
     1  locals {
     2    cis_v130_3_common_tags = merge(local.cis_v130_common_tags, {
     3      cis_section_id = "3"
     4    })
     5  }
     6  
     7  benchmark "cis_v130_3" {
     8    title = "3 Logging"
     9    #documentation = file("docs/cis_v130_3.md")
    10    children = [
    11      control.cis_v130_3_1,
    12      control.cis_v130_3_2,
    13      control.cis_v130_3_3,
    14      control.cis_v130_3_4,
    15      control.cis_v130_3_5,
    16      control.cis_v130_3_6,
    17      control.cis_v130_3_7,
    18      control.cis_v130_3_8,
    19      control.cis_v130_3_9,
    20      control.cis_v130_3_10,
    21      control.cis_v130_3_11
    22    ]
    23    tags = local.cis_v130_3_common_tags
    24  }
    25  
    26  control "cis_v130_3_1" {
    27    title       = "3.1 Ensure CloudTrail is enabled in all regions"
    28    description = "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
    29    sql         = query.ok.sql
    30    #documentation = file("docs/cis_v130_3_1.md")
    31  
    32    tags = merge(local.cis_v130_3_common_tags, {
    33      cis_item_id  = "3.1"
    34      cis_type     = "automated"
    35      cis_levels   = "1"
    36      cis_controls = "6.2"
    37    })
    38  }
    39  
    40  control "cis_v130_3_2" {
    41    title       = "3.2 Ensure CloudTrail log file validation is enabled."
    42    description = "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails."
    43    sql         = query.ok.sql
    44  
    45    tags = merge(local.cis_v130_3_common_tags, {
    46      cis_item_id  = "3.2"
    47      cis_type     = "automated"
    48      cis_levels   = "2"
    49      cis_controls = "6"
    50    })
    51  }
    52  
    53  control "cis_v130_3_3" {
    54    title       = "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible"
    55    description = "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs."
    56    sql         = query.ok.sql
    57    #documentation = file("docs/cis_v130_3_3.md")
    58  
    59    tags = merge(local.cis_v130_3_common_tags, {
    60      cis_item_id  = "3.3"
    61      cis_type     = "automated"
    62      cis_levels   = "1"
    63      cis_controls = "14.6"
    64    })
    65  }
    66  
    67  control "cis_v130_3_4" {
    68    title       = "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs"
    69    description = "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs."
    70    sql         = query.ok.sql
    71    #documentation = file("./cis_v130/docs/cis_v130_3_4.md")
    72  
    73    tags = merge(local.cis_v130_3_common_tags, {
    74      "cis_item_id" = "3.4"
    75      "cis_type"    = "automated"
    76      "cis_level"   = "1"
    77      "cis_control" = "6.2"
    78    })
    79  }
    80  
    81  control "cis_v130_3_5" {
    82    title       = "3.5 Ensure AWS Config is enabled in all regions"
    83    description = "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions."
    84    sql         = query.ok.sql
    85    #documentation = file("./cis_v130/docs/cis_v130_3_5.md")
    86  
    87    tags = merge(local.cis_v130_3_common_tags, {
    88      "cis_item_id" = "3.5"
    89      "cis_type"    = "automated"
    90      "cis_level"   = "1"
    91      "cis_control" = "1.4,11.2,16.1"
    92    })
    93  }
    94  
    95  control "cis_v130_3_6" {
    96    title       = "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"
    97    description = "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket."
    98    sql         = query.ok.sql
    99    #documentation = file("./cis_v130/docs/cis_v130_3_6.md")
   100  
   101    tags = merge(local.cis_v130_3_common_tags, {
   102      "cis_item_id" = "3.6"
   103      "cis_type"    = "automated"
   104      "cis_level"   = "1"
   105      "cis_control" = "6.2,14.9"
   106    })
   107  }
   108  
   109  control "cis_v130_3_7" {
   110    title       = "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
   111    description = "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS."
   112    sql         = query.ok.sql
   113    #documentation = file("./cis_v130/docs/cis_v130_3_7.md")
   114  
   115    tags = merge(local.cis_v130_3_common_tags, {
   116      "cis_item_id" = "3.7"
   117      "cis_type"    = "automated"
   118      "cis_level"   = "2"
   119      "cis_control" = "6"
   120    })
   121  }
   122  
   123  control "cis_v130_3_8" {
   124    title       = "3.8 Ensure rotation for customer created CMKs is enabled"
   125    description = "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled."
   126    sql         = query.ok.sql
   127    #documentation = file("./cis_v130/docs/cis_v130_3_8.md")
   128  
   129    tags = merge(local.cis_v130_3_common_tags, {
   130      "cis_item_id" = "3.8"
   131      "cis_type"    = "automated"
   132      "cis_level"   = "2"
   133      "cis_control" = "6"
   134    })
   135  }
   136  
   137  control "cis_v130_3_9" {
   138    title       = "3.9 Ensure VPC flow logging is enabled in all VPCs"
   139    description = "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs."
   140    sql         = query.ok.sql
   141    #documentation = file("./cis_v130/docs/cis_v130_3_9.md")
   142  
   143    tags = merge(local.cis_v130_3_common_tags, {
   144      "cis_item_id" = "3.9"
   145      "cis_type"    = "automated"
   146      "cis_level"   = "2"
   147      "cis_control" = "6.2,12.5"
   148    })
   149  }
   150  
   151  control "cis_v130_3_10" {
   152    title         = "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket"
   153    description   = "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
   154    sql           = query.ok.sql
   155    documentation = file("./cis_v130/docs/cis_v130_3_10.md")
   156  
   157    tags = merge(local.cis_v130_3_common_tags, {
   158      "cis_item_id" = "3.10"
   159      "cis_type"    = "automated"
   160      "cis_level"   = "2"
   161      "cis_control" = "6.2,6.3"
   162    })
   163  }
   164  
   165  control "cis_v130_3_11" {
   166    title       = "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket"
   167    description = "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
   168    sql         = query.ok.sql
   169    # documentation = file("./cis_v130/docs/cis_v130_3_11.md")
   170  
   171    tags = merge(local.cis_v130_3_common_tags, {
   172      "cis_item_id" = "3.11"
   173      "cis_type"    = "automated"
   174      "cis_level"   = "2"
   175      "cis_control" = "6.2,6.3"
   176    })
   177  }