Benchmark: CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity
Description
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Controls Access Credentials to Protected Assets - Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian.
Removes Access to Protected Assets When Appropriate - Processes are in place to remove credential access when an individual no longer requires such access.
Reviews Appropriateness of Access Credentials - The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_2Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_2 --shareControls
- ACM certificates should not expire within 30 days
- API Gateway stage cache encryption at rest should be enabled
- CloudTrail trail logs should be encrypted with KMS CMK
- DMS replication instances should not be publicly accessible
- Attached EBS volumes should have encryption enabled
- EBS snapshots should not be publicly restorable
- EBS default encryption should be enabled
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should be managed by AWS Systems Manager
- EFS file system encryption at rest should be enabled
- ELB application load balancers should be drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domain encryption at rest should be enabled
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- IAM password policies for users should have strong configurations
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM policy should not have statements with admin access
- IAM root user should not have access keys
- IAM user access keys should be rotated at least every 90 days
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- KMS keys should not be pending deletion
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- Log group encryption at rest should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should prohibit public access
- RDS DB snapshots should be encrypted at rest
- RDS snapshots should prohibit public access
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Redshift clusters should prohibit public access
- S3 bucket default encryption should be enabled
- S3 buckets should enforce SSL
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should have automatic rotation enabled
- Secrets Manager secrets should be rotated as per the rotation schedule
- SNS topics should be encrypted at rest
- SSM managed instance associations should be compliant
- VPC default security group should not allow inbound and outbound traffic
- VPC EIPs should be associated with an EC2 instance or ENI
- VPC security groups should be associated with at least one ENI
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0