
     1  locals {
     2    cis_v130_4_common_tags = merge(local.cis_v130_common_tags, {
     3      cis_section_id = "4"
     4    })
     5  }
     6  
     7  benchmark "cis_v130_4" {
     8    title = "4 Monitoring"
     9    #documentation = file("./cis_v130/docs/cis_v130_4.md")
    10    tags = local.cis_v130_4_common_tags
    11    children = [
    12      control.cis_v130_4_1,
    13      control.cis_v130_4_2,
    14      control.cis_v130_4_3,
    15      control.cis_v130_4_4,
    16      control.cis_v130_4_5,
    17      control.cis_v130_4_6,
    18      control.cis_v130_4_7,
    19      control.cis_v130_4_8,
    20      control.cis_v130_4_9,
    21      control.cis_v130_4_10,
    22      control.cis_v130_4_11,
    23      control.cis_v130_4_12,
    24      control.cis_v130_4_13,
    25      control.cis_v130_4_14,
    26      control.cis_v130_4_15
    27    ]
    28  }
    29  
    30  control "cis_v130_4_1" {
    31    title       = "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls"
    32    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls."
    33    sql         = query.ok.sql
    34    #documentation = file("./cis_v130/docs/cis_v130_4_1.md")
    35  
    36    tags = merge(local.cis_v130_4_common_tags, {
    37      cis_item_id  = "4.1"
    38      cis_type     = "automated"
    39      cis_levels   = "1"
    40      cis_controls = "6.5,6.7"
    41    })
    42  }
    43  
    44  control "cis_v130_4_2" {
    45    title         = "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
    46    description   = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)."
    47    sql           = query.ok.sql
    48    #documentation = file("./cis_v130/docs/cis_v130_4_2.md")
    49  
    50    tags = merge(local.cis_v130_4_common_tags, {
    51      cis_item_id  = "4.2"
    52      cis_type     = "automated"
    53      cis_levels   = "1"
    54      cis_controls = "16"
    55    })
    56  }
    57  
    58  control "cis_v130_4_3" {
    59    title       = "4.3 Ensure a log metric filter and alarm exist for usage of \"root\" account"
    60    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts."
    61    sql         = query.info.sql
    62    #documentation = file("./cis_v130/docs/cis_v130_4_3.md")
    63  
    64    tags = merge(local.cis_v130_4_common_tags, {
    65      cis_item_id  = "4.3"
    66      cis_type     = "automated"
    67      cis_levels   = "1"
    68      cis_controls = "4.9"
    69    })
    70  }
    71  
    72  control "cis_v130_4_4" {
    73    title       = "4.4 Ensure a log metric filter and alarm exist for IAM policy changes"
    74    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies."
    75    sql         = query.ok.sql
    76    #documentation = file("./cis_v130/docs/cis_v130_4_4.md")
    77  
    78    tags = merge(local.cis_v130_4_common_tags, {
    79      cis_item_id  = "4.4"
    80      cis_type     = "automated"
    81      cis_levels   = "1"
    82      cis_controls = "16"
    83    })
    84  }
    85  
    86  control "cis_v130_4_5" {
    87    title       = "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes"
    88    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations."
    89    sql         = query.ok.sql
    90    #documentation = file("./cis_v130/docs/cis_v130_4_5.md")
    91  
    92    tags = merge(local.cis_v130_4_common_tags, {
    93      cis_item_id  = "4.5"
    94      cis_type     = "automated"
    95      cis_levels   = "1"
    96      cis_controls = "6"
    97    })
    98  }
    99  
   100  control "cis_v130_4_6" {
   101    title       = "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
   102    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts."
   103    sql         = query.info.sql
   104    #documentation = file("./cis_v130/docs/cis_v130_4_6.md")
   105  
   106    tags = merge(local.cis_v130_4_common_tags, {
   107      cis_item_id  = "4.6"
   108      cis_type     = "automated"
   109      cis_levels   = "2"
   110      cis_controls = "16"
   111    })
   112  }
   113  
   114  control "cis_v130_4_7" {
   115    title       = "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs"
   116    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion."
