Benchmark: 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

Usage

Browse dashboards and select 11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand:

steampipe dashboard

Or run the benchmarks in your terminal:

steampipe check aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_g

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_g

Controls

• AWS account should be part of AWS Organizations
• DMS replication instances should not be publicly accessible
• DynamoDB table should be encrypted with AWS KMS
• Attached EBS volumes should have encryption enabled
• EBS snapshots should not be publicly restorable
• EBS default encryption should be enabled
• EC2 instances should have IAM profile attached
• EC2 instances should be in a VPC
• EC2 instances should not have a public IP address
• EC2 instances should use IMDSv2
• ECS task definition container definitions should be checked for host mode
• EFS file system encryption at rest should be enabled
• EMR cluster Kerberos should be enabled
• EMR cluster master nodes should not have public IP addresses
• ES domain encryption at rest should be enabled
• ES domains should be in a VPC
• Elasticsearch domain node-to-node encryption should be enabled
• IAM password policies for users should have strong configurations
• Ensure IAM policy should not grant full access to service
• IAM groups should have at least one user
• IAM groups, users, and roles should not have any inline policies
• Ensure managed IAM policies should not allow blocked actions on KMS keys
• Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
• IAM policy should not have statements with admin access
• IAM root user hardware MFA should be enabled
• IAM root user MFA should be enabled
• IAM root user should not have access keys
• IAM user access keys should be rotated at least every 90 days
• IAM users with console access should have MFA enabled
• IAM users should be in at least one group
• IAM user MFA should be enabled
• IAM user should not have any inline or attached policies
• IAM user credentials that have not been used in 90 days should be disabled
• Lambda functions should be in a VPC
• Lambda functions should restrict public access
• RDS DB instances should prohibit public access
• RDS snapshots should prohibit public access
• AWS Redshift enhanced VPC routing should be enabled
• AWS Redshift clusters should be encrypted with KMS
• Redshift clusters should prohibit public access
• S3 bucket policy should prohibit public access
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SageMaker notebook instances should not have direct internet access
• Secrets Manager secrets should have automatic rotation enabled
• Secrets Manager secrets should be rotated as per the rotation schedule
• SSM documents should not be public
• VPC default security group should not allow inbound and outbound traffic
• VPC internet gateways should be attached to authorized vpc
• VPC route table should restrict public access to IGW
• VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
• VPC security groups should restrict ingress SSH access from 0.0.0.0/0
• VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
• VPC subnet auto assign public IP should be disabled

Tags