewing the system administrator, that: audit trails are enabled and active for system components, access to system components is linked to individual users." 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_10_2_1 + - id: aws_pci_dss_v321_requirement_10_2_2 + - id: aws_pci_dss_v321_requirement_10_2_3 + - id: aws_pci_dss_v321_requirement_10_2_4 + - id: aws_pci_dss_v321_requirement_10_2_5 + - id: aws_pci_dss_v321_requirement_10_2_6 + - id: aws_pci_dss_v321_requirement_10_2_7 + controls: + - aws_es_domain_logs_to_cloudwatch + - aws_opensearch_domain_audit_logging_enabled + - aws_opensearch_domain_logs_to_cloudwatch + - aws_redshift_cluster_audit_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml index 527a3cb68..0a15ac65b 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_1.yaml 
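Review bot: The title and description of aws_pci_dss_v321_requirement_10_2.yaml do not describe requirement 10.2: the title, `Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings`, reads as a testing-procedure fragment, and the description is a verbatim copy of the one in requirement_10_1 two hunks up. PCI DSS v3.2.1 10.2 concerns implementing automated audit trails for all system components to reconstruct specific events, which is also what the 10_2_x child groups listed below it enumerate. Suggest `title: Implement automated audit trails for all system components to reconstruct the following events` and a description along those lines in place of the duplicated 10.1 text. Both fields are carried over from the old side, so this is not a regression, but it is the kind of thing a migration pass would be expected to clean up.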
@@ -1,14 +1,19 @@ -ID: aws_pci_dss_v321_requirement_10_2_1 -Title: 2.1 All individual user accesses to cardholder data -Description: Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused. This control verifies all individual access to cardholder data is loggedVerify all individual access to cardholder data is logged. -SectionCode: "1" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_2_1 + title: 2.1 All individual user accesses to cardholder data + description: Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account in order to access cardholder data. A record of all individual accesses to cardholder data can identify which accounts may have been compromised or misused. This control verifies all individual access to cardholder data is loggedVerify all individual access to cardholder data is logged. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled 
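Review bot: The description in aws_pci_dss_v321_requirement_10_2_1.yaml contains the run-on `is loggedVerify all individual access to cardholder data is logged.`, where two sentences were joined without a separator; the second sentence also just repeats the first. Suggest ending the description at `...This control verifies all individual access to cardholder data is logged.` and dropping the trailing fragment. The text is carried over from the old side unchanged.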
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
index 2f509c0c7..103bf1056 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_2.yaml
@@ -1,14 +1,19 @@ -ID: aws_pci_dss_v321_requirement_10_2_2 -Title: 2.2 All actions taken by any individual with root or administrative privileges -Description: Accounts with increased privileges, such as the “administrator” or “root” account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual. This control verifies all actions taken by any individual with root or administrative privileges are logged. -SectionCode: "2" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_2_2 + title: 2.2 All actions taken by any individual with root or administrative privileges + description: Accounts with increased privileges, such as the “administrator” or “root” account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual. This control verifies all actions taken by any individual with root or administrative privileges are logged. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml index d86c23b52..c8bbf6614 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_3.yaml 
@@ -1,14 +1,19 @@ -ID: aws_pci_dss_v321_requirement_10_2_3 -Title: 2.3 Access to all audit trails -Description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged. -SectionCode: "3" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_2_3 + title: 2.3 Access to all audit trails + description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml index 97ebda809..f952600b3 100755 
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_4.yaml @@ -1,14 +1,19 @@ -ID: aws_pci_dss_v321_requirement_10_2_4 -Title: 2.4 Invalid logical access attempts -Description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged. -SectionCode: "4" -Children: [] -Controls: - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_s3_data_events_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_rds_db_instance_logging_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_10_2_4 + title: 2.4 Invalid logical access attempts + description: Malicious users often attempt to alter audit logs to hide their actions, and a record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having access to logs identifying changes, additions, and deletions can help retrace steps made by unauthorized personnel. This control verifies access to all audit trails is logged. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_s3_data_events_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_rds_db_instance_logging_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_logging_enabled 
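Review bot: The description in aws_pci_dss_v321_requirement_10_2_4.yaml (`2.4 Invalid logical access attempts`) is a verbatim copy of requirement_10_2_3's text about access to audit trails, ending with `This control verifies access to all audit trails is logged.`, so the group states the wrong intent for its own title. A reader assessing 10.2.4 needs to know the point is logging failed access attempts so that repeated failures against an account can be detected and traced; something like `description: Repeated invalid logical access attempts are a common sign of an account being probed. Logging them lets failed attempts be identified and traced to a source. This control verifies invalid logical access attempts are logged.` would match the title. The mismatch is present on the old side too, so it is not introduced here, but the migration is where it should be fixed.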
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
index 96e65d17c..a78cb0d44 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_2_5
-Title: 2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
-Description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
-SectionCode: "5"
-Children:
- - aws_pci_dss_v321_requirement_10_2_5_a
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_2_5
+ title: 2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
+ description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_2_5_a
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
index 13e354d0b..155a41c9a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_5_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_2_5_a
-Title: 2.5.a Verify use of identification and authentication mechanisms is logged
-Description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
-SectionCode: a
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_2_5_a
+ title: 2.5.a Verify use of identification and authentication mechanisms is logged
+ description: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
index ed1a59042..0627dc6bd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_6.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_2_6
-Title: 2.6 Initialization, stopping, or pausing of the audit logs
-Description: 'Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions. This control verifies the following are logged: initialization of audit logs, stopping or pausing of audit logs.'
-SectionCode: "6"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_2_6
+ title: 2.6 Initialization, stopping, or pausing of the audit logs
+ description: "Turning the audit logs off (or pausing them) prior to performing illicit activities is a common practice for malicious users wishing to avoid detection. Initialization of audit logs could indicate that the log function was disabled by a user to hide their actions. This control verifies the following are logged: initialization of audit logs, stopping or pausing of audit logs."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
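Review bot: The new `enabled: false` and `tracks-drift-events: false` defaults sit on the group whose whole purpose is catching audit logging being stopped or paused, so if the loader honours these values the CloudTrail and logging controls listed here are neither assigned nor drift-tracked until an operator opts in — exactly the change in state this requirement asks to detect. The same defaults are applied to the 10_5 audit-trail-protection groups later in this range. If opt-in is deliberate for the migration, a comment such as `# defaults are opt-in; enable drift tracking for log-integrity groups in production` on the `defaults:` key would preserve that intent; if not, `tracks-drift-events: true` for this group and the 10_5 groups is worth considering.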
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
index 223b5164d..f628dcfcd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_2_7.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_2_7
-Title: 2.7 Creation and deletion of system- level objects
-Description: Malicious software, such as malware, often creates or replaces system level objects on the target system in order to control a particular function or operation on that system. By logging when system-level objects, such as database tables or stored procedures, are created or deleted, it will be easier to determine whether such modifications were authorized. This control verifies creation and deletion of system level objects are logged.
-SectionCode: "7"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_2_7
+ title: 2.7 Creation and deletion of system- level objects
+ description: Malicious software, such as malware, often creates or replaces system level objects on the target system in order to control a particular function or operation on that system. By logging when system-level objects, such as database tables or stored procedures, are created or deleted, it will be easier to determine whether such modifications were authorized. This control verifies creation and deletion of system level objects are logged.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
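Review bot: The rewritten title carries over the `system- level objects` artifact (a stray space after the hyphen) from the old `Title` line; since the line is being rewritten anyway, `title: 2.7 Creation and deletion of system-level objects` would match the `system-level` spelling already used in the description. The 10_5_5 hunk in this range has the same artifact in its description, `file- integrity monitoring`, against the correctly hyphenated `file-integrity` in its own title.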
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
index 59dbb2e27..c08be5d76 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3.yaml
@@ -1,20 +1,26 @@
-ID: aws_pci_dss_v321_requirement_10_3
-Title: Record at least the following audit trail entries for all system components for each event
-Description: 'By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:'
-SectionCode: "3"
-Children:
- - aws_pci_dss_v321_requirement_10_3_1
- - aws_pci_dss_v321_requirement_10_3_2
- - aws_pci_dss_v321_requirement_10_3_3
- - aws_pci_dss_v321_requirement_10_3_4
- - aws_pci_dss_v321_requirement_10_3_5
- - aws_pci_dss_v321_requirement_10_3_6
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3
+ title: Record at least the following audit trail entries for all system components for each event
+ description: "By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. 
Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:"
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_3_1
+ - id: aws_pci_dss_v321_requirement_10_3_2
+ - id: aws_pci_dss_v321_requirement_10_3_3
+ - id: aws_pci_dss_v321_requirement_10_3_4
+ - id: aws_pci_dss_v321_requirement_10_3_5
+ - id: aws_pci_dss_v321_requirement_10_3_6
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
index 05635f36f..fb00129ce 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_1.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_1
-Title: 3.1 User identification
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies user identification is included in log entries.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_1
+ title: 3.1 User identification
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies user identification is included in log entries.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
index 352e7cdcc..c03a54c4c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_2.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_2
-Title: 3.2 Type of event
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies event is included in log entries.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_2
+ title: 3.2 Type of event
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies event is included in log entries.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
index 395ede6a2..4d7f4881d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_3.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_3
-Title: 3.3 Date and time
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This verifies date and time stamp is included in log entries.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_3
+ title: 3.3 Date and time
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This verifies date and time stamp is included in log entries.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
index b57b29771..9c224dc59 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_4.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_4
-Title: 3.4 Success or failure indication
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies success or failure indication is included in log entries.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_4
+ title: 3.4 Success or failure indication
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies success or failure indication is included in log entries.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
index c071a59d7..20cc0a3e3 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_5.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_5
-Title: 3.5 Origination of event
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies origination of event is included in log entries.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_5
+ title: 3.5 Origination of event
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies origination of event is included in log entries.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
index 5076004b2..93e164024 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_3_6.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_3_6
-Title: 3.6 Identity or name of affected data, system component, or resource
-Description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies identity or name of affected data, system component, or resources is included in log entries.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_3_6
+ title: 3.6 Identity or name of affected data, system component, or resource
+ description: By recording these details for the auditable events at 10.2, a potential compromise can be quickly identified, and with sufficient detail to know who, what, where, when, and how. This control verifies identity or name of affected data, system component, or resources is included in log entries.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml
index 08daf7558..d8cf7dd15 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5.yaml 
@@ -1,18 +1,24 @@
-ID: aws_pci_dss_v321_requirement_10_5
-Title: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered
-Description: Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. This control checks secure audit trails so they cannot be altered.
-SectionCode: "5"
-Children:
- - aws_pci_dss_v321_requirement_10_5_2
- - aws_pci_dss_v321_requirement_10_5_3
- - aws_pci_dss_v321_requirement_10_5_4
- - aws_pci_dss_v321_requirement_10_5_5
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_5
+ title: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered
+ description: Often a malicious individual who has entered the network will attempt to edit the audit logs in order to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. This control checks secure audit trails so they cannot be altered. 
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_5_2
+ - id: aws_pci_dss_v321_requirement_10_5_3
+ - id: aws_pci_dss_v321_requirement_10_5_4
+ - id: aws_pci_dss_v321_requirement_10_5_5
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
index bf43fba45..48cfd7a4c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_2.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_10_5_2
-Title: 5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation
-Description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Protect audit trail files from unauthorized modifications.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_config_enabled_all_regions
- - aws_s3_bucket_versioning_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_5_2
+ title: 5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation
+ description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Protect audit trail files from unauthorized modifications.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_config_enabled_all_regions
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
index f2d1b8f42..a479d4e06 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_3.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_10_5_3
-Title: 5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter
-Description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_5_3
+ title: 5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter
+ description: Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
index 08a6fa65c..e16976543 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_4.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_5_4
-Title: 5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media
-Description: By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network. Logs may be written directly, or offloaded or copied from external systems, to the secure internal system or media.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_5_4
+ title: 5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media
+ description: By writing logs from external-facing technologies such as wireless, firewalls, DNS, and mail servers, the risk of those logs being lost or altered is lowered, as they are more secure within the internal network. Logs may be written directly, or offloaded or copied from external systems, to the secure internal system or media.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
index 581e399b8..0743f4aaf 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_5_5.yaml
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_10_5_5
-Title: 5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs
-Description: File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file- integrity monitoring purposes, an entity usually monitors files that don't regularly change, but when changed indicate a possible compromise.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_cloudtrail_trail_validation_enabled
- - aws_s3_bucket_versioning_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_5_5
+ title: 5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs
+ description: File-integrity monitoring or change-detection systems check for changes to critical files, and notify when such changes are noted. For file- integrity monitoring purposes, an entity usually monitors files that don't regularly change, but when changed indicate a possible compromise.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_validation_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
index a11b66a9f..07f9060e9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7.yaml
@@ -1,11 +1,17 @@
-ID: aws_pci_dss_v321_requirement_10_7
-Title: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
-Description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
-SectionCode: "7"
-Children:
- - aws_pci_dss_v321_requirement_10_7_a
- - aws_pci_dss_v321_requirement_10_7_b
- - aws_pci_dss_v321_requirement_10_7_c
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_7
+ title: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)
+ description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data. 
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_7_a
+ - id: aws_pci_dss_v321_requirement_10_7_b
+ - id: aws_pci_dss_v321_requirement_10_7_c
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
index a4225927f..88f4be5bd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_a.yaml
@@ -1,12 +1,17 @@
-ID: aws_pci_dss_v321_requirement_10_7_a
-Title: 7.a Examine security policies and procedures to verify that they define audit log retention policies and procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online
-Description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
-SectionCode: a
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_s3_bucket_lifecycle_policy_enabled
- - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_7_a
+ title: 7.a Examine security policies and procedures to verify that they define audit log retention policies and procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online
+ description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.
Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_s3_bucket_lifecycle_policy_enabled
+ - aws_s3_bucket_versioning_and_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
index e4501d117..0fff7d0d0 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_b.yaml
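Review bot: The `controls` list for 10.7.a pairs a one-year audit-log retention requirement with `aws_backup_plan_min_retention_35_days` and `aws_backup_recovery_point_min_retention_35_days`, whose names suggest they only assert a 35-day floor, so a passing result here would not evidence the one-year or three-months-online retention the `title` describes. The sibling groups 10.7.b and 10.7.c map to `aws_cloudwatch_log_group_retention_period_365`, which matches the stated period more closely and could be listed here too. A comment above `controls:` noting that the backup and lifecycle controls cover restorability rather than the retention period would keep this mapping from being read as proof of the retention requirement.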
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_7_b
-Title: 7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year
-Description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_7_b
+ title: 7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year
+ description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
index 30de71f14..b07d1ddef 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_7_c.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_7_c
-Title: 7.c Interview personnel and observe processes to verify that at least the last three months' logs are immediately available for analysis
-Description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
-SectionCode: c
-Children: []
-Controls:
- - aws_cloudwatch_log_group_retention_period_365
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_7_c
+ title: 7.c Interview personnel and observe processes to verify that at least the last three months' logs are immediately available for analysis
+ description: Retaining logs for at least a year allows for the fact that it often takes a while to notice that a compromise has occurred or is occurring, and allows investigators sufficient log history to better determine the length of time of a potential breach and potential system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach. Storing logs in off-line locations could prevent them from being readily available, resulting in longer time frames to restore log data, perform analysis, and identify impacted systems or data.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudwatch_log_group_retention_period_365
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
index 2b9b6d094..77cde188a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8.yaml
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_10_8
-Title: Additional requirement for service providers only to implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms and segmentation controls
-Description: 'Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline.'
-SectionCode: "8"
-Children:
- - aws_pci_dss_v321_requirement_10_8_1
- - aws_pci_dss_v321_requirement_10_8_b
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_8
+ title: Additional requirement for service providers only to implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms and segmentation controls
+ description: "Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment.
The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_8_1
+ - id: aws_pci_dss_v321_requirement_10_8_b
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
index 46243a3eb..8cbef0412 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_8_1
-Title: '8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner'
-Description: 'Processes for responding to failures in security controls must include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity''s environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence.'
-SectionCode: "1"
-Children:
- - aws_pci_dss_v321_requirement_10_8_1_a
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_8_1
+ title: "8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner"
+ description: "Processes for responding to failures in security controls must include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_10_8_1_a
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml
index f533cbb4d..580b7431c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_1_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_10_8_1_a
-Title: 8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure
-Description: 'This include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity''s environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence.'
-SectionCode: a
-Children: []
-Controls:
- - aws_cloudwatch_alarm_action_enabled_check
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_8_1_a
+ title: 8.1.a Examine documented policies and procedures and interview personnel to verify processes are defined and implemented to respond to a security control failure
+ description: "This include restoring security functions, identifying and documenting the duration (date and time start to end) of the security failure, identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause, identifying and addressing any security issues that arose during the failure, performing a risk assessment to determine whether further actions are required as a result of the security failure, implementing controls to prevent cause of failure from reoccurring and resuming monitoring of security controls. Note: This requirement applies only when the entity being assessed is a service provider. If critical security control failures alerts are not quickly and effectively responded to, attackers may use this time to insert malicious software, gain control of a system, or steal data from the entity's environment. Documented evidence (e.g., records within a problem management system) should support that processes and procedures are in place to respond to security failures. In addition, personnel should be aware of their responsibilities in the event of a failure. Actions and responses to the failure should be captured in the documented evidence."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudwatch_alarm_action_enabled_check
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml
index 66e4d63b7..191d235de 100755
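Review bot: The new `description` value for 10.8.1.a opens with `This include restoring security functions`, a grammatical slip carried over from the removed line that the rewrite does not fix; `This includes restoring security functions` is the intended reading. The rest of the sentence is the same text as the 10.8.1 group description, so only the opening two words need to change.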
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_10_8_b.yaml
@@ -1,14 +1,19 @@
-ID: aws_pci_dss_v321_requirement_10_8_b
-Title: 8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls
-Description: 'The failure of a critical security control results in the generation of an alert.10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline.'
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudtrail_trail_enabled
- - aws_cloudwatch_alarm_action_enabled_check
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_audit_logging_enabled
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_redshift_cluster_audit_logging_enabled
- - aws_sns_topic_notification_delivery_status_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_10_8_b
+ title: 8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls
+ description: "The failure of a critical security control results in the generation of an alert.10.8.b Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. Note: This requirement applies only when the entity being assessed is a service provider. Without formal processes to detect and alert when critical security controls fail, failures may go undetected for extended periods and provide attackers ample time to compromise systems and steal sensitive data from the cardholder data environment. The specific types of failures may vary depending on the function of the device and technology in use. Typical failures include a system ceasing to perform its security function or not functioning in its intended manner; for example, a firewall erasing all its rules or going offline."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudwatch_alarm_action_enabled_check
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_audit_logging_enabled
+ - aws_opensearch_domain_logs_to_cloudwatch
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_sns_topic_notification_delivery_status_enabled
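Review bot: The `description` for 10.8.b runs two fragments together as `an alert.10.8.b Examine detection and alerting processes`, and the second fragment repeats the group's own `title` before the rationale text begins. The missing space after `alert.` was already present on the removed line and this commit only re-keys it; the cleanest fix is to drop the duplicated testing-procedure sentence so the value reads `The failure of a critical security control results in the generation of an alert. Note: This requirement applies only when ...`, or at minimum insert the space. This is user-facing report text, so it is worth correcting while the file is being rewritten.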
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
index cbb1cb57a..ceb935977 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11.yaml
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_11
-Title: 'Requirement 11: Regularly test security systems and processes'
-Description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
-SectionCode: requirement_11
-Children:
- - aws_pci_dss_v321_requirement_11_4
- - aws_pci_dss_v321_requirement_11_5
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_11
+ title: "Requirement 11: Regularly test security systems and processes"
+ description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
+ section-code: requirement_11
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_11_4
+ - id: aws_pci_dss_v321_requirement_11_5
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
index c3f9fe48a..5fbd010c0 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4.yaml
@@ -1,11 +1,17 @@
-ID: aws_pci_dss_v321_requirement_11_4
-Title: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network
-Description: Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
-SectionCode: "4"
-Children:
- - aws_pci_dss_v321_requirement_11_4_a
- - aws_pci_dss_v321_requirement_11_4_b
- - aws_pci_dss_v321_requirement_11_4_c
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_11_4
+ title: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network
+ description: Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens.
Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_11_4_a
+ - id: aws_pci_dss_v321_requirement_11_4_b
+ - id: aws_pci_dss_v321_requirement_11_4_c
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
index af480d711..739e34a08 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_11_4_a
-Title: 4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic at the perimeter of the cardholder data environment and at critical points in the cardholder data environment
-Description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
-SectionCode: a
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_11_4_a
+ title: 4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic at the perimeter of the cardholder data environment and at critical points in the cardholder data environment
+ description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
index 37f2e5c6e..8537adaf1 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_11_4_b
-Title: 4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises
-Description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
-SectionCode: b
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_11_4_b
+ title: 4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises
+ description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
index f2650c613..443d8a171 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_4_c.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_11_4_c
-Title: 4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection
-Description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
-SectionCode: c
-Children: []
-Controls:
-  - aws_guardduty_enabled
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_11_4_c
+  title: 4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection
+  description: Intrusion detection and/or intrusion prevention techniques (such as IDS/IPS) compare the traffic coming into the network with known “signatures” and/or behaviors of thousands of compromise types (hacker tools, Trojans, and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these techniques should be monitored so that the attempted intrusions can be stopped.
+  section-code: c
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
index 2461ee50a..cc713b13d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5.yaml
@@ -1,10 +1,16 @@
-ID: aws_pci_dss_v321_requirement_11_5
-Title: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
-Description: Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
-SectionCode: "5"
-Children:
-  - aws_pci_dss_v321_requirement_11_5_a
-  - aws_pci_dss_v321_requirement_11_5_b
-Controls:
-  - aws_config_enabled_all_regions
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_11_5
+  title: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly
+  description: Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. 
Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: aws_pci_dss_v321_requirement_11_5_a
+    - id: aws_pci_dss_v321_requirement_11_5_b
+  controls:
+    - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
index 5ec5996a3..2840b6d00 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_a.yaml
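Review bot: Requirement 11.5 is a file-integrity-monitoring requirement, yet the only control evidencing it under `controls:` is `aws_config_enabled_all_regions`; AWS Config records changes to AWS resource configuration, not modifications of system executables, configuration files or content files on hosts, so a passing control is at best partial evidence for this requirement. The same single mapping is carried into the 11.5.a and 11.5.b hunks below. A comment above the key would keep that gap visible to whoever reads the framework as an assessor, e.g. `# partial evidence only: AWS Config tracks resource-level drift, not host file integrity (FIM)`.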
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_11_5_a
-Title: 5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities
-Description: Examples of files that should be monitored are system executables, application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files and additional critical files determined by entity (for example, through risk assessment or other means). Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
-SectionCode: a
-Children: []
-Controls:
-  - aws_config_enabled_all_regions
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_11_5_a
+  title: 5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities
+  description: Examples of files that should be monitored are system executables, application executables, configuration and parameter files, centrally stored, historical or archived, log and audit files and additional critical files determined by entity (for example, through risk assessment or other means). Change-detection solutions such as file-integrity monitoring (FIM) tools check for changes, additions, and deletions to critical files, and notify when such changes are detected. 
If not implemented properly and the output of the change-detection solution monitored, a malicious individual could add, remove, or alter configuration file contents, operating system programs, or application executables. Unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
+  section-code: a
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
index bb2fa5bda..f425a2f57 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_11_5_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_11_5_b
-Title: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
-Description: ""
-SectionCode: b
-Children: []
-Controls:
-  - aws_config_enabled_all_regions
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_11_5_b
+  title: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
+  description: 5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly
+  section-code: b
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
index 08359c8c1..c5c329498 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1.yaml
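Review bot: The new `description` for 11.5.b is a verbatim copy of its `title`, whereas the old side had `Description: ""`; the copy adds no guidance and is a content change hidden inside what is otherwise a key-rename migration, and it will also make the title appear twice wherever the UI renders both fields. If the new schema accepts an empty value, restore `description: ""`; if it requires a non-empty description, keep the copy but mark it so the placeholder is not mistaken for real guidance, e.g. `# TODO: replace with PCI DSS guidance text; description currently mirrors title`.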
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_1
-Title: Establish and implement firewall and router configuration standards
-Description: Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Configuration standards and procedures will help to ensure that the organization's first line of defense in the protection of its data remains strong.
-SectionCode: "1"
-Children:
-  - aws_pci_dss_v321_requirement_1_1_4
-Controls: []
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_1
+  title: Establish and implement firewall and router configuration standards
+  description: Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Configuration standards and procedures will help to ensure that the organization's first line of defense in the protection of its data remains strong.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: aws_pci_dss_v321_requirement_1_1_4
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
index f253588f2..8d54dcacf 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_1_4
-Title: 1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
-Description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
-SectionCode: "4"
-Children:
-  - aws_pci_dss_v321_requirement_1_1_4_c
-Controls: []
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_1_4
+  title: 1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
+  description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: aws_pci_dss_v321_requirement_1_1_4_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
index f99c332cd..9a5f72ed4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_1_4_c.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_1_1_4_c
-Title: 1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams
-Description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
-SectionCode: c
-Children: []
-Controls:
-  - aws_apigateway_stage_use_waf_web_acl
-  - aws_elb_application_lb_waf_enabled
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_1_4_c
+  title: 1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams
+  description: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
+  section-code: c
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_apigateway_stage_use_waf_web_acl
+    - aws_elb_application_lb_waf_enabled
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
index 20f70a589..5e7353c3c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_1_2
-Title: Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment
-Description: It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity's ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software. For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity's network.
-SectionCode: "2"
-Children:
-  - aws_pci_dss_v321_requirement_1_2_1
-  - aws_pci_dss_v321_requirement_1_2_2
-  - aws_pci_dss_v321_requirement_1_2_3
-Controls: []
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_2
+  title: Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment
+  description: It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity's ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software. For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity's network.
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: aws_pci_dss_v321_requirement_1_2_1
+    - id: aws_pci_dss_v321_requirement_1_2_2
+    - id: aws_pci_dss_v321_requirement_1_2_3
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
index 21e6db24d..a671983cb 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_1_2_1
-Title: 2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
-Description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
-SectionCode: "1"
-Children:
-  - aws_pci_dss_v321_requirement_1_2_1_a
-  - aws_pci_dss_v321_requirement_1_2_1_b
-  - aws_pci_dss_v321_requirement_1_2_1_c
-Controls: []
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_2_1
+  title: 2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
+  description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). 
Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: aws_pci_dss_v321_requirement_1_2_1_a
+    - id: aws_pci_dss_v321_requirement_1_2_1_b
+    - id: aws_pci_dss_v321_requirement_1_2_1_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
index d82b0cb5e..77f521fc9 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_a.yaml
@@ -1,25 +1,30 @@
-ID: aws_pci_dss_v321_requirement_1_2_1_a
-Title: 2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
-Description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
-SectionCode: a
-Children: []
-Controls:
-  - aws_autoscaling_launch_config_public_ip_disabled
-  - aws_dms_replication_instance_not_publicly_accessible
-  - aws_ebs_snapshot_not_publicly_restorable
-  - aws_es_domain_in_vpc
-  - aws_lambda_function_in_vpc
-  - aws_lambda_function_restrict_public_access
-  - aws_rds_db_instance_prohibit_public_access
-  - aws_rds_db_snapshot_prohibit_public_access
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-  - aws_vpc_default_security_group_restricts_all_traffic
-  - aws_vpc_igw_attached_to_authorized_vpc
-  - aws_vpc_network_acl_remote_administration
-  - aws_vpc_route_table_restrict_public_access_to_igw
-  - aws_vpc_security_group_restrict_ingress_ssh_all
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_2_1_a
+  title: 2.1.a Examine firewall and router configuration standards 
to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
+  description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+  section-code: a
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_autoscaling_launch_config_public_ip_disabled
+    - aws_dms_replication_instance_not_publicly_accessible
+    - aws_ebs_snapshot_not_publicly_restorable
+    - aws_es_domain_in_vpc
+    - aws_lambda_function_in_vpc
+    - aws_lambda_function_restrict_public_access
+    - aws_rds_db_instance_prohibit_public_access
+    - aws_rds_db_snapshot_prohibit_public_access
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+    - aws_vpc_default_security_group_restricts_all_traffic
+    - aws_vpc_igw_attached_to_authorized_vpc
+    - aws_vpc_network_acl_remote_administration
+    - aws_vpc_route_table_restrict_public_access_to_igw
+    - aws_vpc_security_group_restrict_ingress_ssh_all
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
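Review bot: 2.1.a asks for both inbound and outbound traffic to be identified and limited, yet every entry under `controls:` is, judging by its name, an ingress or public-exposure check (`*_restrict_ingress_*`, `*_prohibit_public_access`, `*_in_vpc`, `*_public_ip_disabled`, `*_not_publicly_*`); none appears to evaluate egress rules, so the outbound half of the requirement has no evidence behind it. The identical 18-control list is reused verbatim for 2.1.b and 2.1.c in the next two hunks, and 2.1.c ("all other inbound and outbound traffic is specifically denied") is the one where that gap matters most. A comment above the list, `# ingress/public-exposure checks only; outbound (egress) restriction is not evaluated by any control here`, would make the limitation explicit, and an egress-scoped control should be added to 2.1.c if the catalog has one.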
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
index c8dbcde48..60a659230 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_b.yaml
@@ -1,25 +1,30 @@
-ID: aws_pci_dss_v321_requirement_1_2_1_b
-Title: 2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment
-Description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
-SectionCode: b
-Children: []
-Controls:
-  - aws_autoscaling_launch_config_public_ip_disabled
-  - aws_dms_replication_instance_not_publicly_accessible
-  - aws_ebs_snapshot_not_publicly_restorable
-  - aws_es_domain_in_vpc
-  - aws_lambda_function_in_vpc
-  - aws_lambda_function_restrict_public_access
-  - aws_rds_db_instance_prohibit_public_access
-  - aws_rds_db_snapshot_prohibit_public_access
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-  - aws_vpc_default_security_group_restricts_all_traffic
-  - aws_vpc_igw_attached_to_authorized_vpc
-  - aws_vpc_network_acl_remote_administration
-  - aws_vpc_route_table_restrict_public_access_to_igw
-  - aws_vpc_security_group_restrict_ingress_ssh_all
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_2_1_b
+  title: 2.1.b Examine firewall and router configurations to 
verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment
+  description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
+  section-code: b
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_autoscaling_launch_config_public_ip_disabled
+    - aws_dms_replication_instance_not_publicly_accessible
+    - aws_ebs_snapshot_not_publicly_restorable
+    - aws_es_domain_in_vpc
+    - aws_lambda_function_in_vpc
+    - aws_lambda_function_restrict_public_access
+    - aws_rds_db_instance_prohibit_public_access
+    - aws_rds_db_snapshot_prohibit_public_access
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+    - aws_vpc_default_security_group_restricts_all_traffic
+    - aws_vpc_igw_attached_to_authorized_vpc
+    - aws_vpc_network_acl_remote_administration
+    - aws_vpc_route_table_restrict_public_access_to_igw
+    - aws_vpc_security_group_restrict_ingress_ssh_all
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
index 4f573d437..9161c1387 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_1_c.yaml
@@ -1,25 +1,30 @@
-ID: aws_pci_dss_v321_requirement_1_2_1_c
-Title: 2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement
-Description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out. 
-SectionCode: c
-Children: []
-Controls:
-  - aws_autoscaling_launch_config_public_ip_disabled
-  - aws_dms_replication_instance_not_publicly_accessible
-  - aws_ebs_snapshot_not_publicly_restorable
-  - aws_es_domain_in_vpc
-  - aws_lambda_function_in_vpc
-  - aws_lambda_function_restrict_public_access
-  - aws_rds_db_instance_prohibit_public_access
-  - aws_rds_db_snapshot_prohibit_public_access
-  - aws_redshift_cluster_prohibit_public_access
-  - aws_s3_bucket_restrict_public_read_access
-  - aws_s3_bucket_restrict_public_write_access
-  - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-  - aws_vpc_default_security_group_restricts_all_traffic
-  - aws_vpc_igw_attached_to_authorized_vpc
-  - aws_vpc_network_acl_remote_administration
-  - aws_vpc_route_table_restrict_public_access_to_igw
-  - aws_vpc_security_group_restrict_ingress_ssh_all
-  - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+  id: aws_pci_dss_v321_requirement_1_2_1_c
+  title: 2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement
+  description: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out. 
+  section-code: c
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - aws_autoscaling_launch_config_public_ip_disabled
+    - aws_dms_replication_instance_not_publicly_accessible
+    - aws_ebs_snapshot_not_publicly_restorable
+    - aws_es_domain_in_vpc
+    - aws_lambda_function_in_vpc
+    - aws_lambda_function_restrict_public_access
+    - aws_rds_db_instance_prohibit_public_access
+    - aws_rds_db_snapshot_prohibit_public_access
+    - aws_redshift_cluster_prohibit_public_access
+    - aws_s3_bucket_restrict_public_read_access
+    - aws_s3_bucket_restrict_public_write_access
+    - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+    - aws_vpc_default_security_group_restricts_all_traffic
+    - aws_vpc_igw_attached_to_authorized_vpc
+    - aws_vpc_network_acl_remote_administration
+    - aws_vpc_route_table_restrict_public_access_to_igw
+    - aws_vpc_security_group_restrict_ingress_ssh_all
+    - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
index e826d7bf1..24d5fa4c5 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_2_2
-Title: 2.2 Secure and synchronize router configuration files
-Description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_1_2_2_b
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_2_2
+ title: 2.2 Secure and synchronize router configuration files
+ description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_1_2_2_b
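Review bot: `auto-assign: null` is the one default under `metadata.defaults` that is not a boolean, while `enabled` and `tracks-drift-events` on the adjacent lines are `false`; nothing in the new file says whether null means "off" or "inherit from the parent", and a loader that coerces null to false would silently collapse the two. Either write `auto-assign: false` or add a comment above the key such as `# null: inherit the framework-level auto-assign setting`, whichever the consumer actually implements. The same `null` appears in every control-group hunk below (1_2_2_b, 1_2_3, 1_2_3_b, 1_3, 1_3_1 through 1_3_6, 2, 2_1), so one decision should be applied to all of them. Separately, the removed format carried an explicit `Controls: []`, whereas the new block simply omits `controls`; if the consumer treats a missing key differently from an empty list, an explicit `controls: []` would keep the "no direct controls" intent visible.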
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
index 4eba038c4..88bddaec8 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_2_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_2_2_b
-Title: 2.2.b Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)
-Description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
-SectionCode: b
-Children: []
-Controls:
- - aws_cloudformation_stack_drift_detection_check
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_2_2_b
+ title: 2.2.b Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)
+ description: While the running (or active) router configuration files include the current, secure settings, the start- up files (which are used when routers are re- started or booted) must be updated with the same secure settings to ensure these settings are applied when the start-up configuration is run. Because they only run occasionally, start-up configuration files are often forgotten and are not updated. When a router re-starts and loads a start-up configuration that has not been updated with the same secure settings as those in the running configuration, it may result in weaker rules that allow malicious individuals into the network.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_cloudformation_stack_drift_detection_check
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
index 10b0399fc..ee0614e15 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_2_3
-Title: 2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
-Description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
-SectionCode: "3"
-Children:
- - aws_pci_dss_v321_requirement_1_2_3_b
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_2_3
+ title: 2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
+ description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network.
If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_1_2_3_b
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
index e1d91839d..94ea6d4c8 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_2_3_b.yaml
@@ -1,13 +1,18 @@
-ID: aws_pci_dss_v321_requirement_1_2_3_b
-Title: 2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
-Description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
-SectionCode: b
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_2_3_b
+ title: 2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment
+ description: The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data.
If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and “invisibly” enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_network_acl_remote_administration
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
index 97be0c2ab..83e427ec8 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3.yaml
@@ -1,30 +1,36 @@
-ID: aws_pci_dss_v321_requirement_1_3
-Title: Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the following to determine that there is no direct access between the Internet and system components in the internal cardholder network segment
-Description: While there may be legitimate reasons for untrusted connections to be permitted to DMZ systems (e.g., to allow public access to a web server), such connections should never be granted to systems in the internal network. A firewall's intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.
-SectionCode: "3"
-Children:
- - aws_pci_dss_v321_requirement_1_3_1
- - aws_pci_dss_v321_requirement_1_3_2
- - aws_pci_dss_v321_requirement_1_3_3
- - aws_pci_dss_v321_requirement_1_3_4
- - aws_pci_dss_v321_requirement_1_3_5
- - aws_pci_dss_v321_requirement_1_3_6
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_eks_cluster_endpoint_restrict_public_access
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_public_access_block_account
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_configured_to_use_vpc_endpoints
- - aws_vpc_igw_attached_to_authorized_vpc
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3
+ title: Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the following to determine that there is no direct access between the Internet and system components in the internal cardholder network segment
+ description: While there may be legitimate reasons for untrusted connections to be permitted to DMZ systems (e.g., to allow public access to a web server), such connections should never be granted to systems in the internal network. A firewall's intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data.
If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_1_3_1
+ - id: aws_pci_dss_v321_requirement_1_3_2
+ - id: aws_pci_dss_v321_requirement_1_3_3
+ - id: aws_pci_dss_v321_requirement_1_3_4
+ - id: aws_pci_dss_v321_requirement_1_3_5
+ - id: aws_pci_dss_v321_requirement_1_3_6
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_eks_cluster_endpoint_restrict_public_access
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_public_access_block_account
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_configured_to_use_vpc_endpoints
+ - aws_vpc_igw_attached_to_authorized_vpc
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
index 6085dcff8..7350852d3 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_1.yaml
@@ -1,20 +1,25 @@
-ID: aws_pci_dss_v321_requirement_1_3_1
-Title: 3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
-Description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_1
+ title: 3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports
+ description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server).
This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
index c318b9553..7eeafc8cb 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_2.yaml
@@ -1,21 +1,26 @@
-ID: aws_pci_dss_v321_requirement_1_3_2
-Title: 3.2 Limit inbound Internet traffic to IP addresses within the DMZ
-Description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner. The set of controls will limit inbound Internet traffic to IP addresses within the DMZ.
-SectionCode: "2"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_network_acl_remote_administration
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_2
+ title: 3.2 Limit inbound Internet traffic to IP addresses within the DMZ
+ description: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner.
The set of controls will limit inbound Internet traffic to IP addresses within the DMZ.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_network_acl_remote_administration
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
index 2603077f3..8174f0c7b 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_3.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_1_3_3
-Title: 3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ
-Description: Normally a packet contains the IP address of the computer that originally sent it so other computers in the network know where the packet came from. Malicious individuals will often try to spoof (or imitate) the sending IP address so that the target system believes the packet is from a trusted source. Filtering packets coming into the network helps to, among other things, ensure packets are not “spoofed” to look like they are coming from an organization's own internal network.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_requires_imdsv2
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_3
+ title: 3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ
+ description: Normally a packet contains the IP address of the computer that originally sent it so other computers in the network know where the packet came from. Malicious individuals will often try to spoof (or imitate) the sending IP address so that the target system believes the packet is from a trusted source. Filtering packets coming into the network helps to, among other things, ensure packets are not “spoofed” to look like they are coming from an organization's own internal network.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_requires_imdsv2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
index b63665f94..3c4f42537 100755
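Review bot: The only control under `controls:` for this anti-spoofing requirement is `aws_autoscaling_launch_config_requires_imdsv2`, and requiring IMDSv2 on launch configurations hardens the instance metadata endpoint rather than filtering packets whose source address claims to be internal, which is what the description on the line above asks for. The mapping is carried over unchanged from the removed format, so it is pre-existing, but a migration that touches every line of the file is the right moment to either add a network-layer control alongside it (the NACL, route-table and security-group controls that 1_3_2 lists are the obvious candidates already present in this framework) or state the rationale in a comment, e.g. `# IMDSv2 listed as the closest available control; no packet-level anti-spoofing check exists yet`. Without one of those, an auditor reading this group will see a single compensating control presented as coverage for requirement 1.3.3.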
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_4.yaml
@@ -1,17 +1,22 @@
-ID: aws_pci_dss_v321_requirement_1_3_4
-Title: 3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
-Description: All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content). The set of controls will examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
-SectionCode: "4"
-Children: []
-Controls:
- - aws_autoscaling_launch_config_requires_imdsv2
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_rds_db_instance_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_4
+ title: 3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
+ description: All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content). The set of controls will examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_requires_imdsv2
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_es_domain_in_vpc
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
index 578a1e13b..e7240ff71 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_5.yaml
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_1_3_5
-Title: 3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session
-Description: A firewall that maintains the `state` (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection's status) or is malicious traffic trying to trick the firewall into allowing the connection.
-SectionCode: "5"
-Children: []
-Controls:
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_5
+ title: 3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session
+ description: A firewall that maintains the `state` (or the status) for each connection through the firewall knows whether an apparent response to a previous connection is actually a valid, authorized response (since it retains each connection's status) or is malicious traffic trying to trick the firewall into allowing the connection.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml
index 138586287..9ec97a539 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_1_3_6.yaml 
@@ -1,15 +1,20 @@
-ID: aws_pci_dss_v321_requirement_1_3_6
-Title: 3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks
-Description: If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data (such as a database) in an internal network zone that is segregated from the DMZ and other untrusted networks by a firewall can prevent unauthorized network traffic from reaching the system component.
-SectionCode: "6"
-Children: []
-Controls:
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_es_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_1_3_6
+ title: 3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks
+ description: If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data (such as a database) in an internal network zone that is segregated from the DMZ and other untrusted networks by a firewall can prevent unauthorized network traffic from reaching the system component.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_es_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
index e593c3f45..f00f56483 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2.yaml
@@ -1,11 +1,16 @@ -ID: aws_pci_dss_v321_requirement_2 -Title: 'Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters' -Description: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information. -SectionCode: requirement_2 -Children: - - aws_pci_dss_v321_requirement_2_1 - - aws_pci_dss_v321_requirement_2_2 - - aws_pci_dss_v321_requirement_2_3 - - aws_pci_dss_v321_requirement_2_4 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2 + title: "Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters" + description: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information. + section-code: requirement_2 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_2_1 + - id: aws_pci_dss_v321_requirement_2_2 + - id: aws_pci_dss_v321_requirement_2_3 + - id: aws_pci_dss_v321_requirement_2_4 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml index 486f24a54..35eae236e 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1.yaml 
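Review bot: The nested `control-group:` list reuses the name of the top-level `control-group:` mapping with a different shape (a sequence of `{id: ...}` entries versus a single mapping), so the same key means "this group" at depth 0 and "my children" at depth 1, which invites mis-nesting when these files are hand-edited. If the loader's schema allows it, a distinct name such as `child-groups:` would make the file self-describing; if the key is fixed, a one-line comment above the nested list, `# child control groups, resolved by id from sibling files`, carries the same information. This applies to every hunk in the commit that declares child groups (requirement_2_1, 2_2, 2_2_5, 2_4 and 3 in this chunk). Unrelated to the schema, the index lines show these data files kept at mode 100755; since the commit already rewrites every file, it is a natural moment to drop the executable bit.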
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_2_1 -Title: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network -Description: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password. -SectionCode: "1" -Children: - - aws_pci_dss_v321_requirement_2_1_b -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_1 + title: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network + description: This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc. Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. 
Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_2_1_b diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml index 30aa5d045..213042595 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_1_b.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_2_1_b -Title: 1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled -Description: Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password. -SectionCode: b -Children: [] -Controls: - - aws_rds_db_cluster_no_default_admin_name - - aws_rds_db_instance_no_default_admin_name - - aws_redshift_cluster_no_default_admin_name -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_1_b + title: 1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled + description: Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack. 
Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_rds_db_cluster_no_default_admin_name + - aws_rds_db_instance_no_default_admin_name + - aws_redshift_cluster_no_default_admin_name diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml index a132793ab..83e705877 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2.yaml 
@@ -1,15 +1,21 @@ -ID: aws_pci_dss_v321_requirement_2_2 -Title: Develop configuration standards for all system components -Description: 'Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute and National Institute of Standards Technology (NIST). There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.' -SectionCode: "2" -Children: - - aws_pci_dss_v321_requirement_2_2_2 - - aws_pci_dss_v321_requirement_2_2_4 - - aws_pci_dss_v321_requirement_2_2_5 - - aws_pci_dss_v321_requirement_2_2_a - - aws_pci_dss_v321_requirement_2_2_d -Controls: - - aws_autoscaling_group_with_lb_use_health_check - - aws_iam_root_user_no_access_keys - - aws_s3_bucket_cross_region_replication_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2 + title: Develop configuration standards for all system components + description: "Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. 
Sources of industry-accepted system hardening standards may include, but are not limited to Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute and National Institute of Standards Technology (NIST). There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_2_2_2 + - id: aws_pci_dss_v321_requirement_2_2_4 + - id: aws_pci_dss_v321_requirement_2_2_5 + - id: aws_pci_dss_v321_requirement_2_2_a + - id: aws_pci_dss_v321_requirement_2_2_d + controls: + - aws_autoscaling_group_with_lb_use_health_check + - aws_iam_root_user_no_access_keys + - aws_s3_bucket_cross_region_replication_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml index a94aed59c..85085b500 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_2.yaml 
@@ -1,25 +1,30 @@ -ID: aws_pci_dss_v321_requirement_2_2_2 -Title: 2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system -Description: As stated in Requirement 1.1.6, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. Including this requirement as part of an organization's configuration standards and related processes ensures that only the necessary services and protocols are enabled. -SectionCode: "2" -Children: [] -Controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_in_vpc - - aws_ec2_instance_not_publicly_accessible - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_lambda_function_in_vpc - - aws_lambda_function_restrict_public_access - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_configured_to_use_vpc_endpoints - - aws_vpc_igw_attached_to_authorized_vpc - - aws_vpc_security_group_restrict_ingress_ssh_all -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_2 + title: 2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system + description: As stated in Requirement 1.1.6, there are many protocols that a business may need (or have enabled by default) that are commonly used by malicious individuals to compromise a network. Including this requirement as part of an organization's configuration standards and related processes ensures that only the necessary services and protocols are enabled. 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_in_vpc + - aws_ec2_instance_not_publicly_accessible + - aws_eks_cluster_endpoint_restrict_public_access + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_lambda_function_in_vpc + - aws_lambda_function_restrict_public_access + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_public_access_block_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_configured_to_use_vpc_endpoints + - aws_vpc_igw_attached_to_authorized_vpc + - aws_vpc_security_group_restrict_ingress_ssh_all diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml index af2cae8a9..facac8622 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_4.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_2_2_4 -Title: 2.4 Configure system security parameters to prevent misuse -Description: System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use. In order for systems to be configured securely, personnel responsible for configuration and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system. -SectionCode: "4" -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_4 + title: 2.4 Configure system security parameters to prevent misuse + description: System configuration standards and related processes should specifically address security settings and parameters that have known security implications for each type of system in use. In order for systems to be configured securely, personnel responsible for configuration and/or administering systems must be knowledgeable in the specific security parameters and settings that apply to the system. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml index daf13ae0e..be1675e32 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_2_2_5 -Title: 2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers -Description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions). -SectionCode: "5" -Children: - - aws_pci_dss_v321_requirement_2_2_5_b -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_5 + title: 2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers + description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions). + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_2_2_5_b diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml index af2dd0ee1..2a839d85c 100755 
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_5_b.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_2_2_5_b -Title: 2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration -Description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions). -SectionCode: b -Children: [] -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_5_b + title: 2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration + description: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions). + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml index 778050f8e..00adbcf32 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_a.yaml 
@@ -1,12 +1,17 @@ -ID: aws_pci_dss_v321_requirement_2_2_a -Title: 2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards -Description: 'There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.' -SectionCode: a -Children: [] -Controls: - - aws_autoscaling_launch_config_requires_imdsv2 - - aws_cloudformation_stack_drift_detection_check - - aws_rds_db_cluster_no_default_admin_name - - aws_rds_db_instance_no_default_admin_name - - aws_redshift_cluster_no_default_admin_name -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_a + title: 2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards + description: "There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. 
Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_autoscaling_launch_config_requires_imdsv2 + - aws_cloudformation_stack_drift_detection_check + - aws_rds_db_cluster_no_default_admin_name + - aws_rds_db_instance_no_default_admin_name + - aws_redshift_cluster_no_default_admin_name diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml index cdad08913..e30a8756f 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_2_d.yaml 
@@ -1,12 +1,17 @@ -ID: aws_pci_dss_v321_requirement_2_2_d -Title: 2.d Verify that system configuration standards include the procedures like changing of all vendor-supplied defaults and elimination of unnecessary default accounts etc. for all types of system components -Description: 'System configuration standards include the following procedures for all types of system components: changing of all vendor-supplied defaults and elimination of unnecessary default accounts, implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server, enabling only necessary services, protocols, daemons, etc., as required for the function of the system, implementing additional security features for any required services, protocols or daemons that are considered to be insecure, configuring system security parameters to prevent misuse and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.' 
-SectionCode: d -Children: [] -Controls: - - aws_autoscaling_launch_config_requires_imdsv2 - - aws_cloudformation_stack_drift_detection_check - - aws_rds_db_cluster_no_default_admin_name - - aws_rds_db_instance_no_default_admin_name - - aws_redshift_cluster_no_default_admin_name -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_2_d + title: 2.d Verify that system configuration standards include the procedures like changing of all vendor-supplied defaults and elimination of unnecessary default accounts etc. for all types of system components + description: "System configuration standards include the following procedures for all types of system components: changing of all vendor-supplied defaults and elimination of unnecessary default accounts, implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server, enabling only necessary services, protocols, daemons, etc., as required for the function of the system, implementing additional security features for any required services, protocols or daemons that are considered to be insecure, configuring system security parameters to prevent misuse and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses. Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors. 
System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network." + section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_autoscaling_launch_config_requires_imdsv2 + - aws_cloudformation_stack_drift_detection_check + - aws_rds_db_cluster_no_default_admin_name + - aws_rds_db_instance_no_default_admin_name + - aws_redshift_cluster_no_default_admin_name diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml index 649b1e947..f637d29c4 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_3.yaml 
@@ -1,16 +1,21 @@ -ID: aws_pci_dss_v321_requirement_2_3 -Title: Encrypt all non-console administrative access using strong cryptography -Description: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information. Select a sample of system components and verify that non-console administrative access is encrypted. -SectionCode: "3" -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_redshift_cluster_encryption_in_transit_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_3 + title: Encrypt all non-console administrative access using strong cryptography + description: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information. 
Select a sample of system components and verify that non-console administrative access is encrypted. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_acm_certificate_expires_30_days + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_redshift_cluster_encryption_in_transit_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml index 4271ccb2c..30ed426d5 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4.yaml 
@@ -1,12 +1,18 @@ -ID: aws_pci_dss_v321_requirement_2_4 -Title: Maintain an inventory of system components that are in scope for PCI DSS -Description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards. -SectionCode: "4" -Children: - - aws_pci_dss_v321_requirement_2_4_a -Controls: - - aws_config_enabled_all_regions - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_association_compliant - - aws_vpc_eip_associated -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_2_4 + title: Maintain an inventory of system components that are in scope for PCI DSS + description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_2_4_a + controls: + - aws_config_enabled_all_regions + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_association_compliant + - aws_vpc_eip_associated diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml index 0b6090a85..84f9c08d0 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_2_4_a.yaml 
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_2_4_a
-Title: 4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each
-Description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
-SectionCode: a
-Children: []
-Controls:
- - aws_config_enabled_all_regions
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_2_4_a
+ title: 4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each
+ description: Maintaining a current list of all system components will enable an organization to accurately and efficiently define the scope of their environment for implementing PCI DSS controls. Without an inventory, some system components could be forgotten, and be inadvertently excluded from the organization's configuration standards.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_config_enabled_all_regions
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
index a690445a4..8148dd2da 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3.yaml
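Review bot: `aws_config_enabled_all_regions` is the only entry under `controls:` here, and the parent group `aws_pci_dss_v321_requirement_2_4` in the hunk above lists the same control, so one check is attached at two levels of the 2.4 tree and will be counted twice by any consumer that rolls results up to the parent. If the parent is meant to carry the union of its children's controls, a comment on the parent such as `# also listed under 2.4.a; the parent carries the union of its children` makes that deliberate; otherwise the control should live in only one of the two files.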
@@ -1,12 +1,17 @@
-ID: aws_pci_dss_v321_requirement_3
-Title: 'Requirement 3: Protect stored cardholder data'
-Description: Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
-SectionCode: requirement_3
-Children:
- - aws_pci_dss_v321_requirement_3_1
- - aws_pci_dss_v321_requirement_3_2
- - aws_pci_dss_v321_requirement_3_4
- - aws_pci_dss_v321_requirement_3_5
- - aws_pci_dss_v321_requirement_3_6
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3
+ title: "Requirement 3: Protect stored cardholder data"
+ description: Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
+ section-code: requirement_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_3_1
+ - id: aws_pci_dss_v321_requirement_3_2
+ - id: aws_pci_dss_v321_requirement_3_4
+ - id: aws_pci_dss_v321_requirement_3_5
+ - id: aws_pci_dss_v321_requirement_3_6
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
index 30c395721..7efa9556d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1.yaml
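Review bot: The new side drops the `controls` key entirely where the old file had an explicit `Controls: []`, while `aws_pci_dss_v321_requirement_2_4` in the same commit keeps both `control-group:` and `controls:`; whether an absent key loads as an empty list or as a schema error depends on the consumer, which is not visible here. Writing `controls: []` after the child list keeps the file self-describing and matches the old file's intent. The same omission applies to the 3_1 and 3_2 hunks below, which also carry only a `control-group:` list.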
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_3_1
-Title: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes
-Description: 'Procedures and processes should include at least the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific retention requirements for cardholder data, processes for secure deletion of data when no longer needed, a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don''t need it, don''t store it!'
-SectionCode: "1"
-Children:
- - aws_pci_dss_v321_requirement_3_1_a
- - aws_pci_dss_v321_requirement_3_1_c
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_1
+ title: Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes
+ description: "Procedures and processes should include at least the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific retention requirements for cardholder data, processes for secure deletion of data when no longer needed, a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!"
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_3_1_a
+ - id: aws_pci_dss_v321_requirement_3_1_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml
index f9ca8b054..60a4e1b23 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_a.yaml
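Review bot: The `description:` value is a single double-quoted scalar of roughly a thousand characters on one line, which cannot be reviewed line by line and will be rewrapped differently by any formatter that touches the file. A folded block scalar, `description: >-` followed by the same text wrapped at the project's line length, parses to an identical string, keeps the embedded `: ` and `!` safe without quoting, and produces per-line diffs when wording changes. The same applies to the long descriptions in the 3_1_a, 3_2, 3_2_3, 3_2_c and 3_4 hunks below.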
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_3_1_a
-Title: 1.a Examine the data retention and disposal policies, procedures and processes to verify they satisfy all the requirements for cardholder data (CHD) storage
-Description: 'procedures and processes should they include the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons), processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons and a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don''t need it, don''t store it!'
-SectionCode: a
-Children: []
-Controls:
- - aws_s3_bucket_lifecycle_policy_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_1_a
+ title: 1.a Examine the data retention and disposal policies, procedures and processes to verify they satisfy all the requirements for cardholder data (CHD) storage
+ description: "procedures and processes should they include the following for all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements, specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons), processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons and a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!"
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_s3_bucket_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml
index a71260e6a..db13e34c4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml
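Review bot: The `description:` text opens with `procedures and processes should they include the following for all cardholder data (CHD) storage:`, which is ungrammatical and starts with a lowercase letter, and this is the user-facing wording the rewritten file will display. Suggest `description: "Procedures and processes should include the following for all cardholder data (CHD) storage: ...` with the remainder of the string unchanged, matching the phrasing used by the parent 3_1 description above.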
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_1_c.yaml 
@@ -1,29 +1,34 @@
-ID: aws_pci_dss_v321_requirement_3_1_c
-Title: 1.c For a sample of system components that store cardholder data examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy and observe the deletion mechanism to verify data is deleted securely
-Description: Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!
-SectionCode: c
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_encryption_enabled
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_dynamodb_table_protected_by_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ebs_volume_protected_by_backup_plan
- - aws_ec2_instance_ebs_optimized
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_efs_file_system_protected_by_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_rds_db_instance_protected_by_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_1_c
+ title: 1.c For a sample of system components that store cardholder data examine files and system records to verify that the data stored does not exceed the requirements defined in the data retention policy and observe the deletion mechanism to verify data is deleted securely
+ description: Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed. Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it!
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_dynamodb_table_protected_by_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ebs_volume_protected_by_backup_plan
+ - aws_ec2_instance_ebs_optimized
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_efs_file_system_protected_by_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_rds_db_instance_protected_by_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
index ee4e3eaed..616588f72 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2.yaml
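Review bot: `aws_ec2_instance_ebs_optimized` under `controls:` is a throughput setting for the instance's EBS link and says nothing about retention or secure deletion, and `aws_s3_bucket_cross_region_replication_enabled` creates an additional copy of the data that the retention policy must then also cover; neither supports the 3.1.c verification that stored data does not exceed the defined retention period. Suggest removing the first and either removing the second or annotating it, e.g. `# replication: every replica must be covered by the same retention and deletion process`. The backup-plan and min-retention checks in the rest of the list establish that data is kept for at least N days, not that it is deleted once the policy expires, which is worth stating in a comment above `controls:` so a green result is not read as proof of timely deletion.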
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_3_2
-Title: Do not store sensitive authentication data after authorization (even if encrypted)
-Description: If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3. Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements.
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_3_2_3
- - aws_pci_dss_v321_requirement_3_2_c
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_2
+ title: Do not store sensitive authentication data after authorization (even if encrypted)
+ description: If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if there is a business justification and the data is stored securely. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3. Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_3_2_3
+ - id: aws_pci_dss_v321_requirement_3_2_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
index 454ff6319..907a59445 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_3.yaml
@@ -1,15 +1,20 @@
-ID: aws_pci_dss_v321_requirement_3_2_3
-Title: 2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization
-Description: 'These values should be known only to the card owner or bank that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based debit transactions (for example, ATM withdrawals). For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization: incoming transaction data, all logs (for example, transaction, history, debugging, error), history files, trace files, several database schemas, database contents'
-SectionCode: "3"
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_elb_application_classic_lb_logging_enabled
- - aws_rds_db_instance_logging_enabled
- - aws_waf_web_acl_logging_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_2_3
+ title: 2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization
+ description: "These values should be known only to the card owner or bank that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based debit transactions (for example, ATM withdrawals). For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization: incoming transaction data, all logs (for example, transaction, history, debugging, error), history files, trace files, several database schemas, database contents"
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_rds_db_instance_logging_enabled
+ - aws_waf_web_acl_logging_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml
index 362061c12..dbffed325 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_2_c.yaml
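Review bot: Every entry under `controls:` asserts only that logging is switched on for a service, while the `description:` asks to verify that PINs and encrypted PIN blocks are absent from logs, history files, trace files and database contents; none of the eight checks inspects log or data contents, and turning on more log destinations enlarges the set of places where PIN data could persist after authorization. A comment above `controls:` such as `# logging controls only establish the audit sources to examine; absence of PIN data in them is a manual verification` would keep a passing result from being read as satisfying 3.2.3.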
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_3_2_c
-Title: 2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization
-Description: Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements.
-SectionCode: c
-Children: []
-Controls:
- - aws_s3_bucket_lifecycle_policy_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_2_c
+ title: 2.c For all other entities, if sensitive authentication data is received, review policies and procedures, and examine system configurations to verify the data is not retained after authorization
+ description: Sensitive authentication data consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions. Entities that issue payment cards or that perform or support issuing services will often create and control sensitive authentication data as part of the issuing function. It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data ONLY IF they have a legitimate business need to store such data. It should be noted that all PCI DSS requirements apply to issuers, and the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer and not one of convenience. Any such data must be stored securely and in accordance with all PCI DSS and specific payment brand requirements.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_s3_bucket_lifecycle_policy_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml
index 3bcdd952f..252d0f59c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4.yaml
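Review bot: `aws_s3_bucket_lifecycle_policy_enabled` is the only control mapped to 3.2.c, and a lifecycle rule is a time-based expiry on whatever objects the bucket holds; it neither proves that sensitive authentication data is absent nor bounds retention to "upon completion of the authorization process" as the title requires. Mark the mapping as partial, e.g. `# partial: lifecycle expiry does not verify that SAD is not retained after authorization`, so the group is not reported as satisfied on the strength of this one check.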
@@ -1,30 +1,36 @@
-ID: aws_pci_dss_v321_requirement_3_4
-Title: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches like one-way hashes based on strong cryptography, truncation etc
-Description: 'The following approaches should be used to render PAN unreadable anywhere it is stored: One-way hashes based on strong cryptography, (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored) and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity''s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.'
-SectionCode: "4"
-Children:
- - aws_pci_dss_v321_requirement_3_4_1
- - aws_pci_dss_v321_requirement_3_4_a
- - aws_pci_dss_v321_requirement_3_4_b
- - aws_pci_dss_v321_requirement_3_4_d
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4
+ title: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches like one-way hashes based on strong cryptography, truncation etc
+ description: "The following approaches should be used to render PAN unreadable anywhere it is stored: One-way hashes based on strong cryptography, (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored) and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_3_4_1
+ - id: aws_pci_dss_v321_requirement_3_4_a
+ - id: aws_pci_dss_v321_requirement_3_4_b
+ - id: aws_pci_dss_v321_requirement_3_4_d
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
index e6c00d7b9..51124a62a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1.yaml
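Review bot: The `description:` string carries extraction artifacts — `pre- computed` and `home- grown` each have a stray space after the hyphen — and the 3_4_1 hunk below spells the same quoted phrase `home-grown`, so two files in one commit disagree on the wording; suggest `pre-computed` and `home-grown` here. Separately, the nineteen entries under `controls:` look identical to the list the old side of the 3_4_1 hunk carries, so the same encryption-at-rest checks appear to be evaluated at both 3.4 and 3.4.1 (the new side of 3_4_1 is cut off here, so this is inferred). If that duplication is intended, a comment such as `# same control set as 3.4.1; keep the two lists in sync` above `controls:` would stop them from drifting apart; if not, one of the lists should be trimmed.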
@@ -1,28 +1,34 @@
-ID: aws_pci_dss_v321_requirement_3_4_1
-Title: 4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)
-Description: 'Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key- management requirements. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys.
By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.'
-SectionCode: "1"
-Children:
- - aws_pci_dss_v321_requirement_3_4_1_a
- - aws_pci_dss_v321_requirement_3_4_1_c
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4_1
+ title: 4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)
+ description: "Decryption keys must not be associated with user accounts. Note: This requirement applies in addition to all other PCI DSS encryption and key- management requirements.
PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable." 
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_3_4_1_a
+ - id: aws_pci_dss_v321_requirement_3_4_1_c
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
index 88e6ba1ce..1639538ec 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_a.yaml
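Review bot: `auto-assign: null` under `metadata.defaults` does not match the `auto-assign: false` the framework-level file sets, and nothing in this file says what `null` means here — whether the loader reads it as "inherit from the parent group" or coerces it to `false`. If the tri-state is deliberate, a comment on the line spares the next maintainer the guess, e.g. `auto-assign: null  # null = inherit from parent group — confirm against the loader`; if it is not, `auto-assign: false` keeps the group consistent with the framework file. The same line appears in the 3_4_1_a, 3_4_1_c, 3_4_a, 3_4_b and 3_4_d hunks below. Since `enabled: false` is also the default, the listed controls presumably run only after an explicit opt-in; that is worth a word in the description so the mapping is not mistaken for an active check.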
@@ -1,26 +1,31 @@
-ID: aws_pci_dss_v321_requirement_3_4_1_a
-Title: 4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism (for example, not using local user account databases or general network login credentials)
-Description: 'The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session. Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system''s local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data.'
-SectionCode: a
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4_1_a
+ title: 4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism (for example, not using local user account databases or general network login credentials)
+ description: "The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session.
Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
index 804fc1128..9f93ddf25 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_1_c.yaml
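Review bot: Every entry under `controls:` checks that encryption at rest is switched on for a service, but the requirement in the `title` line (3.4.1.a) asks for evidence that logical access to the encrypted data is governed by a mechanism separate from the operating system's own authentication; a pass on these controls therefore does not by itself evidence what the title asks, and an assessor reading the result could over-claim. The list is carried over from the old `Controls:` block rather than introduced here, so the least-effort fix is a scope comment above it, e.g. `# These checks evidence encryption at rest only; separation of decryption access from OS credentials is not tested by them`. The 3_4_1_c hunk below (removable media) reuses the identical list and would benefit from the same comment.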
@@ -1,26 +1,31 @@
-ID: aws_pci_dss_v321_requirement_3_4_1_c
-Title: 4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored
-Description: 'Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method. The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session. Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system''s local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data.'
-SectionCode: c
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4_1_c
+ title: 4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored
+ description: "Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method. The intent of this requirement is to address the acceptability of disk-level encryption for rendering cardholder data unreadable. Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk- encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or pass phrase upon system startup or at the beginning of a session.
Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot: 1) Use the same user account authenticator as the operating system, or 2) Use a decryption key that is associated with or derived from the system's local user account database or general network login credentials. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data."
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
index b242401d4..097d5c79d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_a.yaml
@@ -1,28 +1,33 @@
-ID: aws_pci_dss_v321_requirement_3_4_a
-Title: 4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using methods like truncation,one-way hashes based on strong cryptography etc
-Description: 'Verify documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using any of the following methods: One-way hashes based on strong cryptography, truncation, index tokens and pads with the pads being securely stored, strong cryptography, with associated key-management processes and procedures. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key.
The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.'
-SectionCode: a
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4_a
+ title: 4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using methods like truncation,one-way hashes based on strong cryptography etc
+ description: "Verify documentation about the system used to protect the
PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using any of the following methods: One-way hashes based on strong cryptography, truncation, index tokens and pads with the pads being securely stored, strong cryptography, with associated key-management processes and procedures. PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. 
Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml
index e9fed1082..2d321ce1c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_b.yaml
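Review bot: The `title` line still reads `truncation,one-way` with the comma missing its space; since this is the text shown to whoever triages the finding, `truncation, one-way` is the one-token fix. Separately, this group's `controls:` list carries `aws_backup_recovery_point_encryption_enabled` and `aws_opensearch_domain_encryption_at_rest_enabled`, which the parent 3_4 group's `controls:` list in the hunk above does not. If the parent list is meant to be the union of its children that hunk is missing two entries; if the parent is only a roll-up of its child groups, the duplicated list on the parent is redundant — either way the intent is not visible from the files and deserves a comment on one of the two lists. The 3_4_b hunk below carries the same two controls.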
@@ -1,28 +1,33 @@
-ID: aws_pci_dss_v321_requirement_3_4_b
-Title: 4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text)
-Description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
-SectionCode: b
-Children: []
-Controls:
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_backup_recovery_point_encryption_enabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dax_cluster_encryption_at_rest_enabled
- - aws_dynamodb_table_encrypted_with_kms
- - aws_dynamodb_table_encryption_enabled
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ec2_ebs_default_encryption_enabled
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_eks_cluster_secrets_encrypted
- - aws_es_domain_encryption_at_rest_enabled
- - aws_log_group_encryption_at_rest_enabled
- - aws_opensearch_domain_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_3_4_b
+ title: 4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text)
+ description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values.
The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or `home- grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable.
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_backup_recovery_point_encryption_enabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dax_cluster_encryption_at_rest_enabled
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_dynamodb_table_encryption_enabled
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ec2_ebs_default_encryption_enabled
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_eks_cluster_secrets_encrypted
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_opensearch_domain_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_default_encryption_enabled_kms
+ -
aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
index 5b81b8aad..24ed54343 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_4_d.yaml
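Review bot: The `description` of this group is written as a plain (unquoted) scalar while the sibling groups above double-quote theirs, and it keeps the stray space in `home- grown` that the quoted siblings spell `home-grown`; the 3_4_d hunk below is the same plain scalar with a mismatched quote pair (apostrophe on one side, backtick on the other) around the same word. A plain scalar this long is fragile — a later edit that introduces `: ` or ` #` anywhere in it silently changes the parse or truncates the text — so quoting it like the others, `description: "PANs stored in primary storage …"`, and fixing the two spellings keeps the descriptions uniform. None of this touches the control mapping, only the text an assessor reads.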
@@ -1,19 +1,24 @@ -ID: aws_pci_dss_v321_requirement_3_4_d -Title: 4.d Examine a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs -Description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or 'home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable. 
-SectionCode: d -Children: [] -Controls: - - aws_apigateway_stage_logging_enabled - - aws_cloudtrail_multi_region_trail_enabled - - aws_cloudtrail_trail_enabled - - aws_cloudtrail_trail_integrated_with_logs - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_elb_application_classic_lb_logging_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_waf_web_acl_logging_enabled - - aws_wafv2_web_acl_logging_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_4_d + title: 4.d Examine a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs + description: PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception or troubleshooting logs) must all be protected. One-way hash functions based on strong cryptography can be used to render cardholder data unreadable. Hash functions are appropriate when there is no need to retrieve the original number (one-way hashes are irreversible). It is recommended, but not currently a requirement, that an additional, random input value be added to the cardholder data prior to hashing to reduce the feasibility of an attacker comparing the data against (and deriving the PAN from) tables of pre- computed hash values. The intent of truncation is to permanently remove a segment of PAN data so that only a portion (generally not to exceed the first six and last four digits) of the PAN is stored. An index token is a cryptographic token that replaces the PAN based on a given index for an unpredictable value. A one-time pad is a system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key. 
The intent of strong cryptography (as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms) is that the encryption be based on an industry-tested and accepted algorithm (not a proprietary or 'home-grown` algorithm) with strong cryptographic keys. By correlating hashed and truncated versions of a given PAN, a malicious individual may easily derive the original PAN value. Controls that prevent the correlation of this data will help ensure that the original PAN remains unreadable. + section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_stage_logging_enabled + - aws_cloudtrail_multi_region_trail_enabled + - aws_cloudtrail_trail_enabled + - aws_cloudtrail_trail_integrated_with_logs + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_elb_application_classic_lb_logging_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_rds_db_instance_logging_enabled + - aws_s3_bucket_default_encryption_enabled + - aws_s3_bucket_default_encryption_enabled_kms + - aws_waf_web_acl_logging_enabled + - aws_wafv2_web_acl_logging_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml index 1cf09fbf4..ee237b1b9 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5.yaml 
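Review bot: None of the controls in the new `controls` list for 3.4.d looks at log content, which is what the title's testing procedure asks for — confirming PAN is unreadable or absent in the logs. The list pairs logging-enabled checks (`aws_apigateway_stage_logging_enabled`, `aws_elb_application_classic_lb_logging_enabled`, `aws_rds_db_instance_logging_enabled`, the CloudTrail and WAF logging controls) with at-rest encryption of the log stores (`aws_log_group_encryption_at_rest_enabled`, the S3 default-encryption controls), and KMS encryption of a log group protects the storage medium only: anyone with read permission still sees a PAN the application wrote in clear, and switching on more logging without masking can widen exposure. The mapping should be labelled as partial evidence rather than read as satisfying the requirement, e.g. above `controls:` add `# Partial coverage: these checks prove logs exist and are encrypted at rest; PAN masking in log content must still be verified manually (3.4.d)`.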
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_3_5 -Title: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse -Description: 'Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key- encrypting keys must be at least as strong as the data-encrypting key. Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data. Key-encrypting keys, if used, must be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key- encrypting key may grant access to many data- encrypting keys, the key-encrypting keys require strong protection measures.' -SectionCode: "5" -Children: - - aws_pci_dss_v321_requirement_3_5_2 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_5 + title: Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse + description: "Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key- encrypting keys must be at least as strong as the data-encrypting key. Cryptographic keys must be strongly protected because those who obtain access will be able to decrypt data. Key-encrypting keys, if used, must be at least as strong as the data-encrypting key in order to ensure proper protection of the key that encrypts the data as well as the data encrypted with that key. The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. 
Because one key- encrypting key may grant access to many data- encrypting keys, the key-encrypting keys require strong protection measures." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_3_5_2 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml index f358c1530..91ac98bd1 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_5_2.yaml @@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_3_5_2 -Title: 5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary -Description: There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities. -SectionCode: "2" -Children: [] -Controls: - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_5_2 + title: 5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary + description: There should be very few who have access to cryptographic keys (reducing the potential for rending cardholder data visible by unauthorized parties), usually only those who have key custodian responsibilities. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions 
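Review bot: The re-quoted `description` on the new side of 3.5 still carries hyphenation artefacts from the source PDF — `key- encrypting` (twice) and `data- encrypting` — which a search for `key-encrypting` in the rendered framework will miss. Since the commit already rewrites this scalar from single to double quotes, it is the natural moment to normalise them to `key-encrypting` and `data-encrypting`; the same artefact (`pre- computed`, `key- management`) appears in the neighbouring 3.4.d and 3.6 descriptions. The `'home-grown`` fragment in 3.4.d also mixes an opening apostrophe with a closing backtick and should use one quoting character.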
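Review bot: The two controls mapped under 3.5.2, `aws_iam_policy_custom_no_blocked_kms_actions` and `aws_iam_policy_inline_no_blocked_kms_actions`, inspect IAM identity policies only, whereas access to a KMS key is decided first by the key policy — a key policy that grants `kms:*` to the account root or to a wildcard principal is invisible to both checks. As written, "fewest number of custodians" is therefore evidenced on the identity side only. If the corpus has a check on KMS key-policy principals it belongs here; if not, record the gap above `controls:` with `# Key-policy side (wildcard principals, kms:PutKeyPolicy) is not covered by these IAM-policy controls`.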
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml index 8997e01c0..d7d69171a 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_3_6 -Title: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data -Description: 'Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov. The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key- management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8. Providing guidance to customers on how to securely transmit, store and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities. This requirement applies to keys used to encrypt stored cardholder data, and any respective key- encrypting keys. Note: Testing Procedure 3.6.a is an additional procedure that only applies if the entity being assessed is a service provider.' -SectionCode: "6" -Children: - - aws_pci_dss_v321_requirement_3_6_4 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_6 + title: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data + description: "Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov. The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key- management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8. 
Providing guidance to customers on how to securely transmit, store and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities. This requirement applies to keys used to encrypt stored cardholder data, and any respective key- encrypting keys. Note: Testing Procedure 3.6.a is an additional procedure that only applies if the entity being assessed is a service provider." + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_3_6_4 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml index 7de9d3cc5..1f7068a64 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4.yaml 
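Review bot: The `control-group` list under 3.6 contains only `aws_pci_dss_v321_requirement_3_6_4`, while the description beside it says a good key-management process "addresses all key elements at 3.6.1 through 3.6.8"; a reader of the rendered framework will take a green 3.6 as covering the remaining 3.6.x items when only cryptoperiod is scored. The old side lists the same single child, so this pre-dates the commit, but the conversion is the right moment to make the scope explicit, e.g. above `control-group:` add `# Only 3.6.4 (cryptoperiod) is automatable here; the remaining 3.6.x items are procedural and are assessed manually`. Minor: the description links `http://csrc.nist.gov` over plain HTTP; `https://csrc.nist.gov` is the canonical form.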
@@ -1,10 +1,16 @@ -ID: aws_pci_dss_v321_requirement_3_6_4 -Title: 6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines -Description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone's obtaining the encryption keys, and using them to decrypt data. -SectionCode: "4" -Children: - - aws_pci_dss_v321_requirement_3_6_4_a -Controls: - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_6_4 + title: 6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines + description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. 
Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone's obtaining the encryption keys, and using them to decrypt data. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_3_6_4_a + controls: + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml index 7587f3301..a663b4bd3 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_3_6_4_a.yaml 
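Review bot: The `controls` attached to 3.6.4 — `aws_iam_policy_custom_no_blocked_kms_actions` and `aws_iam_policy_inline_no_blocked_kms_actions` — test what IAM policies may do with KMS, not whether any key has reached the end of its cryptoperiod; neither can observe key age or rotation state, so a customer-managed key that has never been rotated passes this group. In AWS the requirement is evidenced by automatic rotation being enabled on customer-managed KMS keys, plus a documented schedule for asymmetric or imported-material keys that KMS will not rotate. If the corpus has a KMS rotation control it should replace or accompany these two; if not, add above `controls:` `# No automated cryptoperiod check mapped — the IAM-policy controls are a proxy only` so the result is not over-read. The same two controls are repeated on the child 3.6.4.a below, so the proxy would be counted twice if the consumer sums per group.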
@@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_3_6_4_a -Title: 6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s) -Description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone’s obtaining the encryption keys, and using them to decrypt data. -SectionCode: a -Children: [] -Controls: - - aws_iam_policy_custom_no_blocked_kms_actions - - aws_iam_policy_inline_no_blocked_kms_actions -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_3_6_4_a + title: 6.4.a Verify that key-management procedures include a defined cryptoperiod for each key type in use and define a process for key changes at the end of the defined cryptoperiod(s) + description: A cryptoperiod is the time span during which a particular cryptographic key can be used for its defined purpose. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. Periodic changing of encryption keys when the keys have reached the end of their cryptoperiod is imperative to minimize the risk of someone’s obtaining the encryption keys, and using them to decrypt data. + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_policy_custom_no_blocked_kms_actions + - aws_iam_policy_inline_no_blocked_kms_actions 
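Review bot: 3.6.4.a is a documentation-review testing procedure ("verify that key-management procedures include a defined cryptoperiod for each key type"), yet the new side maps the same two IAM-policy checks as its parent 3.6.4, `aws_iam_policy_custom_no_blocked_kms_actions` and `aws_iam_policy_inline_no_blocked_kms_actions`, which cannot evidence a written procedure and duplicate the parent's findings. Leaving `controls: []` with `# Manual: reviewed against the key-management procedure document` would be more honest than an automated pass, or at least the duplication should be noted so aggregation does not double-count. Style nit: this description uses a curly apostrophe in `someone’s` while the parent 3.6.4 uses a straight one; pick one form across the generated files.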
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml index bcda36623..a74eb40b9 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4.yaml @@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_4 -Title: 'Requirement 4: Encrypt transmission of cardholder data across open, public networks' -Description: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. -SectionCode: requirement_4 -Children: - - aws_pci_dss_v321_requirement_4_1 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4 + title: "Requirement 4: Encrypt transmission of cardholder data across open, public networks" + description: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. + section-code: requirement_4 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_4_1 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml index baa38e690..8b1460d8d 100755 
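Review bot: `auto-assign: null` in the new `metadata.defaults` block for Requirement 4 is the only non-boolean among three defaults whose siblings are booleans (`enabled: false`, `tracks-drift-events: false`), so whether this group is auto-assigned depends on how the loader treats a null — inherit, false, or a validation error. If null is intended to mean "inherit", say so with `auto-assign: null  # null = inherit the framework default`; if the group should simply not be auto-assigned, write `auto-assign: false` like its siblings. The same `null` appears in every control-group hunk of this commit, so the fix belongs in the generator rather than in individual files.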
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1.yaml 
@@ -1,21 +1,27 @@ -ID: aws_pci_dss_v321_requirement_4_1 -Title: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks -Description: 'Following should be used to safeguard sensitive cardholder data during transmission over open, public networks: only trusted keys and certificates are accepted, the protocol in use only supports secure versions or configurations and the encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to the Internet, wireless technologies, including 802.11 and Bluetooth, cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA), general Packet Radio Service (GPRS) and satellite communications. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. 
Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: "1" -Children: - - aws_pci_dss_v321_requirement_4_1_a - - aws_pci_dss_v321_requirement_4_1_d - - aws_pci_dss_v321_requirement_4_1_e - - aws_pci_dss_v321_requirement_4_1_f - - aws_pci_dss_v321_requirement_4_1_g -Controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1 + title: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks + description: "Following should be used to safeguard sensitive cardholder data during transmission over open, public networks: only trusted keys and certificates are accepted, the protocol in use only supports secure versions or configurations and the encryption strength is appropriate for the 
encryption methodology in use. Examples of open, public networks include but are not limited to the Internet, wireless technologies, including 802.11 and Bluetooth, cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA), general Packet Radio Service (GPRS) and satellite communications. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. 
Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_4_1_a + - id: aws_pci_dss_v321_requirement_4_1_d + - id: aws_pci_dss_v321_requirement_4_1_e + - id: aws_pci_dss_v321_requirement_4_1_f + - id: aws_pci_dss_v321_requirement_4_1_g + controls: + - aws_acm_certificate_expires_30_days + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml index faaf7e9d1..81802769a 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_a.yaml 
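Review bot: The 4.1 description states that SSL/early TLS is not strong cryptography, but none of the nine controls mapped at this level checks the negotiated protocol version or cipher policy: `aws_elb_classic_lb_use_tls_https_listeners` confirms the listener is TLS, `aws_elb_classic_lb_use_ssl_certificate` and `aws_acm_certificate_expires_30_days` cover the certificate, and `aws_s3_bucket_enforces_ssl` rejects plaintext requests, so a listener negotiating TLS 1.0 passes all of them. The child 4.1.a does carry `aws_cloudfront_distribution_no_deprecated_ssl_protocol`; if controls at this level are scored independently of children, it should be added here too (`- aws_cloudfront_distribution_no_deprecated_ssl_protocol`), and an ELB security-policy check would be the natural companion if the corpus has one. `aws_elb_application_lb_drop_http_headers`, by its name, enforces dropping of invalid HTTP headers (request-desync hardening) rather than encryption in transit, so its place under Requirement 4 is worth a second look.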
@@ -1,21 +1,26 @@ -ID: aws_pci_dss_v321_requirement_4_1_a -Title: 1.a Identify all locations where cardholder data is transmitted or received over open, public networks -Description: 'Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. 
Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: a -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_kinesis_stream_server_side_encryption_enabled - - aws_opensearch_domain_https_required - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1_a + title: 1.a Identify all locations where cardholder data is transmitted or received over open, public networks + description: "Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. 
Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." 
+ section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_acm_certificate_expires_30_days + - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_kinesis_stream_server_side_encryption_enabled + - aws_opensearch_domain_https_required + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml index 915ed4750..c9b498816 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_d.yaml 
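Review bot: `aws_kinesis_stream_server_side_encryption_enabled` in the 4.1.a `controls` list is an encryption-at-rest check — Kinesis server-side encryption covers records stored in the stream — not encryption of transmission over open public networks, so it scores Requirement 4 with evidence that belongs under 3.4. In-transit protection for Kinesis is the TLS endpoint, which this corpus evidences elsewhere with `*_enforces_ssl` / `*_https_required`-style controls (`aws_s3_bucket_enforces_ssl`, `aws_opensearch_domain_https_required` in this same list); if no Kinesis equivalent exists, remove the at-rest control rather than keep a misleading pass. Otherwise this is the most complete list in the requirement and is a good model for the parent 4.1.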
@@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_4_1_d -Title: 1.d Examine keys and certificates to verify that only trusted keys and/or certificates are accepted -Description: 'Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: d -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_elb_classic_lb_use_ssl_certificate -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1_d + title: 1.d Examine keys and certificates to verify that only trusted keys and/or certificates are accepted + description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." + section-code: d + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_acm_certificate_expires_30_days + - aws_elb_classic_lb_use_ssl_certificate diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml index b29d12e9b..38e546f1d 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_e.yaml 
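Review bot: The `controls` list for 4.1.d covers certificates only on classic load balancers (`aws_elb_classic_lb_use_ssl_certificate`), while the 4.1.g list further down in this diff also carries `aws_elb_application_network_lb_use_ssl_certificate`; since 4.1.d is the "only trusted keys/certificates are accepted" test, the ALB/NLB certificate control looks like it belongs here too (judging by its name), unless the omission is deliberate and worth a comment. Separately, every control-group in this diff sets `auto-assign: null` next to two real booleans (`enabled: false`, `tracks-drift-events: false`); if `null` is meant to inherit the framework-level default, a comment such as `# null = inherit from the parent framework default` would make that readable, otherwise `auto-assign: false` is the unambiguous value.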
@@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_4_1_e -Title: 1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations -Description: 'Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: e -Children: [] -Controls: - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_vpc_flow_logs_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1_e + title: 1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations + description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." + section-code: e + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml index 17de20c0f..6f2f11b80 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_f.yaml 
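Review bot: `aws_vpc_flow_logs_enabled` is mapped to 4.1.e, a test of whether the transport protocol is configured to reject insecure versions, but judging from its name that control only checks that VPC flow logging is on, which records connection metadata and says nothing about TLS versions or cipher configuration. The same mapping appears in the 4.1.f hunk below (encryption strength). Listener-level controls that already appear in this diff, such as `aws_elb_classic_lb_use_tls_https_listeners` or `aws_opensearch_domain_https_required`, are closer to what these two tests examine; if flow logs are kept as supporting evidence, a `# supporting evidence only, not a protocol-configuration check` comment on the entry would stop a pass here from being read as a TLS-configuration pass.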
@@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_4_1_f -Title: 1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use -Description: 'Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) 
Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: f -Children: [] -Controls: - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_vpc_flow_logs_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1_f + title: 1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use + description: "Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. 
Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." + section-code: f + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_vpc_flow_logs_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml index baf44a528..0a3f6aad2 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_4_1_g.yaml 
@@ -1,19 +1,24 @@ -ID: aws_pci_dss_v321_requirement_4_1_g -Title: 1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received -Description: 'For example, for browser-based implementations “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and cardholder data is only requested if “HTTPS” appears as part of the URL. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. 
Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2.' -SectionCode: g -Children: [] -Controls: - - aws_acm_certificate_expires_30_days - - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudfront_distribution_no_deprecated_ssl_protocol - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_application_network_lb_use_ssl_certificate - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_4_1_g + title: 1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received + description: "For example, for browser-based implementations “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and cardholder data is only requested if “HTTPS” appears as part of the URL. Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. 
Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Note that some protocol implementations (such as SSL, SSH v1.0, and early TLS) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection—for example, by using only trusted certificates and supporting only strong encryption (not supporting weaker, insecure protocols or methods). Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection. Generally, the web page URL should begin with `HTTPS` and/or the web browser display a padlock icon somewhere in the window of the browser. Many TLS certificate vendors also provide a highly visible verification seal— sometimes referred to as a “security seal,” `secure site seal,` or “secure trust seal”)—which may provide the ability to click on the seal to reveal information about the website. Refer to industry standards and best practices for information on strong cryptography and secure protocols (e.g., NIST SP 800-52 and SP 800-57, OWASP, etc.) Note: SSL/early TLS is not considered strong cryptography and may not be used as a security control, except by POS POI terminals that are verified as not being susceptible to known exploits and the termination points to which they connect as defined in Appendix A2." 
+ section-code: g + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_acm_certificate_expires_30_days + - aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_cloudfront_distribution_no_deprecated_ssl_protocol + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_application_network_lb_use_ssl_certificate + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml index 86a0b828f..fdee1d07a 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5.yaml 
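Review bot: 4.1.g asks whether TLS is enabled wherever cardholder data is transmitted, yet `aws_opensearch_domain_https_required`, which appears in the sibling 4.1 list at the top of this chunk (section-code `a`), is absent from this `controls` list while the related `aws_es_domain_node_to_node_encryption_enabled` is present. Unless the omission is intentional, adding that entry here would keep the two lists in step. The list otherwise matches the `a` list minus `aws_kinesis_stream_server_side_encryption_enabled`, which by its name is a server-side (at-rest) encryption check and does belong outside an in-transit requirement.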
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_5
-Title: 'Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs'
-Description: Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many businessapproved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats
-SectionCode: requirement_5
-Children:
- - aws_pci_dss_v321_requirement_5_1
- - aws_pci_dss_v321_requirement_5_2
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_5
+ title: "Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs"
+ description: Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many businessapproved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats
+ section-code: requirement_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_5_1
+ - id: aws_pci_dss_v321_requirement_5_2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
index ca5d7e660..67fe04975 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
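Review bot: The `description` carries `businessapproved`, a hyphen lost from the PCI DSS source text; since this string is what assessors see, it should read `business-approved`. The requirement 6 hunk below has the same kind of extraction artefact in `vendorprovided` (`vendor-provided`).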
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_1.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_5_1
-Title: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists
-Description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to compromise of data.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_5_1
+ title: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists
+ description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to compromise of data.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
index 5a08e081f..5c74a5419 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
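Review bot: `aws_ssm_managed_instance_compliance_association_compliant` is the only evidence offered for "anti-virus software is deployed", but by its name that control reports whether managed instances are compliant with whatever State Manager associations exist; it only speaks to anti-virus if an association that installs or verifies an AV agent has been defined, which this file cannot guarantee. A comment on the entry, e.g. `# assumes a State Manager association that enforces the AV agent exists`, would make that dependency visible to whoever enables this framework. The 5.2.c hunk below relies on the same control in the same way.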
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_5_2
-Title: Ensure that all anti-virus mechanisms are maintained
-Description: 'Anti-virus mechanisms should be maintained as follows: are kept current, perform periodic scans and generate audit logs which are retained per PCI DSS Requirement 10.7. Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.'
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_5_2_c
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_5_2
+ title: Ensure that all anti-virus mechanisms are maintained
+ description: "Anti-virus mechanisms should be maintained as follows: are kept current, perform periodic scans and generate audit logs which are retained per PCI DSS Requirement 10.7. Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_5_2_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
index 1a7d9069b..a4977503f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_5_2_c.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_5_2_c
-Title: 2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed
-Description: Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.
-SectionCode: c
-Children: []
-Controls:
- - aws_ssm_managed_instance_compliance_association_compliant
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_5_2_c
+ title: 2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed
+ description: Even the best anti-virus solutions are limited in effectiveness if they are not maintained and kept current with the latest security updates, signature files, or malware protections. Audit logs provide the ability to monitor virus and malware activity and anti-malware reactions. Thus, it is imperative that anti-malware solutions be configured to generate audit logs and that these logs be managed in accordance with Requirement 10.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ssm_managed_instance_compliance_association_compliant
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
index 218dc47d0..39588c714 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6.yaml
@@ -1,12 +1,17 @@
-ID: aws_pci_dss_v321_requirement_6
-Title: 'Requirement 6: Develop and maintain secure systems and applications'
-Description: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendorprovided security patches, which must be installed by the entities that manage the systems.
-SectionCode: requirement_6
-Children:
- - aws_pci_dss_v321_requirement_6_1
- - aws_pci_dss_v321_requirement_6_2
- - aws_pci_dss_v321_requirement_6_3
- - aws_pci_dss_v321_requirement_6_5
- - aws_pci_dss_v321_requirement_6_6
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_6
+ title: "Requirement 6: Develop and maintain secure systems and applications"
+ description: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendorprovided security patches, which must be installed by the entities that manage the systems.
+ section-code: requirement_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_6_1
+ - id: aws_pci_dss_v321_requirement_6_2
+ - id: aws_pci_dss_v321_requirement_6_3
+ - id: aws_pci_dss_v321_requirement_6_5
+ - id: aws_pci_dss_v321_requirement_6_6
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
index 788b5b380..3e07f6190 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1.yaml
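Review bot: The child list jumps from `aws_pci_dss_v321_requirement_6_3` to `aws_pci_dss_v321_requirement_6_5`, so PCI DSS 3.2.1 requirement 6.4 (change-control processes) has no node in this framework; if that is because no AWS control maps to it, a one-line comment saying so would keep the next reader from treating the gap as an accident. The list is unchanged from the old side, so this is a carried-over omission rather than something this commit introduced.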
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_6_1 -Title: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities -Description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited. -SectionCode: "1" -Children: - - aws_pci_dss_v321_requirement_6_1_b -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_1 + title: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities + description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. 
Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_6_1_b diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml index 7501193b3..46f7e6802 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_1_b.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_6_1_b -Title: 1.b Interview responsible personnel and observe processes to verify that new security vulnerabilities are identified, a risk ranking is assigned to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities and processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information -Description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited. 
-SectionCode: b -Children: [] -Controls: - - aws_guardduty_finding_archived -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_1_b + title: 1.b Interview responsible personnel and observe processes to verify that new security vulnerabilities are identified, a risk ranking is assigned to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities and processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information + description: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_guardduty_finding_archived diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml index d63981820..4b8cde1f9 100755 
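Review bot: The only control mapped to 6.1.b on the new side is `aws_guardduty_finding_archived`, while the group's own description says vulnerability identification and risk ranking "is not achieved by an ASV scan or internal vulnerability scan" but requires actively monitoring outside sources; whether GuardDuty findings have been archived shows that threat findings were triaged, not that a vulnerability-intelligence and ranking process exists. Leaving it as the sole control risks reporting 6.1.b as satisfied on the strength of an unrelated signal. I would either keep the group free of automated controls (as 6.3.2.b is on the new side) or add a comment above `controls:` marking it as a supporting indicator, e.g. `# indicator only: 6.1.b is verified by interview; archived findings show triage activity, not a vulnerability risk-ranking process`.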
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2.yaml 
@@ -1,10 +1,16 @@ -ID: aws_pci_dss_v321_requirement_6_2 -Title: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches -Description: 'Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not).' -SectionCode: "2" -Children: - - aws_pci_dss_v321_requirement_6_2_b -Controls: - - aws_ec2_instance_ssm_managed - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_2 + title: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches + description: "Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. 
There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not)." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_6_2_b + controls: + - aws_ec2_instance_ssm_managed + - aws_ssm_managed_instance_compliance_patch_compliant diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml index b145e3a3f..f957bc768 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_2_b.yaml 
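Review bot: `aws_ssm_managed_instance_compliance_patch_compliant` is attached to 6.2 here and again to its child 6.2.b in the next hunk, so one evaluation feeds both the parent and the child group; if results roll up from children to parents, a failing instance is counted twice and a passing one inflates coverage, so the control should live at one level only. The requirement text sets a 30-day clock for critical patches, but as far as I know SSM patch compliance reports conformance with whatever the attached patch baseline approves, so the one-month window holds only if the baseline's approval delay is configured for it; that assumption belongs next to the control, e.g. `# relies on the patch baseline approving critical patches within 30 days; the control itself carries no time window`.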
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_6_2_b -Title: 2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify that the applicable critical vendor-supplied security patches are installed within one month of release, all applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months) -Description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not). 
-SectionCode: b -Children: [] -Controls: - - aws_eks_cluster_with_latest_kubernetes_version - - aws_rds_db_instance_automatic_minor_version_upgrade_enabled - - aws_ssm_managed_instance_compliance_patch_compliant -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_2_b + title: 2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify that the applicable critical vendor-supplied security patches are installed within one month of release, all applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months) + description: There is a constant stream of attacks using widely published exploits, often called `zero day` (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. If the most recent patches are not implemented on critical systems as soon as possible, a malicious individual can use these exploits to attack or disable a system, or gain access to sensitive data. Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications (both those that are PA-DSS validated and those that are not). + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_eks_cluster_with_latest_kubernetes_version + - aws_rds_db_instance_automatic_minor_version_upgrade_enabled + - aws_ssm_managed_instance_compliance_patch_compliant 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml index 873ebb315..bc06a5a03 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3.yaml 
@@ -1,12 +1,17 @@ -ID: aws_pci_dss_v321_requirement_6_3 -Title: Develop internal and external software applications (including web-based administrative access to applications) securely -Description: 'Develop internal and external software application securely as follows: in accordance with PCI DSS (for example, secure authentication and logging), based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.' -SectionCode: "3" -Children: - - aws_pci_dss_v321_requirement_6_3_1 - - aws_pci_dss_v321_requirement_6_3_2 - - aws_pci_dss_v321_requirement_6_3_a - - aws_pci_dss_v321_requirement_6_3_b - - aws_pci_dss_v321_requirement_6_3_c -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3 + title: Develop internal and external software applications (including web-based administrative access to applications) securely + description: "Develop internal and external software application securely as follows: in accordance with PCI DSS (for example, secure authentication and logging), based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle. Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party. 
Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_6_3_1 + - id: aws_pci_dss_v321_requirement_6_3_2 + - id: aws_pci_dss_v321_requirement_6_3_a + - id: aws_pci_dss_v321_requirement_6_3_b + - id: aws_pci_dss_v321_requirement_6_3_c diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml index 5641e80b9..7dca32c7c 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_1.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_6_3_1 -Title: 3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers -Description: Development, test and/or custom application accounts, user IDs, and passwords should be removed from production code before the application becomes active or is released to customers, since these items may give away information about the functioning of the application. Possession of such information could facilitate compromise of the application and related cardholder data. -SectionCode: "1" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3_1 + title: 3.1 Examine written software-development procedures and interview responsible personnel to verify that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers + description: Development, test and/or custom application accounts, user IDs, and passwords should be removed from production code before the application becomes active or is released to customers, since these items may give away information about the functioning of the application. Possession of such information could facilitate compromise of the application and related cardholder data. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml index b0924e0ff..a9f103a21 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2.yaml 
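Review bot: `aws_codebuild_project_environment_privileged_mode_disabled` is mapped to 6.3.1, whose text is about removing pre-production and custom accounts, user IDs and passwords before release; whether a build container runs privileged has no bearing on that, and the same three CodeBuild controls are reused verbatim for 6.3.a, 6.3.b and 6.3.c later in this diff. Of the three, only `aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values` speaks to credentials leaking into a build, and even that covers AWS keys in environment variables rather than application accounts left in code. If the intent is to offer CI-pipeline hygiene as a proxy for an SDLC requirement, say so above `controls:` so assessors do not read these as direct evidence, e.g. `# proxy controls: CodeBuild hygiene only; 6.3.1 is verified against written procedures and release checks`.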
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_6_3_2 -Title: 3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) -Description: 'Custom code prior to release to production should include the following: code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices, code reviews ensure code is developed according to secure coding guidelines, appropriate corrections are implemented prior to release, code-review results are reviewed and approved by management prior to release and security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures.' 
-SectionCode: "2" -Children: - - aws_pci_dss_v321_requirement_6_3_2_b -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3_2 + title: 3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) + description: "Custom code prior to release to production should include the following: code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices, code reviews ensure code is developed according to secure coding guidelines, appropriate corrections are implemented prior to release, code-review results are reviewed and approved by management prior to release and security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures." 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_6_3_2_b diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml index 30082a829..5973501b9 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_2_b.yaml 
@@ -1,7 +1,11 @@ -ID: aws_pci_dss_v321_requirement_6_3_2_b -Title: 3.2.b Select a sample of recent custom application changes and verify that custom application code is reviewed according to 6.3.2.a, above -Description: Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures. -SectionCode: b -Children: [] -Controls: null -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3_2_b + title: 3.2.b Select a sample of recent custom application changes and verify that custom application code is reviewed according to 6.3.2.a, above + description: Security vulnerabilities in custom code are commonly exploited by malicious individuals to gain access to a network and compromise cardholder data. An individual knowledgeable and experienced in code-review techniques should be involved in the review process. Code reviews should be performed by someone other than the developer of the code to allow for an independent, objective review. 
Automated tools or processes may also be used in lieu of manual reviews, but keep in mind that it may be difficult or even impossible for an automated tool to identify some coding issues. Correcting coding errors before the code is deployed into a production environment or released to customers prevents the code exposing the environments to potential exploit. Faulty code is also far more difficult and expensive to address after it has been deployed or released into production environments. Including a formal review and signoff by management prior to release helps to ensure that code is approved and has been developed in accordance with policies and procedures. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml index 024cac897..14a23193a 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_a.yaml 
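Review bot: 6.3.2.b on the new side has neither a `controls` key nor a `control-group` list, making it the only leaf in the diff with nothing to evaluate; if the loader requires one of the two keys, or reports an empty leaf as passing rather than not-assessed, that will surface only at runtime and could show a manual procedure as compliant. Writing `controls: []` explicitly keeps the key present like every other leaf here and, paired with a comment, records why it is empty, e.g. `# manual evidence: sampled change reviews per 6.3.2.a; no automated control applies`. Confirm how the consumer scores a group with no controls before relying on the omission.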
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_6_3_a -Title: 3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices -Description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected. -SectionCode: a -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3_a + title: 3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices + description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected. + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml index d7a6ec268..a6e7be0f7 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_b.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_6_3_b -Title: 3.b Examine written software-development processes to verify that information security is included throughout the life cycle -Description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected. -SectionCode: b -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_3_b + title: 3.b Examine written software-development processes to verify that information security is included throughout the life cycle + description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected. + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml index 04bdbb421..98d9eaca6 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_3_c.yaml 
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_6_3_c
-Title: 3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS
-Description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
-SectionCode: c
-Children: []
-Controls:
- - aws_codebuild_project_environment_privileged_mode_disabled
- - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
- - aws_codebuild_project_source_repo_oauth_configured
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_6_3_c
+ title: 3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS
+ description: Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment. Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_codebuild_project_environment_privileged_mode_disabled
+ - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values
+ - aws_codebuild_project_source_repo_oauth_configured
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml
index 23aae5606..79f8c27fe 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5.yaml
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_6_5 -Title: Address common coding vulnerabilities in software-development processes like train developers at least annually in up-to-date secure coding techniques etc -Description: 'Common coding vulnerabilities in software-development processes as follows: train developers at least annually in up- to-date secure coding techniques, including how to avoid common coding vulnerabilities, develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. The application layer is high-risk and may be targeted by both internal and external threats. Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment. Application developers should be properly trained to identify and resolve issues related to these (and other) common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable for technology used. As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise be updated to address new threats—for example, memory scraping attacks. The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. 
It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices.' -SectionCode: "5" -Children: - - aws_pci_dss_v321_requirement_6_5_8 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_5 + title: Address common coding vulnerabilities in software-development processes like train developers at least annually in up-to-date secure coding techniques etc + description: "Common coding vulnerabilities in software-development processes as follows: train developers at least annually in up- to-date secure coding techniques, including how to avoid common coding vulnerabilities, develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. The application layer is high-risk and may be targeted by both internal and external threats. Requirements 6.5.1 through 6.5.10 are the minimum controls that should be in place, and organizations should incorporate the relevant secure coding practices as applicable to the particular technology in their environment. Application developers should be properly trained to identify and resolve issues related to these (and other) common coding vulnerabilities. Having staff knowledgeable of secure coding guidelines should minimize the number of security vulnerabilities introduced through poor coding practices. Training for developers may be provided in-house or by third parties and should be applicable for technology used. 
As industry-accepted secure coding practices change, organizational coding practices and developer training should likewise be updated to address new threats—for example, memory scraping attacks. The vulnerabilities identified in 6.5.1 through 6.5.10 provide a minimum baseline. It is up to the organization to remain up to date with vulnerability trends and incorporate appropriate measures into their secure coding practices." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_6_5_8 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml index 50ca51f3b..a0da8760b 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_5_8.yaml 
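Review bot: The two kinds of child reference use different item shapes: nested groups are one-key mappings (`- id: aws_pci_dss_v321_requirement_6_5_8`) while leaf controls elsewhere in this change are bare strings (`- aws_codebuild_project_environment_privileged_mode_disabled`), so a consumer has to special-case each list. Unless the `id` wrapper is reserved for future per-child fields, the flat `- aws_pci_dss_v321_requirement_6_5_8` form matches `controls:` and is what the removed `Children:` list already used; if the wrapper is intended, a comment at its first occurrence explaining the asymmetry would save the next maintainer the guess. The same pattern appears in 7, 7_1, 7_1_2, 7_2, 8 and 8_1.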
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_6_5_8 -Title: 5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control—such as insecure direct object references, failure to restrict URL access, and directory traversal—is addressed by coding technique -Description: 'Directory traversal—is addressed by coding technique should include: proper authentication of users, sanitizing input, not exposing internal object references to users and user interfaces that do not permit access to unauthorized functions. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Consistently enforce access control in presentation layer and business logic for all URLs. Frequently, the only way an application protects sensitive functionality is by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. An attacker may be able to enumerate and navigate the directory structure of a website (directory traversal) thus gaining access to unauthorized information as well as gaining further insight into the workings of the site for later exploitation. If user interfaces permit access to unauthorized functions, this access could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. Limiting access to data resources will help prevent cardholder data from being presented to unauthorized resources.' 
-SectionCode: "8" -Children: [] -Controls: - - aws_codebuild_project_environment_privileged_mode_disabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_5_8 + title: 5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control—such as insecure direct object references, failure to restrict URL access, and directory traversal—is addressed by coding technique + description: "Directory traversal—is addressed by coding technique should include: proper authentication of users, sanitizing input, not exposing internal object references to users and user interfaces that do not permit access to unauthorized functions. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Consistently enforce access control in presentation layer and business logic for all URLs. Frequently, the only way an application protects sensitive functionality is by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. An attacker may be able to enumerate and navigate the directory structure of a website (directory traversal) thus gaining access to unauthorized information as well as gaining further insight into the workings of the site for later exploitation. If user interfaces permit access to unauthorized functions, this access could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources. Limiting access to data resources will help prevent cardholder data from being presented to unauthorized resources." 
+ section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_codebuild_project_environment_privileged_mode_disabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml index 57658df12..7da95a62c 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_6_6.yaml 
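Review bot: The new-side `description` opens with a broken sentence, `Directory traversal—is addressed by coding technique should include:`, which reads as a clause cut out of the PCI testing procedure; since this commit rewrites the line anyway, the opening should be completed (for example `Coding techniques that address improper access control should include:`) or dropped so the remaining text stands on its own. The same carried-over text defects, which look like line-break hyphenation artefacts from the source document, appear in 6_5 (`up- to-date`) and 6_6 (`investigated.Public-facing`, `non- essential`, `web- based`, `public- facing`); the migration is a convenient moment to clean them up in one pass.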
@@ -1,18 +1,23 @@ -ID: aws_pci_dss_v321_requirement_6_6 -Title: For public-facing web applications, ensure that either one of the requirements are in place -Description: 'Verify following methods is in place as follows: examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows: - At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections. Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices. Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities, web-application firewalls filter and block non- essential traffic at the application layer. 
Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks. Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2., Installing an automated technical solution that detects and prevents web- based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic.' 
-SectionCode: "6" -Children: [] -Controls: - - aws_apigateway_stage_use_waf_web_acl - - aws_elb_application_lb_desync_mitigation_mode - - aws_elb_application_lb_waf_enabled - - aws_elb_classic_lb_desync_mitigation_mode - - aws_waf_regional_rule_condition_attached - - aws_waf_regional_rule_group_rule_attached - - aws_waf_regional_web_acl_rule_attached - - aws_waf_rule_condition_attached - - aws_waf_rule_group_rule_attached - - aws_waf_web_acl_resource_associated - - aws_waf_web_acl_rule_attached -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_6_6 + title: For public-facing web applications, ensure that either one of the requirements are in place + description: "Verify following methods is in place as follows: examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows: - At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections. Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems. 
The requirement for reviewing applications or installing web-application firewalls is intended to reduce the number of compromises on public-facing web applications due to poor coding or application management practices. Manual or automated vulnerability security assessment tools or methods review and/or test the application for vulnerabilities, web-application firewalls filter and block non- essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured. This can be achieved through a combination of technology and process. Process-based solutions must have mechanisms that facilitate timely responses to alerts in order to meet the intent of this requirement, which is to prevent attacks. Note: “An organization that specializes in application security” can be either a third-party company or an internal organization, as long as the reviewers specialize in application security and can demonstrate independence from the development team. For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2., Installing an automated technical solution that detects and prevents web- based attacks (for example, a web- application firewall) in front of public- facing web applications, to continually check all traffic." 
+ section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_apigateway_stage_use_waf_web_acl + - aws_elb_application_lb_desync_mitigation_mode + - aws_elb_application_lb_waf_enabled + - aws_elb_classic_lb_desync_mitigation_mode + - aws_waf_regional_rule_condition_attached + - aws_waf_regional_rule_group_rule_attached + - aws_waf_regional_web_acl_rule_attached + - aws_waf_rule_condition_attached + - aws_waf_rule_group_rule_attached + - aws_waf_web_acl_resource_associated + - aws_waf_web_acl_rule_attached diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml index 502f00ee3..54a5a1199 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7.yaml 
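Review bot: The `description` is a single double-quoted scalar running to well over a thousand characters, with the requirement's bullet items flattened into ` - At least annually - After any changes ...`; a literal block scalar (`description: |-`) with one bullet per indented line would keep the text reviewable in diffs and preserve the list structure the original requirement has, and the same treatment suits the long descriptions in 6_5, 6_5_8, 7_2 and 7_2_1. Separately, the requirement text asks that the WAF `Is generating audit logs`, but none of the eleven mapped controls appears to check that a web ACL has logging enabled; if the control library has such a check, mapping it here would close that gap (the mapping predates this commit, so it can be a follow-up).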
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_7
-Title: 'Requirement 7: Restrict access to cardholder data by business need to know'
-Description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
-SectionCode: requirement_7
-Children:
- - aws_pci_dss_v321_requirement_7_1
- - aws_pci_dss_v321_requirement_7_2
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_7
+ title: "Requirement 7: Restrict access to cardholder data by business need to know"
+ description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
+ section-code: requirement_7
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_7_1
+ - id: aws_pci_dss_v321_requirement_7_2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
index addb1acd0..a1506ca9f 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_7_1
-Title: Limit access to system components and cardholder data to only those individuals whose job requires such access
-Description: The more people who have access to cardholder data, the more risk there is that a user's account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.
-SectionCode: "1"
-Children:
- - aws_pci_dss_v321_requirement_7_1_2
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_7_1
+ title: Limit access to system components and cardholder data to only those individuals whose job requires such access
+ description: The more people who have access to cardholder data, the more risk there is that a user's account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_7_1_2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
index 395bb5912..4aa5ba11d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_7_1_2
-Title: 1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
-Description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_7_1_2_a
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_7_1_2
+ title: 1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
+ description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_7_1_2_a
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
index 5fde7e752..363b2243d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_1_2_a.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_7_1_2_a
-Title: 1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is assigned only to roles that specifically require such privileged access and restricted to least privileges necessary to perform job responsibilities
-Description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
-SectionCode: a
-Children: []
-Controls:
- - aws_efs_access_point_enforce_user_identity
- - aws_iam_all_policy_no_service_wild_card
- - aws_opensearch_domain_fine_grained_access_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_7_1_2_a
+ title: 1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is assigned only to roles that specifically require such privileged access and restricted to least privileges necessary to perform job responsibilities
+ description: When assigning privileged IDs, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_efs_access_point_enforce_user_identity
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_opensearch_domain_fine_grained_access_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
index c73cfe7cc..18b0756bb 100755
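Review bot: `section-code: a` is left as a plain scalar while the numeric codes in the neighbouring hunks are quoted (`section-code: "1"`, `section-code: "2"`); the quotes are what keep those from loading as integers, and a future code such as `y` or `no` would silently become a boolean on a YAML 1.1 loader. Quoting every `section-code` uniformly — `section-code: "a"` here, and likewise `"b"` in 6_3_b, `"c"` in 6_3_c and `"requirement_7"` in 7 — removes the need for a reader to know which values happen to be safe bare. The numeric codes are already in the safe form, so this is consistency rather than a correctness fix.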
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_7_2
-Title: Examine system settings and vendor documentation to verify that an access control system(s)
-Description: 'Without a mechanism to restrict access based on user''s need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.'
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_7_2_1
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_7_2
+ title: Examine system settings and vendor documentation to verify that an access control system(s)
+ description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_7_2_1
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml
index d8f526ab8..203ab6d7d 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_7_2_1.yaml
@@ -1,26 +1,31 @@ -ID: aws_pci_dss_v321_requirement_7_2_1 -Title: 2.1 Confirm that access control systems are in place on all system components -Description: 'Without a mechanism to restrict access based on user''s need to know, a user may unknowingly be granted access to cardholder data. Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.' -SectionCode: "1" -Children: [] -Controls: - - aws_dms_replication_instance_not_publicly_accessible - - aws_ebs_snapshot_not_publicly_restorable - - aws_ec2_instance_not_publicly_accessible - - aws_eks_cluster_endpoint_restrict_public_access - - aws_emr_cluster_master_nodes_no_public_ip - - aws_es_domain_in_vpc - - aws_iam_policy_no_star_star - - aws_iam_root_user_no_access_keys - - aws_iam_user_no_inline_attached_policies - - aws_lambda_function_restrict_public_access - - aws_log_metric_filter_root_login - - aws_rds_db_instance_prohibit_public_access - - aws_rds_db_snapshot_prohibit_public_access - - aws_redshift_cluster_prohibit_public_access - - aws_s3_bucket_restrict_public_read_access - - aws_s3_bucket_restrict_public_write_access - - aws_s3_public_access_block_account - - aws_sagemaker_notebook_instance_direct_internet_access_disabled - - aws_vpc_igw_attached_to_authorized_vpc -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_7_2_1 + title: 2.1 Confirm that access control systems are in place on all system components + description: "Without a mechanism to restrict access based on user's need to know, a user may unknowingly be granted access to cardholder data. 
Access control systems automate the process of restricting access and assigning privileges. Additionally, a default “deny-all” setting ensures no one is granted access until and unless a rule is established specifically granting such access. Entities may have one or more access controls systems to manage user access. Note: Some access control systems are set by default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_dms_replication_instance_not_publicly_accessible + - aws_ebs_snapshot_not_publicly_restorable + - aws_ec2_instance_not_publicly_accessible + - aws_eks_cluster_endpoint_restrict_public_access + - aws_emr_cluster_master_nodes_no_public_ip + - aws_es_domain_in_vpc + - aws_iam_policy_no_star_star + - aws_iam_root_user_no_access_keys + - aws_iam_user_no_inline_attached_policies + - aws_lambda_function_restrict_public_access + - aws_log_metric_filter_root_login + - aws_rds_db_instance_prohibit_public_access + - aws_rds_db_snapshot_prohibit_public_access + - aws_redshift_cluster_prohibit_public_access + - aws_s3_bucket_restrict_public_read_access + - aws_s3_bucket_restrict_public_write_access + - aws_s3_public_access_block_account + - aws_sagemaker_notebook_instance_direct_internet_access_disabled + - aws_vpc_igw_attached_to_authorized_vpc diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml index e334f6a4b..4d9cbaf3b 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8.yaml 
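Review bot: By its name, `aws_log_metric_filter_root_login` looks like a CloudWatch metric-filter/alerting check rather than an access-control setting, so it sits oddly among the public-access and IAM-policy controls under a requirement about access control systems defaulting to deny-all; the natural home for a log-based detection is the logging and monitoring requirement (Requirement 10 in PCI DSS v3.2.1). This mapping is carried over from the removed `Controls:` list rather than introduced here, so it can be a follow-up, but if it stays the migration is a good moment to record the rationale with a comment such as `# kept under 7.2.1: flags root-account use, which bypasses the access-control system`.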
@@ -1,13 +1,18 @@ -ID: aws_pci_dss_v321_requirement_8 -Title: 'Requirement 8: Identify and authenticate access to system components' -Description: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes. -SectionCode: requirement_8 -Children: - - aws_pci_dss_v321_requirement_8_1 - - aws_pci_dss_v321_requirement_8_2 - - aws_pci_dss_v321_requirement_8_3 - - aws_pci_dss_v321_requirement_8_5 - - aws_pci_dss_v321_requirement_8_6 - - aws_pci_dss_v321_requirement_8_7 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8 + title: "Requirement 8: Identify and authenticate access to system components" + description: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes. + section-code: requirement_8 + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_1 + - id: aws_pci_dss_v321_requirement_8_2 + - id: aws_pci_dss_v321_requirement_8_3 + - id: aws_pci_dss_v321_requirement_8_5 + - id: aws_pci_dss_v321_requirement_8_6 + - id: aws_pci_dss_v321_requirement_8_7 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml index 4671d504d..a8918fe92 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1.yaml 
@@ -1,10 +1,15 @@ -ID: aws_pci_dss_v321_requirement_8_1 -Title: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators -Description: By ensuring each user is uniquely identified— instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs. -SectionCode: "1" -Children: - - aws_pci_dss_v321_requirement_8_1_2 - - aws_pci_dss_v321_requirement_8_1_4 - - aws_pci_dss_v321_requirement_8_1_5 -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_1 + title: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators + description: By ensuring each user is uniquely identified— instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_1_2 + - id: aws_pci_dss_v321_requirement_8_1_4 + - id: aws_pci_dss_v321_requirement_8_1_5 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml index 4343303e8..6d0f47df1 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_2.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_8_1_2 -Title: 1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects -Description: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones. -SectionCode: "2" -Children: [] -Controls: - - aws_log_metric_filter_iam_policy -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_1_2 + title: 1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects + description: To ensure that user accounts granted access to systems are all valid and recognized users, strong processes must manage all changes to user IDs and other authentication credentials, including adding new ones and modifying or deleting existing ones. + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_log_metric_filter_iam_policy diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml index 90b4ee41e..6e67e174d 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_4.yaml 
@@ -1,9 +1,14 @@ -ID: aws_pci_dss_v321_requirement_8_1_4 -Title: 1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled -Description: Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data. -SectionCode: "4" -Children: [] -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 - - aws_iam_user_unused_credentials_90 -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_1_4 + title: 1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled + description: Accounts that are not used regularly are often targets of attack since it is less likely that any changes (such as a changed password) will be noticed. As such, these accounts may be more easily exploited and used to access cardholder data. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 + - aws_iam_user_unused_credentials_90 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml index 56604338e..5e67dddaa 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5.yaml 
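Review bot: `aws_iam_account_password_policy_strong_min_reuse_24` under `controls` does not appear to evaluate what this group's title asks for (inactive accounts over 90 days removed or disabled); a password-reuse policy check says nothing about account inactivity, whereas the second entry, `aws_iam_user_unused_credentials_90`, maps directly. The same control is used in this chunk as the password-strength evidence for 8_2, 8_2_3 and 8_2_3_a, which suggests it was copied here rather than chosen for 8.1.4. The mapping predates this migration, but since the commit rewrites every file it is the natural moment to either drop the first entry or add a comment explaining why it is considered evidence for this requirement.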
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_8_1_5 -Title: 1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access by enabling only during the time period needed and disabled when not in use -Description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. -SectionCode: "5" -Children: - - aws_pci_dss_v321_requirement_8_1_5_a -Controls: [] -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_1_5 + title: 1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access by enabling only during the time period needed and disabled when not in use + description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_1_5_a 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml index a0a3ce191..537aa0cbf 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_1_5_a.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_8_1_5_a -Title: 1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are disabled when not in use, enabled only when needed by the third party and disabled when not in use -Description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. -SectionCode: a -Children: [] -Controls: - - aws_cloudtrail_trail_enabled -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_1_5_a + title: 1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are disabled when not in use, enabled only when needed by the third party and disabled when not in use + description: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor's environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. 
Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames. + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudtrail_trail_enabled diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml index b5abd3dc1..95f7afa60 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2.yaml 
@@ -1,12 +1,18 @@ -ID: aws_pci_dss_v321_requirement_8_2 -Title: To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment perform the methods like examine documentation describing the authentication method(s) used etc -Description: 'Verify users are authenticated using unique ID, perform the following: examine documentation describing the authentication method(s) used, for each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). These authentication methods, when used in addition to unique IDs, help protect users'' IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used). Note that a digital certificate is a valid option for “something you have” as long as it is unique for a particular user. Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for authentication management.' 
-SectionCode: "2" -Children: - - aws_pci_dss_v321_requirement_8_2_1 - - aws_pci_dss_v321_requirement_8_2_3 - - aws_pci_dss_v321_requirement_8_2_4 - - aws_pci_dss_v321_requirement_8_2_5 -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2 + title: To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment perform the methods like examine documentation describing the authentication method(s) used etc + description: "Verify users are authenticated using unique ID, perform the following: examine documentation describing the authentication method(s) used, for each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). These authentication methods, when used in addition to unique IDs, help protect users' IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used). Note that a digital certificate is a valid option for “something you have” as long as it is unique for a particular user. Since one of the first steps a malicious individual will take to compromise a system is to exploit weak or nonexistent passwords, it is important to implement good processes for authentication management." + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_2_1 + - id: aws_pci_dss_v321_requirement_8_2_3 + - id: aws_pci_dss_v321_requirement_8_2_4 + - id: aws_pci_dss_v321_requirement_8_2_5 + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml index 41f6f2072..8ecf5a5a9 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1.yaml 
@@ -1,20 +1,26 @@ -ID: aws_pci_dss_v321_requirement_8_2_1 -Title: 2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components -Description: 'Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider.' -SectionCode: "1" -Children: - - aws_pci_dss_v321_requirement_8_2_1_a - - aws_pci_dss_v321_requirement_8_2_1_b - - aws_pci_dss_v321_requirement_8_2_1_c -Controls: - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values - - aws_codebuild_project_source_repo_oauth_configured - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_node_to_node_encryption_enabled - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_s3_bucket_enforces_ssl -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2_1 + title: 2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components + description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. 
A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_2_1_a + - id: aws_pci_dss_v321_requirement_8_2_1_b + - id: aws_pci_dss_v321_requirement_8_2_1_c + controls: + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values + - aws_codebuild_project_source_repo_oauth_configured + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_node_to_node_encryption_enabled + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_s3_bucket_enforces_ssl diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml index fc59fad8f..28679b8cc 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_a.yaml 
@@ -1,33 +1,38 @@ -ID: aws_pci_dss_v321_requirement_8_2_1_a -Title: 2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage -Description: 'Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider.' -SectionCode: a -Children: [] -Controls: - - aws_cloudfront_distribution_encryption_in_transit_enabled - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk - - aws_dax_cluster_encryption_at_rest_enabled - - aws_dynamodb_table_encrypted_with_kms - - aws_dynamodb_table_encryption_enabled - - aws_ebs_attached_volume_encryption_enabled - - aws_ec2_ebs_default_encryption_enabled - - aws_efs_file_system_encrypt_data_at_rest - - aws_eks_cluster_secrets_encrypted - - aws_elb_application_lb_drop_http_headers - - aws_elb_application_lb_redirect_http_request_to_https - - aws_elb_classic_lb_use_ssl_certificate - - aws_elb_classic_lb_use_tls_https_listeners - - aws_es_domain_encryption_at_rest_enabled - - aws_es_domain_node_to_node_encryption_enabled - - aws_log_group_encryption_at_rest_enabled - - aws_rds_db_instance_encryption_at_rest_enabled - - aws_rds_db_snapshot_encrypted_at_rest - - aws_redshift_cluster_encryption_in_transit_enabled - - aws_redshift_cluster_encryption_logging_enabled - - aws_s3_bucket_default_encryption_enabled - - aws_s3_bucket_default_encryption_enabled_kms - - aws_s3_bucket_enforces_ssl - - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled - - 
aws_sagemaker_notebook_instance_encryption_at_rest_enabled - - aws_sns_topic_encrypted_at_rest -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2_1_a + title: 2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage + description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." + section-code: a + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_cloudfront_distribution_encryption_in_transit_enabled + - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk + - aws_dax_cluster_encryption_at_rest_enabled + - aws_dynamodb_table_encrypted_with_kms + - aws_dynamodb_table_encryption_enabled + - aws_ebs_attached_volume_encryption_enabled + - aws_ec2_ebs_default_encryption_enabled + - aws_efs_file_system_encrypt_data_at_rest + - aws_eks_cluster_secrets_encrypted + - aws_elb_application_lb_drop_http_headers + - aws_elb_application_lb_redirect_http_request_to_https + - aws_elb_classic_lb_use_ssl_certificate + - aws_elb_classic_lb_use_tls_https_listeners + - aws_es_domain_encryption_at_rest_enabled + - aws_es_domain_node_to_node_encryption_enabled + - aws_log_group_encryption_at_rest_enabled + - aws_rds_db_instance_encryption_at_rest_enabled + - aws_rds_db_snapshot_encrypted_at_rest + - aws_redshift_cluster_encryption_in_transit_enabled + - aws_redshift_cluster_encryption_logging_enabled + - aws_s3_bucket_default_encryption_enabled + - 
aws_s3_bucket_default_encryption_enabled_kms + - aws_s3_bucket_enforces_ssl + - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled + - aws_sagemaker_notebook_instance_encryption_at_rest_enabled + - aws_sns_topic_encrypted_at_rest diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml index 90aa381eb..be40aff69 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_b.yaml 
@@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_8_2_1_b -Title: 2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage -Description: 'Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider.' -SectionCode: b -Children: [] -Controls: - - aws_secretsmanager_secret_encrypted_with_kms_cmk -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2_1_b + title: 2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage + description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." + section-code: b + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_secretsmanager_secret_encrypted_with_kms_cmk diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml index 403f15b30..92c3136cd 100755 
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_1_c.yaml @@ -1,8 +1,13 @@ -ID: aws_pci_dss_v321_requirement_8_2_1_c -Title: 2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission -Description: 'Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider.' -SectionCode: c -Children: [] -Controls: - - aws_secretsmanager_secret_encrypted_with_kms_cmk -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2_1_c + title: 2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission + description: "Many network devices and applications transmit unencrypted, readable passwords across the network and/or store passwords without encryption. A malicious individual can easily intercept unencrypted passwords during transmission using a “sniffer,” or directly access unencrypted passwords in files where they are stored, and use this data to gain unauthorized access. Note: Testing Procedures 8.2.1.d and 8.2.1.e are additional procedures that only apply if the entity being assessed is a service provider." + section-code: c + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - aws_secretsmanager_secret_encrypted_with_kms_cmk 
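Review bot: The only control under 8_2_1_c, `aws_secretsmanager_secret_encrypted_with_kms_cmk`, is an at-rest encryption check, while this group's title is about passwords being unreadable during transmission; it is also the identical control list to 8_2_1_b (storage), which looks like a copy-paste carried through the migration. The parent group 8_2_1 already lists in-transit controls (for example `aws_elb_classic_lb_use_tls_https_listeners`, `aws_elb_application_lb_redirect_http_request_to_https`, `aws_s3_bucket_enforces_ssl`) that would be the expected evidence here. If the at-rest control is kept intentionally, a one-line comment above `controls:` explaining the rationale would stop this from being flagged again.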
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml index c8b9d9e53..29c9d0894 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3.yaml 
@@ -1,10 +1,16 @@ -ID: aws_pci_dss_v321_requirement_8_2_3 -Title: 2.3 Passwords/passphrases require a minimum length of at least seven characters, contain both numeric and alphabetic characters -Description: 'The passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider.' -SectionCode: "3" -Children: - - aws_pci_dss_v321_requirement_8_2_3_a - - aws_pci_dss_v321_requirement_8_2_3_b -Controls: - - aws_iam_account_password_policy_strong_min_reuse_24 -Tags: {} +control-group: + id: aws_pci_dss_v321_requirement_8_2_3 + title: 2.3 Passwords/passphrases require a minimum length of at least seven characters, contain both numeric and alphabetic characters + description: "The passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. 
Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider." + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: aws_pci_dss_v321_requirement_8_2_3_a + - id: aws_pci_dss_v321_requirement_8_2_3_b + controls: + - aws_iam_account_password_policy_strong_min_reuse_24 diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml index 2ee9909c8..1b44d6aa2 100755 --- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml +++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_a.yaml 
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_2_3_a
-Title: 2.3.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
-Description: 'Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider.' 
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_3_a
+ title: 2.3.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
+ description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml
index 29158d552..50c956faa 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_3_b.yaml 
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_2_3_b
-Title: 2.3.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
-Description: 'Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider.' 
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_3_b
+ title: 2.3.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity that is require a minimum length of at least seven characters and contain both numeric and alphabetic characters
+ description: "Strong passwords/passphrases are the first line of defense into a network since a malicious individual will often first try to find accounts with weak or non- existent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID. This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/ passphrases. For cases where this minimum cannot be met due to technical limitations, entities can use “equivalent strength” to evaluate their alternative. For information on variability and equivalency of password strength (also referred to as entropy) for passwords/passphrases of different formats, refer to industry standards (e.g., the current version of NIST SP 800-63.) Note: Testing Procedure 8.2.3.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
index e7a329992..cfcb0e2b0 100755
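Review bot: The 8.2.3.b group keeps `aws_iam_account_password_policy_strong_min_reuse_24` as its only control even though its own title describes a service-provider-only review of internal processes and customer/user documentation, so an automated pass on the IAM password policy will be reported as evidence for a procedural check that no control performs. The parallel 8.2.4.b and 8.2.5.b groups later in this range have the same shape. Consider whether these groups should carry `controls: []` with the description stating that evidence is attached manually, or at least a comment above `controls:` such as `# IAM password policy is supporting evidence only; the documentation review itself is manual`. The mapping predates this conversion, but the converted file is what an assessor will now read.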
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4.yaml
@@ -1,10 +1,16 @@
-ID: aws_pci_dss_v321_requirement_8_2_4
-Title: 2.4 Change user passwords/passphrases at least once every 90 days
-Description: 'Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: "4"
-Children:
- - aws_pci_dss_v321_requirement_8_2_4_a
- - aws_pci_dss_v321_requirement_8_2_4_b
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_4
+ title: 2.4 Change user passwords/passphrases at least once every 90 days
+ description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_2_4_a
+ - id: aws_pci_dss_v321_requirement_8_2_4_b
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
index 821c4cd1d..8ba6e4779 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_a.yaml
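Review bot: Requirement 8.2.4 is a 90-day rotation rule, but the group-level control `aws_iam_account_password_policy_strong_min_reuse_24` is, going by its name, a strength-and-reuse check; nothing visible in this hunk asserts a maximum password age, so an account with a strong policy and no expiry would appear to satisfy the group. If that control does include a maximum-age condition, a comment beside it such as `# also asserts the IAM password policy's maximum password age is at most 90 days` would make the mapping defensible to an assessor; if it does not, the rotation check needs its own control. The child 8.2.4.a in the next hunk adds `aws_secretsmanager_secret_last_changed_90_day` for secrets, but nothing equivalent covers IAM user passwords at this level.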
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_8_2_4_a
-Title: 2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days
-Description: 'Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_secretsmanager_secret_last_changed_90_day
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_4_a
+ title: 2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days
+ description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_secretsmanager_secret_last_changed_90_day
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
index e4b2bdfb6..cb1194bd2 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_4_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_2_4_b
-Title: '2.4.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer user passwords/passphrases are required to change periodically; and non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change'
-Description: 'Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_4_b
+ title: "2.4.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non-consumer customer user passwords/passphrases are required to change periodically; and non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change"
+ description: "Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase. Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
index a512a0a84..eab846121 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5.yaml
@@ -1,10 +1,16 @@
-ID: aws_pci_dss_v321_requirement_8_2_5
-Title: 2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
-Description: 'If password history isn''t maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: "5"
-Children:
- - aws_pci_dss_v321_requirement_8_2_5_a
- - aws_pci_dss_v321_requirement_8_2_5_b
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_5
+ title: 2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
+ description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_2_5_a
+ - id: aws_pci_dss_v321_requirement_8_2_5_b
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
index 56e15b3bd..5dabf8796 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_2_5_a
-Title: 2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases
-Description: 'If password history isn''t maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_5_a
+ title: 2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases
+ description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
index 1efd801bb..6bb1d1eae 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_2_5_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_2_5_b
-Title: 2.5.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrase cannot be the same as the previous four passwords
-Description: 'If password history isn''t maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider.'
-SectionCode: b
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_2_5_b
+ title: 2.5.b Additional testing procedure for service provider assessments only to review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrase cannot be the same as the previous four passwords
+ description: "If password history isn't maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future. Note: Testing Procedure 8.2.5.b is an additional procedure that only applies if the entity being assessed is a service provider."
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
index c41685b16..72de0f318 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3.yaml
@@ -1,9 +1,14 @@
-ID: aws_pci_dss_v321_requirement_8_3
-Title: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
-Description: 'Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2), before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. Multi-factor authentication is not required at both the system-level and application-level for a particular system component. Multi-factor authentication can be performed either upon authentication to the particular network or to the system component. Examples of multi-factor technologies include but are not limited to remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate multi- factor authentication.' 
-SectionCode: "3"
-Children:
- - aws_pci_dss_v321_requirement_8_3_1
- - aws_pci_dss_v321_requirement_8_3_2
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_3
+ title: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
+ description: "Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2), before access is granted. Multi-factor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multi-factor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. Multi-factor authentication is not required at both the system-level and application-level for a particular system component. Multi-factor authentication can be performed either upon authentication to the particular network or to the system component. Examples of multi-factor technologies include but are not limited to remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate multi- factor authentication."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_3_1
+ - id: aws_pci_dss_v321_requirement_8_3_2
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
index dd574538a..4c37e2a21 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1.yaml
@@ -1,11 +1,17 @@
-ID: aws_pci_dss_v321_requirement_8_3_1
-Title: 3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
-Description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
-SectionCode: "1"
-Children:
- - aws_pci_dss_v321_requirement_8_3_1_a
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_3_1
+ title: 3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
+ description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. 
If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_3_1_a
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
index bc743168f..03fe3809a 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_1_a.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_8_3_1_a
-Title: 3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE
-Description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity's network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_3_1_a
+ title: 3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE
+ description: This requirement is intended to apply to all personnel with administrative access to the CDE. This requirement applies only to personnel with administrative access and only for non-console access to the CDE; it does not apply to application or system accounts performing automated functions. 
If the entity does not use segmentation to separate the CDE from the rest of their network, an administrator could use multi-factor authentication either when logging onto the CDE network or when logging onto a system. If the CDE is segmented from the rest of the entity's network, an administrator would need to use multi- factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
index 4beb35ebf..9cee10c6c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_3_2
-Title: 3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network
-Description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
-SectionCode: "2"
-Children:
- - aws_pci_dss_v321_requirement_8_3_2_a
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_3_2
+ title: 3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network
+ description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. 
However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_3_2_a
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
index f322ddd86..3f90aa55c 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_3_2_a.yaml
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_8_3_2_a
-Title: 3.2.a Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for all remote access by personnel, both user and administrator, and all third-party/vendor remote access (including access to applications and system components for support or maintenance purposes)
-Description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_3_2_a
+ title: 3.2.a Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for all remote access by personnel, both user and administrator, and all third-party/vendor remote access (including access to applications and system components for support or maintenance purposes)
+ description: This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the CDE.
If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi- factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml
index bdbc8ed8d..17dada511 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5.yaml
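Review bot: `section-code: a` is left as a plain scalar while the numeric codes in the parent files are quoted (`section-code: "2"`), so the field's YAML type depends on its value; letters a–d are safe, but a future `y`/`n` or `on`/`off` code would be read as a boolean by YAML 1.1 loaders. Quoting every section-code, `section-code: "a"`, keeps the field uniformly a string; the same applies to the lettered codes in 8_5_a, 8_6_c and 8_7_a–d. The three IAM controls under `controls:` evidence MFA on IAM user and root sign-in only; whether that covers the "remote access servers and systems" named in the title depends on which remote-access paths are considered in scope, which the file does not record, so a one-line comment above `controls:` stating the assumed scope would help whoever reads the result.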
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_5
-Title: Do not use group, shared, or generic IDs, passwords, or other authentication methods
-Description: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
-SectionCode: "5"
-Children:
- - aws_pci_dss_v321_requirement_8_5_a
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_5
+ title: Do not use group, shared, or generic IDs, passwords, or other authentication methods
+ description: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_5_a
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
index a08e4cc96..50c5f48d4 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_5_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_5_a
-Title: 5.a For a sample of system components, examine user ID lists to verify that generic user IDs are disabled or removed, shared user IDs for system administration activities and other critical functions do not exist or are shared, and generic user IDs are not used to administer any system components
-Description: Generic user IDs are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
-SectionCode: a
-Children: []
-Controls:
- - aws_iam_root_user_no_access_keys
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_5_a
+ title: 5.a For a sample of system components, examine user ID lists to verify that generic user IDs are disabled or removed, shared user IDs for system administration activities and other critical functions do not exist or are shared, and generic user IDs are not used to administer any system components
+ description: Generic user IDs are disabled or removed. Shared user IDs for system administration activities and other critical functions do not exist. Shared and generic user IDs are not used to administer any system components. If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual.
This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual's actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_no_access_keys
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml
index 46510eb3d..439d8aa26 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6.yaml
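Review bot: The new `title:` line carries forward a self-contradictory clause, `shared user IDs for system administration activities and other critical functions do not exist or are shared`, while the `description:` two lines below states only that such IDs `do not exist`; dropping `or are shared` from the title brings the two into agreement. The wording predates this commit, but since the line is rewritten here it is the natural place to correct it.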
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_6
-Title: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account and not shared among multiple accounts, physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
-Description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
-SectionCode: "6"
-Children:
- - aws_pci_dss_v321_requirement_8_6_c
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_6
+ title: Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account and not shared among multiple accounts, physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
+ description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_6_c
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
index 9a0914e1f..dbb743b75 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_6_c.yaml
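Review bot: The `title:` line in this hunk duplicates a phrase, `use of these mechanisms must be assigned authentication mechanisms must be assigned to an individual account`, which reads as two overlapping sentences pasted together; `use of these mechanisms must be assigned to an individual account` is the intended reading given the description that follows. The text is unchanged from the old `Title:` line, but it is rewritten here and worth fixing in passing.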
@@ -1,10 +1,15 @@
-ID: aws_pci_dss_v321_requirement_8_6_c
-Title: 6.c Examine system configuration settings and/or physical controls, as applicable, to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access
-Description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
-SectionCode: c
-Children: []
-Controls:
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_mfa_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_6_c
+ title: 6.c Examine system configuration settings and/or physical controls, as applicable, to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access
+ description: If user authentication mechanisms such as tokens, smart cards, and certificates can be used by multiple accounts, it may be impossible to identify the individual using the authentication mechanism. Having physical and/or logical controls (for example, a PIN, biometric data, or a password) to uniquely identify the user of the account will prevent unauthorized users from gaining access through use of a shared authentication mechanism.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_mfa_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml
index e038c33d5..2018ae3c8 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7.yaml
@@ -1,11 +1,16 @@
-ID: aws_pci_dss_v321_requirement_8_7
-Title: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted
-Description: 'Access to any database containing cardholder data is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).'
-SectionCode: "7"
-Children:
- - aws_pci_dss_v321_requirement_8_7_a
- - aws_pci_dss_v321_requirement_8_7_b
- - aws_pci_dss_v321_requirement_8_7_c
- - aws_pci_dss_v321_requirement_8_7_d
-Controls: []
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_7
+ title: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted
+ description: "Access to any database containing cardholder data is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties)."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_pci_dss_v321_requirement_8_7_a
+ - id: aws_pci_dss_v321_requirement_8_7_b
+ - id: aws_pci_dss_v321_requirement_8_7_c
+ - id: aws_pci_dss_v321_requirement_8_7_d
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml
index adb16e85d..f29e088cd 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_a.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_7_a
-Title: 7.a Review database and application configuration settings and verify that all users are authenticated prior to access
-Description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
-SectionCode: a
-Children: []
-Controls:
- - aws_rds_db_instance_iam_authentication_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_7_a
+ title: 7.a Review database and application configuration settings and verify that all users are authenticated prior to access
+ description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
index 4ad72922d..190bb0bdc 100755
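Review bot: The single control `aws_rds_db_instance_iam_authentication_enabled` is the only evidence for 8.7.a here and is reused unchanged for 8.7.b, 8.7.c and 8.7.d in the next three hunks, although only 8.7.a (`all users are authenticated prior to access`) is something that setting can demonstrate; enabling IAM database authentication says nothing about access being programmatic-only (8.7.b), direct access being limited to DBAs (8.7.c), or application IDs being unusable by individuals (8.7.d). A consumer of this framework would therefore see three procedures pass on the strength of one RDS flag. If no closer automated control exists in the catalog, a comment above `controls:` in those three files, e.g. `# partial: IAM DB auth evidences authentication only; programmatic-only and DBA-only access need manual review`, keeps the limitation visible next to the result.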
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_b.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_7_b
-Title: 7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures)
-Description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
-SectionCode: b
-Children: []
-Controls:
- - aws_rds_db_instance_iam_authentication_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_7_b
+ title: 7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures)
+ description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
index 5bf318a14..cf6e0f850 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_c.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_7_c
-Title: 7.c Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators
-Description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
-SectionCode: c
-Children: []
-Controls:
- - aws_rds_db_instance_iam_authentication_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_7_c
+ title: 7.c Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators
+ description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
index a2788ca8e..3f376b8f3 100755
--- a/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
+++ b/compliance/frameworks/aws/aws_pci_dss_v321/aws_pci_dss_v321_requirement_8_7_d.yaml
@@ -1,8 +1,13 @@
-ID: aws_pci_dss_v321_requirement_8_7_d
-Title: 7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes)
-Description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
-SectionCode: d
-Children: []
-Controls:
- - aws_rds_db_instance_iam_authentication_enabled
-Tags: {}
+control-group:
+ id: aws_pci_dss_v321_requirement_8_7_d
+ title: 7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes)
+ description: Without user authentication for access to databases and applications, the potential for unauthorized or malicious access increases, and such access cannot be logged since the user has not been authenticated and is therefore not known to the system. Also, database access should be granted through programmatic methods only (for example, through stored procedures), rather than via direct access to the database by end users (except for DBAs, who may need direct access to the database for their administrative duties).
+ section-code: d
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_rds_db_instance_iam_authentication_enabled
diff --git a/compliance/frameworks/aws/aws_pci_dss_v321/root.yaml b/compliance/frameworks/aws/aws_pci_dss_v321/root.yaml
deleted file mode 100755
index c84c6b99b..000000000
--- a/compliance/frameworks/aws/aws_pci_dss_v321/root.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-ID: aws_pci_dss_v321
-Title: PCI DSS v3.2.1
-Description: The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is an information security standard for entities that store, process, and/or transmit cardholder data.
-SectionCode: aws_pci_dss_v321
-Children:
- - aws_pci_dss_v321_requirement_1
- - aws_pci_dss_v321_requirement_2
- - aws_pci_dss_v321_requirement_3
- - aws_pci_dss_v321_requirement_4
- - aws_pci_dss_v321_requirement_5
- - aws_pci_dss_v321_requirement_6
- - aws_pci_dss_v321_requirement_7
- - aws_pci_dss_v321_requirement_8
- - aws_pci_dss_v321_requirement_10
- - aws_pci_dss_v321_requirement_11
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml
new file mode 100644
index 000000000..018753bc2
--- /dev/null
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security.yaml
@@ -0,0 +1,35 @@
+framework:
+ id: aws_rbi_cyber_security
+ title: RBI Cyber Security Framework
+ description: The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.
+ section-code: aws_rbi_cyber_security
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Laws & Regulations
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ service:
+ - AWS
+ type:
+ - Benchmark
+ control-group:
+ - id: aws_rbi_cyber_security_annex_i_1_1
+ - id: aws_rbi_cyber_security_annex_i_1_3
+ - id: aws_rbi_cyber_security_annex_i_5_1
+ - id: aws_rbi_cyber_security_annex_i_6
+ - id: aws_rbi_cyber_security_annex_i_7_1
+ - id: aws_rbi_cyber_security_annex_i_7_2
+ - id: aws_rbi_cyber_security_annex_i_7_3
+ - id: aws_rbi_cyber_security_annex_i_7_4
+ - id: aws_rbi_cyber_security_annex_i_12
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml
index 366f1d291..0b2511258 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_12.yaml
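Review bot: Tag values in the new framework file mix cases for what looks like the same concept — `category: - Compliance` against `platform_benchmark_type: - compliance` — and if the consumer filters tags case-sensitively the two will never match each other; picking one spelling, or a comment stating that the two keys are intentionally distinct vocabularies, avoids a silent filter miss. The framework also sets `auto-assign: false` while every control-group file in this diff uses `auto-assign: null`, so the effective default for the child groups depends on how the loader resolves null against this parent value; a one-line comment here stating the intended precedence would remove the ambiguity.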
@@ -1,29 +1,34 @@
-ID: aws_rbi_cyber_security_annex_i_12
-Title: Annex I (12)
-Description: Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).
-SectionCode: annex_i_12
-Children: []
-Controls:
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
- - aws_s3_bucket_versioning_enabled
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_12
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_12
+ title: Annex I (12)
+ description: Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).
+ section-code: annex_i_12
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_12
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
index 55449f3b3..b652db768 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_1.yaml
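Review bot: The `description:` requires the backup copy to be stored `‘off line’` on a device that can be detached from the system, but every entry under `controls:` evidences an online copy — backup plans, point-in-time recovery, automatic snapshots, versioning and cross-region replication — that remains reachable with the same account credentials, so a pass here does not establish the offline property the Annex item asks for. A comment above `controls:` such as `# NOTE: these controls evidence backup existence and retention only, not offline/detached storage` would stop consumers from over-reading the result; an immutable or separate-account copy control would sit closer to the intent if one exists in the catalog.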
@@ -1,20 +1,25 @@
-ID: aws_rbi_cyber_security_annex_i_1_1
-Title: Annex I (1.1)
-Description: 'UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).'
-SectionCode: annex_i_1_1
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_1_1
- service:
- - AWS/EC2
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_1_1
+ title: Annex I (1.1)
+ description: "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low)."
+ section-code: annex_i_1_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_1_1
+ service:
+ - AWS/EC2
+ type:
+ - Benchmark
+ controls:
+ - aws_ec2_instance_ssm_managed
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
index 3b90cd44a..eeecd6762 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_1_3.yaml
@@ -1,68 +1,73 @@
-ID: aws_rbi_cyber_security_annex_i_1_3
-Title: Annex I (1.3)
-Description: Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.
-SectionCode: annex_i_1_3
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_apigateway_stage_cache_encryption_at_rest_enabled
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_dynamodb_table_encrypted_with_kms
- - aws_ebs_attached_volume_encryption_enabled
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ebs_volume_encryption_at_rest_enabled
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_efs_file_system_encrypt_data_at_rest
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_encryption_at_rest_enabled
- - aws_es_domain_in_vpc
- - aws_es_domain_node_to_node_encryption_enabled
- - aws_kms_cmk_rotation_enabled
- - aws_kms_key_not_pending_deletion
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_log_group_encryption_at_rest_enabled
- - aws_rds_db_instance_encryption_at_rest_enabled
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_encrypted_at_rest
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_redshift_cluster_kms_enabled
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_default_encryption_enabled_kms
- - aws_s3_bucket_default_encryption_enabled
- - aws_s3_bucket_enforces_ssl
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket_account
- - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
- - aws_sns_topic_encrypted_at_rest
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_route_table_restrict_public_access_to_igw
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_1_3
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_1_3
+ title: Annex I (1.3)
+ description: Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.
+ section-code: annex_i_1_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_1_3
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_apigateway_stage_cache_encryption_at_rest_enabled
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_dynamodb_table_encrypted_with_kms
+ - aws_ebs_attached_volume_encryption_enabled
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ebs_volume_encryption_at_rest_enabled
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_efs_file_system_encrypt_data_at_rest
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_encryption_at_rest_enabled
+ - aws_es_domain_in_vpc
+ - aws_es_domain_node_to_node_encryption_enabled
+ - aws_kms_cmk_rotation_enabled
+ - aws_kms_key_not_pending_deletion
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_log_group_encryption_at_rest_enabled
+ - aws_rds_db_instance_encryption_at_rest_enabled
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_encrypted_at_rest
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_redshift_cluster_kms_enabled
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_default_encryption_enabled_kms
+ - aws_s3_bucket_default_encryption_enabled
+ - aws_s3_bucket_enforces_ssl
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket_account
+ - aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_sagemaker_notebook_instance_encryption_at_rest_enabled
+ - aws_sns_topic_encrypted_at_rest
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_route_table_restrict_public_access_to_igw
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
index 6f8f9a3d3..2093045a4 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_5_1.yaml
@@ -1,25 +1,30 @@
-ID: aws_rbi_cyber_security_annex_i_5_1
-Title: Annex I (5.1)
-Description: The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.
-SectionCode: annex_i_5_1
-Children: []
-Controls:
- - aws_apigateway_stage_use_waf_web_acl
- - aws_elb_application_lb_waf_enabled
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_5_1
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_5_1
+ title: Annex I (5.1)
+ description: The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.
+ section-code: annex_i_5_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_5_1
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_use_waf_web_acl
+ - aws_elb_application_lb_waf_enabled
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
index 01517356f..fc993a2a8 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_6.yaml
@@ -1,24 +1,29 @@
-ID: aws_rbi_cyber_security_annex_i_6
-Title: Annex I (6)
-Description: Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.
-SectionCode: annex_i_6
-Children: []
-Controls:
- - aws_guardduty_finding_archived
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_6
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_6
+ title: Annex I (6)
+ description: Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.
+ section-code: annex_i_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_6
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_guardduty_finding_archived
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
index f1f125732..11243c2fa 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_1.yaml
@@ -1,24 +1,29 @@
-ID: aws_rbi_cyber_security_annex_i_7_1
-Title: Annex I (7.1)
-Description: Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.
-SectionCode: annex_i_7_1
-Children: []
-Controls:
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_no_inline_attached_policies
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_1
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_7_1
+ title: Annex I (7.1)
+ description: Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.
+ section-code: annex_i_7_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_1
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_no_inline_attached_policies
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
index b4ec3f830..d93d2890c 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_2.yaml
@@ -1,20 +1,25 @@
-ID: aws_rbi_cyber_security_annex_i_7_2
-Title: Annex I (7.2)
-Description: Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.
-SectionCode: annex_i_7_2
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_2
- service:
- - AWS/IAM
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_7_2
+ title: Annex I (7.2)
+ description: Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.
+ section-code: annex_i_7_2
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_2
+ service:
+ - AWS/IAM
+ type:
+ - Benchmark
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
index 4477efbe6..5286d3628 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_3.yaml
@@ -1,20 +1,25 @@
-ID: aws_rbi_cyber_security_annex_i_7_3
-Title: Annex I (7.3)
-Description: Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.
-SectionCode: annex_i_7_3
-Children: []
-Controls:
- - aws_vpc_security_group_restrict_ingress_ssh_all
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_3
- service:
- - AWS/VPC
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_7_3
+ title: Annex I (7.3)
+ description: Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.
+ section-code: annex_i_7_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_3
+ service:
+ - AWS/VPC
+ type:
+ - Benchmark
+ controls:
+ - aws_vpc_security_group_restrict_ingress_ssh_all
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
index fb6b55498..99e40446d 100755
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
+++ b/compliance/frameworks/aws/aws_rbi_cyber_security/aws_rbi_cyber_security_annex_i_7_4.yaml
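Review bot: The description of this control group is about Remote Desktop Protocol being disabled and remote-access logs being monitored, yet the only control mapped under `controls:` is `aws_vpc_security_group_restrict_ingress_ssh_all`, which by its name evaluates SSH ingress only; the restructure carries this coverage gap forward unchanged, so a reader of the new file would assume the RDP requirement is checked when nothing here looks at TCP/3389. If the control library has a security-group check for RDP ingress, it belongs in this list; if it does not, a comment such as `# TODO: no RDP ingress control is mapped yet; the SSH check is only a partial proxy` keeps the gap visible. The second half of the requirement (remote-access logs enabled and monitored) is not addressed by any security-group rule check either — `aws_vpc_flow_logs_enabled`, already used by annex_i_7_4 below, would be a closer fit for that part.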
@@ -1,33 +1,38 @@
-ID: aws_rbi_cyber_security_annex_i_7_4
-Title: Annex I (7.4)
-Description: Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)
-SectionCode: annex_i_7_4
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_securityhub_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags:
- category:
- - Compliance
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- rbi_cyber_security_item_id:
- - annex_i_7_4
- service:
- - AWS
- type:
- - Benchmark
+control-group:
+ id: aws_rbi_cyber_security_annex_i_7_4
+ title: Annex I (7.4)
+ description: Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)
+ section-code: annex_i_7_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ plugin:
+ - aws
+ rbi_cyber_security:
+ - "true"
+ rbi_cyber_security_item_id:
+ - annex_i_7_4
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_cyber_security/root.yaml b/compliance/frameworks/aws/aws_rbi_cyber_security/root.yaml
deleted file mode 100755
index 1226de515..000000000
--- a/compliance/frameworks/aws/aws_rbi_cyber_security/root.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ID: aws_rbi_cyber_security
-Title: RBI Cyber Security Framework
-Description: The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.
-SectionCode: aws_rbi_cyber_security
-Children:
- - aws_rbi_cyber_security_annex_i_1_1
- - aws_rbi_cyber_security_annex_i_1_3
- - aws_rbi_cyber_security_annex_i_5_1
- - aws_rbi_cyber_security_annex_i_6
- - aws_rbi_cyber_security_annex_i_7_1
- - aws_rbi_cyber_security_annex_i_7_2
- - aws_rbi_cyber_security_annex_i_7_3
- - aws_rbi_cyber_security_annex_i_7_4
- - aws_rbi_cyber_security_annex_i_12
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Laws & Regulations
- plugin:
- - aws
- rbi_cyber_security:
- - "true"
- service:
- - AWS
- type:
- - Benchmark
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml
new file mode 100644
index 000000000..885b1c8da
--- /dev/null
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc.yaml
@@ -0,0 +1,16 @@
+framework:
+ id: aws_rbi_itf_nbfc
+ title: Reserve Bank of India - Information Technology Framework for Non-Banking Financial Companies (RBI ITF-NBFC)
+ description: The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.
+ section-code: aws_rbi_itf_nbfc
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_3
+ - id: aws_rbi_itf_nbfc_4
+ - id: aws_rbi_itf_nbfc_6
+ - id: aws_rbi_itf_nbfc_8
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
index 31f6793d5..07c9a9691 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3.yaml
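Review bot: The new framework file declares `tags: {}`, whereas the framework-level `root.yaml` deleted in the hunk just above carried `platform_benchmark_type`, `platform_category` (`Laws & Regulations`), `plugin`, `service` and `type` tags that a catalog presumably filters and groups on. The previous root file for this NBFC framework is not in this chunk, so I cannot confirm it had equivalent tags; if it did, they have been dropped here, and the child control-groups below (`aws_rbi_itf_nbfc_3*`) also carry `tags: {}`, so there is nothing for a loader to derive framework-level tags from. Either restore the tags on this file (at minimum `plugin`, `service`, `type` and `platform_category`, mirroring the deleted root) or add a comment explaining where the new loader obtains them.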
@@ -1,10 +1,15 @@
-ID: aws_rbi_itf_nbfc_3
-Title: Information Security
-Description: 'Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a board approved IS Policy with the following basic tenets: a. Confidentiality - Ensuring access to sensitive data to authorized users only, b. Integrity - Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization, c. Availability - Ensuring that uninterrupted data is available to users when it is needed, d. Authenticity - For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine.'
-SectionCode: "3"
-Children:
- - aws_rbi_itf_nbfc_3_1
- - aws_rbi_itf_nbfc_3_3
- - aws_rbi_itf_nbfc_3_5
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3
+ title: Information Security
+ description: "Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The purpose of IS is to control access to sensitive information, ensuring use only by legitimate users so that data cannot be read or compromised without proper authorization. NBFCs must have a board approved IS Policy with the following basic tenets: a. Confidentiality - Ensuring access to sensitive data to authorized users only, b. Integrity - Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization, c. Availability - Ensuring that uninterrupted data is available to users when it is needed, d. Authenticity - For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine."
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_3_1
+ - id: aws_rbi_itf_nbfc_3_3
+ - id: aws_rbi_itf_nbfc_3_5
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
index 5a664ae5d..5b10b28ac 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1.yaml
@@ -1,12 +1,17 @@
-ID: aws_rbi_itf_nbfc_3_1
-Title: Information Security Policy
-Description: 'The IS Policy must provide for a IS framework with the following basic tenets: a. Identification and Classification of Information Assets, b. Segregation of functions, c. Role based Access Control, d. Personnel Security, e. Physical Security, f. Maker-checker, g. Incident Management, h. Trails, i. Public Key Infrastructure (PKI).'
-SectionCode: "1"
-Children:
- - aws_rbi_itf_nbfc_3_1_a
- - aws_rbi_itf_nbfc_3_1_c
- - aws_rbi_itf_nbfc_3_1_g
- - aws_rbi_itf_nbfc_3_1_h
- - aws_rbi_itf_nbfc_3_1_i
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1
+ title: Information Security Policy
+ description: "The IS Policy must provide for a IS framework with the following basic tenets: a. Identification and Classification of Information Assets, b. Segregation of functions, c. Role based Access Control, d. Personnel Security, e. Physical Security, f. Maker-checker, g. Incident Management, h. Trails, i. Public Key Infrastructure (PKI)."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_3_1_a
+ - id: aws_rbi_itf_nbfc_3_1_c
+ - id: aws_rbi_itf_nbfc_3_1_g
+ - id: aws_rbi_itf_nbfc_3_1_h
+ - id: aws_rbi_itf_nbfc_3_1_i
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
index 2a03e830d..41cb3c515 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_a.yaml
@@ -1,11 +1,16 @@
-ID: aws_rbi_itf_nbfc_3_1_a
-Title: 1.a Identification and Classification of Information Assets
-Description: NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
-SectionCode: a
-Children: []
-Controls:
- - aws_ebs_volume_unused
- - aws_ec2_instance_ssm_managed
- - aws_ec2_stopped_instance_30_days
- - aws_ecr_repository_tag_immutability_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1_a
+ title: 1.a Identification and Classification of Information Assets
+ description: NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ebs_volume_unused
+ - aws_ec2_instance_ssm_managed
+ - aws_ec2_stopped_instance_30_days
+ - aws_ecr_repository_tag_immutability_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
index 7d851f81f..12c76180d 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_c.yaml
@@ -1,27 +1,32 @@
-ID: aws_rbi_itf_nbfc_3_1_c
-Title: 1.c Role based Access Control
-Description: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
-SectionCode: c
-Children: []
-Controls:
- - aws_ec2_instance_iam_profile_attached
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_cluster_kerberos_enabled
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1_c
+ title: 1.c Role based Access Control
+ description: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_instance_iam_profile_attached
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_cluster_kerberos_enabled
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
index 2a676d56f..16ee46e10 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_g.yaml
@@ -1,12 +1,17 @@
-ID: aws_rbi_itf_nbfc_3_1_g
-Title: 1.g Incident Management
-Description: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
-SectionCode: g
-Children: []
-Controls:
- - aws_elb_application_lb_waf_enabled
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_securityhub_enabled
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1_g
+ title: 1.g Incident Management
+ description: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_elb_application_lb_waf_enabled
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_securityhub_enabled
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
index cd645e473..bddd9b2f4 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_h.yaml
@@ -1,23 +1,28 @@
-ID: aws_rbi_itf_nbfc_3_1_h
-Title: 1.h Trails
-Description: NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
-SectionCode: h
-Children: []
-Controls:
- - aws_apigateway_stage_logging_enabled
- - aws_cloudtrail_multi_region_trail_enabled
- - aws_cloudtrail_s3_data_events_enabled
- - aws_cloudtrail_trail_enabled
- - aws_cloudtrail_trail_integrated_with_logs
- - aws_cloudwatch_log_group_retention_period_365
- - aws_codebuild_project_logging_enabled
- - aws_elb_application_classic_lb_logging_enabled
- - aws_es_domain_logs_to_cloudwatch
- - aws_opensearch_domain_logs_to_cloudwatch
- - aws_rds_db_instance_logging_enabled
- - aws_redshift_cluster_audit_logging_enabled
- - aws_redshift_cluster_encryption_logging_enabled
- - aws_s3_bucket_logging_enabled
- - aws_vpc_flow_logs_enabled
- - aws_wafv2_web_acl_logging_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1_h
+ title: 1.h Trails
+ description: NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_apigateway_stage_logging_enabled
+ - aws_cloudtrail_multi_region_trail_enabled
+ - aws_cloudtrail_s3_data_events_enabled
+ - aws_cloudtrail_trail_enabled
+ - aws_cloudtrail_trail_integrated_with_logs
+ - aws_cloudwatch_log_group_retention_period_365
+ - aws_codebuild_project_logging_enabled
+ - aws_elb_application_classic_lb_logging_enabled
+ - aws_es_domain_logs_to_cloudwatch
+ - aws_opensearch_domain_logs_to_cloudwatch
+ - aws_rds_db_instance_logging_enabled
+ - aws_redshift_cluster_audit_logging_enabled
+ - aws_redshift_cluster_encryption_logging_enabled
+ - aws_s3_bucket_logging_enabled
+ - aws_vpc_flow_logs_enabled
+ - aws_wafv2_web_acl_logging_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
index 9a0424891..a780110a6 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_1_i.yaml
@@ -1,17 +1,22 @@
-ID: aws_rbi_itf_nbfc_3_1_i
-Title: 1.i Public Key Infrastructure (PKI)
-Description: NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.
-SectionCode: i
-Children: []
-Controls:
- - aws_acm_certificate_expires_30_days
- - aws_apigateway_rest_api_stage_use_ssl_certificate
- - aws_elb_application_lb_drop_http_headers
- - aws_elb_application_lb_redirect_http_request_to_https
- - aws_elb_application_network_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_ssl_certificate
- - aws_elb_classic_lb_use_tls_https_listeners
- - aws_opensearch_domain_https_required
- - aws_redshift_cluster_encryption_in_transit_enabled
- - aws_s3_bucket_enforces_ssl
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_1_i
+ title: 1.i Public Key Infrastructure (PKI)
+ description: NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.
+ section-code: i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_acm_certificate_expires_30_days
+ - aws_apigateway_rest_api_stage_use_ssl_certificate
+ - aws_elb_application_lb_drop_http_headers
+ - aws_elb_application_lb_redirect_http_request_to_https
+ - aws_elb_application_network_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_ssl_certificate
+ - aws_elb_classic_lb_use_tls_https_listeners
+ - aws_opensearch_domain_https_required
+ - aws_redshift_cluster_encryption_in_transit_enabled
+ - aws_s3_bucket_enforces_ssl
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
index 15ac781b1..154e54e12 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_3.yaml
@@ -1,13 +1,18 @@
-ID: aws_rbi_itf_nbfc_3_3
-Title: Vulnerability Management
-Description: A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_finding_archived
- - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
- - aws_redshift_cluster_maintenance_settings_check
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_3
+ title: Vulnerability Management
+ description: A vulnerability can be defined as an inherent configuration flaw in an organization's information technology base, whether hardware or software, which can be exploited by a third party to gather sensitive information regarding the organization. Vulnerability management is an ongoing process to determine the process of eliminating or mitigating vulnerabilities based upon the risk and cost associated with the vulnerabilities. NBFCs may devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_finding_archived
+ - aws_rds_db_instance_automatic_minor_version_upgrade_enabled
+ - aws_redshift_cluster_maintenance_settings_check
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml
index 74e520187..2821cf415 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_3_5.yaml
@@ -1,12 +1,17 @@
-ID: aws_rbi_itf_nbfc_3_5
-Title: Cyber Crisis Management Plan
-Description: 'A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.'
-SectionCode: "5"
-Children: []
-Controls:
- - aws_ec2_instance_ssm_managed
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
- - aws_ssm_managed_instance_compliance_association_compliant
- - aws_ssm_managed_instance_compliance_patch_compliant
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_3_5
+ title: Cyber Crisis Management Plan
+ description: "A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. NBFCs need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. NBFCs are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, NBFCs should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_ec2_instance_ssm_managed
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
+ - aws_ssm_managed_instance_compliance_association_compliant
+ - aws_ssm_managed_instance_compliance_patch_compliant
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml
index 05fe3fc2a..fa2fc4946 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4.yaml
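Review bot: The `description` in this hunk is switched from a single-quoted to a double-quoted scalar, the only place in the visible hunks where the migration changes quoting rather than key names; the text contains no backslashes, so the loaded value is unchanged, but with double quotes every `\` becomes an escape the next time the wording is edited. The value needs quoting only because of the `: ` inside "four aspects: (i)", and a folded block scalar avoids that without any quotes: write `description: >-` and put the sentence on the indented lines below it. If it must stay a flow scalar, the original single quotes (`'...'`) are the safer choice.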
@@ -1,8 +1,13 @@
-ID: aws_rbi_itf_nbfc_4
-Title: IT Operations
-Description: IT Operations should support processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance and then establish and monitor policies for risk management.
-SectionCode: "4"
-Children:
- - aws_rbi_itf_nbfc_4_4
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_4
+ title: IT Operations
+ description: IT Operations should support processing and storage of information, such that the required information is available in a timely, reliable, secure and resilient manner. The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance and then establish and monitor policies for risk management.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_4_4
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
index 458110956..510aa7d63 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4.yaml
@@ -1,10 +1,15 @@
-ID: aws_rbi_itf_nbfc_4_4
-Title: Management Information System (MIS)
-Description: NBFCs may put in place MIS that assist the Top Management as well as the business heads in decision making and also to maintain an oversight over operations of various business verticals. With robust IT systems in place, NBFCs may have the following as part of an effective system generated MIS (indicative list).
-SectionCode: "4"
-Children:
- - aws_rbi_itf_nbfc_4_4_g
- - aws_rbi_itf_nbfc_4_4_h
- - aws_rbi_itf_nbfc_4_4_i
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_4_4
+ title: Management Information System (MIS)
+ description: NBFCs may put in place MIS that assist the Top Management as well as the business heads in decision making and also to maintain an oversight over operations of various business verticals. With robust IT systems in place, NBFCs may have the following as part of an effective system generated MIS (indicative list).
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_4_4_g
+ - id: aws_rbi_itf_nbfc_4_4_h
+ - id: aws_rbi_itf_nbfc_4_4_i
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
index 4ccbfc7fc..519170be9 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_g.yaml
@@ -1,8 +1,13 @@
-ID: aws_rbi_itf_nbfc_4_4_g
-Title: 4.g Fraud analysis
-Description: Suspicious transaction analysis, embezzlement, theft or suspected money-laundering, misappropriation of assets, manipulation of financial records etc. The regulatory requirement of reporting fraud to RBI should be system driven.
-SectionCode: g
-Children: []
-Controls:
- - aws_guardduty_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_4_4_g
+ title: 4.g Fraud analysis
+ description: Suspicious transaction analysis, embezzlement, theft or suspected money-laundering, misappropriation of assets, manipulation of financial records etc. The regulatory requirement of reporting fraud to RBI should be system driven.
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
index 8b23079b1..59437ab0b 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_h.yaml
@@ -1,26 +1,31 @@
-ID: aws_rbi_itf_nbfc_4_4_h
-Title: 4.h Capacity and performance analysis
-Description: Capacity and performance analysis of IT security systems.
-SectionCode: h
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_ec2_instance_ebs_optimized
- - aws_elastic_beanstalk_enhanced_health_reporting_enabled
- - aws_elb_application_gateway_network_lb_multiple_az_configured
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_elb_classic_lb_multiple_az_configured
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_dead_letter_queue_configured
- - aws_lambda_function_multiple_az_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_s3_bucket_object_lock_enabled
- - aws_securityhub_enabled
- - aws_vpc_vpn_tunnel_up
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_4_4_h
+ title: 4.h Capacity and performance analysis
+ description: Capacity and performance analysis of IT security systems.
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_ec2_instance_ebs_optimized
+ - aws_elastic_beanstalk_enhanced_health_reporting_enabled
+ - aws_elb_application_gateway_network_lb_multiple_az_configured
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_elb_classic_lb_multiple_az_configured
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_dead_letter_queue_configured
+ - aws_lambda_function_multiple_az_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_s3_bucket_object_lock_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml
index 8cdea44cf..e8e925879 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_4_4_i.yaml
@@ -1,9 +1,14 @@
-ID: aws_rbi_itf_nbfc_4_4_i
-Title: 4.i Incident reporting
-Description: Incident reporting, their impact and steps taken for non-recurrence of such events in the future.
-SectionCode: i
-Children: []
-Controls:
- - aws_guardduty_enabled
- - aws_guardduty_finding_archived
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_4_4_i
+ title: 4.i Incident reporting
+ description: Incident reporting, their impact and steps taken for non-recurrence of such events in the future.
+ section-code: i
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_guardduty_enabled
+ - aws_guardduty_finding_archived
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
index 47349638a..16e43c405 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6.yaml
@@ -1,8 +1,13 @@
-ID: aws_rbi_itf_nbfc_6
-Title: Business Continuity Planning (BCP) and Disaster Recovery
-Description: BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness.
-SectionCode: "6"
-Children:
- - aws_rbi_itf_nbfc_6_3
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_6
+ title: Business Continuity Planning (BCP) and Disaster Recovery
+ description: BCP forms a significant part of an organisation's overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes. BCP shall be designed to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster. NBFC should adopt a Board approved BCP Policy. The functioning of BCP shall be monitored by the Board by way of periodic reports. The CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_6_3
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml
index e177021aa..ac4d32a76 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_6_3.yaml 
@@ -1,22 +1,27 @@
-ID: aws_rbi_itf_nbfc_6_3
-Title: Backup and Recovery
-Description: NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers.
-SectionCode: "3"
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_dynamodb_table_in_backup_plan
- - aws_ebs_volume_in_backup_plan
- - aws_ec2_instance_protected_by_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_fsx_file_system_protected_by_backup_plan
- - aws_kms_cmk_rotation_enabled
- - aws_rds_db_cluster_aurora_protected_by_backup_plan
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_6_3
+ title: Backup and Recovery
+ description: NBFCs shall consider the need to put in place necessary backup sites for their critical business systems and Data centers.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_dynamodb_table_in_backup_plan
+ - aws_ebs_volume_in_backup_plan
+ - aws_ec2_instance_protected_by_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_fsx_file_system_protected_by_backup_plan
+ - aws_kms_cmk_rotation_enabled
+ - aws_rds_db_cluster_aurora_protected_by_backup_plan
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
index e9def95a5..af34db704 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8.yaml
@@ -1,12 +1,17 @@
-ID: aws_rbi_itf_nbfc_8
-Title: Recommendations for NBFCs with asset size below ₹ 500 crore
-Description: It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below ₹ 500 crore shall have a Board approved Information Technology policy/Information system policy.
-SectionCode: "8"
-Children:
- - aws_rbi_itf_nbfc_8_1
- - aws_rbi_itf_nbfc_8_I
- - aws_rbi_itf_nbfc_8_II
- - aws_rbi_itf_nbfc_8_III
- - aws_rbi_itf_nbfc_8_IX
-Controls: []
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8
+ title: Recommendations for NBFCs with asset size below ₹ 500 crore
+ description: It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below ₹ 500 crore shall have a Board approved Information Technology policy/Information system policy.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: aws_rbi_itf_nbfc_8_1
+ - id: aws_rbi_itf_nbfc_8_I
+ - id: aws_rbi_itf_nbfc_8_II
+ - id: aws_rbi_itf_nbfc_8_III
+ - id: aws_rbi_itf_nbfc_8_IX
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
index 856791f79..f5cc5675f 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_1.yaml
@@ -1,22 +1,27 @@
-ID: aws_rbi_itf_nbfc_8_1
-Title: IT Systems
-Description: IT Systems should be progressively scaled up as the size and complexity of NBFC's operations increases.
-SectionCode: "1"
-Children: []
-Controls:
- - aws_autoscaling_group_with_lb_use_health_check
- - aws_dynamodb_table_auto_scaling_enabled
- - aws_ec2_instance_detailed_monitoring_enabled
- - aws_elb_application_gateway_network_lb_multiple_az_configured
- - aws_elb_application_lb_deletion_protection_enabled
- - aws_elb_classic_lb_cross_zone_load_balancing_enabled
- - aws_elb_classic_lb_multiple_az_configured
- - aws_guardduty_enabled
- - aws_lambda_function_concurrent_execution_limit_configured
- - aws_lambda_function_multiple_az_configured
- - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
- - aws_rds_db_instance_deletion_protection_enabled
- - aws_rds_db_instance_multiple_az_enabled
- - aws_securityhub_enabled
- - aws_vpc_vpn_tunnel_up
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8_1
+ title: IT Systems
+ description: IT Systems should be progressively scaled up as the size and complexity of NBFC's operations increases.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_group_with_lb_use_health_check
+ - aws_dynamodb_table_auto_scaling_enabled
+ - aws_ec2_instance_detailed_monitoring_enabled
+ - aws_elb_application_gateway_network_lb_multiple_az_configured
+ - aws_elb_application_lb_deletion_protection_enabled
+ - aws_elb_classic_lb_cross_zone_load_balancing_enabled
+ - aws_elb_classic_lb_multiple_az_configured
+ - aws_guardduty_enabled
+ - aws_lambda_function_concurrent_execution_limit_configured
+ - aws_lambda_function_multiple_az_configured
+ - aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ - aws_rds_db_instance_deletion_protection_enabled
+ - aws_rds_db_instance_multiple_az_enabled
+ - aws_securityhub_enabled
+ - aws_vpc_vpn_tunnel_up
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
index 8c8039092..9c0083c6a 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_I.yaml
@@ -1,53 +1,58 @@
-ID: aws_rbi_itf_nbfc_8_I
-Title: I Basic Security Aspects
-Description: Basic security aspects such as physical/ logical access controls and well defined password policy.
-SectionCode: I
-Children: []
-Controls:
- - aws_autoscaling_launch_config_public_ip_disabled
- - aws_dms_replication_instance_not_publicly_accessible
- - aws_ebs_snapshot_not_publicly_restorable
- - aws_ec2_instance_iam_profile_attached
- - aws_ec2_instance_in_vpc
- - aws_ec2_instance_not_publicly_accessible
- - aws_efs_access_point_enforce_root_directory
- - aws_efs_access_point_enforce_user_identity
- - aws_emr_cluster_kerberos_enabled
- - aws_emr_cluster_master_nodes_no_public_ip
- - aws_es_domain_in_vpc
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_all_policy_no_service_wild_card
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_root_user_hardware_mfa_enabled
- - aws_iam_root_user_mfa_enabled
- - aws_iam_root_user_no_access_keys
- - aws_iam_user_access_key_age_90
- - aws_iam_user_console_access_mfa_enabled
- - aws_iam_user_in_group
- - aws_iam_user_mfa_enabled
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
- - aws_lambda_function_in_vpc
- - aws_lambda_function_restrict_public_access
- - aws_opensearch_domain_in_vpc
- - aws_rds_db_instance_prohibit_public_access
- - aws_rds_db_snapshot_prohibit_public_access
- - aws_redshift_cluster_prohibit_public_access
- - aws_s3_bucket_acls_should_prohibit_user_access
- - aws_s3_bucket_policy_restrict_public_access
- - aws_s3_bucket_restrict_public_read_access
- - aws_s3_bucket_restrict_public_write_access
- - aws_s3_public_access_block_bucket
- - aws_sagemaker_notebook_instance_direct_internet_access_disabled
- - aws_secretsmanager_secret_automatic_rotation_enabled
- - aws_secretsmanager_secret_rotated_as_scheduled
- - aws_ssm_document_prohibit_public_access
- - aws_vpc_default_security_group_restricts_all_traffic
- - aws_vpc_igw_attached_to_authorized_vpc
- - aws_vpc_security_group_restrict_ingress_common_ports_all
- - aws_vpc_security_group_restrict_ingress_ssh_all
- - aws_vpc_security_group_restrict_ingress_tcp_udp_all
- - aws_vpc_subnet_auto_assign_public_ip_disabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8_I
+ title: I Basic Security Aspects
+ description: Basic security aspects such as physical/ logical access controls and well defined password policy.
+ section-code: I
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_autoscaling_launch_config_public_ip_disabled
+ - aws_dms_replication_instance_not_publicly_accessible
+ - aws_ebs_snapshot_not_publicly_restorable
+ - aws_ec2_instance_iam_profile_attached
+ - aws_ec2_instance_in_vpc
+ - aws_ec2_instance_not_publicly_accessible
+ - aws_efs_access_point_enforce_root_directory
+ - aws_efs_access_point_enforce_user_identity
+ - aws_emr_cluster_kerberos_enabled
+ - aws_emr_cluster_master_nodes_no_public_ip
+ - aws_es_domain_in_vpc
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_all_policy_no_service_wild_card
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_root_user_hardware_mfa_enabled
+ - aws_iam_root_user_mfa_enabled
+ - aws_iam_root_user_no_access_keys
+ - aws_iam_user_access_key_age_90
+ - aws_iam_user_console_access_mfa_enabled
+ - aws_iam_user_in_group
+ - aws_iam_user_mfa_enabled
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
+ - aws_lambda_function_in_vpc
+ - aws_lambda_function_restrict_public_access
+ - aws_opensearch_domain_in_vpc
+ - aws_rds_db_instance_prohibit_public_access
+ - aws_rds_db_snapshot_prohibit_public_access
+ - aws_redshift_cluster_prohibit_public_access
+ - aws_s3_bucket_acls_should_prohibit_user_access
+ - aws_s3_bucket_policy_restrict_public_access
+ - aws_s3_bucket_restrict_public_read_access
+ - aws_s3_bucket_restrict_public_write_access
+ - aws_s3_public_access_block_bucket
+ - aws_sagemaker_notebook_instance_direct_internet_access_disabled
+ - aws_secretsmanager_secret_automatic_rotation_enabled
+ - aws_secretsmanager_secret_rotated_as_scheduled
+ - aws_ssm_document_prohibit_public_access
+ - aws_vpc_default_security_group_restricts_all_traffic
+ - aws_vpc_igw_attached_to_authorized_vpc
+ - aws_vpc_security_group_restrict_ingress_common_ports_all
+ - aws_vpc_security_group_restrict_ingress_ssh_all
+ - aws_vpc_security_group_restrict_ingress_tcp_udp_all
+ - aws_vpc_subnet_auto_assign_public_ip_disabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml
index 71c0351aa..bc4fc096f 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_II.yaml
@@ -1,14 +1,19 @@
-ID: aws_rbi_itf_nbfc_8_II
-Title: II User Role
-Description: A well-defined user role.
-SectionCode: II
-Children: []
-Controls:
- - aws_iam_account_password_policy_strong_min_reuse_24
- - aws_iam_group_not_empty
- - aws_iam_group_user_role_no_inline_policies
- - aws_iam_policy_no_star_star
- - aws_iam_user_in_group
- - aws_iam_user_no_inline_attached_policies
- - aws_iam_user_unused_credentials_90
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8_II
+ title: II User Role
+ description: A well-defined user role.
+ section-code: II
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_iam_account_password_policy_strong_min_reuse_24
+ - aws_iam_group_not_empty
+ - aws_iam_group_user_role_no_inline_policies
+ - aws_iam_policy_no_star_star
+ - aws_iam_user_in_group
+ - aws_iam_user_no_inline_attached_policies
+ - aws_iam_user_unused_credentials_90
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml
index 75ba5c050..ce8612e13 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_III.yaml
@@ -1,8 +1,13 @@
-ID: aws_rbi_itf_nbfc_8_III
-Title: III Maker-Checker Concept
-Description: A Maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information.
-SectionCode: III
-Children: []
-Controls:
- - aws_s3_bucket_versioning_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8_III
+ title: III Maker-Checker Concept
+ description: A Maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information.
+ section-code: III
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_s3_bucket_versioning_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
index 86e9d0933..568d348bb 100755
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
+++ b/compliance/frameworks/aws/aws_rbi_itf_nbfc/aws_rbi_itf_nbfc_8_IX.yaml
@@ -1,19 +1,24 @@
-ID: aws_rbi_itf_nbfc_8_IX
-Title: IX Backup and Recovery
-Description: Arrangement for backup of data with periodic testing.
-SectionCode: IX
-Children: []
-Controls:
- - aws_backup_plan_min_retention_35_days
- - aws_backup_recovery_point_manual_deletion_disabled
- - aws_backup_recovery_point_min_retention_35_days
- - aws_dynamodb_table_in_backup_plan
- - aws_dynamodb_table_point_in_time_recovery_enabled
- - aws_ebs_volume_in_backup_plan
- - aws_efs_file_system_in_backup_plan
- - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
- - aws_rds_db_instance_backup_enabled
- - aws_rds_db_instance_in_backup_plan
- - aws_redshift_cluster_automatic_snapshots_min_7_days
- - aws_s3_bucket_cross_region_replication_enabled
-Tags: {}
+control-group:
+ id: aws_rbi_itf_nbfc_8_IX
+ title: IX Backup and Recovery
+ description: Arrangement for backup of data with periodic testing.
+ section-code: IX
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - aws_backup_plan_min_retention_35_days
+ - aws_backup_recovery_point_manual_deletion_disabled
+ - aws_backup_recovery_point_min_retention_35_days
+ - aws_dynamodb_table_in_backup_plan
+ - aws_dynamodb_table_point_in_time_recovery_enabled
+ - aws_ebs_volume_in_backup_plan
+ - aws_efs_file_system_in_backup_plan
+ - aws_elasticache_redis_cluster_automatic_backup_retention_15_days
+ - aws_rds_db_instance_backup_enabled
+ - aws_rds_db_instance_in_backup_plan
+ - aws_redshift_cluster_automatic_snapshots_min_7_days
+ - aws_s3_bucket_cross_region_replication_enabled
diff --git a/compliance/frameworks/aws/aws_rbi_itf_nbfc/root.yaml b/compliance/frameworks/aws/aws_rbi_itf_nbfc/root.yaml
deleted file mode 100755
index 1e80d0857..000000000
--- a/compliance/frameworks/aws/aws_rbi_itf_nbfc/root.yaml
+++ /dev/null
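Review bot: The parent `root.yaml` for aws_rbi_itf_nbfc is deleted in the next hunk, and a replacement `aws_rbi_itf_nbfc.yaml` framework file is not in this part of the diff, so confirm one exists (the aws_acsc_essential_eight hunks earlier in the diff do add such a root file); without it the `aws_rbi_itf_nbfc_8_*` groups have no path to a framework and the `enabled: false` / `tracks-drift-events: false` defaults written here have no parent to inherit from. Separately, the section description promises "backup of data with periodic testing", but every control listed checks retention, backup-plan membership or replication and none checks that a restore is ever exercised; if no such control exists, a comment such as `# periodic restore testing is not covered by an automated control` next to `controls:` keeps the mapping honest for whoever audits against it.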
@@ -1,15 +0,0 @@
-ID: aws_rbi_itf_nbfc
-Title: Reserve Bank of India - Information Technology Framework for Non-Banking Financial Companies (RBI ITF-NBFC)
-Description: The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices.
-SectionCode: aws_rbi_itf_nbfc
-Children:
- - aws_rbi_itf_nbfc_3
- - aws_rbi_itf_nbfc_4
- - aws_rbi_itf_nbfc_6
- - aws_rbi_itf_nbfc_8
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml
new file mode 100644
index 000000000..75f432368
--- /dev/null
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls.yaml
@@ -0,0 +1,57 @@
+framework:
+ id: azure_all_controls
+ title: All Controls
+ description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices.
+ section-code: azure_all_controls
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_all_controls_activedirectory
+ - id: azure_all_controls_apimanagement
+ - id: azure_all_controls_appconfiguration
+ - id: azure_all_controls_appservice
+ - id: azure_all_controls_automation
+ - id: azure_all_controls_batch
+ - id: azure_all_controls_cognitivesearch
+ - id: azure_all_controls_cognitiveservice
+ - id: azure_all_controls_compute
+ - id: azure_all_controls_containerinstance
+ - id: azure_all_controls_containerregistry
+ - id: azure_all_controls_cosmosdb
+ - id: azure_all_controls_databoxedge
+ - id: azure_all_controls_datafactory
+ - id: azure_all_controls_datalakeanalytics
+ - id: azure_all_controls_datalakestore
+ - id: azure_all_controls_eventgrid
+ - id: azure_all_controls_eventhub
+ - id: azure_all_controls_frontdoor
+ - id: azure_all_controls_hdinsight
+ - id: azure_all_controls_healthcare
+ - id: azure_all_controls_hpccache
+ - id: azure_all_controls_iothub
+ - id: azure_all_controls_keyvault
+ - id: azure_all_controls_kubernetes
+ - id: azure_all_controls_kusto
+ - id: azure_all_controls_logic
+ - id: azure_all_controls_machinelearning
+ - id: azure_all_controls_mariadb
+ - id: azure_all_controls_monitor
+ - id: azure_all_controls_mysql
+ - id: azure_all_controls_network
+ - id: azure_all_controls_postgres
+ - id: azure_all_controls_recoveryservice
+ - id: azure_all_controls_redis
+ - id: azure_all_controls_securitycenter
+ - id: azure_all_controls_servicebus
+ - id: azure_all_controls_servicefabric
+ - id: azure_all_controls_signalr
+ - id: azure_all_controls_springcloud
+ - id: azure_all_controls_sql
+ - id: azure_all_controls_storage
+ - id: azure_all_controls_storagesync
+ - id: azure_all_controls_streamanalytics
+ - id: azure_all_controls_synapse
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
index df991e085..aeaff8fc5 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_activedirectory.yaml
@@ -1,23 +1,28 @@
-ID: azure_all_controls_activedirectory
-Title: Active Directory
-Description: This section contains recommendations for configuring Active Directory resources.
-SectionCode: activedirectory
-Children: []
-Controls:
- - azure_ad_guest_user_reviewed_monthly
- - azure_iam_conditional_access_mfa_enabled
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_no_custom_subscription_owner_roles_created
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
- - azure_iam_subscriptions_with_custom_roles_no_overly_permissive
- - azure_iam_user_no_built_in_contributor_role
- - azure_iam_user_not_allowed_to_create_security_group
- - azure_iam_user_not_allowed_to_create_tenants
- - azure_iam_user_not_allowed_to_register_application
-Tags: {}
+control-group:
+ id: azure_all_controls_activedirectory
+ title: Active Directory
+ description: This section contains recommendations for configuring Active Directory resources.
+ section-code: activedirectory
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_ad_guest_user_reviewed_monthly
+ - azure_iam_conditional_access_mfa_enabled
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_no_custom_subscription_owner_roles_created
+ - azure_iam_subscription_owner_max_3
+ - azure_iam_subscription_owner_more_than_1
+ - azure_iam_subscriptions_with_custom_roles_no_overly_permissive
+ - azure_iam_user_no_built_in_contributor_role
+ - azure_iam_user_not_allowed_to_create_security_group
+ - azure_iam_user_not_allowed_to_create_tenants
+ - azure_iam_user_not_allowed_to_register_application
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
index cfcb3ff7f..97ecae914 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_apimanagement.yaml
@@ -1,9 +1,14 @@
-ID: azure_all_controls_apimanagement
-Title: API Management
-Description: This section contains recommendations for configuring API Management resources.
-SectionCode: apimanagement
-Children: []
-Controls:
- - azure_apimanagement_service_client_certificate_enabled
- - azure_apimanagement_service_with_virtual_network
-Tags: {}
+control-group:
+ id: azure_all_controls_apimanagement
+ title: API Management
+ description: This section contains recommendations for configuring API Management resources.
+ section-code: apimanagement
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_client_certificate_enabled
+ - azure_apimanagement_service_with_virtual_network
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
index 9819565a0..3b8077ae4 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appconfiguration.yaml
@@ -1,10 +1,15 @@
-ID: azure_all_controls_appconfiguration
-Title: App Configuration
-Description: This section contains recommendations for configuring App Configuration resources.
-SectionCode: appconfiguration
-Children: []
-Controls:
- - azure_app_configuration_encryption_enabled
- - azure_app_configuration_private_link_used
- - azure_app_configuration_sku_standard
-Tags: {}
+control-group:
+ id: azure_all_controls_appconfiguration
+ title: App Configuration
+ description: This section contains recommendations for configuring App Configuration resources.
+ section-code: appconfiguration
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_app_configuration_encryption_enabled
+ - azure_app_configuration_private_link_used
+ - azure_app_configuration_sku_standard
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
index adbb063f9..55612c5b2 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_appservice.yaml
@@ -1,51 +1,56 @@
-ID: azure_all_controls_appservice
-Title: App Service
-Description: This section contains recommendations for configuring App Service resources.
-SectionCode: appservice
-Children: []
-Controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_appservice_api_app_client_certificates_on
- - azure_appservice_api_app_cors_no_star
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_api_app_use_https
- - azure_appservice_api_app_uses_managed_identity
- - azure_appservice_authentication_enabled
- - azure_appservice_ftp_deployment_disabled
- - azure_appservice_function_app_authentication_on
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_ftps_enabled
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_function_app_latest_java_version
- - azure_appservice_function_app_latest_python_version
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_appservice_function_app_restrict_public_acces
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_plan_minimum_sku
- - azure_appservice_web_app_always_on
- - azure_appservice_web_app_client_certificates_on
- - azure_appservice_web_app_cors_no_star
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_appservice_web_app_failed_request_tracing_enabled
- - azure_appservice_web_app_ftps_enabled
- - azure_appservice_web_app_health_check_enabled
- - azure_appservice_web_app_http_logs_enabled
- - azure_appservice_web_app_incoming_client_cert_on
- - azure_appservice_web_app_latest_dotnet_framework_version
- - azure_appservice_web_app_latest_http_version
- - azure_appservice_web_app_latest_java_version
- - azure_appservice_web_app_latest_php_version
- - azure_appservice_web_app_latest_python_version
- - azure_appservice_web_app_latest_tls_version
- - azure_appservice_web_app_register_with_active_directory_enabled
- - azure_appservice_web_app_remote_debugging_disabled
- - azure_appservice_web_app_slot_use_https
- - azure_appservice_web_app_use_https
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_appservice_web_app_uses_managed_identity
-Tags: {}
+control-group:
+ id: azure_all_controls_appservice
+ title: App Service
+ description: This section contains recommendations for configuring App Service resources.
+ section-code: appservice
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_app_service_environment_internal_encryption_enabled
+ - azure_appservice_api_app_client_certificates_on
+ - azure_appservice_api_app_cors_no_star
+ - azure_appservice_api_app_ftps_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_api_app_use_https
+ - azure_appservice_api_app_uses_managed_identity
+ - azure_appservice_authentication_enabled
+ - azure_appservice_ftp_deployment_disabled
+ - azure_appservice_function_app_authentication_on
+ - azure_appservice_function_app_client_certificates_on
+ - azure_appservice_function_app_cors_no_star
+ - azure_appservice_function_app_ftps_enabled
+ - azure_appservice_function_app_latest_http_version
+ - azure_appservice_function_app_latest_java_version
+ - azure_appservice_function_app_latest_python_version
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_appservice_function_app_restrict_public_acces
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_plan_minimum_sku
+ - azure_appservice_web_app_always_on
+ - azure_appservice_web_app_client_certificates_on
+ - azure_appservice_web_app_cors_no_star
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_appservice_web_app_failed_request_tracing_enabled
+ - azure_appservice_web_app_ftps_enabled
+ - azure_appservice_web_app_health_check_enabled
+ - azure_appservice_web_app_http_logs_enabled
+ - azure_appservice_web_app_incoming_client_cert_on
+ - azure_appservice_web_app_latest_dotnet_framework_version
+ - azure_appservice_web_app_latest_http_version
+ - azure_appservice_web_app_latest_java_version
+ - azure_appservice_web_app_latest_php_version
+ - azure_appservice_web_app_latest_python_version
+ - azure_appservice_web_app_latest_tls_version
+ - azure_appservice_web_app_register_with_active_directory_enabled
+ - azure_appservice_web_app_remote_debugging_disabled
+ - azure_appservice_web_app_slot_use_https
+ - azure_appservice_web_app_use_https
+ - azure_appservice_web_app_use_virtual_service_endpoint
+ - azure_appservice_web_app_uses_managed_identity
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml
index 49fca190a..5c3af41de 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_automation.yaml
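Review bot: `azure_appservice_function_app_restrict_public_acces` is re-emitted in the new `controls:` list with what looks like a truncated id (`acces`); it is carried over from the old side rather than introduced here, but if the control definition is spelled `..._access` this group silently references a control that does not exist, and the same question applies to `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` and `azure_compute_vm_restrict_previous_24_passwords_resuse_windows` in the compute hunk. Whether the loader rejects or ignores unknown control ids is not visible in this diff, so verify the three ids against the control definitions while these files are being rewritten anyway. If they really are spelled that way in the definitions, leave them as they are, since renaming an id here alone would break every other framework that references it.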
@@ -1,8 +1,13 @@
-ID: azure_all_controls_automation
-Title: Automation
-Description: This section contains recommendations for configuring Automation resources.
-SectionCode: automation
-Children: []
-Controls:
- - azure_automation_account_variable_encryption_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_automation
+ title: Automation
+ description: This section contains recommendations for configuring Automation resources.
+ section-code: automation
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_automation_account_variable_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml
index ef43d26d2..f94c0b3b2 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_batch.yaml
@@ -1,10 +1,15 @@
-ID: azure_all_controls_batch
-Title: Batch
-Description: This section contains recommendations for configuring Batch resources.
-SectionCode: batch
-Children: []
-Controls:
- - azure_batch_account_encrypted_with_cmk
- - azure_batch_account_identity_provider_enabled
- - azure_batch_account_logging_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_batch
+ title: Batch
+ description: This section contains recommendations for configuring Batch resources.
+ section-code: batch
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_batch_account_encrypted_with_cmk
+ - azure_batch_account_identity_provider_enabled
+ - azure_batch_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
index 4fd9a9030..3bc224fc2 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitivesearch.yaml
@@ -1,13 +1,18 @@
-ID: azure_all_controls_cognitivesearch
-Title: Cognitive Search
-Description: This section contains recommendations for configuring Cognitive Search resources.
-SectionCode: cognitivesearch
-Children: []
-Controls:
- - azure_search_service_logging_enabled
- - azure_search_service_public_network_access_disabled
- - azure_search_service_replica_count_3
- - azure_search_service_uses_managed_identity
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
-Tags: {}
+control-group:
+ id: azure_all_controls_cognitivesearch
+ title: Cognitive Search
+ description: This section contains recommendations for configuring Cognitive Search resources.
+ section-code: cognitivesearch
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_search_service_logging_enabled
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_replica_count_3
+ - azure_search_service_uses_managed_identity
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
index bdbc0c906..32a27f884 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cognitiveservice.yaml
@@ -1,12 +1,17 @@
-ID: azure_all_controls_cognitiveservice
-Title: Cognitive Services
-Description: This section contains recommendations for configuring Cognitive Services resources.
-SectionCode: cognitiveservice
-Children: []
-Controls:
- - azure_cognitive_account_encrypted_with_cmk
- - azure_cognitive_account_private_link_used
- - azure_cognitive_account_public_network_access_disabled
- - azure_cognitive_account_restrict_public_access
- - azure_cognitive_service_local_auth_disabled
-Tags: {}
+control-group:
+ id: azure_all_controls_cognitiveservice
+ title: Cognitive Services
+ description: This section contains recommendations for configuring Cognitive Services resources.
+ section-code: cognitiveservice
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cognitive_account_encrypted_with_cmk
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_account_public_network_access_disabled
+ - azure_cognitive_account_restrict_public_access
+ - azure_cognitive_service_local_auth_disabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
index 01c783c6a..3a44fdcda 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_compute.yaml
@@ -1,57 +1,62 @@
-ID: azure_all_controls_compute
-Title: Compute
-Description: This section contains recommendations for configuring Compute resources.
-SectionCode: compute
-Children: []
-Controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_disk_access_uses_private_link
- - azure_compute_disk_unattached_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- - azure_compute_unattached_disk_encrypted_with_cmk
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_data_and_os_disk_uses_managed_disk
- - azure_compute_vm_disaster_recovery_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_log_analytics_agent_installed_windows
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_max_password_age_70_days_windows
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_compute_vm_min_password_age_1_day_windows
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_password_complexity_setting_enabled_windows
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_compute_vm_scale_set_automatic_upgrade_enabled
- - azure_compute_vm_scale_set_boot_diagnostics_enabled
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_compute_vm_scale_set_logging_enabled
- - azure_compute_vm_scale_set_uses_managed_disks
- - azure_compute_vm_scale_set_ssh_key_authentication_linux
- - azure_compute_vm_secure_communication_protocols_configured
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_compute_vm_uses_azure_resource_manager
- - azure_compute_vm_utilizing_managed_disk
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_network_interface_ip_forwarding_disabled
-Tags: {}
+control-group:
+ id: azure_all_controls_compute
+ title: Compute
+ description: This section contains recommendations for configuring Compute resources.
+ section-code: compute
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_disk_unattached_encrypted_with_cmk
+ - azure_compute_os_and_data_disk_encrypted_with_cmk
+ - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
+ - azure_compute_unattached_disk_encrypted_with_cmk
+ - azure_compute_vm_account_with_password_linux
+ - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_data_and_os_disk_uses_managed_disk
+ - azure_compute_vm_disaster_recovery_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_log_analytics_agent_installed_windows
+ - azure_compute_vm_malware_agent_automatic_upgrade_enabled
+ - azure_compute_vm_malware_agent_installed
+ - azure_compute_vm_max_password_age_70_days_windows
+ - azure_compute_vm_meet_security_baseline_requirements_linux
+ - azure_compute_vm_meet_security_baseline_requirements_windows
+ - azure_compute_vm_min_password_age_1_day_windows
+ - azure_compute_vm_min_password_length_14_windows
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_password_complexity_setting_enabled_windows
+ - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
+ - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+ - azure_compute_vm_scale_set_automatic_upgrade_enabled
+ - azure_compute_vm_scale_set_boot_diagnostics_enabled
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_compute_vm_scale_set_logging_enabled
+ - azure_compute_vm_scale_set_uses_managed_disks
+ - azure_compute_vm_scale_set_ssh_key_authentication_linux
+ - azure_compute_vm_secure_communication_protocols_configured
+ - azure_compute_vm_ssh_key_authentication_linux
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_compute_vm_uses_azure_resource_manager
+ - azure_compute_vm_utilizing_managed_disk
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_network_interface_ip_forwarding_disabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml
index 7a1b77481..c718a233e 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerinstance.yaml
@@ -1,11 +1,16 @@
-ID: azure_all_controls_containerinstance
-Title: Container Instance
-Description: This section contains recommendations for configuring Container Instance resources.
-SectionCode: containerinstance
-Children: []
-Controls:
- - azure_container_instance_container_group_encrypted_using_cmk
- - azure_container_instance_container_group_identity_provider_enabled
- - azure_container_instance_container_group_in_virtual_network
- - azure_container_instance_container_group_secured_environment_variable
-Tags: {}
+control-group:
+ id: azure_all_controls_containerinstance
+ title: Container Instance
+ description: This section contains recommendations for configuring Container Instance resources.
+ section-code: containerinstance
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_container_instance_container_group_encrypted_using_cmk
+ - azure_container_instance_container_group_identity_provider_enabled
+ - azure_container_instance_container_group_in_virtual_network
+ - azure_container_instance_container_group_secured_environment_variable
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
index e3a405c23..1c861f0f8 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_containerregistry.yaml
@@ -1,17 +1,22 @@
-ID: azure_all_controls_containerregistry
-Title: Container Registry
-Description: This section contains recommendations for configuring Container Registry resources.
-SectionCode: containerregistry
-Children: []
-Controls:
- - azure_container_registry_admin_user_disabled
- - azure_container_registry_encrypted_with_cmk
- - azure_container_registry_geo_replication_enabled
- - azure_container_registry_public_network_access_disabled
- - azure_container_registry_quarantine_policy_enabled
- - azure_container_registry_restrict_public_access
- - azure_container_registry_retention_policy_enabled
- - azure_container_registry_trust_policy_enabled
- - azure_container_registry_use_virtual_service_endpoint
- - azure_container_registry_uses_private_link
-Tags: {}
+control-group:
+ id: azure_all_controls_containerregistry
+ title: Container Registry
+ description: This section contains recommendations for configuring Container Registry resources.
+ section-code: containerregistry
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_container_registry_admin_user_disabled
+ - azure_container_registry_encrypted_with_cmk
+ - azure_container_registry_geo_replication_enabled
+ - azure_container_registry_public_network_access_disabled
+ - azure_container_registry_quarantine_policy_enabled
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_retention_policy_enabled
+ - azure_container_registry_trust_policy_enabled
+ - azure_container_registry_use_virtual_service_endpoint
+ - azure_container_registry_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
index 2558560a7..acd49c70e 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_cosmosdb.yaml
@@ -1,14 +1,19 @@
-ID: azure_all_controls_cosmosdb
-Title: Cosmos DB
-Description: This section contains recommendations for configuring CosmosDB resources.
-SectionCode: cosmosdb
-Children: []
-Controls:
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_cosmosdb_account_key_based_metadata_write_access_disabled
- - azure_cosmosdb_account_uses_aad_and_rbac
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_virtual_network_filter_enabled
- - azure_cosmosdb_account_with_firewall_rules
- - azure_cosmosdb_use_virtual_service_endpoint
-Tags: {}
+control-group:
+ id: azure_all_controls_cosmosdb
+ title: Cosmos DB
+ description: This section contains recommendations for configuring CosmosDB resources.
+ section-code: cosmosdb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cosmosdb_account_encryption_at_rest_using_cmk
+ - azure_cosmosdb_account_key_based_metadata_write_access_disabled
+ - azure_cosmosdb_account_uses_aad_and_rbac
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_virtual_network_filter_enabled
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_cosmosdb_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
index 45adb0dc8..140fb2ac4 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_databoxedge.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_databoxedge
-Title: Data Box
-Description: This section contains recommendations for configuring Data Box resources.
-SectionCode: databoxedge
-Children: []
-Controls:
- - azure_databox_edge_device_double_encryption_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_databoxedge
+ title: Data Box
+ description: This section contains recommendations for configuring Data Box resources.
+ section-code: databoxedge
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_databox_edge_device_double_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
index 923c47de0..4d63393f6 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datafactory.yaml
@@ -1,11 +1,16 @@
-ID: azure_all_controls_datafactory
-Title: Data Factory
-Description: This section contains recommendations for configuring Data Factory resources.
-SectionCode: datafactory
-Children: []
-Controls:
- - azure_data_factory_encrypted_with_cmk
- - azure_data_factory_public_network_access_disabled
- - azure_data_factory_uses_git_repository
- - azure_data_factory_uses_private_link
-Tags: {}
+control-group:
+ id: azure_all_controls_datafactory
+ title: Data Factory
+ description: This section contains recommendations for configuring Data Factory resources.
+ section-code: datafactory
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_data_factory_encrypted_with_cmk
+ - azure_data_factory_public_network_access_disabled
+ - azure_data_factory_uses_git_repository
+ - azure_data_factory_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
index 74cdf1bf9..d677ab9ec 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakeanalytics.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_datalakeanalytics
-Title: Data Lake Analytics
-Description: This section contains recommendations for configuring Data Lake Analytics resources.
-SectionCode: datalakeanalytics
-Children: []
-Controls:
- - azure_datalake_analytics_account_logging_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_datalakeanalytics
+ title: Data Lake Analytics
+ description: This section contains recommendations for configuring Data Lake Analytics resources.
+ section-code: datalakeanalytics
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_datalake_analytics_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
index c5c1389c8..d1e3088c0 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_datalakestore.yaml
@@ -1,9 +1,14 @@
-ID: azure_all_controls_datalakestore
-Title: Data Lake Storage
-Description: This section contains recommendations for configuring Data Lake Storage resources.
-SectionCode: datalakestore
-Children: []
-Controls:
- - azure_datalake_store_account_encryption_enabled
- - azure_datalake_store_account_logging_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_datalakestore
+ title: Data Lake Storage
+ description: This section contains recommendations for configuring Data Lake Storage resources.
+ section-code: datalakestore
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_datalake_store_account_encryption_enabled
+ - azure_datalake_store_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
index 12a560d58..fd5aa9122 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventgrid.yaml
@@ -1,13 +1,18 @@
-ID: azure_all_controls_eventgrid
-Title: Event Grid
-Description: This section contains recommendations for configuring Event Grid resources.
-SectionCode: eventgrid
-Children: []
-Controls:
- - azure_eventgrid_domain_identity_provider_enabled
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_domain_restrict_public_access
- - azure_eventgrid_topic_identity_provider_enabled
- - azure_eventgrid_topic_local_auth_enabled
- - azure_eventgrid_topic_private_link_used
-Tags: {}
+control-group:
+ id: azure_all_controls_eventgrid
+ title: Event Grid
+ description: This section contains recommendations for configuring Event Grid resources.
+ section-code: eventgrid
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_eventgrid_domain_identity_provider_enabled
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_domain_restrict_public_access
+ - azure_eventgrid_topic_identity_provider_enabled
+ - azure_eventgrid_topic_local_auth_enabled
+ - azure_eventgrid_topic_private_link_used
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
index c1f288055..adbc9b615 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_eventhub.yaml
@@ -1,11 +1,16 @@
-ID: azure_all_controls_eventhub
-Title: Event Hub
-Description: This section contains recommendations for configuring Event Hub resources.
-SectionCode: eventhub
-Children: []
-Controls:
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_eventhub_namespace_private_link_used
- - azure_eventhub_namespace_use_virtual_service_endpoint
-Tags: {}
+control-group:
+ id: azure_all_controls_eventhub
+ title: Event Hub
+ description: This section contains recommendations for configuring Event Hub resources.
+ section-code: eventhub
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_eventhub_namespace_cmk_encryption_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_eventhub_namespace_private_link_used
+ - azure_eventhub_namespace_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
index d49a4bb7f..437f29021 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_frontdoor.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_frontdoor
-Title: Front Door
-Description: This section contains recommendations for configuring Front Door resources.
-SectionCode: frontdoor
-Children: []
-Controls:
- - azure_frontdoor_waf_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_frontdoor
+ title: Front Door
+ description: This section contains recommendations for configuring Front Door resources.
+ section-code: frontdoor
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_frontdoor_waf_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
index 51dc64fda..7e1051ab8 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hdinsight.yaml
@@ -1,10 +1,15 @@
-ID: azure_all_controls_hdinsight
-Title: HDInsight
-Description: This section contains recommendations for configuring HDInsight resources.
-SectionCode: hdinsight
-Children: []
-Controls:
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_hdinsight_cluster_encryption_in_transit_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_hdinsight
+ title: HDInsight
+ description: This section contains recommendations for configuring HDInsight resources.
+ section-code: hdinsight
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+ - azure_hdinsight_cluster_encryption_at_host_enabled
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
index 735aefbc0..dd175002f 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_healthcare.yaml
@@ -1,9 +1,14 @@
-ID: azure_all_controls_healthcare
-Title: HealthcareAPIs
-Description: This section contains recommendations for configuring HealthcareAPIs resources.
-SectionCode: healthcare
-Children: []
-Controls:
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_healthcare_fhir_uses_private_link
-Tags: {}
+control-group:
+ id: azure_all_controls_healthcare
+ title: HealthcareAPIs
+ description: This section contains recommendations for configuring HealthcareAPIs resources.
+ section-code: healthcare
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+ - azure_healthcare_fhir_uses_private_link
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
index d7349fa0c..723b07e1c 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_hpccache.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_hpccache
-Title: HPC Cache
-Description: This section contains recommendations for configuring HPC Cache resources.
-SectionCode: hpccache
-Children: []
-Controls:
- - azure_hpc_cache_encrypted_with_cmk
-Tags: {}
+control-group:
+ id: azure_all_controls_hpccache
+ title: HPC Cache
+ description: This section contains recommendations for configuring HPC Cache resources.
+ section-code: hpccache
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_hpc_cache_encrypted_with_cmk
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
index 7e922e818..b4387d9cd 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_iothub.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_iothub
-Title: IoT Hub
-Description: This section contains recommendations for configuring IoT Hub resources.
-SectionCode: iothub
-Children: []
-Controls:
- - azure_iot_hub_logging_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_iothub
+ title: IoT Hub
+ description: This section contains recommendations for configuring IoT Hub resources.
+ section-code: iothub
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iot_hub_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml
index 5fb062cef..a4054f5e6 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_keyvault.yaml
@@ -1,24 +1,29 @@
-ID: azure_all_controls_keyvault
-Title: Key Vault
-Description: This section contains recommendations for configuring Key Vault resources.
-SectionCode: keyvault
-Children: []
-Controls:
- - azure_keyvault_firewall_enabled
- - azure_keyvault_key_expiration_set
- - azure_keyvault_logging_enabled
- - azure_keyvault_managed_hms_logging_enabled
- - azure_keyvault_managed_hms_purge_protection_enabled
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_rbac_enabled
- - azure_keyvault_secret_expiration_set
- - azure_keyvault_soft_delete_enabled
- - azure_keyvault_vault_private_link_used
- - azure_keyvault_vault_public_network_access_disabled
- - azure_keyvault_vault_recoverable
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_keyvault_with_non_rbac_key_expiration_set
- - azure_keyvault_with_non_rbac_secret_expiration_set
- - azure_keyvault_with_rbac_key_expiration_set
- - azure_keyvault_with_rbac_secret_expiration_set
-Tags: {}
+control-group:
+ id: azure_all_controls_keyvault
+ title: Key Vault
+ description: This section contains recommendations for configuring Key Vault resources.
+ section-code: keyvault
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_key_expiration_set
+ - azure_keyvault_logging_enabled
+ - azure_keyvault_managed_hms_logging_enabled
+ - azure_keyvault_managed_hms_purge_protection_enabled
+ - azure_keyvault_purge_protection_enabled
+ - azure_keyvault_rbac_enabled
+ - azure_keyvault_secret_expiration_set
+ - azure_keyvault_soft_delete_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_keyvault_vault_public_network_access_disabled
+ - azure_keyvault_vault_recoverable
+ - azure_keyvault_vault_use_virtual_service_endpoint
+ - azure_keyvault_with_non_rbac_key_expiration_set
+ - azure_keyvault_with_non_rbac_secret_expiration_set
+ - azure_keyvault_with_rbac_key_expiration_set
+ - azure_keyvault_with_rbac_secret_expiration_set
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
index a063b4e09..4ecada2d6 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kubernetes.yaml
@@ -1,24 +1,29 @@
-ID: azure_all_controls_kubernetes
-Title: Kubernetes Service
-Description: This section contains recommendations for configuring Kubernetes Service resources.
-SectionCode: kubernetes
-Children: []
-Controls:
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
- - azure_kubernetes_cluster_addon_azure_policy_enabled
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_kubernetes_cluster_http_application_routing_disabled
- - azure_kubernetes_cluster_key_vault_secret_rotation_enabled
- - azure_kubernetes_cluster_logging_enabled
- - azure_kubernetes_cluster_max_pod_50
- - azure_kubernetes_cluster_network_plugin_azure
- - azure_kubernetes_cluster_network_policy_enabled
- - azure_kubernetes_cluster_node_restrict_public_access
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kubernetes_cluster_restrict_public_access
- - azure_kubernetes_cluster_sku_standard
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kubernetes_cluster_upgrade_channel
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_kubernetes_instance_rbac_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_kubernetes
+ title: Kubernetes Service
+ description: This section contains recommendations for configuring Kubernetes Service resources.
+ section-code: kubernetes
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_kubernetes_cluster_add_on_azure_policy_enabled
+ - azure_kubernetes_cluster_addon_azure_policy_enabled
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_kubernetes_cluster_http_application_routing_disabled
+ - azure_kubernetes_cluster_key_vault_secret_rotation_enabled
+ - azure_kubernetes_cluster_logging_enabled
+ - azure_kubernetes_cluster_max_pod_50
+ - azure_kubernetes_cluster_network_plugin_azure
+ - azure_kubernetes_cluster_network_policy_enabled
+ - azure_kubernetes_cluster_node_restrict_public_access
+ - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+ - azure_kubernetes_cluster_restrict_public_access
+ - azure_kubernetes_cluster_sku_standard
+ - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+ - azure_kubernetes_cluster_upgrade_channel
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+ - azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
index c357e336f..382cd4cfe 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_kusto.yaml
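Review bot: The new `controls` list carries both `azure_kubernetes_cluster_add_on_azure_policy_enabled` and `azure_kubernetes_cluster_addon_azure_policy_enabled`, which by name look like two IDs for the same Azure Policy add-on check; if one is a leftover alias, the group will evaluate and report the same finding twice. Both IDs were in the old list too, so this is pre-existing, but the restructure is the moment to confirm that two distinct control definitions exist and to drop the stale one if they do not. If both are intentionally kept, a short comment above the pair (for example `# two IDs kept for backwards compatibility; same check`) would stop the next reader from asking the same question. This hunk starts on the previous line.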
@@ -1,11 +1,16 @@
-ID: azure_all_controls_kusto
-Title: Data Explorer
-Description: This section contains recommendations for configuring Data Explorer resources.
-SectionCode: kusto
-Children: []
-Controls:
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_kusto_cluster_sku_with_sla
-Tags: {}
+control-group:
+ id: azure_all_controls_kusto
+ title: Data Explorer
+ description: This section contains recommendations for configuring Data Explorer resources.
+ section-code: kusto
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_kusto_cluster_disk_encryption_enabled
+ - azure_kusto_cluster_double_encryption_enabled
+ - azure_kusto_cluster_encrypted_at_rest_with_cmk
+ - azure_kusto_cluster_sku_with_sla
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
index e73053622..788479425 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_logic.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_logic
-Title: Logic
-Description: This section contains recommendations for configuring Logic resources.
-SectionCode: logic
-Children: []
-Controls:
- - azure_logic_app_workflow_logging_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_logic
+ title: Logic
+ description: This section contains recommendations for configuring Logic resources.
+ section-code: logic
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_logic_app_workflow_logging_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
index 2f61cc086..a7fe0711b 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_machinelearning.yaml
@@ -1,8 +1,13 @@
-ID: azure_all_controls_machinelearning
-Title: Machine Learning
-Description: This section contains recommendations for configuring Machine Learning resources.
-SectionCode: machinelearning
-Children: []
-Controls:
- - azure_machine_learning_workspace_encrypted_with_cmk
-Tags: {}
+control-group:
+ id: azure_all_controls_machinelearning
+ title: Machine Learning
+ description: This section contains recommendations for configuring Machine Learning resources.
+ section-code: machinelearning
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_machine_learning_workspace_encrypted_with_cmk
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
index 357afb533..9f74ac6c6 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mariadb.yaml
@@ -1,10 +1,15 @@
-ID: azure_all_controls_mariadb
-Title: MariaDB
-Description: This section contains recommendations for configuring MariaDB resources.
-SectionCode: mariadb
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mariadb_server_public_network_access_disabled
- - azure_mariadb_server_ssl_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_mariadb
+ title: MariaDB
+ description: This section contains recommendations for configuring MariaDB resources.
+ section-code: mariadb
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mariadb_server_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
index e74e7d770..e76c4c186 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_monitor.yaml
@@ -1,31 +1,36 @@
-ID: azure_all_controls_monitor
-Title: Monitor
-Description: This section contains recommendations for configuring Monitor resources.
-SectionCode: monitor
-Children: []
-Controls:
- - azure_application_insights_block_log_ingestion_and_querying_from_public
- - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
- - azure_log_analytics_workspace_block_non_azure_ingestion
- - azure_log_profile_enabled_for_all_subscription
- - azure_monitor_diagnostic_settings_captures_proper_categories
- - azure_monitor_log_alert_create_policy_assignment
- - azure_monitor_log_alert_create_update_nsg
- - azure_monitor_log_alert_create_update_nsg_rule
- - azure_monitor_log_alert_create_update_public_ip_address
- - azure_monitor_log_alert_create_update_security_solution
- - azure_monitor_log_alert_create_update_sql_servers_firewall_rule
- - azure_monitor_log_alert_delete_nsg
- - azure_monitor_log_alert_delete_nsg_rule
- - azure_monitor_log_alert_delete_policy_assignment
- - azure_monitor_log_alert_delete_public_ip_address
- - azure_monitor_log_alert_delete_security_solution
- - azure_monitor_log_alert_delete_sql_servers_firewall_rule
- - azure_monitor_log_alert_for_administrative_operations
- - azure_monitor_log_alert_sql_firewall_rule
- - azure_monitor_log_profile_enabled_for_all_categories
- - azure_monitor_log_profile_enabled_for_all_regions
- - azure_monitor_log_profile_retention_365_days
- - azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible
- - azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible
-Tags: {}
+control-group:
+ id: azure_all_controls_monitor
+ title: Monitor
+ description: This section contains recommendations for configuring Monitor resources.
+ section-code: monitor
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_application_insights_block_log_ingestion_and_querying_from_public
+ - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
+ - azure_log_analytics_workspace_block_non_azure_ingestion
+ - azure_log_profile_enabled_for_all_subscription
+ - azure_monitor_diagnostic_settings_captures_proper_categories
+ - azure_monitor_log_alert_create_policy_assignment
+ - azure_monitor_log_alert_create_update_nsg
+ - azure_monitor_log_alert_create_update_nsg_rule
+ - azure_monitor_log_alert_create_update_public_ip_address
+ - azure_monitor_log_alert_create_update_security_solution
+ - azure_monitor_log_alert_create_update_sql_servers_firewall_rule
+ - azure_monitor_log_alert_delete_nsg
+ - azure_monitor_log_alert_delete_nsg_rule
+ - azure_monitor_log_alert_delete_policy_assignment
+ - azure_monitor_log_alert_delete_public_ip_address
+ - azure_monitor_log_alert_delete_security_solution
+ - azure_monitor_log_alert_delete_sql_servers_firewall_rule
+ - azure_monitor_log_alert_for_administrative_operations
+ - azure_monitor_log_alert_sql_firewall_rule
+ - azure_monitor_log_profile_enabled_for_all_categories
+ - azure_monitor_log_profile_enabled_for_all_regions
+ - azure_monitor_log_profile_retention_365_days
+ - azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible
+ - azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
index 110531109..a477962ee 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_mysql.yaml
@@ -1,18 +1,23 @@
-ID: azure_all_controls_mysql
-Title: MySQL
-Description: This section contains recommendations for configuring MySQL resources.
-SectionCode: mysql
-Children: []
-Controls:
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_mysql_server_audit_logging_enabled
- - azure_mysql_server_audit_logging_events_connection_set
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_mysql_server_min_tls_1_2
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_mysql_ssl_enabled
-Tags: {}
+control-group:
+ id: azure_all_controls_mysql
+ title: MySQL
+ description: This section contains recommendations for configuring MySQL resources.
+ section-code: mysql
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_mssql_managed_instance_encryption_at_rest_using_cmk
+ - azure_mssql_managed_instance_vulnerability_assessment_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_mysql_server_audit_logging_enabled
+ - azure_mysql_server_audit_logging_events_connection_set
+ - azure_mysql_server_encrypted_at_rest_using_cmk
+ - azure_mysql_server_infrastructure_encryption_enabled
+ - azure_mysql_server_min_tls_1_2
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_mysql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
index 1c6589863..c3b8be7d1 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_network.yaml
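Review bot: `azure_mssql_managed_instance_encryption_at_rest_using_cmk` and `azure_mssql_managed_instance_vulnerability_assessment_enabled` are SQL Managed Instance controls sitting at the top of the MySQL group's `controls` list (`section-code: mysql`, `title: MySQL`), so any report or assignment keyed on this section will attribute managed-instance findings to MySQL. They were in the old list as well, but this restructure is the natural point to move them to the SQL group if this framework has one; I cannot see that from this chunk. If there is no better home, a comment above the pair such as `# SQL Managed Instance controls; kept here pending a dedicated sql group` at least makes the placement deliberate rather than accidental.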
@@ -1,49 +1,54 @@
-ID: azure_all_controls_network
-Title: Network
-Description: This section contains recommendations for configuring Network resources.
-SectionCode: network
-Children: []
-Controls:
- - azure_application_gateway_waf_enabled
- - azure_application_gateway_waf_uses_specified_mode
- - azure_network_bastion_host_min_1
- - azure_network_ddos_enabled
- - azure_network_lb_no_basic_sku
- - azure_network_network_peering_connected
- - azure_network_public_ip_no_basic_sku
- - azure_network_security_group_diagnostic_setting_deployed
- - azure_network_security_group_https_access_restricted
- - azure_network_security_group_not_configured_gateway_subnets
- - azure_network_security_group_outbound_access_restricted
- - azure_network_security_group_rdp_access_restricted
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_restrict_inbound_icmp_port
- - azure_network_security_group_restrict_inbound_tcp_port_135
- - azure_network_security_group_restrict_inbound_tcp_port_1433
- - azure_network_security_group_restrict_inbound_tcp_port_20
- - azure_network_security_group_restrict_inbound_tcp_port_21
- - azure_network_security_group_restrict_inbound_tcp_port_23
- - azure_network_security_group_restrict_inbound_tcp_port_25
- - azure_network_security_group_restrict_inbound_tcp_port_3306
- - azure_network_security_group_restrict_inbound_tcp_port_4333
- - azure_network_security_group_restrict_inbound_tcp_port_445
- - azure_network_security_group_restrict_inbound_tcp_port_53
- - azure_network_security_group_restrict_inbound_tcp_port_5432
- - azure_network_security_group_restrict_inbound_tcp_port_5500
- - azure_network_security_group_restrict_inbound_tcp_port_5900
- - azure_network_security_group_restrict_inbound_udp_port_137
- - azure_network_security_group_restrict_inbound_udp_port_138
- - azure_network_security_group_restrict_inbound_udp_port_1434
- - azure_network_security_group_restrict_inbound_udp_port_445
- - azure_network_security_group_restrict_inbound_udp_port_53
- - azure_network_security_group_ssh_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_network_security_group_udp_service_restricted
- - azure_network_sg_flowlog_enabled
- - azure_network_sg_flowlog_retention_period_greater_than_90
- - azure_network_virtual_network_gateway_no_basic_sku
- - azure_network_watcher_enabled
- - azure_network_watcher_flow_log_enabled
- - azure_network_watcher_flow_log_traffic_analytics_enabled
- - azure_network_watcher_in_regions_with_virtual_network
-Tags: {}
+control-group:
+ id: azure_all_controls_network
+ title: Network
+ description: This section contains recommendations for configuring Network resources.
+ section-code: network
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_application_gateway_waf_enabled
+ - azure_application_gateway_waf_uses_specified_mode
+ - azure_network_bastion_host_min_1
+ - azure_network_ddos_enabled
+ - azure_network_lb_no_basic_sku
+ - azure_network_network_peering_connected
+ - azure_network_public_ip_no_basic_sku
+ - azure_network_security_group_diagnostic_setting_deployed
+ - azure_network_security_group_https_access_restricted
+ - azure_network_security_group_not_configured_gateway_subnets
+ - azure_network_security_group_outbound_access_restricted
+ - azure_network_security_group_rdp_access_restricted
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_restrict_inbound_icmp_port
+ - azure_network_security_group_restrict_inbound_tcp_port_135
+ - azure_network_security_group_restrict_inbound_tcp_port_1433
+ - azure_network_security_group_restrict_inbound_tcp_port_20
+ - azure_network_security_group_restrict_inbound_tcp_port_21
+ - azure_network_security_group_restrict_inbound_tcp_port_23
+ - azure_network_security_group_restrict_inbound_tcp_port_25
+ - azure_network_security_group_restrict_inbound_tcp_port_3306
+ - azure_network_security_group_restrict_inbound_tcp_port_4333
+ - azure_network_security_group_restrict_inbound_tcp_port_445
+ - azure_network_security_group_restrict_inbound_tcp_port_53
+ - azure_network_security_group_restrict_inbound_tcp_port_5432
+ - azure_network_security_group_restrict_inbound_tcp_port_5500
+ - azure_network_security_group_restrict_inbound_tcp_port_5900
+ - azure_network_security_group_restrict_inbound_udp_port_137
+ - azure_network_security_group_restrict_inbound_udp_port_138
+ - azure_network_security_group_restrict_inbound_udp_port_1434
+ - azure_network_security_group_restrict_inbound_udp_port_445
+ - azure_network_security_group_restrict_inbound_udp_port_53
+ - azure_network_security_group_ssh_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_network_security_group_udp_service_restricted
+ - azure_network_sg_flowlog_enabled
+ - azure_network_sg_flowlog_retention_period_greater_than_90
+ - azure_network_virtual_network_gateway_no_basic_sku
+ - azure_network_watcher_enabled
+ - azure_network_watcher_flow_log_enabled
+ - azure_network_watcher_flow_log_traffic_analytics_enabled
+ - azure_network_watcher_in_regions_with_virtual_network
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml
index 35ebc9c93..1d4e85467 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_postgres.yaml
@@ -1,20 +1,25 @@
-ID: azure_all_controls_postgres
-Title: PostgreSQL
-Description: This section contains recommendations for configuring PostgreSQL resources.
-SectionCode: postgres
-Children: []
-Controls:
- - azure_postgres_db_server_allow_access_to_azure_services_disabled
- - azure_postgres_db_server_connection_throttling_on
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_latest_tls_version
- - azure_postgres_db_server_log_checkpoints_on
- - azure_postgres_db_server_log_connections_on
- - azure_postgres_db_server_log_disconnections_on
- - azure_postgres_db_server_log_retention_days_3
- - azure_postgres_server_private_link_used
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_ssl_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_public_network_access_disabled
-Tags: {}
+control-group:
+ id: azure_all_controls_postgres
+ title: PostgreSQL
+ description: This section contains recommendations for configuring PostgreSQL resources.
+ section-code: postgres
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_postgres_db_server_allow_access_to_azure_services_disabled
+ - azure_postgres_db_server_connection_throttling_on
+ - azure_postgres_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_latest_tls_version
+ - azure_postgres_db_server_log_checkpoints_on
+ - azure_postgres_db_server_log_connections_on
+ - azure_postgres_db_server_log_disconnections_on
+ - azure_postgres_db_server_log_retention_days_3
+ - azure_postgres_server_private_link_used
+ - azure_postgres_sql_server_encrypted_at_rest_using_cmk
+ - azure_postgres_sql_ssl_enabled
+ - azure_postgresql_server_infrastructure_encryption_enabled
+ - azure_postgresql_server_public_network_access_disabled
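Review bot: `auto-assign: null` in the new `defaults` block is a different YAML type from the `auto-assign: false` the new framework-level files use and from the `AutoAssign: false` the deleted root.yaml carried, so a loader that expects a boolean may reject it or fall back to an unintended default. If null is deliberately a third state meaning "inherit from the parent", a comment on the line, `auto-assign: null  # inherit from the parent group/framework`, would record that; otherwise `auto-assign: false` keeps the groups consistent with the framework files. The same line appears in every control-group hunk in this range (recoveryservice, redis, securitycenter, servicebus, servicefabric, signalr, springcloud, sql, storage, storagesync, streamanalytics, synapse and the azure_cis_v130 section groups), so whichever choice is made should be applied across them.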
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml
index 9936e0f6d..3446661cd 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_recoveryservice.yaml
@@ -1,10 +1,15 @@
-ID: azure_all_controls_recoveryservice
-Title: Recovery Service
-Description: This section contains recommendations for configuring Recovery Service resources.
-SectionCode: recoveryservice
-Children: []
-Controls:
- - azure_recovery_service_vault_uses_managed_identity
- - azure_recovery_service_vault_uses_private_link
- - azure_recovery_service_vault_uses_private_link_for_backup
-Tags: {}
+control-group:
+ id: azure_all_controls_recoveryservice
+ title: Recovery Service
+ description: This section contains recommendations for configuring Recovery Service resources.
+ section-code: recoveryservice
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_recovery_service_vault_uses_managed_identity
+ - azure_recovery_service_vault_uses_private_link
+ - azure_recovery_service_vault_uses_private_link_for_backup
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml
index 14ce5a07b..29b08c51f 100755
--- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_redis.yaml
@@ -1,12 +1,17 @@ -ID: azure_all_controls_redis -Title: Redis -Description: This section contains recommendations for configuring Redis resources. -SectionCode: redis -Children: [] -Controls: - - azure_redis_cache_ssl_enabled - - azure_redis_cache_uses_private_link - - azure_redis_cache_in_virtual_network - - azure_redis_cache_min_tls_1_2 - - azure_redis_cache_no_basic_sku -Tags: {} +control-group: + id: azure_all_controls_redis + title: Redis + description: This section contains recommendations for configuring Redis resources. + section-code: redis + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_redis_cache_ssl_enabled + - azure_redis_cache_uses_private_link + - azure_redis_cache_in_virtual_network + - azure_redis_cache_min_tls_1_2 + - azure_redis_cache_no_basic_sku diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml index 005a7184b..a8f52e1d1 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_securitycenter.yaml 
@@ -1,31 +1,36 @@ -ID: azure_all_controls_securitycenter -Title: Security Center -Description: This section contains recommendations for configuring Security Center resources. -SectionCode: securitycenter -Children: [] -Controls: - - azure_securitycenter_additional_email_configured - - azure_securitycenter_asc_default_setting_not_disabled - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containerregistry - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_cosmosdb - - azure_securitycenter_azure_defender_on_for_database - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_k8s - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_opensource_relational_db - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_container_image_scan_enabled - - azure_securitycenter_email_configured - - azure_securitycenter_mcas_integration - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_pricing_standard - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_securitycenter_wdatp_integration -Tags: {} +control-group: + id: azure_all_controls_securitycenter + title: Security Center + description: This section contains recommendations for configuring Security Center resources. 
+ section-code: securitycenter + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_securitycenter_additional_email_configured + - azure_securitycenter_asc_default_setting_not_disabled + - azure_securitycenter_automatic_provisioning_monitoring_agent_on + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containerregistry + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_cosmosdb + - azure_securitycenter_azure_defender_on_for_database + - azure_securitycenter_azure_defender_on_for_dns + - azure_securitycenter_azure_defender_on_for_k8s + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_opensource_relational_db + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_sqlservervm + - azure_securitycenter_azure_defender_on_for_storage + - azure_securitycenter_container_image_scan_enabled + - azure_securitycenter_email_configured + - azure_securitycenter_mcas_integration + - azure_securitycenter_notify_alerts_configured + - azure_securitycenter_pricing_standard + - azure_securitycenter_security_alerts_to_owner_enabled + - azure_securitycenter_wdatp_integration diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml index 5003823a2..8b3ccbb0d 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicebus.yaml 
@@ -1,13 +1,18 @@ -ID: azure_all_controls_servicebus -Title: Service Bus -Description: This section contains recommendations for configuring Service Bus resources. -SectionCode: servicebus -Children: [] -Controls: - - azure_servicebus_name_space_private_link_used - - azure_servicebus_namespace_logging_enabled - - azure_servicebus_namespace_azure_ad_authentication_enabled - - azure_servicebus_namespace_no_overly_permissive_network_access - - azure_servicebus_premium_namespace_cmk_encrypted - - azure_servicebus_use_virtual_service_endpoint -Tags: {} +control-group: + id: azure_all_controls_servicebus + title: Service Bus + description: This section contains recommendations for configuring Service Bus resources. + section-code: servicebus + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_servicebus_name_space_private_link_used + - azure_servicebus_namespace_logging_enabled + - azure_servicebus_namespace_azure_ad_authentication_enabled + - azure_servicebus_namespace_no_overly_permissive_network_access + - azure_servicebus_premium_namespace_cmk_encrypted + - azure_servicebus_use_virtual_service_endpoint diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml index f7ed992c1..dac810d01 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_servicefabric.yaml 
@@ -1,9 +1,14 @@ -ID: azure_all_controls_servicefabric -Title: Service Fabric -Description: This section contains recommendations for configuring Service Fabric resources. -SectionCode: servicefabric -Children: [] -Controls: - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign -Tags: {} +control-group: + id: azure_all_controls_servicefabric + title: Service Fabric + description: This section contains recommendations for configuring Service Fabric resources. + section-code: servicefabric + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_servicefabric_cluster_active_directory_authentication_enabled + - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml index 9a9f6f7d4..669dd7068 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_signalr.yaml @@ -1,9 +1,14 @@ -ID: azure_all_controls_signalr -Title: SignalR Service -Description: This section contains recommendations for configuring SignalR Service resources. -SectionCode: signalr -Children: [] -Controls: - - azure_signalr_service_no_free_tier_sku - - azure_signalr_service_private_link_used -Tags: {} +control-group: + id: azure_all_controls_signalr + title: SignalR Service + description: This section contains recommendations for configuring SignalR Service resources. + section-code: signalr + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_signalr_service_no_free_tier_sku + - azure_signalr_service_private_link_used 
diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml index 3991efcdc..3cf5137b2 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_springcloud.yaml @@ -1,8 +1,13 @@ -ID: azure_all_controls_springcloud -Title: Spring Cloud -Description: This section contains recommendations for configuring Spring Cloud resources. -SectionCode: springcloud -Children: [] -Controls: - - azure_spring_cloud_service_network_injection_enabled -Tags: {} +control-group: + id: azure_all_controls_springcloud + title: Spring Cloud + description: This section contains recommendations for configuring Spring Cloud resources. + section-code: springcloud + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_spring_cloud_service_network_injection_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml index 1b2ab2a9b..bec865a16 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_sql.yaml 
@@ -1,28 +1,33 @@ -ID: azure_all_controls_sql -Title: SQL -Description: This section contains recommendations for configuring SQL resources. -SectionCode: sql -Children: [] -Controls: - - azure_sql_database_allow_internet_access - - azure_sql_database_long_term_geo_redundant_backup_enabled - - azure_sql_database_transparent_data_encryption_enabled - - azure_sql_database_vulnerability_findings_resolved - - azure_sql_db_active_directory_admin_configured - - azure_sql_db_public_network_access_disabled - - azure_sql_server_and_databases_va_enabled - - azure_sql_server_atp_enabled - - azure_sql_server_auditing_on - - azure_sql_server_auditing_retention_period_90 - - azure_sql_server_auditing_storage_account_destination_retention_90_days - - azure_sql_server_azure_ad_authentication_enabled - - azure_sql_server_azure_defender_enabled - - azure_sql_server_tde_protector_cmk_encrypted - - azure_sql_server_threat_detection_all_enabled - - azure_sql_server_transparent_data_encryption_enabled - - azure_sql_server_use_virtual_service_endpoint - - azure_sql_server_uses_private_link - - azure_sql_server_va_setting_periodic_scan_enabled - - azure_sql_server_va_setting_reports_notify_admins - - azure_sql_server_va_setting_scan_reports_configured -Tags: {} +control-group: + id: azure_all_controls_sql + title: SQL + description: This section contains recommendations for configuring SQL resources. 
+ section-code: sql + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_sql_database_allow_internet_access + - azure_sql_database_long_term_geo_redundant_backup_enabled + - azure_sql_database_transparent_data_encryption_enabled + - azure_sql_database_vulnerability_findings_resolved + - azure_sql_db_active_directory_admin_configured + - azure_sql_db_public_network_access_disabled + - azure_sql_server_and_databases_va_enabled + - azure_sql_server_atp_enabled + - azure_sql_server_auditing_on + - azure_sql_server_auditing_retention_period_90 + - azure_sql_server_auditing_storage_account_destination_retention_90_days + - azure_sql_server_azure_ad_authentication_enabled + - azure_sql_server_azure_defender_enabled + - azure_sql_server_tde_protector_cmk_encrypted + - azure_sql_server_threat_detection_all_enabled + - azure_sql_server_transparent_data_encryption_enabled + - azure_sql_server_use_virtual_service_endpoint + - azure_sql_server_uses_private_link + - azure_sql_server_va_setting_periodic_scan_enabled + - azure_sql_server_va_setting_reports_notify_admins + - azure_sql_server_va_setting_scan_reports_configured diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml index 80522b581..ed60ea986 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storage.yaml 
@@ -1,27 +1,32 @@ -ID: azure_all_controls_storage -Title: Storage -Description: This section contains recommendations for configuring Storage resources. -SectionCode: storage -Children: [] -Controls: - - azure_storage_account_blob_containers_public_access_private - - azure_storage_account_blob_service_logging_enabled - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_encryption_at_rest_using_cmk - - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk - - azure_storage_account_geo_redundant_enabled - - azure_storage_account_infrastructure_encryption_enabled - - azure_storage_account_blobs_logging_enabled - - azure_storage_account_tables_logging_enabled - - azure_storage_account_min_tls_1_2 - - azure_storage_account_queue_services_logging_enabled - - azure_storage_account_restrict_network_access - - azure_storage_account_secure_transfer_required_enabled - - azure_storage_account_soft_delete_enabled - - azure_storage_account_table_service_logging_enabled - - azure_storage_account_trusted_microsoft_services_enabled - - azure_storage_account_use_virtual_service_endpoint - - azure_storage_account_uses_azure_resource_manager - - azure_storage_account_uses_private_link -Tags: {} +control-group: + id: azure_all_controls_storage + title: Storage + description: This section contains recommendations for configuring Storage resources. 
+ section-code: storage + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_storage_account_blob_containers_public_access_private + - azure_storage_account_blob_service_logging_enabled + - azure_storage_account_block_public_access + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_encryption_at_rest_using_cmk + - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk + - azure_storage_account_geo_redundant_enabled + - azure_storage_account_infrastructure_encryption_enabled + - azure_storage_account_blobs_logging_enabled + - azure_storage_account_tables_logging_enabled + - azure_storage_account_min_tls_1_2 + - azure_storage_account_queue_services_logging_enabled + - azure_storage_account_restrict_network_access + - azure_storage_account_secure_transfer_required_enabled + - azure_storage_account_soft_delete_enabled + - azure_storage_account_table_service_logging_enabled + - azure_storage_account_trusted_microsoft_services_enabled + - azure_storage_account_use_virtual_service_endpoint + - azure_storage_account_uses_azure_resource_manager + - azure_storage_account_uses_private_link diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml index 3e84791bf..4d6a4629d 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_storagesync.yaml 
@@ -1,8 +1,13 @@ -ID: azure_all_controls_storagesync -Title: File Sync -Description: This section contains recommendations for configuring FileSync resources. -SectionCode: storagesync -Children: [] -Controls: - - azure_storage_sync_private_link_used -Tags: {} +control-group: + id: azure_all_controls_storagesync + title: File Sync + description: This section contains recommendations for configuring FileSync resources. + section-code: storagesync + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_storage_sync_private_link_used diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml index a3835d536..69dc0021a 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml +++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_streamanalytics.yaml @@ -1,8 +1,13 @@ -ID: azure_all_controls_streamanalytics -Title: Stream Analytics -Description: This section contains recommendations for configuring Stream Analytics resources. -SectionCode: streamanalytics -Children: [] -Controls: - - azure_stream_analytics_job_logging_enabled -Tags: {} +control-group: + id: azure_all_controls_streamanalytics + title: Stream Analytics + description: This section contains recommendations for configuring Stream Analytics resources. + section-code: streamanalytics + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_stream_analytics_job_logging_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml index d36e29410..0551e4b3f 100755 --- a/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml 
+++ b/compliance/frameworks/azure/azure_all_controls/azure_all_controls_synapse.yaml @@ -1,11 +1,16 @@ -ID: azure_all_controls_synapse -Title: Synapse Analytics -Description: This section contains recommendations for configuring Synapse Analytics resources. -SectionCode: synapse -Children: [] -Controls: - - azure_synapse_workspace_data_exfiltration_protection_enabled - - azure_synapse_workspace_encryption_at_rest_using_cmk - - azure_synapse_workspace_private_link_used - - azure_synapse_workspace_vulnerability_assessment_enabled -Tags: {} +control-group: + id: azure_all_controls_synapse + title: Synapse Analytics + description: This section contains recommendations for configuring Synapse Analytics resources. + section-code: synapse + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_synapse_workspace_data_exfiltration_protection_enabled + - azure_synapse_workspace_encryption_at_rest_using_cmk + - azure_synapse_workspace_private_link_used + - azure_synapse_workspace_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_all_controls/root.yaml b/compliance/frameworks/azure/azure_all_controls/root.yaml deleted file mode 100755 index 6bbaba337..000000000 --- a/compliance/frameworks/azure/azure_all_controls/root.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -ID: azure_all_controls -Title: All Controls -Description: This benchmark contains all controls grouped by service to help you detect resource configurations that do not meet best practices. -SectionCode: azure_all_controls -Children: - - azure_all_controls_activedirectory - - azure_all_controls_apimanagement - - azure_all_controls_appconfiguration - - azure_all_controls_appservice - - azure_all_controls_automation - - azure_all_controls_batch - - azure_all_controls_cognitivesearch - - azure_all_controls_cognitiveservice - - azure_all_controls_compute - - azure_all_controls_containerinstance - - azure_all_controls_containerregistry - - azure_all_controls_cosmosdb - - azure_all_controls_databoxedge - - azure_all_controls_datafactory - - azure_all_controls_datalakeanalytics - - azure_all_controls_datalakestore - - azure_all_controls_eventgrid - - azure_all_controls_eventhub - - azure_all_controls_frontdoor - - azure_all_controls_hdinsight - - azure_all_controls_healthcare - - azure_all_controls_hpccache - - azure_all_controls_iothub - - azure_all_controls_keyvault - - azure_all_controls_kubernetes - - azure_all_controls_kusto - - azure_all_controls_logic - - azure_all_controls_machinelearning - - azure_all_controls_mariadb - - azure_all_controls_monitor - - azure_all_controls_mysql - - azure_all_controls_network - - azure_all_controls_postgres - - azure_all_controls_recoveryservice - - azure_all_controls_redis - - azure_all_controls_securitycenter - - azure_all_controls_servicebus - - azure_all_controls_servicefabric - - azure_all_controls_signalr - - azure_all_controls_springcloud - - azure_all_controls_sql - - azure_all_controls_storage - - azure_all_controls_storagesync - - azure_all_controls_streamanalytics - - azure_all_controls_synapse -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: {} 
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml
new file mode 100644
index 000000000..cba80d6c1
--- /dev/null
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130.yaml
@@ -0,0 +1,37 @@
+framework:
+ id: azure_cis_v130
+ title: CIS v1.3.0
+ description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+ section-code: azure_cis_v130
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.3.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v130_1
+ - id: azure_cis_v130_2
+ - id: azure_cis_v130_3
+ - id: azure_cis_v130_4
+ - id: azure_cis_v130_5
+ - id: azure_cis_v130_6
+ - id: azure_cis_v130_7
+ - id: azure_cis_v130_8
+ - id: azure_cis_v130_9
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
index a56aa8dc9..089aec97a 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_1.yaml
@@ -1,44 +1,49 @@
-ID: azure_cis_v130_1
-Title: Identity and Access Management
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v130_1_1
- - azure_cis_v130_1_2
- - azure_cis_v130_1_3
- - azure_cis_v130_1_4
- - azure_cis_v130_1_5
- - azure_cis_v130_1_6
- - azure_cis_v130_1_7
- - azure_cis_v130_1_8
- - azure_cis_v130_1_9
- - azure_cis_v130_1_10
- - azure_cis_v130_1_11
- - azure_cis_v130_1_12
- - azure_cis_v130_1_13
- - azure_cis_v130_1_14
- - azure_cis_v130_1_15
- - azure_cis_v130_1_16
- - azure_cis_v130_1_17
- - azure_cis_v130_1_18
- - azure_cis_v130_1_19
- - azure_cis_v130_1_20
- - azure_cis_v130_1_21
- - azure_cis_v130_1_22
- - azure_cis_v130_1_23
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_1
+ title: Identity and Access Management
+ description: Identity and Access Management
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_1_1
+ - azure_cis_v130_1_2
+ - azure_cis_v130_1_3
+ - azure_cis_v130_1_4
+ - azure_cis_v130_1_5
+ - azure_cis_v130_1_6
+ - azure_cis_v130_1_7
+ - azure_cis_v130_1_8
+ - azure_cis_v130_1_9
+ - azure_cis_v130_1_10
+ - azure_cis_v130_1_11
+ - azure_cis_v130_1_12
+ - azure_cis_v130_1_13
+ - azure_cis_v130_1_14
+ - azure_cis_v130_1_15
+ - azure_cis_v130_1_16
+ - azure_cis_v130_1_17
+ - azure_cis_v130_1_18
+ - azure_cis_v130_1_19
+ - azure_cis_v130_1_20
+ - azure_cis_v130_1_21
+ - azure_cis_v130_1_22
+ - azure_cis_v130_1_23
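Review bot: `description: Identity and Access Management` on the new side just repeats `title`, where the old file had `Description: ""`; a description identical to the title carries no information and renders as a duplicate wherever both fields are shown. Either keep it empty with `description: ""` or write one sentence on what CIS section 1 covers, in the way the azure_all_controls groups do with their `This section contains recommendations for configuring …` descriptions. The same title-as-description substitution appears in the azure_cis_v130_2, _3, _4, _4_1 and _4_2 hunks.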
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml index 83ae5722b..9b0440ea7 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_2.yaml @@ -1,36 +1,41 @@ -ID: azure_cis_v130_2 -Title: Security Center -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v130_2_1 - - azure_cis_v130_2_2 - - azure_cis_v130_2_3 - - azure_cis_v130_2_4 - - azure_cis_v130_2_5 - - azure_cis_v130_2_6 - - azure_cis_v130_2_7 - - azure_cis_v130_2_8 - - azure_cis_v130_2_9 - - azure_cis_v130_2_10 - - azure_cis_v130_2_11 - - azure_cis_v130_2_12 - - azure_cis_v130_2_13 - - azure_cis_v130_2_14 - - azure_cis_v130_2_15 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v130_2 + title: Security Center + description: Security Center + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v130_2_1 + - azure_cis_v130_2_2 + - azure_cis_v130_2_3 + - azure_cis_v130_2_4 + - azure_cis_v130_2_5 + - azure_cis_v130_2_6 + - azure_cis_v130_2_7 + - azure_cis_v130_2_8 + - azure_cis_v130_2_9 + - azure_cis_v130_2_10 + - azure_cis_v130_2_11 + - azure_cis_v130_2_12 + - azure_cis_v130_2_13 + - azure_cis_v130_2_14 + - azure_cis_v130_2_15 diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml index ee2b04ce8..69ce3c56b 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml 
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_3.yaml @@ -1,31 +1,36 @@ -ID: azure_cis_v130_3 -Title: Storage Accounts -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v130_3_1 - - azure_cis_v130_3_2 - - azure_cis_v130_3_3 - - azure_cis_v130_3_4 - - azure_cis_v130_3_6 - - azure_cis_v130_3_7 - - azure_cis_v130_3_8 - - azure_cis_v130_3_9 - - azure_cis_v130_3_10 - - azure_cis_v130_3_11 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.3.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark +control-group: + id: azure_cis_v130_3 + title: Storage Accounts + description: Storage Accounts + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.3.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark + controls: + - azure_cis_v130_3_1 + - azure_cis_v130_3_2 + - azure_cis_v130_3_3 + - azure_cis_v130_3_4 + - azure_cis_v130_3_6 + - azure_cis_v130_3_7 + - azure_cis_v130_3_8 + - azure_cis_v130_3_9 + - azure_cis_v130_3_10 + - azure_cis_v130_3_11 diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml index a26cf3f1a..59523e47f 100755 --- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4.yaml 
@@ -1,25 +1,31 @@
-ID: azure_cis_v130_4
-Title: Database Services
-Description: ""
-SectionCode: "4"
-Children:
- - azure_cis_v130_4_1
- - azure_cis_v130_4_2
- - azure_cis_v130_4_3
-Controls:
- - azure_cis_v130_4_4
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_4
+ title: Database Services
+ description: Database Services
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v130_4_1
+ - id: azure_cis_v130_4_2
+ - id: azure_cis_v130_4_3
+ controls:
+ - azure_cis_v130_4_4
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
index ec1ab8928..7006e0172 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_cis_v130_4_1
-Title: SQL Server - Auditing
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v130_4_1_2
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.1"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_4_1
+ title: SQL Server - Auditing
+ description: SQL Server - Auditing
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_4_1_2
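Review bot: The azure_cis_v130_4 hunk uses the key name `control-group` twice with two different shapes — as the top-level wrapper mapping and, nested under it, as a list of `- id:` entries for the child groups — which reads as a self-reference and makes the file harder to check against a schema. A distinct name for the child list, for example `child-groups:` or a comment such as `control-group:  # nested child groups, resolved by id` on the inner key, would keep the two meanings apart. The same nesting appears in the azure_cis_v130_5, azure_cis_v140_4 and azure_cis_v140_5 hunks later in this diff, so whichever name is chosen should be applied to all of them together.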
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml
index 87663d0a2..6e396c100 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_2.yaml
@@ -1,21 +1,25 @@
-ID: azure_cis_v130_4_2
-Title: SQL Server - Azure Defender for SQL
-Description: ""
-SectionCode: "2"
-Children: []
-Controls: null
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.2"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_4_2
+ title: SQL Server - Azure Defender for SQL
+ description: SQL Server - Azure Defender for SQL
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.2"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml
index 5e7609d3b..1604d8659 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_4_3.yaml
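Review bot: The rewritten azure_cis_v130_4_2 group declares neither a `controls` nor a `control-group` key, so it contributes no checks at all even though the azure_cis_v130_4 hunk still lists it as a child; CIS section 4.2 (Azure Defender for SQL) presumably appears in the benchmark tree with nothing evaluated behind it, which is exactly the kind of silent coverage gap a compliance consumer should be able to see. The old side had `Controls: null`, so the gap is pre-existing, but the migration is the moment to make it explicit: write `controls: []` with a comment such as `# no controls implemented for CIS 4.2 yet`, or drop the group from the parent until controls exist. The azure_cis_v140_4_2 hunk later in this diff has the same shape.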
@@ -1,25 +1,30 @@
-ID: azure_cis_v130_4_3
-Title: PostgreSQL Database Server
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v130_4_3_1
- - azure_cis_v130_4_3_2
- - azure_cis_v130_4_3_5
- - azure_cis_v130_4_3_8
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.3"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_4_3
+ title: PostgreSQL Database Server
+ description: PostgreSQL Database Server
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.3"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_4_3_1
+ - azure_cis_v130_4_3_2
+ - azure_cis_v130_4_3_5
+ - azure_cis_v130_4_3_8
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
index ddfa473d3..02c1f40ef 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5.yaml
@@ -1,24 +1,30 @@
-ID: azure_cis_v130_5
-Title: Logging and Monitoring
-Description: ""
-SectionCode: "5"
-Children:
- - azure_cis_v130_5_1
- - azure_cis_v130_5_2
-Controls:
- - azure_cis_v130_5_3
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_5
+ title: Logging and Monitoring
+ description: Logging and Monitoring
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v130_5_1
+ - id: azure_cis_v130_5_2
+ controls:
+ - azure_cis_v130_5_3
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
index 9b3c0c4ca..5f4903c5d 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_1.yaml
@@ -1,25 +1,30 @@
-ID: azure_cis_v130_5_1
-Title: Configuring Diagnostic Settings
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v130_5_1_1
- - azure_cis_v130_5_1_2
- - azure_cis_v130_5_1_3
- - azure_cis_v130_5_1_5
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.1"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_5_1
+ title: Configuring Diagnostic Settings
+ description: Configuring Diagnostic Settings
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.1"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_5_1_1
+ - azure_cis_v130_5_1_2
+ - azure_cis_v130_5_1_3
+ - azure_cis_v130_5_1_5
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
index 530da8dd3..3cc6a4cba 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_5_2.yaml
@@ -1,30 +1,35 @@
-ID: azure_cis_v130_5_2
-Title: Monitoring using Activity Log Alerts
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v130_5_2_1
- - azure_cis_v130_5_2_2
- - azure_cis_v130_5_2_3
- - azure_cis_v130_5_2_4
- - azure_cis_v130_5_2_5
- - azure_cis_v130_5_2_6
- - azure_cis_v130_5_2_7
- - azure_cis_v130_5_2_8
- - azure_cis_v130_5_2_9
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.2"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_5_2
+ title: Monitoring using Activity Log Alerts
+ description: Monitoring using Activity Log Alerts
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.2"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_5_2_1
+ - azure_cis_v130_5_2_2
+ - azure_cis_v130_5_2_3
+ - azure_cis_v130_5_2_4
+ - azure_cis_v130_5_2_5
+ - azure_cis_v130_5_2_6
+ - azure_cis_v130_5_2_7
+ - azure_cis_v130_5_2_8
+ - azure_cis_v130_5_2_9
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
index 3a00483a0..2ea920894 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_6.yaml
@@ -1,25 +1,30 @@
-ID: azure_cis_v130_6
-Title: Networking
-Description: ""
-SectionCode: "6"
-Children: []
-Controls:
- - azure_cis_v130_6_1
- - azure_cis_v130_6_2
- - azure_cis_v130_6_3
- - azure_cis_v130_6_6
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "6"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_6
+ title: Networking
+ description: Networking
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "6"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_6_1
+ - azure_cis_v130_6_2
+ - azure_cis_v130_6_3
+ - azure_cis_v130_6_6
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
index 9795e0d4e..5cb4a40c5 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_7.yaml
@@ -1,28 +1,33 @@
-ID: azure_cis_v130_7
-Title: Virtual Machines
-Description: ""
-SectionCode: "7"
-Children: []
-Controls:
- - azure_cis_v130_7_1
- - azure_cis_v130_7_2
- - azure_cis_v130_7_3
- - azure_cis_v130_7_4
- - azure_cis_v130_7_5
- - azure_cis_v130_7_6
- - azure_cis_v130_7_7
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "7"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_7
+ title: Virtual Machines
+ description: Virtual Machines
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "7"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_7_1
+ - azure_cis_v130_7_2
+ - azure_cis_v130_7_3
+ - azure_cis_v130_7_4
+ - azure_cis_v130_7_5
+ - azure_cis_v130_7_6
+ - azure_cis_v130_7_7
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
index de757ab7f..d1b3b8bce 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_8.yaml
@@ -1,26 +1,31 @@
-ID: azure_cis_v130_8
-Title: Other Security Considerations
-Description: ""
-SectionCode: "8"
-Children: []
-Controls:
- - azure_cis_v130_8_1
- - azure_cis_v130_8_2
- - azure_cis_v130_8_3
- - azure_cis_v130_8_4
- - azure_cis_v130_8_5
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "8"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_8
+ title: Other Security Considerations
+ description: Other Security Considerations
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "8"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_8_1
+ - azure_cis_v130_8_2
+ - azure_cis_v130_8_3
+ - azure_cis_v130_8_4
+ - azure_cis_v130_8_5
diff --git a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
index 01e87520e..ddd7256fd 100755
--- a/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
+++ b/compliance/frameworks/azure/azure_cis_v130/azure_cis_v130_9.yaml
@@ -1,31 +1,36 @@
-ID: azure_cis_v130_9
-Title: AppService
-Description: ""
-SectionCode: "9"
-Children: []
-Controls:
- - azure_cis_v130_9_1
- - azure_cis_v130_9_2
- - azure_cis_v130_9_3
- - azure_cis_v130_9_4
- - azure_cis_v130_9_5
- - azure_cis_v130_9_6
- - azure_cis_v130_9_7
- - azure_cis_v130_9_8
- - azure_cis_v130_9_9
- - azure_cis_v130_9_11
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "9"
- cis_version:
- - v1.3.0
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v130_9
+ title: AppService
+ description: AppService
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "9"
+ cis_version:
+ - v1.3.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v130_9_1
+ - azure_cis_v130_9_2
+ - azure_cis_v130_9_3
+ - azure_cis_v130_9_4
+ - azure_cis_v130_9_5
+ - azure_cis_v130_9_6
+ - azure_cis_v130_9_7
+ - azure_cis_v130_9_8
+ - azure_cis_v130_9_9
+ - azure_cis_v130_9_11
diff --git a/compliance/frameworks/azure/azure_cis_v130/root.yaml b/compliance/frameworks/azure/azure_cis_v130/root.yaml
deleted file mode 100755
index dabf16dd5..000000000
--- a/compliance/frameworks/azure/azure_cis_v130/root.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-ID: azure_cis_v130
-Title: CIS v1.3.0
-Description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
-SectionCode: azure_cis_v130
-Children:
- - azure_cis_v130_1
- - azure_cis_v130_2
- - azure_cis_v130_3
- - azure_cis_v130_4
- - azure_cis_v130_5
- - azure_cis_v130_6
- - azure_cis_v130_7
- - azure_cis_v130_8
- - azure_cis_v130_9
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v1.3.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml
new file mode 100644
index 000000000..1fc375c82
--- /dev/null
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140.yaml
@@ -0,0 +1,37 @@
+framework:
+ id: azure_cis_v140
+ title: CIS v1.4.0
+ description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+ section-code: azure_cis_v140
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_version:
+ - v1.4.0
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v140_1
+ - id: azure_cis_v140_2
+ - id: azure_cis_v140_3
+ - id: azure_cis_v140_4
+ - id: azure_cis_v140_5
+ - id: azure_cis_v140_6
+ - id: azure_cis_v140_7
+ - id: azure_cis_v140_8
+ - id: azure_cis_v140_9
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
index 7b6fc07d4..d7bf95120 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_1.yaml
@@ -1,41 +1,46 @@
-ID: azure_cis_v140_1
-Title: Identity and Access Management
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v140_1_1
- - azure_cis_v140_1_2
- - azure_cis_v140_1_3
- - azure_cis_v140_1_4
- - azure_cis_v140_1_5
- - azure_cis_v140_1_7
- - azure_cis_v140_1_9
- - azure_cis_v140_1_10
- - azure_cis_v140_1_11
- - azure_cis_v140_1_12
- - azure_cis_v140_1_13
- - azure_cis_v140_1_14
- - azure_cis_v140_1_15
- - azure_cis_v140_1_16
- - azure_cis_v140_1_17
- - azure_cis_v140_1_18
- - azure_cis_v140_1_19
- - azure_cis_v140_1_20
- - azure_cis_v140_1_21
- - azure_cis_v140_1_22
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_1
+ title: Identity and Access Management
+ description: Identity and Access Management
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_1_1
+ - azure_cis_v140_1_2
+ - azure_cis_v140_1_3
+ - azure_cis_v140_1_4
+ - azure_cis_v140_1_5
+ - azure_cis_v140_1_7
+ - azure_cis_v140_1_9
+ - azure_cis_v140_1_10
+ - azure_cis_v140_1_11
+ - azure_cis_v140_1_12
+ - azure_cis_v140_1_13
+ - azure_cis_v140_1_14
+ - azure_cis_v140_1_15
+ - azure_cis_v140_1_16
+ - azure_cis_v140_1_17
+ - azure_cis_v140_1_18
+ - azure_cis_v140_1_19
+ - azure_cis_v140_1_20
+ - azure_cis_v140_1_21
+ - azure_cis_v140_1_22
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
index 9e29f751a..f143ff677 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_2.yaml
@@ -1,36 +1,41 @@
-ID: azure_cis_v140_2
-Title: Microsoft Defender for Cloud
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v140_2_1
- - azure_cis_v140_2_2
- - azure_cis_v140_2_3
- - azure_cis_v140_2_4
- - azure_cis_v140_2_5
- - azure_cis_v140_2_6
- - azure_cis_v140_2_7
- - azure_cis_v140_2_8
- - azure_cis_v140_2_9
- - azure_cis_v140_2_10
- - azure_cis_v140_2_11
- - azure_cis_v140_2_12
- - azure_cis_v140_2_13
- - azure_cis_v140_2_14
- - azure_cis_v140_2_15
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_2
+ title: Microsoft Defender for Cloud
+ description: Microsoft Defender for Cloud
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_2_1
+ - azure_cis_v140_2_2
+ - azure_cis_v140_2_3
+ - azure_cis_v140_2_4
+ - azure_cis_v140_2_5
+ - azure_cis_v140_2_6
+ - azure_cis_v140_2_7
+ - azure_cis_v140_2_8
+ - azure_cis_v140_2_9
+ - azure_cis_v140_2_10
+ - azure_cis_v140_2_11
+ - azure_cis_v140_2_12
+ - azure_cis_v140_2_13
+ - azure_cis_v140_2_14
+ - azure_cis_v140_2_15
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
index 7ccbeaa33..c9aa4addd 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_3.yaml
@@ -1,32 +1,37 @@
-ID: azure_cis_v140_3
-Title: Storage Accounts
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v140_3_1
- - azure_cis_v140_3_2
- - azure_cis_v140_3_3
- - azure_cis_v140_3_4
- - azure_cis_v140_3_6
- - azure_cis_v140_3_7
- - azure_cis_v140_3_8
- - azure_cis_v140_3_9
- - azure_cis_v140_3_10
- - azure_cis_v140_3_11
- - azure_cis_v140_3_12
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "3"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_3
+ title: Storage Accounts
+ description: Storage Accounts
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "3"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_3_1
+ - azure_cis_v140_3_2
+ - azure_cis_v140_3_3
+ - azure_cis_v140_3_4
+ - azure_cis_v140_3_6
+ - azure_cis_v140_3_7
+ - azure_cis_v140_3_8
+ - azure_cis_v140_3_9
+ - azure_cis_v140_3_10
+ - azure_cis_v140_3_11
+ - azure_cis_v140_3_12
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
index 5daf47e7a..837e6bb4c 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4.yaml
@@ -1,26 +1,32 @@
-ID: azure_cis_v140_4
-Title: Database Services
-Description: ""
-SectionCode: "4"
-Children:
- - azure_cis_v140_4_1
- - azure_cis_v140_4_2
- - azure_cis_v140_4_3
- - azure_cis_v140_4_4
-Controls:
- - azure_cis_v140_4_5
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_4
+ title: Database Services
+ description: Database Services
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v140_4_1
+ - id: azure_cis_v140_4_2
+ - id: azure_cis_v140_4_3
+ - id: azure_cis_v140_4_4
+ controls:
+ - azure_cis_v140_4_5
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
index 8cf8c2632..cf9e36043 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_cis_v140_4_1
-Title: SQL Server - Auditing
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v140_4_1_2
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_4_1
+ title: SQL Server - Auditing
+ description: SQL Server - Auditing
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_4_1_2
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
index 468f111ac..57e2b6bee 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_2.yaml
@@ -1,21 +1,25 @@
-ID: azure_cis_v140_4_2
-Title: SQL Server - Azure Defender for SQL
-Description: ""
-SectionCode: "2"
-Children: []
-Controls: null
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_4_2
+ title: SQL Server - Azure Defender for SQL
+ description: SQL Server - Azure Defender for SQL
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
index f560533ba..071e23677 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_3.yaml
@@ -1,24 +1,29 @@
-ID: azure_cis_v140_4_3
-Title: PostgreSQL Database Server
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v140_4_3_1
- - azure_cis_v140_4_3_7
- - azure_cis_v140_4_3_8
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.3"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_4_3
+ title: PostgreSQL Database Server
+ description: PostgreSQL Database Server
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.3"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_4_3_1
+ - azure_cis_v140_4_3_7
+ - azure_cis_v140_4_3_8
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
index 5dbef50d1..7d04b9ae1 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_4_4.yaml
@@ -1,23 +1,28 @@
-ID: azure_cis_v140_4_4
-Title: MySQL Database
-Description: ""
-SectionCode: "4"
-Children: []
-Controls:
- - azure_cis_v140_4_4_1
- - azure_cis_v140_4_4_2
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "4.4"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_4_4
+ title: MySQL Database
+ description: MySQL Database
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "4.4"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_4_4_1
+ - azure_cis_v140_4_4_2
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
index ef052ff2a..ce548eded 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5.yaml
@@ -1,24 +1,30 @@
-ID: azure_cis_v140_5
-Title: Logging and Monitoring
-Description: ""
-SectionCode: "5"
-Children:
- - azure_cis_v140_5_1
- - azure_cis_v140_5_2
-Controls:
- - azure_cis_v140_5_3
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_5
+ title: Logging and Monitoring
+ description: Logging and Monitoring
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v140_5_1
+ - id: azure_cis_v140_5_2
+ controls:
+ - azure_cis_v140_5_3
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
index cbbd2314d..c524f6bdc 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_1.yaml
@@ -1,25 +1,30 @@
-ID: azure_cis_v140_5_1
-Title: Configuring Diagnostic Settings
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v140_5_1_1
- - azure_cis_v140_5_1_2
- - azure_cis_v140_5_1_3
- - azure_cis_v140_5_1_5
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.1"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_5_1
+ title: Configuring Diagnostic Settings
+ description: Configuring Diagnostic Settings
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.1"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_5_1_1
+ - azure_cis_v140_5_1_2
+ - azure_cis_v140_5_1_3
+ - azure_cis_v140_5_1_5
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
index 4b3d44563..bf5d95491 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_5_2.yaml
@@ -1,30 +1,35 @@
-ID: azure_cis_v140_5_2
-Title: Monitoring using Activity Log Alerts
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v140_5_2_1
- - azure_cis_v140_5_2_2
- - azure_cis_v140_5_2_3
- - azure_cis_v140_5_2_4
- - azure_cis_v140_5_2_5
- - azure_cis_v140_5_2_6
- - azure_cis_v140_5_2_7
- - azure_cis_v140_5_2_8
- - azure_cis_v140_5_2_9
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5.2"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Monitor
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_5_2
+ title: Monitoring using Activity Log Alerts
+ description: Monitoring using Activity Log Alerts
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5.2"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_5_2_1
+ - azure_cis_v140_5_2_2
+ - azure_cis_v140_5_2_3
+ - azure_cis_v140_5_2_4
+ - azure_cis_v140_5_2_5
+ - azure_cis_v140_5_2_6
+ - azure_cis_v140_5_2_7
+ - azure_cis_v140_5_2_8
+ - azure_cis_v140_5_2_9
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
index 766d8c3fc..8994c09f9 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_6.yaml
@@ -1,25 +1,30 @@
-ID: azure_cis_v140_6
-Title: Networking
-Description: ""
-SectionCode: "6"
-Children: []
-Controls:
- - azure_cis_v140_6_1
- - azure_cis_v140_6_2
- - azure_cis_v140_6_3
- - azure_cis_v140_6_6
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "6"
- cis_version:
- - v1.4.0
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v140_6
+ title: Networking
+ description: Networking
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "6"
+ cis_version:
+ - v1.4.0
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v140_6_1
+ - azure_cis_v140_6_2
+ - azure_cis_v140_6_3
+ - azure_cis_v140_6_6
diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
index 1ec3d012e..103d63a60 100755
--- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_7.yaml
@@ -1,28 +1,33 @@ -ID: azure_cis_v140_7 -Title: Virtual Machines -Description: "" -SectionCode: "7" -Children: [] -Controls: - - azure_cis_v140_7_1 - - azure_cis_v140_7_2 - - azure_cis_v140_7_3 - - azure_cis_v140_7_4 - - azure_cis_v140_7_5 - - azure_cis_v140_7_6 - - azure_cis_v140_7_7 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "7" - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_cis_v140_7 + title: Virtual Machines + description: Virtual Machines + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "7" + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_cis_v140_7_1 + - azure_cis_v140_7_2 + - azure_cis_v140_7_3 + - azure_cis_v140_7_4 + - azure_cis_v140_7_5 + - azure_cis_v140_7_6 + - azure_cis_v140_7_7 diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml index 9471b644c..6950e85fd 100755 --- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml +++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_8.yaml 
@@ -1,28 +1,33 @@ -ID: azure_cis_v140_8 -Title: Other Security Considerations -Description: "" -SectionCode: "8" -Children: [] -Controls: - - azure_cis_v140_8_1 - - azure_cis_v140_8_2 - - azure_cis_v140_8_3 - - azure_cis_v140_8_4 - - azure_cis_v140_8_5 - - azure_cis_v140_8_6 - - azure_cis_v140_8_7 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "8" - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v140_8 + title: Other Security Considerations + description: Other Security Considerations + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "8" + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v140_8_1 + - azure_cis_v140_8_2 + - azure_cis_v140_8_3 + - azure_cis_v140_8_4 + - azure_cis_v140_8_5 + - azure_cis_v140_8_6 + - azure_cis_v140_8_7 diff --git a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml index 93530e6c3..198392364 100755 --- a/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml +++ b/compliance/frameworks/azure/azure_cis_v140/azure_cis_v140_9.yaml 
@@ -1,31 +1,36 @@ -ID: azure_cis_v140_9 -Title: AppService -Description: "" -SectionCode: "9" -Children: [] -Controls: - - azure_cis_v140_9_1 - - azure_cis_v140_9_2 - - azure_cis_v140_9_3 - - azure_cis_v140_9_4 - - azure_cis_v140_9_5 - - azure_cis_v140_9_6 - - azure_cis_v140_9_7 - - azure_cis_v140_9_8 - - azure_cis_v140_9_9 - - azure_cis_v140_9_11 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "9" - cis_version: - - v1.4.0 - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_cis_v140_9 + title: AppService + description: AppService + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "9" + cis_version: + - v1.4.0 + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_cis_v140_9_1 + - azure_cis_v140_9_2 + - azure_cis_v140_9_3 + - azure_cis_v140_9_4 + - azure_cis_v140_9_5 + - azure_cis_v140_9_6 + - azure_cis_v140_9_7 + - azure_cis_v140_9_8 + - azure_cis_v140_9_9 + - azure_cis_v140_9_11 diff --git a/compliance/frameworks/azure/azure_cis_v140/root.yaml b/compliance/frameworks/azure/azure_cis_v140/root.yaml deleted file mode 100755 index 9b89d4d42..000000000 --- a/compliance/frameworks/azure/azure_cis_v140/root.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -ID: azure_cis_v140 -Title: CIS v1.4.0 -Description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. -SectionCode: azure_cis_v140 -Children: - - azure_cis_v140_1 - - azure_cis_v140_2 - - azure_cis_v140_3 - - azure_cis_v140_4 - - azure_cis_v140_5 - - azure_cis_v140_6 - - azure_cis_v140_7 - - azure_cis_v140_8 - - azure_cis_v140_9 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.4.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - azure - service: - - Azure - type: - - Benchmark diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml new file mode 100644 index 000000000..297380f09 --- /dev/null +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150.yaml @@ -0,0 +1,38 @@ +framework: + id: azure_cis_v150 + title: CIS v1.5.0 + description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. + section-code: azure_cis_v150 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v1.5.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v150_1 + - id: azure_cis_v150_2 + - id: azure_cis_v150_3 + - id: azure_cis_v150_4 + - id: azure_cis_v150_5 + - id: azure_cis_v150_6 + - id: azure_cis_v150_7 + - id: azure_cis_v150_8 + - id: azure_cis_v150_9 + - id: azure_cis_v150_10 
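Review bot: The new azure_cis_v150.yaml is created with mode 100644 while the section files it references keep the 100755 bit from the old layout (visible in the surrounding `index … 100755` headers); YAML data files have no reason to be executable, and since every line of them is rewritten here this is the right moment to normalize the mode. The root.yaml deleted on the same line removes the azure_cis_v140 framework definition and the `platform_benchmark_type`/`platform_category` tags it carried; its replacement would sort before the v1.4.0 section files and is outside this chunk, so please confirm it is part of the change, otherwise the v1.4.0 framework has no root after this commit.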
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml index 1f5ae4c33..7a2fd6668 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1.yaml 
@@ -1,44 +1,50 @@ -ID: azure_cis_v150_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: - - azure_cis_v150_1_1 - - azure_cis_v150_1_2 -Controls: - - azure_cis_v150_1_3 - - azure_cis_v150_1_4 - - azure_cis_v150_1_5 - - azure_cis_v150_1_6 - - azure_cis_v150_1_7 - - azure_cis_v150_1_8 - - azure_cis_v150_1_9 - - azure_cis_v150_1_10 - - azure_cis_v150_1_11 - - azure_cis_v150_1_12 - - azure_cis_v150_1_14 - - azure_cis_v150_1_15 - - azure_cis_v150_1_16 - - azure_cis_v150_1_17 - - azure_cis_v150_1_19 - - azure_cis_v150_1_20 - - azure_cis_v150_1_21 - - azure_cis_v150_1_22 - - azure_cis_v150_1_23 - - azure_cis_v150_1_24 - - azure_cis_v150_1_25 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v150_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + control-group: + - id: azure_cis_v150_1_1 + - id: azure_cis_v150_1_2 + controls: + - azure_cis_v150_1_3 + - azure_cis_v150_1_4 + - azure_cis_v150_1_5 + - azure_cis_v150_1_6 + - azure_cis_v150_1_7 + - azure_cis_v150_1_8 + - azure_cis_v150_1_9 + - azure_cis_v150_1_10 + - azure_cis_v150_1_11 + - azure_cis_v150_1_12 + - azure_cis_v150_1_14 + - azure_cis_v150_1_15 + - azure_cis_v150_1_16 + - azure_cis_v150_1_17 + - azure_cis_v150_1_19 + - azure_cis_v150_1_20 + - azure_cis_v150_1_21 + - azure_cis_v150_1_22 + - azure_cis_v150_1_23 + - azure_cis_v150_1_24 + - azure_cis_v150_1_25 
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml index bf2d9b877..3aed33134 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_10.yaml @@ -1,22 +1,27 @@ -ID: azure_cis_v150_10 -Title: Miscellaneous -Description: "" -SectionCode: "10" -Children: [] -Controls: - - azure_cis_v150_10_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "10" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_10 + title: Miscellaneous + description: Miscellaneous + section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "10" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v150_10_1 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml index 5f833da3c..b9caa678f 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_1.yaml 
@@ -1,25 +1,30 @@ -ID: azure_cis_v150_1_1 -Title: Security Defaults -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v150_1_1_1 - - azure_cis_v150_1_1_2 - - azure_cis_v150_1_1_3 - - azure_cis_v150_1_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v150_1_1 + title: Security Defaults + description: Security Defaults + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + controls: + - azure_cis_v150_1_1_1 + - azure_cis_v150_1_1_2 + - azure_cis_v150_1_1_3 + - azure_cis_v150_1_1_4 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml index 88f6e07cd..616497d55 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_1_2.yaml 
@@ -1,27 +1,32 @@ -ID: azure_cis_v150_1_2 -Title: Conditional Access -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v150_1_2_1 - - azure_cis_v150_1_2_2 - - azure_cis_v150_1_2_3 - - azure_cis_v150_1_2_4 - - azure_cis_v150_1_2_5 - - azure_cis_v150_1_2_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v150_1_2 + title: Conditional Access + description: Conditional Access + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + controls: + - azure_cis_v150_1_2_1 + - azure_cis_v150_1_2_2 + - azure_cis_v150_1_2_3 + - azure_cis_v150_1_2_4 + - azure_cis_v150_1_2_5 + - azure_cis_v150_1_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml index cd27ab12c..bb286b94d 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2.yaml 
@@ -1,27 +1,33 @@ -ID: azure_cis_v150_2 -Title: Microsoft Defender for Cloud -Description: "" -SectionCode: "2" -Children: - - azure_cis_v150_2_1 - - azure_cis_v150_2_2 - - azure_cis_v150_2_3 - - azure_cis_v150_2_4 -Controls: - - azure_cis_v150_2_5 - - azure_cis_v150_2_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v150_2 + title: Microsoft Defender for Cloud + description: Microsoft Defender for Cloud + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + control-group: + - id: azure_cis_v150_2_1 + - id: azure_cis_v150_2_2 + - id: azure_cis_v150_2_3 + - id: azure_cis_v150_2_4 + controls: + - azure_cis_v150_2_5 + - azure_cis_v150_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml index 02cb02091..2fbd612ec 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_1.yaml 
@@ -1,34 +1,39 @@ -ID: azure_cis_v150_2_1 -Title: Defender Plans -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v150_2_1_1 - - azure_cis_v150_2_1_2 - - azure_cis_v150_2_1_3 - - azure_cis_v150_2_1_4 - - azure_cis_v150_2_1_5 - - azure_cis_v150_2_1_6 - - azure_cis_v150_2_1_7 - - azure_cis_v150_2_1_8 - - azure_cis_v150_2_1_9 - - azure_cis_v150_2_1_10 - - azure_cis_v150_2_1_11 - - azure_cis_v150_2_1_12 - - azure_cis_v150_2_1_13 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v150_2_1 + title: Defender Plans + description: Defender Plans + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v150_2_1_1 + - azure_cis_v150_2_1_2 + - azure_cis_v150_2_1_3 + - azure_cis_v150_2_1_4 + - azure_cis_v150_2_1_5 + - azure_cis_v150_2_1_6 + - azure_cis_v150_2_1_7 + - azure_cis_v150_2_1_8 + - azure_cis_v150_2_1_9 + - azure_cis_v150_2_1_10 + - azure_cis_v150_2_1_11 + - azure_cis_v150_2_1_12 + - azure_cis_v150_2_1_13 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml index 2e7193b5e..09abe97f4 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_2.yaml 
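Review bot: `cis_section_id` on this sub-group (azure_cis_v150_2_1, Defender Plans) is tagged `"2"`, while the sub-groups under sections 1 and 4 use the dotted form (`"1.1"`, `"1.2"`, `"4.1"`, `"4.2"`) and the v1.4.0 group for 5.2 in the first hunk of this chunk uses `"5.2"`; azure_cis_v150_2_2, 2_3 and 2_4 (the next three hunks), azure_cis_v150_4_5 (`"4"`), and azure_cis_v150_5_1 and 5_2 (`"5"`) carry the same mismatch. The values are copied from the old side, but every tag line is rewritten here, so it is the natural place to fix them, e.g. `cis_section_id:` / `  - "2.1"` for this group. Anything that filters or reports by this tag will otherwise fold these sub-sections into their parent section.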
@@ -1,24 +1,29 @@ -ID: azure_cis_v150_2_2 -Title: Auto Provisioning -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v150_2_2_1 - - azure_cis_v150_2_2_2 - - azure_cis_v150_2_2_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v150_2_2 + title: Auto Provisioning + description: Auto Provisioning + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v150_2_2_1 + - azure_cis_v150_2_2_2 + - azure_cis_v150_2_2_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml index 6b69f371d..774648fad 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_3.yaml 
@@ -1,24 +1,29 @@ -ID: azure_cis_v150_2_3 -Title: Email notifications -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v150_2_3_1 - - azure_cis_v150_2_3_2 - - azure_cis_v150_2_3_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v150_2_3 + title: Email notifications + description: Email notifications + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v150_2_3_1 + - azure_cis_v150_2_3_2 + - azure_cis_v150_2_3_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml index 46ebf21e0..223660ea0 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_2_4.yaml 
@@ -1,23 +1,28 @@ -ID: azure_cis_v150_2_4 -Title: Integrations -Description: "" -SectionCode: "4" -Children: [] -Controls: - - azure_cis_v150_2_4_1 - - azure_cis_v150_2_4_2 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v150_2_4 + title: Integrations + description: Integrations + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v150_2_4_1 + - azure_cis_v150_2_4_2 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml index 1c5252d12..670db084e 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_3.yaml 
@@ -1,35 +1,40 @@ -ID: azure_cis_v150_3 -Title: Storage Accounts -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v150_3_1 - - azure_cis_v150_3_2 - - azure_cis_v150_3_3 - - azure_cis_v150_3_4 - - azure_cis_v150_3_5 - - azure_cis_v150_3_6 - - azure_cis_v150_3_7 - - azure_cis_v150_3_8 - - azure_cis_v150_3_9 - - azure_cis_v150_3_10 - - azure_cis_v150_3_11 - - azure_cis_v150_3_12 - - azure_cis_v150_3_14 - - azure_cis_v150_3_15 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark +control-group: + id: azure_cis_v150_3 + title: Storage Accounts + description: Storage Accounts + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark + controls: + - azure_cis_v150_3_1 + - azure_cis_v150_3_2 + - azure_cis_v150_3_3 + - azure_cis_v150_3_4 + - azure_cis_v150_3_5 + - azure_cis_v150_3_6 + - azure_cis_v150_3_7 + - azure_cis_v150_3_8 + - azure_cis_v150_3_9 + - azure_cis_v150_3_10 + - azure_cis_v150_3_11 + - azure_cis_v150_3_12 + - azure_cis_v150_3_14 + - azure_cis_v150_3_15 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml index 3550d67ef..5411a7496 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4.yaml 
@@ -1,26 +1,31 @@ -ID: azure_cis_v150_4 -Title: Database Services -Description: "" -SectionCode: "4" -Children: - - azure_cis_v150_4_1 - - azure_cis_v150_4_2 - - azure_cis_v150_4_3 - - azure_cis_v150_4_4 - - azure_cis_v150_4_5 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_4 + title: Database Services + description: Database Services + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v150_4_1 + - id: azure_cis_v150_4_2 + - id: azure_cis_v150_4_3 + - id: azure_cis_v150_4_4 + - id: azure_cis_v150_4_5 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml index 4397dffa7..ce22c8509 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_1.yaml 
@@ -1,24 +1,29 @@ -ID: azure_cis_v150_4_1 -Title: SQL Server - Auditing -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v150_4_1_2 - - azure_cis_v150_4_1_4 - - azure_cis_v150_4_1_5 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.1" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v150_4_1 + title: SQL Server - Auditing + description: SQL Server - Auditing + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.1" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v150_4_1_2 + - azure_cis_v150_4_1_4 + - azure_cis_v150_4_1_5 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml index 0a6c59304..afb03678d 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_2.yaml @@ -1,21 +1,25 @@ -ID: azure_cis_v150_4_2 -Title: SQL Server - Microsoft Defender for SQL -Description: "" -SectionCode: "2" -Children: [] -Controls: null -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.2" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v150_4_2 + title: SQL Server - Microsoft Defender for SQL + description: SQL Server - Microsoft Defender for SQL + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.2" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark 
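Review bot: The rewritten azure_cis_v150_4_2 group (second hunk on this line) has neither a `controls` nor a `control-group` key, so it is an empty leaf; the old side at least stated `Controls: null` explicitly. If the loader treats an absent key and `null` identically this is harmless, but the intent should be visible, either as `controls: []  # placeholder: no 4.2 controls implemented yet` or by dropping `azure_cis_v150_4_2` from the parent's `control-group` list in the azure_cis_v150_4 hunk so reports do not show a section with nothing evaluated.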
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml index f8acfc998..d6bce48f2 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_3.yaml @@ -1,24 +1,29 @@ -ID: azure_cis_v150_4_3 -Title: PostgreSQL Database Server -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v150_4_3_1 - - azure_cis_v150_4_3_7 - - azure_cis_v150_4_3_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.3" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_4_3 + title: PostgreSQL Database Server + description: PostgreSQL Database Server + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.3" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v150_4_3_1 + - azure_cis_v150_4_3_7 + - azure_cis_v150_4_3_8 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml index 800866d77..2f360b0fb 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_4.yaml 
@@ -1,24 +1,29 @@ -ID: azure_cis_v150_4_4 -Title: MySQL Database -Description: "" -SectionCode: "4" -Children: [] -Controls: - - azure_cis_v150_4_4_1 - - azure_cis_v150_4_4_2 - - azure_cis_v150_4_4_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v150_4_4 + title: MySQL Database + description: MySQL Database + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v150_4_4_1 + - azure_cis_v150_4_4_2 + - azure_cis_v150_4_4_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml index 90f6e8015..d168aa073 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_4_5.yaml @@ -1,23 +1,28 @@ -ID: azure_cis_v150_4_5 -Title: Cosmos DB -Description: "" -SectionCode: "5" -Children: [] -Controls: - - azure_cis_v150_4_5_1 - - azure_cis_v150_4_5_2 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v150_4_5 + title: Cosmos DB + description: Cosmos DB + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v150_4_5_1 + - azure_cis_v150_4_5_2 
diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml index 7860759e0..3ac0c4fd1 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5.yaml @@ -1,24 +1,30 @@ -ID: azure_cis_v150_5 -Title: Logging and Monitoring -Description: "" -SectionCode: "5" -Children: - - azure_cis_v150_5_1 - - azure_cis_v150_5_2 -Controls: - - azure_cis_v150_5_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_5 + title: Logging and Monitoring + description: Logging and Monitoring + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v150_5_1 + - id: azure_cis_v150_5_2 + controls: + - azure_cis_v150_5_3 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml index b6b8781ca..a6347a3e3 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_1.yaml 
@@ -1,27 +1,32 @@ -ID: azure_cis_v150_5_1 -Title: Configuring Diagnostic Settings -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v150_5_1_1 - - azure_cis_v150_5_1_2 - - azure_cis_v150_5_1_3 - - azure_cis_v150_5_1_5 - - azure_cis_v150_5_1_6 - - azure_cis_v150_5_1_7 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_5_1 + title: Configuring Diagnostic Settings + description: Configuring Diagnostic Settings + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v150_5_1_1 + - azure_cis_v150_5_1_2 + - azure_cis_v150_5_1_3 + - azure_cis_v150_5_1_5 + - azure_cis_v150_5_1_6 + - azure_cis_v150_5_1_7 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml index b00188f59..195d37065 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_5_2.yaml 
@@ -1,31 +1,36 @@ -ID: azure_cis_v150_5_2 -Title: Monitoring using Activity Log Alerts -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v150_5_2_1 - - azure_cis_v150_5_2_2 - - azure_cis_v150_5_2_3 - - azure_cis_v150_5_2_4 - - azure_cis_v150_5_2_5 - - azure_cis_v150_5_2_6 - - azure_cis_v150_5_2_7 - - azure_cis_v150_5_2_8 - - azure_cis_v150_5_2_9 - - azure_cis_v150_5_2_10 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_cis_v150_5_2 + title: Monitoring using Activity Log Alerts + description: Monitoring using Activity Log Alerts + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_cis_v150_5_2_1 + - azure_cis_v150_5_2_2 + - azure_cis_v150_5_2_3 + - azure_cis_v150_5_2_4 + - azure_cis_v150_5_2_5 + - azure_cis_v150_5_2_6 + - azure_cis_v150_5_2_7 + - azure_cis_v150_5_2_8 + - azure_cis_v150_5_2_9 + - azure_cis_v150_5_2_10 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml index db18ea4a3..ee174542a 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_6.yaml 
@@ -1,25 +1,30 @@ -ID: azure_cis_v150_6 -Title: Networking -Description: "" -SectionCode: "6" -Children: [] -Controls: - - azure_cis_v150_6_1 - - azure_cis_v150_6_2 - - azure_cis_v150_6_3 - - azure_cis_v150_6_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "6" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark +control-group: + id: azure_cis_v150_6 + title: Networking + description: Networking + section-code: "6" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "6" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark + controls: + - azure_cis_v150_6_1 + - azure_cis_v150_6_2 + - azure_cis_v150_6_3 + - azure_cis_v150_6_4 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml index e7ab1825e..e518143fc 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_7.yaml 
@@ -1,27 +1,32 @@ -ID: azure_cis_v150_7 -Title: Virtual Machines -Description: "" -SectionCode: "7" -Children: [] -Controls: - - azure_cis_v150_7_1 - - azure_cis_v150_7_2 - - azure_cis_v150_7_3 - - azure_cis_v150_7_4 - - azure_cis_v150_7_5 - - azure_cis_v150_7_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "7" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_cis_v150_7 + title: Virtual Machines + description: Virtual Machines + section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "7" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_cis_v150_7_1 + - azure_cis_v150_7_2 + - azure_cis_v150_7_3 + - azure_cis_v150_7_4 + - azure_cis_v150_7_5 + - azure_cis_v150_7_6 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml index b25f13f0f..7c9f5d76b 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_8.yaml 
@@ -1,28 +1,33 @@ -ID: azure_cis_v150_8 -Title: Other Security Considerations -Description: "" -SectionCode: "8" -Children: [] -Controls: - - azure_cis_v150_8_1 - - azure_cis_v150_8_2 - - azure_cis_v150_8_3 - - azure_cis_v150_8_4 - - azure_cis_v150_8_5 - - azure_cis_v150_8_6 - - azure_cis_v150_8_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "8" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v150_8 + title: Other Security Considerations + description: Other Security Considerations + section-code: "8" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "8" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v150_8_1 + - azure_cis_v150_8_2 + - azure_cis_v150_8_3 + - azure_cis_v150_8_4 + - azure_cis_v150_8_5 + - azure_cis_v150_8_6 + - azure_cis_v150_8_8 diff --git a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml index 82bde5d98..8d9e3025c 100755 --- a/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml +++ b/compliance/frameworks/azure/azure_cis_v150/azure_cis_v150_9.yaml 
@@ -1,30 +1,35 @@ -ID: azure_cis_v150_9 -Title: AppService -Description: "" -SectionCode: "9" -Children: [] -Controls: - - azure_cis_v150_9_1 - - azure_cis_v150_9_2 - - azure_cis_v150_9_4 - - azure_cis_v150_9_5 - - azure_cis_v150_9_6 - - azure_cis_v150_9_7 - - azure_cis_v150_9_8 - - azure_cis_v150_9_9 - - azure_cis_v150_9_11 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "9" - cis_version: - - v1.5.0 - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_cis_v150_9 + title: AppService + description: AppService + section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "9" + cis_version: + - v1.5.0 + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_cis_v150_9_1 + - azure_cis_v150_9_2 + - azure_cis_v150_9_4 + - azure_cis_v150_9_5 + - azure_cis_v150_9_6 + - azure_cis_v150_9_7 + - azure_cis_v150_9_8 + - azure_cis_v150_9_9 + - azure_cis_v150_9_11 diff --git a/compliance/frameworks/azure/azure_cis_v150/root.yaml b/compliance/frameworks/azure/azure_cis_v150/root.yaml deleted file mode 100755 index 43149c7a5..000000000 --- a/compliance/frameworks/azure/azure_cis_v150/root.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -ID: azure_cis_v150 -Title: CIS v1.5.0 -Description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. -SectionCode: azure_cis_v150 -Children: - - azure_cis_v150_1 - - azure_cis_v150_2 - - azure_cis_v150_3 - - azure_cis_v150_4 - - azure_cis_v150_5 - - azure_cis_v150_6 - - azure_cis_v150_7 - - azure_cis_v150_8 - - azure_cis_v150_9 - - azure_cis_v150_10 -Controls: [] -Defaults: - AutoAssign: false - Enabled: false - TracksDriftEvents: false -Tags: - category: - - Compliance - cis: - - "true" - cis_version: - - v1.5.0 - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - azure - service: - - Azure - type: - - Benchmark diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml new file mode 100644 index 000000000..90edc843b --- /dev/null +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200.yaml @@ -0,0 +1,38 @@ +framework: + id: azure_cis_v200 + title: CIS v2.0.0 + description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure. + section-code: azure_cis_v200 + metadata: + defaults: + auto-assign: false + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_version: + - v2.0.0 + platform_benchmark_type: + - compliance + platform_category: + - Best Practices + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v200_1 + - id: azure_cis_v200_2 + - id: azure_cis_v200_3 + - id: azure_cis_v200_4 + - id: azure_cis_v200_5 + - id: azure_cis_v200_6 + - id: azure_cis_v200_7 + - id: azure_cis_v200_8 + - id: azure_cis_v200_9 + - id: azure_cis_v200_10 
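Review bot: The new framework file writes `auto-assign: false` while every `control-group` in this commit writes `auto-assign: null`, so the same default is encoded two different ways at the two levels; a loader that distinguishes null from false could treat a group differently from its framework. If `null` is meant to inherit the framework value, say so with a comment above the groups' `defaults:` (`# null inherits the framework-level default`), otherwise write `auto-assign: false` at both levels. Separately, this hunk deletes `azure_cis_v150/root.yaml` but no replacement `azure_cis_v150.yaml` framework file is visible in this part of the diff; if it is not added elsewhere in the commit, the v1.5.0 control-groups rewritten above lose their root and silently drop out of the framework list.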
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml index 305aa03cd..f488c8734 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1.yaml 
@@ -1,45 +1,51 @@ -ID: azure_cis_v200_1 -Title: Identity and Access Management -Description: "" -SectionCode: "1" -Children: - - azure_cis_v200_1_1 - - azure_cis_v200_1_2 -Controls: - - azure_cis_v200_1_3 - - azure_cis_v200_1_4 - - azure_cis_v200_1_5 - - azure_cis_v200_1_6 - - azure_cis_v200_1_7 - - azure_cis_v200_1_8 - - azure_cis_v200_1_9 - - azure_cis_v200_1_10 - - azure_cis_v200_1_12 - - azure_cis_v200_1_13 - - azure_cis_v200_1_14 - - azure_cis_v200_1_15 - - azure_cis_v200_1_16 - - azure_cis_v200_1_17 - - azure_cis_v200_1_18 - - azure_cis_v200_1_19 - - azure_cis_v200_1_20 - - azure_cis_v200_1_21 - - azure_cis_v200_1_22 - - azure_cis_v200_1_23 - - azure_cis_v200_1_24 - - azure_cis_v200_1_25 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v200_1 + title: Identity and Access Management + description: Identity and Access Management + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + control-group: + - id: azure_cis_v200_1_1 + - id: azure_cis_v200_1_2 + controls: + - azure_cis_v200_1_3 + - azure_cis_v200_1_4 + - azure_cis_v200_1_5 + - azure_cis_v200_1_6 + - azure_cis_v200_1_7 + - azure_cis_v200_1_8 + - azure_cis_v200_1_9 + - azure_cis_v200_1_10 + - azure_cis_v200_1_12 + - azure_cis_v200_1_13 + - azure_cis_v200_1_14 + - azure_cis_v200_1_15 + - azure_cis_v200_1_16 + - azure_cis_v200_1_17 + - azure_cis_v200_1_18 + - azure_cis_v200_1_19 + - azure_cis_v200_1_20 + - azure_cis_v200_1_21 + - azure_cis_v200_1_22 + - azure_cis_v200_1_23 + - azure_cis_v200_1_24 + - azure_cis_v200_1_25 
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml index 20d606c3e..a5de0c918 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_10.yaml @@ -1,22 +1,27 @@ -ID: azure_cis_v200_10 -Title: Miscellaneous -Description: "" -SectionCode: "10" -Children: [] -Controls: - - azure_cis_v200_10_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "10" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v200_10 + title: Miscellaneous + description: Miscellaneous + section-code: "10" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "10" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v200_10_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml index 8815e7ff4..8c586aefb 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_1.yaml 
@@ -1,25 +1,30 @@ -ID: azure_cis_v200_1_1 -Title: Security Defaults -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v200_1_1_1 - - azure_cis_v200_1_1_2 - - azure_cis_v200_1_1_3 - - azure_cis_v200_1_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v200_1_1 + title: Security Defaults + description: Security Defaults + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + controls: + - azure_cis_v200_1_1_1 + - azure_cis_v200_1_1_2 + - azure_cis_v200_1_1_3 + - azure_cis_v200_1_1_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml index 81627558e..b04c03ca9 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_1_2.yaml 
@@ -1,27 +1,32 @@ -ID: azure_cis_v200_1_2 -Title: Conditional Access -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v200_1_2_1 - - azure_cis_v200_1_2_2 - - azure_cis_v200_1_2_3 - - azure_cis_v200_1_2_4 - - azure_cis_v200_1_2_5 - - azure_cis_v200_1_2_6 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "1.2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/ActiveDirectory - type: - - Benchmark +control-group: + id: azure_cis_v200_1_2 + title: Conditional Access + description: Conditional Access + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "1.2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/ActiveDirectory + type: + - Benchmark + controls: + - azure_cis_v200_1_2_1 + - azure_cis_v200_1_2_2 + - azure_cis_v200_1_2_3 + - azure_cis_v200_1_2_4 + - azure_cis_v200_1_2_5 + - azure_cis_v200_1_2_6 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml index c357c1c22..94d0b080b 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2.yaml 
@@ -1,24 +1,29 @@ -ID: azure_cis_v200_2 -Title: Microsoft Defender -Description: "" -SectionCode: "2" -Children: - - azure_cis_v200_2_1 - - azure_cis_v200_2_2 - - azure_cis_v200_2_3 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v200_2 + title: Microsoft Defender + description: Microsoft Defender + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + control-group: + - id: azure_cis_v200_2_1 + - id: azure_cis_v200_2_2 + - id: azure_cis_v200_2_3 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml index a62a90fdb..e3513d942 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_1.yaml 
@@ -1,42 +1,47 @@ -ID: azure_cis_v200_2_1 -Title: Microsoft Defender for Cloud -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v200_2_1_1 - - azure_cis_v200_2_1_2 - - azure_cis_v200_2_1_3 - - azure_cis_v200_2_1_4 - - azure_cis_v200_2_1_5 - - azure_cis_v200_2_1_6 - - azure_cis_v200_2_1_7 - - azure_cis_v200_2_1_8 - - azure_cis_v200_2_1_9 - - azure_cis_v200_2_1_11 - - azure_cis_v200_2_1_12 - - azure_cis_v200_2_1_13 - - azure_cis_v200_2_1_14 - - azure_cis_v200_2_1_15 - - azure_cis_v200_2_1_16 - - azure_cis_v200_2_1_17 - - azure_cis_v200_2_1_18 - - azure_cis_v200_2_1_19 - - azure_cis_v200_2_1_20 - - azure_cis_v200_2_1_21 - - azure_cis_v200_2_1_22 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v200_2_1 + title: Microsoft Defender for Cloud + description: Microsoft Defender for Cloud + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v200_2_1_1 + - azure_cis_v200_2_1_2 + - azure_cis_v200_2_1_3 + - azure_cis_v200_2_1_4 + - azure_cis_v200_2_1_5 + - azure_cis_v200_2_1_6 + - azure_cis_v200_2_1_7 + - azure_cis_v200_2_1_8 + - azure_cis_v200_2_1_9 + - azure_cis_v200_2_1_11 + - azure_cis_v200_2_1_12 + - azure_cis_v200_2_1_13 + - azure_cis_v200_2_1_14 + - azure_cis_v200_2_1_15 + - azure_cis_v200_2_1_16 + - azure_cis_v200_2_1_17 + - azure_cis_v200_2_1_18 + - azure_cis_v200_2_1_19 + - azure_cis_v200_2_1_20 + - azure_cis_v200_2_1_21 + - azure_cis_v200_2_1_22 
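Review bot: `cis_section_id` is tagged `"2"` on this Defender for Cloud subsection, whereas the Identity subsections in the same commit use the dotted form (`"1.1"`, `"1.2"`), so anything that filters or groups findings by that tag folds 2.1, 2.2 and 2.3 into their parent. Tag this group `- "2.1"` and its siblings `- "2.2"` / `- "2.3"` so the tag agrees with each file's `section-code` under parent 2. The old side had the same value, so this is a pre-existing inconsistency rather than a regression, but the commit rewrites every line of the file and is the natural place to fix it.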
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml index 5cd454cc5..505588dcf 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_2.yaml @@ -1,22 +1,27 @@ -ID: azure_cis_v200_2_2 -Title: Microsoft Defender for IoT -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v200_2_2_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v200_2_2 + title: Microsoft Defender for IoT + description: Microsoft Defender for IoT + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_cis_v200_2_2_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml index bfbcb3e0b..3093d430f 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_2_3.yaml 
@@ -1,21 +1,25 @@ -ID: azure_cis_v200_2_3 -Title: Microsoft Defender for External Attack Surface Monitoring -Description: "" -SectionCode: "3" -Children: [] -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_cis_v200_2_3 + title: Microsoft Defender for External Attack Surface Monitoring + description: Microsoft Defender for External Attack Surface Monitoring + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml index 0e130a769..9ab27bd8f 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_3.yaml 
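Review bot: This control-group has neither a `controls` nor a nested `control-group` key, so the Defender for External Attack Surface Monitoring section evaluates nothing; depending on how the loader treats an absent key it will either appear as an empty (and trivially passing) section or vanish from reports, and neither tells an assessor that the 2.3 recommendation is unassessed. Make the empty state deliberate with `controls: []` and a comment above it such as `# No automated check for CIS 2.3 (Defender EASM) — assess manually`, assuming the loader accepts an empty list. The `cis_section_id` tag here is `"2"` where the dotted `"2.3"` would match the convention used by the 1.x subsections.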
@@ -1,34 +1,39 @@ -ID: azure_cis_v200_3 -Title: Storage Accounts -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v200_3_1 - - azure_cis_v200_3_2 - - azure_cis_v200_3_3 - - azure_cis_v200_3_4 - - azure_cis_v200_3_5 - - azure_cis_v200_3_6 - - azure_cis_v200_3_8 - - azure_cis_v200_3_9 - - azure_cis_v200_3_10 - - azure_cis_v200_3_11 - - azure_cis_v200_3_12 - - azure_cis_v200_3_14 - - azure_cis_v200_3_15 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "3" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark +control-group: + id: azure_cis_v200_3 + title: Storage Accounts + description: Storage Accounts + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "3" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark + controls: + - azure_cis_v200_3_1 + - azure_cis_v200_3_2 + - azure_cis_v200_3_3 + - azure_cis_v200_3_4 + - azure_cis_v200_3_5 + - azure_cis_v200_3_6 + - azure_cis_v200_3_8 + - azure_cis_v200_3_9 + - azure_cis_v200_3_10 + - azure_cis_v200_3_11 + - azure_cis_v200_3_12 + - azure_cis_v200_3_14 + - azure_cis_v200_3_15 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml index 8fe4f4df9..87e07790a 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4.yaml 
@@ -1,26 +1,31 @@ -ID: azure_cis_v200_4 -Title: Database Services -Description: "" -SectionCode: "4" -Children: - - azure_cis_v200_4_1 - - azure_cis_v200_4_2 - - azure_cis_v200_4_3 - - azure_cis_v200_4_4 - - azure_cis_v200_4_5 -Controls: [] -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v200_4 + title: Database Services + description: Database Services + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v200_4_1 + - id: azure_cis_v200_4_2 + - id: azure_cis_v200_4_3 + - id: azure_cis_v200_4_4 + - id: azure_cis_v200_4_5 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml index e789b86ee..ba72a8bc1 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_1.yaml 
@@ -1,23 +1,28 @@ -ID: azure_cis_v200_4_1 -Title: SQL Server - Auditing -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v200_4_1_2 - - azure_cis_v200_4_1_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.1" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v200_4_1 + title: SQL Server - Auditing + description: SQL Server - Auditing + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.1" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v200_4_1_2 + - azure_cis_v200_4_1_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml index f61a33c7a..ffa1c99d7 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_2.yaml @@ -1,21 +1,25 @@ -ID: azure_cis_v200_4_2 -Title: SQL Server - Microsoft Defender for SQL -Description: "" -SectionCode: "2" -Children: [] -Controls: null -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.2" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v200_4_2 + title: SQL Server - Microsoft Defender for SQL + description: SQL Server - Microsoft Defender for SQL + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.2" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark 
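Review bot: In the Defender for SQL hunk the old side declared `Controls: null` and the new side drops the key entirely, so this group has no checks and the commit does not say whether that is intentional or whether a missing `controls` is handled the same as null by the loader (not visible here). Write the empty state explicitly, `controls: []`, with a comment `# CIS 4.2.x (Defender for SQL) has no automated control in this tree yet` so the gap is visible to an assessor instead of presenting as an empty section. The preceding 4_1 hunk keeps only `azure_cis_v200_4_1_2` and `azure_cis_v200_4_1_4`; if the remaining 4.1.x items are deliberately unsupported, a one-line comment there would save the next reader from assuming the list was truncated.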
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml index c72453f76..e9550806f 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_3.yaml @@ -1,25 +1,30 @@ -ID: azure_cis_v200_4_3 -Title: PostgreSQL Database Server -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v200_4_3_1 - - azure_cis_v200_4_3_5 - - azure_cis_v200_4_3_7 - - azure_cis_v200_4_3_8 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.3" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v200_4_3 + title: PostgreSQL Database Server + description: PostgreSQL Database Server + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.3" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v200_4_3_1 + - azure_cis_v200_4_3_5 + - azure_cis_v200_4_3_7 + - azure_cis_v200_4_3_8 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml index b89a1787a..c7354ce4f 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_4.yaml 
@@ -1,23 +1,28 @@ -ID: azure_cis_v200_4_4 -Title: MySQL Database -Description: "" -SectionCode: "4" -Children: [] -Controls: - - azure_cis_v200_4_4_1 - - azure_cis_v200_4_4_2 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4.4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v200_4_4 + title: MySQL Database + description: MySQL Database + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4.4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v200_4_4_1 + - azure_cis_v200_4_4_2 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml index 1d0ba2296..0e50c108d 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_4_5.yaml @@ -1,24 +1,29 @@ -ID: azure_cis_v200_4_5 -Title: Cosmos DB -Description: "" -SectionCode: "5" -Children: [] -Controls: - - azure_cis_v200_4_5_1 - - azure_cis_v200_4_5_2 - - azure_cis_v200_4_5_3 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "4" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_cis_v200_4_5 + title: Cosmos DB + description: Cosmos DB + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "4" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_cis_v200_4_5_1 + - azure_cis_v200_4_5_2 + - azure_cis_v200_4_5_3 
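Review bot: In the Cosmos DB hunk `cis_section_id` is `"4"` while the sibling database subsections in this commit are tagged `"4.1"`, `"4.3"` and `"4.4"`; change it to `- "4.5"` so the tag agrees with `section-code: "5"` under parent 4 and 4.5 findings are not merged into the parent section. The `service:` tag `Azure/SQL` on a Cosmos DB group also looks copied from the SQL sections; if the tag vocabulary has a Cosmos DB value use it, otherwise fall back to the generic `Azure` that the PostgreSQL group uses. Both values are carried over from the old side, so they are pre-existing rather than introduced here.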
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml index 0631079ff..694b537c7 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5.yaml @@ -1,26 +1,32 @@ -ID: azure_cis_v200_5 -Title: Logging and Monitoring -Description: "" -SectionCode: "5" -Children: - - azure_cis_v200_5_1 - - azure_cis_v200_5_2 - - azure_cis_v200_5_3 - - azure_cis_v200_5_5 -Controls: - - azure_cis_v200_5_4 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v200_5 + title: Logging and Monitoring + description: Logging and Monitoring + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_cis_v200_5_1 + - id: azure_cis_v200_5_2 + - id: azure_cis_v200_5_3 + - id: azure_cis_v200_5_5 + controls: + - azure_cis_v200_5_4 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml index a335b7e85..ad4cf91c4 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_1.yaml 
@@ -1,27 +1,32 @@ -ID: azure_cis_v200_5_1 -Title: Configuring Diagnostic Settings -Description: "" -SectionCode: "1" -Children: [] -Controls: - - azure_cis_v200_5_1_1 - - azure_cis_v200_5_1_2 - - azure_cis_v200_5_1_3 - - azure_cis_v200_5_1_5 - - azure_cis_v200_5_1_6 - - azure_cis_v200_5_1_7 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_cis_v200_5_1 + title: Configuring Diagnostic Settings + description: Configuring Diagnostic Settings + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_cis_v200_5_1_1 + - azure_cis_v200_5_1_2 + - azure_cis_v200_5_1_3 + - azure_cis_v200_5_1_5 + - azure_cis_v200_5_1_6 + - azure_cis_v200_5_1_7 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml index 1c79ea576..07702d805 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_2.yaml 
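Review bot: `cis_section_id` is `"5"` on this Configuring Diagnostic Settings subsection (and on the 5_2 and 5_3 hunks that follow), whereas the 1.x and 4.x subsections carry the dotted id; tag it `- "5.1"` (and `"5.2"`, `"5.3"` for the siblings) so section-level filtering keeps the logging subsections distinct from their parent. This is inherited from the old side, but since every line of the file is rewritten here it is cheap to correct now.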
@@ -1,31 +1,36 @@ -ID: azure_cis_v200_5_2 -Title: Monitoring using Activity Log Alerts -Description: "" -SectionCode: "2" -Children: [] -Controls: - - azure_cis_v200_5_2_1 - - azure_cis_v200_5_2_2 - - azure_cis_v200_5_2_3 - - azure_cis_v200_5_2_4 - - azure_cis_v200_5_2_5 - - azure_cis_v200_5_2_6 - - azure_cis_v200_5_2_7 - - azure_cis_v200_5_2_8 - - azure_cis_v200_5_2_9 - - azure_cis_v200_5_2_10 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_cis_v200_5_2 + title: Monitoring using Activity Log Alerts + description: Monitoring using Activity Log Alerts + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_cis_v200_5_2_1 + - azure_cis_v200_5_2_2 + - azure_cis_v200_5_2_3 + - azure_cis_v200_5_2_4 + - azure_cis_v200_5_2_5 + - azure_cis_v200_5_2_6 + - azure_cis_v200_5_2_7 + - azure_cis_v200_5_2_8 + - azure_cis_v200_5_2_9 + - azure_cis_v200_5_2_10 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml index 380d4413f..90746ee34 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_3.yaml 
@@ -1,22 +1,27 @@ -ID: azure_cis_v200_5_3 -Title: Configuring Application Insights -Description: "" -SectionCode: "3" -Children: [] -Controls: - - azure_cis_v200_5_3_1 -Tags: - category: - - Compliance - cis: - - "true" - cis_section_id: - - "5" - cis_version: - - v2.0.0 - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_cis_v200_5_3 + title: Configuring Application Insights + description: Configuring Application Insights + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + cis: + - "true" + cis_section_id: + - "5" + cis_version: + - v2.0.0 + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_cis_v200_5_3_1 diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml index ec9fcd0f0..b626ce004 100755 --- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml +++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_5_5.yaml 
@@ -1,29 +1,34 @@
-ID: azure_cis_v200_5_5
-Title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
-Description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_network_lb_no_basic_sku
- - azure_network_public_ip_no_basic_sku
- - azure_network_virtual_network_gateway_no_basic_sku
- - azure_redis_cache_no_basic_sku
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_item_id:
- - "5.5"
- cis_level:
- - "2"
- cis_section_id:
- - "5"
- cis_type:
- - automated
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure/Monitor
+control-group:
+ id: azure_cis_v200_5_5
+ title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
+ description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_item_id:
+ - "5.5"
+ cis_level:
+ - "2"
+ cis_section_id:
+ - "5"
+ cis_type:
+ - automated
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure/Monitor
+ controls:
+ - azure_network_lb_no_basic_sku
+ - azure_network_public_ip_no_basic_sku
+ - azure_network_virtual_network_gateway_no_basic_sku
+ - azure_redis_cache_no_basic_sku
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml
index b7858617d..399adf148 100755
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_6.yaml
@@ -1,26 +1,31 @@
-ID: azure_cis_v200_6
-Title: Networking
-Description: ""
-SectionCode: "6"
-Children: []
-Controls:
- - azure_cis_v200_6_1
- - azure_cis_v200_6_2
- - azure_cis_v200_6_3
- - azure_cis_v200_6_4
- - azure_cis_v200_6_7
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "6"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v200_6
+ title: Networking
+ description: Networking
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "6"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v200_6_1
+ - azure_cis_v200_6_2
+ - azure_cis_v200_6_3
+ - azure_cis_v200_6_4
+ - azure_cis_v200_6_7
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml
index 676f034be..b66ac6229 100755
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_7.yaml
@@ -1,28 +1,33 @@
-ID: azure_cis_v200_7
-Title: Virtual Machines
-Description: ""
-SectionCode: "7"
-Children: []
-Controls:
- - azure_cis_v200_7_1
- - azure_cis_v200_7_2
- - azure_cis_v200_7_3
- - azure_cis_v200_7_4
- - azure_cis_v200_7_5
- - azure_cis_v200_7_6
- - azure_cis_v200_7_7
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "7"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v200_7
+ title: Virtual Machines
+ description: Virtual Machines
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "7"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v200_7_1
+ - azure_cis_v200_7_2
+ - azure_cis_v200_7_3
+ - azure_cis_v200_7_4
+ - azure_cis_v200_7_5
+ - azure_cis_v200_7_6
+ - azure_cis_v200_7_7
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml
index 1aa1d7c8e..84d3866e3 100755
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml
+++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_8.yaml
@@ -1,28 +1,33 @@
-ID: azure_cis_v200_8
-Title: Key Vault
-Description: ""
-SectionCode: "8"
-Children: []
-Controls:
- - azure_cis_v200_8_1
- - azure_cis_v200_8_2
- - azure_cis_v200_8_3
- - azure_cis_v200_8_4
- - azure_cis_v200_8_5
- - azure_cis_v200_8_6
- - azure_cis_v200_8_8
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "8"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v200_8
+ title: Key Vault
+ description: Key Vault
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "8"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v200_8_1
+ - azure_cis_v200_8_2
+ - azure_cis_v200_8_3
+ - azure_cis_v200_8_4
+ - azure_cis_v200_8_5
+ - azure_cis_v200_8_6
+ - azure_cis_v200_8_8
diff --git a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml
index 8218d8679..2ddb80c3f 100755
--- a/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml
+++ b/compliance/frameworks/azure/azure_cis_v200/azure_cis_v200_9.yaml
@@ -1,31 +1,36 @@
-ID: azure_cis_v200_9
-Title: AppService
-Description: ""
-SectionCode: "9"
-Children: []
-Controls:
- - azure_cis_v200_9_1
- - azure_cis_v200_9_2
- - azure_cis_v200_9_3
- - azure_cis_v200_9_4
- - azure_cis_v200_9_5
- - azure_cis_v200_9_6
- - azure_cis_v200_9_7
- - azure_cis_v200_9_8
- - azure_cis_v200_9_9
- - azure_cis_v200_9_11
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "9"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_cis_v200_9
+ title: AppService
+ description: AppService
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "9"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_cis_v200_9_1
+ - azure_cis_v200_9_2
+ - azure_cis_v200_9_3
+ - azure_cis_v200_9_4
+ - azure_cis_v200_9_5
+ - azure_cis_v200_9_6
+ - azure_cis_v200_9_7
+ - azure_cis_v200_9_8
+ - azure_cis_v200_9_9
+ - azure_cis_v200_9_11
diff --git a/compliance/frameworks/azure/azure_cis_v200/root.yaml b/compliance/frameworks/azure/azure_cis_v200/root.yaml
deleted file mode 100755
index b19534ffb..000000000
--- a/compliance/frameworks/azure/azure_cis_v200/root.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-ID: azure_cis_v200
-Title: CIS v2.0.0
-Description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
-SectionCode: azure_cis_v200
-Children:
- - azure_cis_v200_1
- - azure_cis_v200_2
- - azure_cis_v200_3
- - azure_cis_v200_4
- - azure_cis_v200_5
- - azure_cis_v200_6
- - azure_cis_v200_7
- - azure_cis_v200_8
- - azure_cis_v200_9
- - azure_cis_v200_10
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_version:
- - v2.0.0
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml
new file mode 100644
index 000000000..3eddb6cf8
--- /dev/null
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210.yaml
@@ -0,0 +1,22 @@
+framework:
+ id: azure_cis_v210
+ title: CIS v2.1.0
+ description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
+ section-code: azure_cis_v210
+ metadata:
+ defaults:
+ auto-assign: true
+ enabled: true
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_cis_v210_1
+ - id: azure_cis_v210_2
+ - id: azure_cis_v210_3
+ - id: azure_cis_v210_4
+ - id: azure_cis_v210_5
+ - id: azure_cis_v210_6
+ - id: azure_cis_v210_7
+ - id: azure_cis_v210_8
+ - id: azure_cis_v210_9
+ - id: azure_cis_v210_10
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml
index 8de7c5a09..863e2275b 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1.yaml
@@ -1,31 +1,37 @@
-ID: azure_cis_v210_1
-Title: Identity and Access Management
-Description: ""
-SectionCode: "1"
-Children:
- - azure_cis_v210_1_1
- - azure_cis_v210_1_2
-Controls:
- - azure_cis_v210_1_4
- - azure_cis_v210_1_5
- - azure_cis_v210_1_6
- - azure_cis_v210_1_7
- - azure_cis_v210_1_8
- - azure_cis_v210_1_9
- - azure_cis_v210_1_10
- - azure_cis_v210_1_11
- - azure_cis_v210_1_12
- - azure_cis_v210_1_13
- - azure_cis_v210_1_14
- - azure_cis_v210_1_15
- - azure_cis_v210_1_16
- - azure_cis_v210_1_17
- - azure_cis_v210_1_18
- - azure_cis_v210_1_19
- - azure_cis_v210_1_20
- - azure_cis_v210_1_21
- - azure_cis_v210_1_22
- - azure_cis_v210_1_23
- - azure_cis_v210_1_24
- - azure_cis_v210_1_25
-Tags: {}
+control-group:
+ id: azure_cis_v210_1
+ title: Identity and Access Management
+ description: Identity and Access Management
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_cis_v210_1_1
+ - id: azure_cis_v210_1_2
+ controls:
+ - azure_cis_v210_1_4
+ - azure_cis_v210_1_5
+ - azure_cis_v210_1_6
+ - azure_cis_v210_1_7
+ - azure_cis_v210_1_8
+ - azure_cis_v210_1_9
+ - azure_cis_v210_1_10
+ - azure_cis_v210_1_11
+ - azure_cis_v210_1_12
+ - azure_cis_v210_1_13
+ - azure_cis_v210_1_14
+ - azure_cis_v210_1_15
+ - azure_cis_v210_1_16
+ - azure_cis_v210_1_17
+ - azure_cis_v210_1_18
+ - azure_cis_v210_1_19
+ - azure_cis_v210_1_20
+ - azure_cis_v210_1_21
+ - azure_cis_v210_1_22
+ - azure_cis_v210_1_23
+ - azure_cis_v210_1_24
+ - azure_cis_v210_1_25
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml
index 3f3869091..069ae8c60 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_10.yaml
@@ -1,8 +1,13 @@
-ID: azure_cis_v210_10
-Title: Miscellaneous
-Description: ""
-SectionCode: "10"
-Children: []
-Controls:
- - azure_cis_v210_10_1
-Tags: {}
+control-group:
+ id: azure_cis_v210_10
+ title: Miscellaneous
+ description: Miscellaneous
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_10_1
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
index 0181edffa..fcbd1a71c 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_1.yaml
@@ -1,11 +1,16 @@
-ID: azure_cis_v210_1_1
-Title: Security Defaults
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v210_1_1_1
- - azure_cis_v210_1_1_2
- - azure_cis_v210_1_1_3
- - azure_cis_v210_1_1_4
-Tags: {}
+control-group:
+ id: azure_cis_v210_1_1
+ title: Security Defaults
+ description: Security Defaults
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_1_1_1
+ - azure_cis_v210_1_1_2
+ - azure_cis_v210_1_1_3
+ - azure_cis_v210_1_1_4
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
index 796f971c8..1ab267458 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_1_2.yaml
@@ -1,14 +1,19 @@
-ID: azure_cis_v210_1_2
-Title: Conditional Access
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v210_1_2_1
- - azure_cis_v210_1_2_2
- - azure_cis_v210_1_2_3
- - azure_cis_v210_1_2_4
- - azure_cis_v210_1_2_5
- - azure_cis_v210_1_2_6
- - azure_cis_v210_1_2_7
-Tags: {}
+control-group:
+ id: azure_cis_v210_1_2
+ title: Conditional Access
+ description: Conditional Access
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_1_2_1
+ - azure_cis_v210_1_2_2
+ - azure_cis_v210_1_2_3
+ - azure_cis_v210_1_2_4
+ - azure_cis_v210_1_2_5
+ - azure_cis_v210_1_2_6
+ - azure_cis_v210_1_2_7
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml
index 74ecb0e06..5e62a8865 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2.yaml
@@ -1,9 +1,14 @@
-ID: azure_cis_v210_2
-Title: Microsoft Defender
-Description: ""
-SectionCode: "2"
-Children:
- - azure_cis_v210_2_1
- - azure_cis_v210_2_2
-Controls: []
-Tags: {}
+control-group:
+ id: azure_cis_v210_2
+ title: Microsoft Defender
+ description: Microsoft Defender
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_cis_v210_2_1
+ - id: azure_cis_v210_2_2
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml
index 698c5f2f8..0eecc64ab 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_1.yaml
@@ -1,28 +1,33 @@
-ID: azure_cis_v210_2_1
-Title: Microsoft Defender for Cloud
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v210_2_1_1
- - azure_cis_v210_2_1_2
- - azure_cis_v210_2_1_3
- - azure_cis_v210_2_1_4
- - azure_cis_v210_2_1_5
- - azure_cis_v210_2_1_6
- - azure_cis_v210_2_1_7
- - azure_cis_v210_2_1_8
- - azure_cis_v210_2_1_10
- - azure_cis_v210_2_1_11
- - azure_cis_v210_2_1_12
- - azure_cis_v210_2_1_13
- - azure_cis_v210_2_1_14
- - azure_cis_v210_2_1_15
- - azure_cis_v210_2_1_16
- - azure_cis_v210_2_1_17
- - azure_cis_v210_2_1_18
- - azure_cis_v210_2_1_19
- - azure_cis_v210_2_1_20
- - azure_cis_v210_2_1_21
- - azure_cis_v210_2_1_22
-Tags: {}
+control-group:
+ id: azure_cis_v210_2_1
+ title: Microsoft Defender for Cloud
+ description: Microsoft Defender for Cloud
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_2_1_1
+ - azure_cis_v210_2_1_2
+ - azure_cis_v210_2_1_3
+ - azure_cis_v210_2_1_4
+ - azure_cis_v210_2_1_5
+ - azure_cis_v210_2_1_6
+ - azure_cis_v210_2_1_7
+ - azure_cis_v210_2_1_8
+ - azure_cis_v210_2_1_10
+ - azure_cis_v210_2_1_11
+ - azure_cis_v210_2_1_12
+ - azure_cis_v210_2_1_13
+ - azure_cis_v210_2_1_14
+ - azure_cis_v210_2_1_15
+ - azure_cis_v210_2_1_16
+ - azure_cis_v210_2_1_17
+ - azure_cis_v210_2_1_18
+ - azure_cis_v210_2_1_19
+ - azure_cis_v210_2_1_20
+ - azure_cis_v210_2_1_21
+ - azure_cis_v210_2_1_22
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml
index fbebfaede..f1c6e0159 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_2_2.yaml
@@ -1,8 +1,13 @@
-ID: azure_cis_v210_2_2
-Title: Microsoft Defender for IoT
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v210_2_2_1
-Tags: {}
+control-group:
+ id: azure_cis_v210_2_2
+ title: Microsoft Defender for IoT
+ description: Microsoft Defender for IoT
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_2_2_1
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
index 65e1c2edf..0e42f4904 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_3.yaml
@@ -1,23 +1,28 @@
-ID: azure_cis_v210_3
-Title: Storage Accounts
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v210_3_1
- - azure_cis_v210_3_2
- - azure_cis_v210_3_3
- - azure_cis_v210_3_4
- - azure_cis_v210_3_5
- - azure_cis_v210_3_6
- - azure_cis_v210_3_7
- - azure_cis_v210_3_8
- - azure_cis_v210_3_9
- - azure_cis_v210_3_10
- - azure_cis_v210_3_11
- - azure_cis_v210_3_12
- - azure_cis_v210_3_13
- - azure_cis_v210_3_14
- - azure_cis_v210_3_15
- - azure_cis_v210_3_16
-Tags: {}
+control-group:
+ id: azure_cis_v210_3
+ title: Storage Accounts
+ description: Storage Accounts
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_3_1
+ - azure_cis_v210_3_2
+ - azure_cis_v210_3_3
+ - azure_cis_v210_3_4
+ - azure_cis_v210_3_5
+ - azure_cis_v210_3_6
+ - azure_cis_v210_3_7
+ - azure_cis_v210_3_8
+ - azure_cis_v210_3_9
+ - azure_cis_v210_3_10
+ - azure_cis_v210_3_11
+ - azure_cis_v210_3_12
+ - azure_cis_v210_3_13
+ - azure_cis_v210_3_14
+ - azure_cis_v210_3_15
+ - azure_cis_v210_3_16
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml
index 6d7190731..7292b8948 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4.yaml
@@ -1,11 +1,16 @@
-ID: azure_cis_v210_4
-Title: Database Services
-Description: ""
-SectionCode: "4"
-Children:
- - azure_cis_v210_4_1
- - azure_cis_v210_4_3
- - azure_cis_v210_4_4
- - azure_cis_v210_4_5
-Controls: []
-Tags: {}
+control-group:
+ id: azure_cis_v210_4
+ title: Database Services
+ description: Database Services
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_cis_v210_4_1
+ - id: azure_cis_v210_4_3
+ - id: azure_cis_v210_4_4
+ - id: azure_cis_v210_4_5
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml
index b0d9e037c..af1f53030 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_1.yaml
@@ -1,10 +1,15 @@
-ID: azure_cis_v210_4_1
-Title: SQL Server - Auditing
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v210_4_1_2
- - azure_cis_v210_4_1_4
- - azure_cis_v210_4_1_5
-Tags: {}
+control-group:
+ id: azure_cis_v210_4_1
+ title: SQL Server - Auditing
+ description: SQL Server - Auditing
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_4_1_2
+ - azure_cis_v210_4_1_4
+ - azure_cis_v210_4_1_5
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml
index 9317ee2dd..d888f333d 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_3.yaml
@@ -1,10 +1,15 @@
-ID: azure_cis_v210_4_3
-Title: PostgreSQL Database Server
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v210_4_3_1
- - azure_cis_v210_4_3_7
- - azure_cis_v210_4_3_8
-Tags: {}
+control-group:
+ id: azure_cis_v210_4_3
+ title: PostgreSQL Database Server
+ description: PostgreSQL Database Server
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_4_3_1
+ - azure_cis_v210_4_3_7
+ - azure_cis_v210_4_3_8
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml
index a8667d597..a4dddff60 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_4.yaml
@@ -1,9 +1,14 @@
-ID: azure_cis_v210_4_4
-Title: MySQL Database
-Description: ""
-SectionCode: "4"
-Children: []
-Controls:
- - azure_cis_v210_4_4_1
- - azure_cis_v210_4_4_2
-Tags: {}
+control-group:
+ id: azure_cis_v210_4_4
+ title: MySQL Database
+ description: MySQL Database
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_4_4_1
+ - azure_cis_v210_4_4_2
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml
index 2e6827bc7..d8a727c9a 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_4_5.yaml
@@ -1,10 +1,15 @@
-ID: azure_cis_v210_4_5
-Title: Cosmos DB
-Description: ""
-SectionCode: "5"
-Children: []
-Controls:
- - azure_cis_v210_4_5_1
- - azure_cis_v210_4_5_2
- - azure_cis_v210_4_5_3
-Tags: {}
+control-group:
+ id: azure_cis_v210_4_5
+ title: Cosmos DB
+ description: Cosmos DB
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_4_5_1
+ - azure_cis_v210_4_5_2
+ - azure_cis_v210_4_5_3
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml
index c6c6aff0a..c44096fae 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5.yaml
@@ -1,12 +1,18 @@
-ID: azure_cis_v210_5
-Title: Logging and Monitoring
-Description: ""
-SectionCode: "5"
-Children:
- - azure_cis_v210_5_1
- - azure_cis_v210_5_2
- - azure_cis_v210_5_3
- - azure_cis_v210_5_5
-Controls:
- - azure_cis_v210_5_4
-Tags: {}
+control-group:
+ id: azure_cis_v210_5
+ title: Logging and Monitoring
+ description: Logging and Monitoring
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_cis_v210_5_1
+ - id: azure_cis_v210_5_2
+ - id: azure_cis_v210_5_3
+ - id: azure_cis_v210_5_5
+ controls:
+ - azure_cis_v210_5_4
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml
index 1ae5a0486..b8ad3a282 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_1.yaml
@@ -1,13 +1,18 @@
-ID: azure_cis_v210_5_1
-Title: Configuring Diagnostic Settings
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cis_v210_5_1_1
- - azure_cis_v210_5_1_2
- - azure_cis_v210_5_1_3
- - azure_cis_v210_5_1_4
- - azure_cis_v210_5_1_5
- - azure_cis_v210_5_1_6
-Tags: {}
+control-group:
+ id: azure_cis_v210_5_1
+ title: Configuring Diagnostic Settings
+ description: Configuring Diagnostic Settings
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_5_1_1
+ - azure_cis_v210_5_1_2
+ - azure_cis_v210_5_1_3
+ - azure_cis_v210_5_1_4
+ - azure_cis_v210_5_1_5
+ - azure_cis_v210_5_1_6
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml
index 20a669445..79809247e 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_2.yaml
@@ -1,17 +1,22 @@
-ID: azure_cis_v210_5_2
-Title: Monitoring using Activity Log Alerts
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_cis_v210_5_2_1
- - azure_cis_v210_5_2_2
- - azure_cis_v210_5_2_3
- - azure_cis_v210_5_2_4
- - azure_cis_v210_5_2_5
- - azure_cis_v210_5_2_6
- - azure_cis_v210_5_2_7
- - azure_cis_v210_5_2_8
- - azure_cis_v210_5_2_9
- - azure_cis_v210_5_2_10
-Tags: {}
+control-group:
+ id: azure_cis_v210_5_2
+ title: Monitoring using Activity Log Alerts
+ description: Monitoring using Activity Log Alerts
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_5_2_1
+ - azure_cis_v210_5_2_2
+ - azure_cis_v210_5_2_3
+ - azure_cis_v210_5_2_4
+ - azure_cis_v210_5_2_5
+ - azure_cis_v210_5_2_6
+ - azure_cis_v210_5_2_7
+ - azure_cis_v210_5_2_8
+ - azure_cis_v210_5_2_9
+ - azure_cis_v210_5_2_10
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml
index f97da3c36..3bfa83e69 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_3.yaml
@@ -1,8 +1,13 @@
-ID: azure_cis_v210_5_3
-Title: Configuring Application Insights
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_cis_v210_5_3_1
-Tags: {}
+control-group:
+ id: azure_cis_v210_5_3
+ title: Configuring Application Insights
+ description: Configuring Application Insights
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_5_3_1
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
index f200e93a9..75703cdad 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_5_5.yaml
@@ -1,11 +1,16 @@
-ID: azure_cis_v210_5_5
-Title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
-Description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_network_lb_no_basic_sku
- - azure_network_public_ip_no_basic_sku
- - azure_network_virtual_network_gateway_no_basic_sku
- - azure_redis_cache_no_basic_sku
-Tags: {}
+control-group:
+ id: azure_cis_v210_5_5
+ title: Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
+ description: The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU's do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_network_lb_no_basic_sku
+ - azure_network_public_ip_no_basic_sku
+ - azure_network_virtual_network_gateway_no_basic_sku
+ - azure_redis_cache_no_basic_sku
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml
index 3f20d3554..d08917f6a 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_6.yaml
@@ -1,13 +1,18 @@
-ID: azure_cis_v210_6
-Title: Networking
-Description: ""
-SectionCode: "6"
-Children: []
-Controls:
- - azure_cis_v210_6_1
- - azure_cis_v210_6_2
- - azure_cis_v210_6_3
- - azure_cis_v210_6_4
- - azure_cis_v210_6_6
- - azure_cis_v210_6_7
-Tags: {}
+control-group:
+ id: azure_cis_v210_6
+ title: Networking
+ description: Networking
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_6_1
+ - azure_cis_v210_6_2
+ - azure_cis_v210_6_3
+ - azure_cis_v210_6_4
+ - azure_cis_v210_6_6
+ - azure_cis_v210_6_7
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml
index 20b1d8c5d..15ae7ec24 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_7.yaml
@@ -1,16 +1,21 @@
-ID: azure_cis_v210_7
-Title: Virtual Machines
-Description: ""
-SectionCode: "7"
-Children: []
-Controls:
- - azure_cis_v210_7_1
- - azure_cis_v210_7_2
- - azure_cis_v210_7_3
- - azure_cis_v210_7_4
- - azure_cis_v210_7_5
- - azure_cis_v210_7_6
- - azure_cis_v210_7_7
- - azure_cis_v210_7_8
- - azure_cis_v210_7_9
-Tags: {}
+control-group:
+ id: azure_cis_v210_7
+ title: Virtual Machines
+ description: Virtual Machines
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_7_1
+ - azure_cis_v210_7_2
+ - azure_cis_v210_7_3
+ - azure_cis_v210_7_4
+ - azure_cis_v210_7_5
+ - azure_cis_v210_7_6
+ - azure_cis_v210_7_7
+ - azure_cis_v210_7_8
+ - azure_cis_v210_7_9
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml
index 4d521e1ad..dee6967be 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_8.yaml
@@ -1,14 +1,19 @@
-ID: azure_cis_v210_8
-Title: Key Vault
-Description: ""
-SectionCode: "8"
-Children: []
-Controls:
- - azure_cis_v210_8_1
- - azure_cis_v210_8_2
- - azure_cis_v210_8_3
- - azure_cis_v210_8_4
- - azure_cis_v210_8_5
- - azure_cis_v210_8_6
- - azure_cis_v210_8_8
-Tags: {}
+control-group:
+ id: azure_cis_v210_8
+ title: Key Vault
+ description: Key Vault
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_8_1
+ - azure_cis_v210_8_2
+ - azure_cis_v210_8_3
+ - azure_cis_v210_8_4
+ - azure_cis_v210_8_5
+ - azure_cis_v210_8_6
+ - azure_cis_v210_8_8
diff --git a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml
index e91265c09..875229774 100755
--- a/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml
+++ b/compliance/frameworks/azure/azure_cis_v210/azure_cis_v210_9.yaml
@@ -1,16 +1,21 @@
-ID: azure_cis_v210_9
-Title: AppService
-Description: ""
-SectionCode: "9"
-Children: []
-Controls:
- - azure_cis_v210_9_1
- - azure_cis_v210_9_2
- - azure_cis_v210_9_3
- - azure_cis_v210_9_4
- - azure_cis_v210_9_5
- - azure_cis_v210_9_6
- - azure_cis_v210_9_7
- - azure_cis_v210_9_8
- - azure_cis_v210_9_10
-Tags: {}
+control-group:
+ id: azure_cis_v210_9
+ title: AppService
+ description: AppService
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_cis_v210_9_1
+ - azure_cis_v210_9_2
+ - azure_cis_v210_9_3
+ - azure_cis_v210_9_4
+ - azure_cis_v210_9_5
+ - azure_cis_v210_9_6
+ - azure_cis_v210_9_7
+ - azure_cis_v210_9_8
+ - azure_cis_v210_9_10
diff --git a/compliance/frameworks/azure/azure_cis_v210/root.yaml b/compliance/frameworks/azure/azure_cis_v210/root.yaml
deleted file mode 100755
index ed4283aa0..000000000
--- a/compliance/frameworks/azure/azure_cis_v210/root.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-ID: azure_cis_v210
-Title: CIS v2.1.0
-Description: The CIS Microsoft Azure Foundations Security Benchmark provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Azure.
-SectionCode: azure_cis_v210
-Children:
- - azure_cis_v210_1
- - azure_cis_v210_2
- - azure_cis_v210_3
- - azure_cis_v210_4
- - azure_cis_v210_5
- - azure_cis_v210_6
- - azure_cis_v210_7
- - azure_cis_v210_8
- - azure_cis_v210_9
- - azure_cis_v210_10
-Controls: []
-Defaults:
- AutoAssign: true
- Enabled: true
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml
new file mode 100644
index 000000000..a0501128c
--- /dev/null
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high.yaml
@@ -0,0 +1,21 @@
+framework:
+ id: azure_fedramp_high
+ title: FedRAMP High
+ description: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program. In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB).
+ section-code: azure_fedramp_high
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_ac
+ - id: azure_fedramp_high_au
+ - id: azure_fedramp_high_cm
+ - id: azure_fedramp_high_cp
+ - id: azure_fedramp_high_ia
+ - id: azure_fedramp_high_ir
+ - id: azure_fedramp_high_ra
+ - id: azure_fedramp_high_sc
+ - id: azure_fedramp_high_si
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml
index a7cacb3dc..6036228ed 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac.yaml
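Review bot: The last sentence of `description` ("In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate …") is about a Salesforce product and has no bearing on an Azure framework; it reads as pasted marketing text and should be dropped so the description ends at "…established by the FedRAMP program." Separately, this new framework file sets `auto-assign: false` and `enabled: false`, while the `root.yaml` deleted just above for the sibling `azure_cis_v210` framework carried `AutoAssign: true` and `Enabled: true`; if the removed root for this framework did the same, the migration silently disables it, so the defaults are worth confirming. The group files that follow use `auto-assign: null` rather than `false`; if `null` means "inherit from the framework", a comment such as `# null: inherit auto-assign from the parent framework` at the first occurrence would spare the next maintainer the guess.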
@@ -1,13 +1,18 @@
-ID: azure_fedramp_high_ac
-Title: Access Control (AC)
-Description: Access control policies and procedures are established and implemented to ensure that access to systems and data is restricted to authorized users, processes, or devices, and to prevent unauthorized access.
-SectionCode: ac
-Children:
- - azure_fedramp_high_ac_2
- - azure_fedramp_high_ac_3
- - azure_fedramp_high_ac_4
- - azure_fedramp_high_ac_5
- - azure_fedramp_high_ac_6
- - azure_fedramp_high_ac_17
-Controls: []
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac
+ title: Access Control (AC)
+ description: Access control policies and procedures are established and implemented to ensure that access to systems and data is restricted to authorized users, processes, or devices, and to prevent unauthorized access.
+ section-code: ac
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_ac_2
+ - id: azure_fedramp_high_ac_3
+ - id: azure_fedramp_high_ac_4
+ - id: azure_fedramp_high_ac_5
+ - id: azure_fedramp_high_ac_6
+ - id: azure_fedramp_high_ac_17
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml
index 413c4d118..939f4b637 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17.yaml
@@ -1,39 +1,45 @@
-ID: azure_fedramp_high_ac_17
-Title: Remote Access (AC-17)
-Description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
-SectionCode: "17"
-Children:
- - azure_fedramp_high_ac_17_1
-Controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_17
+ title: Remote Access (AC-17)
+ description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_ac_17_1
+ controls:
+ - azure_app_configuration_private_link_used
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_vault_private_link_used
+ - azure_mysql_server_private_link_used
+ - azure_postgres_server_private_link_used
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_spring_cloud_service_network_injection_enabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
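Review bot: `controls` under `azure_fedramp_high_ac_17` lists exactly the same 31 checks as its only child group `azure_fedramp_high_ac_17_1` in the next hunk, so each finding hangs off the tree twice. If the consumer rolls child results up into the parent, every result is double-counted; if it does not, there are still two hand-maintained copies of the list to keep in sync. Unless the parent list is required to be the union of its children, keep the checks only in `ac_17_1`, or record the intent with a comment above `controls:` such as `# intentionally mirrors ac_17_1: <reason>`. The same parent/child duplication appears further down in `azure_fedramp_high_ac_6` and `azure_fedramp_high_ac_6_7`.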
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml
index 451cbca4e..5415961d9 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_17_1.yaml
@@ -1,38 +1,43 @@
-ID: azure_fedramp_high_ac_17_1
-Title: AC-17(1) Automated Monitoring / Control
-Description: Employ automated mechanisms to monitor and control remote access methods.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_redis_cache_uses_private_link
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_17_1
+ title: AC-17(1) Automated Monitoring / Control
+ description: Employ automated mechanisms to monitor and control remote access methods.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_app_configuration_private_link_used
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_vault_private_link_used
+ - azure_mysql_server_private_link_used
+ - azure_postgres_server_private_link_used
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_spring_cloud_service_network_injection_enabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
index 93196720f..696046bea 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2.yaml
@@ -1,21 +1,27 @@
-ID: azure_fedramp_high_ac_2
-Title: Account Management (AC-2)
-Description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
-SectionCode: "2"
-Children:
- - azure_fedramp_high_ac_2_1
- - azure_fedramp_high_ac_2_12
- - azure_fedramp_high_ac_2_7
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_2
+ title: Account Management (AC-2)
+ description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_ac_2_1
+ - id: azure_fedramp_high_ac_2_12
+ - id: azure_fedramp_high_ac_2_7
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
index f721439e7..854ee9704 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_1.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_ac_2_1
-Title: AC-2(1) Automated System Account Management
-Description: 'Support the management of system accounts using [Assignment: organization-defined automated mechanisms].'
-SectionCode: "1"
-Children: []
-Controls:
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_2_1
+ title: AC-2(1) Automated System Account Management
+ description: "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
index 320155bf6..e9fa9982d 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_12.yaml
@@ -1,16 +1,21 @@
-ID: azure_fedramp_high_ac_2_12
-Title: AC-2(12) Account Monitoring
-Description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
-SectionCode: "12"
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_2_12
+ title: AC-2(12) Account Monitoring
+ description: Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_jit_access_protected
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
index 1b95c3781..65b8e7956 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_2_7.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_ac_2_7
-Title: AC-2(7) Role-Based Schemes
-Description: 'The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.'
-SectionCode: "7"
-Children: []
-Controls:
- - azure_iam_no_custom_role
- - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_2_7
+ title: AC-2(7) Role-Based Schemes
+ description: "The organization: Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; Monitors privileged role assignments; and Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_no_custom_role
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
index 610b11703..9f196a4e3 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_3.yaml
@@ -1,18 +1,23 @@
-ID: azure_fedramp_high_ac_3
-Title: Access Enforcement (AC-3)
-Description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_uses_azure_resource_manager
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_storage_account_uses_azure_resource_manager
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_3
+ title: Access Enforcement (AC-3)
+ description: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_compute_vm_account_with_password_linux
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_ssh_key_authentication_linux
+ - azure_compute_vm_uses_azure_resource_manager
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
+ - azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
index 76b0d0f65..7f8b6bc70 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_4.yaml
@@ -1,49 +1,54 @@
-ID: azure_fedramp_high_ac_4
-Title: Information Flow Enforcement (AC-4)
-Description: 'Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].'
-SectionCode: "4"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_appservice_web_app_cors_no_star
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_4
+ title: Information Flow Enforcement (AC-4)
+ description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_appservice_web_app_cors_no_star
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
index 10b8609e7..99e465eb6 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_5.yaml
@@ -1,8 +1,13 @@
-ID: azure_fedramp_high_ac_5
-Title: Separation Of Duties (AC-5)
-Description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_iam_subscription_owner_more_than_1
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_5
+ title: Separation Of Duties (AC-5)
+ description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_subscription_owner_more_than_1
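Review bot: The `description` of `azure_fedramp_high_ac_5` starts its second sentence in lower case (`malevolent activity. automate separation`), carried over verbatim from the old file. Since this migration rewrites every line of the file anyway, it is the cheap moment to correct it: `description: Separate duties of individuals to prevent malevolent activity. Automate separation of duties and access authorizations.`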
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
index 6a1a5b3e3..cdc0eb9fe 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6.yaml
@@ -1,10 +1,16 @@
-ID: azure_fedramp_high_ac_6
-Title: Least Privilege (AC-6)
-Description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
-SectionCode: "6"
-Children:
- - azure_fedramp_high_ac_6_7
-Controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_6
+ title: Least Privilege (AC-6)
+ description: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_ac_6_7
+ controls:
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
index 9be51ff39..5769040d7 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ac_6_7.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_ac_6_7
-Title: AC-6(7) Review Of User Privileges
-Description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
-Tags: {}
+control-group:
+ id: azure_fedramp_high_ac_6_7
+ title: AC-6(7) Review Of User Privileges
+ description: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
index c2c99b8db..cb06bff25 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au.yaml
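Review bot: The `description` of `azure_fedramp_high_ac_6_7` ("Centralize access control for all enterprise assets through a directory service or SSO provider, where supported") does not describe NIST SP 800-53 AC-6(7), which is the periodic review of the privileges assigned to users or roles and the removal or reassignment of privileges no longer needed; the text looks like a CIS Controls safeguard pasted in under the wrong heading. The two checks mapped here (`azure_iam_no_custom_role`, `azure_iam_subscription_owner_max_3`) fit the review-of-privileges reading, so only the description needs changing, e.g. `description: Review the privileges assigned to users and roles periodically to validate the need for such privileges, and reassign or remove privileges to correctly reflect organizational needs.` (paraphrase; align with the baseline text the project normally quotes).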
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_au
-Title: Audit And Accountability (AU)
-Description: The FedRAMP High baseline requires that audit logs are generated and reviewed for security-relevant events. This benchmark verifies that audit logs are generated and reviewed for security-relevant events.
-SectionCode: au
-Children:
- - azure_fedramp_high_au_6
- - azure_fedramp_high_au_12
-Controls: []
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au
+ title: Audit And Accountability (AU)
+ description: The FedRAMP High baseline requires that audit logs are generated and reviewed for security-relevant events. This benchmark verifies that audit logs are generated and reviewed for security-relevant events.
+ section-code: au
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_au_6
+ - id: azure_fedramp_high_au_12
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
index 429a66470..d6d68410f 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12.yaml
@@ -1,38 +1,44 @@
-ID: azure_fedramp_high_au_12
-Title: Audit Generation (AU-12)
-Description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
-SectionCode: "12"
-Children:
- - azure_fedramp_high_au_12_1
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au_12
+ title: Audit Generation (AU-12)
+ description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_au_12_1
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
index 0d9a72152..9e2d5cc84 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_12_1.yaml
@@ -1,37 +1,42 @@
-ID: azure_fedramp_high_au_12_1
-Title: AU-12(1) System-Wide / Time-Correlated Audit Trail
-Description: 'Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].'
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au_12_1
+ title: AU-12(1) System-Wide / Time-Correlated Audit Trail
+ description: "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
index 91996b921..68b0ad21b 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6.yaml
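Review bot: AU-12(1), whose `description` is about a system-wide audit trail that is time-correlated within a defined tolerance, is mapped to exactly the same thirty checks as its parent AU-12 in the preceding hunk, every one of which only asserts that per-service diagnostic logging or a monitoring agent is enabled. None of those checks speaks to clock correlation of records across components, so the enhancement currently collapses into a copy of the base control and a reader could take a green result as evidence of time synchronisation. If the duplication is deliberate, a comment on the `controls:` line such as `# same evidence as AU-12: logging enabled per service; time correlation itself is not assessed by any check` would make that limit explicit; otherwise the list should be pruned to the checks that actually bear on the enhancement.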
@@ -1,20 +1,26 @@
-ID: azure_fedramp_high_au_6
-Title: Audit Record Review, Analysis And Reporting (AU-6)
-Description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
-SectionCode: "6"
-Children:
- - azure_fedramp_high_au_6_4
- - azure_fedramp_high_au_6_5
-Controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au_6
+ title: Audit Record Review, Analysis And Reporting (AU-6)
+ description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_au_6_4
+ - id: azure_fedramp_high_au_6_5
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_network_watcher_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
index 5cb5f7beb..ca5564c1c 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_4.yaml
@@ -1,37 +1,42 @@
-ID: azure_fedramp_high_au_6_4
-Title: AU-6(4) Central Review And Analysis
-Description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au_6_4
+ title: AU-6(4) Central Review And Analysis
+ description: Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
index 79abf7210..b47630599 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_au_6_5.yaml
@@ -1,37 +1,42 @@
-ID: azure_fedramp_high_au_6_5
-Title: AU-6(5) Integration / Scanning And Monitoring Capabilities
-Description: 'Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.'
-SectionCode: "5"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_au_6_5
+ title: AU-6(5) Integration / Scanning And Monitoring Capabilities
+ description: "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
index 114d88f1c..8ee6f1445 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_cm
-Title: Configuration Management (CM)
-Description: 'The organization: (i) defines and documents configuration settings for information technology products employed within the information system; (ii) implements the configuration settings; (iii) identifies, documents, and approves any deviations from established configuration settings; and (iv) monitors and controls changes to the configuration settings.'
-SectionCode: cm
-Children:
- - azure_fedramp_high_cm_6
- - azure_fedramp_high_cm_7
-Controls: []
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cm
+ title: Configuration Management (CM)
+ description: "The organization: (i) defines and documents configuration settings for information technology products employed within the information system; (ii) implements the configuration settings; (iii) identifies, documents, and approves any deviations from established configuration settings; and (iv) monitors and controls changes to the configuration settings."
+ section-code: cm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_cm_6
+ - id: azure_fedramp_high_cm_7
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml
index 809a086d0..fd8745cf1 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_6.yaml
@@ -1,16 +1,21 @@
-ID: azure_fedramp_high_cm_6
-Title: Configuration Settings (CM-6)
-Description: 'The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.'
-SectionCode: "6"
-Children: []
-Controls:
- - azure_appservice_api_app_client_certificates_on
- - azure_appservice_api_app_cors_no_star
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cm_6
+ title: Configuration Settings (CM-6)
+ description: "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_api_app_client_certificates_on
+ - azure_appservice_api_app_cors_no_star
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_client_certificates_on
+ - azure_appservice_function_app_cors_no_star
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_compute_vm_meet_security_baseline_requirements_linux
+ - azure_compute_vm_meet_security_baseline_requirements_windows
+ - azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
index ddc0e3c74..f9adfe6a4 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cm_7.yaml
@@ -1,8 +1,13 @@
-ID: azure_fedramp_high_cm_7
-Title: Least Functionality (CM-7)
-Description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cm_7
+ title: Least Functionality (CM-7)
+ description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_securitycenter_azure_defender_on_for_server
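Review bot: CM-7 (Least Functionality) is evidenced by a single check, `azure_securitycenter_azure_defender_on_for_server`, which turns on a threat-protection plan and, as far as I can tell, does not by itself prohibit or restrict functions, ports, protocols or services as the `description` on the same hunk requires. Next to CM-6 in the preceding hunk, which maps nine concrete configuration checks, this one-line mapping is thin and a passing result could be read as coverage of the control. A comment on the `controls:` line, `# Defender for Servers supplies monitoring evidence only; no check here enforces least functionality`, or additional hardening checks if the catalog has them, would make the gap visible.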
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
index 3a1a225da..7708ec484 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp.yaml
@@ -1,10 +1,15 @@
-ID: azure_fedramp_high_cp
-Title: Contingency Planning (CP)
-Description: Thecp control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
-SectionCode: cp
-Children:
- - azure_fedramp_high_cp_6
- - azure_fedramp_high_cp_7
- - azure_fedramp_high_cp_9
-Controls: []
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cp
+ title: Contingency Planning (CP)
+ description: Thecp control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+ section-code: cp
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_cp_6
+ - id: azure_fedramp_high_cp_7
+ - id: azure_fedramp_high_cp_9
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
index d40f190a0..98f657cf2 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6.yaml
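Review bot: The CP family description carried into the new file has a typo, `Thecp control family`, which should read `The CP control family` to match the `(CP)` abbreviation in the title; the corrected line is `+ description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.` Since the commit rewrites the whole file anyway, folding the fix in here avoids a follow-up touch on the same line.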
@@ -1,13 +1,19 @@
-ID: azure_fedramp_high_cp_6
-Title: Alternate Storage Sites (CP-6)
-Description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
-SectionCode: "6"
-Children:
- - azure_fedramp_high_cp_6_1
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cp_6
+ title: Alternate Storage Sites (CP-6)
+ description: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_cp_6_1
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
+ - azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
index 86e5ad9d4..1915ab5cc 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_6_1.yaml
@@ -1,12 +1,17 @@
-ID: azure_fedramp_high_cp_6_1
-Title: CP-6(1) Separation From Primary Site
-Description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cp_6_1
+ title: CP-6(1) Separation From Primary Site
+ description: Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
+ - azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
index a0b922121..253e13dc6 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_7.yaml
@@ -1,8 +1,13 @@
-ID: azure_fedramp_high_cp_7
-Title: Alternate Processing Site (CP-7)
-Description: ""
-SectionCode: "7"
-Children: []
-Controls:
- - azure_compute_vm_disaster_recovery_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_cp_7
+ title: Alternate Processing Site (CP-7)
+ description: Alternate Processing Site (CP-7)
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
index a91d511c3..6a54d2b94 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_cp_9.yaml
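Review bot: The new `description` for CP-7 is the title repeated, `+ description: Alternate Processing Site (CP-7)`, so the old empty string has been replaced with text that tells the reader nothing the `title` line does not. The neighbouring CP-6 and CP-9 hunks carry the actual control statement in `description`; CP-7 should follow the same pattern and state the requirement to establish an alternate processing site with controls equivalent to the primary, at which operations can be transferred and resumed within the defined recovery time when the primary is unavailable. Even a one-sentence paraphrase is better than a duplicated title, which a filter on "controls with an empty or placeholder description" would not catch.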
@@ -1,12 +1,17 @@ -ID: azure_fedramp_high_cp_9 -Title: System Backup (CP-9) -Description: 'a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information.' -SectionCode: "9" -Children: [] -Controls: - - azure_keyvault_purge_protection_enabled - - azure_keyvault_soft_delete_enabled - - azure_mariadb_server_geo_redundant_backup_enabled - - azure_mysql_db_server_geo_redundant_backup_enabled - - azure_postgres_db_server_geo_redundant_backup_enabled -Tags: {} +control-group: + id: azure_fedramp_high_cp_9 + title: System Backup (CP-9) + description: "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information." 
+ section-code: "9" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_keyvault_purge_protection_enabled + - azure_keyvault_soft_delete_enabled + - azure_mariadb_server_geo_redundant_backup_enabled + - azure_mysql_db_server_geo_redundant_backup_enabled + - azure_postgres_db_server_geo_redundant_backup_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml index 583e8abe9..0f53c1d3a 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia.yaml @@ -1,10 +1,15 @@ -ID: azure_fedramp_high_ia -Title: Identification and Authentication (IA) -Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. -SectionCode: ia -Children: - - azure_fedramp_high_ia_2 - - azure_fedramp_high_ia_4 - - azure_fedramp_high_ia_5 -Controls: [] -Tags: {} +control-group: + id: azure_fedramp_high_ia + title: Identification and Authentication (IA) + description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems. + section-code: ia + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_ia_2 + - id: azure_fedramp_high_ia_4 + - id: azure_fedramp_high_ia_5 diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml index 2cda79f8e..d1019ce79 100755 
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_2.yaml @@ -1,11 +1,16 @@ -ID: azure_fedramp_high_ia_2 -Title: Identification and Authentication (Organizational users) (IA-2) -Description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). -SectionCode: "2" -Children: [] -Controls: - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_web_app_uses_managed_identity - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_sql_server_azure_ad_authentication_enabled -Tags: {} +control-group: + id: azure_fedramp_high_ia_2 + title: Identification and Authentication (Organizational users) (IA-2) + description: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_appservice_function_app_uses_managed_identity + - azure_appservice_web_app_uses_managed_identity + - azure_servicefabric_cluster_active_directory_authentication_enabled + - azure_sql_server_azure_ad_authentication_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml index 664cc93e5..4124cff84 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_4.yaml 
@@ -1,11 +1,16 @@ -ID: azure_fedramp_high_ia_4 -Title: Identifier Management (IA-4) -Description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse. -SectionCode: "4" -Children: [] -Controls: - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_web_app_uses_managed_identity - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_sql_server_azure_ad_authentication_enabled -Tags: {} +control-group: + id: azure_fedramp_high_ia_4 + title: Identifier Management (IA-4) + description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_appservice_function_app_uses_managed_identity + - azure_appservice_web_app_uses_managed_identity + - azure_servicefabric_cluster_active_directory_authentication_enabled + - azure_sql_server_azure_ad_authentication_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml index 50572267a..91d98cbc8 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5.yaml 
@@ -1,16 +1,22 @@ -ID: azure_fedramp_high_ia_5 -Title: Authenticator Management (IA-5) -Description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. -SectionCode: "5" -Children: - - azure_fedramp_high_ia_5_1 -Controls: - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_passwords_stored_using_reversible_encryption_windows - - azure_compute_vm_ssh_key_authentication_linux - - azure_keyvault_key_expiration_set - - azure_keyvault_secret_expiration_set -Tags: {} +control-group: + id: azure_fedramp_high_ia_5 + title: Authenticator Management (IA-5) + description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_ia_5_1 + controls: + - azure_compute_vm_guest_configuration_installed_linux + - azure_compute_vm_guest_configuration_installed_windows + - azure_compute_vm_guest_configuration_with_no_managed_identity + - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity + - azure_compute_vm_passwords_stored_using_reversible_encryption_windows + - azure_compute_vm_ssh_key_authentication_linux + - azure_keyvault_key_expiration_set + - azure_keyvault_secret_expiration_set diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml index bac03b427..3af741f22 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml 
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ia_5_1.yaml 
@@ -1,13 +1,18 @@ -ID: azure_fedramp_high_ia_5_1 -Title: IA-5(1) Password-Based Authentication -Description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. -SectionCode: "1" -Children: [] -Controls: - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_installed_windows - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_password_complexity_setting_enabled_windows - - azure_compute_vm_passwords_stored_using_reversible_encryption_windows -Tags: {} +control-group: + id: azure_fedramp_high_ia_5_1 + title: IA-5(1) Password-Based Authentication + description: The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_compute_vm_guest_configuration_installed_linux + - azure_compute_vm_guest_configuration_installed_windows + - azure_compute_vm_guest_configuration_with_no_managed_identity + - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity + - azure_compute_vm_password_complexity_setting_enabled_windows + - azure_compute_vm_passwords_stored_using_reversible_encryption_windows 
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml index df3f9c769..0e70df3bb 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir.yaml @@ -1,9 +1,14 @@ -ID: azure_fedramp_high_ir -Title: Incident Response (IR) -Description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. -SectionCode: ir -Children: - - azure_fedramp_high_ir_4 - - azure_fedramp_high_ir_5 -Controls: [] -Tags: {} +control-group: + id: azure_fedramp_high_ir + title: Incident Response (IR) + description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan. + section-code: ir + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_ir_4 + - id: azure_fedramp_high_ir_5 diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml index 7cd5a93a3..309c0162a 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_4.yaml 
@@ -1,18 +1,23 @@ -ID: azure_fedramp_high_ir_4 -Title: Incident Handling (IR-4) -Description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. -SectionCode: "4" -Children: [] -Controls: - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_sql_server_azure_defender_enabled -Tags: {} +control-group: + id: azure_fedramp_high_ir_4 + title: Incident Handling (IR-4) + description: a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. 
Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_storage + - azure_securitycenter_email_configured + - azure_securitycenter_notify_alerts_configured + - azure_securitycenter_security_alerts_to_owner_enabled + - azure_sql_server_azure_defender_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml index 052bfbe54..3d9cedc5b 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ir_5.yaml 
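Review bot: The rewritten `description` carries over the run-together `recovery;b. Coordinate` from the old text, which breaks the lettered list that `c.` and `d.` otherwise follow; since the line is being rewritten anyway, `... containment, eradication, and recovery; b. Coordinate ...` is the one-token fix. The value stays a plain scalar, and it contains neither `: ` nor ` #`, so no quoting is needed for it to parse as a single string.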
@@ -1,18 +1,23 @@ -ID: azure_fedramp_high_ir_5 -Title: Incident Monitoring (IR-5) -Description: 'Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms].' -SectionCode: "5" -Children: [] -Controls: - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_sql_server_azure_defender_enabled -Tags: {} +control-group: + id: azure_fedramp_high_ir_5 + title: Incident Monitoring (IR-5) + description: "Track incidents and collect and analyze incident information using [Assignment: organization-defined automated mechanisms]." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_storage + - azure_securitycenter_email_configured + - azure_securitycenter_notify_alerts_configured + - azure_securitycenter_security_alerts_to_owner_enabled + - azure_sql_server_azure_defender_enabled 
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml index 673f548f4..709ad20c4 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra.yaml @@ -1,8 +1,13 @@ -ID: azure_fedramp_high_ra -Title: Risk Assessment (RA) -Description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. -SectionCode: ra -Children: - - azure_fedramp_high_ra_5 -Controls: [] -Tags: {} +control-group: + id: azure_fedramp_high_ra + title: Risk Assessment (RA) + description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. + section-code: ra + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_ra_5 diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml index f10b11a36..9c49baa33 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_ra_5.yaml 
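Review bot: The second sentence of the new `description` ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.") is a product endorsement rather than a description of the RA control family, and it is carried verbatim into the new format. Trimming the line to `description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities.` keeps the catalog text neutral and matches the register of the other family descriptions (ia, ir, sc) in this diff.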
@@ -1,20 +1,25 @@ -ID: azure_fedramp_high_ra_5 -Title: Vulnerability Scanning (RA-5) -Description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. -SectionCode: "5" -Children: [] -Controls: - - azure_compute_vm_vulnerability_assessment_solution_enabled - - azure_mssql_managed_instance_vulnerability_assessment_enabled - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_storage - - azure_sql_database_vulnerability_findings_resolved - - azure_sql_server_and_databases_va_enabled - - azure_sql_server_azure_defender_enabled - - azure_synapse_workspace_vulnerability_assessment_enabled -Tags: {} +control-group: + id: azure_fedramp_high_ra_5 + title: Vulnerability Scanning (RA-5) + description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. 
+ section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_compute_vm_vulnerability_assessment_solution_enabled + - azure_mssql_managed_instance_vulnerability_assessment_enabled + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_storage + - azure_sql_database_vulnerability_findings_resolved + - azure_sql_server_and_databases_va_enabled + - azure_sql_server_azure_defender_enabled + - azure_synapse_workspace_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml index 9b1bd3c47..e42fbde95 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc.yaml 
@@ -1,13 +1,18 @@ -ID: azure_fedramp_high_sc -Title: System and Communications Protection (SC) -Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. -SectionCode: sc -Children: - - azure_fedramp_high_sc_3 - - azure_fedramp_high_sc_5 - - azure_fedramp_high_sc_7 - - azure_fedramp_high_sc_8 - - azure_fedramp_high_sc_12 - - azure_fedramp_high_sc_28 -Controls: [] -Tags: {} +control-group: + id: azure_fedramp_high_sc + title: System and Communications Protection (SC) + description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. + section-code: sc + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_sc_3 + - id: azure_fedramp_high_sc_5 + - id: azure_fedramp_high_sc_7 + - id: azure_fedramp_high_sc_8 + - id: azure_fedramp_high_sc_12 + - id: azure_fedramp_high_sc_28 diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml index edc1b4282..6b26c3102 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_12.yaml 
@@ -1,29 +1,34 @@ -ID: azure_fedramp_high_sc_12 -Title: Cryptographic Key Establishment And Management (SC-12) -Description: 'The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].' -SectionCode: "12" -Children: [] -Controls: - - azure_batch_account_encrypted_with_cmk - - azure_cognitive_account_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed - - azure_container_registry_encrypted_with_cmk - - azure_cosmosdb_account_encryption_at_rest_using_cmk - - azure_eventhub_namespace_cmk_encryption_enabled - - azure_hdinsight_cluster_encrypted_at_rest_with_cmk - - azure_hdinsight_cluster_encryption_at_host_enabled - - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk - - azure_hpc_cache_encrypted_with_cmk - - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk - - azure_kusto_cluster_encrypted_at_rest_with_cmk - - azure_machine_learning_workspace_encrypted_with_cmk - - azure_mssql_managed_instance_encryption_at_rest_using_cmk - - azure_mysql_server_encrypted_at_rest_using_cmk - - azure_postgres_sql_server_encrypted_at_rest_using_cmk - - azure_servicebus_premium_namespace_cmk_encrypted - - azure_sql_server_tde_protector_cmk_encrypted - - azure_storage_account_encryption_at_rest_using_cmk - - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk - - azure_synapse_workspace_encryption_at_rest_using_cmk -Tags: {} +control-group: + id: azure_fedramp_high_sc_12 + title: Cryptographic Key Establishment And Management (SC-12) + description: "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, 
distribution, storage, access, and destruction]." + section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_batch_account_encrypted_with_cmk + - azure_cognitive_account_encrypted_with_cmk + - azure_compute_os_and_data_disk_encrypted_with_cmk + - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed + - azure_container_registry_encrypted_with_cmk + - azure_cosmosdb_account_encryption_at_rest_using_cmk + - azure_eventhub_namespace_cmk_encryption_enabled + - azure_hdinsight_cluster_encrypted_at_rest_with_cmk + - azure_hdinsight_cluster_encryption_at_host_enabled + - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk + - azure_hpc_cache_encrypted_with_cmk + - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk + - azure_kusto_cluster_encrypted_at_rest_with_cmk + - azure_machine_learning_workspace_encrypted_with_cmk + - azure_mssql_managed_instance_encryption_at_rest_using_cmk + - azure_mysql_server_encrypted_at_rest_using_cmk + - azure_postgres_sql_server_encrypted_at_rest_using_cmk + - azure_servicebus_premium_namespace_cmk_encrypted + - azure_sql_server_tde_protector_cmk_encrypted + - azure_storage_account_encryption_at_rest_using_cmk + - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk + - azure_synapse_workspace_encryption_at_rest_using_cmk diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml index af97846b4..8678ba16e 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28.yaml 
@@ -1,20 +1,26 @@ -ID: azure_fedramp_high_sc_28 -Title: Protection Of Information At Rest (SC-28) -Description: 'The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].' -SectionCode: "28" -Children: - - azure_fedramp_high_sc_28_1 -Controls: - - azure_app_service_environment_internal_encryption_enabled - - azure_automation_account_variable_encryption_enabled - - azure_compute_vm_and_sacle_set_encryption_at_host_enabled - - azure_databox_edge_device_double_encryption_enabled - - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host - - azure_kusto_cluster_disk_encryption_enabled - - azure_kusto_cluster_double_encryption_enabled - - azure_mysql_server_infrastructure_encryption_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign - - azure_sql_server_transparent_data_encryption_enabled - - azure_storage_account_infrastructure_encryption_enabled -Tags: {} +control-group: + id: azure_fedramp_high_sc_28 + title: Protection Of Information At Rest (SC-28) + description: "The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]." 
+ section-code: "28" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + control-group: + - id: azure_fedramp_high_sc_28_1 + controls: + - azure_app_service_environment_internal_encryption_enabled + - azure_automation_account_variable_encryption_enabled + - azure_compute_vm_and_sacle_set_encryption_at_host_enabled + - azure_databox_edge_device_double_encryption_enabled + - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host + - azure_kusto_cluster_disk_encryption_enabled + - azure_kusto_cluster_double_encryption_enabled + - azure_mysql_server_infrastructure_encryption_enabled + - azure_postgresql_server_infrastructure_encryption_enabled + - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign + - azure_sql_server_transparent_data_encryption_enabled + - azure_storage_account_infrastructure_encryption_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml index 59c1cabd4..b5bec0a4f 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_28_1.yaml 
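Review bot: The control reference `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` looks like a typo ("sacle" for "scale") and is copied unchanged into the new `controls` list here and in the sc_28_1 hunk. If the control definition itself carries the same spelling the reference resolves and must be left as is, but if the id was corrected on the control side this group would lose its host-encryption check, silently or loudly depending on how the loader treats unresolved ids, which is not visible from this diff. Worth confirming the id against the control definition before merging, and adding `# id spelled to match the control definition` above the entry if the spelling is deliberate.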
@@ -1,19 +1,24 @@ -ID: azure_fedramp_high_sc_28_1 -Title: SC-28(1) Cryptographic Protection -Description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].' -SectionCode: "1" -Children: [] -Controls: - - azure_app_service_environment_internal_encryption_enabled - - azure_automation_account_variable_encryption_enabled - - azure_compute_vm_and_sacle_set_encryption_at_host_enabled - - azure_databox_edge_device_double_encryption_enabled - - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host - - azure_kusto_cluster_disk_encryption_enabled - - azure_kusto_cluster_double_encryption_enabled - - azure_mysql_server_infrastructure_encryption_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign - - azure_sql_server_transparent_data_encryption_enabled - - azure_storage_account_infrastructure_encryption_enabled -Tags: {} +control-group: + id: azure_fedramp_high_sc_28_1 + title: SC-28(1) Cryptographic Protection + description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]." 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_app_service_environment_internal_encryption_enabled + - azure_automation_account_variable_encryption_enabled + - azure_compute_vm_and_sacle_set_encryption_at_host_enabled + - azure_databox_edge_device_double_encryption_enabled + - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host + - azure_kusto_cluster_disk_encryption_enabled + - azure_kusto_cluster_double_encryption_enabled + - azure_mysql_server_infrastructure_encryption_enabled + - azure_postgresql_server_infrastructure_encryption_enabled + - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign + - azure_sql_server_transparent_data_encryption_enabled + - azure_storage_account_infrastructure_encryption_enabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml index bfa164674..35fbc0c23 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_3.yaml @@ -1,9 +1,14 @@ -ID: azure_fedramp_high_sc_3 -Title: Security Function Isolation (SC-3) -Description: Isolate security functions from nonsecurity functions. -SectionCode: "3" -Children: [] -Controls: - - azure_compute_vm_windows_defender_exploit_guard_enabled - - azure_securitycenter_azure_defender_on_for_server -Tags: {} +control-group: + id: azure_fedramp_high_sc_3 + title: Security Function Isolation (SC-3) + description: Isolate security functions from nonsecurity functions. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_compute_vm_windows_defender_exploit_guard_enabled + - azure_securitycenter_azure_defender_on_for_server 
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml index 6136eebd1..e61ba9cb3 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_5.yaml @@ -1,10 +1,15 @@ -ID: azure_fedramp_high_sc_5 -Title: Denial Of Service Protection (SC-5) -Description: 'The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].' -SectionCode: "5" -Children: [] -Controls: - - azure_application_gateway_waf_enabled - - azure_frontdoor_waf_enabled - - azure_network_interface_ip_forwarding_disabled -Tags: {} +control-group: + id: azure_fedramp_high_sc_5 + title: Denial Of Service Protection (SC-5) + description: "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]." + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_application_gateway_waf_enabled + - azure_frontdoor_waf_enabled + - azure_network_interface_ip_forwarding_disabled diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml index cfc0582f8..47d2eec32 100755 --- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml +++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7.yaml 
@@ -1,51 +1,57 @@
-ID: azure_fedramp_high_sc_7
-Title: Boundary Protection (SC-7)
-Description: 'The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.'
-SectionCode: "7"
-Children:
- - azure_fedramp_high_sc_7_3
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_fedramp_high_sc_7
+ title: Boundary Protection (SC-7)
+ description: "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_sc_7_3
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
index 06580c6d8..f87f0a507 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_7_3.yaml
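Review bot: The `controls` list under sc_7 repeats, item for item, the 43 controls that its child group `azure_fedramp_high_sc_7_3` carries in the next hunk, so a consumer that rolls a group's own controls up together with its children would report every SC-7 finding twice; sc_8/sc_8_1 and si_3/si_3_1 have the same shape. The old file had the same duplication, so this is carried over rather than introduced here, but the restructure is the natural point to decide whether a parent is an aggregate only (drop its `controls`) or owns its list (drop the child's). Two adjacent entries also spell the service differently, `azure_postgres_server_private_link_used` and `azure_postgresql_server_public_network_access_disabled`; worth confirming both resolve to defined control ids rather than one being a stale alias.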
@@ -1,50 +1,55 @@
-ID: azure_fedramp_high_sc_7_3
-Title: SC-7(3) Access Points
-Description: The organization limits the number of external network connections to the information system.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_fedramp_high_sc_7_3
+ title: SC-7(3) Access Points
+ description: The organization limits the number of external network connections to the information system.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
index 9d1ce2b2b..f835f77aa 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8.yaml
@@ -1,18 +1,24 @@
-ID: azure_fedramp_high_sc_8
-Title: Transmission Confidentiality And Integrity (SC-8)
-Description: 'The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.'
-SectionCode: "8"
-Children:
- - azure_fedramp_high_sc_8_1
-Controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_sc_8
+ title: Transmission Confidentiality And Integrity (SC-8)
+ description: "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_sc_8_1
+ controls:
+ - azure_appservice_api_app_ftps_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_ssl_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml
index 837f573bf..1daff1f6b 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_sc_8_1.yaml 
@@ -1,17 +1,22 @@
-ID: azure_fedramp_high_sc_8_1
-Title: SC-8(1) Cryptographic Or Alternate Physical Protection
-Description: 'The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].'
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_sc_8_1
+ title: SC-8(1) Cryptographic Or Alternate Physical Protection
+ description: "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_api_app_ftps_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_ssl_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
index 7c26e887a..62ed7d324 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si.yaml
@@ -1,11 +1,16 @@
-ID: azure_fedramp_high_si
-Title: System and Information Integrity (SI)
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: si
-Children:
- - azure_fedramp_high_si_2
- - azure_fedramp_high_si_3
- - azure_fedramp_high_si_4
- - azure_fedramp_high_si_16
-Controls: []
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si
+ title: System and Information Integrity (SI)
+ description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+ section-code: si
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_si_2
+ - id: azure_fedramp_high_si_3
+ - id: azure_fedramp_high_si_4
+ - id: azure_fedramp_high_si_16
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
index 163d2b917..9cae6ce83 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_16.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_si_16
-Title: Memory Protection (SI-16)
-Description: 'Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].'
-SectionCode: "16"
-Children: []
-Controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si_16
+ title: Memory Protection (SI-16)
+ description: "Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]."
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
index 70f599a15..b4e7fa785 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_2.yaml
@@ -1,20 +1,25 @@
-ID: azure_fedramp_high_si_2
-Title: Flaw Remediation (SI-2)
-Description: 'The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process.'
-SectionCode: "2"
-Children: []
-Controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si_2
+ title: Flaw Remediation (SI-2)
+ description: "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_function_app_latest_http_version
+ - azure_appservice_web_app_latest_http_version
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
index 8aeaafbad..7f2ea6355 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3.yaml
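Review bot: The `description` line carries over a text defect from the old file: the lettered clauses run into the next word (`a.Identifies`, `b.Tests`, `c.Installs`, `d.Incorporates`), and the si_4 description below has the same at `a.Monitors` and `2.Unauthorized`. Since this commit already rewrites every description line (single to double quotes), it is the natural place to insert the missing spaces, e.g. `description: "The organization: a. Identifies, reports, and corrects information system flaws; b. Tests ...`. The rest of the control wording is unchanged and reads correctly.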
@@ -1,10 +1,16 @@
-ID: azure_fedramp_high_si_3
-Title: Malicious Code Protection (SI-3)
-Description: 'Implement [Assignment (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;'
-SectionCode: "3"
-Children:
- - azure_fedramp_high_si_3_1
-Controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si_3
+ title: Malicious Code Protection (SI-3)
+ description: "Implement [Assignment (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_fedramp_high_si_3_1
+ controls:
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
index c33e18aff..e50e40948 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_3_1.yaml
@@ -1,9 +1,14 @@
-ID: azure_fedramp_high_si_3_1
-Title: SI-3(1) Central Management
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si_3_1
+ title: SI-3(1) Central Management
+ description: SI-3(1) Central Management
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
index 66f040dae..dd19dd743 100755
--- a/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
+++ b/compliance/frameworks/azure/azure_fedramp_high/azure_fedramp_high_si_4.yaml
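Review bot: `description: SI-3(1) Central Management` merely repeats the `title`, replacing the previous empty string with a placeholder rather than the control statement, so a user opening the group sees no requirement text. Every other group in this family carries the NIST SP 800-53 control wording, so this one should too; for SI-3(1) that is the Rev 4 enhancement on central management of malicious code protection mechanisms (it was withdrawn in Rev 5, which is worth recording here if this framework tracks Rev 5). If no text is wanted, an explicit `description: ""` preserves the old meaning instead of a misleading duplicate of the title.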
@@ -1,25 +1,30 @@
-ID: azure_fedramp_high_si_4
-Title: Information System Monitoring (SI-4)
-Description: 'The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].'
-SectionCode: "4"
-Children: []
-Controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_fedramp_high_si_4
+ title: Information System Monitoring (SI-4)
+ description: "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_network_watcher_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_fedramp_high/root.yaml b/compliance/frameworks/azure/azure_fedramp_high/root.yaml
deleted file mode 100755
index 6392e1c97..000000000
--- a/compliance/frameworks/azure/azure_fedramp_high/root.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-ID: azure_fedramp_high
-Title: FedRAMP High
-Description: The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program. In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB).
-SectionCode: azure_fedramp_high
-Children:
- - azure_fedramp_high_ac
- - azure_fedramp_high_au
- - azure_fedramp_high_cm
- - azure_fedramp_high_cp
- - azure_fedramp_high_ia
- - azure_fedramp_high_ir
- - azure_fedramp_high_ra
- - azure_fedramp_high_sc
- - azure_fedramp_high_si
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml
new file mode 100644
index 000000000..dd7e7e9cb
--- /dev/null
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92.yaml
@@ -0,0 +1,47 @@
+framework:
+ id: azure_hipaa_hitrust_v92
+ title: HIPAA HITRUST 9.2
+ description: The HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.
+ section-code: azure_hipaa_hitrust_v92
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Laws & Regulations
+ - Frameworks
+ - Privacy
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_privilege_management
+ - id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
+ - id: azure_hipaa_hitrust_v92_user_identification_and_authentication
+ - id: azure_hipaa_hitrust_v92_endpoint_protection
+ - id: azure_hipaa_hitrust_v92_portable_media_security
+ - id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
+ - id: azure_hipaa_hitrust_v92_configuration_management
+ - id: azure_hipaa_hitrust_v92_vulnerability_management
+ - id: azure_hipaa_hitrust_v92_network_protection
+ - id: azure_hipaa_hitrust_v92_back_up
+ - id: azure_hipaa_hitrust_v92_network_controls
+ - id: azure_hipaa_hitrust_v92_on_line_transactions
+ - id: azure_hipaa_hitrust_v92_transmission_protection
+ - id: azure_hipaa_hitrust_v92_control_of_operational_software
+ - id: azure_hipaa_hitrust_v92_access_control
+ - id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring
+ - id: azure_hipaa_hitrust_v92_education_training_and_awareness
+ - id: azure_hipaa_hitrust_v92_third_party_assurance
+ - id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
index 69e577e9e..f916485c2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0201_09j1organizational.yaml
@@ -1,23 +1,28 @@
-ID: azure_hipaa_hitrust_v92_0201_09j1organizational
-Title: 09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
-Description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution.
-SectionCode: azure_hipaa_hitrust_v92_0201_09j1organizational
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_scale_set_endpoint_protection_solution_installed
- - azure_compute_vm_system_updates_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0201_09j1organizational
+ title: 09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code
+ description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software may address the requirement via a network-based malware detection (NBMD) solution.
+ section-code: azure_hipaa_hitrust_v92_0201_09j1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_endpoint_protection_agent_installed
+ - azure_compute_vm_malware_agent_automatic_upgrade_enabled
+ - azure_compute_vm_malware_agent_installed
+ - azure_compute_vm_scale_set_endpoint_protection_solution_installed
+ - azure_compute_vm_system_updates_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
index 1d67df50e..a804d8792 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0301_09o1organizational.yaml
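Review bot: `auto-assign: null` under `metadata.defaults` is a bare null rather than a boolean, while the new framework file in the same change sets `auto-assign: false` for the identical key; a loader that distinguishes unset from false will treat these control groups differently from their parent. Unless null is deliberately "inherit from the framework", `auto-assign: false` keeps both levels consistent and avoids the implicit-null trap. The same value appears in every other control-group hunk of this file set (0301, 0302, 0304, 0605, 0606, 0607, 0635 through 0644 and 0662 below), so one decision should be applied to all of them.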
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0301_09o1organizational
-Title: 09o1Organizational.123-09.o 09.07 Media Handling
-Description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
-SectionCode: azure_hipaa_hitrust_v92_0301_09o1organizational
-Children: []
-Controls:
- - azure_sql_database_transparent_data_encryption_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0301_09o1organizational
+ title: 09o1Organizational.123-09.o 09.07 Media Handling
+ description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
+ section-code: azure_hipaa_hitrust_v92_0301_09o1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_sql_database_transparent_data_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
index 1d35c8321..c536d3356 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0302_09o2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0302_09o2organizational
-Title: 09o2Organizational.1-09.o 09.07 Media Handling
-Description: The organization protects and controls media containing sensitive information during transport outside of controlled areas.
-SectionCode: azure_hipaa_hitrust_v92_0302_09o2organizational
-Children: []
-Controls:
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0302_09o2organizational
+ title: 09o2Organizational.1-09.o 09.07 Media Handling
+ description: The organization protects and controls media containing sensitive information during transport outside of controlled areas.
+ section-code: azure_hipaa_hitrust_v92_0302_09o2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
index 1fec78a4b..e3b180c87 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0304_09o3organizational.yaml
@@ -1,20 +1,25 @@
-ID: azure_hipaa_hitrust_v92_0304_09o3organizational
-Title: 09o3Organizational.1-09.o 09.07 Media Handling
-Description: The organization restricts the use of writable removable media and personally-owned removable media in organizational systems.
-SectionCode: azure_hipaa_hitrust_v92_0304_09o3organizational
-Children: []
-Controls:
- - azure_datalake_store_account_encryption_enabled
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_sql_server_tde_protector_cmk_encrypted
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0304_09o3organizational
+ title: 09o3Organizational.1-09.o 09.07 Media Handling
+ description: The organization restricts the use of writable removable media and personally-owned removable media in organizational systems.
+ section-code: azure_hipaa_hitrust_v92_0304_09o3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_datalake_store_account_encryption_enabled
+ - azure_mssql_managed_instance_encryption_at_rest_using_cmk
+ - azure_sql_server_tde_protector_cmk_encrypted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
index 1ff005e47..1084f8c23 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0605_10h1system.yaml
@@ -1,20 +1,25 @@
-ID: azure_hipaa_hitrust_v92_0605_10h1system
-Title: 10h1System.12-10.h 10.04 Security of System Files
-Description: Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
-SectionCode: azure_hipaa_hitrust_v92_0605_10h1system
-Children: []
-Controls:
- - azure_compute_vm_meet_security_option_audit_requirement_windows
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0605_10h1system
+ title: 10h1System.12-10.h 10.04 Security of System Files
+ description: Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
+ section-code: azure_hipaa_hitrust_v92_0605_10h1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_security_option_audit_requirement_windows
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
index 86e73ce6e..8a069e503 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0606_10h2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0606_10h2system
-Title: Applications and operating systems are successfully tested for usability, security and impact prior to production
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_0606_10h2system
-Children: []
-Controls:
- - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0606_10h2system
+ title: Applications and operating systems are successfully tested for usability, security and impact prior to production
+ description: Applications and operating systems are successfully tested for usability, security and impact prior to production
+ section-code: azure_hipaa_hitrust_v92_0606_10h2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_container_security_configurations_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
index 85314f61d..1830b266b 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0607_10h2system.yaml
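Review bot: The new `description` is a verbatim copy of `title`, so the field now repeats the heading rather than stating the requirement; the old side had it as an empty string, which at least did not pretend to carry content. Sibling files in this change (0605 just above, 0635 and onward below) use `description` for the control statement while `title` holds the HITRUST reference, so the intended content here is the requirement text, not the heading; if that text is not available, `description: ""` is the honest value. The 0607_10h2system hunk immediately below duplicates its title in the same way.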
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_0607_10h2system
-Title: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_0607_10h2system
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0607_10h2system
+ title: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
+ description: The organization uses its configuration control program to maintain control of all implemented software and its system documentation and archive prior versions of implemented software and associated system documentation
+ section-code: azure_hipaa_hitrust_v92_0607_10h2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
index 314e8d8c3..1ffdfb66c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0635_10k1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0635_10k1organizational
-Title: 10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
-Description: Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
-SectionCode: azure_hipaa_hitrust_v92_0635_10k1organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0635_10k1organizational
+ title: 10k1Organizational.12-10.k 10.05 Security In Development and Support Processes
+ description: Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.
+ section-code: azure_hipaa_hitrust_v92_0635_10k1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
index 8277e0a06..8a2d85134 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0636_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0636_10k2organizational
-Title: 10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
-Description: The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management.
-SectionCode: azure_hipaa_hitrust_v92_0636_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0636_10k2organizational
+ title: 10k2Organizational.1-10.k 10.05 Security In Development and Support Processes
+ description: The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management.
+ section-code: azure_hipaa_hitrust_v92_0636_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
index 77b4d76ba..ba6986d05 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0637_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0637_10k2organizational
-Title: 10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
-Description: The organization has developed, documented, and implemented a configuration management plan for the information system.
-SectionCode: azure_hipaa_hitrust_v92_0637_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0637_10k2organizational
+ title: 10k2Organizational.2-10.k 10.05 Security In Development and Support Processes
+ description: The organization has developed, documented, and implemented a configuration management plan for the information system.
+ section-code: azure_hipaa_hitrust_v92_0637_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
index 8d100568b..68aff6c49 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0638_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0638_10k2organizational
-Title: 10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
-Description: Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems.
-SectionCode: azure_hipaa_hitrust_v92_0638_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0638_10k2organizational
+ title: 10k2Organizational.34569-10.k 10.05 Security In Development and Support Processes
+ description: Changes are formally controlled, documented and enforced in order to minimize the corruption of information systems.
+ section-code: azure_hipaa_hitrust_v92_0638_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
index 784e0d562..73a64684f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0639_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0639_10k2organizational
-Title: 10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
-Description: Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards.
-SectionCode: azure_hipaa_hitrust_v92_0639_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0639_10k2organizational
+ title: 10k2Organizational.78-10.k 10.05 Security In Development and Support Processes
+ description: Installation checklists and vulnerability scans are used to validate the configuration of servers, workstations, devices and appliances and ensure the configuration meets minimum standards.
+ section-code: azure_hipaa_hitrust_v92_0639_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
index 1da9d2baf..6b9d86a5b 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0640_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0640_10k2organizational
-Title: 10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
-Description: Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.
-SectionCode: azure_hipaa_hitrust_v92_0640_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0640_10k2organizational
+ title: 10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes
+ description: Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles.
+ section-code: azure_hipaa_hitrust_v92_0640_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
index a67164fdf..3e9457b5f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0641_10k2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0641_10k2organizational
-Title: 10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
-Description: The organization does not use automated updates on critical systems.
-SectionCode: azure_hipaa_hitrust_v92_0641_10k2organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0641_10k2organizational
+ title: 10k2Organizational.11-10.k 10.05 Security In Development and Support Processes
+ description: The organization does not use automated updates on critical systems.
+ section-code: azure_hipaa_hitrust_v92_0641_10k2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
index 9612ecc54..0aa9604c8 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0642_10k3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0642_10k3organizational
-Title: 10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
-Description: The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required.
-SectionCode: azure_hipaa_hitrust_v92_0642_10k3organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0642_10k3organizational
+ title: 10k3Organizational.12-10.k 10.05 Security In Development and Support Processes
+ description: The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system, and reviews and updates the baseline as required.
+ section-code: azure_hipaa_hitrust_v92_0642_10k3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
index c6097b262..2231c3d7e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0643_10k3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0643_10k3organizational
-Title: 10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
-Description: The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
-SectionCode: azure_hipaa_hitrust_v92_0643_10k3organizational
-Children: []
-Controls:
- - azure_compute_vm_meet_system_audit_policies_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0643_10k3organizational
+ title: 10k3Organizational.3-10.k 10.05 Security In Development and Support Processes
+ description: The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
+ section-code: azure_hipaa_hitrust_v92_0643_10k3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_meet_system_audit_policies_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
index 65f0cdbd7..11b78f3ac 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0644_10k3organizational.yaml
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0644_10k3organizational -Title: 10k3Organizational.4-10.k 10.05 Security In Development and Support Processes -Description: The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. -SectionCode: azure_hipaa_hitrust_v92_0644_10k3organizational -Children: [] -Controls: - - azure_compute_vm_meet_system_audit_policies_requirement_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0644_10k3organizational + title: 10k3Organizational.4-10.k 10.05 Security In Development and Support Processes + description: The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and (iii) enforce access restrictions and auditing of the enforcement actions. + section-code: azure_hipaa_hitrust_v92_0644_10k3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_meet_system_audit_policies_requirement_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml index c2746a93d..74db640c2 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml 
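Review bot: `tracks-drift-events: false` sits oddly on this group, whose requirement is to "respond to unauthorized changes to network and system security-related configuration settings" — if the flag means what its name suggests, this is the one group where drift tracking should be on, e.g. `tracks-drift-events: true`. I cannot see the consumer's semantics for the flag from this diff, so confirm before flipping it. The group also maps the same single Windows audit-policy control as 0643, which evidences neither central management nor automated response to configuration changes; a comment acknowledging that the mapping is a proxy would help auditors.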
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0662_09scsporganizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0662_09scsporganizational -Title: 09sCSPOrganizational.2-09.s 09.08 Exchange of Information -Description: Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. -SectionCode: azure_hipaa_hitrust_v92_0662_09scsporganizational -Children: [] -Controls: - - azure_appservice_web_app_client_certificates_on -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0662_09scsporganizational + title: 09sCSPOrganizational.2-09.s 09.08 Exchange of Information + description: Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. + section-code: azure_hipaa_hitrust_v92_0662_09scsporganizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_appservice_web_app_client_certificates_on diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml index a34491466..5cb937c60 100755 
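Review bot: The single control in this group, `azure_appservice_web_app_client_certificates_on`, does not evidence the requirement it is attached to, which is about the provider using an industry-recognised virtualization platform, OVF-style formats, and documented hypervisor customisations. Client-certificate enforcement on a web app has no bearing on hypervisor interoperability, so a check against this group will report pass/fail on an unrelated property. Since this is a CSP-side requirement with no customer-visible Azure resource to assess, consider leaving `controls: []` with a comment like `# CSP responsibility (hypervisor/OVF); no tenant-side check available`, or document why the client-certificate control is used as a proxy.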
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0709_10m1organizational.yaml 
@@ -1,24 +1,29 @@ -ID: azure_hipaa_hitrust_v92_0709_10m1organizational -Title: 10m1Organizational.1-10.m 10.06 Technical Vulnerability Management -Description: Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. -SectionCode: azure_hipaa_hitrust_v92_0709_10m1organizational -Children: [] -Controls: - - azure_compute_vm_container_security_configurations_vulnerabilities_remediated - - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated - - azure_compute_vm_security_configuration_vulnerabilities_remediated - - azure_compute_vm_vulnerability_assessment_solution_enabled - - azure_mssql_managed_instance_vulnerability_assessment_enabled - - azure_sql_database_vulnerability_findings_resolved - - azure_sql_server_and_databases_va_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0709_10m1organizational + title: 10m1Organizational.1-10.m 10.06 Technical Vulnerability Management + description: Technical vulnerabilities are identified, evaluated for risk and corrected in a timely manner. + section-code: azure_hipaa_hitrust_v92_0709_10m1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_compute_vm_container_security_configurations_vulnerabilities_remediated + - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated + - azure_compute_vm_security_configuration_vulnerabilities_remediated + - azure_compute_vm_vulnerability_assessment_solution_enabled + - azure_mssql_managed_instance_vulnerability_assessment_enabled + - azure_sql_database_vulnerability_findings_resolved + - azure_sql_server_and_databases_va_enabled 
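Review bot: The seven controls listed here are re-listed one at a time across the 10m2/10m3 groups that follow (0710–0719 in this same diff), so every future addition or rename has to be made in two places with nothing to keep them in sync. A short comment above `controls:` such as `# superset of the per-requirement lists in 0710–0719; keep in sync` would at least make the coupling visible. Also, `service: - Azure` is the right generic tag for this mixed Compute/SQL list, so that part is fine.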
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml index 464a3422c..c976428fd 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0710_10m2organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0710_10m2organizational -Title: 10m2Organizational.1-10.m 10.06 Technical Vulnerability Management -Description: A hardened configuration standard exists for all system and network components. -SectionCode: azure_hipaa_hitrust_v92_0710_10m2organizational -Children: [] -Controls: - - azure_mssql_managed_instance_vulnerability_assessment_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0710_10m2organizational + title: 10m2Organizational.1-10.m 10.06 Technical Vulnerability Management + description: A hardened configuration standard exists for all system and network components. + section-code: azure_hipaa_hitrust_v92_0710_10m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark + controls: + - azure_mssql_managed_instance_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml index ffff7ef84..e287fe2b8 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml 
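Review bot: The `service:` tag reads `- Azure/MySQL`, but the only control in this group is `azure_mssql_managed_instance_vulnerability_assessment_enabled`, which targets Azure SQL Managed Instance, not MySQL. The mislabel was carried over from the old file, but the rewrite is the natural moment to fix it; the SQL database control in 0716 uses `- Azure/SQL`, so `- Azure/SQL` (or whatever tag the project uses for managed instances) is the consistent value. The requirement itself, "a hardened configuration standard exists", is a documentation control that a vulnerability-assessment-enabled check evidences only loosely, which is worth a comment.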
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0711_10m2organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0711_10m2organizational -Title: 10m2Organizational.23-10.m 10.06 Technical Vulnerability Management -Description: A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems. -SectionCode: azure_hipaa_hitrust_v92_0711_10m2organizational -Children: [] -Controls: - - azure_compute_vm_vulnerability_assessment_solution_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0711_10m2organizational + title: 10m2Organizational.23-10.m 10.06 Technical Vulnerability Management + description: A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems. + section-code: azure_hipaa_hitrust_v92_0711_10m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_vulnerability_assessment_solution_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml index 44ff2fae6..1f9a17e3e 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0713_10m2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0713_10m2organizational -Title: 10m2Organizational.5-10.m 10.06 Technical Vulnerability Management -Description: Patches are tested and evaluated before they are installed. -SectionCode: azure_hipaa_hitrust_v92_0713_10m2organizational -Children: [] -Controls: - - azure_compute_vm_security_configuration_vulnerabilities_remediated -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0713_10m2organizational + title: 10m2Organizational.5-10.m 10.06 Technical Vulnerability Management + description: Patches are tested and evaluated before they are installed. + section-code: azure_hipaa_hitrust_v92_0713_10m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_security_configuration_vulnerabilities_remediated diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml index b4392bec9..0f0e74a9c 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0714_10m2organizational.yaml 
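Review bot: Mapping "Patches are tested and evaluated before they are installed" to `azure_compute_vm_security_configuration_vulnerabilities_remediated` checks a post-hoc remediation state and says nothing about pre-install testing, so a passing result here would overstate compliance. Since this is a change-management process requirement with no resource-level signal, a comment making the limitation explicit, e.g. `# process control; remediation state is a proxy only — evidence of patch testing must come from change records`, keeps the mapping honest. The same caveat applies to several neighbouring 10m2/10m3 groups that reuse remediation checks for programme-evaluation requirements.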
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0714_10m2organizational -Title: 10m2Organizational.7-10.m 10.06 Technical Vulnerability Management -Description: The technical vulnerability management program is evaluated on a quarterly basis. -SectionCode: azure_hipaa_hitrust_v92_0714_10m2organizational -Children: [] -Controls: - - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0714_10m2organizational + title: 10m2Organizational.7-10.m 10.06 Technical Vulnerability Management + description: The technical vulnerability management program is evaluated on a quarterly basis. + section-code: azure_hipaa_hitrust_v92_0714_10m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml index 4409f45de..45f2ae49b 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0715_10m2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0715_10m2organizational -Title: 10m2Organizational.8-10.m 10.06 Technical Vulnerability Management -Description: Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled). -SectionCode: azure_hipaa_hitrust_v92_0715_10m2organizational -Children: [] -Controls: - - azure_compute_vm_container_security_configurations_vulnerabilities_remediated -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0715_10m2organizational + title: 10m2Organizational.8-10.m 10.06 Technical Vulnerability Management + description: Systems are appropriately hardened (e.g., configured with only necessary and secure services, ports and protocols enabled). + section-code: azure_hipaa_hitrust_v92_0715_10m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_container_security_configurations_vulnerabilities_remediated diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml index 4a86f3c14..b1be79078 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0716_10m3organizational.yaml 
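Review bot: This group ("Systems are appropriately hardened") maps only the container variant, `azure_compute_vm_container_security_configurations_vulnerabilities_remediated`, while the VM and scale-set variants listed in 0709 (`azure_compute_vm_security_configuration_vulnerabilities_remediated`, `azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated`) are omitted. Hardening applies to all three, so the group under-reports unless the narrowing is deliberate; either add the two sibling controls or add a comment stating why only containers are in scope here.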
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0716_10m3organizational -Title: 10m3Organizational.1-10.m 10.06 Technical Vulnerability Management -Description: The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures. -SectionCode: azure_hipaa_hitrust_v92_0716_10m3organizational -Children: [] -Controls: - - azure_sql_database_vulnerability_findings_resolved -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/SQL - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0716_10m3organizational + title: 10m3Organizational.1-10.m 10.06 Technical Vulnerability Management + description: The organization conducts an enterprise security posture review as needed but no less than once within every three-hundred-sixty-five (365) days, in accordance with organizational IS procedures. + section-code: azure_hipaa_hitrust_v92_0716_10m3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/SQL + type: + - Benchmark + controls: + - azure_sql_database_vulnerability_findings_resolved diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml index 0f098974f..2ec487694 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0717_10m3organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0717_10m3organizational -Title: 10m3Organizational.2-10.m 10.06 Technical Vulnerability Management -Description: Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned. -SectionCode: azure_hipaa_hitrust_v92_0717_10m3organizational -Children: [] -Controls: - - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0717_10m3organizational + title: 10m3Organizational.2-10.m 10.06 Technical Vulnerability Management + description: Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned. + section-code: azure_hipaa_hitrust_v92_0717_10m3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml index 311cfce5a..710a162c8 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0718_10m3organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0718_10m3organizational -Title: 10m3Organizational.34-10.m 10.06 Technical Vulnerability Management -Description: The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. -SectionCode: azure_hipaa_hitrust_v92_0718_10m3organizational -Children: [] -Controls: - - azure_compute_vm_security_configuration_vulnerabilities_remediated -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0718_10m3organizational + title: 10m3Organizational.34-10.m 10.06 Technical Vulnerability Management + description: The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically) and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. + section-code: azure_hipaa_hitrust_v92_0718_10m3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_security_configuration_vulnerabilities_remediated diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml index 591716d86..99062b802 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0719_10m3organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0719_10m3organizational -Title: 10m3Organizational.5-10.m 10.06 Technical Vulnerability Management -Description: The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported. -SectionCode: azure_hipaa_hitrust_v92_0719_10m3organizational -Children: [] -Controls: - - azure_mssql_managed_instance_vulnerability_assessment_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0719_10m3organizational + title: 10m3Organizational.5-10.m 10.06 Technical Vulnerability Management + description: The organization updates the list of information system vulnerabilities scanned within every thirty (30) days or when new vulnerabilities are identified and reported. + section-code: azure_hipaa_hitrust_v92_0719_10m3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark + controls: + - azure_mssql_managed_instance_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml index adb4c4042..68e0f27b5 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0805_01m1organizational.yaml 
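Review bot: Same mislabel as 0710: the `service:` tag is `- Azure/MySQL` but the control is `azure_mssql_managed_instance_vulnerability_assessment_enabled`, which is a SQL Managed Instance check; `- Azure/SQL` matches how the SQL database control is tagged in 0716. Anyone filtering this framework by service will otherwise miss the control or attribute it to the wrong platform.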
@@ -1,28 +1,33 @@ -ID: azure_hipaa_hitrust_v92_0805_01m1organizational -Title: 01m1Organizational.12-01.m 01.04 Network Access Control -Description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. -SectionCode: azure_hipaa_hitrust_v92_0805_01m1organizational -Children: [] -Controls: - - azure_appservice_web_app_use_virtual_service_endpoint - - azure_compute_vm_attached_with_network - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_use_virtual_service_endpoint - - azure_cosmosdb_use_virtual_service_endpoint - - azure_eventhub_namespace_use_virtual_service_endpoint - - azure_keyvault_vault_use_virtual_service_endpoint - - azure_network_security_group_not_configured_gateway_subnets - - azure_network_security_group_subnet_associated - - azure_sql_server_use_virtual_service_endpoint - - azure_storage_account_use_virtual_service_endpoint -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0805_01m1organizational + title: 01m1Organizational.12-01.m 01.04 Network Access Control + description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. 
+ section-code: azure_hipaa_hitrust_v92_0805_01m1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_appservice_web_app_use_virtual_service_endpoint + - azure_compute_vm_attached_with_network + - azure_compute_vm_tcp_udp_access_restricted_internet + - azure_container_registry_use_virtual_service_endpoint + - azure_cosmosdb_use_virtual_service_endpoint + - azure_eventhub_namespace_use_virtual_service_endpoint + - azure_keyvault_vault_use_virtual_service_endpoint + - azure_network_security_group_not_configured_gateway_subnets + - azure_network_security_group_subnet_associated + - azure_sql_server_use_virtual_service_endpoint + - azure_storage_account_use_virtual_service_endpoint diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml index fdee3276a..6a04127b1 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0806_01m2organizational.yaml 
@@ -1,28 +1,33 @@ -ID: azure_hipaa_hitrust_v92_0806_01m2organizational -Title: 01m2Organizational.12356-01.m 01.04 Network Access Control -Description: The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. -SectionCode: azure_hipaa_hitrust_v92_0806_01m2organizational -Children: [] -Controls: - - azure_appservice_web_app_use_virtual_service_endpoint - - azure_compute_vm_attached_with_network - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_use_virtual_service_endpoint - - azure_cosmosdb_use_virtual_service_endpoint - - azure_eventhub_namespace_use_virtual_service_endpoint - - azure_keyvault_vault_use_virtual_service_endpoint - - azure_network_security_group_not_configured_gateway_subnets - - azure_network_security_group_subnet_associated - - azure_sql_server_use_virtual_service_endpoint - - azure_storage_account_use_virtual_service_endpoint -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0806_01m2organizational + title: 01m2Organizational.12356-01.m 01.04 Network Access Control + description: The organizations network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their 
respective security requirements. + section-code: azure_hipaa_hitrust_v92_0806_01m2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_appservice_web_app_use_virtual_service_endpoint + - azure_compute_vm_attached_with_network + - azure_compute_vm_tcp_udp_access_restricted_internet + - azure_container_registry_use_virtual_service_endpoint + - azure_cosmosdb_use_virtual_service_endpoint + - azure_eventhub_namespace_use_virtual_service_endpoint + - azure_keyvault_vault_use_virtual_service_endpoint + - azure_network_security_group_not_configured_gateway_subnets + - azure_network_security_group_subnet_associated + - azure_sql_server_use_virtual_service_endpoint + - azure_storage_account_use_virtual_service_endpoint diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml index 37e3d71da..2a6522ab9 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0809_01n2organizational.yaml 
@@ -1,29 +1,34 @@ -ID: azure_hipaa_hitrust_v92_0809_01n2organizational -Title: 01n2Organizational.1234-01.n 01.04 Network Access Control -Description: Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. -SectionCode: azure_hipaa_hitrust_v92_0809_01n2organizational -Children: [] -Controls: - - azure_appservice_api_app_latest_tls_version - - azure_appservice_api_app_use_https - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible - - azure_redis_cache_ssl_enabled - - azure_compute_vm_adaptive_network_hardening_recommendation_applied - - azure_compute_vm_attached_with_network - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_mysql_ssl_enabled - - azure_network_security_group_subnet_associated - - azure_postgres_sql_ssl_enabled - - azure_storage_account_secure_transfer_required_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0809_01n2organizational + title: 01n2Organizational.1234-01.n 01.04 Network Access Control + description: Network traffic is controlled in accordance with the organizations access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. 
+ section-code: azure_hipaa_hitrust_v92_0809_01n2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_appservice_api_app_latest_tls_version + - azure_appservice_api_app_use_https + - azure_appservice_function_app_latest_tls_version + - azure_appservice_function_app_only_https_accessible + - azure_redis_cache_ssl_enabled + - azure_compute_vm_adaptive_network_hardening_recommendation_applied + - azure_compute_vm_attached_with_network + - azure_compute_vm_tcp_udp_access_restricted_internet + - azure_mysql_ssl_enabled + - azure_network_security_group_subnet_associated + - azure_postgres_sql_ssl_enabled + - azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml index 56edd2828..d121d80fc 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0810_01n2organizational.yaml 
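Review bot: The `controls:` list is alphabetical except for `azure_redis_cache_ssl_enabled`, which is placed between the App Service and Compute entries; moving it after `azure_postgres_sql_ssl_enabled` keeps the list sorted and makes future diffs of this block readable. The description also reads "the organizations access control policy" — if it is quoting HITRUST text, the original has the possessive ("organization's"), and the same apostrophe is missing in the 0806 description above.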
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_0810_01n2organizational
-Title: 01n2Organizational.5-01.n 01.04 Network Access Control
-Description: Transmitted information is secured and, at a minimum, encrypted over open, public networks.
-SectionCode: azure_hipaa_hitrust_v92_0810_01n2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0810_01n2organizational
+ title: 01n2Organizational.5-01.n 01.04 Network Access Control
+ description: Transmitted information is secured and, at a minimum, encrypted over open, public networks.
+ section-code: azure_hipaa_hitrust_v92_0810_01n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_mysql_ssl_enabled
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
index 4c7273da9..37b170a65 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0811_01n2organizational.yaml
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_0811_01n2organizational
-Title: 01n2Organizational.6-01.n 01.04 Network Access Control
-Description: Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
-SectionCode: azure_hipaa_hitrust_v92_0811_01n2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0811_01n2organizational
+ title: 01n2Organizational.6-01.n 01.04 Network Access Control
+ description: Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need.
+ section-code: azure_hipaa_hitrust_v92_0811_01n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_mysql_ssl_enabled
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
index eba770854..eaa4a8f9e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0812_01n2organizational.yaml
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_0812_01n2organizational
-Title: 01n2Organizational.8-01.n 01.04 Network Access Control
-Description: Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.
-SectionCode: azure_hipaa_hitrust_v92_0812_01n2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0812_01n2organizational
+ title: 01n2Organizational.8-01.n 01.04 Network Access Control
+ description: Remote devices establishing a non-remote connection are not allowed to communicate with external (remote) resources.
+ section-code: azure_hipaa_hitrust_v92_0812_01n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_mysql_ssl_enabled
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
index bb0756e2a..bdd9c8d90 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0814_01n1organizational.yaml
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_0814_01n1organizational
-Title: 01n1Organizational.12-01.n 01.04 Network Access Control
-Description: The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
-SectionCode: azure_hipaa_hitrust_v92_0814_01n1organizational
-Children: []
-Controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_mysql_ssl_enabled
- - azure_network_security_group_subnet_associated
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0814_01n1organizational
+ title: 01n1Organizational.12-01.n 01.04 Network Access Control
+ description: The ability of users to connect to the internal network is restricted using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
+ section-code: azure_hipaa_hitrust_v92_0814_01n1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_mysql_ssl_enabled
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
index 342d125ce..ebd67c502 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0835_09n1organizational.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_0835_09n1organizational
-Title: 09n1Organizational.1-09.n 09.06 Network Security Management
-Description: Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
-SectionCode: azure_hipaa_hitrust_v92_0835_09n1organizational
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_uses_azure_resource_manager
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0835_09n1organizational
+ title: 09n1Organizational.1-09.n 09.06 Network Security Management
+ description: Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely.
+ section-code: azure_hipaa_hitrust_v92_0835_09n1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
index 036ff2a86..4e883980f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0836_09_n2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0836_09_n2organizational
-Title: 09.n2Organizational.1-09.n 09.06 Network Security Management
-Description: The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.
-SectionCode: azure_hipaa_hitrust_v92_0836_09_n2organizational
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0836_09_n2organizational
+ title: 09.n2Organizational.1-09.n 09.06 Network Security Management
+ description: The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization.
+ section-code: azure_hipaa_hitrust_v92_0836_09_n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
index 32968d093..d763b59c1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0837_09_n2Organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0837_09_n2Organizational
-Title: 09.n2Organizational.2-09.n 09.06 Network Security Management
-Description: Formal agreements with external information system providers include specific obligations for security and privacy.
-SectionCode: azure_hipaa_hitrust_v92_0837_09_n2Organizational
-Children: []
-Controls:
- - azure_network_watcher_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+ title: 09.n2Organizational.2-09.n 09.06 Network Security Management
+ description: Formal agreements with external information system providers include specific obligations for security and privacy.
+ section-code: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
index db5b045d2..d6d21c5b3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0858_09m1organizational.yaml
@@ -1,20 +1,25 @@
-ID: azure_hipaa_hitrust_v92_0858_09m1organizational
-Title: 09m1Organizational.4-09.m 09.06 Network Security Management
-Description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
-SectionCode: azure_hipaa_hitrust_v92_0858_09m1organizational
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_meet_firewall_properties_windows
- - azure_compute_vm_remote_access_restricted_all_ports
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0858_09m1organizational
+ title: 09m1Organizational.4-09.m 09.06 Network Security Management
+ description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
+ section-code: azure_hipaa_hitrust_v92_0858_09m1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_meet_firewall_properties_windows
+ - azure_compute_vm_remote_access_restricted_all_ports
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
index f3be726d5..4df562541 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0859_09m1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0859_09m1organizational
-Title: 09m1Organizational.78-09.m 09.06 Network Security Management
-Description: The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access.
-SectionCode: azure_hipaa_hitrust_v92_0859_09m1organizational
-Children: []
-Controls:
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0859_09m1organizational
+ title: 09m1Organizational.78-09.m 09.06 Network Security Management
+ description: The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access.
+ section-code: azure_hipaa_hitrust_v92_0859_09m1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
index c1e13f938..9979f2616 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0860_09m1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0860_09m1organizational
-Title: 09m1Organizational.9-09.m 09.06 Network Security Management
-Description: The organization formally manages equipment on the network, including equipment in user areas.
-SectionCode: azure_hipaa_hitrust_v92_0860_09m1organizational
-Children: []
-Controls:
- - azure_network_security_group_diagnostic_setting_deployed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0860_09m1organizational
+ title: 09m1Organizational.9-09.m 09.06 Network Security Management
+ description: The organization formally manages equipment on the network, including equipment in user areas.
+ section-code: azure_hipaa_hitrust_v92_0860_09m1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_security_group_diagnostic_setting_deployed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
index e213e0c2f..acbde186a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0861_09m2organizational.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_0861_09m2organizational
-Title: 09m2Organizational.67-09.m 09.06 Network Security Management
-Description: To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
-SectionCode: azure_hipaa_hitrust_v92_0861_09m2organizational
-Children: []
-Controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_meet_security_options_network_access_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0861_09m2organizational
+ title: 09m2Organizational.67-09.m 09.06 Network Security Management
+ description: To identify and authenticate devices on local and/or wide area networks, including wireless networks, the information system uses either a (i) shared known information solution or (ii) an organizational authentication solution, the exact selection and strength of which is dependent on the security categorization of the information system.
+ section-code: azure_hipaa_hitrust_v92_0861_09m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_use_virtual_service_endpoint
+ - azure_compute_vm_meet_security_options_network_access_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
index f739cf5c7..14c3d46c5 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0862_09m2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0862_09m2organizational
-Title: 09m2Organizational.8-09.m 09.06 Network Security Management
-Description: The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
-SectionCode: azure_hipaa_hitrust_v92_0862_09m2organizational
-Children: []
-Controls:
- - azure_sql_server_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0862_09m2organizational
+ title: 09m2Organizational.8-09.m 09.06 Network Security Management
+ description: The organization ensures information systems protect the confidentiality and integrity of transmitted information, including during preparation for transmission and during reception.
+ section-code: azure_hipaa_hitrust_v92_0862_09m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_sql_server_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
index f0bfabd7d..9311695fe 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0863_09m2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0863_09m2organizational
-Title: 09m2Organizational.910-09.m 09.06 Network Security Management
-Description: The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
-SectionCode: azure_hipaa_hitrust_v92_0863_09m2organizational
-Children: []
-Controls:
- - azure_eventhub_namespace_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/EventHub
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0863_09m2organizational
+ title: 09m2Organizational.910-09.m 09.06 Network Security Management
+ description: The organization builds a firewall configuration that restricts connections between un-trusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram.
+ section-code: azure_hipaa_hitrust_v92_0863_09m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/EventHub
+ type:
+ - Benchmark
+ controls:
+ - azure_eventhub_namespace_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
index 27891b9cd..fd7d4a5c6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0864_09m2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0864_09m2organizational
-Title: 09m2Organizational.12-09.m 09.06 Network Security Management
-Description: Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service.
-SectionCode: azure_hipaa_hitrust_v92_0864_09m2organizational
-Children: []
-Controls:
- - azure_cosmosdb_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/CosmosDB
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0864_09m2organizational
+ title: 09m2Organizational.12-09.m 09.06 Network Security Management
+ description: Usage restrictions and implementation guidance are formally defined for VoIP, including the authorization and monitoring of the service.
+ section-code: azure_hipaa_hitrust_v92_0864_09m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/CosmosDB
+ type:
+ - Benchmark
+ controls:
+ - azure_cosmosdb_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
index 9103a105e..c9f3ec3be 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0865_09m2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0865_09m2organizational
-Title: 09m2Organizational.13-09.m 09.06 Network Security Management
-Description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.
-SectionCode: azure_hipaa_hitrust_v92_0865_09m2organizational
-Children: []
-Controls:
- - azure_keyvault_vault_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KeyVault
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0865_09m2organizational
+ title: 09m2Organizational.13-09.m 09.06 Network Security Management
+ description: The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed.
+ section-code: azure_hipaa_hitrust_v92_0865_09m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KeyVault
+ type:
+ - Benchmark
+ controls:
+ - azure_keyvault_vault_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
index f0b1f6642..26cec376d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0866_09m3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0866_09m3organizational
-Title: 09m3Organizational.1516-09.m 09.06 Network Security Management
-Description: The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure.
-SectionCode: azure_hipaa_hitrust_v92_0866_09m3organizational
-Children: []
-Controls:
- - azure_storage_account_default_network_access_rule_denied
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0866_09m3organizational
+ title: 09m3Organizational.1516-09.m 09.06 Network Security Management
+ description: The organization describes the groups, roles, and responsibilities for the logical management of network components and ensures coordination of and consistency in the elements of the network infrastructure.
+ section-code: azure_hipaa_hitrust_v92_0866_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+ controls:
+ - azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
index 46a4b47f6..a26e89d1a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0867_09m3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0867_09m3organizational
-Title: Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)
-Description: Ensure the protection of information in networks and protection of the supporting network infrastructure.
-SectionCode: azure_hipaa_hitrust_v92_0867_09m3organizational
-Children: []
-Controls:
- - azure_storage_account_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0867_09m3organizational
+ title: Wireless access points are placed in secure areas and shut down when not in use (e.g. nights, weekends)
+ description: Ensure the protection of information in networks and protection of the supporting network infrastructure.
+ section-code: azure_hipaa_hitrust_v92_0867_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+ controls:
+ - azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
index dd073b044..6ac6ceb93 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0868_09m3organizational.yaml
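Review bot: The `controls` entry `azure_storage_account_use_virtual_service_endpoint` does not evidence the requirement this group's `title` describes (physical placement and shutdown of wireless access points), so a passing result here would give a misleading compliance signal; the mapping is carried over from the old format, not introduced by this hunk, but the migration is the natural place to revisit it. If no Azure-side check can evidence the requirement, an empty `controls: []` with a comment such as `# no automated control; physical/manual evidence required` is more honest than an unrelated control. The 0943 hunk (a 90-day extract-erasure requirement mapped to `azure_storage_account_secure_transfer_required_enabled`) has the same mismatch.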
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0868_09m3organizational
-Title: 09m3Organizational.18-09.m 09.06 Network Security Management
-Description: The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment.
-SectionCode: azure_hipaa_hitrust_v92_0868_09m3organizational
-Children: []
-Controls:
- - azure_container_registry_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0868_09m3organizational
+ title: 09m3Organizational.18-09.m 09.06 Network Security Management
+ description: The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment.
+ section-code: azure_hipaa_hitrust_v92_0868_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+ controls:
+ - azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
index 6e6fcbe0d..10c4221cb 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0869_09m3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0869_09m3organizational
-Title: 09m3Organizational.19-09.m 09.06 Network Security Management
-Description: The router configuration files are secured and synchronized.
-SectionCode: azure_hipaa_hitrust_v92_0869_09m3organizational
-Children: []
-Controls:
- - azure_container_registry_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0869_09m3organizational
+ title: 09m3Organizational.19-09.m 09.06 Network Security Management
+ description: The router configuration files are secured and synchronized.
+ section-code: azure_hipaa_hitrust_v92_0869_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+ controls:
+ - azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
index f1dfca101..fceb91e16 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0870_09m3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0870_09m3organizational
-Title: 09m3Organizational.20-09.m 09.06 Network Security Management
-Description: Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
-SectionCode: azure_hipaa_hitrust_v92_0870_09m3organizational
-Children: []
-Controls:
- - azure_container_registry_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0870_09m3organizational
+ title: 09m3Organizational.20-09.m 09.06 Network Security Management
+ description: Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required.
+ section-code: azure_hipaa_hitrust_v92_0870_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+ controls:
+ - azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
index 5b15c8946..ece66991d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0871_09m3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0871_09m3organizational
-Title: 09m3Organizational.22-09.m 09.07 Network Security Management
-Description: Authoritative DNS servers are segregated into internal and external roles.
-SectionCode: azure_hipaa_hitrust_v92_0871_09m3organizational
-Children: []
-Controls:
- - azure_container_registry_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ContainerRegistry
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0871_09m3organizational
+ title: 09m3Organizational.22-09.m 09.07 Network Security Management
+ description: Authoritative DNS servers are segregated into internal and external roles.
+ section-code: azure_hipaa_hitrust_v92_0871_09m3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ContainerRegistry
+ type:
+ - Benchmark
+ controls:
+ - azure_container_registry_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
index b16816b5e..ba07d7b7f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0885_09n2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0885_09n2organizational
-Title: 09n2Organizational.3-09.n 09.06 Network Security Management
-Description: The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
-SectionCode: azure_hipaa_hitrust_v92_0885_09n2organizational
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0885_09n2organizational
+ title: 09n2Organizational.3-09.n 09.06 Network Security Management
+ description: The organization reviews and updates the interconnection security agreements on an ongoing basis verifying enforcement of security requirements.
+ section-code: azure_hipaa_hitrust_v92_0885_09n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
index f76e0e03f..c6640fc53 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0886_09n2Organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0886_09n2Organizational
-Title: 09n2Organizational.4-09.n 09.06 Network Security Management
-Description: The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems.
-SectionCode: azure_hipaa_hitrust_v92_0886_09n2Organizational
-Children: []
-Controls:
- - azure_network_watcher_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0886_09n2Organizational
+ title: 09n2Organizational.4-09.n 09.06 Network Security Management
+ description: The organization employs and documents in a formal agreement or other document, either i) allow-all, deny-by-exception, or, ii) deny-all, permit-by-exception (preferred), policy for allowing specific information systems to connect to external information systems.
+ section-code: azure_hipaa_hitrust_v92_0886_09n2Organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
index 6cc69f4ec..d698f8e55 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0887_09n2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0887_09n2organizational
-Title: 09n2Organizational.5-09.n 09.06 Network Security Management
-Description: The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services.
-SectionCode: azure_hipaa_hitrust_v92_0887_09n2organizational
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0887_09n2organizational
+ title: 09n2Organizational.5-09.n 09.06 Network Security Management
+ description: The organization requires external/outsourced service providers to identify the specific functions, ports, and protocols used in the provision of the external/outsourced services.
+ section-code: azure_hipaa_hitrust_v92_0887_09n2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
index 1932040d8..032a9e8e2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0888_09n2Organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0888_09n2Organizational
-Title: 09n2Organizational.6-09.n 09.06 Network Security Management
-Description: The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.
-SectionCode: azure_hipaa_hitrust_v92_0888_09n2Organizational
-Children: []
-Controls:
- - azure_network_watcher_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0888_09n2Organizational
+ title: 09n2Organizational.6-09.n 09.06 Network Security Management
+ description: The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared.
+ section-code: azure_hipaa_hitrust_v92_0888_09n2Organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_watcher_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
index 670d8ce6d..c6d14bfb9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0894_01m2organizational.yaml
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_0894_01m2organizational
-Title: 01m2Organizational.7-01.m 01.04 Network Access Control
-Description: Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
-SectionCode: azure_hipaa_hitrust_v92_0894_01m2organizational
-Children: []
-Controls:
- - azure_appservice_web_app_use_virtual_service_endpoint
- - azure_compute_vm_attached_with_network
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_use_virtual_service_endpoint
- - azure_cosmosdb_use_virtual_service_endpoint
- - azure_eventhub_namespace_use_virtual_service_endpoint
- - azure_keyvault_vault_use_virtual_service_endpoint
- - azure_network_security_group_not_configured_gateway_subnets
- - azure_network_security_group_subnet_associated
- - azure_network_watcher_in_regions_with_virtual_network
- - azure_sql_server_use_virtual_service_endpoint
- - azure_storage_account_use_virtual_service_endpoint
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0894_01m2organizational
+ title: 01m2Organizational.7-01.m 01.04 Network Access Control
+ description: Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers.
+ section-code: azure_hipaa_hitrust_v92_0894_01m2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_use_virtual_service_endpoint
+ - azure_compute_vm_attached_with_network
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_use_virtual_service_endpoint
+ - azure_cosmosdb_use_virtual_service_endpoint
+ - azure_eventhub_namespace_use_virtual_service_endpoint
+ - azure_keyvault_vault_use_virtual_service_endpoint
+ - azure_network_security_group_not_configured_gateway_subnets
+ - azure_network_security_group_subnet_associated
+ - azure_network_watcher_in_regions_with_virtual_network
+ - azure_sql_server_use_virtual_service_endpoint
+ - azure_storage_account_use_virtual_service_endpoint
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
index a178b6a53..476415861 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0901_09s1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0901_09s1organizational
-Title: 09s1Organizational.1-09.s 09.08 Exchange of Information
-Description: The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
-SectionCode: azure_hipaa_hitrust_v92_0901_09s1organizational
-Children: []
-Controls:
- - azure_appservice_api_app_cors_no_star
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0901_09s1organizational
+ title: 09s1Organizational.1-09.s 09.08 Exchange of Information
+ description: The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
+ section-code: azure_hipaa_hitrust_v92_0901_09s1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
index 4f8e06c2a..00a1f9ca0 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0902_09s2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0902_09s2organizational
-Title: 09s2Organizational.13-09.s 09.08 Exchange of Information
-Description: Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions.
-SectionCode: azure_hipaa_hitrust_v92_0902_09s2organizational
-Children: []
-Controls:
- - azure_appservice_function_app_cors_no_star
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0902_09s2organizational
+ title: 09s2Organizational.13-09.s 09.08 Exchange of Information
+ description: Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions.
+ section-code: azure_hipaa_hitrust_v92_0902_09s2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_function_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
index 442298534..0a1a4dd5a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0912_09s1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0912_09s1organizational
-Title: 09s1Organizational.4-09.s 09.08 Exchange of Information
-Description: Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
-SectionCode: azure_hipaa_hitrust_v92_0912_09s1organizational
-Children: []
-Controls:
- - azure_appservice_api_app_remote_debugging_disabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0912_09s1organizational
+ title: 09s1Organizational.4-09.s 09.08 Exchange of Information
+ description: Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems.
+ section-code: azure_hipaa_hitrust_v92_0912_09s1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
index fd82c0050..6b37aa55d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0913_09s1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0913_09s1organizational
-Title: 09s1Organizational.5-09.s 09.08 Exchange of Information
-Description: Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks.
-SectionCode: azure_hipaa_hitrust_v92_0913_09s1organizational
-Children: []
-Controls:
- - azure_appservice_function_app_remote_debugging_disabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0913_09s1organizational
+ title: 09s1Organizational.5-09.s 09.08 Exchange of Information
+ description: Strong cryptography protocols are used to safeguard covered information during transmission over less trusted / open public networks.
+ section-code: azure_hipaa_hitrust_v92_0913_09s1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_function_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
index e81f8ee7a..ec32ed596 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0915_09s2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0915_09s2organizational
-Title: 09s2Organizational.2-09.s 09.08 Exchange of Information
-Description: The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
-SectionCode: azure_hipaa_hitrust_v92_0915_09s2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_client_certificates_on
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0915_09s2organizational
+ title: 09s2Organizational.2-09.s 09.08 Exchange of Information
+ description: The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
+ section-code: azure_hipaa_hitrust_v92_0915_09s2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_client_certificates_on
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
index 32005b935..ea62e1732 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0916_09s2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0916_09s2organizational
-Title: 09s2Organizational.4-09.s 09.08 Exchange of Information
-Description: The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices.
-SectionCode: azure_hipaa_hitrust_v92_0916_09s2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_cors_no_star
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0916_09s2organizational
+ title: 09s2Organizational.4-09.s 09.08 Exchange of Information
+ description: The information system prohibits remote activation of collaborative computing devices and provides an explicit indication of use to users physically present at the devices.
+ section-code: azure_hipaa_hitrust_v92_0916_09s2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_cors_no_star
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
index c1c05d628..9650fdf66 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0943_09y1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_0943_09y1organizational
-Title: 09y1Organizational.1-09.y 09.09 Electronic Commerce Services
-Description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
-SectionCode: azure_hipaa_hitrust_v92_0943_09y1organizational
-Children: []
-Controls:
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Storage
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_0943_09y1organizational
+ title: 09y1Organizational.1-09.y 09.09 Electronic Commerce Services
+ description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required.
+ section-code: azure_hipaa_hitrust_v92_0943_09y1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Storage
+ type:
+ - Benchmark
+ controls:
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
index 620c65ddf..3f59748ef 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0945_09y1organizational.yaml
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0945_09y1organizational -Title: 09y1Organizational.3-09.y 09.09 Electronic Commerce Services -Description: Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). -SectionCode: azure_hipaa_hitrust_v92_0945_09y1organizational -Children: [] -Controls: - - azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0945_09y1organizational + title: 09y1Organizational.3-09.y 09.09 Electronic Commerce Services + description: Protocols used to communicate between all involved parties are secured using cryptographic techniques (e.g., SSL). + section-code: azure_hipaa_hitrust_v92_0945_09y1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml index a488f5eff..84ce04b31 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0946_09y2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0946_09y2organizational -Title: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction -Description: "" -SectionCode: azure_hipaa_hitrust_v92_0946_09y2organizational -Children: [] -Controls: - - azure_redis_cache_ssl_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Redis - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0946_09y2organizational + title: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction + description: The organization requires the use of encryption between, and the use of electronic signatures by, each of the parties involved in the transaction + section-code: azure_hipaa_hitrust_v92_0946_09y2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Redis + type: + - Benchmark + controls: + - azure_redis_cache_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml index fc1b6bfb7..31f49bd2b 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0947_09y2organizational.yaml 
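Review bot: The new `description:` is a verbatim copy of `title:`, replacing the former `Description: ""`, so the two fields now carry no independent information. Sibling groups put the HITRUST reference in the title (`09y1Organizational.3-09.y 09.09 Electronic Commerce Services` in 0945) and the requirement text in the description; here the requirement sentence has landed in `title:` and been duplicated instead of the reference being restored. The same duplication appears in the hunks for 11110, 1117, 11208, 11210 and 11211. If the reference is not available, keep the sentence in `description:` and give `title:` a short label, or mark the placeholder with `# TODO: title should be the HITRUST reference id` so it is visible to whoever maintains the framework.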
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0947_09y2organizational -Title: 09y2Organizational.2-09.y 09.09 Electronic Commerce Services -Description: The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. -SectionCode: azure_hipaa_hitrust_v92_0947_09y2organizational -Children: [] -Controls: - - azure_postgres_sql_ssl_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/PostgreSQL - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0947_09y2organizational + title: 09y2Organizational.2-09.y 09.09 Electronic Commerce Services + description: The organization ensures the storage of the transaction details are located outside of any publicly accessible environments (e.g., on a storage platform existing on the organization's intranet) and not retained and exposed on a storage medium directly accessible from the Internet. + section-code: azure_hipaa_hitrust_v92_0947_09y2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/PostgreSQL + type: + - Benchmark + controls: + - azure_postgres_sql_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml index 03d55719f..aeee8b352 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0948_09y2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0948_09y2organizational -Title: 09y2Organizational.3-09.y 09.09 Electronic Commerce Services -Description: Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. -SectionCode: azure_hipaa_hitrust_v92_0948_09y2organizational -Children: [] -Controls: - - azure_mysql_ssl_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/MySQL - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0948_09y2organizational + title: 09y2Organizational.3-09.y 09.09 Electronic Commerce Services + description: Where a trusted authority is used (e.g., for the purposes of issuing and maintaining digital signatures and/or digital certificates), security is integrated and embedded throughout the entire end-to-end certificate/signature management process. + section-code: azure_hipaa_hitrust_v92_0948_09y2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/MySQL + type: + - Benchmark + controls: + - azure_mysql_ssl_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml index a2ed61058..ee32f685f 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0949_09y2organizational.yaml 
@@ -1,21 +1,26 @@ -ID: azure_hipaa_hitrust_v92_0949_09y2organizational -Title: 09y2Organizational.5-09.y 09.09 Electronic Commerce Services -Description: The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. -SectionCode: azure_hipaa_hitrust_v92_0949_09y2organizational -Children: [] -Controls: - - azure_appservice_api_app_latest_tls_version - - azure_appservice_api_app_use_https - - azure_appservice_function_app_latest_tls_version - - azure_appservice_function_app_only_https_accessible -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0949_09y2organizational + title: 09y2Organizational.5-09.y 09.09 Electronic Commerce Services + description: The protocols used for communications are enhanced to address any new vulnerability, and the updated versions of the protocols are adopted as soon as possible. + section-code: azure_hipaa_hitrust_v92_0949_09y2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_appservice_api_app_latest_tls_version + - azure_appservice_api_app_use_https + - azure_appservice_function_app_latest_tls_version + - azure_appservice_function_app_only_https_accessible diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml index e0df097bb..f98d8aafa 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_0960_09scsporganizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_0960_09scsporganizational -Title: 09sCSPOrganizational.1-09.s 09.08 Exchange of Information -Description: Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. -SectionCode: azure_hipaa_hitrust_v92_0960_09scsporganizational -Children: [] -Controls: - - azure_appservice_function_app_cors_no_star -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_0960_09scsporganizational + title: 09sCSPOrganizational.1-09.s 09.08 Exchange of Information + description: Cloud service providers use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved. + section-code: azure_hipaa_hitrust_v92_0960_09scsporganizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_appservice_function_app_cors_no_star diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml index eedfc61f3..407c07f71 100755 
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11109_01q1organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11109_01q1organizational -Title: 01q1Organizational.57-01.q 01.05 Operating System Access Control -Description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. -SectionCode: azure_hipaa_hitrust_v92_11109_01q1organizational -Children: [] -Controls: - - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11109_01q1organizational + title: 01q1Organizational.57-01.q 01.05 Operating System Access Control + description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. + section-code: azure_hipaa_hitrust_v92_11109_01q1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml index 830524a12..80f906e1e 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11110_01q1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11110_01q1organizational -Title: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated -Description: "" -SectionCode: azure_hipaa_hitrust_v92_11110_01q1organizational -Children: [] -Controls: - - azure_iam_user_with_write_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11110_01q1organizational + title: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated + description: Non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals), or processes acting on behalf of non-organizational users, determined to need access to information residing on the organization's information systems, are uniquely identified and authenticated + section-code: azure_hipaa_hitrust_v92_11110_01q1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_write_permission_on_subscription_mfa_enabled 
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml index 565d67a6a..8aa8741fb 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11111_01q2system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11111_01q2system -Title: 01q2System.4-01.q 01.05 Operating System Access Control -Description: When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. -SectionCode: azure_hipaa_hitrust_v92_11111_01q2system -Children: [] -Controls: - - azure_iam_user_with_read_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11111_01q2system + title: 01q2System.4-01.q 01.05 Operating System Access Control + description: When PKI-based authentication is used, the information system validates certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; enforces access to the corresponding private key; maps the identity to the corresponding account of the individual or group; and implements a local cache of revocation data to support path discovery and validation in case of an inability to access revocation information via the network. + section-code: azure_hipaa_hitrust_v92_11111_01q2system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_read_permission_on_subscription_mfa_enabled 
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml index cec636515..0cc8769ff 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11112_01q2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11112_01q2organizational -Title: 01q2Organizational.67-01.q 01.05 Operating System Access Control -Description: The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. -SectionCode: azure_hipaa_hitrust_v92_11112_01q2organizational -Children: [] -Controls: - - azure_iam_subscription_owner_max_3 -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11112_01q2organizational + title: 01q2Organizational.67-01.q 01.05 Operating System Access Control + description: The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts; and, for hardware token-based authentication, employs mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline. + section-code: azure_hipaa_hitrust_v92_11112_01q2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_subscription_owner_max_3 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml index e463debac..76181d6fd 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1116_01j1organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1116_01j1organizational -Title: 01j1Organizational.145-01.j 01.04 Network Access Control -Description: Prevent unauthorized access to networked services, such as user authentication for external connections. -SectionCode: azure_hipaa_hitrust_v92_1116_01j1organizational -Children: [] -Controls: - - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1116_01j1organizational + title: 01j1Organizational.145-01.j 01.04 Network Access Control + description: Prevent unauthorized access to networked services, such as user authentication for external connections. + section-code: azure_hipaa_hitrust_v92_1116_01j1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml index 4e3d27ba8..9b654fdd4 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1117_01j1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1117_01j1organizational -Title: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use -Description: "" -SectionCode: azure_hipaa_hitrust_v92_1117_01j1organizational -Children: [] -Controls: - - azure_iam_user_with_write_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1117_01j1organizational + title: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use + description: Remote access by vendors and business partners (e.g., for remote maintenance) is disabled/deactivated when not in use + section-code: azure_hipaa_hitrust_v92_1117_01j1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_write_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml index 0fb403b58..8560bf75b 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11180_01c3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11180_01c3system -Title: 01c3System.6-01.c 01.02 Authorized Access to Information Systems -Description: Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. -SectionCode: azure_hipaa_hitrust_v92_11180_01c3system -Children: [] -Controls: - - azure_compute_vm_jit_access_protected -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11180_01c3system + title: 01c3System.6-01.c 01.02 Authorized Access to Information Systems + description: Access to management functions or administrative consoles for systems hosting virtualized systems are restricted to personnel based upon the principle of least privilege and supported through technical controls. + section-code: azure_hipaa_hitrust_v92_11180_01c3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_jit_access_protected diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml index b173eec4e..f2b8360c2 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1118_01j2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1118_01j2organizational -Title: 01j2Organizational.124-01.j 01.04 Network Access Control -Description: The organization has implemented encryption (e.g. VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party. -SectionCode: azure_hipaa_hitrust_v92_1118_01j2organizational -Children: [] -Controls: - - azure_iam_user_with_read_permission_on_subscription_mfa_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1118_01j2organizational + title: 01j2Organizational.124-01.j 01.04 Network Access Control + description: The organization has implemented encryption (e.g. VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors or third party. + section-code: azure_hipaa_hitrust_v92_1118_01j2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_user_with_read_permission_on_subscription_mfa_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml index 032dab83a..2aab5b0bf 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1119_01j2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1119_01j2organizational -Title: 01j2Organizational.3-01.j 01.04 Network Access Control -Description: Network equipment is checked for unanticipated dial-up capabilities. -SectionCode: azure_hipaa_hitrust_v92_1119_01j2organizational -Children: [] -Controls: - - azure_compute_vm_jit_access_protected -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1119_01j2organizational + title: 01j2Organizational.3-01.j 01.04 Network Access Control + description: Network equipment is checked for unanticipated dial-up capabilities. + section-code: azure_hipaa_hitrust_v92_1119_01j2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_jit_access_protected diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml index c422ee714..c7b77f4bd 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11208_01q1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11208_01q1organizational -Title: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else -Description: "" -SectionCode: azure_hipaa_hitrust_v92_11208_01q1organizational -Children: [] -Controls: - - azure_iam_subscription_owner_more_than_1 -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11208_01q1organizational + title: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else + description: The organization requires that electronic signatures, unique to one individual, cannot be reused by, or reassigned to, anyone else + section-code: azure_hipaa_hitrust_v92_11208_01q1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_subscription_owner_more_than_1 diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml index 979014255..fcf85b5d3 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1120_09ab3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1120_09ab3system -Title: 09ab3System.9-09.ab 09.10 Monitoring -Description: Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. -SectionCode: azure_hipaa_hitrust_v92_1120_09ab3system -Children: [] -Controls: - - azure_monitor_log_profile_enabled_for_all_regions -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1120_09ab3system + title: 09ab3System.9-09.ab 09.10 Monitoring + description: Unauthorized remote connections to the information systems are monitored and reviewed at least quarterly, and appropriate action is taken if an unauthorized connection is discovered. + section-code: azure_hipaa_hitrust_v92_1120_09ab3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_profile_enabled_for_all_regions diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml index 9d1670462..48a5b2e96 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11210_01q2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_11210_01q2organizational -Title: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records -Description: "" -SectionCode: azure_hipaa_hitrust_v92_11210_01q2organizational -Children: [] -Controls: - - azure_compute_vm_administrators_group_with_specified_members_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_11210_01q2organizational + title: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records + description: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records + section-code: azure_hipaa_hitrust_v92_11210_01q2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_administrators_group_with_specified_members_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml index c5007bda8..2e8fb20f4 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_11211_01q2organizational.yaml 
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_11211_01q2organizational
-Title: Signed electronic records shall contain information associated with the signing in human-readable format
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_11211_01q2organizational
-Children: []
-Controls:
- - azure_compute_vm_administrators_group_with_no_specified_members_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_11211_01q2organizational
+ title: Signed electronic records shall contain information associated with the signing in human-readable format
+ description: Signed electronic records shall contain information associated with the signing in human-readable format
+ section-code: azure_hipaa_hitrust_v92_11211_01q2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_administrators_group_with_no_specified_members_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml
index 4ee4a9bc4..1385908ea 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1121_01j3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1121_01j3organizational
-Title: 01j3Organizational.2-01.j 01.04 Network Access Control
-Description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems.
-SectionCode: azure_hipaa_hitrust_v92_1121_01j3organizational
-Children: []
-Controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1121_01j3organizational
+ title: 01j3Organizational.2-01.j 01.04 Network Access Control
+ description: The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems.
+ section-code: azure_hipaa_hitrust_v92_1121_01j3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml
index 8cb37ecad..fe59fbb36 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1123_01q1system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1123_01q1system
-Title: 01q1System.2-01.q 01.05 Operating System Access Control
-Description: Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions.
-SectionCode: azure_hipaa_hitrust_v92_1123_01q1system
-Children: []
-Controls:
- - azure_compute_vm_administrators_group_with_extra_accounts_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1123_01q1system
+ title: 01q1System.2-01.q 01.05 Operating System Access Control
+ description: Users who performed privileged functions (e.g., system administration) use separate accounts when performing those privileged functions.
+ section-code: azure_hipaa_hitrust_v92_1123_01q1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_administrators_group_with_extra_accounts_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml
index 76196b668..927dd7050 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1125_01q2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1125_01q2system
-Title: 01q2System.1-01.q 01.05 Operating System Access Control
-Description: Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access).
-SectionCode: azure_hipaa_hitrust_v92_1125_01q2system
-Children: []
-Controls:
- - azure_compute_vm_administrators_group_with_specified_members_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1125_01q2system
+ title: 01q2System.1-01.q 01.05 Operating System Access Control
+ description: Multi-factor authentication methods are used in accordance with organizational policy, (e.g., for remote network access).
+ section-code: azure_hipaa_hitrust_v92_1125_01q2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_administrators_group_with_specified_members_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml
index 24fbe0d6c..cb973f5ad 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1127_01q2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1127_01q2system
-Title: 01q2System.3-01.q 01.05 Operating System Access Control
-Description: Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access.
-SectionCode: azure_hipaa_hitrust_v92_1127_01q2system
-Children: []
-Controls:
- - azure_compute_vm_administrators_group_with_no_specified_members_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1127_01q2system
+ title: 01q2System.3-01.q 01.05 Operating System Access Control
+ description: Where tokens are provided for multi-factor authentication, in-person verification is required prior to granting access.
+ section-code: azure_hipaa_hitrust_v92_1127_01q2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_administrators_group_with_no_specified_members_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml
index aa7bcc970..848c74df5 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1143_01c1system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1143_01c1system
-Title: 01c1System.123-01.c 01.02 Authorized Access to Information Systems
-Description: Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element.
-SectionCode: azure_hipaa_hitrust_v92_1143_01c1system
-Children: []
-Controls:
- - azure_network_security_group_remote_access_restricted
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1143_01c1system
+ title: 01c1System.123-01.c 01.02 Authorized Access to Information Systems
+ description: Privileges are formally authorized and controlled, allocated to users on a need-to-use and event-by-event basis for their functional role (e.g., user or administrator), and documented for each system product/element.
+ section-code: azure_hipaa_hitrust_v92_1143_01c1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml
index cbf0881e9..3010985d5 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1144_01c1system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1144_01c1system
-Title: 01c1System.4-01.c 01.02 Authorized Access to Information Systems
-Description: The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information.
-SectionCode: azure_hipaa_hitrust_v92_1144_01c1system
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1144_01c1system
+ title: 01c1System.4-01.c 01.02 Authorized Access to Information Systems
+ description: The organization explicitly authorizes access to specific security relevant functions (deployed in hardware, software, and firmware) and security-relevant information.
+ section-code: azure_hipaa_hitrust_v92_1144_01c1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml
index eac03f117..eb9448d8b 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1145_01c2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1145_01c2system
-Title: 01c2System.1-01.c 01.02 Authorized Access to Information Systems
-Description: Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions.
-SectionCode: azure_hipaa_hitrust_v92_1145_01c2system
-Children: []
-Controls:
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1145_01c2system
+ title: 01c2System.1-01.c 01.02 Authorized Access to Information Systems
+ description: Role-based access control is implemented and capable of mapping each user to one or more roles, and each role to one or more system functions.
+ section-code: azure_hipaa_hitrust_v92_1145_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml
index 5d93c8b89..e1a2791a9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1146_01c2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1146_01c2system
-Title: 01c2System.23-01.c 01.02 Authorized Access to Information Systems
-Description: The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users.
-SectionCode: azure_hipaa_hitrust_v92_1146_01c2system
-Children: []
-Controls:
- - azure_iam_external_user_with_owner_role
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1146_01c2system
+ title: 01c2System.23-01.c 01.02 Authorized Access to Information Systems
+ description: The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users.
+ section-code: azure_hipaa_hitrust_v92_1146_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_external_user_with_owner_role
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml
index 178d84c08..9a8e2339d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1147_01c2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1147_01c2system
-Title: 01c2System.456-01.c 01.02 Authorized Access to Information Systems
-Description: Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized.
-SectionCode: azure_hipaa_hitrust_v92_1147_01c2system
-Children: []
-Controls:
- - azure_iam_deprecated_account_with_owner_roles
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1147_01c2system
+ title: 01c2System.456-01.c 01.02 Authorized Access to Information Systems
+ description: Elevated privileges are assigned to a different user ID from those used for normal business use, all users access privileged services in a single role, and such privileged access is minimized.
+ section-code: azure_hipaa_hitrust_v92_1147_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_deprecated_account_with_owner_roles
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
index f8bfdc351..097df8ad3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1148_01c2system.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_1148_01c2system
-Title: 01c2System.78-01.c 01.02 Authorized Access to Information Systems
-Description: The organization restricts access to privileged functions and all security-relevant information.
-SectionCode: azure_hipaa_hitrust_v92_1148_01c2system
-Children: []
-Controls:
- - azure_iam_no_custom_role
- - azure_compute_vm_meet_security_option_requirement_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1148_01c2system
+ title: 01c2System.78-01.c 01.02 Authorized Access to Information Systems
+ description: The organization restricts access to privileged functions and all security-relevant information.
+ section-code: azure_hipaa_hitrust_v92_1148_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_no_custom_role
+ - azure_compute_vm_meet_security_option_requirement_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
index e8a77670c..25adcb89c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1149_01c2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1149_01c2system
-Title: The organization facilitates information sharing by enabling authorized users
-Description: To determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
-SectionCode: azure_hipaa_hitrust_v92_1149_01c2system
-Children: []
-Controls:
- - azure_kubernetes_instance_rbac_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1149_01c2system
+ title: The organization facilitates information sharing by enabling authorized users
+ description: To determine a business partner's access when discretion is allowed as defined by the organization and by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
+ section-code: azure_hipaa_hitrust_v92_1149_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+ controls:
+ - azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
index e1f36db3e..a6110311e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1150_01c2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1150_01c2system
-Title: 01c2System.10-01.c 01.02 Authorized Access to Information Systems
-Description: The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting.
-SectionCode: azure_hipaa_hitrust_v92_1150_01c2system
-Children: []
-Controls:
- - azure_network_security_group_remote_access_restricted
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1150_01c2system
+ title: 01c2System.10-01.c 01.02 Authorized Access to Information Systems
+ description: The access control system for the system components storing, processing or transmitting covered information is set with a default 'deny-all' setting.
+ section-code: azure_hipaa_hitrust_v92_1150_01c2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
index 1babfcbba..759d056ec 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1151_01c3system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1151_01c3system
-Title: 01c3System.1-01.c 01.02 Authorized Access to Information Systems
-Description: The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users.
-SectionCode: azure_hipaa_hitrust_v92_1151_01c3system
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1151_01c3system
+ title: 01c3System.1-01.c 01.02 Authorized Access to Information Systems
+ description: The organization limits authorization to privileged accounts on information systems to a pre-defined subset of users.
+ section-code: azure_hipaa_hitrust_v92_1151_01c3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
index 33cfd2d07..d11473d62 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1152_01c3system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1152_01c3system
-Title: 01c3System.2-01.c 01.02 Authorized Access to Information Systems
-Description: The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions.
-SectionCode: azure_hipaa_hitrust_v92_1152_01c3system
-Children: []
-Controls:
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1152_01c3system
+ title: 01c3System.2-01.c 01.02 Authorized Access to Information Systems
+ description: The organization audits the execution of privileged functions on information systems and ensures information systems prevent non-privileged users from executing privileged functions.
+ section-code: azure_hipaa_hitrust_v92_1152_01c3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
index 5b71d0443..97217f5af 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1153_01c3system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1153_01c3system
-Title: 01c3System.35-01.c 01.02 Authorized Access to Information Systems
-Description: All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties.
-SectionCode: azure_hipaa_hitrust_v92_1153_01c3system
-Children: []
-Controls:
- - azure_kubernetes_instance_rbac_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1153_01c3system
+ title: 01c3System.35-01.c 01.02 Authorized Access to Information Systems
+ description: All file system access not explicitly required is disabled, and only authorized users are permitted access to only that which is expressly required for the performance of the users' job duties.
+ section-code: azure_hipaa_hitrust_v92_1153_01c3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+ controls:
+ - azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
index f5b8e5a62..7ceff23d9 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1154_01c3system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1154_01c3system
-Title: Contractors are provided with minimal system and physical access
-Description: The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. Only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
-SectionCode: azure_hipaa_hitrust_v92_1154_01c3system
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1154_01c3system
+ title: Contractors are provided with minimal system and physical access
+ description: The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls. Only after the organization assesses the contractor's ability to comply with its security requirements and the contractor agrees to comply.
+ section-code: azure_hipaa_hitrust_v92_1154_01c3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
index dcc246d51..c3a47bc37 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1173_01j1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1173_01j1organizational
-Title: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1173_01j1organizational
-Children: []
-Controls:
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1173_01j1organizational
+ title: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
+ description: If encryption is not used for dial-up connections, the CIO or his/her designated representative provides specific written authorization
+ section-code: azure_hipaa_hitrust_v92_1173_01j1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
index 35d39fdc9..de8499c55 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1174_01j1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1174_01j1organizational
-Title: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1174_01j1organizational
-Children: []
-Controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1174_01j1organizational
+ title: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
+ description: The organization protects wireless access to systems containing sensitive information by authenticating both users and devices
+ section-code: azure_hipaa_hitrust_v92_1174_01j1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
index 7b79797a8..dae5109c7 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1175_01j1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1175_01j1organizational
-Title: 01j1Organizational.8-01.j 01.04 Network Access Control
-Description: Remote access to business information across public networks only takes place after successful identification and authentication.
-SectionCode: azure_hipaa_hitrust_v92_1175_01j1organizational
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1175_01j1organizational
+ title: 01j1Organizational.8-01.j 01.04 Network Access Control
+ description: Remote access to business information across public networks only takes place after successful identification and authentication.
+ section-code: azure_hipaa_hitrust_v92_1175_01j1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
index d7da5edea..fb4390f4d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1176_01j2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1176_01j2organizational
-Title: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1176_01j2organizational
-Children: []
-Controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1176_01j2organizational
+ title: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
+ description: The organization requires a callback capability with re-authentication to verify dial-up connections from authorized locations
+ section-code: azure_hipaa_hitrust_v92_1176_01j2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
index 0fbcb5ca0..019499484 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1177_01j2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1177_01j2organizational
-Title: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1177_01j2organizational
-Children: []
-Controls:
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1177_01j2organizational
+ title: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
+ description: User IDs assigned to vendors are reviewed in accordance with the organization's access review policy, at a minimum annually
+ section-code: azure_hipaa_hitrust_v92_1177_01j2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
index d8f56509c..9634f95bd 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1178_01j2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1178_01j2organizational
-Title: 01j2Organizational.7-01.j 01.04 Network Access Control
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1178_01j2organizational
-Children: []
-Controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IAM
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1178_01j2organizational
+ title: 01j2Organizational.7-01.j 01.04 Network Access Control
+ description: 01j2Organizational.7-01.j 01.04 Network Access Control
+ section-code: azure_hipaa_hitrust_v92_1178_01j2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IAM
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
index eca53c413..7fe34fa2e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1179_01j3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1179_01j3organizational
-Title: 01j3Organizational.1-01.j 01.04 Network Access Control
-Description: The information system monitors and controls remote access methods.
-SectionCode: azure_hipaa_hitrust_v92_1179_01j3organizational
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1179_01j3organizational
+ title: 01j3Organizational.1-01.j 01.04 Network Access Control
+ description: The information system monitors and controls remote access methods.
+ section-code: azure_hipaa_hitrust_v92_1179_01j3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
index f01f1f1a2..74d504750 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1192_01l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1192_01l1organizational
-Title: 01l1Organizational.1-01.l 01.04 Network Access Control
-Description: Access to network equipment is physically protected.
-SectionCode: azure_hipaa_hitrust_v92_1192_01l1organizational
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1192_01l1organizational
+ title: 01l1Organizational.1-01.l 01.04 Network Access Control
+ description: Access to network equipment is physically protected.
+ section-code: azure_hipaa_hitrust_v92_1192_01l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
index 7f02857f8..b1b1ca9b8 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1193_01l2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1193_01l2organizational
-Title: 01l2Organizational.13-01.l 01.04 Network Access Control
-Description: Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port.
-SectionCode: azure_hipaa_hitrust_v92_1193_01l2organizational
-Children: []
-Controls:
- - azure_network_security_group_remote_access_restricted
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Network
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1193_01l2organizational
+ title: 01l2Organizational.13-01.l 01.04 Network Access Control
+ description: Controls for the access to diagnostic and configuration ports include the use of a key lock and the implementation of supporting procedures to control physical access to the port.
+ section-code: azure_hipaa_hitrust_v92_1193_01l2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Network
+ type:
+ - Benchmark
+ controls:
+ - azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
index 46b4dbfbe..b01ce0624 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1194_01l2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1194_01l2organizational
-Title: 01l2Organizational.2-01.l 01.04 Network Access Control
-Description: Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed.
-SectionCode: azure_hipaa_hitrust_v92_1194_01l2organizational
-Children: []
-Controls:
- - azure_appservice_api_app_remote_debugging_disabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1194_01l2organizational
+ title: 01l2Organizational.2-01.l 01.04 Network Access Control
+ description: Ports, services, and similar applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed.
+ section-code: azure_hipaa_hitrust_v92_1194_01l2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
index 67a6e5459..684e83f3b 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1195_01l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1195_01l3organizational
-Title: 01l3Organizational.1-01.l 01.04 Network Access Control
-Description: The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services.
-SectionCode: azure_hipaa_hitrust_v92_1195_01l3organizational
-Children: []
-Controls:
- - azure_appservice_function_app_remote_debugging_disabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1195_01l3organizational
+ title: 01l3Organizational.1-01.l 01.04 Network Access Control
+ description: The organization reviews the information system within every three hundred and sixty-five (365) days to identify and disables unnecessary and non-secure functions, ports, protocols, and/or services.
+ section-code: azure_hipaa_hitrust_v92_1195_01l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_function_app_remote_debugging_disabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
index 045d98d69..209693a1d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1197_01l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1197_01l3organizational
-Title: 01l3Organizational.3-01.l 01.04 Network Access Control
-Description: The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure.
-SectionCode: azure_hipaa_hitrust_v92_1197_01l3organizational
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1197_01l3organizational
+ title: 01l3Organizational.3-01.l 01.04 Network Access Control
+ description: The organization disables Bluetooth and peer-to-peer networking protocols within the information system determined to be unnecessary or non-secure.
+ section-code: azure_hipaa_hitrust_v92_1197_01l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
index 031b950f2..6d52f481d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1202_09aa1system.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_1202_09aa1system
-Title: 09aa1System.1-09.aa 09.10 Monitoring
-Description: A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.
-SectionCode: azure_hipaa_hitrust_v92_1202_09aa1system
-Children: []
-Controls:
- - azure_compute_vm_scale_set_system_updates_installed
- - azure_datalake_store_account_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1202_09aa1system
+ title: 09aa1System.1-09.aa 09.10 Monitoring
+ description: A secure audit record is created for all activities on the system (create, read, update, delete) involving covered information.
+ section-code: azure_hipaa_hitrust_v92_1202_09aa1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_scale_set_system_updates_installed
+ - azure_datalake_store_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
index 31def1fa2..eb63bc72c 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1203_09aa1system.yaml
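Review bot: `azure_compute_vm_scale_set_system_updates_installed` under 1202 (a secure audit record for every create/read/update/delete on covered information) is a patch-state check and produces no evidence about audit records, so a pass on it overstates coverage of this requirement; only `azure_datalake_store_account_logging_enabled` speaks to logging at all. If the pairing is carried over from the upstream initiative rather than chosen here, recording that with a comment such as `# inherited mapping: the system-updates check is not audit-record evidence` would keep the next reviewer from re-deriving it. The `service: - Azure` tag is also the catch-all value where the single-control files in this diff carry a specific service, which makes this group invisible to any per-service filtering.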
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1203_09aa1system
-Title: 09aa1System.2-09.aa 09.10 Monitoring
-Description: Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.
-SectionCode: azure_hipaa_hitrust_v92_1203_09aa1system
-Children: []
-Controls:
- - azure_logic_app_workflow_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Logic
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1203_09aa1system
+ title: 09aa1System.2-09.aa 09.10 Monitoring
+ description: Audit records include the unique user ID, unique data subject ID, function performed, and date/time the event was performed.
+ section-code: azure_hipaa_hitrust_v92_1203_09aa1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Logic
+ type:
+ - Benchmark
+ controls:
+ - azure_logic_app_workflow_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
index 96d5a20d7..af22d4af4 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1204_09aa1system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1204_09aa1system
-Title: 09aa1System.3-09.aa 09.10 Monitoring
-Description: The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event.
-SectionCode: azure_hipaa_hitrust_v92_1204_09aa1system
-Children: []
-Controls:
- - azure_iot_hub_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/IoTHub
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1204_09aa1system
+ title: 09aa1System.3-09.aa 09.10 Monitoring
+ description: The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event.
+ section-code: azure_hipaa_hitrust_v92_1204_09aa1system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/IoTHub
+ type:
+ - Benchmark
+ controls:
+ - azure_iot_hub_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
index 2ecf76e22..28645c480 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1205_09aa2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1205_09aa2system
-Title: 09aa2System.1-09.aa 09.10 Monitoring
-Description: Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.
-SectionCode: azure_hipaa_hitrust_v92_1205_09aa2system
-Children: []
-Controls:
- - azure_batch_account_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Batch
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1205_09aa2system
+ title: 09aa2System.1-09.aa 09.10 Monitoring
+ description: Logs of messages sent and received are maintained including the date, time, origin and destination of the message, but not its contents.
+ section-code: azure_hipaa_hitrust_v92_1205_09aa2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Batch
+ type:
+ - Benchmark
+ controls:
+ - azure_batch_account_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
index dc6a720e1..367561d7e 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1207_09aa2system.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_1207_09aa2system
-Title: 09aa2System.4-09.aa 09.10 Monitoring
-Description: Audit records are retained for 90 days and older audit records are archived for one year.
-SectionCode: azure_hipaa_hitrust_v92_1207_09aa2system
-Children: []
-Controls:
- - azure_eventhub_namespace_logging_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1207_09aa2system
+ title: 09aa2System.4-09.aa 09.10 Monitoring
+ description: Audit records are retained for 90 days and older audit records are archived for one year.
+ section-code: azure_hipaa_hitrust_v92_1207_09aa2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_eventhub_namespace_logging_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
index 7f36f6ab5..2ab156769 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1208_09aa3system.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_1208_09aa3system
-Title: 09aa3System.1-09.aa 09.10 Monitoring
-Description: Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
-SectionCode: azure_hipaa_hitrust_v92_1208_09aa3system
-Children: []
-Controls:
- - azure_search_service_logging_enabled
- - azure_servicebus_namespace_logging_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1208_09aa3system
+ title: 09aa3System.1-09.aa 09.10 Monitoring
+ description: Audit logs are maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes.
+ section-code: azure_hipaa_hitrust_v92_1208_09aa3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_search_service_logging_enabled
+ - azure_servicebus_namespace_logging_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
index 3438226d9..5588c62f3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1209_09aa3system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1209_09aa3system
-Title: 09aa3System.2-09.aa 09.10 Monitoring
-Description: 'The information system generates audit records containing the following detailed information: filename accessed, program or command used to initiate the event and source and destination addresses.'
-SectionCode: azure_hipaa_hitrust_v92_1209_09aa3system
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1209_09aa3system
+ title: 09aa3System.2-09.aa 09.10 Monitoring
+ description: "The information system generates audit records containing the following detailed information: filename accessed, program or command used to initiate the event and source and destination addresses."
+ section-code: azure_hipaa_hitrust_v92_1209_09aa3system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
index 0fdb14ad1..93160ce43 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12100_09ab2system.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_12100_09ab2system
-Title: 09ab2System.15-09.ab 09.10 Monitoring
-Description: The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.
-SectionCode: azure_hipaa_hitrust_v92_12100_09ab2system
-Children: []
-Controls:
- - azure_compute_vm_log_analytics_agent_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_12100_09ab2system
+ title: 09ab2System.15-09.ab 09.10 Monitoring
+ description: The organization monitors the information system to identify irregularities or anomalies that are indicators of a system malfunction or compromise and help confirm the system is functioning in an optimal, resilient and secure state.
+ section-code: azure_hipaa_hitrust_v92_12100_09ab2system
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
index f89c16f45..508570958 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12101_09ab1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_12101_09ab1organizational
-Title: 09ab1Organizational.3-09.ab 09.10 Monitoring
-Description: The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
-SectionCode: azure_hipaa_hitrust_v92_12101_09ab1organizational
-Children: []
-Controls:
- - azure_compute_vm_scale_set_log_analytics_agent_installed
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_12101_09ab1organizational
+ title: 09ab1Organizational.3-09.ab 09.10 Monitoring
+ description: The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required.
+ section-code: azure_hipaa_hitrust_v92_12101_09ab1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
index 02f5eaff6..cf1be237f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_12102_09ab1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_12102_09ab1organizational
-Title: 09ab1Organizational.4-09.ab 09.10 Monitoring
-Description: The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes.
-SectionCode: azure_hipaa_hitrust_v92_12102_09ab1organizational
-Children: []
-Controls:
- - azure_compute_vm_log_analytics_agent_installed_windows
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_12102_09ab1organizational
+ title: 09ab1Organizational.4-09.ab 09.10 Monitoring
+ description: The organization shall periodically test its monitoring and detection processes, remediate deficiencies, and improve its processes.
+ section-code: azure_hipaa_hitrust_v92_12102_09ab1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_log_analytics_agent_installed_windows
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
index ad4264c65..d53368aa2 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1210_09aa3system.yaml
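Review bot: The only control under 12102 is `azure_compute_vm_log_analytics_agent_installed_windows`, which by its name is a Windows-only agent-presence check, so Linux VMs are not evaluated at all for this requirement and the group can report a pass with no Linux coverage. If a Linux counterpart exists in the control set, listing it alongside would close that gap; otherwise a comment recording the Windows-only scope keeps the coverage claim honest. Judging by the description (periodic testing of monitoring and detection processes), agent presence is a prerequisite rather than evidence that the process is tested, so this group is best annotated as partial evidence. I believe the Log Analytics agent has been on a retirement path in favour of the Azure Monitor Agent; worth confirming the control still checks what is actually deployed before this mapping is relied on.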
@@ -1,19 +1,24 @@ -ID: azure_hipaa_hitrust_v92_1210_09aa3system -Title: 09aa3System.3-09.aa 09.10 Monitoring -Description: All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. -SectionCode: azure_hipaa_hitrust_v92_1210_09aa3system -Children: [] -Controls: - - azure_audit_diagnostic_setting - - azure_datalake_analytics_account_logging_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1210_09aa3system + title: 09aa3System.3-09.aa 09.10 Monitoring + description: All disclosures of covered information within or outside of the organization are logged including type of disclosure, date/time of the event, recipient, and sender. + section-code: azure_hipaa_hitrust_v92_1210_09aa3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_audit_diagnostic_setting + - azure_datalake_analytics_account_logging_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml index 21690288a..5b24fa337 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1211_09aa3system.yaml 
@@ -1,20 +1,25 @@ -ID: azure_hipaa_hitrust_v92_1211_09aa3system -Title: 09aa3System.4-09.aa 09.10 Monitoring -Description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required. -SectionCode: azure_hipaa_hitrust_v92_1211_09aa3system -Children: [] -Controls: - - azure_keyvault_logging_enabled - - azure_keyvault_managed_hms_logging_enabled - - azure_sql_server_auditing_on -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1211_09aa3system + title: 09aa3System.4-09.aa 09.10 Monitoring + description: The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required. + section-code: azure_hipaa_hitrust_v92_1211_09aa3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_keyvault_logging_enabled + - azure_keyvault_managed_hms_logging_enabled + - azure_sql_server_auditing_on diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml index 78919108b..01102f6db 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1212_09ab1system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1212_09ab1system -Title: 09ab1System.1-09.ab 09.10 Monitoring -Description: All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met. -SectionCode: azure_hipaa_hitrust_v92_1212_09ab1system -Children: [] -Controls: - - azure_monitor_log_profile_enabled_for_all_categories -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1212_09ab1system + title: 09ab1System.1-09.ab 09.10 Monitoring + description: All applicable legal requirements related to monitoring authorized access and unauthorized access attempts are met. + section-code: azure_hipaa_hitrust_v92_1212_09ab1system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_profile_enabled_for_all_categories diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml index dcbe152c6..0f0ff807f 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1213_09ab2system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1213_09ab2system -Title: 09ab2System.128-09.ab 09.10 Monitoring -Description: Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. -SectionCode: azure_hipaa_hitrust_v92_1213_09ab2system -Children: [] -Controls: - - azure_securitycenter_automatic_provisioning_monitoring_agent_on -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1213_09ab2system + title: 09ab2System.128-09.ab 09.10 Monitoring + description: Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. + section-code: azure_hipaa_hitrust_v92_1213_09ab2system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_securitycenter_automatic_provisioning_monitoring_agent_on diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml index 1eaf91720..83d66408f 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1214_09ab2system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1214_09ab2system -Title: 09ab2System.3456-09.ab 09.10 Monitoring -Description: Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. -SectionCode: azure_hipaa_hitrust_v92_1214_09ab2system -Children: [] -Controls: - - azure_monitor_log_profile_enabled_for_all_regions -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1214_09ab2system + title: 09ab2System.3456-09.ab 09.10 Monitoring + description: Monitoring includes privileged operations, authorized access or unauthorized access attempts, including attempts to access deactivated accounts, and system alerts or failures. + section-code: azure_hipaa_hitrust_v92_1214_09ab2system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_profile_enabled_for_all_regions diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml index f2901e16a..6268c5996 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1215_09ab2system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1215_09ab2system -Title: 09ab2System.7-09.ab 09.10 Monitoring -Description: Auditing and monitoring systems employed by the organization support audit reduction and report generation. -SectionCode: azure_hipaa_hitrust_v92_1215_09ab2system -Children: [] -Controls: - - azure_compute_vm_log_analytics_agent_installed -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1215_09ab2system + title: 09ab2System.7-09.ab 09.10 Monitoring + description: Auditing and monitoring systems employed by the organization support audit reduction and report generation. + section-code: azure_hipaa_hitrust_v92_1215_09ab2system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_log_analytics_agent_installed diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml index 809fa2da8..3ffc1fd8c 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1216_09ab3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1216_09ab3system -Title: 09ab3System.12-09.ab 09.10 Monitoring -Description: Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. -SectionCode: azure_hipaa_hitrust_v92_1216_09ab3system -Children: [] -Controls: - - azure_compute_vm_scale_set_log_analytics_agent_installed -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1216_09ab3system + title: 09ab3System.12-09.ab 09.10 Monitoring + description: Automated systems are used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis, and identify and document anomalies. + section-code: azure_hipaa_hitrust_v92_1216_09ab3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_scale_set_log_analytics_agent_installed diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml index b1e49bf26..46de499c9 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1217_09ab3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1217_09ab3system -Title: 09ab3System.3-09.ab 09.10 Monitoring -Description: Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. -SectionCode: azure_hipaa_hitrust_v92_1217_09ab3system -Children: [] -Controls: - - azure_compute_vm_log_analytics_agent_installed_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1217_09ab3system + title: 09ab3System.3-09.ab 09.10 Monitoring + description: Alerts are generated for technical personnel to analyze and investigate suspicious activity or suspected violations. + section-code: azure_hipaa_hitrust_v92_1217_09ab3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_log_analytics_agent_installed_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml index 53bf00fc9..9ef84898d 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1219_09ab3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1219_09ab3system -Title: 09ab3System.10-09.ab 09.10 Monitoring -Description: The information system is able to automatically process audit records for events of interest based on selectable criteria. -SectionCode: azure_hipaa_hitrust_v92_1219_09ab3system -Children: [] -Controls: - - azure_monitor_log_profile_enabled_for_all_categories -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1219_09ab3system + title: 09ab3System.10-09.ab 09.10 Monitoring + description: The information system is able to automatically process audit records for events of interest based on selectable criteria. + section-code: azure_hipaa_hitrust_v92_1219_09ab3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_profile_enabled_for_all_categories diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml index d8a3086b4..82cb9f9a7 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1220_09ab3system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1220_09ab3system -Title: 09ab3System.56-09.ab 09.10 Monitoring -Description: Monitoring includes inbound and outbound communications and file integrity monitoring. -SectionCode: azure_hipaa_hitrust_v92_1220_09ab3system -Children: [] -Controls: - - azure_securitycenter_automatic_provisioning_monitoring_agent_on -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1220_09ab3system + title: 09ab3System.56-09.ab 09.10 Monitoring + description: Monitoring includes inbound and outbound communications and file integrity monitoring. + section-code: azure_hipaa_hitrust_v92_1220_09ab3system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_securitycenter_automatic_provisioning_monitoring_agent_on diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml index 9fa4e0903..1fd3507a7 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1229_09c1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1229_09c1organizational -Title: 09c1Organizational.1-09.c 09.01 Documented Operating Procedures -Description: Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. -SectionCode: azure_hipaa_hitrust_v92_1229_09c1organizational -Children: [] -Controls: - - azure_kubernetes_instance_rbac_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/KubernetesService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1229_09c1organizational + title: 09c1Organizational.1-09.c 09.01 Documented Operating Procedures + description: Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. + section-code: azure_hipaa_hitrust_v92_1229_09c1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/KubernetesService + type: + - Benchmark + controls: + - azure_kubernetes_instance_rbac_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml index ed0f7d168..924909339 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1230_09c2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1230_09c2organizational -Title: 09c2Organizational.1-09.c 09.01 Documented Operating Procedures -Description: No single person is able to access, modify, or use information systems without authorization or detection. -SectionCode: azure_hipaa_hitrust_v92_1230_09c2organizational -Children: [] -Controls: - - azure_iam_no_custom_role -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/IAM - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1230_09c2organizational + title: 09c2Organizational.1-09.c 09.01 Documented Operating Procedures + description: No single person is able to access, modify, or use information systems without authorization or detection. + section-code: azure_hipaa_hitrust_v92_1230_09c2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/IAM + type: + - Benchmark + controls: + - azure_iam_no_custom_role diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml index cf9d234d4..6e8f5fdbc 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1232_09c3organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1232_09c3organizational -Title: 09c3Organizational.12-09.c 09.01 Documented Operating Procedures -Description: Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. -SectionCode: azure_hipaa_hitrust_v92_1232_09c3organizational -Children: [] -Controls: - - azure_network_security_group_rdp_access_restricted -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Network - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1232_09c3organizational + title: 09c3Organizational.12-09.c 09.01 Documented Operating Procedures + description: Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. + section-code: azure_hipaa_hitrust_v92_1232_09c3organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Network + type: + - Benchmark + controls: + - azure_network_security_group_rdp_access_restricted diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml index cc142332c..87082c993 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1270_09ad1system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1270_09ad1system -Title: 09ad1System.12-09.ad 09.10 Monitoring -Description: The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. -SectionCode: azure_hipaa_hitrust_v92_1270_09ad1system -Children: [] -Controls: - - azure_monitor_log_alert_for_administrative_operations -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1270_09ad1system + title: 09ad1System.12-09.ad 09.10 Monitoring + description: The organization ensures proper logging is enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis. + section-code: azure_hipaa_hitrust_v92_1270_09ad1system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_alert_for_administrative_operations diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml index 5cb26dca1..9473cebfe 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1271_09ad1system.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1271_09ad1system -Title: 09ad1System.1-09.ad 09.10 Monitoring -Description: An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. -SectionCode: azure_hipaa_hitrust_v92_1271_09ad1system -Children: [] -Controls: - - azure_monitor_log_alert_for_administrative_operations -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Monitor - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1271_09ad1system + title: 09ad1System.1-09.ad 09.10 Monitoring + description: An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. + section-code: azure_hipaa_hitrust_v92_1271_09ad1system + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Monitor + type: + - Benchmark + controls: + - azure_monitor_log_alert_for_administrative_operations diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml index 19deda13c..106a1609d 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1277_09c2organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1277_09c2organizational -Title: 09c2Organizational.4-09.c 09.01 Documented Operating Procedures -Description: The initiation of an event is separated from its authorization to reduce the possibility of collusion. -SectionCode: azure_hipaa_hitrust_v92_1277_09c2organizational -Children: [] -Controls: - - azure_compute_vm_meet_security_options_user_account_control_requirement_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1277_09c2organizational + title: 09c2Organizational.4-09.c 09.01 Documented Operating Procedures + description: The initiation of an event is separated from its authorization to reduce the possibility of collusion. + section-code: azure_hipaa_hitrust_v92_1277_09c2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_meet_security_options_user_account_control_requirement_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml index 61fc27694..7ca3f4609 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1325_09s1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1325_09s1organizational -Title: 09s1Organizational.3-09.s 09.08 Exchange of Information -Description: Ensure the exchange of information within an organization and with any external entity is secured and protected, and carried out in compliance with relevant legislation and exchange agreements. -SectionCode: azure_hipaa_hitrust_v92_1325_09s1organizational -Children: [] -Controls: - - azure_appservice_function_app_remote_debugging_disabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1325_09s1organizational + title: 09s1Organizational.3-09.s 09.08 Exchange of Information + description: Ensure the exchange of information within an organization and with any external entity is secured and protected, and carried out in compliance with relevant legislation and exchange agreements. + section-code: azure_hipaa_hitrust_v92_1325_09s1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_appservice_function_app_remote_debugging_disabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml index 497e9798f..021fc2aeb 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1401_05i1organizational.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1401_05i1organizational -Title: Access to the organizations information and systems by external parties -Description: Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. -SectionCode: azure_hipaa_hitrust_v92_1401_05i1organizational -Children: [] -Controls: - - azure_storage_account_secure_transfer_required_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Storage - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1401_05i1organizational + title: Access to the organizations information and systems by external parties + description: Access to the organizations information and systems by external parties is not permitted until due diligence has been conducted, the appropriate controls have been implemented, and a contract/agreement reflecting the security requirements is signed acknowledging they understand and accept their obligations. + section-code: azure_hipaa_hitrust_v92_1401_05i1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Storage + type: + - Benchmark + controls: + - azure_storage_account_secure_transfer_required_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml index 478a75c4a..6648e0911 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml 
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1402_05i1organizational.yaml @@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1402_05i1organizational -Title: Remote access connections between the organization and external parties are encrypted -Description: "" -SectionCode: azure_hipaa_hitrust_v92_1402_05i1organizational -Children: [] -Controls: - - azure_appservice_function_app_only_https_accessible -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/AppService - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1402_05i1organizational + title: Remote access connections between the organization and external parties are encrypted + description: Remote access connections between the organization and external parties are encrypted + section-code: azure_hipaa_hitrust_v92_1402_05i1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/AppService + type: + - Benchmark + controls: + - azure_appservice_function_app_only_https_accessible diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml index f716a8776..994d207f0 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1403_05i1organizational.yaml 
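Review bot: The new `description` is a verbatim copy of `title`, so the migration replaces the previous empty string with text that adds no information for anyone reading the compliance report. If the loader requires a non-empty description this is understandable, but it should be marked as a placeholder rather than left looking like the control statement, e.g. `# TODO(review): description duplicates title; replace with the control's statement from the HITRUST CSF v9.2 text`. The same title-copied-into-description pattern appears in the next two hunks, azure_hipaa_hitrust_v92_1403_05i1organizational and azure_hipaa_hitrust_v92_1418_05i1organizational, which had `Description: ""` before this change.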
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1403_05i1organizational
-Title: Access granted to external parties is limited to the minimum necessary and granted only for the duration required
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1403_05i1organizational
-Children: []
-Controls:
- - azure_appservice_api_app_use_https
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/AppService
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1403_05i1organizational
+ title: Access granted to external parties is limited to the minimum necessary and granted only for the duration required
+ description: Access granted to external parties is limited to the minimum necessary and granted only for the duration required
+ section-code: azure_hipaa_hitrust_v92_1403_05i1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/AppService
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_use_https
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml
index 1ba797b06..1c36d315f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1418_05i1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1418_05i1organizational
-Title: The identification of risks related to external party access takes into account a minimal set of specifically defined issues
-Description: ""
-SectionCode: azure_hipaa_hitrust_v92_1418_05i1organizational
-Children: []
-Controls:
- - azure_mysql_ssl_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1418_05i1organizational
+ title: The identification of risks related to external party access takes into account a minimal set of specifically defined issues
+ description: The identification of risks related to external party access takes into account a minimal set of specifically defined issues
+ section-code: azure_hipaa_hitrust_v92_1418_05i1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+ controls:
+ - azure_mysql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml
index afd39ba93..f1a9ed4ef 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1450_05i2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1450_05i2organizational
-Title: 05i2Organizational.2-05.i 05.02 External Parties
-Description: The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain by performing an annual review, which includes all partners/third party-providers upon which their information supply chain depends.
-SectionCode: azure_hipaa_hitrust_v92_1450_05i2organizational
-Children: []
-Controls:
- - azure_postgres_sql_ssl_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1450_05i2organizational
+ title: 05i2Organizational.2-05.i 05.02 External Parties
+ description: The organization obtains satisfactory assurances that reasonable information security exists across their information supply chain by performing an annual review, which includes all partners/third party-providers upon which their information supply chain depends.
+ section-code: azure_hipaa_hitrust_v92_1450_05i2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+ controls:
+ - azure_postgres_sql_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml
index b30120f26..54d0a6d74 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1451_05icsporganizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1451_05icsporganizational
-Title: 05iCSPOrganizational.2-05.i 05.02 External Parties
-Description: Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
-SectionCode: azure_hipaa_hitrust_v92_1451_05icsporganizational
-Children: []
-Controls:
- - azure_redis_cache_ssl_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Redis
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1451_05icsporganizational
+ title: 05iCSPOrganizational.2-05.i 05.02 External Parties
+ description: Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
+ section-code: azure_hipaa_hitrust_v92_1451_05icsporganizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Redis
+ type:
+ - Benchmark
+ controls:
+ - azure_redis_cache_ssl_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml
index c1a83cbe6..b0af93510 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1616_09l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1616_09l1organizational
-Title: 09l1Organizational.16-09.l 09.05 Information Back-Up
-Description: Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals.
-SectionCode: azure_hipaa_hitrust_v92_1616_09l1organizational
-Children: []
-Controls:
- - azure_sql_database_long_term_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1616_09l1organizational
+ title: 09l1Organizational.16-09.l 09.05 Information Back-Up
+ description: Backup copies of information and software are made and tests of the media and restoration procedures are regularly performed at appropriate intervals.
+ section-code: azure_hipaa_hitrust_v92_1616_09l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml
index 46edc2ab9..c410aee05 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1617_09l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1617_09l1organizational
-Title: 09l1Organizational.23-09.l 09.05 Information Back-Up
-Description: A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.
-SectionCode: azure_hipaa_hitrust_v92_1617_09l1organizational
-Children: []
-Controls:
- - azure_mysql_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1617_09l1organizational
+ title: 09l1Organizational.23-09.l 09.05 Information Back-Up
+ description: A formal definition of the level of backup required for each system is defined and documented including how each system will be restored, the scope of data to be imaged, frequency of imaging, and duration of retention based on relevant contractual, legal, regulatory and business requirements.
+ section-code: azure_hipaa_hitrust_v92_1617_09l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+ controls:
+ - azure_mysql_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml
index 32211d9f9..9240cd80d 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1618_09l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1618_09l1organizational
-Title: 09l1Organizational.45-09.l 09.05 Information Back-Up
-Description: The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location.
-SectionCode: azure_hipaa_hitrust_v92_1618_09l1organizational
-Children: []
-Controls:
- - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1618_09l1organizational
+ title: 09l1Organizational.45-09.l 09.05 Information Back-Up
+ description: The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location.
+ section-code: azure_hipaa_hitrust_v92_1618_09l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+ controls:
+ - azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml
index 5a2b1b275..6d0bc6cb5 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1619_09l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1619_09l1organizational
-Title: 09l1Organizational.7-09.l 09.05 Information Back-Up
-Description: Inventory records for the backup copies, including content and current location, are maintained.
-SectionCode: azure_hipaa_hitrust_v92_1619_09l1organizational
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MariaDB
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1619_09l1organizational
+ title: 09l1Organizational.7-09.l 09.05 Information Back-Up
+ description: Inventory records for the backup copies, including content and current location, are maintained.
+ section-code: azure_hipaa_hitrust_v92_1619_09l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MariaDB
+ type:
+ - Benchmark
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml
index aa410d3d9..580e8cc6a 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1620_09l1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1620_09l1organizational
-Title: 09l1Organizational.8-09.l 09.05 Information Back-Up
-Description: When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information.
-SectionCode: azure_hipaa_hitrust_v92_1620_09l1organizational
-Children: []
-Controls:
- - azure_compute_vm_azure_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1620_09l1organizational
+ title: 09l1Organizational.8-09.l 09.05 Information Back-Up
+ description: When the backup service is delivered by the third party, the service level agreement includes the detailed protections to control confidentiality, integrity and availability of the backup information.
+ section-code: azure_hipaa_hitrust_v92_1620_09l1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_azure_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml
index bc4da2b21..b436556b7 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1621_09l2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1621_09l2organizational
-Title: 09l2Organizational.1-09.l 09.05 Information Back-Up
-Description: Automated tools are used to track all backups.
-SectionCode: azure_hipaa_hitrust_v92_1621_09l2organizational
-Children: []
-Controls:
- - azure_sql_database_long_term_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1621_09l2organizational
+ title: 09l2Organizational.1-09.l 09.05 Information Back-Up
+ description: Automated tools are used to track all backups.
+ section-code: azure_hipaa_hitrust_v92_1621_09l2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml
index 44360f7e3..dc9a94f36 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1622_09l2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1622_09l2organizational
-Title: 09l2Organizational.23-09.l 09.05 Information Back-Up
-Description: The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.
-SectionCode: azure_hipaa_hitrust_v92_1622_09l2organizational
-Children: []
-Controls:
- - azure_mysql_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MySQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1622_09l2organizational
+ title: 09l2Organizational.23-09.l 09.05 Information Back-Up
+ description: The integrity and security of the backup copies are maintained to ensure future availability, and any potential accessibility problems with the backup copies are identified and mitigated in the event of an area-wide disaster.
+ section-code: azure_hipaa_hitrust_v92_1622_09l2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MySQL
+ type:
+ - Benchmark
+ controls:
+ - azure_mysql_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml
index 2f855b3a2..e305acfcc 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1623_09l2organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1623_09l2organizational
-Title: 09l2Organizational.4-09.l 09.05 Information Back-Up
-Description: Covered information is backed-up in an encrypted format to ensure confidentiality.
-SectionCode: azure_hipaa_hitrust_v92_1623_09l2organizational
-Children: []
-Controls:
- - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1623_09l2organizational
+ title: 09l2Organizational.4-09.l 09.05 Information Back-Up
+ description: Covered information is backed-up in an encrypted format to ensure confidentiality.
+ section-code: azure_hipaa_hitrust_v92_1623_09l2organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+ controls:
+ - azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
index 1d59878c2..666572d12 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1624_09l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1624_09l3organizational
-Title: 09l3Organizational.12-09.l 09.05 Information Back-Up
-Description: The organization performs incremental or differential backups daily and full backups weekly to separate media.
-SectionCode: azure_hipaa_hitrust_v92_1624_09l3organizational
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MariaDB
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1624_09l3organizational
+ title: 09l3Organizational.12-09.l 09.05 Information Back-Up
+ description: The organization performs incremental or differential backups daily and full backups weekly to separate media.
+ section-code: azure_hipaa_hitrust_v92_1624_09l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MariaDB
+ type:
+ - Benchmark
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
index 2043e9882..7cacc599f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1625_09l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1625_09l3organizational
-Title: 09l3Organizational.34-09.l 09.05 Information Back-Up
-Description: Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.
-SectionCode: azure_hipaa_hitrust_v92_1625_09l3organizational
-Children: []
-Controls:
- - azure_compute_vm_azure_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1625_09l3organizational
+ title: 09l3Organizational.34-09.l 09.05 Information Back-Up
+ description: Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site, and both on-site and off-site backups are logged with name, date, time and action.
+ section-code: azure_hipaa_hitrust_v92_1625_09l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_azure_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
index cc489ce6c..547fb6711 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1626_09l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1626_09l3organizational
-Title: 09l3Organizational.5-09.l 09.05 Information Back-Up
-Description: The organization ensures a current, retrievable copy of covered information is available before movement of servers.
-SectionCode: azure_hipaa_hitrust_v92_1626_09l3organizational
-Children: []
-Controls:
- - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/PostgreSQL
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1626_09l3organizational
+ title: 09l3Organizational.5-09.l 09.05 Information Back-Up
+ description: The organization ensures a current, retrievable copy of covered information is available before movement of servers.
+ section-code: azure_hipaa_hitrust_v92_1626_09l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/PostgreSQL
+ type:
+ - Benchmark
+ controls:
+ - azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
index 238a3cc1e..ced0e9b0f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1627_09l3organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1627_09l3organizational
-Title: 09l3Organizational.6-09.l 09.05 Information Back-Up
-Description: The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.
-SectionCode: azure_hipaa_hitrust_v92_1627_09l3organizational
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/MariaDB
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1627_09l3organizational
+ title: 09l3Organizational.6-09.l 09.05 Information Back-Up
+ description: The organization tests backup information following each backup to verify media reliability and information integrity, and at least annually thereafter.
+ section-code: azure_hipaa_hitrust_v92_1627_09l3organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/MariaDB
+ type:
+ - Benchmark
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
index 7722eb4ed..4dd8f06c1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1634_12b1organizational.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_1634_12b1organizational
-Title: 12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
-Description: The organization identifies the critical business processes requiring business continuity.
-SectionCode: azure_hipaa_hitrust_v92_1634_12b1organizational
-Children: []
-Controls:
- - azure_compute_vm_disaster_recovery_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1634_12b1organizational
+ title: 12b1Organizational.1-12.b 12.01 Information Security Aspects of Business Continuity Management
+ description: The organization identifies the critical business processes requiring business continuity.
+ section-code: azure_hipaa_hitrust_v92_1634_12b1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
index ade84aa92..f4dab75cd 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1635_12b1organizational.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_1635_12b1organizational
-Title: 12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
-Description: Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
-SectionCode: azure_hipaa_hitrust_v92_1635_12b1organizational
-Children: []
-Controls:
- - azure_keyvault_managed_hms_purge_protection_enabled
- - azure_keyvault_purge_protection_enabled
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KeyVault
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_1635_12b1organizational
+ title: 12b1Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management
+ description: Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to 
business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy.
+ section-code: azure_hipaa_hitrust_v92_1635_12b1organizational
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KeyVault
+ type:
+ - Benchmark
+ controls:
+ - azure_keyvault_managed_hms_purge_protection_enabled
+ - azure_keyvault_purge_protection_enabled
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml
index 457092148..3a4e6e298 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1637_12b2organizational.yaml
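Review bot: The `description` for 1635 is one plain scalar of several hundred characters on a single line (it already arrives split mid-sentence across two lines in this view), which makes the file hard to diff and fragile: a later edit that introduces `: ` or ` #` inside the sentence silently changes how the value parses. A folded block scalar keeps the identical value and wraps cleanly, `description: >-` followed by the text indented beneath it, one clause per line. The same treatment would suit the other long descriptions in this set (1401, 1617, 1618 and 1638).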
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1637_12b2organizational -Title: 12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management -Description: Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. -SectionCode: azure_hipaa_hitrust_v92_1637_12b2organizational -Children: [] -Controls: - - azure_compute_vm_meet_security_options_requirement_windows -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1637_12b2organizational + title: 12b2Organizational.2-12.b 12.01 Information Security Aspects of Business Continuity Management + description: Business impact analysis are used to evaluate the consequences of disasters, security failures, loss of service, and service availability. + section-code: azure_hipaa_hitrust_v92_1637_12b2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_meet_security_options_requirement_windows diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml index a3143bc5b..8ab31b258 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1638_12b2organizational.yaml 
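Review bot: The group `description` carries a grammatical slip that the migration copied over unchanged: `Business impact analysis are used` should read `Business impact analyses are used`. More substantively, the single mapped control `azure_compute_vm_meet_security_options_requirement_windows` is, judging by its name, a Windows security-options baseline check, which does not obviously evidence that a business impact analysis was performed; an assessor reading a pass here could overstate coverage. I would add a comment above the `controls:` list such as `# Partial technical coverage only; the BIA itself is an organisational artefact that must be evidenced manually` so the mapping is not read as proof of the requirement.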
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1638_12b2organizational -Title: 12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management -Description: Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. -SectionCode: azure_hipaa_hitrust_v92_1638_12b2organizational -Children: [] -Controls: - - azure_compute_vm_disaster_recovery_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1638_12b2organizational + title: 12b2Organizational.345-12.b 12.01 Information Security Aspects of Business Continuity Management + description: Business continuity risk assessments (i) are carried out annually with full involvement from owners of business resources and processes; (ii) consider all business processes and is not limited to the information assets, but includes the results specific to information security; and (iii) identifies, quantifies, and prioritizes risks against key business objectives and criteria relevant to the organization, including critical resources, impacts of disruptions, allowable outage times, and recovery priorities. 
+ section-code: azure_hipaa_hitrust_v92_1638_12b2organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_disaster_recovery_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml index ba05ee8d3..0d70cff80 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_1699_09l1organizational.yaml 
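Review bot: `enabled: false` in the new `defaults` block means this HITRUST control group ships switched off, and nothing in the file says whether that is a deliberate opt-in model or a placeholder. Because every file in this migration appears to carry the same default, anyone enabling the framework will need to know that each group must be enabled individually (or that enablement is inherited) to get any findings at all. A one-line comment above `defaults:` such as `# All HIPAA/HITRUST groups are opt-in: enable per tenant after the framework is assigned` would make the posture explicit; if enablement is actually inherited from the framework, say that instead. The mapped control `azure_compute_vm_disaster_recovery_enabled` fits the "recovery priorities" clause of the description well.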
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_1699_09l1organizational -Title: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices -Description: "" -SectionCode: azure_hipaa_hitrust_v92_1699_09l1organizational -Children: [] -Controls: - - azure_compute_vm_azure_backup_enabled -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_1699_09l1organizational + title: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices + description: Workforce members roles and responsibilities in the data backup process are identified and communicated to the workforce; in particular, Bring Your Own Device (BYOD) users are required to perform backups of organizational and/or client data on their devices + section-code: azure_hipaa_hitrust_v92_1699_09l1organizational + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_azure_backup_enabled diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml index 7385392cb..674a3a259 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml 
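Review bot: The new `description` is a verbatim copy of the `title`, whereas the old file had `Description: ""`; duplicating the title adds no information and will render twice in any UI that shows both fields. Either keep the description empty as before or write one that says what the group actually verifies, for example `description: Backup roles and responsibilities are defined and communicated to the workforce; this group checks that Azure Backup is enabled on virtual machines.` (the second clause is inferred from the control name `azure_compute_vm_azure_backup_enabled` and should be confirmed against that control). The BYOD clause of the requirement is not something a VM backup check can evidence, so it may also be worth noting that part needs manual attestation.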
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_access_control.yaml 
@@ -1,47 +1,52 @@ -ID: azure_hipaa_hitrust_v92_access_control -Title: Access Control -Description: Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed, and privileges are reduced to the lowest access levels). Account managers are notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly. -SectionCode: access_control -Children: - - azure_hipaa_hitrust_v92_11109_01q1organizational - - azure_hipaa_hitrust_v92_11111_01q2system - - azure_hipaa_hitrust_v92_11112_01q2organizational - - azure_hipaa_hitrust_v92_1116_01j1organizational - - azure_hipaa_hitrust_v92_1118_01j2organizational - - azure_hipaa_hitrust_v92_11180_01c3system - - azure_hipaa_hitrust_v92_1119_01j2organizational - - azure_hipaa_hitrust_v92_1120_09ab3system - - azure_hipaa_hitrust_v92_1121_01j3organizational - - azure_hipaa_hitrust_v92_1123_01q1system - - azure_hipaa_hitrust_v92_1125_01q2system - - azure_hipaa_hitrust_v92_1127_01q2system - - azure_hipaa_hitrust_v92_1143_01c1system - - azure_hipaa_hitrust_v92_1144_01c1system - - azure_hipaa_hitrust_v92_1145_01c2system - - azure_hipaa_hitrust_v92_1146_01c2system - - azure_hipaa_hitrust_v92_1147_01c2system - - azure_hipaa_hitrust_v92_1148_01c2system - - azure_hipaa_hitrust_v92_1150_01c2system - - azure_hipaa_hitrust_v92_1151_01c3system - - azure_hipaa_hitrust_v92_1152_01c3system - - azure_hipaa_hitrust_v92_1153_01c3system - - azure_hipaa_hitrust_v92_1175_01j1organizational - - azure_hipaa_hitrust_v92_1178_01j2organizational - - azure_hipaa_hitrust_v92_1179_01j3organizational - - azure_hipaa_hitrust_v92_1192_01l1organizational - - azure_hipaa_hitrust_v92_1193_01l2organizational - - azure_hipaa_hitrust_v92_1194_01l2organizational - - azure_hipaa_hitrust_v92_1195_01l3organizational - - azure_hipaa_hitrust_v92_1197_01l3organizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - 
service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_access_control + title: Access Control + description: Default and unnecessary system accounts are removed, disabled, or otherwise secured (e.g., the passwords are changed, and privileges are reduced to the lowest access levels). Account managers are notified when users' access rights change (e.g., termination, change in position) and modify the user's account accordingly. + section-code: access_control + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_11109_01q1organizational + - id: azure_hipaa_hitrust_v92_11111_01q2system + - id: azure_hipaa_hitrust_v92_11112_01q2organizational + - id: azure_hipaa_hitrust_v92_1116_01j1organizational + - id: azure_hipaa_hitrust_v92_1118_01j2organizational + - id: azure_hipaa_hitrust_v92_11180_01c3system + - id: azure_hipaa_hitrust_v92_1119_01j2organizational + - id: azure_hipaa_hitrust_v92_1120_09ab3system + - id: azure_hipaa_hitrust_v92_1121_01j3organizational + - id: azure_hipaa_hitrust_v92_1123_01q1system + - id: azure_hipaa_hitrust_v92_1125_01q2system + - id: azure_hipaa_hitrust_v92_1127_01q2system + - id: azure_hipaa_hitrust_v92_1143_01c1system + - id: azure_hipaa_hitrust_v92_1144_01c1system + - id: azure_hipaa_hitrust_v92_1145_01c2system + - id: azure_hipaa_hitrust_v92_1146_01c2system + - id: azure_hipaa_hitrust_v92_1147_01c2system + - id: azure_hipaa_hitrust_v92_1148_01c2system + - id: azure_hipaa_hitrust_v92_1150_01c2system + - id: azure_hipaa_hitrust_v92_1151_01c3system + - id: azure_hipaa_hitrust_v92_1152_01c3system + - id: azure_hipaa_hitrust_v92_1153_01c3system + - id: azure_hipaa_hitrust_v92_1175_01j1organizational + - id: azure_hipaa_hitrust_v92_1178_01j2organizational + - id: 
azure_hipaa_hitrust_v92_1179_01j3organizational + - id: azure_hipaa_hitrust_v92_1192_01l1organizational + - id: azure_hipaa_hitrust_v92_1193_01l2organizational + - id: azure_hipaa_hitrust_v92_1194_01l2organizational + - id: azure_hipaa_hitrust_v92_1195_01l3organizational + - id: azure_hipaa_hitrust_v92_1197_01l3organizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml index 529e7b529..1effe4194 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_audit_logging_and_monitoring.yaml 
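Review bot: The new layout uses the key `control-group` at two levels with different shapes: the top-level `control-group:` is a mapping (id, title, metadata, ...) while the nested `control-group:` is a sequence of `- id:` items, so any schema or tooling that keys on the name must also inspect nesting depth to know which form it is looking at. If the schema is still open to change, a distinct name for the child list such as `children:` or `groups:` would remove the ambiguity; if not, a comment above the nested key noting that it holds child group references would help. Separately, the group `description` is the text of one specific requirement (removing default accounts, notifying account managers) rather than a description of the Access Control domain that its thirty children cover, so it reads as if it were copied from a single control. Not introduced here, but `azure_hipaa_hitrust_v92_1120_09ab3system` is the only `09ab` item in this list while the other `09ab` controls sit under the audit-logging group; worth confirming it belongs here.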
@@ -1,43 +1,48 @@ -ID: azure_hipaa_hitrust_v92_audit_logging_and_monitoring -Title: Audit Logging & Monitoring -Description: Audit logging refers to the process of recording and tracking all system activities, such as user logins, data access, and modifications made to sensitive information. By implementing comprehensive audit logging, the website will maintain a detailed trail of events, enabling organizations to track and investigate any potential security breaches or unauthorized access. Furthermore, monitoring mechanisms will be put in place to actively observe and analyze system activities in real time. This includes the monitoring of network traffic, system logs, and user behaviour to detect any anomalous or suspicious activities promptly. -SectionCode: audit_logging_and_monitoring -Children: - - azure_hipaa_hitrust_v92_1202_09aa1system - - azure_hipaa_hitrust_v92_1203_09aa1system - - azure_hipaa_hitrust_v92_1204_09aa1system - - azure_hipaa_hitrust_v92_1205_09aa2system - - azure_hipaa_hitrust_v92_1207_09aa2system - - azure_hipaa_hitrust_v92_1208_09aa3system - - azure_hipaa_hitrust_v92_1209_09aa3system - - azure_hipaa_hitrust_v92_1210_09aa3system - - azure_hipaa_hitrust_v92_12100_09ab2system - - azure_hipaa_hitrust_v92_12101_09ab1organizational - - azure_hipaa_hitrust_v92_12102_09ab1organizational - - azure_hipaa_hitrust_v92_1211_09aa3system - - azure_hipaa_hitrust_v92_1212_09ab1system - - azure_hipaa_hitrust_v92_1213_09ab2system - - azure_hipaa_hitrust_v92_1214_09ab2system - - azure_hipaa_hitrust_v92_1215_09ab2system - - azure_hipaa_hitrust_v92_1216_09ab3system - - azure_hipaa_hitrust_v92_1217_09ab3system - - azure_hipaa_hitrust_v92_1219_09ab3system - - azure_hipaa_hitrust_v92_1220_09ab3system - - azure_hipaa_hitrust_v92_1229_09c1organizational - - azure_hipaa_hitrust_v92_1230_09c2organizational - - azure_hipaa_hitrust_v92_1232_09c3organizational - - azure_hipaa_hitrust_v92_1270_09ad1system - - azure_hipaa_hitrust_v92_1271_09ad1system - - 
azure_hipaa_hitrust_v92_1277_09c2organizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_audit_logging_and_monitoring + title: Audit Logging & Monitoring + description: Audit logging refers to the process of recording and tracking all system activities, such as user logins, data access, and modifications made to sensitive information. By implementing comprehensive audit logging, the website will maintain a detailed trail of events, enabling organizations to track and investigate any potential security breaches or unauthorized access. Furthermore, monitoring mechanisms will be put in place to actively observe and analyze system activities in real time. This includes the monitoring of network traffic, system logs, and user behaviour to detect any anomalous or suspicious activities promptly. + section-code: audit_logging_and_monitoring + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_1202_09aa1system + - id: azure_hipaa_hitrust_v92_1203_09aa1system + - id: azure_hipaa_hitrust_v92_1204_09aa1system + - id: azure_hipaa_hitrust_v92_1205_09aa2system + - id: azure_hipaa_hitrust_v92_1207_09aa2system + - id: azure_hipaa_hitrust_v92_1208_09aa3system + - id: azure_hipaa_hitrust_v92_1209_09aa3system + - id: azure_hipaa_hitrust_v92_1210_09aa3system + - id: azure_hipaa_hitrust_v92_12100_09ab2system + - id: azure_hipaa_hitrust_v92_12101_09ab1organizational + - id: azure_hipaa_hitrust_v92_12102_09ab1organizational + - id: azure_hipaa_hitrust_v92_1211_09aa3system + - id: azure_hipaa_hitrust_v92_1212_09ab1system + - id: azure_hipaa_hitrust_v92_1213_09ab2system + - id: azure_hipaa_hitrust_v92_1214_09ab2system + - id: 
azure_hipaa_hitrust_v92_1215_09ab2system + - id: azure_hipaa_hitrust_v92_1216_09ab3system + - id: azure_hipaa_hitrust_v92_1217_09ab3system + - id: azure_hipaa_hitrust_v92_1219_09ab3system + - id: azure_hipaa_hitrust_v92_1220_09ab3system + - id: azure_hipaa_hitrust_v92_1229_09c1organizational + - id: azure_hipaa_hitrust_v92_1230_09c2organizational + - id: azure_hipaa_hitrust_v92_1232_09c3organizational + - id: azure_hipaa_hitrust_v92_1270_09ad1system + - id: azure_hipaa_hitrust_v92_1271_09ad1system + - id: azure_hipaa_hitrust_v92_1277_09c2organizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml index 8edf94c71..957dbea2b 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_back_up.yaml 
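Review bot: The `description` carried into the new `control-group` block says "the website will maintain a detailed trail of events" and "monitoring mechanisms will be put in place", which is generic web-application boilerplate rather than a description of an Azure audit-logging control domain. Since the text is shown to assessors next to Azure controls, I would reword it to describe what the group covers, for example `description: Audit logging records system activity such as sign-ins, data access and changes to sensitive information so that events can be reconstructed and investigated; monitoring analyses logs, network traffic and user behaviour to detect anomalous activity promptly.` The child list itself looks consistent (all `09aa`, `09ab`, `09ad`, `09c` items).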
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_back_up -Title: Back-up -Description: Ensure the maintenance, integrity, and availability of organizational information. Back-up copies of information and software shall be taken and tested regularly. -SectionCode: back_up -Children: - - azure_hipaa_hitrust_v92_1699_09l1organizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_back_up + title: Back-up + description: Ensure the maintenance, integrity, and availability of organizational information. Back-up copies of information and software shall be taken and tested regularly. + section-code: back_up + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_1699_09l1organizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml index 0de91ff11..74265f004 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery.yaml 
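Review bot: The `description` states that back-up copies "shall be taken and tested regularly", but the group's only child is `azure_hipaa_hitrust_v92_1699_09l1organizational`, and an automated enablement check cannot demonstrate that restores have been tested. Presenting a pass here as satisfying the whole requirement would overstate coverage, which matters for a HIPAA/HITRUST attestation. I would add a comment above the nested `control-group:` such as `# Automated checks evidence that backup is configured only; restore testing must be evidenced manually` so the limitation travels with the data. As with the other groups, `auto-assign: null` next to boolean siblings would be clearer as `false` or with a comment explaining that null means inherit.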
@@ -1,33 +1,38 @@ -ID: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery -Title: Business Continuity & Disaster Recovery -Description: The organization identifies the critical business processes requiring business continuity. Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. -SectionCode: business_continuity_and_disaster_recovery -Children: - - azure_hipaa_hitrust_v92_1616_09l1organizational - - azure_hipaa_hitrust_v92_1617_09l1organizational - - azure_hipaa_hitrust_v92_1618_09l1organizational - - azure_hipaa_hitrust_v92_1619_09l1organizational - - azure_hipaa_hitrust_v92_1620_09l1organizational - - azure_hipaa_hitrust_v92_1621_09l2organizational - - azure_hipaa_hitrust_v92_1622_09l2organizational - - azure_hipaa_hitrust_v92_1623_09l2organizational - - azure_hipaa_hitrust_v92_1624_09l3organizational - - azure_hipaa_hitrust_v92_1625_09l3organizational - - azure_hipaa_hitrust_v92_1626_09l3organizational - - azure_hipaa_hitrust_v92_1627_09l3organizational - - azure_hipaa_hitrust_v92_1634_12b1organizational - - azure_hipaa_hitrust_v92_1635_12b1organizational - - azure_hipaa_hitrust_v92_1637_12b2organizational - - azure_hipaa_hitrust_v92_1638_12b2organizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: 
- - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery + title: Business Continuity & Disaster Recovery + description: The organization identifies the critical business processes requiring business continuity. Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. + section-code: business_continuity_and_disaster_recovery + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_1616_09l1organizational + - id: azure_hipaa_hitrust_v92_1617_09l1organizational + - id: azure_hipaa_hitrust_v92_1618_09l1organizational + - id: azure_hipaa_hitrust_v92_1619_09l1organizational + - id: azure_hipaa_hitrust_v92_1620_09l1organizational + - id: azure_hipaa_hitrust_v92_1621_09l2organizational + - id: azure_hipaa_hitrust_v92_1622_09l2organizational + - id: azure_hipaa_hitrust_v92_1623_09l2organizational + - id: azure_hipaa_hitrust_v92_1624_09l3organizational + - id: azure_hipaa_hitrust_v92_1625_09l3organizational + - id: azure_hipaa_hitrust_v92_1626_09l3organizational + - id: azure_hipaa_hitrust_v92_1627_09l3organizational + - id: 
azure_hipaa_hitrust_v92_1634_12b1organizational + - id: azure_hipaa_hitrust_v92_1635_12b1organizational + - id: azure_hipaa_hitrust_v92_1637_12b2organizational + - id: azure_hipaa_hitrust_v92_1638_12b2organizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml index 9cfe000a7..3efe6970c 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_configuration_management.yaml 
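Review bot: The `description` is written as one plain scalar of several hundred characters on a single line, which makes diffs noisy and is easy to break if someone later inserts a `: ` or ` #` while editing the text. A folded block scalar preserves the value exactly while keeping lines short, for example `description: >-` followed by the same sentences wrapped at a reasonable width; the `>-` form folds the line breaks back into spaces and strips the trailing newline, so the stored string is unchanged. The same applies to the other long descriptions in this migration. The child list correctly includes the `1634`/`1635`/`1637`/`1638` 12.b items alongside the `09l` items.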
@@ -1,29 +1,34 @@ -ID: azure_hipaa_hitrust_v92_configuration_management -Title: Configuration Management -Description: Configuration management involves implementing processes and controls to effectively manage and track changes to information systems, ensuring their integrity and security. In the context of compliance, organizations need to establish a robust configuration management program that includes documenting the baseline configuration of systems, implementing change management procedures, and conducting regular configuration reviews and audits. -SectionCode: configuration_management -Children: - - azure_hipaa_hitrust_v92_0605_10h1system - - azure_hipaa_hitrust_v92_0635_10k1organizational - - azure_hipaa_hitrust_v92_0636_10k2organizational - - azure_hipaa_hitrust_v92_0637_10k2organizational - - azure_hipaa_hitrust_v92_0638_10k2organizational - - azure_hipaa_hitrust_v92_0639_10k2organizational - - azure_hipaa_hitrust_v92_0640_10k2organizational - - azure_hipaa_hitrust_v92_0641_10k2organizational - - azure_hipaa_hitrust_v92_0642_10k3organizational - - azure_hipaa_hitrust_v92_0643_10k3organizational - - azure_hipaa_hitrust_v92_0644_10k3organizational - - azure_hipaa_hitrust_v92_0662_09scsporganizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_configuration_management + title: Configuration Management + description: Configuration management involves implementing processes and controls to effectively manage and track changes to information systems, ensuring their integrity and security. In the context of compliance, organizations need to establish a robust configuration management program that includes documenting the baseline configuration of systems, implementing change management procedures, and conducting regular configuration reviews and audits. 
+ section-code: configuration_management + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_0605_10h1system + - id: azure_hipaa_hitrust_v92_0635_10k1organizational + - id: azure_hipaa_hitrust_v92_0636_10k2organizational + - id: azure_hipaa_hitrust_v92_0637_10k2organizational + - id: azure_hipaa_hitrust_v92_0638_10k2organizational + - id: azure_hipaa_hitrust_v92_0639_10k2organizational + - id: azure_hipaa_hitrust_v92_0640_10k2organizational + - id: azure_hipaa_hitrust_v92_0641_10k2organizational + - id: azure_hipaa_hitrust_v92_0642_10k3organizational + - id: azure_hipaa_hitrust_v92_0643_10k3organizational + - id: azure_hipaa_hitrust_v92_0644_10k3organizational + - id: azure_hipaa_hitrust_v92_0662_09scsporganizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml index 3833ee0cb..c1fa97c1a 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_control_of_operational_software.yaml 
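Review bot: `tracks-drift-events: false` sits on a group whose `description` is about managing and tracking changes to systems, documenting baselines and "conducting regular configuration reviews and audits", which is exactly the situation where drift tracking is wanted. I cannot tell from this file what the flag controls in the consumer, but if it does what its name suggests, leaving it off here means configuration drift in the `10k` controls below is not surfaced as events. Either set `tracks-drift-events: true` for this group or add `# drift tracking off by default; enable per tenant once the 10.k baselines are established` above the flag so the choice is visibly deliberate.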
@@ -1,19 +1,24 @@ -ID: azure_hipaa_hitrust_v92_control_of_operational_software -Title: Control of Operational Software -Description: There shall be procedures in place to control the installation of software on operational systems. -SectionCode: control_of_operational_software -Children: - - azure_hipaa_hitrust_v92_0606_10h2system - - azure_hipaa_hitrust_v92_0607_10h2system -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_control_of_operational_software + title: Control of Operational Software + description: There shall be procedures in place to control the installation of software on operational systems. + section-code: control_of_operational_software + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_0606_10h2system + - id: azure_hipaa_hitrust_v92_0607_10h2system diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml index cf0f0f0a6..e7d4f2762 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_education_training_and_awareness.yaml 
@@ -1,18 +1,23 @@ -ID: azure_hipaa_hitrust_v92_education_training_and_awareness -Title: Education, Training and Awareness -Description: The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. -SectionCode: education_training_and_awareness -Children: - - azure_hipaa_hitrust_v92_1325_09s1organizational -Controls: [] -Tags: - category: - - Compliance - hipaa_hitrust_v92: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_hipaa_hitrust_v92_education_training_and_awareness + title: Education, Training and Awareness + description: The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. + section-code: education_training_and_awareness + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + hipaa_hitrust_v92: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_hipaa_hitrust_v92_1325_09s1organizational diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml index f329b9a39..cae4299ef 100755 --- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml +++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_endpoint_protection.yaml 
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_endpoint_protection
-Title: Endpoint Protection
-Description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
-SectionCode: endpoint_protection
-Children:
- - azure_hipaa_hitrust_v92_0201_09j1organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_endpoint_protection
+ title: Endpoint Protection
+ description: Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
+ section-code: endpoint_protection
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0201_09j1organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
index 7cd21486c..a1d955433 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties.yaml
@@ -1,21 +1,26 @@
-ID: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
-Title: Identification of Risks Related to External Parties
-Description: The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access.
-SectionCode: identification_of_risks_related_to_external_parties
-Children:
- - azure_hipaa_hitrust_v92_1401_05i1organizational
- - azure_hipaa_hitrust_v92_1402_05i1organizational
- - azure_hipaa_hitrust_v92_1403_05i1organizational
- - azure_hipaa_hitrust_v92_1418_05i1organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
+ title: Identification of Risks Related to External Parties
+ description: The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access.
+ section-code: identification_of_risks_related_to_external_parties
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_1401_05i1organizational
+ - id: azure_hipaa_hitrust_v92_1402_05i1organizational
+ - id: azure_hipaa_hitrust_v92_1403_05i1organizational
+ - id: azure_hipaa_hitrust_v92_1418_05i1organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
index 47b34be76..2879cd12f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_controls.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_network_controls
-Title: Network Controls
-Description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
-SectionCode: network_controls
-Children:
- - azure_hipaa_hitrust_v92_0867_09m3organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_network_controls
+ title: Network Controls
+ description: The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation of wireless access points (WAPs) unless explicitly authorized in writing by the CIO or his/her designated representative.
+ section-code: network_controls
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0867_09m3organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
index 72579c360..f06feab27 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_network_protection.yaml
@@ -1,45 +1,50 @@
-ID: azure_hipaa_hitrust_v92_network_protection
-Title: Network Protection
-Description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
-SectionCode: network_protection
-Children:
- - azure_hipaa_hitrust_v92_0805_01m1organizational
- - azure_hipaa_hitrust_v92_0806_01m2organizational
- - azure_hipaa_hitrust_v92_0809_01n2organizational
- - azure_hipaa_hitrust_v92_0810_01n2organizational
- - azure_hipaa_hitrust_v92_0811_01n2organizational
- - azure_hipaa_hitrust_v92_0812_01n2organizational
- - azure_hipaa_hitrust_v92_0814_01n1organizational
- - azure_hipaa_hitrust_v92_0835_09n1organizational
- - azure_hipaa_hitrust_v92_0836_09_n2organizational
- - azure_hipaa_hitrust_v92_0837_09_n2Organizational
- - azure_hipaa_hitrust_v92_0858_09m1organizational
- - azure_hipaa_hitrust_v92_0859_09m1organizational
- - azure_hipaa_hitrust_v92_0860_09m1organizational
- - azure_hipaa_hitrust_v92_0861_09m2organizational
- - azure_hipaa_hitrust_v92_0862_09m2organizational
- - azure_hipaa_hitrust_v92_0863_09m2organizational
- - azure_hipaa_hitrust_v92_0864_09m2organizational
- - azure_hipaa_hitrust_v92_0865_09m2organizational
- - azure_hipaa_hitrust_v92_0866_09m3organizational
- - azure_hipaa_hitrust_v92_0868_09m3organizational
- - azure_hipaa_hitrust_v92_0869_09m3organizational
- - azure_hipaa_hitrust_v92_0870_09m3organizational
- - azure_hipaa_hitrust_v92_0871_09m3organizational
- - azure_hipaa_hitrust_v92_0885_09n2organizational
- - azure_hipaa_hitrust_v92_0886_09n2Organizational
- - azure_hipaa_hitrust_v92_0887_09n2organizational
- - azure_hipaa_hitrust_v92_0888_09n2Organizational
- - azure_hipaa_hitrust_v92_0894_01m2organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_network_protection
+ title: Network Protection
+ description: The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains.
+ section-code: network_protection
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0805_01m1organizational
+ - id: azure_hipaa_hitrust_v92_0806_01m2organizational
+ - id: azure_hipaa_hitrust_v92_0809_01n2organizational
+ - id: azure_hipaa_hitrust_v92_0810_01n2organizational
+ - id: azure_hipaa_hitrust_v92_0811_01n2organizational
+ - id: azure_hipaa_hitrust_v92_0812_01n2organizational
+ - id: azure_hipaa_hitrust_v92_0814_01n1organizational
+ - id: azure_hipaa_hitrust_v92_0835_09n1organizational
+ - id: azure_hipaa_hitrust_v92_0836_09_n2organizational
+ - id: azure_hipaa_hitrust_v92_0837_09_n2Organizational
+ - id: azure_hipaa_hitrust_v92_0858_09m1organizational
+ - id: azure_hipaa_hitrust_v92_0859_09m1organizational
+ - id: azure_hipaa_hitrust_v92_0860_09m1organizational
+ - id: azure_hipaa_hitrust_v92_0861_09m2organizational
+ - id: azure_hipaa_hitrust_v92_0862_09m2organizational
+ - id: azure_hipaa_hitrust_v92_0863_09m2organizational
+ - id: azure_hipaa_hitrust_v92_0864_09m2organizational
+ - id: azure_hipaa_hitrust_v92_0865_09m2organizational
+ - id: azure_hipaa_hitrust_v92_0866_09m3organizational
+ - id: azure_hipaa_hitrust_v92_0868_09m3organizational
+ - id: azure_hipaa_hitrust_v92_0869_09m3organizational
+ - id: azure_hipaa_hitrust_v92_0870_09m3organizational
+ - id: azure_hipaa_hitrust_v92_0871_09m3organizational
+ - id: azure_hipaa_hitrust_v92_0885_09n2organizational
+ - id: azure_hipaa_hitrust_v92_0886_09n2Organizational
+ - id: azure_hipaa_hitrust_v92_0887_09n2organizational
+ - id: azure_hipaa_hitrust_v92_0888_09n2Organizational
+ - id: azure_hipaa_hitrust_v92_0894_01m2organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
index abca406ca..2612ccac1 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_on_line_transactions.yaml
@@ -1,18 +1,23 @@
-ID: azure_hipaa_hitrust_v92_on_line_transactions
-Title: On-line Transactions
-Description: Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
-SectionCode: on_line_transactions
-Children:
- - azure_hipaa_hitrust_v92_0946_09y2organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_on_line_transactions
+ title: On-line Transactions
+ description: Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
+ section-code: on_line_transactions
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0946_09y2organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
index d4ae603b2..077f1e4c3 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_portable_media_security.yaml
@@ -1,20 +1,25 @@
-ID: azure_hipaa_hitrust_v92_portable_media_security
-Title: Portable Media Security
-Description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
-SectionCode: portable_media_security
-Children:
- - azure_hipaa_hitrust_v92_0301_09o1organizational
- - azure_hipaa_hitrust_v92_0302_09o2organizational
- - azure_hipaa_hitrust_v92_0304_09o3organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_portable_media_security
+ title: Portable Media Security
+ description: The organization, based on the data classification level, registers media (including laptops) prior to use, places reasonable restrictions on how such media be used, and provides an appropriate level of physical and logical protection (including encryption) for media containing covered information until properly destroyed or sanitized.
+ section-code: portable_media_security
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0301_09o1organizational
+ - id: azure_hipaa_hitrust_v92_0302_09o2organizational
+ - id: azure_hipaa_hitrust_v92_0304_09o3organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
index 9885a545a..ae17ab4c7 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_privilege_management.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_privilege_management
-Title: Privilege Management
-Description: Privilege management is a crucial aspect of HIPAA and HITRUST compliance, focusing on access control to protect sensitive health information. It involves implementing role-based access controls, strong authentication measures, regular reviews of access privileges, and robust logging and monitoring systems. By enforcing these measures, organizations can ensure that only authorized individuals have appropriate access to electronic protected health information, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST standards.
-SectionCode: privilege_management
-Children:
- - azure_hipaa_hitrust_v92_1149_01c2system
- - azure_hipaa_hitrust_v92_1154_01c3system
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_privilege_management
+ title: Privilege Management
+ description: Privilege management is a crucial aspect of HIPAA and HITRUST compliance, focusing on access control to protect sensitive health information. It involves implementing role-based access controls, strong authentication measures, regular reviews of access privileges, and robust logging and monitoring systems. By enforcing these measures, organizations can ensure that only authorized individuals have appropriate access to electronic protected health information, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST standards.
+ section-code: privilege_management
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_1149_01c2system
+ - id: azure_hipaa_hitrust_v92_1154_01c3system
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
index 0d37cf22f..5100d58b6 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_third_party_assurance.yaml
@@ -1,19 +1,24 @@
-ID: azure_hipaa_hitrust_v92_third_party_assurance
-Title: Third Party Assurance
-Description: Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews.
-SectionCode: third_party_assurance
-Children:
- - azure_hipaa_hitrust_v92_1450_05i2organizational
- - azure_hipaa_hitrust_v92_1451_05icsporganizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_third_party_assurance
+ title: Third Party Assurance
+ description: Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews.
+ section-code: third_party_assurance
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_1450_05i2organizational
+ - id: azure_hipaa_hitrust_v92_1451_05icsporganizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml
index e54af806b..3822c2f7f 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_transmission_protection.yaml
@@ -1,29 +1,34 @@
-ID: azure_hipaa_hitrust_v92_transmission_protection
-Title: Transmission Protection
-Description: The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures.
-SectionCode: transmission_protection
-Children:
- - azure_hipaa_hitrust_v92_0901_09s1organizational
- - azure_hipaa_hitrust_v92_0902_09s2organizational
- - azure_hipaa_hitrust_v92_0912_09s1organizational
- - azure_hipaa_hitrust_v92_0913_09s1organizational
- - azure_hipaa_hitrust_v92_0915_09s2organizational
- - azure_hipaa_hitrust_v92_0916_09s2organizational
- - azure_hipaa_hitrust_v92_0943_09y1organizational
- - azure_hipaa_hitrust_v92_0945_09y1organizational
- - azure_hipaa_hitrust_v92_0947_09y2organizational
- - azure_hipaa_hitrust_v92_0948_09y2organizational
- - azure_hipaa_hitrust_v92_0949_09y2organizational
- - azure_hipaa_hitrust_v92_0960_09scsporganizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_transmission_protection
+ title: Transmission Protection
+ description: The organization uses FIPS-validated cryptographic mechanisms during transmission to prevent unauthorized disclosure of information and detect changes to information unless otherwise protected by organization-defined alternative physical measures.
+ section-code: transmission_protection
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0901_09s1organizational
+ - id: azure_hipaa_hitrust_v92_0902_09s2organizational
+ - id: azure_hipaa_hitrust_v92_0912_09s1organizational
+ - id: azure_hipaa_hitrust_v92_0913_09s1organizational
+ - id: azure_hipaa_hitrust_v92_0915_09s2organizational
+ - id: azure_hipaa_hitrust_v92_0916_09s2organizational
+ - id: azure_hipaa_hitrust_v92_0943_09y1organizational
+ - id: azure_hipaa_hitrust_v92_0945_09y1organizational
+ - id: azure_hipaa_hitrust_v92_0947_09y2organizational
+ - id: azure_hipaa_hitrust_v92_0948_09y2organizational
+ - id: azure_hipaa_hitrust_v92_0949_09y2organizational
+ - id: azure_hipaa_hitrust_v92_0960_09scsporganizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
index a535c48c3..1ebf8cf61 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_authentication_for_external_connections.yaml
@@ -1,22 +1,27 @@
-ID: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
-Title: User Authentication for External Connections
-Description: When accessing electronic protected health information (ePHI) from external sources, it's crucial to prioritize user authentication as part of our commitment to HIPAA and HITRUST compliance. To ensure secure access, we have implemented strong authentication measures, including unique user IDs, strong passwords, and multi-factor authentication. These measures verify the identity of individuals accessing ePHI remotely, ensuring that only authorized users with the right credentials can establish secure connections. By prioritizing user authentication, we protect the confidentiality of sensitive health information and minimize the risk of unauthorized access.
-SectionCode: user_authentication_for_external_connections
-Children:
- - azure_hipaa_hitrust_v92_1117_01j1organizational
- - azure_hipaa_hitrust_v92_1173_01j1organizational
- - azure_hipaa_hitrust_v92_1174_01j1organizational
- - azure_hipaa_hitrust_v92_1176_01j2organizational
- - azure_hipaa_hitrust_v92_1177_01j2organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_user_authentication_for_external_connections
+ title: User Authentication for External Connections
+ description: When accessing electronic protected health information (ePHI) from external sources, it's crucial to prioritize user authentication as part of our commitment to HIPAA and HITRUST compliance. To ensure secure access, we have implemented strong authentication measures, including unique user IDs, strong passwords, and multi-factor authentication. These measures verify the identity of individuals accessing ePHI remotely, ensuring that only authorized users with the right credentials can establish secure connections. By prioritizing user authentication, we protect the confidentiality of sensitive health information and minimize the risk of unauthorized access.
+ section-code: user_authentication_for_external_connections
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_1117_01j1organizational
+ - id: azure_hipaa_hitrust_v92_1173_01j1organizational
+ - id: azure_hipaa_hitrust_v92_1174_01j1organizational
+ - id: azure_hipaa_hitrust_v92_1176_01j2organizational
+ - id: azure_hipaa_hitrust_v92_1177_01j2organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
index 4787fb09f..9276a7189 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_user_identification_and_authentication.yaml
@@ -1,21 +1,26 @@
-ID: azure_hipaa_hitrust_v92_user_identification_and_authentication
-Title: User Identification and Authentication
-Description: User identification and authentication play a crucial role. This involves implementing strong measures to verify the identity of users accessing electronic protected health information (ePHI). To comply with these standards, organizations should establish unique user IDs and enforce the use of strong passwords or passphrases. Additionally, implementing multi-factor authentication adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their login credentials. By implementing robust user identification and authentication practices, organizations can ensure that only authorized individuals can access ePHI, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST 9.2 regulations.
-SectionCode: user_identification_and_authentication
-Children:
- - azure_hipaa_hitrust_v92_11110_01q1organizational
- - azure_hipaa_hitrust_v92_11208_01q1organizational
- - azure_hipaa_hitrust_v92_11210_01q2organizational
- - azure_hipaa_hitrust_v92_11211_01q2organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_user_identification_and_authentication
+ title: User Identification and Authentication
+ description: User identification and authentication play a crucial role. This involves implementing strong measures to verify the identity of users accessing electronic protected health information (ePHI). To comply with these standards, organizations should establish unique user IDs and enforce the use of strong passwords or passphrases. Additionally, implementing multi-factor authentication adds an extra layer of security by requiring users to provide additional verification, such as a code sent to their mobile device, in addition to their login credentials. By implementing robust user identification and authentication practices, organizations can ensure that only authorized individuals can access ePHI, reducing the risk of unauthorized disclosure and maintaining compliance with HIPAA and HITRUST 9.2 regulations.
+ section-code: user_identification_and_authentication
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_11110_01q1organizational
+ - id: azure_hipaa_hitrust_v92_11208_01q1organizational
+ - id: azure_hipaa_hitrust_v92_11210_01q2organizational
+ - id: azure_hipaa_hitrust_v92_11211_01q2organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
index 92c27d1ea..a311ba107 100755
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
+++ b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/azure_hipaa_hitrust_v92_vulnerability_management.yaml
@@ -1,27 +1,32 @@
-ID: azure_hipaa_hitrust_v92_vulnerability_management
-Title: Vulnerability Management
-Description: Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing.
-SectionCode: vulnerability_management
-Children:
- - azure_hipaa_hitrust_v92_0709_10m1organizational
- - azure_hipaa_hitrust_v92_0710_10m2organizational
- - azure_hipaa_hitrust_v92_0711_10m2organizational
- - azure_hipaa_hitrust_v92_0713_10m2organizational
- - azure_hipaa_hitrust_v92_0714_10m2organizational
- - azure_hipaa_hitrust_v92_0715_10m2organizational
- - azure_hipaa_hitrust_v92_0716_10m3organizational
- - azure_hipaa_hitrust_v92_0717_10m3organizational
- - azure_hipaa_hitrust_v92_0718_10m3organizational
- - azure_hipaa_hitrust_v92_0719_10m3organizational
-Controls: []
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_hipaa_hitrust_v92_vulnerability_management
+ title: Vulnerability Management
+ description: Applications developed by the organization are based on secure coding guidelines to prevent common vulnerabilities or undergo appropriate testing.
+ section-code: vulnerability_management
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ hipaa_hitrust_v92:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_hipaa_hitrust_v92_0709_10m1organizational
+ - id: azure_hipaa_hitrust_v92_0710_10m2organizational
+ - id: azure_hipaa_hitrust_v92_0711_10m2organizational
+ - id: azure_hipaa_hitrust_v92_0713_10m2organizational
+ - id: azure_hipaa_hitrust_v92_0714_10m2organizational
+ - id: azure_hipaa_hitrust_v92_0715_10m2organizational
+ - id: azure_hipaa_hitrust_v92_0716_10m3organizational
+ - id: azure_hipaa_hitrust_v92_0717_10m3organizational
+ - id: azure_hipaa_hitrust_v92_0718_10m3organizational
+ - id: azure_hipaa_hitrust_v92_0719_10m3organizational
diff --git a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/root.yaml b/compliance/frameworks/azure/azure_hipaa_hitrust_v92/root.yaml
deleted file mode 100755
index bde08212f..000000000
--- a/compliance/frameworks/azure/azure_hipaa_hitrust_v92/root.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-ID: azure_hipaa_hitrust_v92
-Title: HIPAA HITRUST 9.2
-Description: The HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.
-SectionCode: azure_hipaa_hitrust_v92
-Children:
- - azure_hipaa_hitrust_v92_privilege_management
- - azure_hipaa_hitrust_v92_user_authentication_for_external_connections
- - azure_hipaa_hitrust_v92_user_identification_and_authentication
- - azure_hipaa_hitrust_v92_endpoint_protection
- - azure_hipaa_hitrust_v92_portable_media_security
- - azure_hipaa_hitrust_v92_identification_of_risks_related_to_external_parties
- - azure_hipaa_hitrust_v92_configuration_management
- - azure_hipaa_hitrust_v92_vulnerability_management
- - azure_hipaa_hitrust_v92_network_protection
- - azure_hipaa_hitrust_v92_back_up
- - azure_hipaa_hitrust_v92_network_controls
- - azure_hipaa_hitrust_v92_on_line_transactions
- - azure_hipaa_hitrust_v92_transmission_protection
- - azure_hipaa_hitrust_v92_control_of_operational_software
- - azure_hipaa_hitrust_v92_access_control
- - azure_hipaa_hitrust_v92_audit_logging_and_monitoring
- - azure_hipaa_hitrust_v92_education_training_and_awareness
- - azure_hipaa_hitrust_v92_third_party_assurance
- - azure_hipaa_hitrust_v92_business_continuity_and_disaster_recovery
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- hipaa_hitrust_v92:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Laws & Regulations
- - Frameworks
- - Privacy
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb.yaml b/compliance/frameworks/azure/azure_msb/azure_msb.yaml
new file mode 100644
index 000000000..1e8de24cc
--- /dev/null
+++ b/compliance/frameworks/azure/azure_msb/azure_msb.yaml
@@ -0,0 +1,34 @@
+framework:
+ id: azure_msb
+ title: Azure MSB
+ description: Azure MSB
+ section-code: azure_msb_main
+ metadata:
+ defaults:
+ auto-assign: true
+ enabled: true
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v200_2
+ - id: azure_cis_v200_3
+ - id: azure_cis_v200_4
+ - id: azure_msb_5
+ - id: azure_cis_v200_6
+ - id: azure_cis_v200_7
+ - id: azure_cis_v200_8
+ - id: azure_cis_v200_9
+ - id: azure_cis_v200_10
+ - id: azure_msb_ask
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml b/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
index 3f0d67047..a203876cd 100755
--- a/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
+++ b/compliance/frameworks/azure/azure_msb/azure_msb_5.yaml
@@ -1,24 +1,29 @@
-ID: azure_msb_5
-Title: Logging and Monitoring
-Description: ""
-SectionCode: "5"
-Children:
- - azure_cis_v200_5_1
- - azure_cis_v200_5_2
- - azure_cis_v200_5_5
-Controls: []
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_msb_5
+ title: Logging and Monitoring
+ description: Logging and Monitoring
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_cis_v200_5_1
+ - id: azure_cis_v200_5_2
+ - id: azure_cis_v200_5_5
diff --git a/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml b/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
index 4622db0c1..25c42fc4b 100755
--- a/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
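Review bot: The last child reference, `- id: azure_msb_ask`, carries a transposed id for the AKS group: the file that defines it is `azure_msb_aks.yaml` (its hunk follows), so the reference resolves, but the typo is now frozen into a brand-new file and every report will show `azure_msb_ask` as the group id. Renaming it to `azure_msb_aks` here and in the `id:` line of the AKS hunk would fix both in one change. `description: Azure MSB` also only repeats the title; a one-sentence description of what the baseline covers would help. This is the only framework in the chunk that defaults to `auto-assign: true` / `enabled: true` while the HIPAA HITRUST and NIST frameworks default to false, so a short comment above `defaults:` explaining why it is on by default would spare the next reader a guess.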
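Review bot: `auto-assign: null` under `metadata.defaults` differs from the framework files, which use a real boolean (`auto-assign: true`/`false`), and the same `null` appears in every control-group hunk in this chunk (the AKS group, 3_1, 3_11, 3_11_2, 3_11_3, 3_13, 3_13_1). If `null` is meant as "inherit from the parent framework", a one-line comment beside the key, `auto-assign: null  # null = inherit the framework default`, would make that explicit; if it is not, `false` is the safer literal, since a loader that does not special-case null may treat the key as unset and fall back to its own default. `description: Logging and Monitoring` also merely restates the title, where the old side at least had an honest empty string.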
+++ b/compliance/frameworks/azure/azure_msb/azure_msb_aks.yaml
@@ -1,31 +1,36 @@
-ID: azure_msb_ask
-Title: AKS
-Description: ""
-SectionCode: "11"
-Children: []
-Controls:
- - azure_check_for_kubernetes_version
- - azure_enable_defender_for_cloud_for_aks_clusters
- - azure_enable_kubernetes_role_based_access_control
- - azure_kubernetes_api_version
- - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
- - azure_use_azure_cni_add_on_for_managing_network_resources
- - azure_use_microsoft_entra_id_integration_for_aks_clusters
- - azure_use_network_contributor_role_for_managing_azure_network_resources
- - azure_use_system_assigned_managed_identities_for_aks_clusters
- - azure_use_user_assigned_managed_identities_for_aks_clusters
-Tags:
- category:
- - Compliance
- cis:
- - "true"
- cis_section_id:
- - "5"
- cis_version:
- - v2.0.0
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_msb_ask
+ title: AKS
+ description: AKS
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ cis:
+ - "true"
+ cis_section_id:
+ - "5"
+ cis_version:
+ - v2.0.0
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_check_for_kubernetes_version
+ - azure_enable_defender_for_cloud_for_aks_clusters
+ - azure_enable_kubernetes_role_based_access_control
+ - azure_kubernetes_api_version
+ - azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
+ - azure_use_azure_cni_add_on_for_managing_network_resources
+ - azure_use_microsoft_entra_id_integration_for_aks_clusters
+ - azure_use_network_contributor_role_for_managing_azure_network_resources
+ - azure_use_system_assigned_managed_identities_for_aks_clusters
+ - azure_use_user_assigned_managed_identities_for_aks_clusters
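Review bot: The tags on this group assert `cis: "true"` and `cis_section_id: "5"`, yet the group's own `section-code` is `"11"` and its controls are named as AKS checks rather than the `azure_cis_v200_5_x` groups that `azure_msb_5` maps to section 5, so any filter or report keyed on the CIS tags will presumably mis-file this group under CIS logging. Either drop the `cis*` tags or set `cis_section_id` to a value that matches; the old side carried the same values, so the rewrite inherits rather than introduces the mismatch, but it is the natural moment to correct it. `id: azure_msb_ask` likewise keeps the transposed spelling of the filename `azure_msb_aks.yaml`, and `description: AKS` repeats the title.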
diff --git a/compliance/frameworks/azure/azure_msb/root.yaml b/compliance/frameworks/azure/azure_msb/root.yaml
deleted file mode 100755
index 556e956cc..000000000
--- a/compliance/frameworks/azure/azure_msb/root.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-ID: azure_msb
-Title: "Azure MSB"
-Description: "Azure MSB"
-SectionCode: "azure_msb_main"
-Children:
- - azure_cis_v200_2
- - azure_cis_v200_3
- - azure_cis_v200_4
- - azure_msb_5
- - azure_cis_v200_6
- - azure_cis_v200_7
- - azure_cis_v200_8
- - azure_cis_v200_9
- - azure_cis_v200_10
- - azure_msb_ask
-Controls: []
-Defaults:
- AutoAssign: true
- Enabled: true
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml
new file mode 100644
index 000000000..020b48d21
--- /dev/null
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2.yaml
@@ -0,0 +1,21 @@
+framework:
+ id: azure_nist_sp_800_171_rev_2
+ title: NIST SP 800-171 Revision 2
+ description: NIST SP 800-171 Revision 2 signifies a significant endeavor to enhance cybersecurity practices, specifically tailored for organizations engaging with the U.S. federal government.
+ section-code: azure_nist_sp_800_171_rev_2
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_1
+ - id: azure_nist_sp_800_171_rev_2_3_3
+ - id: azure_nist_sp_800_171_rev_2_3_4
+ - id: azure_nist_sp_800_171_rev_2_3_5
+ - id: azure_nist_sp_800_171_rev_2_3_6
+ - id: azure_nist_sp_800_171_rev_2_3_8
+ - id: azure_nist_sp_800_171_rev_2_3_11
+ - id: azure_nist_sp_800_171_rev_2_3_13
+ - id: azure_nist_sp_800_171_rev_2_3_14
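Review bot: `tags: {}` leaves this framework without the `plugin`/`service`/`type`/`category` tags that `azure_msb.yaml` and the HIPAA HITRUST framework in this same chunk carry; if those tags drive discovery or filtering, the NIST framework will not be listed alongside the others, so it is worth confirming the empty map is intentional. The description is also vague; `description: NIST SP 800-171 Revision 2 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations.` says what the framework is for. Only nine of the fourteen 800-171 requirement families appear under `control-group:`; a comment there noting that families without automatable Azure checks are intentionally omitted would stop the list being read as incomplete.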
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
index 5a84e2d86..24934c3e9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1.yaml
@@ -1,15 +1,20 @@
-ID: azure_nist_sp_800_171_rev_2_3_1
-Title: Access Control
-Description: This family of requirements deals with access to networks, systems, and information. The 22 different requirements help to ensure only authorized users access the system. Requirements also safeguard the flow of sensitive information within the network and provide guidance on network devices in the system.
-SectionCode: "3_1"
-Children:
- - azure_nist_sp_800_171_rev_2_3_1_1
- - azure_nist_sp_800_171_rev_2_3_1_2
- - azure_nist_sp_800_171_rev_2_3_1_3
- - azure_nist_sp_800_171_rev_2_3_1_4
- - azure_nist_sp_800_171_rev_2_3_1_5
- - azure_nist_sp_800_171_rev_2_3_1_12
- - azure_nist_sp_800_171_rev_2_3_1_13
- - azure_nist_sp_800_171_rev_2_3_1_14
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_1
+ title: Access Control
+ description: This family of requirements deals with access to networks, systems, and information. The 22 different requirements help to ensure only authorized users access the system. Requirements also safeguard the flow of sensitive information within the network and provide guidance on network devices in the system.
+ section-code: "3_1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_1_1
+ - id: azure_nist_sp_800_171_rev_2_3_1_2
+ - id: azure_nist_sp_800_171_rev_2_3_1_3
+ - id: azure_nist_sp_800_171_rev_2_3_1_4
+ - id: azure_nist_sp_800_171_rev_2_3_1_5
+ - id: azure_nist_sp_800_171_rev_2_3_1_12
+ - id: azure_nist_sp_800_171_rev_2_3_1_13
+ - id: azure_nist_sp_800_171_rev_2_3_1_14
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
index d7f2caf1c..7d28ae88d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
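Review bot: The description says the Access Control family has 22 requirements, but the group lists only eight children (3.1.1–3.1.5 and 3.1.12–3.1.14), so a compliance report for this group can read as fully assessed when fewer than half of the family's requirements have any check behind them. A comment under `control-group:` such as `# only requirements with automatable Azure checks are mapped; 3.1.6–3.1.11 and 3.1.15–3.1.22 are not assessed here` would make the partial coverage explicit to whoever reads the report. The same applies to the System and Communications Protection group (3_13) later in this chunk, which lists seven of that family's sixteen requirements.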
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11.yaml
@@ -1,9 +1,14 @@
-ID: azure_nist_sp_800_171_rev_2_3_11
-Title: Risk Assessment
-Description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
-SectionCode: "3_11"
-Children:
- - azure_nist_sp_800_171_rev_2_3_11_2
- - azure_nist_sp_800_171_rev_2_3_11_3
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_11
+ title: Risk Assessment
+ description: The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.
+ section-code: "3_11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_11_2
+ - id: azure_nist_sp_800_171_rev_2_3_11_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
index 8ad3e2252..a15937647 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_2.yaml
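Review bot: The description carries a vendor sentence, `Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts`, which names a third-party product and the wrong standard (800-53) inside an 800-171 framework; it reads as lifted from a marketing page and says nothing about the control family. Trimming the value to `description: The RA control family covers an organization's risk assessment policies and vulnerability scanning capabilities.` keeps the useful half. The old side had the same text, so the rewrite carries it forward rather than introducing it.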
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_171_rev_2_3_11_2
-Title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
-Description: 'Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). 
Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.'
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_11_2
+ title: 11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
+ description: "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. 
The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. 
Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning."
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_mssql_managed_instance_vulnerability_assessment_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_database_vulnerability_findings_resolved
+ - azure_sql_server_and_databases_va_enabled
+ - azure_sql_server_azure_defender_enabled
+ - azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
index 68758b3b0..1af66218d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_11_3.yaml
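Review bot: The description contains the doubled clause `... in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews`; dropping the trailing `and in source code reviews` removes the duplication without changing the meaning. The switch from single to double quotes is harmless here because the text contains no backslash or `"` characters, but a value this long on a single line is hard to review or diff; a folded block scalar (`description: >-`) with the paragraph wrapped underneath would read the same at runtime and keep future edits reviewable. The description is split across several page lines here, so whether the original file already wraps it cannot be told from the diff.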
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_171_rev_2_3_11_3
-Title: 11.3 Remediate vulnerabilities in accordance with risk assessments
-Description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_sql_server_azure_defender_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_11_3
+ title: 11.3 Remediate vulnerabilities in accordance with risk assessments
+ description: Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. 
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_mssql_managed_instance_vulnerability_assessment_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_database_vulnerability_findings_resolved
+ - azure_sql_server_and_databases_va_enabled
+ - azure_sql_server_azure_defender_enabled
+ - azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
index 7c4890bc1..3e47aad0b 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13.yaml
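Review bot: The `controls:` list is identical to the one under 3.11.2, yet this requirement is about remediating vulnerabilities according to risk, and thirteen of the fourteen checks only establish that a vulnerability assessment solution or Defender plan is enabled; only `azure_sql_database_vulnerability_findings_resolved` evidences that findings were actually closed. Reusing the enablement checks may be deliberate (you cannot remediate what you do not scan), but without a comment it looks like copy-paste and an auditor will read "enabled" as "remediated". A one-line comment above `controls:` stating the intent, or trimming the list to the checks that report on resolved findings, would make the mapping defensible.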
@@ -1,14 +1,19 @@
-ID: azure_nist_sp_800_171_rev_2_3_13
-Title: System and Communications Protection
-Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
-SectionCode: "3_13"
-Children:
- - azure_nist_sp_800_171_rev_2_3_13_1
- - azure_nist_sp_800_171_rev_2_3_13_2
- - azure_nist_sp_800_171_rev_2_3_13_5
- - azure_nist_sp_800_171_rev_2_3_13_6
- - azure_nist_sp_800_171_rev_2_3_13_8
- - azure_nist_sp_800_171_rev_2_3_13_10
- - azure_nist_sp_800_171_rev_2_3_13_16
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13
+ title: System and Communications Protection
+ description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others.
+ section-code: "3_13"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_13_1
+ - id: azure_nist_sp_800_171_rev_2_3_13_2
+ - id: azure_nist_sp_800_171_rev_2_3_13_5
+ - id: azure_nist_sp_800_171_rev_2_3_13_6
+ - id: azure_nist_sp_800_171_rev_2_3_13_8
+ - id: azure_nist_sp_800_171_rev_2_3_13_10
+ - id: azure_nist_sp_800_171_rev_2_3_13_16
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
index fe3e39b22..03173f2f7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_1.yaml
@@ -1,51 +1,56 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_1
-Title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
-Description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. 
-SectionCode: "1"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - 
azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_1
+ title: 13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
+ description: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. 
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_service_local_auth_disabled
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - 
azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
index 0135c90c5..d94ddfad9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_10.yaml
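Review bot: The controls list mixes `azure_postgres_server_private_link_used` with `azure_postgresql_server_public_network_access_disabled`, two spellings of the same service prefix; if both ids exist in the control catalog this is only cosmetic, but if one was mistyped the loader will reference a control that does not exist, and nothing in this file would flag it, so the pair is worth checking against the catalog (it is inherited from the old side). Style-wise, the description is one very long plain scalar on a single line; `description: >-` with the paragraph wrapped underneath would read the same at runtime and keep the file reviewable, and the same applies to the long descriptions of 3.11.2 and 3.13.10 in this chunk. The page breaks two list items mid-word (`- \n azure_storage_account_...`), which looks like rendering damage rather than file content, but it is worth a glance at the committed file to be sure no item is split.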
@@ -1,31 +1,36 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_10
-Title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
-Description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
-SectionCode: "10"
-Children: []
-Controls:
- - azure_batch_account_encrypted_with_cmk
- - azure_cognitive_account_encrypted_with_cmk
- - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
- - azure_compute_os_and_data_disk_encrypted_with_cmk
- - azure_container_instance_container_group_encrypted_using_cmk
- - azure_container_registry_encrypted_with_cmk
- - azure_cosmosdb_account_encryption_at_rest_using_cmk
- - azure_data_factory_encrypted_with_cmk
- - azure_eventhub_namespace_cmk_encryption_enabled
- - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
- - azure_hdinsight_cluster_encryption_at_host_enabled
- - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
- - azure_hpc_cache_encrypted_with_cmk
- - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
- - azure_kusto_cluster_encrypted_at_rest_with_cmk
- - azure_machine_learning_workspace_encrypted_with_cmk
- - azure_mssql_managed_instance_encryption_at_rest_using_cmk
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_servicebus_premium_namespace_cmk_encrypted
- - azure_sql_server_tde_protector_cmk_encrypted
- - azure_storage_account_encryption_at_rest_using_cmk
- - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- - azure_synapse_workspace_encryption_at_rest_using_cmk
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_10
+ title: 13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
+ description: Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, policies, directives, regulations, and standards specifying appropriate options, levels, and parameters.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_batch_account_encrypted_with_cmk
+ - azure_cognitive_account_encrypted_with_cmk
+ - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed
+ - azure_compute_os_and_data_disk_encrypted_with_cmk
+ - azure_container_instance_container_group_encrypted_using_cmk
+ - azure_container_registry_encrypted_with_cmk
+ - azure_cosmosdb_account_encryption_at_rest_using_cmk
+ - azure_data_factory_encrypted_with_cmk
+ - azure_eventhub_namespace_cmk_encryption_enabled
+ - azure_hdinsight_cluster_encrypted_at_rest_with_cmk
+ - azure_hdinsight_cluster_encryption_at_host_enabled
+ - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk
+ - azure_hpc_cache_encrypted_with_cmk
+ - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+ - azure_kusto_cluster_encrypted_at_rest_with_cmk
+ - azure_machine_learning_workspace_encrypted_with_cmk
+ - azure_mssql_managed_instance_encryption_at_rest_using_cmk
+ - azure_mysql_server_encrypted_at_rest_using_cmk
+ - azure_postgres_sql_server_encrypted_at_rest_using_cmk
+ - azure_servicebus_premium_namespace_cmk_encrypted
+ - azure_sql_server_tde_protector_cmk_encrypted
+ - azure_storage_account_encryption_at_rest_using_cmk
+ - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
+ - azure_synapse_workspace_encryption_at_rest_using_cmk
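Review bot: `auto-assign: null` sits beside `enabled: false` and `tracks-drift-events: false` in the same defaults stanza, and nothing in the file says whether null is a deliberate third state (inherit from the framework) or a placeholder that should read `false`; the same `auto-assign: null` appears in every control-group hunk that follows (3_13_16, 3_13_2, 3_13_5, 3_13_6, 3_13_8, 3_14, 3_14_1), so a one-line comment at this first occurrence would settle it, e.g. `auto-assign: null  # null = inherit framework default; false = never auto-assign` if that is the loader's contract. On content, every control mapped to 13.10 checks that a customer-managed key is in use, and none of the listed ids addresses key lifecycle (rotation or expiry), which is the substance of "establish and manage cryptographic keys"; if such a control exists in this repository it belongs in this list as well.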
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
index b3b6fa0c9..171db311c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_16.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_16
-Title: 13.16 Protect the confidentiality of CUI at rest
-Description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
-SectionCode: "16"
-Children: []
-Controls:
- - azure_app_service_environment_internal_encryption_enabled
- - azure_automation_account_variable_encryption_enabled
- - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
- - azure_databox_edge_device_double_encryption_enabled
- - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_kusto_cluster_double_encryption_enabled
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_infrastructure_encryption_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_16
+ title: 13.16 Protect the confidentiality of CUI at rest
+ description: Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_app_service_environment_internal_encryption_enabled
+ - azure_automation_account_variable_encryption_enabled
+ - azure_compute_vm_and_sacle_set_encryption_at_host_enabled
+ - azure_databox_edge_device_double_encryption_enabled
+ - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host
+ - azure_kusto_cluster_disk_encryption_enabled
+ - azure_kusto_cluster_double_encryption_enabled
+ - azure_mysql_server_infrastructure_encryption_enabled
+ - azure_postgresql_server_infrastructure_encryption_enabled
+ - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+ - azure_sql_server_transparent_data_encryption_enabled
+ - azure_storage_account_infrastructure_encryption_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
index 8a9a9ab16..7bb6d8aa0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_2.yaml
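Review bot: `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` carries the misspelling "sacle" over from the old file, and a control reference is only as good as the definition it resolves to; confirm the control is defined under exactly that id, because if the definition is spelled "scale" this entry is dangling and 13.16 silently loses its VM/scale-set encryption-at-host check. If the id is intentionally preserved for compatibility with the existing definition, a comment on that line, `# id kept as-is (sic) to match the control definition`, would stop the next reader from "fixing" it.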
@@ -1,51 +1,56 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_2
-Title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
-Description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_2
+ title: 13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
+ description: Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_service_local_auth_disabled
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
index 05ea0706d..21b17ee72 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_5.yaml
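Review bot: The 44-entry controls list under 13.2 is identical, entry for entry, to the list under 13.5 in the next hunk and to the `section-code: "1"` list at the top of this chunk, so every future addition has to be hand-copied into three files and the lists will drift apart unnoticed. A short comment above `controls:`, `# shared network-isolation control set; keep in sync with 3_13_1 and 3_13_5`, would at least make the coupling visible to the next editor. Separately, 13.2 asks for security-engineering principles in system design, and a list made up entirely of private-link, public-network-access and WAF checks reads as a loose mapping; that may be intentional, but a one-line rationale comment would save auditors the question.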
@@ -1,51 +1,56 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_5
-Title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
-Description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_cognitive_account_private_link_used
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_redis_cache_uses_private_link
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_5
+ title: 13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
+ description: Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_service_local_auth_disabled
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
index 8d3c2cc33..8838ed2aa 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_6.yaml
@@ -1,27 +1,32 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_6
-Title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
-Description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
-SectionCode: "6"
-Children: []
-Controls:
- - azure_application_gateway_waf_enabled
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_cosmosdb_account_with_firewall_rules
- - azure_frontdoor_waf_enabled
- - azure_keyvault_firewall_enabled
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_public_network_access_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_postgresql_server_public_network_access_disabled
- - azure_search_service_public_network_access_disabled
- - azure_sql_db_public_network_access_disabled
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_6
+ title: 13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
+ description: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_application_gateway_waf_enabled
+ - azure_cognitive_service_local_auth_disabled
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_frontdoor_waf_enabled
+ - azure_keyvault_firewall_enabled
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_search_service_public_network_access_disabled
+ - azure_sql_db_public_network_access_disabled
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
index 010af568b..0ae4abe83 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_13_8.yaml
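Review bot: `azure_cognitive_service_local_auth_disabled` is, going by its name, an authentication control (local/key-based auth switched off) rather than a network deny-by-default check, so it looks out of place under 13.6; the same id also sits in the 13.2 and 13.5 lists above, where the fit is equally loose. If it is kept here, a comment on that line explaining why it is treated as a boundary control would avoid the question being re-raised at every review. The description also covers outbound traffic, yet every listed control appears to gate inbound or public access; whether this repository has any outbound deny-by-default control is not visible from the hunk, but if one exists it belongs in this list.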
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_171_rev_2_3_13_8
-Title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
-Description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
-SectionCode: "8"
-Children: []
-Controls:
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_function_app_ftps_enabled
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_appservice_web_app_ftps_enabled
- - azure_appservice_web_app_use_https
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_redis_cache_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_13_8
+ title: 13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
+ description: This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_function_app_ftps_enabled
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_appservice_web_app_ftps_enabled
+ - azure_appservice_web_app_use_https
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_ssl_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
index 25d7bfb02..9d03fbf94 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14.yaml
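Review bot: The function app is covered by both `azure_appservice_function_app_latest_tls_version` and `azure_appservice_function_app_only_https_accessible`, the web app by `azure_appservice_web_app_use_https` and `azure_appservice_web_app_ftps_enabled` with no TLS-version counterpart, and the API app by the TLS-version check alone; that asymmetry looks accidental rather than designed. If web-app and API-app equivalents of the missing checks exist in this repository they belong in this list, since 13.8 is precisely about the confidentiality of data in transit and a stale minimum TLS version defeats it as surely as plain HTTP does. If the gap is deliberate (for instance because those controls do not exist yet), a comment above `controls:` saying so would keep the next reviewer from re-raising it.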
@@ -1,14 +1,19 @@
-ID: azure_nist_sp_800_171_rev_2_3_14
-Title: System and Information Integrity
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: "3_14"
-Children:
- - azure_nist_sp_800_171_rev_2_3_14_1
- - azure_nist_sp_800_171_rev_2_3_14_2
- - azure_nist_sp_800_171_rev_2_3_14_3
- - azure_nist_sp_800_171_rev_2_3_14_4
- - azure_nist_sp_800_171_rev_2_3_14_5
- - azure_nist_sp_800_171_rev_2_3_14_6
- - azure_nist_sp_800_171_rev_2_3_14_7
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14
+ title: System and Information Integrity
+ description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+ section-code: "3_14"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_14_1
+ - id: azure_nist_sp_800_171_rev_2_3_14_2
+ - id: azure_nist_sp_800_171_rev_2_3_14_3
+ - id: azure_nist_sp_800_171_rev_2_3_14_4
+ - id: azure_nist_sp_800_171_rev_2_3_14_5
+ - id: azure_nist_sp_800_171_rev_2_3_14_6
+ - id: azure_nist_sp_800_171_rev_2_3_14_7
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
index ceb8e1ff5..065dcd8bb 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_1
-Title: 14.1 Identify, report, and correct system flaws in a timely manner
-Description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_1
+ title: 14.1 Identify, report, and correct system flaws in a timely manner
+ description: Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_function_app_latest_http_version
+ - azure_appservice_web_app_latest_http_version
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
index 54387a54c..dbc967683 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_2.yaml
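Review bot: The old file always carried both `Children` and `Controls`, writing `[]` for whichever was empty; the rewritten leaf file omits `control-group` entirely, and the parent 3_14 file in the previous hunk omits `controls`. If the loader reads those keys without a presence check, an absent key surfaces as `null` rather than an empty list, which is a different value from what the old schema guaranteed. Either confirm the loader tolerates the missing key, or keep it explicit, `control-group: []` here and `controls: []` in the 3_14 group. The same shape recurs in 3_14_2 through 3_14_7.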
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_2
-Title: 14.2 Provide protection from malicious code at designated locations within organizational systems
-Description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_2
+ title: 14.2 Provide protection from malicious code at designated locations within organizational systems
+ description: Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code.
In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_malware_agent_automatic_upgrade_enabled
+ - azure_compute_vm_malware_agent_installed
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
index 1aadc57fa..17768ee12 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_3.yaml
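Review bot: The rewritten `description` carries forward two spelling defects from the old text, `remoteaccess` and `reputationbased`, which should read `remote-access` and `reputation-based`; the second also appears in the 3_14_4 description. Since the commit rewrites every line of these files anyway, fixing them here avoids propagating a garbled quotation of the control text into the new schema.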
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_3
-Title: 14.3 Monitor system security alerts and advisories and take action in response
-Description: There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_3
+ title: 14.3 Monitor system security alerts and advisories and take action in response
+ description: There are many publicly available sources of system security alerts and advisories.
For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
index ab90ce6a7..4e89ff1a3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_4.yaml
@@ -1,10 +1,15 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_4
-Title: 14.4 Update malicious code protection mechanisms when new releases are available
-Description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_4
+ title: 14.4 Update malicious code protection mechanisms when new releases are available
+ description: Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software.
This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_malware_agent_automatic_upgrade_enabled
+ - azure_compute_vm_malware_agent_installed
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
index 92c159fb1..801af5bd6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_5.yaml
@@ -1,11 +1,16 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_5
-Title: 14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
-Description: Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_compute_vm_malware_agent_automatic_upgrade_enabled
- - azure_compute_vm_malware_agent_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_5
+ title: 14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
+ description: Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_malware_agent_automatic_upgrade_enabled
+ - azure_compute_vm_malware_agent_installed
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
index daf465b4c..683aa90b8 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_6.yaml
@@ -1,29 +1,34 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_6
-Title: 14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
-Description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
-SectionCode: "6"
-Children: []
-Controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_6
+ title: 14.6 Monitor organizational systems, including inbound and
outbound communications traffic, to detect attacks and indicators of potential attacks
+ description: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_network_watcher_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
+ - azure_sql_server_azure_defender_enabled
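Review bot: `title` and `description` are written as single plain scalars, and in this file they are long enough that neither can be reviewed line by line or diffed usefully when a sentence changes. A folded block scalar, `description: >-` followed by the text wrapped at a readable width, yields the identical runtime string (single line breaks fold to spaces, the trailing newline is stripped) while keeping each physical line short; the same treatment fits the 14.6 title and the equally long descriptions in 3_14_1 and 3_14_7. The control set itself is unchanged from the old side, so this is purely a point of how the new files are written.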
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
index 8c7f1290e..8d932c3a4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_14_7.yaml
@@ -1,26 +1,31 @@
-ID: azure_nist_sp_800_171_rev_2_3_14_7
-Title: 14.7 Identify unauthorized use of organizational systems
-Description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_14_7
+ title: 14.7 Identify unauthorized use of organizational systems
+ description: System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs.
Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_network_watcher_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
index 40cfb0017..4f15a4857 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_1.yaml
@@ -1,53 +1,58 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_1 -Title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) -Description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. -SectionCode: "1" -Children: [] -Controls: - - azure_app_configuration_private_link_used - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_function_app_remote_debugging_disabled - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_web_app_uses_managed_identity - - azure_cognitive_account_private_link_used - - azure_cognitive_service_local_auth_disabled - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_account_with_password_linux - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux - - azure_compute_vm_ssh_key_authentication_linux - - azure_compute_vm_uses_azure_resource_manager - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - 
azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_iam_deprecated_account_with_owner_roles - - azure_iam_deprecated_account - - azure_iam_external_user_with_owner_role - - azure_iam_external_user_with_read_permission - - azure_iam_external_user_with_write_permission - - azure_iam_no_custom_role - - azure_iam_subscription_owner_max_3 - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - azure_redis_cache_uses_private_link - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_azure_ad_authentication_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_uses_azure_resource_manager - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_1 + title: 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems) + description: Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. 
Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_app_configuration_private_link_used + - azure_appservice_api_app_remote_debugging_disabled + - azure_appservice_function_app_remote_debugging_disabled + - azure_appservice_function_app_uses_managed_identity + - azure_appservice_web_app_uses_managed_identity + - azure_cognitive_account_private_link_used + - azure_cognitive_service_local_auth_disabled + - azure_compute_disk_access_uses_private_link + - azure_compute_vm_account_with_password_linux + - azure_compute_vm_guest_configuration_installed_linux + - azure_compute_vm_guest_configuration_with_no_managed_identity + - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity + - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux + - azure_compute_vm_ssh_key_authentication_linux + - azure_compute_vm_uses_azure_resource_manager + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_healthcare_fhir_uses_private_link + - azure_iam_deprecated_account_with_owner_roles + - azure_iam_deprecated_account + - azure_iam_external_user_with_owner_role + - azure_iam_external_user_with_read_permission + - azure_iam_external_user_with_write_permission + - azure_iam_no_custom_role + - azure_iam_subscription_owner_max_3 + - azure_keyvault_vault_private_link_used + - 
azure_mysql_server_private_link_used + - azure_postgres_server_private_link_used + - azure_redis_cache_uses_private_link + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_servicefabric_cluster_active_directory_authentication_enabled + - azure_signalr_service_private_link_used + - azure_spring_cloud_service_network_injection_enabled + - azure_sql_server_azure_ad_authentication_enabled + - azure_sql_server_uses_private_link + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_uses_azure_resource_manager + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml index 4b4f3121a..3a76d9f78 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_12.yaml 
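Review bot: `auto-assign: null` under the new `metadata.defaults` is the only non-boolean default in the block, while `enabled` and `tracks-drift-events` are explicit `false`; whether the loader treats `null` as "inherit from the parent framework" or merely as falsy is not visible here, and a control group that silently becomes auto-assigned changes which checks are active on an account. If inheritance is the intent, a one-line comment such as `# null = inherit auto-assign from the parent framework` keeps the next editor from "fixing" it to `false`. Separately, the `description:` line still carries the typo `verses non-privileged` (copied from the removed line); `versus` is the word auditors will expect.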
@@ -1,37 +1,42 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_12 -Title: 1.12 Monitor and control remote access sessions -Description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). 
-SectionCode: "12" -Children: [] -Controls: - - azure_app_configuration_private_link_used - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_function_app_remote_debugging_disabled - - azure_cognitive_account_private_link_used - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_guest_configuration_installed_linux - - azure_compute_vm_guest_configuration_with_no_managed_identity - - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity - - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - azure_redis_cache_uses_private_link - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_12 + title: 1.12 Monitor and control remote access sessions + description: Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. 
Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). + section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_app_configuration_private_link_used + - azure_appservice_api_app_remote_debugging_disabled + - azure_appservice_function_app_remote_debugging_disabled + - azure_cognitive_account_private_link_used + - azure_compute_disk_access_uses_private_link + - azure_compute_vm_guest_configuration_installed_linux + - azure_compute_vm_guest_configuration_with_no_managed_identity + - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity + - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_healthcare_fhir_uses_private_link + - azure_keyvault_vault_private_link_used + - azure_mysql_server_private_link_used + 
- azure_postgres_server_private_link_used + - azure_redis_cache_uses_private_link + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_signalr_service_private_link_used + - azure_spring_cloud_service_network_injection_enabled + - azure_sql_server_uses_private_link + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml index fe47774de..06187c26e 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_13.yaml 
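Review bot: Every entry in the new `controls` list is a Private Link / network-isolation check or a remote-debugging check, so the "monitor" half of 3.1.12 has no coverage — nothing here detects, logs or audits a remote access session. The preceding 3.14.6 group already references monitoring controls such as `azure_network_watcher_enabled`, `azure_compute_vm_network_traffic_data_collection_linux_agent_installed` and `azure_compute_vm_network_traffic_data_collection_windows_agent_installed`, which look like the natural additions for this requirement; confirm they resolve as standalone control IDs before adding them. `azure_compute_vm_jit_access_protected` (used under 3.1.3) is also the one control in this corpus that actually gates a remote session rather than the network path to a PaaS endpoint.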
@@ -1,31 +1,36 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_13 -Title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions -Description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. -SectionCode: "13" -Children: [] -Controls: - - azure_app_configuration_private_link_used - - azure_cognitive_account_private_link_used - - azure_compute_disk_access_uses_private_link - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - azure_redis_cache_uses_private_link - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_13 + title: 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions + description: Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. 
+ section-code: "13" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_app_configuration_private_link_used + - azure_cognitive_account_private_link_used + - azure_compute_disk_access_uses_private_link + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_healthcare_fhir_uses_private_link + - azure_keyvault_vault_private_link_used + - azure_mysql_server_private_link_used + - azure_postgres_server_private_link_used + - azure_redis_cache_uses_private_link + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_signalr_service_private_link_used + - azure_spring_cloud_service_network_injection_enabled + - azure_sql_server_uses_private_link + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml index 906331c46..d46d5a916 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_14.yaml 
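Review bot: The requirement is cryptographic protection of remote sessions, yet none of the 24 controls listed checks encryption — all are Private Link / network-path checks (and `azure_search_service_uses_sku_supporting_private_link` checks a SKU, not a setting). Private Link keeps traffic off the public Internet but is not a cryptographic mechanism, so an assessor relying on this mapping could mark 3.1.13 as passing with TLS disabled or a weak minimum TLS version on every endpoint. If the repository has HTTPS-only / minimum-TLS-version controls for storage, App Service, SQL and Redis, they belong here; at minimum add a comment above `controls:` such as `# NOTE: network-isolation proxies only; no control here verifies encryption in transit` so the gap is visible to whoever consumes the framework.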
@@ -1,31 +1,36 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_14 -Title: 1.14 Route remote access via managed access control points -Description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI. -SectionCode: "14" -Children: [] -Controls: - - azure_app_configuration_private_link_used - - azure_cognitive_account_private_link_used - - azure_compute_disk_access_uses_private_link - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_vault_private_link_used - - azure_mysql_server_private_link_used - - azure_postgres_server_private_link_used - - azure_redis_cache_uses_private_link - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_spring_cloud_service_network_injection_enabled - - azure_sql_server_uses_private_link - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_14 + title: 1.14 Route remote access via managed access control points + description: Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI. 
+ section-code: "14" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_app_configuration_private_link_used + - azure_cognitive_account_private_link_used + - azure_compute_disk_access_uses_private_link + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_healthcare_fhir_uses_private_link + - azure_keyvault_vault_private_link_used + - azure_mysql_server_private_link_used + - azure_postgres_server_private_link_used + - azure_redis_cache_uses_private_link + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_signalr_service_private_link_used + - azure_spring_cloud_service_network_injection_enabled + - azure_sql_server_uses_private_link + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml index ef5da2a68..50e9090eb 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_2.yaml 
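Review bot: The `controls` list here is byte-identical to the one under 3.1.13, which suggests the mapping was cloned rather than derived from the requirement text ("managed access control points"). Private Link endpoints do qualify as a managed ingress path for PaaS services, but the controls that most directly express a managed access control point for VMs — `azure_compute_vm_jit_access_protected`, `azure_network_security_group_remote_access_restricted` and `azure_compute_vm_remote_access_restricted_all_ports`, all already used under 3.1.3 — are missing. Adding those (or a comment explaining why the 3.1.13 list is intentionally reused) would make the two groups distinguishable for an assessor.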
@@ -1,22 +1,27 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_2 -Title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute -Description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). -SectionCode: "2" -Children: [] -Controls: - - azure_appservice_api_app_remote_debugging_disabled - - azure_appservice_function_app_remote_debugging_disabled - - azure_appservice_function_app_uses_managed_identity - - azure_appservice_web_app_uses_managed_identity - - azure_cognitive_service_local_auth_disabled - - azure_compute_vm_uses_azure_resource_manager - - azure_iam_deprecated_account_with_owner_roles - - azure_iam_deprecated_account - - azure_iam_external_user_with_owner_role - - azure_iam_external_user_with_read_permission - - azure_iam_external_user_with_write_permission - - azure_iam_no_custom_role - - azure_servicefabric_cluster_active_directory_authentication_enabled - - azure_sql_server_azure_ad_authentication_enabled - - azure_storage_account_uses_azure_resource_manager -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_2 + title: 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute + description: Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. 
System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). + section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_appservice_api_app_remote_debugging_disabled + - azure_appservice_function_app_remote_debugging_disabled + - azure_appservice_function_app_uses_managed_identity + - azure_appservice_web_app_uses_managed_identity + - azure_cognitive_service_local_auth_disabled + - azure_compute_vm_uses_azure_resource_manager + - azure_iam_deprecated_account_with_owner_roles + - azure_iam_deprecated_account + - azure_iam_external_user_with_owner_role + - azure_iam_external_user_with_read_permission + - azure_iam_external_user_with_write_permission + - azure_iam_no_custom_role + - azure_servicefabric_cluster_active_directory_authentication_enabled + - azure_sql_server_azure_ad_authentication_enabled + - azure_storage_account_uses_azure_resource_manager diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml index bb92e77a7..c53cfaf3d 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_3.yaml 
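Review bot: The `description:` value carries over the extraction defects of the removed line: `point-oforigin` should be `point-of-origin`, `(e.g., system upgrades scheduled maintenance,)` should read `(e.g., system upgrades, scheduled maintenance)`, and `requirements, (e.g.,` has a stray comma before the parenthesis. Since the file is being rewritten wholesale in this commit, this is the cheapest moment to correct text that will be rendered to auditors verbatim. The plain (unquoted) scalar is otherwise safe here — the text contains no `: ` or ` #` sequences.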
@@ -1,50 +1,55 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_3 -Title: 1.3 Control the flow of CUI in accordance with approved authorizations -Description: 'Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. 
In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.' -SectionCode: "3" -Children: [] -Controls: - - azure_apimanagement_service_with_virtual_network - - azure_app_configuration_private_link_used - - azure_appservice_web_app_cors_no_star - - azure_cognitive_account_private_link_used - - azure_cognitive_service_local_auth_disabled - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_jit_access_protected - - azure_compute_vm_remote_access_restricted_all_ports - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_restrict_public_access - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_cosmosdb_account_with_firewall_rules - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_firewall_enabled - - azure_keyvault_vault_private_link_used - - azure_kubernetes_cluster_authorized_ip_range_defined - - azure_mariadb_server_public_network_access_disabled - - azure_mysql_server_private_link_used - - azure_mysql_server_public_network_access_disabled - - azure_network_interface_ip_forwarding_disabled - - azure_network_security_group_remote_access_restricted - - azure_network_security_group_subnet_associated - - azure_postgres_server_private_link_used - - azure_postgresql_server_public_network_access_disabled - - 
azure_redis_cache_uses_private_link - - azure_search_service_public_network_access_disabled - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_sql_db_public_network_access_disabled - - azure_sql_server_uses_private_link - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_restrict_network_access - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_3 + title: 1.3 Control the flow of CUI in accordance with approved authorizations + description: "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. 
Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels." 
+ section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_apimanagement_service_with_virtual_network + - azure_app_configuration_private_link_used + - azure_appservice_web_app_cors_no_star + - azure_cognitive_account_private_link_used + - azure_cognitive_service_local_auth_disabled + - azure_compute_disk_access_uses_private_link + - azure_compute_vm_jit_access_protected + - azure_compute_vm_remote_access_restricted_all_ports + - azure_compute_vm_tcp_udp_access_restricted_internet + - azure_container_registry_restrict_public_access + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_cosmosdb_account_with_firewall_rules + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_healthcare_fhir_uses_private_link + - azure_keyvault_firewall_enabled + - azure_keyvault_vault_private_link_used + - azure_kubernetes_cluster_authorized_ip_range_defined + - azure_mariadb_server_public_network_access_disabled + - azure_mysql_server_private_link_used + - azure_mysql_server_public_network_access_disabled + - azure_network_interface_ip_forwarding_disabled + - azure_network_security_group_remote_access_restricted + - azure_network_security_group_subnet_associated + - azure_postgres_server_private_link_used + - azure_postgresql_server_public_network_access_disabled + - azure_redis_cache_uses_private_link + - azure_search_service_public_network_access_disabled + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_signalr_service_private_link_used + - azure_sql_db_public_network_access_disabled + - azure_sql_server_uses_private_link + - azure_storage_account_block_public_access + - 
azure_storage_account_default_network_access_rule_denied + - azure_storage_account_restrict_network_access + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml index 01b3bc84e..e9105e98f 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_4.yaml 
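Review bot: The `description:` value was switched from single to double quotes; it parses identically today because the text has no backslashes or double quotes, but double-quoted YAML scalars process `\` escapes, so the single-quoted form (or a `>-` folded block, which would also break this ~1,800-character line into readable width) is the safer style for a literal prose value. Quoting is required in either form because the text contains `following: keeping` and `includes: prohibiting`, which an unquoted scalar would mis-parse as mappings. The text also keeps two typos from the removed line: `exportcontrolled` → `export-controlled` and `packetfiltering` → `packet-filtering`.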
@@ -1,8 +1,13 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_4 -Title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion -Description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. -SectionCode: "4" -Children: [] -Controls: - - azure_iam_subscription_owner_more_than_1 -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_4 + title: 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion + description: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. 
Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. + section-code: "4" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_iam_subscription_owner_more_than_1 diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml index 1f2277c09..83a7159be 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_1_5.yaml 
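Review bot: `azure_iam_subscription_owner_more_than_1` is the only control left backing 3.1.4 on the new side, and a check that a subscription has more than one Owner does not establish separation of duties — two principals who both hold Owner share every privilege rather than dividing them. If the mapping is meant as a "no single all-powerful account" proxy, say so above the entry so an assessor does not read it as a real separation check, e.g. `# proxy only: ensures no lone Owner; does not verify that access-control and audit administration are held by different people`. Separately, `auto-assign: null` leaves the default as a YAML null rather than a boolean; if the loader decodes it into a plain bool it silently becomes false and the `null` carries no information, so either write `auto-assign: false` or document what "unset" inherits from.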
@@ -1,9 +1,14 @@ -ID: azure_nist_sp_800_171_rev_2_3_1_5 -Title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts -Description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. -SectionCode: "5" -Children: [] -Controls: - - azure_iam_no_custom_role - - azure_iam_subscription_owner_max_3 -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_1_5 + title: 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts + description: Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. 
The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_iam_no_custom_role + - azure_iam_subscription_owner_max_3 diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml index 100b267ab..8f15c1087 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3.yaml 
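Review bot: `azure_iam_no_custom_role` pulls against the least-privilege requirement it is mapped to here — narrowly scoped custom roles are the normal way to avoid handing out built-in Owner/Contributor, so a blanket "no custom roles" check penalises exactly the design 3.1.5 asks for. If the control in fact only flags custom roles that grant Owner-equivalent (`*`) actions, as the corresponding CIS Azure item does, state that above the entry, `# flags only custom roles with Owner-equivalent (*) actions; scoped custom roles are expected under least privilege`; if it really rejects any custom role it does not belong under this requirement. `enabled: false` as the default for this and every sibling group in the change also means nothing is evaluated until each group is toggled on, which is worth confirming is intended for a schema migration.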
@@ -1,11 +1,16 @@
-ID: azure_nist_sp_800_171_rev_2_3_3
-Title: Audit and Accountability
-Description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
-SectionCode: "3_3"
-Children:
- - azure_nist_sp_800_171_rev_2_3_3_1
- - azure_nist_sp_800_171_rev_2_3_3_2
- - azure_nist_sp_800_171_rev_2_3_3_4
- - azure_nist_sp_800_171_rev_2_3_3_5
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_3
+ title: Audit and Accountability
+ description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+ section-code: "3_3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_3_1
+ - id: azure_nist_sp_800_171_rev_2_3_3_2
+ - id: azure_nist_sp_800_171_rev_2_3_3_4
+ - id: azure_nist_sp_800_171_rev_2_3_3_5
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
index fd315e616..1ec82a800 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_1.yaml
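Review bot: The nested `control-group` list references only 3.3.1, 3.3.2, 3.3.4 and 3.3.5, while SP 800-171 rev 2 defines nine requirements in the AU family (3.3.1–3.3.9), so 3.3.3 (review and update logged events), 3.3.6 (audit reduction and report generation), 3.3.7 (time synchronisation), 3.3.8 (protect audit information) and 3.3.9 (limit audit-log management to privileged users) are silently absent. Some of those are procedural, but 3.3.8 and 3.3.9 concern who can reach and alter the log destination and are checkable in Azure, so a reader of this framework will over-estimate its coverage. A comment above `control-group:` naming the unmapped requirements, e.g. `# 3.3.3 and 3.3.6–3.3.9 have no automated controls in this pack and are not assessed`, makes the gap explicit without inventing mappings.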
@@ -1,40 +1,45 @@ -ID: azure_nist_sp_800_171_rev_2_3_3_1 -Title: 3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity -Description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. 
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. 
-SectionCode: "1" -Children: [] -Controls: - - azure_appservice_web_app_diagnostic_logs_enabled - - azure_arc_compute_machine_linux_log_analytics_agent_installed - - azure_arc_compute_machine_windows_log_analytics_agent_installed - - azure_batch_account_logging_enabled - - azure_compute_vm_guest_configuration_installed - - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity - - azure_compute_vm_log_analytics_agent_installed - - azure_compute_vm_network_traffic_data_collection_linux_agent_installed - - azure_compute_vm_network_traffic_data_collection_windows_agent_installed - - azure_compute_vm_scale_set_log_analytics_agent_installed - - azure_datalake_analytics_account_logging_enabled - - azure_datalake_store_account_logging_enabled - - azure_eventhub_namespace_logging_enabled - - azure_iot_hub_logging_enabled - - azure_keyvault_logging_enabled - - azure_logic_app_workflow_logging_enabled - - azure_network_watcher_enabled - - azure_search_service_logging_enabled - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_database - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_servicebus_namespace_logging_enabled - - azure_sql_server_auditing_on - - azure_sql_server_auditing_storage_account_destination_retention_90_days - - azure_sql_server_azure_defender_enabled - - azure_stream_analytics_job_logging_enabled -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_3_1 + title: 3.1 Create and retain system audit logs and records to the extent needed to enable the 
monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity + description: An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. + section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_appservice_web_app_diagnostic_logs_enabled + - azure_arc_compute_machine_linux_log_analytics_agent_installed + - azure_arc_compute_machine_windows_log_analytics_agent_installed + - azure_batch_account_logging_enabled + - azure_compute_vm_guest_configuration_installed + - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity + - azure_compute_vm_log_analytics_agent_installed + - azure_compute_vm_network_traffic_data_collection_linux_agent_installed + - azure_compute_vm_network_traffic_data_collection_windows_agent_installed + - azure_compute_vm_scale_set_log_analytics_agent_installed + - azure_datalake_analytics_account_logging_enabled + - azure_datalake_store_account_logging_enabled + - azure_eventhub_namespace_logging_enabled + - azure_iot_hub_logging_enabled + - azure_keyvault_logging_enabled + - azure_logic_app_workflow_logging_enabled + - azure_network_watcher_enabled + - azure_search_service_logging_enabled + - azure_securitycenter_automatic_provisioning_monitoring_agent_on + - 
azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_database + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_sqlservervm + - azure_securitycenter_azure_defender_on_for_storage + - azure_servicebus_namespace_logging_enabled + - azure_sql_server_auditing_on + - azure_sql_server_auditing_storage_account_destination_retention_90_days + - azure_sql_server_azure_defender_enabled + - azure_stream_analytics_job_logging_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml index 0c5ea932c..0784b012d 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_2.yaml 
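Review bot: Several controls on the new side — `azure_compute_vm_log_analytics_agent_installed`, both `azure_arc_compute_machine_*_log_analytics_agent_installed` entries, `azure_compute_vm_scale_set_log_analytics_agent_installed` and `azure_securitycenter_automatic_provisioning_monitoring_agent_on` — appear from their names to assert the legacy Log Analytics (MMA) agent, which Microsoft has retired in favour of Azure Monitor Agent; if so, hosts that correctly run AMA will fail 3.3.1 while their logs are in fact collected. Worth confirming what those controls query and, if they test for MMA, recording it above the list: `# NOTE: *_log_analytics_agent_installed checks target the retired MMA agent; hosts on Azure Monitor Agent fail here until the queries are updated`. Also, `azure_sql_server_auditing_storage_account_destination_retention_90_days` is the only retention check present, so the "retain" half of the requirement is unverified for every other log source in the list.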
@@ -1,40 +1,45 @@ -ID: azure_nist_sp_800_171_rev_2_3_3_2 -Title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions -Description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). -SectionCode: "2" -Children: [] -Controls: - - azure_appservice_web_app_diagnostic_logs_enabled - - azure_arc_compute_machine_linux_log_analytics_agent_installed - - azure_arc_compute_machine_windows_log_analytics_agent_installed - - azure_batch_account_logging_enabled - - azure_compute_vm_guest_configuration_installed - - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity - - azure_compute_vm_log_analytics_agent_installed - - azure_compute_vm_network_traffic_data_collection_linux_agent_installed - - azure_compute_vm_network_traffic_data_collection_windows_agent_installed - - azure_compute_vm_scale_set_log_analytics_agent_installed - - azure_datalake_analytics_account_logging_enabled - - azure_datalake_store_account_logging_enabled - - azure_eventhub_namespace_logging_enabled - - azure_iot_hub_logging_enabled - - azure_keyvault_logging_enabled - - azure_logic_app_workflow_logging_enabled - - azure_network_watcher_enabled - - azure_search_service_logging_enabled - - azure_securitycenter_automatic_provisioning_monitoring_agent_on - - azure_securitycenter_azure_defender_on_for_appservice - - 
azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_database - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_servicebus_namespace_logging_enabled - - azure_sql_server_auditing_on - - azure_sql_server_auditing_storage_account_destination_retention_90_days - - azure_sql_server_azure_defender_enabled - - azure_stream_analytics_job_logging_enabled -Tags: {} +control-group: + id: azure_nist_sp_800_171_rev_2_3_3_2 + title: 3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions + description: This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). 
+ section-code: "2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: {} + controls: + - azure_appservice_web_app_diagnostic_logs_enabled + - azure_arc_compute_machine_linux_log_analytics_agent_installed + - azure_arc_compute_machine_windows_log_analytics_agent_installed + - azure_batch_account_logging_enabled + - azure_compute_vm_guest_configuration_installed + - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity + - azure_compute_vm_log_analytics_agent_installed + - azure_compute_vm_network_traffic_data_collection_linux_agent_installed + - azure_compute_vm_network_traffic_data_collection_windows_agent_installed + - azure_compute_vm_scale_set_log_analytics_agent_installed + - azure_datalake_analytics_account_logging_enabled + - azure_datalake_store_account_logging_enabled + - azure_eventhub_namespace_logging_enabled + - azure_iot_hub_logging_enabled + - azure_keyvault_logging_enabled + - azure_logic_app_workflow_logging_enabled + - azure_network_watcher_enabled + - azure_search_service_logging_enabled + - azure_securitycenter_automatic_provisioning_monitoring_agent_on + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_database + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_sqlservervm + - azure_securitycenter_azure_defender_on_for_storage + - azure_servicebus_namespace_logging_enabled + - azure_sql_server_auditing_on + - azure_sql_server_auditing_storage_account_destination_retention_90_days + - azure_sql_server_azure_defender_enabled + - azure_stream_analytics_job_logging_enabled 
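Review bot: The 33 controls here are byte-for-byte the 3.3.1 list, but 3.3.2 is about uniquely attributing actions to individual users, and none of these entries checks that — they verify diagnostics, agents and Defender plans are switched on, not that shared or local credentials are disallowed. Controls that disable local/shared authentication, such as `azure_cognitive_service_local_auth_disabled` elsewhere in this change, are closer to what the requirement asks for. At minimum a comment above `controls:` should state that the list is a "logs are produced" proxy inherited from 3.3.1, e.g. `# same list as 3.3.1 — shows logs exist, not that events are attributable to a unique user`, so an assessor does not read it as evidence of non-repudiation.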
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml index 2226e795d..a72780477 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_4.yaml 
@@ -1,16 +1,21 @@
-ID: azure_nist_sp_800_171_rev_2_3_3_4
-Title: 3.4 Alert in the event of an audit logging process failure
-Description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_3_4
+ title: 3.4 Alert in the event of an audit logging process failure
+ description: Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
index 0b7f65ed6..6d4212eb3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_3_5.yaml
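Review bot: The new side maps "alert on audit logging process failure" to Defender plan enablement, but those plans raise threat alerts about workloads; none of the nine controls checks that a failed diagnostic setting, a full or unreachable log destination, or a stopped collection agent produces an alert, which is what 3.3.4 asks for. The Defender set here also differs from the sibling 3.3.1 list, which additionally carries `azure_securitycenter_azure_defender_on_for_database`, so the groups are inconsistent with each other for no stated reason. Suggest a comment above `controls:` recording the limitation, `# Defender plans do not alert on log-pipeline failure; 3.3.4 is only partially covered by this list`, and either adding the missing Defender entry or noting why it is excluded.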
@@ -1,16 +1,21 @@
-ID: azure_nist_sp_800_171_rev_2_3_3_5
-Title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
-Description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_3_5
+ title: 3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
+ description: Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
index 71ecc56a0..089e48188 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4.yaml
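Review bot: 3.3.5 asks that review, analysis and reporting be correlated across audit sources, but the new side carries the same nine per-workload Defender-enablement controls as 3.3.4; each of those proves a plan is on for one resource type and says nothing about whether alerts and audit records are brought together in a shared workspace or SIEM for joint analysis. If the pack has no control for that, a comment above `controls:` should say so rather than letting the Defender list imply correlation is checked, e.g. `# Defender plans are per-workload; cross-source correlation (central workspace / SIEM) is not verified by these controls`. `tracks-drift-events: false` is also a curious default for an audit-review group, since configuration drift is exactly the kind of event this requirement wants surfaced — worth confirming the value is deliberate rather than a migration-wide default.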
@@ -1,10 +1,15 @@
-ID: azure_nist_sp_800_171_rev_2_3_4
-Title: Configuration Management
-Description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
-SectionCode: "3_4"
-Children:
- - azure_nist_sp_800_171_rev_2_3_4_1
- - azure_nist_sp_800_171_rev_2_3_4_2
- - azure_nist_sp_800_171_rev_2_3_4_6
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_4
+ title: Configuration Management
+ description: CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+ section-code: "3_4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_4_1
+ - id: azure_nist_sp_800_171_rev_2_3_4_2
+ - id: azure_nist_sp_800_171_rev_2_3_4_6
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
index fc70cf440..5ecd76f68 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_1.yaml
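Review bot: The new schema reuses the key `control-group` both for the top-level wrapper mapping and for the nested sequence of child references, so a reader of `control-group: … control-group: - id: …` has to count indentation to tell wrapper from children, and a schema validator cannot distinguish the two uses by name; the old side's `Children:` was unambiguous, and `children:` for the nested list would keep it so. As with the 3.3 family, only 3.4.1, 3.4.2 and 3.4.6 of the nine 3.4.x requirements in SP 800-171 rev 2 are referenced, so a one-line comment above `control-group:` naming the unmapped requirements, e.g. `# 3.4.3–3.4.5 and 3.4.7–3.4.9 are not assessed by this pack`, would stop the framework being read as full CM coverage.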
@@ -1,16 +1,21 @@
-ID: azure_nist_sp_800_171_rev_2_3_4_1
-Title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
-Description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.
-SectionCode: "1"
-Children: []
-Controls:
-  - azure_appservice_api_app_remote_debugging_disabled
-  - azure_appservice_function_app_client_certificates_on
-  - azure_appservice_function_app_cors_no_star
-  - azure_appservice_function_app_remote_debugging_disabled
-  - azure_appservice_web_app_cors_no_star
-  - azure_appservice_web_app_incoming_client_cert_on
-  - azure_compute_vm_meet_security_baseline_requirements_linux
-  - azure_compute_vm_meet_security_baseline_requirements_windows
-  - azure_kubernetes_cluster_add_on_azure_policy_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_4_1
+  title: 4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles
+  description: Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_api_app_remote_debugging_disabled
+    - azure_appservice_function_app_client_certificates_on
+    - azure_appservice_function_app_cors_no_star
+    - azure_appservice_function_app_remote_debugging_disabled
+    - azure_appservice_web_app_cors_no_star
+    - azure_appservice_web_app_incoming_client_cert_on
+    - azure_compute_vm_meet_security_baseline_requirements_linux
+    - azure_compute_vm_meet_security_baseline_requirements_windows
+    - azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
index 2a00b38bc..4aef2ccf7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_2.yaml
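Review bot: The new `description:` line carries over a missing sentence break — "...deviations from the established baseline configuration Organizations can implement centralized..." — which renders as one run-on sentence wherever the text is displayed; a period after "configuration" fixes it. The nine mapped checks are also exactly the list used for 4.2 in the next file, and none of them, by name, evaluates the inventory half of 4.1 (component inventories, owners, versions, locations). If inventory coverage is manual for this framework, a short note in the description or a tag saying so would keep the mapping from implying automated evidence it does not have.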
@@ -1,16 +1,21 @@
-ID: azure_nist_sp_800_171_rev_2_3_4_2
-Title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
-Description: 'Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.'
-SectionCode: "2"
-Children: []
-Controls:
-  - azure_appservice_api_app_remote_debugging_disabled
-  - azure_appservice_function_app_client_certificates_on
-  - azure_appservice_function_app_cors_no_star
-  - azure_appservice_function_app_remote_debugging_disabled
-  - azure_appservice_web_app_cors_no_star
-  - azure_appservice_web_app_incoming_client_cert_on
-  - azure_compute_vm_meet_security_baseline_requirements_linux
-  - azure_compute_vm_meet_security_baseline_requirements_windows
-  - azure_kubernetes_cluster_add_on_azure_policy_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_4_2
+  title: 4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
+  description: "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors."
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_api_app_remote_debugging_disabled
+    - azure_appservice_function_app_client_certificates_on
+    - azure_appservice_function_app_cors_no_star
+    - azure_appservice_function_app_remote_debugging_disabled
+    - azure_appservice_web_app_cors_no_star
+    - azure_appservice_web_app_incoming_client_cert_on
+    - azure_compute_vm_meet_security_baseline_requirements_linux
+    - azure_compute_vm_meet_security_baseline_requirements_windows
+    - azure_kubernetes_cluster_add_on_azure_policy_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
index 84809b14a..47c838421 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_4_6.yaml
@@ -1,8 +1,13 @@
-ID: azure_nist_sp_800_171_rev_2_3_4_6
-Title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
-Description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
-SectionCode: "6"
-Children: []
-Controls:
-  - azure_securitycenter_azure_defender_on_for_server
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_4_6
+  title: 4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities
+  description: Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
+  section-code: "6"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
index 95f85455f..4d29eb2a3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5.yaml
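Review bot: The only check mapped to 4.6 (least functionality) is `azure_securitycenter_azure_defender_on_for_server`, which by its name turns on a threat-detection service rather than restricting what a system exposes, while the description is about disabling unnecessary ports, protocols and services. Checks already present in this diff, such as `azure_appservice_api_app_remote_debugging_disabled` and `azure_appservice_function_app_remote_debugging_disabled`, are a closer fit because they switch off an unneeded capability. If Defender is kept here, a comment above the entry (`# detective control: reports prohibited services, does not disable them`) would make the rationale visible to an auditor.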
@@ -1,14 +1,19 @@
-ID: azure_nist_sp_800_171_rev_2_3_5
-Title: Identification and Authentication
-Description: This family of requirements ensures only authenticated users can access the organization’s network or systems. The 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Requirements ensure the distinction between privileged and non-privileged accounts is reflected in network access.
-SectionCode: "3_5"
-Children:
-  - azure_nist_sp_800_171_rev_2_3_5_1
-  - azure_nist_sp_800_171_rev_2_3_5_2
-  - azure_nist_sp_800_171_rev_2_3_5_5
-  - azure_nist_sp_800_171_rev_2_3_5_6
-  - azure_nist_sp_800_171_rev_2_3_5_7
-  - azure_nist_sp_800_171_rev_2_3_5_8
-  - azure_nist_sp_800_171_rev_2_3_5_10
-Controls: []
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5
+  title: Identification and Authentication
+  description: This family of requirements ensures only authenticated users can access the organization’s network or systems. The 11 requirements cover password and authentication procedures and policy, alongside the reliable identification of users. Requirements ensure the distinction between privileged and non-privileged accounts is reflected in network access.
+  section-code: "3_5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  control-group:
+    - id: azure_nist_sp_800_171_rev_2_3_5_1
+    - id: azure_nist_sp_800_171_rev_2_3_5_2
+    - id: azure_nist_sp_800_171_rev_2_3_5_5
+    - id: azure_nist_sp_800_171_rev_2_3_5_6
+    - id: azure_nist_sp_800_171_rev_2_3_5_7
+    - id: azure_nist_sp_800_171_rev_2_3_5_8
+    - id: azure_nist_sp_800_171_rev_2_3_5_10
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
index d284cd8a0..f7a8ebf53 100755
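Review bot: The group `description` says "The 11 requirements" but the new `control-group` list carries only seven children (3.5.1, .2, .5, .6, .7, .8 and .10); 3.5.3 (multifactor authentication) and 3.5.4 (replay-resistant authentication) in particular have no entry, and nothing in the file says whether that is a gap in the check catalogue or a deliberate omission. Either reword the sentence to describe what is actually mapped, or add a comment above the child list such as `# 3.5.3, 3.5.4, 3.5.9 and 3.5.11 have no automated check in this framework` so readers do not take the seven children for the full family.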
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_1.yaml
@@ -1,12 +1,17 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_1
-Title: 5.1 Identify system users, processes acting on behalf of users, and devices
-Description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.
-SectionCode: "1"
-Children: []
-Controls:
-  - azure_appservice_function_app_uses_managed_identity
-  - azure_appservice_web_app_uses_managed_identity
-  - azure_cognitive_service_local_auth_disabled
-  - azure_servicefabric_cluster_active_directory_authentication_enabled
-  - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5_1
+  title: 5.1 Identify system users, processes acting on behalf of users, and devices
+  description: Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_function_app_uses_managed_identity
+    - azure_appservice_web_app_uses_managed_identity
+    - azure_cognitive_service_local_auth_disabled
+    - azure_servicefabric_cluster_active_directory_authentication_enabled
+    - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
index 0826dee17..8830f8edd 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_10.yaml
@@ -1,12 +1,17 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_10
-Title: 5.10 Store and transmit only cryptographically-protected passwords
-Description: Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
-SectionCode: "10"
-Children: []
-Controls:
-  - azure_compute_vm_guest_configuration_installed_linux
-  - azure_compute_vm_guest_configuration_installed_windows
-  - azure_compute_vm_guest_configuration_with_no_managed_identity
-  - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
-  - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5_10
+  title: 5.10 Store and transmit only cryptographically-protected passwords
+  description: Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.
+  section-code: "10"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_compute_vm_guest_configuration_installed_linux
+    - azure_compute_vm_guest_configuration_installed_windows
+    - azure_compute_vm_guest_configuration_with_no_managed_identity
+    - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+    - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
index f9178de6c..c65756b29 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_2.yaml
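Review bot: For 5.10 the only check that, by name, actually inspects how passwords are protected is `azure_compute_vm_passwords_stored_using_reversible_encryption_windows`; the `azure_compute_vm_guest_configuration_installed_*` and `*_with_*_managed_identity` entries look like prerequisites for the guest-configuration agent rather than evidence for the requirement itself. There is also no Linux-side counterpart, so a Linux VM appears to satisfy this requirement by merely having the agent installed. If the catalogue has no Linux password-storage check, a comment above `controls:` such as `# Linux: no password-hashing check available; agent prerequisites only` would be more honest than the implied coverage.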
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_2
-Title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
-Description: 'Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.'
-SectionCode: "2"
-Children: []
-Controls:
-  - azure_appservice_function_app_uses_managed_identity
-  - azure_appservice_web_app_uses_managed_identity
-  - azure_cognitive_service_local_auth_disabled
-  - azure_compute_vm_guest_configuration_installed_linux
-  - azure_compute_vm_guest_configuration_installed_windows
-  - azure_compute_vm_guest_configuration_with_no_managed_identity
-  - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
-  - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
-  - azure_compute_vm_ssh_key_authentication_linux
-  - azure_keyvault_key_expiration_set
-  - azure_keyvault_secret_expiration_set
-  - azure_servicefabric_cluster_active_directory_authentication_enabled
-  - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5_2
+  title: 5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
+  description: "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords."
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_function_app_uses_managed_identity
+    - azure_appservice_web_app_uses_managed_identity
+    - azure_cognitive_service_local_auth_disabled
+    - azure_compute_vm_guest_configuration_installed_linux
+    - azure_compute_vm_guest_configuration_installed_windows
+    - azure_compute_vm_guest_configuration_with_no_managed_identity
+    - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+    - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+    - azure_compute_vm_ssh_key_authentication_linux
+    - azure_keyvault_key_expiration_set
+    - azure_keyvault_secret_expiration_set
+    - azure_servicefabric_cluster_active_directory_authentication_enabled
+    - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml
index 63080c8b5..1665633ee 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_5.yaml
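Review bot: The description singles out factory default credentials as a "significant security risk", yet none of the thirteen mapped checks, by name, evaluates default or built-in credentials; the nearest are `azure_cognitive_service_local_auth_disabled` and `azure_compute_vm_ssh_key_authentication_linux`, which turn off local or password authentication rather than test for defaults. If the catalogue has no such check, a one-line comment above `controls:` stating that default-credential detection is out of scope for this framework would keep the mapping from overstating coverage. As a minor style point, the description was switched from single to double quotes although it contains no escape sequences; single quotes avoid any backslash processing by the loader.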
@@ -1,12 +1,17 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_5
-Title: 5.5 Prevent reuse of identifiers for a defined period
-Description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
-SectionCode: "5"
-Children: []
-Controls:
-  - azure_appservice_function_app_uses_managed_identity
-  - azure_appservice_web_app_uses_managed_identity
-  - azure_cognitive_service_local_auth_disabled
-  - azure_servicefabric_cluster_active_directory_authentication_enabled
-  - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5_5
+  title: 5.5 Prevent reuse of identifiers for a defined period
+  description: Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_function_app_uses_managed_identity
+    - azure_appservice_web_app_uses_managed_identity
+    - azure_cognitive_service_local_auth_disabled
+    - azure_servicefabric_cluster_active_directory_authentication_enabled
+    - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
index 127aeb4b7..de54e5577 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
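Review bot: The five checks mapped to 5.5 (prevent reuse of identifiers) are the same five mapped to 5.1 earlier in this diff, and none of them, by name, examines whether an identifier was previously used — `*_uses_managed_identity`, `*_local_auth_disabled` and `*_azure_ad_authentication_enabled` only confirm that identity is delegated to the directory. That is presumably the intended argument (directory object identifiers are not recycled), but it is an inference the file does not state. A comment above `controls:` such as `# reuse prevention is inherited from the directory's identifier lifecycle; these checks assert delegation` would record the rationale for the next auditor.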
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_6.yaml
@@ -1,13 +1,18 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_6
-Title: 5.6 Disable identifiers after a defined period of inactivity
-Description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
-SectionCode: "6"
-Children: []
-Controls:
-  - azure_appservice_function_app_uses_managed_identity
-  - azure_appservice_web_app_uses_managed_identity
-  - azure_cognitive_service_local_auth_disabled
-  - azure_iam_deprecated_account
-  - azure_servicefabric_cluster_active_directory_authentication_enabled
-  - azure_sql_server_azure_ad_authentication_enabled
-Tags: {}
+control-group:
+  id: azure_nist_sp_800_171_rev_2_3_5_6
+  title: 5.6 Disable identifiers after a defined period of inactivity
+  description: Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.
+  section-code: "6"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+      tags: {}
+  controls:
+    - azure_appservice_function_app_uses_managed_identity
+    - azure_appservice_web_app_uses_managed_identity
+    - azure_cognitive_service_local_auth_disabled
+    - azure_iam_deprecated_account
+    - azure_servicefabric_cluster_active_directory_authentication_enabled
+    - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
index c9fe1e841..a4cf811e0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_7.yaml
@@ -1,12 +1,17 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_7
-Title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created
-Description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_password_complexity_setting_enabled_windows
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_5_7
+ title: 5.7 Enforce a minimum password complexity and change of characters when new passwords are created
+ description: This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_min_password_length_14_windows
+ - azure_compute_vm_password_complexity_setting_enabled_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
index 701a80cdc..415b226f9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_5_8.yaml
@@ -1,11 +1,16 @@
-ID: azure_nist_sp_800_171_rev_2_3_5_8
-Title: 5.8 Prohibit password reuse for a specified number of generations
-Description: Password lifetime restrictions do not apply to temporary passwords.
-SectionCode: "8"
-Children: []
-Controls:
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_5_8
+ title: 5.8 Prohibit password reuse for a specified number of generations
+ description: Password lifetime restrictions do not apply to temporary passwords.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
index 6f2174630..18e579ad5 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6.yaml
@@ -1,8 +1,13 @@
-ID: azure_nist_sp_800_171_rev_2_3_6
-Title: Incident response
-Description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
-SectionCode: "3_6"
-Children:
- - azure_nist_sp_800_171_rev_2_3_6_2
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_6
+ title: Incident response
+ description: IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+ section-code: "3_6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_6_2
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
index 30f8c187d..68acd26de 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_6_2.yaml
@@ -1,10 +1,15 @@
-ID: azure_nist_sp_800_171_rev_2_3_6_2
-Title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
-Description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_6_2
+ title: 6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization
+ description: Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml
index e1c8a901c..1284555d9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8.yaml
@@ -1,8 +1,13 @@
-ID: azure_nist_sp_800_171_rev_2_3_8
-Title: Media Protection
-Description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.
-SectionCode: "3_8"
-Children:
- - azure_nist_sp_800_171_rev_2_3_8_9
-Controls: []
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_8
+ title: Media Protection
+ description: This control family help organizations control access to sensitive media. Requirements cover best practice storage or destruction of sensitive information and media in both physical and digital formats.
+ section-code: "3_8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_nist_sp_800_171_rev_2_3_8_9
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
index 436757768..ab14881a7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/azure_nist_sp_800_171_rev_2_3_8_9.yaml
@@ -1,12 +1,17 @@
-ID: azure_nist_sp_800_171_rev_2_3_8_9
-Title: 8.9 Protect the confidentiality of backup CUI at storage locations
-Description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
-SectionCode: "9"
-Children: []
-Controls:
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_soft_delete_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_171_rev_2_3_8_9
+ title: 8.9 Protect the confidentiality of backup CUI at storage locations
+ description: Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_keyvault_purge_protection_enabled
+ - azure_keyvault_soft_delete_enabled
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
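Review bot: The requirement this group carries is "Protect the confidentiality of backup CUI", but the five controls at the end of this hunk — Key Vault soft-delete and purge protection, and geo-redundant backups for MariaDB, MySQL and PostgreSQL — protect the availability and durability of backups, not their confidentiality. Judging by the control names alone, nothing here checks that backups are encrypted or that access to the backup location is restricted, so a clean result would overstate coverage of 3.8.9. The conversion keeps the mapping as it was; a comment such as `# TODO: add a backup encryption / restricted-access control; current entries cover availability only` would make the gap visible until the mapping is revisited.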
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/root.yaml b/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/root.yaml
deleted file mode 100755
index c71ab7c0f..000000000
--- a/compliance/frameworks/azure/azure_nist_sp_800_171_rev_2/root.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-ID: azure_nist_sp_800_171_rev_2
-Title: NIST SP 800-171 Revision 2
-Description: NIST SP 800-171 Revision 2 signifies a significant endeavor to enhance cybersecurity practices, specifically tailored for organizations engaging with the U.S. federal government.
-SectionCode: azure_nist_sp_800_171_rev_2
-Children:
- - azure_nist_sp_800_171_rev_2_3_1
- - azure_nist_sp_800_171_rev_2_3_3
- - azure_nist_sp_800_171_rev_2_3_4
- - azure_nist_sp_800_171_rev_2_3_5
- - azure_nist_sp_800_171_rev_2_3_6
- - azure_nist_sp_800_171_rev_2_3_8
- - azure_nist_sp_800_171_rev_2_3_11
- - azure_nist_sp_800_171_rev_2_3_13
- - azure_nist_sp_800_171_rev_2_3_14
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml
new file mode 100644
index 000000000..8189ca12a
--- /dev/null
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5.yaml
@@ -0,0 +1,35 @@
+framework:
+ id: azure_nist_sp_800_53_rev_5
+ title: NIST SP 800-53 Revision 5
+ description: NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.
+ section-code: azure_nist_sp_800_53_rev_5
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Frameworks
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac
+ - id: azure_nist_sp_800_53_rev_5_au
+ - id: azure_nist_sp_800_53_rev_5_cm
+ - id: azure_nist_sp_800_53_rev_5_cp
+ - id: azure_nist_sp_800_53_rev_5_ia
+ - id: azure_nist_sp_800_53_rev_5_ir
+ - id: azure_nist_sp_800_53_rev_5_ra
+ - id: azure_nist_sp_800_53_rev_5_sc
+ - id: azure_nist_sp_800_53_rev_5_si
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
index d57de6709..ef68abab4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac.yaml
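Review bot: The new framework file sets `auto-assign: false` under `metadata.defaults`, while every converted control-group in the neighbouring hunks sets `auto-assign: null`, so the two levels of the tree now carry different values for the same key. If the loader treats `null` as "inherit from the parent" the two are equivalent; if it treats `null` as a distinct value or as an absent key, child groups will silently diverge from the framework default. A one-line comment beside the framework value, e.g. `# child groups use auto-assign: null, which inherits this value`, would record the intent, and if inheritance is not what the loader does the children should state `false` explicitly. Which behaviour applies cannot be determined from the YAML alone and should be checked against the loader.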
@@ -1,24 +1,29 @@
-ID: azure_nist_sp_800_53_rev_5_ac
-Title: Access Control (AC)
-Description: The AC Control Family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
-SectionCode: ac
-Children:
- - azure_nist_sp_800_53_rev_5_ac_2
- - azure_nist_sp_800_53_rev_5_ac_3
- - azure_nist_sp_800_53_rev_5_ac_4
- - azure_nist_sp_800_53_rev_5_ac_5
- - azure_nist_sp_800_53_rev_5_ac_6
- - azure_nist_sp_800_53_rev_5_ac_16
- - azure_nist_sp_800_53_rev_5_ac_17
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac
+ title: Access Control (AC)
+ description: The AC Control Family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access.
+ section-code: ac
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_2
+ - id: azure_nist_sp_800_53_rev_5_ac_3
+ - id: azure_nist_sp_800_53_rev_5_ac_4
+ - id: azure_nist_sp_800_53_rev_5_ac_5
+ - id: azure_nist_sp_800_53_rev_5_ac_6
+ - id: azure_nist_sp_800_53_rev_5_ac_16
+ - id: azure_nist_sp_800_53_rev_5_ac_17
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
index 905e49bb3..2fcea94a7 100755
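Review bot: The description retained on the new side of this hunk says the Access Control family "consists of security requirements detailing system logging", which describes the Audit and Accountability (AU) family rather than AC; the child groups it lists (AC-2 account management, AC-16 security attributes, AC-17 remote access, and by NIST numbering AC-3 through AC-6) are all about who may access what, not about logging. Since the description is user-facing text in the benchmark, suggest `description: The AC Control Family covers who may access which assets and at what level, including account management, access enforcement, information flow, separation of duties, least privilege, and remote access.` The conversion is otherwise mechanical and the list of children is unchanged.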
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_16.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_ac_16
-Title: Security and Privacy Attributes (AC-16)
-Description: Support and maintains the binding of security attributes to information in storage, in process, and in transition.
-SectionCode: "16"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_sql_server_azure_defender_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_16
+ title: Security and Privacy Attributes (AC-16)
+ description: Support and maintains the binding of security attributes to information in storage, in process, and in transition.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
index 242f17048..d0c041692 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17.yaml
@@ -1,51 +1,57 @@
-ID: azure_nist_sp_800_53_rev_5_ac_17
-Title: Remote Access (AC-17)
-Description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
-SectionCode: "17"
-Children:
- - azure_nist_sp_800_53_rev_5_ac_17_1
-Controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_17
+ title: Remote Access (AC-17)
+ description: Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.
+ section-code: "17"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_17_1
+ controls:
+ - azure_app_configuration_private_link_used
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_image_builder_uses_private_link
+ - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_vault_private_link_used
+ - azure_mysql_server_private_link_used
+ - azure_postgres_server_private_link_used
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_spring_cloud_service_network_injection_enabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
+ - azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml
index eee38c6a5..b1cc52273 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_17_1.yaml
@@ -1,50 +1,55 @@
-ID: azure_nist_sp_800_53_rev_5_ac_17_1
-Title: Monitoring and Control AC-17(1)
-Description: The information system monitors and controls remote access methods.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_app_configuration_private_link_used
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_vault_private_link_used
- - azure_mysql_server_private_link_used
- - azure_postgres_server_private_link_used
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_spring_cloud_service_network_injection_enabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_17_1
+ title: Monitoring and Control AC-17(1)
+ description: The information system monitors and controls remote access methods.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_app_configuration_private_link_used
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_redis_cache_uses_private_link
+ - azure_cognitive_account_private_link_used
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_image_builder_uses_private_link
+ - azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_vault_private_link_used
+ - azure_mysql_server_private_link_used
+ - azure_postgres_server_private_link_used
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_spring_cloud_service_network_injection_enabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
+ - azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
index 03cc9a929..3ca207d40 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2.yaml
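Review bot: The `controls` list carried into AC-17(1) in this hunk is identical, entry for entry, to the list on its parent AC-17 group in the preceding hunk, so every finding from these thirty-three checks will be reported twice — once under the base control and once under the enhancement — and nothing in the enhancement's list is specific to its own requirement that the system "monitors and controls remote access methods". The conversion preserves this duplication rather than introducing it, but it is the moment to decide whether it is intended. Either keep the private-link and network-isolation controls on AC-17 and leave on AC-17(1) only those tied to monitoring remote access, or record the choice with `# NOTE: intentionally mirrors AC-17 so the enhancement reports independently` above the list.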
@@ -1,32 +1,38 @@
-ID: azure_nist_sp_800_53_rev_5_ac_2
-Title: Account Management (AC-2)
-Description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
-SectionCode: "2"
-Children:
- - azure_nist_sp_800_53_rev_5_ac_2_1
- - azure_nist_sp_800_53_rev_5_ac_2_7
- - azure_nist_sp_800_53_rev_5_ac_2_12
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_2
+ title: Account Management (AC-2)
+ description: Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_2_1
+ - id: azure_nist_sp_800_53_rev_5_ac_2_7
+ - id: azure_nist_sp_800_53_rev_5_ac_2_12
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_cognitive_service_local_auth_disabled
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
index 567f7de5b..fc6221da0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_1.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_ac_2_1
-Title: Automated System Account Management AC-2(1)
-Description: The organization employs automated mechanisms to support the management of information system accounts.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_2_1
+ title: Automated System Account Management AC-2(1)
+ description: The organization employs automated mechanisms to support the management of information system accounts.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cognitive_service_local_auth_disabled
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
index f53da356c..e1c0cf968 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_12.yaml
@@ -1,28 +1,33 @@
-ID: azure_nist_sp_800_53_rev_5_ac_2_12
-Title: Account Monitoring for Atypical Usage AC-2(12)
-Description: The organization monitors information system accounts for organization-defined atypical use and reports atypical usage of information system accounts to organization-defined personnel or roles.
-SectionCode: "12"
-Children: []
-Controls:
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_compute_vm_jit_access_protected
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_2_12
+ title: Account Monitoring for Atypical Usage AC-2(12)
+ description: The organization monitors information system accounts for organization-defined atypical use and reports atypical usage of information system accounts to organization-defined personnel or roles.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_compute_vm_jit_access_protected
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
index 1c70ac418..a81acd4a9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_2_7.yaml
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_53_rev_5_ac_2_7
-Title: Privileged User Accounts AC-2(7)
-Description: The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles, monitors privileged role assignments, and takes organization-defined actions when privileged role assignments are no longer appropriate.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_no_custom_role
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_2_7
+ title: Privileged User Accounts AC-2(7)
+ description: The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles, monitors privileged role assignments, and takes organization-defined actions when privileged role assignments are no longer appropriate.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_cognitive_service_local_auth_disabled
+ - azure_iam_no_custom_role
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
index 0bf603015..063e57dd6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3.yaml
@@ -1,34 +1,40 @@
-ID: azure_nist_sp_800_53_rev_5_ac_3
-Title: Access Enforcement (AC-3)
-Description: Enforce approved authorizations for access to systems in accordance with policy.
-SectionCode: "3"
-Children:
- - azure_nist_sp_800_53_rev_5_ac_3_7
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_authorize_access_to_security_functions_and_information
- - azure_cognitive_service_local_auth_disabled
- - azure_compute_vm_account_with_password_linux
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_compute_vm_uses_azure_resource_manager
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
- - azure_storage_account_uses_azure_resource_manager
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_3
+ title: Access Enforcement (AC-3)
+ description: Enforce approved authorizations for access to systems in accordance with policy.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_3_7
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_authorize_access_to_security_functions_and_information
+ - azure_cognitive_service_local_auth_disabled
+ - azure_compute_vm_account_with_password_linux
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_ssh_key_authentication_linux
+ - azure_compute_vm_uses_azure_resource_manager
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
+ - azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
index c32ecc389..3eae22b3d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_3_7.yaml
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_53_rev_5_ac_3_7
-Title: Role-based Access Control AC-3(7)
-Description: The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon organization-defined roles and users authorized to assume such roles.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_kubernetes_instance_rbac_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/KubernetesService
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_3_7
+ title: Role-based Access Control AC-3(7)
+ description: The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon organization-defined roles and users authorized to assume such roles.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/KubernetesService
+ type:
+ - Benchmark
+ controls:
+ - azure_kubernetes_instance_rbac_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
index d841559ff..a01eb4f3c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4.yaml
@@ -1,67 +1,73 @@
-ID: azure_nist_sp_800_53_rev_5_ac_4
-Title: Information Flow Enforcement (AC-4)
-Description: Enforce approved authorizations. Control information workflow between interconnected systems.
-SectionCode: "4"
-Children:
- - azure_nist_sp_800_53_rev_5_ac_4_3
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_appservice_web_app_cors_no_star
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_cognitive_account_public_network_access_disabled
- - azure_cognitive_account_restrict_public_access
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_non_internet_facing_protected_with_nsg
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_network_subnet_protected_by_firewall
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_4
+ title: Information Flow Enforcement (AC-4)
+ description: Enforce approved authorizations. Control information workflow between interconnected systems.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_4_3
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_appservice_web_app_cors_no_star
+ - azure_redis_cache_uses_private_link
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_account_public_network_access_disabled
+ - azure_cognitive_account_restrict_public_access
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_image_builder_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_non_internet_facing_protected_with_nsg
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_network_subnet_protected_by_firewall
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
+ - azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
index 7e68630f1..d749430c3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_4_3.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_ac_4_3
-Title: Dynamic Information Flow Control AC-4(3)
-Description: The information system enforces dynamic information flow control based on organization-defined policies.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_jit_access_protected
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_4_3
+ title: Dynamic Information Flow Control AC-4(3)
+ description: The information system enforces dynamic information flow control based on organization-defined policies.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_jit_access_protected
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
index eac3f7cb3..9f6bda531 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_5.yaml
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_53_rev_5_ac_5
-Title: Separation of Duties (AC-5)
-Description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_5
+ title: Separation of Duties (AC-5)
+ description: Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
index b1264b2f3..f758ad819 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6.yaml
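Review bot: The new `description:` line keeps a lower-case sentence start from the old `Description:` text, `prevent malevolent activity. automate separation of duties`; since the hunk rewrites every line of this file anyway, changing the second sentence to `Automate separation of duties and access authorizations.` costs nothing and this text is what ends up in the rendered benchmark. The rest of the hunk matches its sibling control-group files.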
@@ -1,20 +1,26 @@
-ID: azure_nist_sp_800_53_rev_5_ac_6
-Title: Least Privilege (AC-6)
-Description: Automate least privilege. Allow only authorized accesses for users and processes which are necessary.
-SectionCode: "6"
-Children:
- - azure_nist_sp_800_53_rev_5_ac_6_7
-Controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_6
+ title: Least Privilege (AC-6)
+ description: Automate least privilege. Allow only authorized accesses for users and processes which are necessary.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ac_6_7
+ controls:
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
index 2bb691b4f..f5c52d546 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ac_6_7.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_ac_6_7
-Title: Review of User Privileges AC-6(7)
-Description: The organization reviews organization-defined frequency the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ac_6_7
+ title: Review of User Privileges AC-6(7)
+ description: The organization reviews organization-defined frequency the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges and reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
index e9688a1c4..d6b92004e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_au
-Title: Audit and Accountability Control (AU)
-Description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
-SectionCode: au
-Children:
- - azure_nist_sp_800_53_rev_5_au_6
- - azure_nist_sp_800_53_rev_5_au_11
- - azure_nist_sp_800_53_rev_5_au_12
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au
+ title: Audit and Accountability Control (AU)
+ description: The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information.
+ section-code: au
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_au_6
+ - id: azure_nist_sp_800_53_rev_5_au_11
+ - id: azure_nist_sp_800_53_rev_5_au_12
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
index adfb19401..f265bb062 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_11.yaml
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_53_rev_5_au_11
-Title: Audit Record Retention (AU-11)
-Description: Retain audit records for security investigations. Meet regulatory and organizational data retention requirements.
-SectionCode: "11"
-Children: []
-Controls:
- - azure_sql_server_auditing_storage_account_destination_retention_90_days
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SQL
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_11
+ title: Audit Record Retention (AU-11)
+ description: Retain audit records for security investigations. Meet regulatory and organizational data retention requirements.
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SQL
+ type:
+ - Benchmark
+ controls:
+ - azure_sql_server_auditing_storage_account_destination_retention_90_days
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
index d7f010f12..f73d3d3b6 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12.yaml
@@ -1,51 +1,57 @@
-ID: azure_nist_sp_800_53_rev_5_au_12
-Title: Audit Record Generation (AU-12)
-Description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
-SectionCode: "12"
-Children:
- - azure_nist_sp_800_53_rev_5_au_12_1
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_12
+ title: Audit Record Generation (AU-12)
+ description: Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_au_12_1
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
index cbc533c5b..638f30f01 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_12_1.yaml
@@ -1,50 +1,55 @@
-ID: azure_nist_sp_800_53_rev_5_au_12_1
-Title: System-wide and Time-correlated Audit Trail AU-12(1)
-Description: The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_12_1
+ title: System-wide and Time-correlated Audit Trail AU-12(1)
+ description: The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for the relationship between timestamps of individual records in the audit trail.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
index 4931f7577..cd6e6ab6f 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6.yaml
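Review bot: The `controls:` list under AU-12(1) is byte-identical to the AU-12 parent's list, yet none of the 33 checks evidences what the enhancement actually asks for — a system-wide trail that is time-correlated within a defined tolerance; there is no clock-synchronisation or timestamp-tolerance control anywhere in the set. If reusing the AU-12 evidence set is deliberate, say so above `controls:` with something like `# NOTE: reuses the AU-12 collection set; time correlation (clock sync, tolerance) is not evidenced by any control here` so auditors do not read a green AU-12(1) as proof of correlation. Separately, `auto-assign: null` leaves that default unset while its siblings are explicit booleans; if the consumer distinguishes null from false, confirm the null is intended rather than a migration artefact.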
@@ -1,32 +1,38 @@
-ID: azure_nist_sp_800_53_rev_5_au_6
-Title: Audit Record Review, Analysis, and Reporting (AU-6)
-Description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
-SectionCode: "6"
-Children:
- - azure_nist_sp_800_53_rev_5_au_6_4
- - azure_nist_sp_800_53_rev_5_au_6_5
-Controls:
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_network_watcher_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_6
+ title: Audit Record Review, Analysis, and Reporting (AU-6)
+ description: Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_au_6_4
+ - id: azure_nist_sp_800_53_rev_5_au_6_5
+ controls:
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_network_watcher_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
index 15dfe9396..3b39b2dee 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_4.yaml
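Review bot: The AU-6 `controls:` list carries every Defender plan toggle except `azure_securitycenter_azure_defender_on_for_sqldb`, while keeping `..._on_for_sqlservervm` and `azure_sql_server_azure_defender_enabled`; both child groups AU-6(4) and AU-6(5) in this same diff do include the SQL DB plan, so the gap looks accidental rather than a scoping decision. If SQL Database alerts are meant to feed audit review, add `- azure_securitycenter_azure_defender_on_for_sqldb` after the `..._on_for_server` entry; if not, a one-line comment saying why would stop the next migration "fixing" it either way. Also note `enabled: false` under `defaults` means this whole family is off until something enables it — presumably the platform's intended opt-in, but worth confirming for a benchmark that is otherwise advertised as a baseline.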
@@ -1,50 +1,55 @@
-ID: azure_nist_sp_800_53_rev_5_au_6_4
-Title: Central Review and Analysis AU-6(4)
-Description: The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_6_4
+ title: Central Review and Analysis AU-6(4)
+ description: The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
index b3d9fbc9b..4a68e4369 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_au_6_5.yaml
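Review bot: This benchmark definition is still tracked at mode 100755 (`index 15dfe9396..3b39b2dee 100755` in the file header), as are the other rev_5 YAML files touched here; a data file has no reason to carry the executable bit, and some policy/linting pipelines flag it. Since the commit is already rewriting every line of these files, it is the natural moment to drop the bit with `git update-index --chmod=-x` on the directory. The hunk itself is a pure re-layout of the same 33 controls and raises nothing else.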
@@ -1,50 +1,55 @@
-ID: azure_nist_sp_800_53_rev_5_au_6_5
-Title: Integrated Analysis of Audit Records AU-6(5)
-Description: The organization integrates analysis of audit records with analysis of vulnerable scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_appservice_web_app_diagnostic_logs_enabled
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_batch_account_logging_enabled
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_datalake_analytics_account_logging_enabled
- - azure_datalake_store_account_logging_enabled
- - azure_eventhub_namespace_logging_enabled
- - azure_iot_hub_logging_enabled
- - azure_keyvault_logging_enabled
- - azure_logic_app_workflow_logging_enabled
- - azure_network_watcher_enabled
- - azure_search_service_logging_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_servicebus_namespace_logging_enabled
- - azure_sql_server_auditing_on
- - azure_sql_server_azure_defender_enabled
- - azure_stream_analytics_job_logging_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_au_6_5
+ title: Integrated Analysis of Audit Records AU-6(5)
+ description: The organization integrates analysis of audit records with analysis of vulnerable scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_web_app_diagnostic_logs_enabled
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_batch_account_logging_enabled
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_datalake_analytics_account_logging_enabled
+ - azure_datalake_store_account_logging_enabled
+ - azure_eventhub_namespace_logging_enabled
+ - azure_iot_hub_logging_enabled
+ - azure_keyvault_logging_enabled
+ - azure_logic_app_workflow_logging_enabled
+ - azure_network_watcher_enabled
+ - azure_search_service_logging_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_servicebus_namespace_logging_enabled
+ - azure_sql_server_auditing_on
+ - azure_sql_server_azure_defender_enabled
+ - azure_stream_analytics_job_logging_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
index 29ee163c3..bb3b3e43e 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm.yaml
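Review bot: The new `description:` for AU-6(5) keeps the wording "analysis of vulnerable scanning information", which is both ungrammatical and not what the SP 800-53 enhancement says ("vulnerability scanning information"); the migration copied the old text verbatim instead of correcting it. Change the line to `description: The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and information system monitoring information collected from other sources to further enhance the ability to identify inappropriate or unusual activity.` The same 33-control list is now reused verbatim by AU-12, AU-12(1), AU-6(4) and AU-6(5); a short comment above `controls:` noting that AU-6(5) is evidenced by the shared collection set would save the next maintainer from diffing the four files to find out whether they differ.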
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_53_rev_5_cm
-Title: Configuration Management (CM)
-Description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
-SectionCode: cm
-Children:
- - azure_nist_sp_800_53_rev_5_cm_6
- - azure_nist_sp_800_53_rev_5_cm_7
- - azure_nist_sp_800_53_rev_5_cm_10
- - azure_nist_sp_800_53_rev_5_cm_11
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm
+ title: Configuration Management (CM)
+ description: CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control.
+ section-code: cm
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_cm_6
+ - id: azure_nist_sp_800_53_rev_5_cm_7
+ - id: azure_nist_sp_800_53_rev_5_cm_10
+ - id: azure_nist_sp_800_53_rev_5_cm_11
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
index fc9b92f1c..1fabeb4a4 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_10.yaml
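Review bot: The CM family `description:` promises "a baseline configuration", "information system component inventories and a security impact analysis control", but the new `control-group:` children are only cm_6, cm_7, cm_10 and cm_11 — nothing here maps the baseline (CM-2), inventory (CM-8) or impact-analysis (CM-4) controls the text names, so a reader of the rendered benchmark will assume coverage that does not exist. Either trim the description to what the four children actually evidence, or add a comment above `control-group:` such as `# CM-2, CM-4 and CM-8 have no Azure control mapping in this benchmark yet` so the gap is explicit. The family's `section-code: cm` is unquoted while the leaf codes below are quoted strings; that is harmless for an alphabetic value but worth keeping consistent if numeric family codes are ever added.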
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_cm_10
-Title: Software Usage Restrictions (CM-10)
-Description: The organization uses software and associated documentation in accordance with contract agreements and copyright laws, tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution, and controls and documents the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
-SectionCode: "10"
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_10
+ title: Software Usage Restrictions (CM-10)
+ description: The organization uses software and associated documentation in accordance with contract agreements and copyright laws, tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution, and controls and documents the use of peer-to-peer file-sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+ section-code: "10"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
index 98b63d2ba..cc9703a24 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_11.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_cm_11
-Title: User-installed Software (CM-11)
-Description: The organization establishes organization-defined policies governing the installation of software by users, enforces software installation policies through organization-defined methods, and monitors policy compliance at organization-defined frequency.
-SectionCode: "11"
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_11
+ title: User-installed Software (CM-11)
+ description: The organization establishes organization-defined policies governing the installation of software by users, enforces software installation policies through organization-defined methods, and monitors policy compliance at organization-defined frequency.
+ section-code: "11"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
index 7a057e18c..bdfafef75 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_6.yaml
@@ -1,38 +1,43 @@
-ID: azure_nist_sp_800_53_rev_5_cm_6
-Title: Configuration Settings (CM-6)
-Description: The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
-SectionCode: "6"
-Children: []
-Controls:
- - azure_appservice_api_app_client_certificates_on
- - azure_appservice_api_app_cors_no_star
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_cors_no_star
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_meet_security_baseline_requirements_linux
- - azure_compute_vm_meet_security_baseline_requirements_windows
- - azure_kubernetes_cluster_add_on_azure_policy_enabled
- - azure_kubernetes_cluster_container_cpu_and_memory_resource_limit
- - azure_kubernetes_cluster_container_host_process_id_not_shared
- - azure_kubernetes_cluster_container_privilege_escalation_restricted
- - azure_kubernetes_cluster_container_use_allowed_apparmor_profile
- - azure_kubernetes_cluster_container_use_allowed_capabilities
- - azure_kubernetes_cluster_container_use_allowed_images
- - azure_kubernetes_cluster_container_with_read_only_root_file_system
- - azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path
- - azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range
- - azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id
- - azure_kubernetes_cluster_privilege_containers_restricted
- - azure_kubernetes_cluster_service_listen_to_allowed_ports
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_6
+ title: Configuration Settings (CM-6)
+ description: The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_client_certificates_on
+ - azure_appservice_api_app_cors_no_star
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_client_certificates_on
+ - azure_appservice_function_app_cors_no_star
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_compute_vm_meet_security_baseline_requirements_linux
+ - azure_compute_vm_meet_security_baseline_requirements_windows
+ - azure_kubernetes_cluster_add_on_azure_policy_enabled
+ - azure_kubernetes_cluster_container_cpu_and_memory_resource_limit
+ - azure_kubernetes_cluster_container_host_process_id_not_shared
+ - azure_kubernetes_cluster_container_privilege_escalation_restricted
+ - azure_kubernetes_cluster_container_use_allowed_apparmor_profile
+ - azure_kubernetes_cluster_container_use_allowed_capabilities
+ - azure_kubernetes_cluster_container_use_allowed_images
+ - azure_kubernetes_cluster_container_with_read_only_root_file_system
+ - azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path
+ - azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range
+ - azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id
+ - azure_kubernetes_cluster_privilege_containers_restricted
+ - azure_kubernetes_cluster_service_listen_to_allowed_ports
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
index 77a71077d..65671ca73 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7.yaml
@@ -1,22 +1,28 @@
-ID: azure_nist_sp_800_53_rev_5_cm_7
-Title: Least Functionality (CM-7)
-Description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.
-SectionCode: "7"
-Children:
- - azure_nist_sp_800_53_rev_5_cm_7_2
- - azure_nist_sp_800_53_rev_5_cm_7_5
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
- - azure_securitycenter_azure_defender_on_for_server
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_7
+ title: Least Functionality (CM-7)
+ description: The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of organization-defined prohibited or restricted functions, ports, protocols, and/or services.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_cm_7_2
+ - id: azure_nist_sp_800_53_rev_5_cm_7_5
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
index f5bbcc464..86f3347fc 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
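Review bot: `azure_securitycenter_azure_defender_on_for_server` sits in the CM-7 parent `controls:` list but in neither child (cm_7_2, cm_7_5 carry only the two adaptive-application-control checks), and a Defender plan toggle is a detection capability rather than a least-functionality restriction of "functions, ports, protocols, and/or services" as the description puts it. Presumably it is listed because the adaptive application controls depend on the Defender for Servers plan, but nothing in the file records that, so a later cleanup could drop it as off-topic and silently break the two real checks. A one-line comment above that entry, `# prerequisite: adaptive application controls require the Defender for Servers plan`, makes the dependency auditable. Note also the `service:` tag is `Azure/Compute` while that Defender entry is a subscription-level setting — fine if the tag is meant to name the primary resource only, but worth confirming.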
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_2.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_cm_7_2
-Title: Prevent Program Execution CM-7(2)
-Description: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, rules authorizing the terms and conditions of software program usage.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_7_2
+ title: Prevent Program Execution CM-7(2)
+ description: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, rules authorizing the terms and conditions of software program usage.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
index b52f8d664..f55d5bbdc 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cm_7_5.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_cm_7_5
-Title: Authorized Software ??? Allow-by-exception CM-7(5)
-Description: The organization identifies organization-defined software programs authorized to execute on the information system, employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system, and reviews and updates the list of authorized software programs.
-SectionCode: "5"
-Children: []
-Controls:
- - azure_compute_vm_adaptive_application_controls_enabled
- - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cm_7_5
+ title: Authorized Software ??? Allow-by-exception CM-7(5)
+ description: The organization identifies organization-defined software programs authorized to execute on the information system, employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system, and reviews and updates the list of authorized software programs.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_adaptive_application_controls_enabled
+ - azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
index 6c6ecdbd0..e6d12826a 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
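Review bot: The `title:` still reads `Authorized Software ??? Allow-by-exception CM-7(5)`; the `???` is a mis-encoded dash inherited from the old file, and a schema rewrite that touches every line was the natural place to fix it instead of carrying it into the new format. Suggest `title: Authorized Software — Allow-by-exception CM-7(5)` (or a plain hyphen if the project avoids non-ASCII titles), and a grep of the rest of the framework for the same `???` artefact.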
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_cp
-Title: Contingency Planning (CP)
-Description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
-SectionCode: cp
-Children:
- - azure_nist_sp_800_53_rev_5_cp_6
- - azure_nist_sp_800_53_rev_5_cp_7
- - azure_nist_sp_800_53_rev_5_cp_9
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cp
+ title: Contingency Planning (CP)
+ description: The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution.
+ section-code: cp
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_cp_6
+ - id: azure_nist_sp_800_53_rev_5_cp_7
+ - id: azure_nist_sp_800_53_rev_5_cp_9
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
index e51446698..dc815a645 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6.yaml
@@ -1,23 +1,29 @@
-ID: azure_nist_sp_800_53_rev_5_cp_6
-Title: Alternate Storage Site (CP-6)
-Description: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information and ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
-SectionCode: "6"
-Children:
- - azure_nist_sp_800_53_rev_5_cp_6_1
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cp_6
+ title: Alternate Storage Site (CP-6)
+ description: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information and ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_cp_6_1
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
+ - azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
index d893fdcff..3e221fffe 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_6_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_nist_sp_800_53_rev_5_cp_6_1
-Title: Separation from Primary Site CP-6(1)
-Description: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
- - azure_sql_database_long_term_geo_redundant_backup_enabled
- - azure_storage_account_geo_redundant_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cp_6_1
+ title: Separation from Primary Site CP-6(1)
+ description: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
+ - azure_sql_database_long_term_geo_redundant_backup_enabled
+ - azure_storage_account_geo_redundant_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
index 2f8ee7043..e239afa20 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_7.yaml
@@ -1,18 +1,23 @@
-ID: azure_nist_sp_800_53_rev_5_cp_7
-Title: Alternate Processing Site (CP-7)
-Description: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable, ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption and ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.
-SectionCode: "7"
-Children: []
-Controls:
- - azure_compute_vm_disaster_recovery_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cp_7
+ title: Alternate Processing Site (CP-7)
+ description: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions/business functions within an organization-defined time period consistent with recovery time and recovery point objectives when the primary processing capabilities are unavailable, ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption and ensure that the alternate processing site provides information security safeguards equivalent to that of the primary site.
+ section-code: "7"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_disaster_recovery_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
index ecb42ac0e..3d7acc21d 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_cp_9.yaml
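Review bot: The `description:` value on the new side is one plain scalar of several hundred characters, which defeats line-oriented diffing and trips any yamllint line-length rule; a folded block scalar keeps the runtime string byte-identical while letting the source wrap, i.e. `description: >-` with the sentence indented beneath it and line breaks placed at clause boundaries. The ia_5_1 and ir_4 hunks below carry descriptions of the same length and would benefit from the same treatment.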
@@ -1,22 +1,27 @@
-ID: azure_nist_sp_800_53_rev_5_cp_9
-Title: System Backup (CP-9)
-Description: The organization conducts backups of information system documentation including security-related documentation, user-level and system-level information contained in the information system with recovery time and recovery point objectives, and protects the confidentiality, integrity, and availability of backup information at storage locations.
-SectionCode: "9"
-Children: []
-Controls:
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_soft_delete_enabled
- - azure_mariadb_server_geo_redundant_backup_enabled
- - azure_mysql_db_server_geo_redundant_backup_enabled
- - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_cp_9
+ title: System Backup (CP-9)
+ description: The organization conducts backups of information system documentation including security-related documentation, user-level and system-level information contained in the information system with recovery time and recovery point objectives, and protects the confidentiality, integrity, and availability of backup information at storage locations.
+ section-code: "9"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_keyvault_purge_protection_enabled
+ - azure_keyvault_soft_delete_enabled
+ - azure_mariadb_server_geo_redundant_backup_enabled
+ - azure_mysql_db_server_geo_redundant_backup_enabled
+ - azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
index ff0cba309..fec33383b 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_ia
-Title: Identification and Authentication (IA)
-Description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
-SectionCode: ia
-Children:
- - azure_nist_sp_800_53_rev_5_ia_2
- - azure_nist_sp_800_53_rev_5_ia_4
- - azure_nist_sp_800_53_rev_5_ia_5
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia
+ title: Identification and Authentication (IA)
+ description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems.
+ section-code: ia
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ia_2
+ - id: azure_nist_sp_800_53_rev_5_ia_4
+ - id: azure_nist_sp_800_53_rev_5_ia_5
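Review bot: The `description:` on the new side ends with "…users and how the management of those systems.", a clause with no verb that was copied over from the old file unchanged. Suggest `description: IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users, and how those systems are managed.`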
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
index 8427f4e02..d5e87f0df 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2.yaml
@@ -1,27 +1,33 @@
-ID: azure_nist_sp_800_53_rev_5_ia_2
-Title: Identification and Authentication (organizational Users) (IA-2)
-Description: Identify and authenticate organization users and processes.
-SectionCode: "2"
-Children:
- - azure_nist_sp_800_53_rev_5_ia_2_1
- - azure_nist_sp_800_53_rev_5_ia_2_2
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_2
+ title: Identification and Authentication (organizational Users) (IA-2)
+ description: Identify and authenticate organization users and processes.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ia_2_1
+ - id: azure_nist_sp_800_53_rev_5_ia_2_2
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_cognitive_service_local_auth_disabled
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
index 8b14e7597..dc80dd36b 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_1.yaml
@@ -1,9 +1,14 @@
-ID: azure_nist_sp_800_53_rev_5_ia_2_1
-Title: Multi-factor Authentication to Privileged Accounts IA-2(1)
-Description: Implement multi-factor authentication for access to privileged accounts.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_2_1
+ title: Multi-factor Authentication to Privileged Accounts IA-2(1)
+ description: Implement multi-factor authentication for access to privileged accounts.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
index d34c39b59..0f4c9da00 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_2_2.yaml
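Review bot: `tags: {}` leaves this group without the `category`, `nist_sp_800_53_rev_5`, `plugin`, `service` and `type` tags that its parent ia_2 and sibling ia_4 carry, so any tag-driven filtering or reporting will skip IA-2(1), the MFA-for-privileged-accounts enhancement, while including its neighbours. The same empty map is on ia_2_2 in the next hunk. Unless tags are inherited from the parent group (not visible here), copy the parent's `tags:` block onto both groups.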
@@ -1,8 +1,13 @@
-ID: azure_nist_sp_800_53_rev_5_ia_2_2
-Title: Multi-factor Authentication to Non-privileged Accounts
-Description: Implement multi-factor authentication for access to non-privileged accounts.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
-Tags: {}
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_2_2
+ title: Multi-factor Authentication to Non-privileged Accounts
+ description: Implement multi-factor authentication for access to non-privileged accounts.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_user_with_read_permission_on_subscription_mfa_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
index acd034d06..07b436ef9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_4.yaml
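Review bot: The `title:` omits the control identifier that every other enhancement in this diff appends (`IA-2(1)`, `CM-7(2)`, `CP-6(1)`), so this group sorts and searches differently from its siblings. Suggest `title: Multi-factor Authentication to Non-privileged Accounts IA-2(2)`.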
@@ -1,22 +1,27 @@
-ID: azure_nist_sp_800_53_rev_5_ia_4
-Title: Identifier Management (IA-4)
-Description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_appservice_function_app_uses_managed_identity
- - azure_appservice_web_app_uses_managed_identity
- - azure_cognitive_service_local_auth_disabled
- - azure_servicefabric_cluster_active_directory_authentication_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_4
+ title: Identifier Management (IA-4)
+ description: Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_function_app_uses_managed_identity
+ - azure_appservice_web_app_uses_managed_identity
+ - azure_cognitive_service_local_auth_disabled
+ - azure_servicefabric_cluster_active_directory_authentication_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
index a6a51d5e7..bfea36ab7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5.yaml
@@ -1,28 +1,34 @@
-ID: azure_nist_sp_800_53_rev_5_ia_5
-Title: Authenticator Management (IA-5)
-Description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
-SectionCode: "5"
-Children:
- - azure_nist_sp_800_53_rev_5_ia_5_1
-Controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_password_file_permissions_0644_linux
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_ssh_key_authentication_linux
- - azure_keyvault_certificate_validity_12_months
- - azure_keyvault_key_expiration_set
- - azure_keyvault_secret_expiration_set
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_5
+ title: Authenticator Management (IA-5)
+ description: Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ia_5_1
+ controls:
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_password_file_permissions_0644_linux
+ - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+ - azure_compute_vm_ssh_key_authentication_linux
+ - azure_keyvault_certificate_validity_12_months
+ - azure_keyvault_key_expiration_set
+ - azure_keyvault_secret_expiration_set
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
index 8212bf1fc..fc04b038a 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ia_5_1.yaml
@@ -1,28 +1,33 @@
-ID: azure_nist_sp_800_53_rev_5_ia_5_1
-Title: Password-based Authentication IA-5(1)
-Description: The information system, for password-based authentication, enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; enforces at least the organization-defined number of changed characters when new passwords are created; stores and transmits only cryptographically-protected passwords; enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum; prohibits password reuse for organization-defined number generations; and allows the use of a temporary password for system logons with an immediate change to a permanent password.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_compute_vm_guest_configuration_installed_linux
- - azure_compute_vm_guest_configuration_installed_windows
- - azure_compute_vm_guest_configuration_with_no_managed_identity
- - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
- - azure_compute_vm_max_password_age_70_days_windows
- - azure_compute_vm_min_password_age_1_day_windows
- - azure_compute_vm_min_password_length_14_windows
- - azure_compute_vm_password_complexity_setting_enabled_windows
- - azure_compute_vm_password_file_permissions_0644_linux
- - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
- - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ia_5_1
+ title: Password-based Authentication IA-5(1)
+ description: The information system, for password-based authentication, enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; enforces at least the organization-defined number of changed characters when new passwords are created; stores and transmits only cryptographically-protected passwords; enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum; prohibits password reuse for organization-defined number generations; and allows the use of a temporary password for system logons with an immediate change to a permanent password.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_guest_configuration_installed_linux
+ - azure_compute_vm_guest_configuration_installed_windows
+ - azure_compute_vm_guest_configuration_with_no_managed_identity
+ - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+ - azure_compute_vm_max_password_age_70_days_windows
+ - azure_compute_vm_min_password_age_1_day_windows
+ - azure_compute_vm_min_password_length_14_windows
+ - azure_compute_vm_password_complexity_setting_enabled_windows
+ - azure_compute_vm_password_file_permissions_0644_linux
+ - azure_compute_vm_passwords_stored_using_reversible_encryption_windows
+ - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
index 425256d6a..aaaaefea3 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
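Review bot: The last entry under `controls:`, `azure_compute_vm_restrict_previous_24_passwords_resuse_windows`, spells "reuse" as "resuse". It is a reference to a control id defined outside this diff, so it is only correct if that control file uses the same spelling; please confirm the reference resolves, since a dangling id here would silently drop the password-history check from IA-5(1).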
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_ir
-Title: Incident Response (IR)
-Description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
-SectionCode: ir
-Children:
- - azure_nist_sp_800_53_rev_5_ir_4
- - azure_nist_sp_800_53_rev_5_ir_5
- - azure_nist_sp_800_53_rev_5_ir_6_2
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ir
+ title: Incident Response (IR)
+ description: IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan.
+ section-code: ir
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_ir_4
+ - id: azure_nist_sp_800_53_rev_5_ir_5
+ - id: azure_nist_sp_800_53_rev_5_ir_6_2
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
index cc4c49eb8..3c5a46dd0 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_4.yaml
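Review bot: `control-group` lists `azure_nist_sp_800_53_rev_5_ir_6_2` as a direct child of the IR family, whereas every other enhancement in this diff hangs off its base control (cp_6 → cp_6_1, ia_2 → ia_2_1, ia_5 → ia_5_1), so the tree shape is inconsistent and reports that walk by depth will place IR-6(2) at the wrong level. If IR-6 has no mappable Azure controls of its own, a comment on that line such as `# IR-6 base control has no Azure mapping; enhancement (2) attached directly` would record the exception; otherwise add an `ir_6` group and nest `ir_6_2` under it.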
@@ -1,30 +1,35 @@
-ID: azure_nist_sp_800_53_rev_5_ir_4
-Title: Incident Handling (IR-4)
-Description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; coordinates incident handling activities with contingency planning activities; and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_ir_4
+ title: Incident Handling (IR-4)
+ description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; coordinates incident handling activities with contingency planning activities; and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
index b4b44d3ae..ee685f27c 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_5.yaml
@@ -1,30 +1,35 @@ -ID: azure_nist_sp_800_53_rev_5_ir_5 -Title: Incident Monitoring (IR-5) -Description: The organization tracks and documents information system security incidents. -SectionCode: "5" -Children: [] -Controls: - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled - - azure_sql_server_azure_defender_enabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_ir_5 + title: Incident Monitoring (IR-5) + description: The organization tracks and documents information system security incidents. 
+ section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_dns + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_sqlservervm + - azure_securitycenter_azure_defender_on_for_storage + - azure_securitycenter_email_configured + - azure_securitycenter_notify_alerts_configured + - azure_securitycenter_security_alerts_to_owner_enabled + - azure_sql_server_azure_defender_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml index cab7cb403..2f0d6e2ee 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ir_6_2.yaml 
@@ -1,20 +1,25 @@ -ID: azure_nist_sp_800_53_rev_5_ir_6_2 -Title: Vulnerabilities Related to Incidents IR-6(2) -Description: The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles. -SectionCode: "6_2" -Children: [] -Controls: - - azure_securitycenter_email_configured - - azure_securitycenter_notify_alerts_configured - - azure_securitycenter_security_alerts_to_owner_enabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure/SecurityCenter - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_ir_6_2 + title: Vulnerabilities Related to Incidents IR-6(2) + description: The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles. + section-code: "6_2" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure/SecurityCenter + type: + - Benchmark + controls: + - azure_securitycenter_email_configured + - azure_securitycenter_notify_alerts_configured + - azure_securitycenter_security_alerts_to_owner_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml index 5a1c5270f..dc2f658ab 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra.yaml 
@@ -1,18 +1,23 @@ -ID: azure_nist_sp_800_53_rev_5_ra -Title: Risk Assessment (RA) -Description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. -SectionCode: ra -Children: - - azure_nist_sp_800_53_rev_5_ra_5 -Controls: [] -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_ra + title: Risk Assessment (RA) + description: The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts. + section-code: ra + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_nist_sp_800_53_rev_5_ra_5 diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml index b7fa19c7e..32ef7793c 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_ra_5.yaml 
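Review bot: the `description` of this Risk Assessment group carries a vendor plug ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts") that is not part of the control family's definition and reads as marketing copy inside a compliance benchmark. The second sentence says nothing about what the group evaluates and ties framework text to a third-party product. Suggest trimming it to `description: The RA control family covers an organization's risk assessment policies and vulnerability scanning capabilities.`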
@@ -1,37 +1,42 @@ -ID: azure_nist_sp_800_53_rev_5_ra_5 -Title: Vulnerability Monitoring and Scanning (RA-5) -Description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. -SectionCode: "5" -Children: [] -Controls: - - azure_compute_vm_container_security_configurations_vulnerabilities_remediated - - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated - - azure_compute_vm_security_configuration_vulnerabilities_remediated - - azure_compute_vm_vulnerability_assessment_solution_enabled - - azure_compute_vm_vulnerability_findings_resolved_for_sql_server - - azure_container_registry_vulnerabilities_remediated - - azure_mssql_managed_instance_vulnerability_assessment_enabled - - azure_securitycenter_azure_defender_on_for_appservice - - azure_securitycenter_azure_defender_on_for_containers - - azure_securitycenter_azure_defender_on_for_dns - - azure_securitycenter_azure_defender_on_for_keyvault - - azure_securitycenter_azure_defender_on_for_resource_manager - - azure_securitycenter_azure_defender_on_for_server - - azure_securitycenter_azure_defender_on_for_sqldb - - azure_securitycenter_azure_defender_on_for_sqlservervm - - azure_securitycenter_azure_defender_on_for_storage - - azure_sql_database_vulnerability_findings_resolved - - azure_sql_server_and_databases_va_enabled - - azure_sql_server_azure_defender_enabled - - azure_synapse_workspace_vulnerability_assessment_enabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_ra_5 + title: Vulnerability Monitoring and Scanning (RA-5) + description: Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities. 
+ section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_compute_vm_container_security_configurations_vulnerabilities_remediated + - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated + - azure_compute_vm_security_configuration_vulnerabilities_remediated + - azure_compute_vm_vulnerability_assessment_solution_enabled + - azure_compute_vm_vulnerability_findings_resolved_for_sql_server + - azure_container_registry_vulnerabilities_remediated + - azure_mssql_managed_instance_vulnerability_assessment_enabled + - azure_securitycenter_azure_defender_on_for_appservice + - azure_securitycenter_azure_defender_on_for_containers + - azure_securitycenter_azure_defender_on_for_dns + - azure_securitycenter_azure_defender_on_for_keyvault + - azure_securitycenter_azure_defender_on_for_resource_manager + - azure_securitycenter_azure_defender_on_for_server + - azure_securitycenter_azure_defender_on_for_sqldb + - azure_securitycenter_azure_defender_on_for_sqlservervm + - azure_securitycenter_azure_defender_on_for_storage + - azure_sql_database_vulnerability_findings_resolved + - azure_sql_server_and_databases_va_enabled + - azure_sql_server_azure_defender_enabled + - azure_synapse_workspace_vulnerability_assessment_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml index 8fda0f5aa..087acac4e 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc.yaml 
@@ -1,23 +1,28 @@ -ID: azure_nist_sp_800_53_rev_5_sc -Title: System and Communications Protection (SC) -Description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. -SectionCode: sc -Children: - - azure_nist_sp_800_53_rev_5_sc_3 - - azure_nist_sp_800_53_rev_5_sc_5 - - azure_nist_sp_800_53_rev_5_sc_7 - - azure_nist_sp_800_53_rev_5_sc_8 - - azure_nist_sp_800_53_rev_5_sc_12 - - azure_nist_sp_800_53_rev_5_sc_28 -Controls: [] -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc + title: System and Communications Protection (SC) + description: The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others. + section-code: sc + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_nist_sp_800_53_rev_5_sc_3 + - id: azure_nist_sp_800_53_rev_5_sc_5 + - id: azure_nist_sp_800_53_rev_5_sc_7 + - id: azure_nist_sp_800_53_rev_5_sc_8 + - id: azure_nist_sp_800_53_rev_5_sc_12 + - id: azure_nist_sp_800_53_rev_5_sc_28 diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml index 80c21d8ee..6860b1588 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml 
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_12.yaml 
@@ -1,50 +1,55 @@ -ID: azure_nist_sp_800_53_rev_5_sc_12 -Title: Cryptographic Key Establishment and Management (SC-12) -Description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction. -SectionCode: "12" -Children: [] -Controls: - - azure_automation_account_encrypted_with_cmk - - azure_batch_account_encrypted_with_cmk - - azure_bot_service_encrypted_with_cmk - - azure_cognitive_account_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk - - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed - - azure_container_instance_container_group_encrypted_using_cmk - - azure_container_registry_encrypted_with_cmk - - azure_cosmosdb_account_encryption_at_rest_using_cmk - - azure_data_factory_encrypted_with_cmk - - azure_databox_job_unlock_password_encrypted_with_cmk - - azure_eventhub_namespace_cmk_encryption_enabled - - azure_hdinsight_cluster_encrypted_at_rest_with_cmk - - azure_hdinsight_cluster_encryption_at_host_enabled - - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk - - azure_hpc_cache_encrypted_with_cmk - - azure_iot_hub_encrypted_with_cmk - - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk - - azure_kusto_cluster_encrypted_at_rest_with_cmk - - azure_logic_app_integration_service_environment_encrypted_with_cmk - - azure_machine_learning_workspace_encrypted_with_cmk - - azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account - - azure_monitor_log_cluster_encrypted_with_cmk - - azure_mssql_managed_instance_encryption_at_rest_using_cmk - - azure_mysql_server_encrypted_at_rest_using_cmk - - azure_postgres_sql_server_encrypted_at_rest_using_cmk - - azure_recovery_service_vault_encrypted_with_cmk - - azure_servicebus_premium_namespace_cmk_encrypted - - 
azure_sql_server_tde_protector_cmk_encrypted - - azure_storage_account_encryption_at_rest_using_cmk - - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk - - azure_stream_analytics_job_encrypted_with_cmk - - azure_synapse_workspace_encryption_at_rest_using_cmk -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_12 + title: Cryptographic Key Establishment and Management (SC-12) + description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction. + section-code: "12" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_automation_account_encrypted_with_cmk + - azure_batch_account_encrypted_with_cmk + - azure_bot_service_encrypted_with_cmk + - azure_cognitive_account_encrypted_with_cmk + - azure_compute_os_and_data_disk_encrypted_with_cmk + - azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed + - azure_container_instance_container_group_encrypted_using_cmk + - azure_container_registry_encrypted_with_cmk + - azure_cosmosdb_account_encryption_at_rest_using_cmk + - azure_data_factory_encrypted_with_cmk + - azure_databox_job_unlock_password_encrypted_with_cmk + - azure_eventhub_namespace_cmk_encryption_enabled + - azure_hdinsight_cluster_encrypted_at_rest_with_cmk + - azure_hdinsight_cluster_encryption_at_host_enabled + - azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk + - azure_hpc_cache_encrypted_with_cmk + - azure_iot_hub_encrypted_with_cmk + - azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk + - 
azure_kusto_cluster_encrypted_at_rest_with_cmk + - azure_logic_app_integration_service_environment_encrypted_with_cmk + - azure_machine_learning_workspace_encrypted_with_cmk + - azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account + - azure_monitor_log_cluster_encrypted_with_cmk + - azure_mssql_managed_instance_encryption_at_rest_using_cmk + - azure_mysql_server_encrypted_at_rest_using_cmk + - azure_postgres_sql_server_encrypted_at_rest_using_cmk + - azure_recovery_service_vault_encrypted_with_cmk + - azure_servicebus_premium_namespace_cmk_encrypted + - azure_sql_server_tde_protector_cmk_encrypted + - azure_storage_account_encryption_at_rest_using_cmk + - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk + - azure_stream_analytics_job_encrypted_with_cmk + - azure_synapse_workspace_encryption_at_rest_using_cmk diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml index 0e7ee4e3b..9bb8337a2 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28.yaml 
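Review bot: `azure_hdinsight_cluster_encryption_at_host_enabled` sits in the SC-12 (cryptographic key establishment and management) list, but every other entry in that list checks for customer-managed-key usage, and, if the control does what its name says, encryption at host is a platform-managed setting that says nothing about who generates, holds or rotates the key. It would fit SC-28 / SC-28(1) next to the other encryption-at-host checks in this change rather than a key-management requirement. Suggest moving it there, or if the placement is intentional, a comment on the line explaining why it evidences key management. Worth confirming against the control's actual query before moving it.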
@@ -1,32 +1,38 @@ -ID: azure_nist_sp_800_53_rev_5_sc_28 -Title: Protection of Information at Rest (SC-28) -Description: The information system protects the confidentiality and integrity of organization-defined information at rest. -SectionCode: "28" -Children: - - azure_nist_sp_800_53_rev_5_sc_28_1 -Controls: - - azure_app_service_environment_internal_encryption_enabled - - azure_compute_vm_and_sacle_set_encryption_at_host_enabled - - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted - - azure_databox_edge_device_double_encryption_enabled - - azure_databox_job_double_encryption_enabled - - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host - - azure_kusto_cluster_disk_encryption_enabled - - azure_kusto_cluster_double_encryption_enabled - - azure_monitor_log_cluster_infrastructure_encryption_enabled - - azure_mysql_server_infrastructure_encryption_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign - - azure_sql_server_transparent_data_encryption_enabled - - azure_storage_account_infrastructure_encryption_enabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_28 + title: Protection of Information at Rest (SC-28) + description: The information system protects the confidentiality and integrity of organization-defined information at rest. 
+ section-code: "28" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_nist_sp_800_53_rev_5_sc_28_1 + controls: + - azure_app_service_environment_internal_encryption_enabled + - azure_compute_vm_and_sacle_set_encryption_at_host_enabled + - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted + - azure_databox_edge_device_double_encryption_enabled + - azure_databox_job_double_encryption_enabled + - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host + - azure_kusto_cluster_disk_encryption_enabled + - azure_kusto_cluster_double_encryption_enabled + - azure_monitor_log_cluster_infrastructure_encryption_enabled + - azure_mysql_server_infrastructure_encryption_enabled + - azure_postgresql_server_infrastructure_encryption_enabled + - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign + - azure_sql_server_transparent_data_encryption_enabled + - azure_storage_account_infrastructure_encryption_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml index 0d52f351d..a8358845d 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_28_1.yaml 
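Review bot: the control reference `azure_compute_vm_and_sacle_set_encryption_at_host_enabled` (second entry under `controls`) is misspelled ("sacle"); it is carried over from the old side, so if the control definition uses the same spelling the reference resolves, but if the definition was ever corrected to `scale` this group silently loses that check. Please confirm the ID resolves in the controls directory; a stale ID in a compliance group is a coverage gap rather than a load error unless the loader validates references. Ideally fix the spelling at the definition and update this reference, and the identical one in SC-28(1), in the same change.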
@@ -1,31 +1,36 @@ -ID: azure_nist_sp_800_53_rev_5_sc_28_1 -Title: Cryptographic Protection SC-28(1) -Description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components. -SectionCode: "1" -Children: [] -Controls: - - azure_app_service_environment_internal_encryption_enabled - - azure_compute_vm_and_sacle_set_encryption_at_host_enabled - - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted - - azure_databox_edge_device_double_encryption_enabled - - azure_databox_job_double_encryption_enabled - - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host - - azure_kusto_cluster_disk_encryption_enabled - - azure_kusto_cluster_double_encryption_enabled - - azure_monitor_log_cluster_infrastructure_encryption_enabled - - azure_mysql_server_infrastructure_encryption_enabled - - azure_postgresql_server_infrastructure_encryption_enabled - - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign - - azure_sql_server_transparent_data_encryption_enabled - - azure_storage_account_infrastructure_encryption_enabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_28_1 + title: Cryptographic Protection SC-28(1) + description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information on organization-defined information system components. 
+ section-code: "1" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_app_service_environment_internal_encryption_enabled + - azure_compute_vm_and_sacle_set_encryption_at_host_enabled + - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted + - azure_databox_edge_device_double_encryption_enabled + - azure_databox_job_double_encryption_enabled + - azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host + - azure_kusto_cluster_disk_encryption_enabled + - azure_kusto_cluster_double_encryption_enabled + - azure_monitor_log_cluster_infrastructure_encryption_enabled + - azure_mysql_server_infrastructure_encryption_enabled + - azure_postgresql_server_infrastructure_encryption_enabled + - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign + - azure_sql_server_transparent_data_encryption_enabled + - azure_storage_account_infrastructure_encryption_enabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml index 445a6ebd4..bdf8b67f0 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_3.yaml 
@@ -1,21 +1,26 @@ -ID: azure_nist_sp_800_53_rev_5_sc_3 -Title: Security Function Isolation (SC-3) -Description: The information system isolates security functions from nonsecurity functions. -SectionCode: "3" -Children: [] -Controls: - - azure_compute_vm_monitor_missing_endpoint_protection_in_asc - - azure_compute_vm_scale_set_endpoint_protection_solution_installed - - azure_compute_vm_windows_defender_exploit_guard_enabled - - azure_securitycenter_azure_defender_on_for_server -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure/Compute - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_3 + title: Security Function Isolation (SC-3) + description: The information system isolates security functions from nonsecurity functions. + section-code: "3" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure/Compute + type: + - Benchmark + controls: + - azure_compute_vm_monitor_missing_endpoint_protection_in_asc + - azure_compute_vm_scale_set_endpoint_protection_solution_installed + - azure_compute_vm_windows_defender_exploit_guard_enabled + - azure_securitycenter_azure_defender_on_for_server diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml index 1dc10ce1c..0348b76f0 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_5.yaml 
@@ -1,21 +1,26 @@ -ID: azure_nist_sp_800_53_rev_5_sc_5 -Title: Denial-of-service Protection (SC-5) -Description: The information system protects against or limits the effects of the organization-defined types of denial of service attacks or reference to a source for such information by employing organization-defined security safeguards. -SectionCode: "5" -Children: [] -Controls: - - azure_application_gateway_waf_enabled - - azure_frontdoor_waf_enabled - - azure_network_ddos_enabled - - azure_network_interface_ip_forwarding_disabled -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_5 + title: Denial-of-service Protection (SC-5) + description: The information system protects against or limits the effects of the organization-defined types of denial of service attacks or reference to a source for such information by employing organization-defined security safeguards. + section-code: "5" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + controls: + - azure_application_gateway_waf_enabled + - azure_frontdoor_waf_enabled + - azure_network_ddos_enabled + - azure_network_interface_ip_forwarding_disabled diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml index f1198b07e..e8234e4b2 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7.yaml 
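Review bot: `azure_network_interface_ip_forwarding_disabled` under Denial-of-service Protection (SC-5) looks misplaced: disabling IP forwarding on a NIC stops the VM from routing traffic on behalf of other hosts, a pivoting and spoofing concern, which is why the same control also appears under SC-7 Boundary Protection in this change; it does not limit the effect of a denial-of-service attack on the system. Unless the mapping is deliberately broad, dropping it here leaves `azure_network_ddos_enabled` and the two WAF controls as the SC-5 evidence, which is what the description actually describes. If it is kept, a comment on the line such as `# mapped to SC-5 because ...` would help the next maintainer.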
@@ -1,69 +1,75 @@ -ID: azure_nist_sp_800_53_rev_5_sc_7 -Title: Boundary Protection (SC-7) -Description: The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; implements subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. -SectionCode: "7" -Children: - - azure_nist_sp_800_53_rev_5_sc_7_3 -Controls: - - azure_apimanagement_service_with_virtual_network - - azure_app_configuration_private_link_used - - azure_application_gateway_waf_enabled - - azure_redis_cache_uses_private_link - - azure_cognitive_account_private_link_used - - azure_cognitive_account_public_network_access_disabled - - azure_cognitive_account_restrict_public_access - - azure_compute_disk_access_uses_private_link - - azure_compute_vm_adaptive_network_hardening_recommendation_applied - - azure_compute_vm_image_builder_uses_private_link - - azure_compute_vm_jit_access_protected - - azure_compute_vm_non_internet_facing_protected_with_nsg - - azure_compute_vm_remote_access_restricted_all_ports - - azure_compute_vm_tcp_udp_access_restricted_internet - - azure_container_registry_restrict_public_access - - azure_container_registry_uses_private_link - - azure_cosmosdb_account_uses_private_link - - azure_cosmosdb_account_with_firewall_rules - - azure_data_factory_uses_private_link - - azure_eventgrid_domain_private_link_used - - azure_eventgrid_topic_private_link_used - - azure_eventhub_namespace_private_link_used - - azure_frontdoor_waf_enabled - - azure_healthcare_fhir_uses_private_link - - azure_keyvault_firewall_enabled - - azure_keyvault_vault_private_link_used - - azure_kubernetes_cluster_authorized_ip_range_defined - - 
azure_machine_learning_workspace_private_link_used - - azure_mariadb_server_public_network_access_disabled - - azure_mysql_server_private_link_used - - azure_mysql_server_public_network_access_disabled - - azure_network_interface_ip_forwarding_disabled - - azure_network_security_group_remote_access_restricted - - azure_network_security_group_subnet_associated - - azure_network_subnet_protected_by_firewall - - azure_postgres_server_private_link_used - - azure_postgresql_server_public_network_access_disabled - - azure_search_service_public_network_access_disabled - - azure_search_service_uses_private_link - - azure_search_service_uses_sku_supporting_private_link - - azure_servicebus_name_space_private_link_used - - azure_signalr_service_private_link_used - - azure_sql_db_public_network_access_disabled - - azure_sql_server_uses_private_link - - azure_storage_account_block_public_access - - azure_storage_account_default_network_access_rule_denied - - azure_storage_account_restrict_network_access - - azure_storage_account_uses_private_link - - azure_storage_sync_private_link_used - - azure_synapse_workspace_private_link_used - - azure_web_pub_sub_private_link_used -Tags: - category: - - Compliance - nist_sp_800_53_rev_5: - - "true" - plugin: - - azure - service: - - Azure - type: - - Benchmark +control-group: + id: azure_nist_sp_800_53_rev_5_sc_7 + title: Boundary Protection (SC-7) + description: The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; implements subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 
+ section-code: "7" + metadata: + defaults: + auto-assign: null + enabled: false + tracks-drift-events: false + tags: + category: + - Compliance + nist_sp_800_53_rev_5: + - "true" + plugin: + - azure + service: + - Azure + type: + - Benchmark + control-group: + - id: azure_nist_sp_800_53_rev_5_sc_7_3 + controls: + - azure_apimanagement_service_with_virtual_network + - azure_app_configuration_private_link_used + - azure_application_gateway_waf_enabled + - azure_redis_cache_uses_private_link + - azure_cognitive_account_private_link_used + - azure_cognitive_account_public_network_access_disabled + - azure_cognitive_account_restrict_public_access + - azure_compute_disk_access_uses_private_link + - azure_compute_vm_adaptive_network_hardening_recommendation_applied + - azure_compute_vm_image_builder_uses_private_link + - azure_compute_vm_jit_access_protected + - azure_compute_vm_non_internet_facing_protected_with_nsg + - azure_compute_vm_remote_access_restricted_all_ports + - azure_compute_vm_tcp_udp_access_restricted_internet + - azure_container_registry_restrict_public_access + - azure_container_registry_uses_private_link + - azure_cosmosdb_account_uses_private_link + - azure_cosmosdb_account_with_firewall_rules + - azure_data_factory_uses_private_link + - azure_eventgrid_domain_private_link_used + - azure_eventgrid_topic_private_link_used + - azure_eventhub_namespace_private_link_used + - azure_frontdoor_waf_enabled + - azure_healthcare_fhir_uses_private_link + - azure_keyvault_firewall_enabled + - azure_keyvault_vault_private_link_used + - azure_kubernetes_cluster_authorized_ip_range_defined + - azure_machine_learning_workspace_private_link_used + - azure_mariadb_server_public_network_access_disabled + - azure_mysql_server_private_link_used + - azure_mysql_server_public_network_access_disabled + - azure_network_interface_ip_forwarding_disabled + - azure_network_security_group_remote_access_restricted + - azure_network_security_group_subnet_associated + - 
azure_network_subnet_protected_by_firewall + - azure_postgres_server_private_link_used + - azure_postgresql_server_public_network_access_disabled + - azure_search_service_public_network_access_disabled + - azure_search_service_uses_private_link + - azure_search_service_uses_sku_supporting_private_link + - azure_servicebus_name_space_private_link_used + - azure_signalr_service_private_link_used + - azure_sql_db_public_network_access_disabled + - azure_sql_server_uses_private_link + - azure_storage_account_block_public_access + - azure_storage_account_default_network_access_rule_denied + - azure_storage_account_restrict_network_access + - azure_storage_account_uses_private_link + - azure_storage_sync_private_link_used + - azure_synapse_workspace_private_link_used + - azure_web_pub_sub_private_link_used diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml index c6507ae19..06a132158 100755 --- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml +++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_7_3.yaml 
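Review bot: `azure_redis_cache_uses_private_link` (fourth entry under `controls`) breaks the otherwise alphabetical ordering of the SC-7 list, which makes this 50-entry list harder to diff against SC-7(3), whose group appears to carry the same entries in the same order. Moving it between `azure_postgresql_server_public_network_access_disabled` and `azure_search_service_public_network_access_disabled` restores the sort. Beyond style, keeping two identical 50-item lists in sync by hand is fragile; if the loader aggregates a child group's controls into its parent, SC-7 could reference only `control-group: - id: azure_nist_sp_800_53_rev_5_sc_7_3`, but check how the consumer treats controls on a parent group before relying on that.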
@@ -1,68 +1,73 @@
-ID: azure_nist_sp_800_53_rev_5_sc_7_3
-Title: Access Points SC-7(3)
-Description: The organization limits the number of external network connections to the information system.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_apimanagement_service_with_virtual_network
- - azure_app_configuration_private_link_used
- - azure_application_gateway_waf_enabled
- - azure_redis_cache_uses_private_link
- - azure_cognitive_account_private_link_used
- - azure_cognitive_account_public_network_access_disabled
- - azure_cognitive_account_restrict_public_access
- - azure_compute_disk_access_uses_private_link
- - azure_compute_vm_adaptive_network_hardening_recommendation_applied
- - azure_compute_vm_image_builder_uses_private_link
- - azure_compute_vm_jit_access_protected
- - azure_compute_vm_non_internet_facing_protected_with_nsg
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_compute_vm_tcp_udp_access_restricted_internet
- - azure_container_registry_restrict_public_access
- - azure_container_registry_uses_private_link
- - azure_cosmosdb_account_uses_private_link
- - azure_cosmosdb_account_with_firewall_rules
- - azure_data_factory_uses_private_link
- - azure_eventgrid_domain_private_link_used
- - azure_eventgrid_topic_private_link_used
- - azure_eventhub_namespace_private_link_used
- - azure_frontdoor_waf_enabled
- - azure_healthcare_fhir_uses_private_link
- - azure_keyvault_firewall_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kubernetes_cluster_authorized_ip_range_defined
- - azure_machine_learning_workspace_private_link_used
- - azure_mariadb_server_public_network_access_disabled
- - azure_mysql_server_private_link_used
- - azure_mysql_server_public_network_access_disabled
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
- - azure_network_security_group_subnet_associated
- - azure_network_subnet_protected_by_firewall
- - azure_postgres_server_private_link_used
- - azure_postgresql_server_public_network_access_disabled
- - azure_search_service_public_network_access_disabled
- - azure_search_service_uses_private_link
- - azure_search_service_uses_sku_supporting_private_link
- - azure_servicebus_name_space_private_link_used
- - azure_signalr_service_private_link_used
- - azure_sql_db_public_network_access_disabled
- - azure_sql_server_uses_private_link
- - azure_storage_account_block_public_access
- - azure_storage_account_default_network_access_rule_denied
- - azure_storage_account_restrict_network_access
- - azure_storage_account_uses_private_link
- - azure_storage_sync_private_link_used
- - azure_synapse_workspace_private_link_used
- - azure_web_pub_sub_private_link_used
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_sc_7_3
+ title: Access Points SC-7(3)
+ description: The organization limits the number of external network connections to the information system.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_apimanagement_service_with_virtual_network
+ - azure_app_configuration_private_link_used
+ - azure_application_gateway_waf_enabled
+ - azure_redis_cache_uses_private_link
+ - azure_cognitive_account_private_link_used
+ - azure_cognitive_account_public_network_access_disabled
+ - azure_cognitive_account_restrict_public_access
+ - azure_compute_disk_access_uses_private_link
+ - azure_compute_vm_adaptive_network_hardening_recommendation_applied
+ - azure_compute_vm_image_builder_uses_private_link
+ - azure_compute_vm_jit_access_protected
+ - azure_compute_vm_non_internet_facing_protected_with_nsg
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_compute_vm_tcp_udp_access_restricted_internet
+ - azure_container_registry_restrict_public_access
+ - azure_container_registry_uses_private_link
+ - azure_cosmosdb_account_uses_private_link
+ - azure_cosmosdb_account_with_firewall_rules
+ - azure_data_factory_uses_private_link
+ - azure_eventgrid_domain_private_link_used
+ - azure_eventgrid_topic_private_link_used
+ - azure_eventhub_namespace_private_link_used
+ - azure_frontdoor_waf_enabled
+ - azure_healthcare_fhir_uses_private_link
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kubernetes_cluster_authorized_ip_range_defined
+ - azure_machine_learning_workspace_private_link_used
+ - azure_mariadb_server_public_network_access_disabled
+ - azure_mysql_server_private_link_used
+ - azure_mysql_server_public_network_access_disabled
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
+ - azure_network_security_group_subnet_associated
+ - azure_network_subnet_protected_by_firewall
+ - azure_postgres_server_private_link_used
+ - azure_postgresql_server_public_network_access_disabled
+ - azure_search_service_public_network_access_disabled
+ - azure_search_service_uses_private_link
+ - azure_search_service_uses_sku_supporting_private_link
+ - azure_servicebus_name_space_private_link_used
+ - azure_signalr_service_private_link_used
+ - azure_sql_db_public_network_access_disabled
+ - azure_sql_server_uses_private_link
+ - azure_storage_account_block_public_access
+ - azure_storage_account_default_network_access_rule_denied
+ - azure_storage_account_restrict_network_access
+ - azure_storage_account_uses_private_link
+ - azure_storage_sync_private_link_used
+ - azure_synapse_workspace_private_link_used
+ - azure_web_pub_sub_private_link_used
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml
index 190a1db0c..1b559caf2 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8.yaml
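Review bot: The new `defaults` block sets `auto-assign: null`, while the framework-level file added in this same change (azure_pci_dss_v321.yaml, further down) sets `auto-assign: false`, so a reader cannot tell whether null means "inherit the framework default" or is an unfinished value. If inheritance is the intent, say so on the line, e.g. `auto-assign: null  # inherit from the framework-level default`; otherwise set it to `false` to match the framework file. The same pattern appears in the sc_8, sc_8_1, si, si_16, si_2, si_2_6, si_3, si_4 and si_4_12 hunks below. Note also that where the old format wrote `Children: []` explicitly, the new format omits the `control-group` key entirely (here and in sc_8_1, si_16, si_2_6, si_3 and si_4_12), so whatever loads these files has to treat an absent key as an empty list rather than a schema error.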
@@ -1,31 +1,37 @@
-ID: azure_nist_sp_800_53_rev_5_sc_8
-Title: Transmission Confidentiality and Integrity (SC-8)
-Description: The information system protects the confidentiality and integrity of transmitted information.
-SectionCode: "8"
-Children:
- - azure_nist_sp_800_53_rev_5_sc_8_1
-Controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_function_app_ftps_enabled
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_appservice_web_app_use_https
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_secure_communication_protocols_configured
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_kubernetes_cluster_https_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_sc_8
+ title: Transmission Confidentiality and Integrity (SC-8)
+ description: The information system protects the confidentiality and integrity of transmitted information.
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_sc_8_1
+ controls:
+ - azure_appservice_api_app_ftps_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_function_app_ftps_enabled
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_appservice_web_app_use_https
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_secure_communication_protocols_configured
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
+ - azure_kubernetes_cluster_https_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml
index 7431d2830..bace71034 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_sc_8_1.yaml
@@ -1,30 +1,35 @@
-ID: azure_nist_sp_800_53_rev_5_sc_8_1
-Title: Cryptographic Protection SC-8(1)
-Description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_api_app_ftps_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_function_app_ftps_enabled
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_appservice_web_app_use_https
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_secure_communication_protocols_configured
- - azure_hdinsight_cluster_encryption_in_transit_enabled
- - azure_kubernetes_cluster_https_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_ssl_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_sc_8_1
+ title: Cryptographic Protection SC-8(1)
+ description: The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_ftps_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_function_app_ftps_enabled
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_appservice_web_app_use_https
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_secure_communication_protocols_configured
+ - azure_hdinsight_cluster_encryption_in_transit_enabled
+ - azure_kubernetes_cluster_https_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_ssl_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml
index f40c733ef..dbb338081 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si.yaml
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_53_rev_5_si
-Title: System and Information Integrity (SI)
-Description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
-SectionCode: si
-Children:
- - azure_nist_sp_800_53_rev_5_si_2
- - azure_nist_sp_800_53_rev_5_si_3
- - azure_nist_sp_800_53_rev_5_si_4
- - azure_nist_sp_800_53_rev_5_si_16
-Controls: []
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si
+ title: System and Information Integrity (SI)
+ description: The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection.
+ section-code: si
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_si_2
+ - id: azure_nist_sp_800_53_rev_5_si_3
+ - id: azure_nist_sp_800_53_rev_5_si_4
+ - id: azure_nist_sp_800_53_rev_5_si_16
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml
index 3b0c79996..5b6f6fdfc 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_16.yaml
@@ -1,19 +1,24 @@
-ID: azure_nist_sp_800_53_rev_5_si_16
-Title: Memory Protection (SI-16)
-Description: The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.
-SectionCode: "16"
-Children: []
-Controls:
- - azure_compute_vm_windows_defender_exploit_guard_enabled
- - azure_securitycenter_azure_defender_on_for_server
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/Compute
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_16
+ title: Memory Protection (SI-16)
+ description: The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.
+ section-code: "16"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/Compute
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
+ - azure_securitycenter_azure_defender_on_for_server
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml
index 681e7c511..db72f1bd9 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2.yaml
@@ -1,36 +1,42 @@
-ID: azure_nist_sp_800_53_rev_5_si_2
-Title: Flaw Remediation (SI-2)
-Description: The organization identifies, reports, and corrects information system flaws, tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, installs security-relevant software and firmware updates within the organization-defined time period of the release of the updates, and incorporates flaw remediation into the organizational configuration management process.
-SectionCode: "2"
-Children:
- - azure_nist_sp_800_53_rev_5_si_2_6
-Controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_scale_set_system_updates_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_database_vulnerability_findings_resolved
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_2
+ title: Flaw Remediation (SI-2)
+ description: The organization identifies, reports, and corrects information system flaws, tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation, installs security-relevant software and firmware updates within the organization-defined time period of the release of the updates, and incorporates flaw remediation into the organizational configuration management process.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_si_2_6
+ controls:
+ - azure_appservice_function_app_latest_http_version
+ - azure_appservice_web_app_latest_http_version
+ - azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_scale_set_system_updates_installed
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml
index eeb2798f5..e3c665be1 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_2_6.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_si_2_6
-Title: Removal of Previous Versions of Software and Firmware SI-2(6)
-Description: The organization removes organization-defined software and firmware components after updated versions have been installed.
-SectionCode: "6"
-Children: []
-Controls:
- - azure_appservice_function_app_latest_http_version
- - azure_appservice_web_app_latest_http_version
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_2_6
+ title: Removal of Previous Versions of Software and Firmware SI-2(6)
+ description: The organization removes organization-defined software and firmware components after updated versions have been installed.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_function_app_latest_http_version
+ - azure_appservice_web_app_latest_http_version
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml
index 122473052..fdfe89fb7 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_3.yaml
@@ -1,21 +1,26 @@
-ID: azure_nist_sp_800_53_rev_5_si_3
-Title: Malicious Code Protection (SI-3)
-Description: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources at an endpoint, network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy, and block and quarantine malicious code, send alert to the administrator and take organization-defined action in response to malicious code detection.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_securitycenter_azure_defender_on_for_server
- - azure_compute_vm_monitor_missing_endpoint_protection_in_asc
- - azure_compute_vm_scale_set_endpoint_protection_solution_installed
- - azure_compute_vm_windows_defender_exploit_guard_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_3
+ title: Malicious Code Protection (SI-3)
+ description: The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system; and configures malicious code protection mechanisms to perform periodic scans of the information system and real-time scans of files from external sources at an endpoint, network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy, and block and quarantine malicious code, send alert to the administrator and take organization-defined action in response to malicious code detection.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_compute_vm_monitor_missing_endpoint_protection_in_asc
+ - azure_compute_vm_scale_set_endpoint_protection_solution_installed
+ - azure_compute_vm_windows_defender_exploit_guard_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml
index 8b05183c0..2283bcb32 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4.yaml
@@ -1,39 +1,45 @@
-ID: azure_nist_sp_800_53_rev_5_si_4
-Title: System Monitoring (SI-4)
-Description: The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and unauthorized local, network, and remote connections; identifies unauthorized use of the information system through organization-defined techniques and methods; deploys monitoring devices strategically within the information system to collect organization-determined essential information and at ad hoc locations within the system to track specific types of transactions of interest to the organization; protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and provides organization-defined system monitoring information to organization-defined personnel or roles as needed.
-SectionCode: "4"
-Children:
- - azure_nist_sp_800_53_rev_5_si_4_12
-Controls:
- - azure_arc_compute_machine_linux_log_analytics_agent_installed
- - azure_arc_compute_machine_windows_log_analytics_agent_installed
- - azure_arc_kubernetes_cluster_azure_defender_extension_installed
- - azure_compute_vm_guest_configuration_installed
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_network_subnet_protected_by_firewall
- - azure_network_watcher_enabled
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_containers
- - azure_securitycenter_azure_defender_on_for_dns
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_azure_defender_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_4
+ title: System Monitoring (SI-4)
+ description: The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives and unauthorized local, network, and remote connections; identifies unauthorized use of the information system through organization-defined techniques and methods; deploys monitoring devices strategically within the information system to collect organization-determined essential information and at ad hoc locations within the system to track specific types of transactions of interest to the organization; protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and provides organization-defined system monitoring information to organization-defined personnel or roles as needed.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_nist_sp_800_53_rev_5_si_4_12
+ controls:
+ - azure_arc_compute_machine_linux_log_analytics_agent_installed
+ - azure_arc_compute_machine_windows_log_analytics_agent_installed
+ - azure_arc_kubernetes_cluster_azure_defender_extension_installed
+ - azure_compute_vm_guest_configuration_installed
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_network_subnet_protected_by_firewall
+ - azure_network_watcher_enabled
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_containers
+ - azure_securitycenter_azure_defender_on_for_dns
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml
index b3ba04d0d..138176071 100755
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml
+++ b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/azure_nist_sp_800_53_rev_5_si_4_12.yaml
@@ -1,20 +1,25 @@
-ID: azure_nist_sp_800_53_rev_5_si_4_12
-Title: Automated Organization-generated Alerts SI-4(12)
-Description: The organization employs automated mechanisms to alert security personnel of the organization-defined activities that trigger alerts with security implications.
-SectionCode: "12"
-Children: []
-Controls:
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- plugin:
- - azure
- service:
- - Azure/SecurityCenter
- type:
- - Benchmark
+control-group:
+ id: azure_nist_sp_800_53_rev_5_si_4_12
+ title: Automated Organization-generated Alerts SI-4(12)
+ description: The organization employs automated mechanisms to alert security personnel of the organization-defined activities that trigger alerts with security implications.
+ section-code: "12"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ nist_sp_800_53_rev_5:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/SecurityCenter
+ type:
+ - Benchmark
+ controls:
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/root.yaml b/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/root.yaml
deleted file mode 100755
index 63cb2b48e..000000000
--- a/compliance/frameworks/azure/azure_nist_sp_800_53_rev_5/root.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ID: azure_nist_sp_800_53_rev_5
-Title: NIST SP 800-53 Revision 5
-Description: NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government.
-SectionCode: azure_nist_sp_800_53_rev_5
-Children:
- - azure_nist_sp_800_53_rev_5_ac
- - azure_nist_sp_800_53_rev_5_au
- - azure_nist_sp_800_53_rev_5_cm
- - azure_nist_sp_800_53_rev_5_cp
- - azure_nist_sp_800_53_rev_5_ia
- - azure_nist_sp_800_53_rev_5_ir
- - azure_nist_sp_800_53_rev_5_ra
- - azure_nist_sp_800_53_rev_5_sc
- - azure_nist_sp_800_53_rev_5_si
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- nist_sp_800_53_rev_5:
- - "true"
- platform_benchmark_type:
- - compliance
- platform_category:
- - Frameworks
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml
new file mode 100644
index 000000000..94067bd55
--- /dev/null
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321.yaml
@@ -0,0 +1,35 @@
+framework:
+ id: azure_pci_dss_v321
+ title: PCI DSS 3.2.1
+ description: The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
+ section-code: azure_pci_dss_v321
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Certifications and Attestations
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_1
+ - id: azure_pci_dss_v321_requirement_3
+ - id: azure_pci_dss_v321_requirement_4
+ - id: azure_pci_dss_v321_requirement_5
+ - id: azure_pci_dss_v321_requirement_6
+ - id: azure_pci_dss_v321_requirement_7
+ - id: azure_pci_dss_v321_requirement_8
+ - id: azure_pci_dss_v321_requirement_10
+ - id: azure_pci_dss_v321_requirement_11
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
index a8cffbd5e..7faea7733 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1.yaml
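Review bot: The `control-group` list maps Requirements 1, 3–8, 10 and 11 only; Requirements 2 (vendor defaults and configuration standards), 9 (physical access) and 12 (policy) are absent, so a clean run of this benchmark must not be read as PCI DSS 3.2.1 compliance. Omitting 9 and 12 is legitimate for a cloud-configuration scanner, and 2 may simply have no matching controls yet, but the `description` says nothing about the gap and an assessor reading the report will assume full coverage. I'd add one sentence to `description`, e.g. `This benchmark maps only the technically assessable subset of PCI DSS 3.2.1; Requirements 2, 9 and 12 are not covered and must be assessed separately.`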
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_1
-Title: Requirement 1 - Install and maintain a firewall configuration to protect cardholder data
-Description: Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment.
-SectionCode: requirement_1
-Children:
- - azure_pci_dss_v321_requirement_1_3
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_1
+ title: Requirement 1 - Install and maintain a firewall configuration to protect cardholder data
+ description: Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment.
+ section-code: requirement_1
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_1_3
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml
index 07bef3f0e..3bca84a61 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_10
-Title: Requirement 10 - Track and monitor all access to network resources and cardholder data
-Description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.
-SectionCode: requirement_10
-Children:
- - azure_pci_dss_v321_requirement_10_5
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_10
+ title: Requirement 10 - Track and monitor all access to network resources and cardholder data
+ description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.
+ section-code: requirement_10
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_10_5
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml
index 4b7b53f97..4ccd72d53 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_10_5
-Title: PCI DSS requirement 10.5
-Description: Secure audit trails so they cannot be altered.
-SectionCode: "5"
-Children:
- - azure_pci_dss_v321_requirement_10_5_4
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_10_5
+ title: PCI DSS requirement 10.5
+ description: Secure audit trails so they cannot be altered.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_10_5_4
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
index 93770428b..8505d6bfe 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_10_5_4.yaml
@@ -1,21 +1,26 @@
-ID: azure_pci_dss_v321_requirement_10_5_4
-Title: PCI DSS requirement 10.5.4
-Description: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_audit_diagnostic_setting
- - azure_compute_vm_uses_azure_resource_manager
- - azure_sql_server_auditing_on
- - azure_storage_account_uses_azure_resource_manager
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_10_5_4
+ title: PCI DSS requirement 10.5.4
+ description: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_audit_diagnostic_setting
+ - azure_compute_vm_uses_azure_resource_manager
+ - azure_sql_server_auditing_on
+ - azure_storage_account_uses_azure_resource_manager
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
index 1e1a3e740..4da615274 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11.yaml
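Review bot: Two of the four entries under `controls:`, `azure_compute_vm_uses_azure_resource_manager` and `azure_storage_account_uses_azure_resource_manager`, check the resource's deployment model, not whether its logs go to a secure, centralized, internal log store, which is what 10.5.4 asks for. The other two, `azure_audit_diagnostic_setting` and `azure_sql_server_auditing_on`, do speak to log export, but by name they confirm a diagnostic or auditing setting exists rather than that the destination is internal and tamper-protected. The mapping is carried over from the old format, so this is not a regression, but the rewrite is the moment to either drop the two ARM checks from this requirement or annotate the list, e.g. `# partial coverage: these confirm log export is configured, not that the sink is a protected internal log server` above `controls:`.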
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_11
-Title: Requirement 11 - Regularly test security systems and processes
-Description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.
-SectionCode: requirement_11
-Children:
- - azure_pci_dss_v321_requirement_11_2
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_11
+ title: Requirement 11 - Regularly test security systems and processes
+ description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.
+ section-code: requirement_11
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_11_2
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml
index e8f020d02..8e8c07a82 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_11_2
-Title: PCI DSS requirement 11.2
-Description: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.
-SectionCode: "2"
-Children:
- - azure_pci_dss_v321_requirement_11_2_1
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_11_2
+ title: PCI DSS requirement 11.2
+ description: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed, until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes and internal scans may be performed by internal staff.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_11_2_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
index 2c2629abd..f82e194c2 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_11_2_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_11_2_1
-Title: PCI DSS requirement 11.2.1
-Description: Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_11_2_1
+ title: PCI DSS requirement 11.2.1
+ description: Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_endpoint_protection_agent_installed
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
index a2c647302..9dc6573de 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_1_3
-Title: PCI DSS requirement 1.3
-Description: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
-SectionCode: "3"
-Children:
- - azure_pci_dss_v321_requirement_1_3_2
- - azure_pci_dss_v321_requirement_1_3_4
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_1_3
+ title: PCI DSS requirement 1.3
+ description: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_1_3_2
+ - id: azure_pci_dss_v321_requirement_1_3_4
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
index 17d882ecd..a3905c772 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_2.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_1_3_2
-Title: PCI DSS requirement 1.3.2
-Description: Limit inbound Internet traffic to IP addresses within the DMZ.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_storage_account_default_network_access_rule_denied
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_1_3_2
+ title: PCI DSS requirement 1.3.2
+ description: Limit inbound Internet traffic to IP addresses within the DMZ.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
index 6656839ba..909e2cef3 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_1_3_4.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_1_3_4
-Title: PCI DSS requirement 1.3.4
-Description: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_compute_vm_remote_access_restricted_all_ports
- - azure_storage_account_default_network_access_rule_denied
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_1_3_4
+ title: PCI DSS requirement 1.3.4
+ description: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_remote_access_restricted_all_ports
+ - azure_storage_account_default_network_access_rule_denied
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
index 0a337feec..e65c4b115 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3.yaml
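Review bot: Requirement 1.3.4 is about unauthorized *outbound* traffic from the CDE, yet the `controls:` list is byte-identical to the inbound set under 1.3.2 in this same commit: `azure_compute_vm_remote_access_restricted_all_ports` restricts inbound remote-access ports and `azure_storage_account_default_network_access_rule_denied` restricts inbound access to storage accounts, and neither, going by name, evaluates egress NSG or firewall rules. A benchmark that passes here therefore says nothing about 1.3.4, and the identical lists mean 1.3.2 and 1.3.4 can never disagree. The mapping predates this commit, but if the catalog has no outbound-rule control it is more honest to flag it than to reuse the inbound checks silently, e.g. `# no egress-rule control available yet; these checks cover inbound exposure only` above `controls:`.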
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_3
-Title: Requirement 3 - Protect stored cardholder data
-Description: Cardholder data should not be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).
-SectionCode: requirement_3
-Children:
- - azure_pci_dss_v321_requirement_3_2
- - azure_pci_dss_v321_requirement_3_4
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_3
+ title: Requirement 3 - Protect stored cardholder data
+ description: Cardholder data should not be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).
+ section-code: requirement_3
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_3_2
+ - id: azure_pci_dss_v321_requirement_3_4
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml
index 5e4155615..5af3a10ce 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_2.yaml
@@ -1,24 +1,29 @@
-ID: azure_pci_dss_v321_requirement_3_2
-Title: PCI DSS requirement 3.2
-Description: Do not store sensitive authentication data after authorization (even if it is encrypted). Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_3_2
+ title: PCI DSS requirement 3.2
+ description: Do not store sensitive authentication data after authorization (even if it is encrypted). Render all sensitive authentication data unrecoverable upon completion of the authorization process. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
index aa0495efc..91380ea3e 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_3_4.yaml
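Review bot: Requirement 3.2 (do not retain sensitive authentication data after authorization) is mapped under `controls:` exclusively to identity checks — external users holding owner/read/write roles, absence of custom roles, MFA for subscription owners and writers, and Azure AD authentication on SQL — none of which inspects what data a system stores. Those are Requirement 7/8 (access restriction and authentication) controls, and both requirements are present in the framework's control-group list, so they most likely belong there. Whether SAD is retained is not something a cloud-configuration scanner can establish, so a pass on this group should not be read as 3.2 compliance; if the list stays, annotate it, e.g. `# proxy controls only: SAD retention (3.2) is not testable from cloud configuration` above `controls:`. The hunk begins on the previous line.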
@@ -1,25 +1,30 @@
-ID: azure_pci_dss_v321_requirement_3_4
-Title: PCI DSS requirement 3.4
-Description: Render PAN unreadable anywhere it is stored - including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
-SectionCode: "4"
-Children: []
-Controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_3_4
+ title: PCI DSS requirement 3.4
+ description: Render PAN unreadable anywhere it is stored - including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_only_https_accessible
+ - azure_automation_account_variable_encryption_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+ - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+ - azure_sql_database_transparent_data_encryption_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
index 1655bc525..05cb8fa78 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4.yaml
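Review bot: 3.4 is a data-at-rest requirement (render stored PAN unreadable), but most of the entries under `controls:` are transport-encryption checks — `azure_appservice_api_app_use_https`, `azure_appservice_function_app_only_https_accessible`, `azure_redis_cache_ssl_enabled`, `azure_storage_account_secure_transfer_required_enabled` and the Service Fabric encrypt-and-sign level — and the list is byte-identical to the one under 4.1 (the transmission requirement) later in this commit. Only `azure_sql_database_transparent_data_encryption_enabled`, `azure_compute_vm_temp_disks_cache_and_data_flows_encrypted` and `azure_automation_account_variable_encryption_enabled` relate to stored data. I'd trim 3.4 to the at-rest checks (plus storage-account and managed-disk encryption controls if the catalog has them) so 3.4 and 4.1 stop reporting the same result regardless of how data is actually stored. The hunk begins on the previous line.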
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_4
-Title: Requirement 4 - Encrypt transmission of cardholder data across open, public networks
-Description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.
-SectionCode: requirement_4
-Children:
- - azure_pci_dss_v321_requirement_4_1
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_4
+ title: Requirement 4 - Encrypt transmission of cardholder data across open, public networks
+ description: Cyber criminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view this data. Encryption is one technology that can be used to render transmitted data unreadable by any unauthorized person.
+ section-code: requirement_4
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_4_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
index 2e9cead40..ccb5c6072 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_4_1.yaml
@@ -1,25 +1,30 @@
-ID: azure_pci_dss_v321_requirement_4_1
-Title: PCI DSS requirement 4.1
-Description: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_4_1
+ title: PCI DSS requirement 4.1
+ description: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (eg. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_only_https_accessible
+ - azure_automation_account_variable_encryption_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+ - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+ - azure_sql_database_transparent_data_encryption_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
index 16e02e987..347896a77 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_5
-Title: Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
-Description: Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users' e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
-SectionCode: requirement_5
-Children:
- - azure_pci_dss_v321_requirement_5_1
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_5
+ title: Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
+ description: Malicious software (a.k.a “malware”) exploits system vulnerabilities after entering the network via users' e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may supplement (but not replace) anti-virus software.
+ section-code: requirement_5
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_5_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
index 40ba8e4b6..c3f3415c4 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_5_1.yaml
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_5_1
-Title: PCI DSS requirement 5.1
-Description: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_5_1
+ title: PCI DSS requirement 5.1
+ description: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_endpoint_protection_agent_installed
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
index 663752150..7503b4c90 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6.yaml
@@ -1,20 +1,25 @@
-ID: azure_pci_dss_v321_requirement_6
-Title: Requirement 6 - Develop and maintain secure systems and applications
-Description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.
-SectionCode: requirement_6
-Children:
- - azure_pci_dss_v321_requirement_6_2
- - azure_pci_dss_v321_requirement_6_5
- - azure_pci_dss_v321_requirement_6_6
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_6
+ title: Requirement 6 - Develop and maintain secure systems and applications
+ description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program.
+ section-code: requirement_6
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_6_2
+ - id: azure_pci_dss_v321_requirement_6_5
+ - id: azure_pci_dss_v321_requirement_6_6
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
index 875b29068..6c1f05b4b 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_2.yaml
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_6_2
-Title: PCI DSS requirement 6.2
-Description: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_6_2
+ title: PCI DSS requirement 6.2
+ description: Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_endpoint_protection_agent_installed
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
index 8dee602bf..cadd25b55 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_6_5
-Title: PCI DSS requirement 6.5
-Description: Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory.
-SectionCode: "5"
-Children:
- - azure_pci_dss_v321_requirement_6_5_3
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_6_5
+ title: PCI DSS requirement 6.5
+ description: Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines - including how sensitive data is handled in memory.
+ section-code: "5"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_6_5_3
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
index 81792374d..d0f297da0 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_5_3.yaml
@@ -1,25 +1,30 @@
-ID: azure_pci_dss_v321_requirement_6_5_3
-Title: PCI DSS requirement 6.5.3
-Description: Insecure cryptographic storage.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_redis_cache_ssl_enabled
- - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
- - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
- - azure_sql_database_transparent_data_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_6_5_3
+ title: PCI DSS requirement 6.5.3
+ description: Insecure cryptographic storage.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_only_https_accessible
+ - azure_automation_account_variable_encryption_enabled
+ - azure_redis_cache_ssl_enabled
+ - azure_compute_vm_temp_disks_cache_and_data_flows_encrypted
+ - azure_servicefabric_cluster_protection_level_as_encrypt_and_sign
+ - azure_sql_database_transparent_data_encryption_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
index 9dd3db668..0dca3983e 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_6_6.yaml
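Review bot: The `controls` list under requirement 6.5.3 ("Insecure cryptographic storage") is byte-for-byte the list used for requirement 4.1 (encryption in transit), so five of the eight entries — `azure_appservice_api_app_use_https`, `azure_appservice_function_app_only_https_accessible`, `azure_redis_cache_ssl_enabled`, `azure_servicefabric_cluster_protection_level_as_encrypt_and_sign`, `azure_storage_account_secure_transfer_required_enabled` — test transport security rather than storage, and a passing 6.5.3 would overstate at-rest coverage to an assessor. The migration carries this mapping over unchanged, which is a reasonable moment to either keep only the at-rest controls (`azure_automation_account_variable_encryption_enabled`, `azure_compute_vm_temp_disks_cache_and_data_flows_encrypted`, `azure_sql_database_transparent_data_encryption_enabled`) or add a comment above `controls:` explaining why the transit controls are included. Requirement 6.6 in the next hunk has a similar mismatch: a requirement about protecting public-facing web applications lists only VM patching, endpoint-protection and vulnerability-assessment controls, with nothing web-application-specific; if the catalogue has no such control yet, a comment recording the gap would help whoever maintains the mapping.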
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_6_6
-Title: PCI DSS requirement 6.6
-Description: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
-SectionCode: "6"
-Children: []
-Controls:
- - azure_compute_vm_endpoint_protection_agent_installed
- - azure_compute_vm_security_configuration_vulnerabilities_remediated
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_sql_database_vulnerability_findings_resolved
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_6_6
+ title: PCI DSS requirement 6.6
+ description: Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
+ section-code: "6"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_compute_vm_endpoint_protection_agent_installed
+ - azure_compute_vm_security_configuration_vulnerabilities_remediated
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_sql_database_vulnerability_findings_resolved
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
index c01cbda88..9d69c56a4 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_7
-Title: Requirement 7 - Restrict access to cardholder data by business need-to-know
-Description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
-SectionCode: requirement_7
-Children:
- - azure_pci_dss_v321_requirement_7_1
- - azure_pci_dss_v321_requirement_7_2
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7
+ title: Requirement 7 - Restrict access to cardholder data by business need-to-know
+ description: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
+ section-code: requirement_7
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_7_1
+ - id: azure_pci_dss_v321_requirement_7_2
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
index a58fa1981..422fcc12b 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1.yaml
@@ -1,20 +1,25 @@
-ID: azure_pci_dss_v321_requirement_7_1
-Title: PCI DSS requirement 7.1
-Description: Limit access to system components and cardholder data to only those individuals whose job requires such access.
-SectionCode: "1"
-Children:
- - azure_pci_dss_v321_requirement_7_1_1
- - azure_pci_dss_v321_requirement_7_1_2
- - azure_pci_dss_v321_requirement_7_1_3
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_1
+ title: PCI DSS requirement 7.1
+ description: Limit access to system components and cardholder data to only those individuals whose job requires such access.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_7_1_1
+ - id: azure_pci_dss_v321_requirement_7_1_2
+ - id: azure_pci_dss_v321_requirement_7_1_3
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
index c28ff4742..dadfbe4ac 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_1.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_7_1_1
-Title: PCI DSS requirement 7.1.1
-Description: 'Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources.'
-SectionCode: "1"
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_1_1
+ title: PCI DSS requirement 7.1.1
+ description: "Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources."
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
index 7388dc726..d04e39d7c 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_2.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_7_1_2
-Title: PCI DSS requirement 7.1.2
-Description: Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_1_2
+ title: PCI DSS requirement 7.1.2
+ description: Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
index 6cfabc997..307a276df 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_1_3.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_7_1_3
-Title: PCI DSS requirement 7.1.3
-Description: Assign access based on individual personnel's job classification and function.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_1_3
+ title: PCI DSS requirement 7.1.3
+ description: Assign access based on individual personnel's job classification and function.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_subscription_owner_max_3
+ - azure_iam_subscription_owner_more_than_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
index 97cf8ce7b..299627379 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_7_2
-Title: PCI DSS requirement 7.2
-Description: Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed.
-SectionCode: "2"
-Children:
- - azure_pci_dss_v321_requirement_7_2_1
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_2
+ title: PCI DSS requirement 7.2
+ description: Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to “deny all” unless specifically allowed.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_7_2_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
index 5ee57a56e..09ceff4ca 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_7_2_1.yaml
@@ -1,24 +1,29 @@
-ID: azure_pci_dss_v321_requirement_7_2_1
-Title: PCI DSS requirement 7.2.1
-Description: Coverage of all system components.
-SectionCode: "1"
-Children: []
-Controls:
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
- - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
- - azure_sql_server_azure_ad_authentication_enabled
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_7_2_1
+ title: PCI DSS requirement 7.2.1
+ description: Coverage of all system components.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+ - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+ - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
index 23c697a6e..4d32525e5 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8.yaml
@@ -1,20 +1,25 @@
-ID: azure_pci_dss_v321_requirement_8
-Title: Requirement 8 - Identify and authenticate access to system components
-Description: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Requirements do not apply to accounts used by consumers (eg.,cardholders).
-SectionCode: requirement_8
-Children:
- - azure_pci_dss_v321_requirement_8_1
- - azure_pci_dss_v321_requirement_8_2
- - azure_pci_dss_v321_requirement_8_3
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_8
+ title: Requirement 8 - Identify and authenticate access to system components
+ description: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Requirements do not apply to accounts used by consumers (eg.,cardholders).
+ section-code: requirement_8
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_8_1
+ - id: azure_pci_dss_v321_requirement_8_2
+ - id: azure_pci_dss_v321_requirement_8_3
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
index 853f5c6a2..f77fc0ea6 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1.yaml
@@ -1,20 +1,25 @@
-ID: azure_pci_dss_v321_requirement_8_1
-Title: PCI DSS requirement 8.1
-Description: Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or cardholder data.
-SectionCode: "1"
-Children:
- - azure_pci_dss_v321_requirement_8_1_2
- - azure_pci_dss_v321_requirement_8_1_3
- - azure_pci_dss_v321_requirement_8_1_5
-Controls: []
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_8_1
+ title: PCI DSS requirement 8.1
+ description: Define and implement policies and procedures to ensure proper user identification management for users and administrators on all system components. Assign all users a unique user name before allowing them to access system components or cardholder data.
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: azure_pci_dss_v321_requirement_8_1_2
+ - id: azure_pci_dss_v321_requirement_8_1_3
+ - id: azure_pci_dss_v321_requirement_8_1_5
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
index 15ce171ff..bfcc4d6b2 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_2.yaml
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_8_1_2
-Title: PCI DSS requirement 8.1.2
-Description: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
-SectionCode: "2"
-Children: []
-Controls:
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_deprecated_account
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_8_1_2
+ title: PCI DSS requirement 8.1.2
+ description: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_deprecated_account
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
index 44729f045..bd4f57623 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_3.yaml
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_8_1_3
-Title: PCI DSS requirement 8.1.3
-Description: Immediately revoke access for any terminated users.
-SectionCode: "3"
-Children: []
-Controls:
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
-Tags:
- category:
- - Compliance
- pci_dss_v321:
- - "true"
- plugin:
- - azure
- service:
- - Azure/ActiveDirectory
- type:
- - Benchmark
+control-group:
+ id: azure_pci_dss_v321_requirement_8_1_3
+ title: PCI DSS requirement 8.1.3
+ description: Immediately revoke access for any terminated users.
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ pci_dss_v321:
+ - "true"
+ plugin:
+ - azure
+ service:
+ - Azure/ActiveDirectory
+ type:
+ - Benchmark
+ controls:
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
index d1a1c3445..dd42d2ee8 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_1_5.yaml
@@ -1,22 +1,27 @@
-ID: azure_pci_dss_v321_requirement_8_1_5
-Title: PCI DSS requirement 8.1.5
-Description: 'Manage IDs used by thid parties to access, support, or maintain system components via remote access. Remote access are as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.'
-SectionCode: "5"
-Children: []
-Controls:
-  - azure_iam_deprecated_account_with_owner_roles
-  - azure_iam_deprecated_account
-  - azure_iam_external_user_with_owner_role
-  - azure_iam_external_user_with_read_permission
-  - azure_iam_external_user_with_write_permission
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure/ActiveDirectory
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_1_5
+  title: PCI DSS requirement 8.1.5
+  description: "Manage IDs used by thid parties to access, support, or maintain system components via remote access. Remote access are as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use."
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure/ActiveDirectory
+      type:
+        - Benchmark
+  controls:
+    - azure_iam_deprecated_account_with_owner_roles
+    - azure_iam_deprecated_account
+    - azure_iam_external_user_with_owner_role
+    - azure_iam_external_user_with_read_permission
+    - azure_iam_external_user_with_write_permission
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
index 8f29e7e00..12a727a5f 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2.yaml
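Review bot: The description is carried into the new file with its defects intact: `thid parties` should read `third parties`, `Remote access are as follows` should be `Remote access is as follows`, and the bullet list the requirement text came from has been flattened into one line, so `as follows: - Enabled ... - Monitored when in use.` renders as a run-on sentence wherever this group is reported. Since the value is a plain string both before and after, a block scalar (`description: |-` with `Remote access is as follows:` followed by one `- ...` line per item) fixes the rendering without touching the schema. The 8.2.3 description in the later hunk for azure_pci_dss_v321_requirement_8_2_3 has the same flattened-list problem and would benefit from the same treatment.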
@@ -1,19 +1,24 @@
-ID: azure_pci_dss_v321_requirement_8_2
-Title: PCI DSS requirement 8.2
-Description: 'Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric. Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography.'
-SectionCode: "2"
-Children:
-  - azure_pci_dss_v321_requirement_8_2_3
-  - azure_pci_dss_v321_requirement_8_2_5
-Controls: []
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_2
+  title: PCI DSS requirement 8.2
+  description: "Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric. Use strong authentication methods and render all passwords/passphrases unreadable during transmission and storage using strong cryptography."
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure
+      type:
+        - Benchmark
+  control-group:
+    - id: azure_pci_dss_v321_requirement_8_2_3
+    - id: azure_pci_dss_v321_requirement_8_2_5
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
index c3ed652a8..fa0daaa9f 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_3.yaml
@@ -1,23 +1,28 @@
-ID: azure_pci_dss_v321_requirement_8_2_3
-Title: PCI DSS requirement 8.2.3
-Description: 'Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.'
-SectionCode: "3"
-Children: []
-Controls:
-  - azure_compute_vm_guest_configuration_installed_windows
-  - azure_compute_vm_guest_configuration_with_no_managed_identity
-  - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
-  - azure_compute_vm_max_password_age_70_days_windows
-  - azure_compute_vm_min_password_length_14_windows
-  - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure/Compute
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_2_3
+  title: PCI DSS requirement 8.2.3
+  description: "Passwords/phrases must meet the following: - Require a minimum length of at least seven characters. - Contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above."
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure/Compute
+      type:
+        - Benchmark
+  controls:
+    - azure_compute_vm_guest_configuration_installed_windows
+    - azure_compute_vm_guest_configuration_with_no_managed_identity
+    - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+    - azure_compute_vm_max_password_age_70_days_windows
+    - azure_compute_vm_min_password_length_14_windows
+    - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
index a2a0c3e07..b2bc145e4 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_2_5.yaml
@@ -1,23 +1,28 @@
-ID: azure_pci_dss_v321_requirement_8_2_5
-Title: PCI DSS requirement 8.2.5
-Description: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
-SectionCode: "5"
-Children: []
-Controls:
-  - azure_compute_vm_guest_configuration_installed_windows
-  - azure_compute_vm_guest_configuration_with_no_managed_identity
-  - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
-  - azure_compute_vm_max_password_age_70_days_windows
-  - azure_compute_vm_min_password_length_14_windows
-  - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure/Compute
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_2_5
+  title: PCI DSS requirement 8.2.5
+  description: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure/Compute
+      type:
+        - Benchmark
+  controls:
+    - azure_compute_vm_guest_configuration_installed_windows
+    - azure_compute_vm_guest_configuration_with_no_managed_identity
+    - azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity
+    - azure_compute_vm_max_password_age_70_days_windows
+    - azure_compute_vm_min_password_length_14_windows
+    - azure_compute_vm_restrict_previous_24_passwords_resuse_windows
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
index 8a865b073..59d3e2720 100755
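Review bot: The `controls:` list under 8.2.5 is identical to the one under 8.2.3, including `azure_compute_vm_max_password_age_70_days_windows` and `azure_compute_vm_min_password_length_14_windows`, which evidence password age and length rather than the "no reuse of the last four passwords" requirement this group describes; only `azure_compute_vm_restrict_previous_24_passwords_resuse_windows` (plus the guest-configuration prerequisites) speaks to password history. The mapping is inherited from the old file rather than introduced here, but a schema migration that rewrites every line is the natural point to confirm the duplication is deliberate, so a one-line comment above `controls:` stating the rationale would help the next reader. The `resuse` spelling inside the control id is presumably the registered control name and should be left untouched.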
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3.yaml
@@ -1,18 +1,23 @@
-ID: azure_pci_dss_v321_requirement_8_3
-Title: PCI DSS requirement 8.3
-Description: Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication. This requires at least two of the three authentication methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is not considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the CDE from within the entity's network, and all remote network access (including for users, administrators, and third-parties) originating from outside the entity's network.
-SectionCode: "3"
-Children:
-  - azure_pci_dss_v321_requirement_8_3_1
-Controls: []
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_3
+  title: PCI DSS requirement 8.3
+  description: Secure all individual non-console administrative access and all remote access to the cardholder data environment using multi-factor authentication. This requires at least two of the three authentication methods described in 8.2 are used for authentication. Using one factor twice (e.g. using two separate passwords) is not considered multi-factor authentication. This requirement applies to administrative personnel with non-console access to the CDE from within the entity's network, and all remote network access (including for users, administrators, and third-parties) originating from outside the entity's network.
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure
+      type:
+        - Benchmark
+  control-group:
+    - id: azure_pci_dss_v321_requirement_8_3_1
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
index 2162e75bb..ec34f7567 100755
--- a/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
+++ b/compliance/frameworks/azure/azure_pci_dss_v321/azure_pci_dss_v321_requirement_8_3_1.yaml
@@ -1,24 +1,29 @@
-ID: azure_pci_dss_v321_requirement_8_3_1
-Title: PCI DSS requirement 8.3.1
-Description: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
-SectionCode: "1"
-Children: []
-Controls:
-  - azure_iam_external_user_with_owner_role
-  - azure_iam_external_user_with_read_permission
-  - azure_iam_external_user_with_write_permission
-  - azure_iam_no_custom_role
-  - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
-  - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
-  - azure_sql_server_azure_ad_authentication_enabled
-Tags:
-  category:
-    - Compliance
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure
-  type:
-    - Benchmark
+control-group:
+  id: azure_pci_dss_v321_requirement_8_3_1
+  title: PCI DSS requirement 8.3.1
+  description: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags:
+      category:
+        - Compliance
+      pci_dss_v321:
+        - "true"
+      plugin:
+        - azure
+      service:
+        - Azure
+      type:
+        - Benchmark
+  controls:
+    - azure_iam_external_user_with_owner_role
+    - azure_iam_external_user_with_read_permission
+    - azure_iam_external_user_with_write_permission
+    - azure_iam_no_custom_role
+    - azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
+    - azure_iam_user_with_write_permission_on_subscription_mfa_enabled
+    - azure_sql_server_azure_ad_authentication_enabled
diff --git a/compliance/frameworks/azure/azure_pci_dss_v321/root.yaml b/compliance/frameworks/azure/azure_pci_dss_v321/root.yaml
deleted file mode 100755
index 2e5e11cc6..000000000
--- a/compliance/frameworks/azure/azure_pci_dss_v321/root.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-ID: azure_pci_dss_v321
-Title: PCI DSS 3.2.1
-Description: The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
-SectionCode: azure_pci_dss_v321
-Children:
-  - azure_pci_dss_v321_requirement_1
-  - azure_pci_dss_v321_requirement_3
-  - azure_pci_dss_v321_requirement_4
-  - azure_pci_dss_v321_requirement_5
-  - azure_pci_dss_v321_requirement_6
-  - azure_pci_dss_v321_requirement_7
-  - azure_pci_dss_v321_requirement_8
-  - azure_pci_dss_v321_requirement_10
-  - azure_pci_dss_v321_requirement_11
-Controls: []
-Defaults:
-  AutoAssign: false
-  Enabled: false
-  TracksDriftEvents: false
-Tags:
-  category:
-    - Compliance
-  platform_benchmark_type:
-    - compliance
-  platform_category:
-    - Certifications and Attestations
-  pci_dss_v321:
-    - "true"
-  plugin:
-    - azure
-  service:
-    - Azure
-  type:
-    - Benchmark
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml
new file mode 100644
index 000000000..e5d885b49
--- /dev/null
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017.yaml
@@ -0,0 +1,17 @@
+framework:
+  id: azure_rbi_itf_nbfc_v2017
+  title: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
+  description: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
+  section-code: azure_rbi_itf_nbfc_v2017
+  metadata:
+    defaults:
+      auto-assign: false
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
+    - id: azure_rbi_itf_nbfc_v2017_is_audit
+    - id: azure_rbi_itf_nbfc_v2017_it_governance
+    - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
+    - id: azure_rbi_itf_nbfc_v2017_it_operations
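Review bot: `description:` in the new azure_rbi_itf_nbfc_v2017.yaml just repeats the title (`Reserve Bank of India - IT Framework for NBFC Regulatory Compliance`), and the same title-as-description substitution is applied to every RBI control-group in the following hunks (business_continuity_planning through it_information_and_cyber_security_3), where the old files deliberately had `Description: ""`. A description equal to the title carries no information yet will be rendered in reports as if it were the clause text; keeping the field empty (`description: ""`) until a real clause summary is written is the more honest representation. Separately, the framework-level `tags: {}` means that if the RBI root.yaml removed elsewhere in this commit carried `platform_benchmark_type`/`platform_category` tags like the PCI root.yaml deleted just above, they are dropped here; worth confirming that is intended since those tags drive how the benchmark is categorised.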
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
index 9f497c76d..dc37c04c9 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_business_continuity_planning
-Title: Business Continuity Planning
-Description: ""
-SectionCode: business_continuity_planning
-Children:
-  - azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
-Controls: []
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_business_continuity_planning
+  title: Business Continuity Planning
+  description: Business Continuity Planning
+  section-code: business_continuity_planning
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
index 16f028b88..b6bfc6ca2 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6.yaml
@@ -1,17 +1,23 @@
-ID: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
-Title: Business Continuity Planning (BCP) and Disaster Recovery-6
-Description: ""
-SectionCode: "6"
-Children:
-  - azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
-  - azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
-  - azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
-Controls:
-  - azure_compute_vm_disaster_recovery_enabled
-  - azure_mariadb_server_geo_redundant_backup_enabled
-  - azure_mysql_db_server_geo_redundant_backup_enabled
-  - azure_postgres_db_server_geo_redundant_backup_enabled
-  - azure_recovery_service_vault_uses_private_link
-  - azure_recovery_service_vault_uses_private_link_for_backup
-  - azure_sql_database_long_term_geo_redundant_backup_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6
+  title: Business Continuity Planning (BCP) and Disaster Recovery-6
+  description: Business Continuity Planning (BCP) and Disaster Recovery-6
+  section-code: "6"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
+    - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
+    - id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
+  controls:
+    - azure_compute_vm_disaster_recovery_enabled
+    - azure_mariadb_server_geo_redundant_backup_enabled
+    - azure_mysql_db_server_geo_redundant_backup_enabled
+    - azure_postgres_db_server_geo_redundant_backup_enabled
+    - azure_recovery_service_vault_uses_private_link
+    - azure_recovery_service_vault_uses_private_link_for_backup
+    - azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
index 8a57a1c96..a0cbfee2e 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2.yaml
@@ -1,13 +1,18 @@
-ID: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
-Title: Recovery strategy / Contingency Plan-6.2
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
-  - azure_compute_vm_disaster_recovery_enabled
-  - azure_mariadb_server_geo_redundant_backup_enabled
-  - azure_mysql_db_server_geo_redundant_backup_enabled
-  - azure_postgres_db_server_geo_redundant_backup_enabled
-  - azure_recovery_service_vault_uses_private_link_for_backup
-  - azure_sql_database_long_term_geo_redundant_backup_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_2
+  title: Recovery strategy / Contingency Plan-6.2
+  description: Recovery strategy / Contingency Plan-6.2
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - azure_compute_vm_disaster_recovery_enabled
+    - azure_mariadb_server_geo_redundant_backup_enabled
+    - azure_mysql_db_server_geo_redundant_backup_enabled
+    - azure_postgres_db_server_geo_redundant_backup_enabled
+    - azure_recovery_service_vault_uses_private_link_for_backup
+    - azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
index ec01120f9..b51f67c00 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3.yaml
@@ -1,12 +1,17 @@
-ID: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
-Title: Recovery strategy / Contingency Plan-6.3
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
-  - azure_mariadb_server_geo_redundant_backup_enabled
-  - azure_mysql_db_server_geo_redundant_backup_enabled
-  - azure_postgres_db_server_geo_redundant_backup_enabled
-  - azure_recovery_service_vault_uses_private_link_for_backup
-  - azure_sql_database_long_term_geo_redundant_backup_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_3
+  title: Recovery strategy / Contingency Plan-6.3
+  description: Recovery strategy / Contingency Plan-6.3
+  section-code: "3"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - azure_mariadb_server_geo_redundant_backup_enabled
+    - azure_mysql_db_server_geo_redundant_backup_enabled
+    - azure_postgres_db_server_geo_redundant_backup_enabled
+    - azure_recovery_service_vault_uses_private_link_for_backup
+    - azure_sql_database_long_term_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
index e94bcdf46..9e3dc90d3 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4.yaml
@@ -1,10 +1,15 @@
-ID: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
-Title: Recovery strategy / Contingency Plan-6.4
-Description: ""
-SectionCode: "4"
-Children: []
-Controls:
-  - azure_compute_vm_disaster_recovery_enabled
-  - azure_recovery_service_vault_uses_private_link
-  - azure_recovery_service_vault_uses_private_link_for_backup
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_business_continuity_planning_6_4
+  title: Recovery strategy / Contingency Plan-6.4
+  description: Recovery strategy / Contingency Plan-6.4
+  section-code: "4"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - azure_compute_vm_disaster_recovery_enabled
+    - azure_recovery_service_vault_uses_private_link
+    - azure_recovery_service_vault_uses_private_link_for_backup
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
index 73ba3b34d..4ce1d24ca 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_is_audit
-Title: IS Audit
-Description: ""
-SectionCode: is_audit
-Children:
-  - azure_rbi_itf_nbfc_v2017_is_audit_5
-Controls: []
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_is_audit
+  title: IS Audit
+  description: IS Audit
+  section-code: is_audit
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_is_audit_5
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
index 515b74491..68d717fe6 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5.yaml
@@ -1,18 +1,24 @@
-ID: azure_rbi_itf_nbfc_v2017_is_audit_5
-Title: Policy for Information System Audit (IS Audit)-5
-Description: ""
-SectionCode: "5"
-Children:
-  - azure_rbi_itf_nbfc_v2017_is_audit_5_2
-Controls:
-  - azure_application_gateway_waf_enabled
-  - azure_application_gateway_waf_uses_specified_mode
-  - azure_compute_vm_remote_access_restricted_all_ports
-  - azure_compute_vm_tcp_udp_access_restricted_internet
-  - azure_cosmosdb_account_with_firewall_rules
-  - azure_frontdoor_waf_enabled
-  - azure_network_interface_ip_forwarding_disabled
-  - azure_network_security_group_subnet_associated
-  - azure_network_sg_flowlog_enabled
-  - azure_network_watcher_flow_log_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_is_audit_5
+  title: Policy for Information System Audit (IS Audit)-5
+  description: Policy for Information System Audit (IS Audit)-5
+  section-code: "5"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
+  controls:
+    - azure_application_gateway_waf_enabled
+    - azure_application_gateway_waf_uses_specified_mode
+    - azure_compute_vm_remote_access_restricted_all_ports
+    - azure_compute_vm_tcp_udp_access_restricted_internet
+    - azure_cosmosdb_account_with_firewall_rules
+    - azure_frontdoor_waf_enabled
+    - azure_network_interface_ip_forwarding_disabled
+    - azure_network_security_group_subnet_associated
+    - azure_network_sg_flowlog_enabled
+    - azure_network_watcher_flow_log_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
index 373fadf0a..1b77b40bb 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_is_audit_5_2.yaml
@@ -1,10 +1,15 @@
-ID: azure_rbi_itf_nbfc_v2017_is_audit_5_2
-Title: Policy for Information System Audit (IS Audit)-5.2
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
-  - azure_mariadb_server_geo_redundant_backup_enabled
-  - azure_mysql_db_server_geo_redundant_backup_enabled
-  - azure_postgres_db_server_geo_redundant_backup_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_is_audit_5_2
+  title: Policy for Information System Audit (IS Audit)-5.2
+  description: Policy for Information System Audit (IS Audit)-5.2
+  section-code: "2"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  controls:
+    - azure_mariadb_server_geo_redundant_backup_enabled
+    - azure_mysql_db_server_geo_redundant_backup_enabled
+    - azure_postgres_db_server_geo_redundant_backup_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
index f8bfd3cd9..7f26de99a 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_it_governance
-Title: IT Governance
-Description: ""
-SectionCode: it_governance
-Children:
-  - azure_rbi_itf_nbfc_v2017_it_governance_1
-Controls: []
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_it_governance
+  title: IT Governance
+  description: IT Governance
+  section-code: it_governance
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_it_governance_1
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
index 4abd9f6e4..5970db662 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1.yaml
@@ -1,17 +1,23 @@
-ID: azure_rbi_itf_nbfc_v2017_it_governance_1
-Title: IT Governance-1
-Description: ""
-SectionCode: "1"
-Children:
-  - azure_rbi_itf_nbfc_v2017_it_governance_1_1
-Controls:
-  - azure_compute_vm_system_updates_installed
-  - azure_compute_vm_vulnerability_assessment_solution_enabled
-  - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
-  - azure_mssql_managed_instance_vulnerability_assessment_enabled
-  - azure_securitycenter_email_configured
-  - azure_securitycenter_notify_alerts_configured
-  - azure_securitycenter_security_alerts_to_owner_enabled
-  - azure_sql_database_vulnerability_findings_resolved
-  - azure_sql_server_and_databases_va_enabled
-Tags: {}
+control-group:
+  id: azure_rbi_itf_nbfc_v2017_it_governance_1
+  title: IT Governance-1
+  description: IT Governance-1
+  section-code: "1"
+  metadata:
+    defaults:
+      auto-assign: null
+      enabled: false
+      tracks-drift-events: false
+    tags: {}
+  control-group:
+    - id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
+  controls:
+    - azure_compute_vm_system_updates_installed
+    - azure_compute_vm_vulnerability_assessment_solution_enabled
+    - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+    - azure_mssql_managed_instance_vulnerability_assessment_enabled
+    - azure_securitycenter_email_configured
+    - azure_securitycenter_notify_alerts_configured
+    - azure_securitycenter_security_alerts_to_owner_enabled
+    - azure_sql_database_vulnerability_findings_resolved
+    - azure_sql_server_and_databases_va_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
index 4e2af92db..dedefdcc7 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_governance_1_1.yaml
@@ -1,10 +1,15 @@
-ID: azure_rbi_itf_nbfc_v2017_it_governance_1_1
-Title: IT Governance-1.1
-Description: ""
-SectionCode: "1"
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
- - azure_network_interface_ip_forwarding_disabled
- - azure_network_security_group_remote_access_restricted
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_governance_1_1
+ title: IT Governance-1.1
+ description: IT Governance-1.1
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_jit_access_protected
+ - azure_network_interface_ip_forwarding_disabled
+ - azure_network_security_group_remote_access_restricted
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
index 0db5a39fd..62dbb2a4d 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
-Title: Information and Cyber Security
-Description: ""
-SectionCode: it_information_and_cyber_security
-Children:
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
-Controls: []
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
+ title: Information and Cyber Security
+ description: Information and Cyber Security
+ section-code: it_information_and_cyber_security
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
index a8d17b67e..cd14dcadb 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3.yaml
@@ -1,11 +1,17 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
-Title: Information Security-3
-Description: ""
-SectionCode: "3"
-Children:
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
-Controls:
- - azure_securitycenter_azure_defender_on_for_storage
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3
+ title: Information Security-3
+ description: Information Security-3
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
+ controls:
+ - azure_securitycenter_azure_defender_on_for_storage
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
index c461211ff..12024f7f3 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1.yaml
@@ -1,13 +1,18 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
-Title: Identification and Classification of Information Assets-3.1
-Description: ""
-SectionCode: "1"
-Children:
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
-Controls: []
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1
+ title: Identification and Classification of Information Assets-3.1
+ description: Identification and Classification of Information Assets-3.1
+ section-code: "1"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
+ - id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
index d2fbca684..f66e2653c 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a.yaml
@@ -1,13 +1,18 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
-Title: Identification and Classification of Information Assets-3.1.a
-Description: ""
-SectionCode: a
-Children: []
-Controls:
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_a
+ title: Identification and Classification of Information Assets-3.1.a
+ description: Identification and Classification of Information Assets-3.1.a
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
index 10b5d0283..af1030ad6 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b.yaml
@@ -1,11 +1,16 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
-Title: Segregation of Functions-3.1.b
-Description: ""
-SectionCode: b
-Children: []
-Controls:
- - azure_appservice_api_app_remote_debugging_disabled
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_function_app_remote_debugging_disabled
- - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_b
+ title: Segregation of Functions-3.1.b
+ description: Segregation of Functions-3.1.b
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_api_app_remote_debugging_disabled
+ - azure_appservice_function_app_client_certificates_on
+ - azure_appservice_function_app_remote_debugging_disabled
+ - azure_compute_vm_guest_configuration_with_system_assigned_managed_identity
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
index da38fc65d..469d48ead 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c.yaml
@@ -1,18 +1,23 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
-Title: Role based Access Control-3.1.c
-Description: ""
-SectionCode: c
-Children: []
-Controls:
- - azure_compute_vm_jit_access_protected
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_subscription_owner_max_3
- - azure_iam_subscription_owner_more_than_1
- - azure_log_profile_enabled_for_all_subscription
- - azure_securitycenter_email_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_c
+ title: Role based Access Control-3.1.c
+ description: Role based Access Control-3.1.c
+ section-code: c
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_jit_access_protected
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_subscription_owner_max_3
+ - azure_iam_subscription_owner_more_than_1
+ - azure_log_profile_enabled_for_all_subscription
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml
index b127cfbb0..93c45ed0f 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f.yaml 
@@ -1,26 +1,31 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
-Title: Maker-checker-3.1.f
-Description: ""
-SectionCode: f
-Children: []
-Controls:
- - azure_iam_deprecated_account
- - azure_iam_deprecated_account_with_owner_roles
- - azure_iam_external_user_with_owner_role
- - azure_iam_external_user_with_read_permission
- - azure_iam_external_user_with_write_permission
- - azure_iam_no_custom_role
- - azure_iam_subscription_owner_max_3
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_keyvault
- - azure_securitycenter_azure_defender_on_for_opensource_relational_db
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_securitycenter_email_configured
- - azure_securitycenter_notify_alerts_configured
- - azure_securitycenter_security_alerts_to_owner_enabled
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_f
+ title: Maker-checker-3.1.f
+ description: Maker-checker-3.1.f
+ section-code: f
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_iam_deprecated_account
+ - azure_iam_deprecated_account_with_owner_roles
+ - azure_iam_external_user_with_owner_role
+ - azure_iam_external_user_with_read_permission
+ - azure_iam_external_user_with_write_permission
+ - azure_iam_no_custom_role
+ - azure_iam_subscription_owner_max_3
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_keyvault
+ - azure_securitycenter_azure_defender_on_for_opensource_relational_db
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_securitycenter_email_configured
+ - azure_securitycenter_notify_alerts_configured
+ - azure_securitycenter_security_alerts_to_owner_enabled
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml
index 5bf2d7ff8..f2b43a488 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g.yaml
@@ -1,35 +1,40 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
-Title: Trails-3.1.g
-Description: ""
-SectionCode: g
-Children: []
-Controls:
- - azure_application_insights_block_log_ingestion_and_querying_from_public
- - azure_compute_vm_log_analytics_agent_installed
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
- - azure_compute_vm_scale_set_log_analytics_agent_installed
- - azure_iam_subscription_owner_max_3
- - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
- - azure_log_analytics_workspace_block_non_azure_ingestion
- - azure_log_profile_enabled_for_all_subscription
- - azure_monitor_log_profile_enabled_for_all_categories
- - azure_monitor_log_profile_enabled_for_all_regions
- - azure_monitor_log_profile_retention_365_days
- - azure_network_sg_flowlog_enabled
- - azure_network_watcher_flow_log_enabled
- - azure_network_watcher_flow_log_traffic_analytics_enabled
- - azure_postgres_db_server_log_checkpoints_on
- - azure_postgres_db_server_log_connections_on
- - azure_postgres_db_server_log_disconnections_on
- - azure_securitycenter_automatic_provisioning_monitoring_agent_on
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_opensource_relational_db
- - azure_securitycenter_azure_defender_on_for_resource_manager
- - azure_securitycenter_azure_defender_on_for_server
- - azure_securitycenter_azure_defender_on_for_sqldb
- - azure_securitycenter_azure_defender_on_for_sqlservervm
- - azure_securitycenter_azure_defender_on_for_storage
- - azure_sql_server_auditing_storage_account_destination_retention_90_days
- - azure_sql_server_azure_defender_enabled
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_g
+ title: Trails-3.1.g
+ description: Trails-3.1.g
+ section-code: g
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_application_insights_block_log_ingestion_and_querying_from_public
+ - azure_compute_vm_log_analytics_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_compute_vm_network_traffic_data_collection_windows_agent_installed
+ - azure_compute_vm_scale_set_log_analytics_agent_installed
+ - azure_iam_subscription_owner_max_3
+ - azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public
+ - azure_log_analytics_workspace_block_non_azure_ingestion
+ - azure_log_profile_enabled_for_all_subscription
+ - azure_monitor_log_profile_enabled_for_all_categories
+ - azure_monitor_log_profile_enabled_for_all_regions
+ - azure_monitor_log_profile_retention_365_days
+ - azure_network_sg_flowlog_enabled
+ - azure_network_watcher_flow_log_enabled
+ - azure_network_watcher_flow_log_traffic_analytics_enabled
+ - azure_postgres_db_server_log_checkpoints_on
+ - azure_postgres_db_server_log_connections_on
+ - azure_postgres_db_server_log_disconnections_on
+ - azure_securitycenter_automatic_provisioning_monitoring_agent_on
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_opensource_relational_db
+ - azure_securitycenter_azure_defender_on_for_resource_manager
+ - azure_securitycenter_azure_defender_on_for_server
+ - azure_securitycenter_azure_defender_on_for_sqldb
+ - azure_securitycenter_azure_defender_on_for_sqlservervm
+ - azure_securitycenter_azure_defender_on_for_storage
+ - azure_sql_server_auditing_storage_account_destination_retention_90_days
+ - azure_sql_server_azure_defender_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml
index 33eea0417..9ffbfb7dd 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h.yaml
@@ -1,31 +1,36 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
-Title: Public Key Infrastructure (PKI)-3.1.h
-Description: ""
-SectionCode: h
-Children: []
-Controls:
- - azure_app_configuration_encryption_enabled
- - azure_app_service_environment_internal_encryption_enabled
- - azure_appservice_api_app_latest_tls_version
- - azure_appservice_api_app_use_https
- - azure_appservice_function_app_latest_tls_version
- - azure_appservice_function_app_only_https_accessible
- - azure_automation_account_variable_encryption_enabled
- - azure_keyvault_firewall_enabled
- - azure_keyvault_purge_protection_enabled
- - azure_keyvault_secret_expiration_set
- - azure_keyvault_soft_delete_enabled
- - azure_keyvault_vault_private_link_used
- - azure_kusto_cluster_disk_encryption_enabled
- - azure_mysql_server_encrypted_at_rest_using_cmk
- - azure_mysql_server_infrastructure_encryption_enabled
- - azure_mysql_ssl_enabled
- - azure_postgres_sql_server_encrypted_at_rest_using_cmk
- - azure_postgres_sql_ssl_enabled
- - azure_postgresql_server_infrastructure_encryption_enabled
- - azure_sql_server_transparent_data_encryption_enabled
- - azure_storage_account_encryption_at_rest_using_cmk
- - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
- - azure_storage_account_infrastructure_encryption_enabled
- - azure_storage_account_secure_transfer_required_enabled
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_1_h
+ title: Public Key Infrastructure (PKI)-3.1.h
+ description: Public Key Infrastructure (PKI)-3.1.h
+ section-code: h
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_app_configuration_encryption_enabled
+ - azure_app_service_environment_internal_encryption_enabled
+ - azure_appservice_api_app_latest_tls_version
+ - azure_appservice_api_app_use_https
+ - azure_appservice_function_app_latest_tls_version
+ - azure_appservice_function_app_only_https_accessible
+ - azure_automation_account_variable_encryption_enabled
+ - azure_keyvault_firewall_enabled
+ - azure_keyvault_purge_protection_enabled
+ - azure_keyvault_secret_expiration_set
+ - azure_keyvault_soft_delete_enabled
+ - azure_keyvault_vault_private_link_used
+ - azure_kusto_cluster_disk_encryption_enabled
+ - azure_mysql_server_encrypted_at_rest_using_cmk
+ - azure_mysql_server_infrastructure_encryption_enabled
+ - azure_mysql_ssl_enabled
+ - azure_postgres_sql_server_encrypted_at_rest_using_cmk
+ - azure_postgres_sql_ssl_enabled
+ - azure_postgresql_server_infrastructure_encryption_enabled
+ - azure_sql_server_transparent_data_encryption_enabled
+ - azure_storage_account_encryption_at_rest_using_cmk
+ - azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk
+ - azure_storage_account_infrastructure_encryption_enabled
+ - azure_storage_account_secure_transfer_required_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml
index 02c0c5a21..65d550129 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3.yaml
@@ -1,14 +1,19 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
-Title: Vulnerability Management-3.3
-Description: ""
-SectionCode: "3"
-Children: []
-Controls:
- - azure_compute_vm_system_updates_installed
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
- - azure_mssql_managed_instance_vulnerability_assessment_enabled
- - azure_sql_database_vulnerability_findings_resolved
- - azure_sql_server_and_databases_va_enabled
- - azure_synapse_workspace_vulnerability_assessment_enabled
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_3
+ title: Vulnerability Management-3.3
+ description: Vulnerability Management-3.3
+ section-code: "3"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_system_updates_installed
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_kubernetes_cluster_upgraded_with_non_vulnerable_version
+ - azure_mssql_managed_instance_vulnerability_assessment_enabled
+ - azure_sql_database_vulnerability_findings_resolved
+ - azure_sql_server_and_databases_va_enabled
+ - azure_synapse_workspace_vulnerability_assessment_enabled
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
index f171dc2fe..0be3d9b04 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8.yaml
@@ -1,9 +1,14 @@
-ID: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
-Title: Digital Signatures-3.8
-Description: ""
-SectionCode: "8"
-Children: []
-Controls:
- - azure_appservice_function_app_client_certificates_on
- - azure_appservice_web_app_client_certificates_on
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security_3_8
+ title: Digital Signatures-3.8
+ description: Digital Signatures-3.8
+ section-code: "8"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_appservice_function_app_client_certificates_on
+ - azure_appservice_web_app_client_certificates_on
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
index 0cc8540c7..48cca2b09 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations
-Title: IT Operations
-Description: ""
-SectionCode: it_operations
-Children:
- - azure_rbi_itf_nbfc_v2017_it_operations_4
-Controls: []
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations
+ title: IT Operations
+ description: IT Operations
+ section-code: it_operations
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_operations_4
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
index a15582460..2d61a671e 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4.yaml
@@ -1,9 +1,14 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations_4
-Title: IT Operations-4
-Description: ""
-SectionCode: "4"
-Children:
- - azure_rbi_itf_nbfc_v2017_it_operations_4_2
- - azure_rbi_itf_nbfc_v2017_it_operations_4_4
-Controls: []
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations_4
+ title: IT Operations-4
+ description: IT Operations-4
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
+ - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
index bfe538ae3..6242ab25a 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_2.yaml
@@ -1,8 +1,13 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations_4_2
-Title: IT Operations-4.2
-Description: ""
-SectionCode: "2"
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations_4_2
+ title: IT Operations-4.2
+ description: IT Operations-4.2
+ section-code: "2"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
index 96a4b4f82..726ac6bbb 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4.yaml
@@ -1,9 +1,14 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations_4_4
-Title: IT Operations-4.4
-Description: ""
-SectionCode: "4"
-Children:
- - azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
- - azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
-Controls: []
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations_4_4
+ title: IT Operations-4.4
+ description: IT Operations-4.4
+ section-code: "4"
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ control-group:
+ - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
+ - id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
index 0e020b71d..96bb23f21 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_a.yaml
@@ -1,10 +1,15 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
-Title: IT Operations-4.4.a
-Description: ""
-SectionCode: a
-Children: []
-Controls:
- - azure_compute_vm_vulnerability_assessment_solution_enabled
- - azure_securitycenter_azure_defender_on_for_appservice
- - azure_securitycenter_azure_defender_on_for_sqldb
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_a
+ title: IT Operations-4.4.a
+ description: IT Operations-4.4.a
+ section-code: a
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_vulnerability_assessment_solution_enabled
+ - azure_securitycenter_azure_defender_on_for_appservice
+ - azure_securitycenter_azure_defender_on_for_sqldb
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
index 1238b3631..f05d2e1cd 100755
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
+++ b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/azure_rbi_itf_nbfc_v2017_it_operations_4_4_b.yaml
@@ -1,9 +1,14 @@
-ID: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
-Title: IT Operations-4.4.b
-Description: ""
-SectionCode: b
-Children: []
-Controls:
- - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
- - azure_securitycenter_azure_defender_on_for_sqldb
-Tags: {}
+control-group:
+ id: azure_rbi_itf_nbfc_v2017_it_operations_4_4_b
+ title: IT Operations-4.4.b
+ description: IT Operations-4.4.b
+ section-code: b
+ metadata:
+ defaults:
+ auto-assign: null
+ enabled: false
+ tracks-drift-events: false
+ tags: {}
+ controls:
+ - azure_compute_vm_network_traffic_data_collection_linux_agent_installed
+ - azure_securitycenter_azure_defender_on_for_sqldb
diff --git a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/root.yaml b/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/root.yaml
deleted file mode 100755
index 34a8bcbe2..000000000
--- a/compliance/frameworks/azure/azure_rbi_itf_nbfc_v2017/root.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-ID: azure_rbi_itf_nbfc_v2017
-Title: Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
-Description: ""
-SectionCode: azure_rbi_itf_nbfc_v2017
-Children:
- - azure_rbi_itf_nbfc_v2017_business_continuity_planning
- - azure_rbi_itf_nbfc_v2017_is_audit
- - azure_rbi_itf_nbfc_v2017_it_governance
- - azure_rbi_itf_nbfc_v2017_it_information_and_cyber_security
- - azure_rbi_itf_nbfc_v2017_it_operations
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: false
- TracksDriftEvents: false
-Tags: {}
diff --git a/compliance/frameworks/tagging/root.yaml b/compliance/frameworks/tagging/root.yaml
deleted file mode 100755
index 3dbbfa425..000000000
--- a/compliance/frameworks/tagging/root.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-ID: tagging
-Title: Tagging
-Description: Tagging
-SectionCode: tagging
-Children:
- - tagging_aws_tagging
- - tagging_azure_tagging
-# - tagging_cost_controls
-Controls: []
-Defaults:
- AutoAssign: false
- Enabled: true
- TracksDriftEvents: false
-Tags:
- category:
- - Compliance
- platform_benchmark_type:
- - compliance
- platform_category:
- - Best Practices
- plugin:
- - aws
- - azure
- service:
- - AWS
- - Azure
- type:
- - Benchmark
diff --git a/compliance/frameworks/tagging/tagging.yaml b/compliance/frameworks/tagging/tagging.yaml
new file mode 100755
index 000000000..db8e35923
--- /dev/null
+++ b/compliance/frameworks/tagging/tagging.yaml
@@ -0,0 +1,211 @@
+framework:
+ id: tagging
+ title: Tagging
+ description: Tagging
+ section-code: tagging
+ metadata:
+ defaults:
+ auto-assign: false
+ enabled: true
+ tracks-drift-events: false
+ tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ - azure
+ service:
+ - AWS
+ - Azure
+ type:
+ - Benchmark
+ control-group:
+ - id: tagging_aws_tagging
+ title: AWS Tagging
+ description: AWS Tagging
+ section-code: tagging_aws_tagging
+ metadata:
+ tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - aws
+ service:
+ - AWS
+ type:
+ - Benchmark
+ controls:
+ - aws_mandatory_sql_accessanalyzer_analyzer_mandatory
+ - aws_mandatory_sql_api_gateway_stage_mandatory
+ - aws_mandatory_sql_cloudfront_distribution_mandatory
+ - aws_mandatory_sql_cloudtrail_trail_mandatory
+ - aws_mandatory_sql_cloudwatch_alarm_mandatory
+ - aws_mandatory_sql_cloudwatch_log_group_mandatory
+ - aws_mandatory_sql_codebuild_project_mandatory
+ - aws_mandatory_sql_codecommit_repository_mandatory
+ - aws_mandatory_sql_codepipeline_pipeline_mandatory
+ - aws_mandatory_sql_config_rule_mandatory
+ - aws_mandatory_sql_dax_cluster_mandatory
+ - aws_mandatory_sql_directory_service_directory_mandatory
+ - aws_mandatory_sql_dms_replication_instance_mandatory
+ - aws_mandatory_sql_dynamodb_table_mandatory
+ - aws_mandatory_sql_ebs_snapshot_mandatory
+ - aws_mandatory_sql_ebs_volume_mandatory
+ - aws_mandatory_sql_ec2_application_load_balancer_mandatory
+ - aws_mandatory_sql_ec2_classic_load_balancer_mandatory
+ - aws_mandatory_sql_ec2_gateway_load_balancer_mandatory
+ - aws_mandatory_sql_ec2_instance_mandatory
+ - aws_mandatory_sql_ec2_network_load_balancer_mandatory
+ - aws_mandatory_sql_ec2_reserved_instance_mandatory
+ - aws_mandatory_sql_ecr_repository_mandatory
+ - aws_mandatory_sql_ecs_container_instance_mandatory
+ - 
aws_mandatory_sql_ecs_service_mandatory
+ - aws_mandatory_sql_efs_file_system_mandatory
+ - aws_mandatory_sql_eks_addon_mandatory
+ - aws_mandatory_sql_eks_cluster_mandatory
+ - aws_mandatory_sql_elastic_beanstalk_application_mandatory
+ - aws_mandatory_sql_elastic_beanstalk_environment_mandatory
+ - aws_mandatory_sql_elasticache_cluster_mandatory
+ - aws_mandatory_sql_elasticsearch_domain_mandatory
+ - aws_mandatory_sql_eventbridge_rule_mandatory
+ - aws_mandatory_sql_guardduty_detector_mandatory
+ - aws_mandatory_sql_iam_role_mandatory
+ - aws_mandatory_sql_iam_server_certificate_mandatory
+ - aws_mandatory_sql_iam_user_mandatory
+ - aws_mandatory_sql_inspector_assessment_template_mandatory
+ - aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory
+ - aws_mandatory_sql_kms_key_mandatory
+ - aws_mandatory_sql_lambda_function_mandatory
+ - aws_mandatory_sql_rds_db_cluster_mandatory
+ - aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory
+ - aws_mandatory_sql_rds_db_cluster_snapshot_mandatory
+ - aws_mandatory_sql_rds_db_instance_mandatory
+ - aws_mandatory_sql_rds_db_option_group_mandatory
+ - aws_mandatory_sql_rds_db_parameter_group_mandatory
+ - aws_mandatory_sql_rds_db_snapshot_mandatory
+ - aws_mandatory_sql_rds_db_subnet_group_mandatory
+ - aws_mandatory_sql_redshift_cluster_mandatory
+ - aws_mandatory_sql_route53_domain_mandatory
+ - aws_mandatory_sql_route53_resolver_endpoint_mandatory
+ - aws_mandatory_sql_s3_bucket_mandatory
+ - aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory
+ - aws_mandatory_sql_sagemaker_model_mandatory
+ - aws_mandatory_sql_sagemaker_notebook_instance_mandatory
+ - aws_mandatory_sql_sagemaker_training_job_mandatory
+ - aws_mandatory_sql_secretsmanager_secret_mandatory
+ - aws_mandatory_sql_ssm_parameter_mandatory
+ - aws_mandatory_sql_vpc_eip_mandatory
+ - aws_mandatory_sql_vpc_mandatory
+ - aws_mandatory_sql_vpc_nat_gateway_mandatory
+ - aws_mandatory_sql_vpc_network_acl_mandatory
+ - 
aws_mandatory_sql_vpc_security_group_mandatory
+ - aws_mandatory_sql_vpc_vpn_connection_mandatory
+ - aws_mandatory_sql_wafv2_ip_set_mandatory
+ - aws_mandatory_sql_wafv2_regex_pattern_set_mandatory
+ - aws_mandatory_sql_wafv2_rule_group_mandatory
+ - aws_mandatory_sql_wafv2_web_acl_mandatory
+ - id: tagging_azure_tagging
+ title: Azure Tagging
+ description: Azure Tagging
+ section-code: tagging_azure_tagging
+ metadata:
+ tags:
+ category:
+ - Compliance
+ platform_benchmark_type:
+ - compliance
+ platform_category:
+ - Best Practices
+ plugin:
+ - azure
+ service:
+ - Azure
+ type:
+ - Benchmark
+ controls:
+ - azure_mandatory_sql_resource_group_api_management_mandatory
+ - azure_mandatory_sql_resource_group_app_service_environment_mandatory
+ - azure_mandatory_sql_resource_group_app_service_function_app_mandatory
+ - azure_mandatory_sql_resource_group_app_service_plan_mandatory
+ - azure_mandatory_sql_resource_group_app_service_web_app_mandatory
+ - azure_mandatory_sql_resource_group_application_security_group_mandatory
+ - azure_mandatory_sql_resource_group_batch_account_mandatory
+ - azure_mandatory_sql_resource_group_compute_availability_set_mandatory
+ - azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory
+ - azure_mandatory_sql_resource_group_compute_disk_mandatory
+ - azure_mandatory_sql_resource_group_compute_image_mandatory
+ - azure_mandatory_sql_resource_group_compute_snapshot_mandatory
+ - azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory
+ - azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory
+ - azure_mandatory_sql_resource_group_container_registry_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_account_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory
+ - azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory
+ - azure_mandatory_sql_resource_group_data_factory_mandatory
+ - 
azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory
+ - azure_mandatory_sql_resource_group_data_lake_store_mandatory
+ - azure_mandatory_sql_resource_group_eventhub_namespace_mandatory
+ - azure_mandatory_sql_resource_group_express_route_circuit_mandatory
+ - azure_mandatory_sql_resource_group_firewall_mandatory
+ - azure_mandatory_sql_resource_group_iothub_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_key_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_mandatory
+ - azure_mandatory_sql_resource_group_key_vault_secret_mandatory
+ - azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory
+ - azure_mandatory_sql_resource_group_lb_mandatory
+ - azure_mandatory_sql_resource_group_log_alert_mandatory
+ - azure_mandatory_sql_resource_group_log_profile_mandatory
+ - azure_mandatory_sql_resource_group_logic_app_workflow_mandatory
+ - azure_mandatory_sql_resource_group_mariadb_server_mandatory
+ - azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory
+ - azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory
+ - azure_mandatory_sql_resource_group_mysql_server_mandatory
+ - azure_mandatory_sql_resource_group_network_interface_mandatory
+ - azure_mandatory_sql_resource_group_network_security_group_mandatory
+ - azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory
+ - azure_mandatory_sql_resource_group_network_watcher_mandatory
+ - azure_mandatory_sql_resource_group_postgresql_server_mandatory
+ - azure_mandatory_sql_resource_group_public_ip_mandatory
+ - azure_mandatory_sql_resource_group_recovery_services_vault_mandatory
+ - azure_mandatory_sql_resource_group_redis_cache_mandatory
+ - azure_mandatory_sql_resource_group_route_table_mandatory
+ - azure_mandatory_sql_resource_group_search_service_mandatory
+ - 
azure_mandatory_sql_resource_group_servicebus_namespace_mandatory
+ - azure_mandatory_sql_resource_group_sql_database_mandatory
+ - azure_mandatory_sql_resource_group_sql_server_mandatory
+ - azure_mandatory_sql_resource_group_storage_account_mandatory
+ - azure_mandatory_sql_resource_group_stream_analytics_job_mandatory
+ - azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory
+ - azure_mandatory_sql_resource_group_virtual_network_mandatory
+ - azure_mandatory_sql_subscription_resource_group_mandatory
+# - id: tagging_cost_controls
+# title: Cost Controls
+# description: Cost Controls
+# section-code: cost_controls
+# metadata:
+# tags:
+# category:
+# - Compliance
+# platform_benchmark_type:
+# - compliance
+# platform_category:
+# - Best Practices
+# plugin:
+# - aws
+# service:
+# - AWS
+# type:
+# - Benchmark
+# controls:
+# - platform_mom_cost_growth_15
+# - platform_connection_mom_cost_growth
\ No newline at end of file
diff --git a/compliance/frameworks/tagging/tagging_aws_tagging.yaml b/compliance/frameworks/tagging/tagging_aws_tagging.yaml
deleted file mode 100755
index 353aefe64..000000000
--- a/compliance/frameworks/tagging/tagging_aws_tagging.yaml
+++ /dev/null
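Review bot: The new tagging.yaml ends in a 21-line commented-out `tagging_cost_controls` group (`# - id: tagging_cost_controls` … `# - platform_connection_mom_cost_growth`) and then `\ No newline at end of file`; the deleted root.yaml carried only a single `# - tagging_cost_controls` line, so this commit grows the dead block rather than removing it. Comments are dropped by every YAML loader and the two control ids inside will silently rot, so either delete the block or collapse it to one line, e.g. `# TODO: re-add tagging_cost_controls (platform_mom_cost_growth_15, platform_connection_mom_cost_growth) once those controls are wired up`, and terminate the file with a newline. The file is also created with `new file mode 100755`; a data file should be `100644` so the executable bit does not ride along into checkouts. Finally, `enabled: true` is set at the framework level while the two nested groups carry no `defaults` at all — presumably they inherit, but a comment on the framework `defaults` block saying so would save the next reader from guessing.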
@@ -1,88 +0,0 @@ -ID: tagging_aws_tagging -Title: AWS Tagging -Description: AWS Tagging -SectionCode: tagging_aws_tagging -Children: [] -Controls: - - aws_mandatory_sql_accessanalyzer_analyzer_mandatory - - aws_mandatory_sql_api_gateway_stage_mandatory - - aws_mandatory_sql_cloudfront_distribution_mandatory - - aws_mandatory_sql_cloudtrail_trail_mandatory - - aws_mandatory_sql_cloudwatch_alarm_mandatory - - aws_mandatory_sql_cloudwatch_log_group_mandatory - - aws_mandatory_sql_codebuild_project_mandatory - - aws_mandatory_sql_codecommit_repository_mandatory - - aws_mandatory_sql_codepipeline_pipeline_mandatory - - aws_mandatory_sql_config_rule_mandatory - - aws_mandatory_sql_dax_cluster_mandatory - - aws_mandatory_sql_directory_service_directory_mandatory - - aws_mandatory_sql_dms_replication_instance_mandatory - - aws_mandatory_sql_dynamodb_table_mandatory - - aws_mandatory_sql_ebs_snapshot_mandatory - - aws_mandatory_sql_ebs_volume_mandatory - - aws_mandatory_sql_ec2_application_load_balancer_mandatory - - aws_mandatory_sql_ec2_classic_load_balancer_mandatory - - aws_mandatory_sql_ec2_gateway_load_balancer_mandatory - - aws_mandatory_sql_ec2_instance_mandatory - - aws_mandatory_sql_ec2_network_load_balancer_mandatory - - aws_mandatory_sql_ec2_reserved_instance_mandatory - - aws_mandatory_sql_ecr_repository_mandatory - - aws_mandatory_sql_ecs_container_instance_mandatory - - aws_mandatory_sql_ecs_service_mandatory - - aws_mandatory_sql_efs_file_system_mandatory - - aws_mandatory_sql_eks_addon_mandatory - - aws_mandatory_sql_eks_cluster_mandatory - - aws_mandatory_sql_elastic_beanstalk_application_mandatory - - aws_mandatory_sql_elastic_beanstalk_environment_mandatory - - aws_mandatory_sql_elasticache_cluster_mandatory - - aws_mandatory_sql_elasticsearch_domain_mandatory - - aws_mandatory_sql_eventbridge_rule_mandatory - - aws_mandatory_sql_guardduty_detector_mandatory - - aws_mandatory_sql_iam_role_mandatory - - aws_mandatory_sql_iam_server_certificate_mandatory - 
- aws_mandatory_sql_iam_user_mandatory - - aws_mandatory_sql_inspector_assessment_template_mandatory - - aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory - - aws_mandatory_sql_kms_key_mandatory - - aws_mandatory_sql_lambda_function_mandatory - - aws_mandatory_sql_rds_db_cluster_mandatory - - aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory - - aws_mandatory_sql_rds_db_cluster_snapshot_mandatory - - aws_mandatory_sql_rds_db_instance_mandatory - - aws_mandatory_sql_rds_db_option_group_mandatory - - aws_mandatory_sql_rds_db_parameter_group_mandatory - - aws_mandatory_sql_rds_db_snapshot_mandatory - - aws_mandatory_sql_rds_db_subnet_group_mandatory - - aws_mandatory_sql_redshift_cluster_mandatory - - aws_mandatory_sql_route53_domain_mandatory - - aws_mandatory_sql_route53_resolver_endpoint_mandatory - - aws_mandatory_sql_s3_bucket_mandatory - - aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory - - aws_mandatory_sql_sagemaker_model_mandatory - - aws_mandatory_sql_sagemaker_notebook_instance_mandatory - - aws_mandatory_sql_sagemaker_training_job_mandatory - - aws_mandatory_sql_secretsmanager_secret_mandatory - - aws_mandatory_sql_ssm_parameter_mandatory - - aws_mandatory_sql_vpc_eip_mandatory - - aws_mandatory_sql_vpc_mandatory - - aws_mandatory_sql_vpc_nat_gateway_mandatory - - aws_mandatory_sql_vpc_network_acl_mandatory - - aws_mandatory_sql_vpc_security_group_mandatory - - aws_mandatory_sql_vpc_vpn_connection_mandatory - - aws_mandatory_sql_wafv2_ip_set_mandatory - - aws_mandatory_sql_wafv2_regex_pattern_set_mandatory - - aws_mandatory_sql_wafv2_rule_group_mandatory - - aws_mandatory_sql_wafv2_web_acl_mandatory -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark 
diff --git a/compliance/frameworks/tagging/tagging_azure_tagging.yaml b/compliance/frameworks/tagging/tagging_azure_tagging.yaml deleted file mode 100755 index dac372f61..000000000 --- a/compliance/frameworks/tagging/tagging_azure_tagging.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -ID: tagging_azure_tagging -Title: Azure Tagging -Description: Azure Tagging -SectionCode: tagging_azure_tagging -Children: [] -Controls: - - azure_mandatory_sql_resource_group_api_management_mandatory - - azure_mandatory_sql_resource_group_app_service_environment_mandatory - - azure_mandatory_sql_resource_group_app_service_function_app_mandatory - - azure_mandatory_sql_resource_group_app_service_plan_mandatory - - azure_mandatory_sql_resource_group_app_service_web_app_mandatory - - azure_mandatory_sql_resource_group_application_security_group_mandatory - - azure_mandatory_sql_resource_group_batch_account_mandatory - - azure_mandatory_sql_resource_group_compute_availability_set_mandatory - - azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory - - azure_mandatory_sql_resource_group_compute_disk_mandatory - - azure_mandatory_sql_resource_group_compute_image_mandatory - - azure_mandatory_sql_resource_group_compute_snapshot_mandatory - - azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory - - azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory - - azure_mandatory_sql_resource_group_container_registry_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_account_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory - - azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory - - azure_mandatory_sql_resource_group_data_factory_mandatory - - azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory - - azure_mandatory_sql_resource_group_data_lake_store_mandatory - - azure_mandatory_sql_resource_group_eventhub_namespace_mandatory - - azure_mandatory_sql_resource_group_express_route_circuit_mandatory - - azure_mandatory_sql_resource_group_firewall_mandatory - - azure_mandatory_sql_resource_group_iothub_mandatory - - azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory - - 
azure_mandatory_sql_resource_group_key_vault_key_mandatory - - azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory - - azure_mandatory_sql_resource_group_key_vault_mandatory - - azure_mandatory_sql_resource_group_key_vault_secret_mandatory - - azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory - - azure_mandatory_sql_resource_group_lb_mandatory - - azure_mandatory_sql_resource_group_log_alert_mandatory - - azure_mandatory_sql_resource_group_log_profile_mandatory - - azure_mandatory_sql_resource_group_logic_app_workflow_mandatory - - azure_mandatory_sql_resource_group_mariadb_server_mandatory - - azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory - - azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory - - azure_mandatory_sql_resource_group_mysql_server_mandatory - - azure_mandatory_sql_resource_group_network_interface_mandatory - - azure_mandatory_sql_resource_group_network_security_group_mandatory - - azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory - - azure_mandatory_sql_resource_group_network_watcher_mandatory - - azure_mandatory_sql_resource_group_postgresql_server_mandatory - - azure_mandatory_sql_resource_group_public_ip_mandatory - - azure_mandatory_sql_resource_group_recovery_services_vault_mandatory - - azure_mandatory_sql_resource_group_redis_cache_mandatory - - azure_mandatory_sql_resource_group_route_table_mandatory - - azure_mandatory_sql_resource_group_search_service_mandatory - - azure_mandatory_sql_resource_group_servicebus_namespace_mandatory - - azure_mandatory_sql_resource_group_sql_database_mandatory - - azure_mandatory_sql_resource_group_sql_server_mandatory - - azure_mandatory_sql_resource_group_storage_account_mandatory - - azure_mandatory_sql_resource_group_stream_analytics_job_mandatory - - azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory - - azure_mandatory_sql_resource_group_virtual_network_mandatory - - 
azure_mandatory_sql_subscription_resource_group_mandatory -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - azure - service: - - Azure - type: - - Benchmark diff --git a/compliance/frameworks/tagging/tagging_cost_controls.yaml b/compliance/frameworks/tagging/tagging_cost_controls.yaml deleted file mode 100755 index a9fed28f0..000000000 --- a/compliance/frameworks/tagging/tagging_cost_controls.yaml +++ /dev/null @@ -1,21 +0,0 @@ -ID: tagging_cost_controls -Title: Cost Controls -Description: Cost Controls -SectionCode: cost_controls -Children: [] -Controls: -# - platform_mom_cost_growth_15 -# - platform_connection_mom_cost_growth -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/test-framework/root.yaml b/compliance/frameworks/test-framework/root.yaml deleted file mode 100755 index e1012c6f2..000000000 --- a/compliance/frameworks/test-framework/root.yaml +++ /dev/null @@ -1,27 +0,0 @@ -ID: test_benchmark -Title: Testing -Description: Testing Benchmark -SectionCode: tagging -Children: - - testing_aws_tagging - - testing_cost_controls -Controls: [] -Defaults: - AutoAssign: false - Enabled: true - TracksDriftEvents: false -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - - azure - service: - - AWS - - Azure - type: - - Benchmark diff --git a/compliance/frameworks/test-framework/testing_aws_tagging.yaml b/compliance/frameworks/test-framework/testing_aws_tagging.yaml deleted file mode 100755 index 1bea484cb..000000000 --- a/compliance/frameworks/test-framework/testing_aws_tagging.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -ID: testing_aws_tagging -Title: AWS Tagging -Description: AWS Tagging -SectionCode: testing_aws_tagging -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark diff --git a/compliance/frameworks/test-framework/testing_cost_controls.yaml b/compliance/frameworks/test-framework/testing_cost_controls.yaml deleted file mode 100755 index afc9e1f9c..000000000 --- a/compliance/frameworks/test-framework/testing_cost_controls.yaml +++ /dev/null @@ -1,20 +0,0 @@ -ID: testing_cost_controls -Title: Cost Controls -Description: Cost Controls -SectionCode: testing_cost_controls -Children: [] -Controls: - - aws_guardduty_enabled -Tags: - category: - - Compliance - platform_benchmark_type: - - compliance - platform_category: - - Best Practices - plugin: - - aws - service: - - AWS - type: - - Benchmark