   117    sql         = query.ok.sql
   118    #documentation = file("./cis_v130/docs/cis_v130_4_7.md")
   119  
   120    tags = merge(local.cis_v130_4_common_tags, {
   121      cis_item_id  = "4.7"
   122      cis_type     = "automated"
   123      cis_levels   = "2"
   124      cis_controls = "16"
   125    })
   126  }
   127  
   128  control "cis_v130_4_8" {
   129    title       = "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes"
   130    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies."
   131    sql         = query.ok.sql
   132    #documentation = file("./cis_v130/docs/cis_v130_4_8.md")
   133  
   134    tags = merge(local.cis_v130_4_common_tags, {
   135      cis_item_id  = "4.8"
   136      cis_type     = "automated"
   137      cis_levels   = "1"
   138      cis_controls = "6.2,14"
   139    })
   140  }
   141  
   142  control "cis_v130_4_9" {
   143    title       = "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes"
   144    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations."
   145    sql         = query.skip.sql
   146    #documentation = file("./cis_v130/docs/cis_v130_4_9.md")
   147  
   148    tags = merge(local.cis_v130_4_common_tags, {
   149      cis_item_id  = "4.9"
   150      cis_type     = "automated"
   151      cis_levels   = "2"
   152      cis_controls = "1.4,11.2,16.1"
   153    })
   154  }
   155  
   156  control "cis_v130_4_10" {
   157    title       = "4.10 Ensure a log metric filter and alarm exist for security group changes"
   158    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups."
   159    sql         = query.ok.sql
   160    #documentation = file("./cis_v130/docs/cis_v130_4_10.md")
   161  
   162    tags = merge(local.cis_v130_4_common_tags, {
   163      cis_item_id  = "4.10"
   164      cis_type     = "automated"
   165      cis_levels   = "2"
   166      cis_controls = "6.2,14.6"
   167    })
   168  }
   169  
   170  control "cis_v130_4_11" {
   171    title       = "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)"
   172    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs."
   173    sql         = query.ok.sql
   174    #documentation = file("./cis_v130/docs/cis_v130_4_11.md")
   175  
   176    tags = merge(local.cis_v130_4_common_tags, {
   177      cis_item_id  = "4.11"
   178      cis_type     = "automated"
   179      cis_levels   = "2"
   180      cis_controls = "11.3"
   181    })
   182  }
   183  
   184  control "cis_v130_4_12" {
   185    title       = "4.12 Ensure a log metric filter and alarm exist for changes to network gateways"
   186    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways."
   187    sql         = query.ok.sql
   188    #documentation = file("./cis_v130/docs/cis_v130_4_12.md")
   189  
   190    tags = merge(local.cis_v130_4_common_tags, {
   191      cis_item_id  = "4.12"
   192      cis_type     = "automated"
   193      cis_levels   = "1"
   194      cis_controls = "6.2,11.3"
   195    })
   196  }
   197  
   198  control "cis_v130_4_13" {
   199    title       = "4.13 Ensure a log metric filter and alarm exist for route table changes"
   200    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables."
   201    sql         = query.ok.sql
   202    #documentation = file("./cis_v130/docs/cis_v130_4_13.md")
   203  
   204    tags = merge(local.cis_v130_4_common_tags, {
   205      cis_item_id  = "4.13"
   206      cis_type     = "automated"
   207      cis_levels   = "1"
   208      cis_controls = "6.2,11.3"
   209    })
   210  }
   211  
   212  control "cis_v130_4_14" {
   213    title       = "4.14 Ensure a log metric filter and alarm exist for VPC changes"
   214    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs."
   215    sql         = query.skip.sql
   216    #documentation = file("./cis_v130/docs/cis_v130_4_14.md")
   217  
   218    tags = merge(local.cis_v130_4_common_tags, {
   219      cis_item_id  = "4.14"
   220      cis_type     = "automated"
   221      cis_levels   = "1"
   222      cis_controls = "5.5"
   223    })
   224  }
   225  
   226  control "cis_v130_4_15" {
   227    title       = "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes"
   228    description = "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account."
   229    sql         = query.ok.sql
   230    #documentation = file("./cis_v130/docs/cis_v130_4_15.md")
   231  
   232    tags = merge(local.cis_v130_4_common_tags, {
   233      cis_item_id  = "4.15"
   234      cis_type     = "automated"
   235      cis_levels   = "1"
   236      cis_controls = "6.2,14.6"
   237    })
   238  }