diff --git a/CHANGELOG.md b/CHANGELOG.md
index 716a009c..ba060c75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## v0.98 [2024-08-30]
+
+_What's new?_
+
+- Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (`powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight`). ([#823](https://github.com/turbot/steampipe-mod-aws-compliance/pull/823))
+
## v0.97 [2024-08-12]
_What's new?_
diff --git a/README.md b/README.md
index 43294d95..426f5dce 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
>
> All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.
-540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v3.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, and more!
+540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v3.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
Run checks in a dashboard:
![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_dashboard.png)
diff --git a/acsc_essential_eight/acsc_essential_eight.sp b/acsc_essential_eight/acsc_essential_eight.sp
new file mode 100644
index 00000000..527946dc
--- /dev/null
+++ b/acsc_essential_eight/acsc_essential_eight.sp
@@ -0,0 +1,21 @@
+locals {
+ acsc_essential_eight_common_tags = merge(local.aws_compliance_common_tags, {
+ acsc_essential_eight = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "acsc_essential_eight" {
+ title = "Australian Cyber Security Center (ACSC) Essential Eight"
+ description = "The Australian Cyber Security Center (ACSC) Essential Eight is a set of baseline security strategies designed to mitigate cyber security incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents."
+ documentation = file("./acsc_essential_eight/docs/acsc_essential_eight_overview.md")
+ children = [
+ benchmark.acsc_essential_eight_ml_1,
+ benchmark.acsc_essential_eight_ml_2,
+ benchmark.acsc_essential_eight_ml_3
+ ]
+
+ tags = merge(local.acsc_essential_eight_common_tags, {
+ type = "Benchmark"
+ })
+}
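Review bot: The `tags` block of `benchmark "acsc_essential_eight"` re-merges `type = "Benchmark"`, which `local.acsc_essential_eight_common_tags` already sets a few lines above, so the merge adds nothing; `tags = local.acsc_essential_eight_common_tags` would be equivalent and matches how the ML1 and ML2 benchmarks assign their tags. The organisation's own name is spelled "Australian Cyber Security Centre" (Australian English), so the `title`, the `description` and the matching README and CHANGELOG entries would track the framework's naming more accurately with that spelling, if the maintainers want to align with it.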
diff --git a/acsc_essential_eight/docs/acsc_essential_eight_overview.md b/acsc_essential_eight/docs/acsc_essential_eight_overview.md
new file mode 100644
index 00000000..92295670
--- /dev/null
+++ b/acsc_essential_eight/docs/acsc_essential_eight_overview.md
@@ -0,0 +1,5 @@
+## Overview
+
+The ACSC Essential Eight is a set of baseline security strategies designed to mitigate cybersecurity incidents. The Essential Eight is a prioritized list of mitigation strategies that organizations can implement to protect their systems against a range of adversaries. The Essential Eight is based on the Australian Signals Directorate (ASD)’s experience in cyber operations and incident response. The Essential Eight is designed to be complementary to other cybersecurity frameworks, such as the NIST Cybersecurity Framework and ISO 27001.
+
+The Essential Eight is divided into two groups: Essential Eight Maturity Model and Essential Eight Strategies. The Essential Eight Maturity Model is a set of maturity levels that organizations can use to assess their cybersecurity posture. The Essential Eight Strategies are a set of mitigation strategies that organizations can implement to protect their systems against a range of adversaries.
\ No newline at end of file
diff --git a/acsc_essential_eight/ml_1 .sp b/acsc_essential_eight/ml_1 .sp
new file mode 100644
index 00000000..227335fa
--- /dev/null
+++ b/acsc_essential_eight/ml_1 .sp
@@ -0,0 +1,459 @@
+locals {
+ acsc_essential_eight_ml_1_common_tags = merge(local.acsc_essential_eight_common_tags, {
+ maturity_level = "1"
+ })
+}
+
+benchmark "acsc_essential_eight_ml_1" {
+ title = "ACSC Essential Eight Maturity Level 1"
+ description = "The availability category refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_2,
+ benchmark.acsc_essential_eight_ml_1_5,
+ benchmark.acsc_essential_eight_ml_1_6,
+ benchmark.acsc_essential_eight_ml_1_7,
+ benchmark.acsc_essential_eight_ml_1_8
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_2" {
+ title = "ACSC-EE-ML1-2: Patch applications ML1"
+ description = "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_2_5
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_2_5" {
+ title = "ACSC-EE-ML1-2.5: Patch applications ML1"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_5" {
+ title = "ACSC-EE-ML1-5: Restrict administrative privileges ML1"
+ description = "The restriction of administrative privileges is the practice of limiting the number of privileged accounts and the extent of their access to systems and data."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_5_2,
+ benchmark.acsc_essential_eight_ml_1_5_3,
+ benchmark.acsc_essential_eight_ml_1_5_4,
+ benchmark.acsc_essential_eight_ml_1_5_5
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_5_2" {
+ title = "ACSC-EE-ML1-5.2: Restrict administrative privileges ML1"
+ description = "Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_5_3" {
+ title = "ACSC-EE-ML1-5.3: Restrict administrative privileges ML1"
+ description = "Privileged users use separate privileged and unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_5_4" {
+ title = "ACSC-EE-ML1-5.4: Restrict administrative privileges ML1"
+ description = "Unprivileged accounts cannot logon to privileged operating environments."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_5_5" {
+ title = "ACSC-EE-ML1-5.5: Restrict administrative privileges ML1"
+ description = "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6" {
+ title = "ACSC-EE-ML1-6: Patch operating systems ML1"
+ description = "The patching of operating systems is the practice of applying patches, updates or vendor mitigations to security vulnerabilities in operating systems."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_6_2,
+ benchmark.acsc_essential_eight_ml_1_6_3,
+ benchmark.acsc_essential_eight_ml_1_6_4,
+ benchmark.acsc_essential_eight_ml_1_6_5,
+ benchmark.acsc_essential_eight_ml_1_6_6,
+ benchmark.acsc_essential_eight_ml_1_6_7
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_2" {
+ title = "ACSC-EE-ML1-6.2: Patch operating systems ML1"
+ description = "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_3" {
+ title = "ACSC-EE-ML1-6.3: Patch operating systems ML1"
+ description = "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_4" {
+ title = "ACSC-EE-ML1-6.4: Patch operating systems ML1"
+ description = "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_5" {
+ title = "ACSC-EE-ML1-6.5: Patch operating systems ML1"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_6" {
+ title = "ACSC-EE-ML1-6.6: Patch operating systems ML1"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_6_7" {
+ title = "ACSC-EE-ML1-6.7: Patch operating systems ML1"
+ description = "Operating systems that are no longer supported by vendors are replaced."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_7" {
+ title = "ACSC-EE-ML1-7: Application control ML1"
+ description = "Application control is the practice of restricting the execution of applications to those that have been authorised and are known to be secure."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_7_1,
+ benchmark.acsc_essential_eight_ml_1_7_2,
+ benchmark.acsc_essential_eight_ml_1_7_3,
+ benchmark.acsc_essential_eight_ml_1_7_4
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_7_1" {
+ title = "ACSC-EE-ML1-7.1: Multi-factor authentication ML1"
+ description = "Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_7_2" {
+ title = "ACSC-EE-ML1-7.2: Multi-factor authentication ML1"
+ description = "Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_7_3" {
+ title = "ACSC-EE-ML1-7.3: Multi-factor authentication ML1"
+ description = "Multi-factor authentication (where available) is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_7_4" {
+ title = "ACSC-EE-ML1-7.4: Multi-factor authentication ML1"
+ description = "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8" {
+ title = "ACSC-EE-ML1-8: Regular backups ML1"
+ description = "Regular backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_1_8_1,
+ benchmark.acsc_essential_eight_ml_1_8_2,
+ benchmark.acsc_essential_eight_ml_1_8_3,
+ benchmark.acsc_essential_eight_ml_1_8_5,
+ benchmark.acsc_essential_eight_ml_1_8_6
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8_1" {
+ title = "ACSC-EE-ML1-8.1: Regular backups ML1"
+ description = "Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8_2" {
+ title = "ACSC-EE-ML1-8.2: Regular backups ML1"
+ description = "Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8_3" {
+ title = "ACSC-EE-ML1-8.3: Regular backups ML1"
+ description = "Backups of important data, software and configuration settings are retained in a secure and resilient manner."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8_5" {
+ title = "ACSC-EE-ML1-8.5: Regular backups ML1"
+ description = "Unprivileged accounts cannot access backups belonging to other accounts."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_1_8_6" {
+ title = "ACSC-EE-ML1-8.6: Regular backups ML1"
+ description = "Unprivileged accounts are prevented from modifying and deleting backups."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
\ No newline at end of file
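Review bot: `benchmark "acsc_essential_eight_ml_1_7"` is titled `ACSC-EE-ML1-7: Application control ML1` and carries an application-control description, but every child it lists (ml_1_7_1 through ml_1_7_4) is titled `Multi-factor authentication ML1` and maps MFA controls, so the parent looks copy-pasted from a different strategy; `title = "ACSC-EE-ML1-7: Multi-factor authentication ML1"` with a matching description would make the tree consistent. The top-level ML1 description (`The availability category refers to the accessibility of information used by the entity’s systems ...`) also reads as text from another framework rather than a description of Maturity Level 1; the ML2 wording in ml_2.sp is a better template. The new file is named `ml_1 .sp` with a space before the extension, unlike `ml_2.sp`, which is probably unintended and worth renaming before it reaches mod-loading globs or scripts. The same parent/child mismatch appears in the ml_2.sp hunk: `acsc_essential_eight_ml_2_1_3` is titled `Application control ML2` under a `Patch applications ML2` parent, `acsc_essential_eight_ml_2_2_5` is titled `Patch applications ML2` under `Patch operating systems ML2`, and the ML2-1 and ML2-2 descriptions are identical.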
diff --git a/acsc_essential_eight/ml_2.sp b/acsc_essential_eight/ml_2.sp
new file mode 100644
index 00000000..764f0938
--- /dev/null
+++ b/acsc_essential_eight/ml_2.sp
@@ -0,0 +1,856 @@
+locals {
+ acsc_essential_eight_ml_2_common_tags = merge(local.acsc_essential_eight_common_tags, {
+ maturity_level = "2"
+ })
+}
+
+benchmark "acsc_essential_eight_ml_2" {
+ title = "ACSC Essential Eight Maturity Level 2"
+ description = "The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_1,
+ benchmark.acsc_essential_eight_ml_2_2,
+ benchmark.acsc_essential_eight_ml_2_5,
+ benchmark.acsc_essential_eight_ml_2_6,
+ benchmark.acsc_essential_eight_ml_2_7,
+ benchmark.acsc_essential_eight_ml_2_8
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_1" {
+ title = "ACSC-EE-ML2-1: Patch applications ML2"
+ description = "An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_1_3
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_1_3" {
+ title = "ACSC-EE-ML2-1.3: Application control ML2"
+ description = "Allowed and blocked execution events on workstations and internet-facing servers are logged."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.appsync_graphql_api_field_level_logging_enabled,
+ control.cloudfront_distribution_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.codebuild_project_logging_enabled,
+ control.dms_replication_task_source_database_logging_enabled,
+ control.dms_replication_task_target_database_logging_enabled,
+ control.ec2_client_vpn_endpoint_client_connection_logging_enabled,
+ control.ecs_task_definition_logging_enabled,
+ control.eks_cluster_control_plane_audit_logging_enabled,
+ control.elastic_beanstalk_environment_logs_to_cloudwatch,
+ control.elb_application_classic_lb_logging_enabled,
+ control.elb_classic_lb_desync_mitigation_mode,
+ control.gatewayv2_stage_access_logging_enabled,
+ control.neptune_db_cluster_audit_logging_enabled,
+ control.networkfirewall_firewall_logging_enabled,
+ control.rds_db_cluster_aurora_mysql_audit_logging_enabled,
+ control.rds_db_cluster_events_subscription,
+ control.rds_db_instance_events_subscription,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_parameter_group_events_subscription,
+ control.rds_db_security_group_events_subscription,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.route53_zone_query_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.sfn_state_machine_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.waf_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_2" {
+ title = "ACSC-EE-ML2-2: Patch operating systems ML2"
+ description = "An automated method of asset discovery is used at least weekly to support the detection of assets for subsequent vulnerability scanning activities."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_2_5
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_2_5" {
+ title = "ACSC-EE-ML2-2.5: Patch applications ML2"
+ description = "A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5" {
+ title = "ACSC-EE-ML2-5: Restrict administrative privileges ML2"
+ description = "Requests for privileged access to systems and applications are validated when first requested."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_5_2,
+ benchmark.acsc_essential_eight_ml_2_5_3,
+ benchmark.acsc_essential_eight_ml_2_5_4,
+ benchmark.acsc_essential_eight_ml_2_5_5,
+ benchmark.acsc_essential_eight_ml_2_5_6,
+ benchmark.acsc_essential_eight_ml_2_5_7,
+ benchmark.acsc_essential_eight_ml_2_5_8,
+ benchmark.acsc_essential_eight_ml_2_5_9,
+ benchmark.acsc_essential_eight_ml_2_5_10,
+ benchmark.acsc_essential_eight_ml_2_5_11,
+ benchmark.acsc_essential_eight_ml_2_5_12
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_2" {
+ title = "ACSC-EE-ML2-5.2: Restrict administrative privileges ML2"
+ description = "Privileged access to systems and applications is automatically disabled after 12 months unless revalidated."
+
+ children = [
+ control.account_part_of_organizations,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_managed_policy_attached_to_role,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_policy_unused,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.neptune_db_cluster_iam_authentication_enabled,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled,
+ control.s3_bucket_acls_should_prohibit_user_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_3" {
+ title = "ACSC-EE-ML2-5.3: Restrict administrative privileges ML2"
+ description = "Privileged access to systems and applications is automatically disabled after 45 days of inactivity."
+
+ children = [
+ control.account_part_of_organizations,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_managed_policy_attached_to_role,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_policy_unused,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.neptune_db_cluster_iam_authentication_enabled,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled,
+ control.s3_bucket_acls_should_prohibit_user_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_4" {
+ title = "ACSC-EE-ML2-5.4: Restrict administrative privileges ML2"
+ description = "Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_5" {
+ title = "ACSC-EE-ML2-5.5: Restrict administrative privileges ML2"
+ description = "Privileged users use separate privileged and unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_6" {
+ title = "ACSC-EE-ML2-5.6: Restrict administrative privileges ML2"
+ description = "Privileged operating environments are not virtualised within unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_7" {
+ title = "ACSC-EE-ML2-5.7: Restrict administrative privileges ML2"
+ description = "Unprivileged accounts cannot logon to privileged operating environments."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_8" {
+ title = "ACSC-EE-ML2-5.8: Restrict administrative privileges ML2"
+ description = "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_9" {
+ title = "ACSC-EE-ML2-5.9: Restrict administrative privileges ML2"
+ description = "Unprivileged accounts cannot logon to privileged operating environments."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_10" {
+ title = "ACSC-EE-ML2-5.10: Restrict administrative privileges ML2"
+ description = "Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_11" {
+ title = "ACSC-EE-ML2-5.11: Restrict administrative privileges ML2"
+ description = "Privileged access events are logged."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.appsync_graphql_api_field_level_logging_enabled,
+ control.cloudfront_distribution_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.codebuild_project_logging_enabled,
+ control.dms_replication_task_source_database_logging_enabled,
+ control.dms_replication_task_target_database_logging_enabled,
+ control.ec2_client_vpn_endpoint_client_connection_logging_enabled,
+ control.ecs_task_definition_logging_enabled,
+ control.eks_cluster_control_plane_audit_logging_enabled,
+ control.elastic_beanstalk_environment_logs_to_cloudwatch,
+ control.elb_application_classic_lb_logging_enabled,
+ control.elb_classic_lb_desync_mitigation_mode,
+ control.gatewayv2_stage_access_logging_enabled,
+ control.neptune_db_cluster_audit_logging_enabled,
+ control.networkfirewall_firewall_logging_enabled,
+ control.rds_db_cluster_aurora_mysql_audit_logging_enabled,
+ control.rds_db_cluster_events_subscription,
+ control.rds_db_instance_events_subscription,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_parameter_group_events_subscription,
+ control.rds_db_security_group_events_subscription,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.route53_zone_query_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.sfn_state_machine_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.waf_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_5_12" {
+ title = "ACSC-EE-ML2-5.12: Restrict administrative privileges ML2"
+ description = "Privileged account and group management events are logged."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.appsync_graphql_api_field_level_logging_enabled,
+ control.cloudfront_distribution_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.codebuild_project_logging_enabled,
+ control.dms_replication_task_source_database_logging_enabled,
+ control.dms_replication_task_target_database_logging_enabled,
+ control.ec2_client_vpn_endpoint_client_connection_logging_enabled,
+ control.ecs_task_definition_logging_enabled,
+ control.eks_cluster_control_plane_audit_logging_enabled,
+ control.elastic_beanstalk_environment_logs_to_cloudwatch,
+ control.elb_application_classic_lb_logging_enabled,
+ control.elb_classic_lb_desync_mitigation_mode,
+ control.gatewayv2_stage_access_logging_enabled,
+ control.neptune_db_cluster_audit_logging_enabled,
+ control.networkfirewall_firewall_logging_enabled,
+ control.rds_db_cluster_aurora_mysql_audit_logging_enabled,
+ control.rds_db_cluster_events_subscription,
+ control.rds_db_instance_events_subscription,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_parameter_group_events_subscription,
+ control.rds_db_security_group_events_subscription,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.route53_zone_query_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.sfn_state_machine_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.waf_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_6" {
+ title = "ACSC-EE-ML2-6: Multi-factor authentication ML2"
+ description = "Multi-factor authentication is enabled for all users and administrators."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_6_2,
+ benchmark.acsc_essential_eight_ml_2_6_3,
+ benchmark.acsc_essential_eight_ml_2_6_4,
+ benchmark.acsc_essential_eight_ml_2_6_5,
+ benchmark.acsc_essential_eight_ml_2_6_6,
+ benchmark.acsc_essential_eight_ml_2_6_7
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_6_2" {
+ title = "ACSC-EE-ML2-6.2: Patch operating systems ML2"
+ description = "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+}
+
+benchmark "acsc_essential_eight_ml_2_6_3" {
+ title = "ACSC-EE-ML2-6.3: Patch operating systems ML2"
+ description = "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+}
+
+benchmark "acsc_essential_eight_ml_2_6_4" {
+ title = "ACSC-EE-ML2-6.4: Patch operating systems ML2"
+ description = "A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+}
+
+benchmark "acsc_essential_eight_ml_2_6_5" {
+ title = "ACSC-EE-ML2-6.5: Patch operating systems ML2"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_6_6" {
+ title = "ACSC-EE-ML2-6.6: Patch operating systems ML2"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_6_7" {
+ title = "ACSC-EE-ML2-6.7: Patch operating systems ML2"
+ description = "Operating systems that are no longer supported by vendors are replaced."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7" {
+ title = "ACSC-EE-ML2-7: Application control ML2"
+ description = "Allowed and blocked execution events on workstations and internet-facing servers are logged."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_7_1,
+ benchmark.acsc_essential_eight_ml_2_7_4,
+ benchmark.acsc_essential_eight_ml_2_7_5,
+ benchmark.acsc_essential_eight_ml_2_7_6,
+ benchmark.acsc_essential_eight_ml_2_7_7
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7_1" {
+ title = "ACSC-EE-ML2-7.1: Multi-factor authentication ML2"
+ description = "Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7_4" {
+ title = "ACSC-EE-ML2-7.4: Multi-factor authentication ML2"
+ description = "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7_5" {
+ title = "ACSC-EE-ML2-7.5: Multi-factor authentication ML2"
+ description = "Multi-factor authentication is used to authenticate privileged users of systems."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7_6" {
+ title = "ACSC-EE-ML2-7.6: Multi-factor authentication ML2"
+ description = "Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_7_7" {
+ title = "ACSC-EE-ML2-7.7: Multi-factor authentication ML2"
+ description = "Successful and unsuccessful multi-factor authentication events are logged."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.appsync_graphql_api_field_level_logging_enabled,
+ control.cloudfront_distribution_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.codebuild_project_logging_enabled,
+ control.dms_replication_task_source_database_logging_enabled,
+ control.dms_replication_task_target_database_logging_enabled,
+ control.ec2_client_vpn_endpoint_client_connection_logging_enabled,
+ control.ecs_task_definition_logging_enabled,
+ control.eks_cluster_control_plane_audit_logging_enabled,
+ control.elastic_beanstalk_environment_logs_to_cloudwatch,
+ control.elb_application_classic_lb_logging_enabled,
+ control.elb_classic_lb_desync_mitigation_mode,
+ control.gatewayv2_stage_access_logging_enabled,
+ control.neptune_db_cluster_audit_logging_enabled,
+ control.networkfirewall_firewall_logging_enabled,
+ control.rds_db_cluster_aurora_mysql_audit_logging_enabled,
+ control.rds_db_cluster_events_subscription,
+ control.rds_db_instance_events_subscription,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_parameter_group_events_subscription,
+ control.rds_db_security_group_events_subscription,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.route53_zone_query_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.sfn_state_machine_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.waf_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8" {
+ title = "ACSC-EE-ML2-8: Daily backups ML2"
+ description = "Backups are taken daily and retained for at least 7 days."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_2_8_1,
+ benchmark.acsc_essential_eight_ml_2_8_2,
+ benchmark.acsc_essential_eight_ml_2_8_3,
+ benchmark.acsc_essential_eight_ml_2_8_5,
+ benchmark.acsc_essential_eight_ml_2_8_6,
+ benchmark.acsc_essential_eight_ml_2_8_7,
+ benchmark.acsc_essential_eight_ml_2_8_8
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_1" {
+ title = "ACSC-EE-ML2-8.1: Regular backups ML2"
+ description = "Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_2" {
+ title = "ACSC-EE-ML2-8.2: Regular backups ML2"
+ description = "Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_3" {
+ title = "ACSC-EE-ML2-8.3: Regular backups ML2"
+ description = "Backups of important data, software and configuration settings are retained in a secure and resilient manner."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_5" {
+ title = "ACSC-EE-ML2-8.5: Regular backups ML2"
+ description = "Unprivileged accounts cannot access backups belonging to other accounts."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_6" {
+ title = "ACSC-EE-ML2-8.6: Regular backups ML2"
+ description = "Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts."
+
+ children = [
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.cloudtrail_bucket_not_public,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.docdb_cluster_snapshot_restrict_public_access,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.efs_access_point_enforce_root_directory,
+ control.efs_access_point_enforce_user_identity,
+ control.emr_account_public_access_blocked,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.lambda_function_restrict_public_access,
+ control.neptune_db_cluster_snapshot_prohibit_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_access_point_restrict_public_access,
+ control.s3_bucket_mfa_delete_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_document_prohibit_public_access
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_7" {
+ title = "ACSC-EE-ML2-8.7: Regular backups ML2"
+ description = "Unprivileged accounts are prevented from modifying and deleting backups."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_1_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_2_8_8" {
+ title = "ACSC-EE-ML2-8.8: Regular backups ML2"
+ description = "Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups."
+
+ children = [
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.cloudtrail_bucket_not_public,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.docdb_cluster_snapshot_restrict_public_access,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.efs_access_point_enforce_root_directory,
+ control.efs_access_point_enforce_user_identity,
+ control.emr_account_public_access_blocked,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.lambda_function_restrict_public_access,
+ control.neptune_db_cluster_snapshot_prohibit_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_access_point_restrict_public_access,
+ control.s3_bucket_mfa_delete_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_document_prohibit_public_access
+ ]
+
+ tags = local.acsc_essential_eight_ml_2_common_tags
+}
diff --git a/acsc_essential_eight/ml_3.sp b/acsc_essential_eight/ml_3.sp
new file mode 100644
index 00000000..e4e18324
--- /dev/null
+++ b/acsc_essential_eight/ml_3.sp
@@ -0,0 +1,1056 @@
+locals {
+ acsc_essential_eight_ml_3_common_tags = merge(local.acsc_essential_eight_common_tags, {
+ maturity_level = "3"
+ })
+}
+
+benchmark "acsc_essential_eight_ml_3" {
+ title = "ACSC Essential Eight Maturity Level 3"
+ description = "The Essential Eight Maturity Model is a prioritised list of strategies to mitigate cyber security incidents. The model consists of 8 essential strategies that organisations can implement to protect their systems from a range of adversaries."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_1,
+ benchmark.acsc_essential_eight_ml_3_2,
+ benchmark.acsc_essential_eight_ml_3_4,
+ benchmark.acsc_essential_eight_ml_3_5,
+ benchmark.acsc_essential_eight_ml_3_6,
+ benchmark.acsc_essential_eight_ml_3_7,
+ benchmark.acsc_essential_eight_ml_3_8
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_1" {
+ title = "ACSC-EE-ML3-1: Application control ML3"
+ description = "Application control is implemented on workstations and servers."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_1_6,
+ benchmark.acsc_essential_eight_ml_3_1_7,
+ benchmark.acsc_essential_eight_ml_3_1_8,
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_1_6" {
+ title = "ACSC-EE-ML3-1.6: Application control ML3"
+ description = "Allowed and blocked execution events on workstations and servers are centrally logged."
+
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.es_domain_audit_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_1_7" {
+ title = "ACSC-EE-ML3-1.7: Application control ML3"
+ description = "Event logs are protected from unauthorised modification and deletion."
+
+ children = [
+ control.cloudtrail_bucket_not_public,
+ control.cloudtrail_security_trail_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.s3_public_access_block_bucket
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_1_8" {
+ title = "ACSC-EE-ML3-1.8: Application control ML3"
+ description = "Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.log_metric_filter_bucket_policy,
+ control.log_metric_filter_cloudtrail_configuration,
+ control.log_metric_filter_config_configuration,
+ control.log_metric_filter_console_authentication_failure,
+ control.log_metric_filter_console_login_mfa,
+ control.log_metric_filter_disable_or_delete_cmk,
+ control.log_metric_filter_iam_policy,
+ control.log_metric_filter_network_acl,
+ control.log_metric_filter_network_gateway,
+ control.log_metric_filter_root_login,
+ control.log_metric_filter_route_table,
+ control.log_metric_filter_security_group,
+ control.log_metric_filter_unauthorized_api,
+ control.log_metric_filter_vpc,
+ control.securityhub_enabled,
+ control.sns_topic_notification_delivery_status_enabled,
+ control.wafv2_rule_group_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_2" {
+ title = "ACSC-EE-ML3-2: Patch applications ML3"
+ description = "All workstations and servers have the latest security-relevant patches applied."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_2_2,
+ benchmark.acsc_essential_eight_ml_3_2_9,
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_2_2" {
+ title = "ACSC-EE-ML3-2.2: Patch applications ML3"
+ description = "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_2_9" {
+ title = "ACSC-EE-ML3-2.9: Patch applications ML3"
+ description = "Applications that are no longer supported by vendors are removed."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_4" {
+ title = "ACSC-EE-ML3-4: User application hardening ML3"
+ description = "Web browsers do not process Java from the internet."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_4_18
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_4_18" {
+ title = "ACSC-EE-ML3-4.18: User application hardening ML3"
+ description = "Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.log_metric_filter_bucket_policy,
+ control.log_metric_filter_cloudtrail_configuration,
+ control.log_metric_filter_config_configuration,
+ control.log_metric_filter_console_authentication_failure,
+ control.log_metric_filter_console_login_mfa,
+ control.log_metric_filter_disable_or_delete_cmk,
+ control.log_metric_filter_iam_policy,
+ control.log_metric_filter_network_acl,
+ control.log_metric_filter_network_gateway,
+ control.log_metric_filter_root_login,
+ control.log_metric_filter_route_table,
+ control.log_metric_filter_security_group,
+ control.log_metric_filter_unauthorized_api,
+ control.log_metric_filter_vpc,
+ control.securityhub_enabled,
+ control.sns_topic_notification_delivery_status_enabled,
+ control.wafv2_rule_group_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5" {
+ title = "ACSC-EE-ML3-5: Restrict administrative privileges ML3"
+ description = "Requests for privileged access to systems and applications are validated when first requested."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_5_2,
+ benchmark.acsc_essential_eight_ml_3_5_3,
+ benchmark.acsc_essential_eight_ml_3_5_4,
+ benchmark.acsc_essential_eight_ml_3_5_5,
+ benchmark.acsc_essential_eight_ml_3_5_6,
+ benchmark.acsc_essential_eight_ml_3_5_7,
+ benchmark.acsc_essential_eight_ml_3_5_8,
+ benchmark.acsc_essential_eight_ml_3_5_9,
+ benchmark.acsc_essential_eight_ml_3_5_11,
+ benchmark.acsc_essential_eight_ml_3_5_12,
+ benchmark.acsc_essential_eight_ml_3_5_14,
+ benchmark.acsc_essential_eight_ml_3_5_15,
+ benchmark.acsc_essential_eight_ml_3_5_16,
+ benchmark.acsc_essential_eight_ml_3_5_17
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_2" {
+ title = "ACSC-EE-ML3-5.2: Restrict administrative privileges ML3"
+ description = "Privileged access is restricted to the minimum number of people required."
+
+ children = [
+ control.account_part_of_organizations,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_managed_policy_attached_to_role,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_policy_unused,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.neptune_db_cluster_iam_authentication_enabled,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled,
+ control.s3_bucket_acls_should_prohibit_user_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_3" {
+ title = "ACSC-EE-ML3-5.3: Restrict administrative privileges ML3"
+ description = "Privileged access to systems and applications is automatically disabled after 45 days of inactivity."
+
+ children = [
+ control.account_part_of_organizations,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_managed_policy_attached_to_role,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_policy_unused,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.neptune_db_cluster_iam_authentication_enabled,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled,
+ control.s3_bucket_acls_should_prohibit_user_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_4" {
+ title = "ACSC-EE-ML3-5.4: Restrict administrative privileges ML3"
+ description = "Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties."
+
+ children = [
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_5" {
+ title = "ACSC-EE-ML3-5.5: Restrict administrative privileges ML3"
+ description = "Privileged accounts are prevented from accessing the internet, email and web services."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_6" {
+ title = "ACSC-EE-ML3-5.6: Restrict administrative privileges ML3"
+ description = "Privileged users use separate privileged and unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_7" {
+ title = "ACSC-EE-ML3-5.7: Restrict administrative privileges ML3"
+ description = "Privileged operating environments are not virtualised within unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_8" {
+ title = "ACSC-EE-ML3-5.8: Restrict administrative privileges ML3"
+ description = "Unprivileged accounts cannot logon to privileged operating environments."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_9" {
+ title = "ACSC-EE-ML3-5.9: Restrict administrative privileges ML3"
+ description = "Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_11" {
+ title = "ACSC-EE-ML3-5.11: Restrict administrative privileges ML3"
+ description = "Administrative activities are conducted through jump servers."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_5_12" {
+ title = "ACSC-EE-ML3-5.12: Restrict administrative privileges ML3"
+ description = "Credentials for local administrator accounts and service accounts are long, unique, unpredictable and managed."
+
+ children = [
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_no_root_user,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.sagemaker_notebook_instance_root_access_disabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_14" {
+ title = "ACSC-EE-ML3-5.14: Restrict administrative privileges ML3"
+ description = "Privileged access events are centrally logged."
+
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.es_domain_audit_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_15" {
+ title = "ACSC-EE-ML3-5.15: Restrict administrative privileges ML3"
+ description = "Privileged account and group management events are centrally logged."
+
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.es_domain_audit_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_16" {
+ title = "ACSC-EE-ML3-5.16: Restrict administrative privileges ML3"
+ description = "Event logs are protected from unauthorised modification and deletion."
+
+ children = [
+ control.cloudtrail_bucket_not_public,
+ control.cloudtrail_security_trail_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.s3_public_access_block_bucket
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_5_17" {
+ title = "ACSC-EE-ML3-5.17: Restrict administrative privileges ML3"
+ description = "Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.log_metric_filter_bucket_policy,
+ control.log_metric_filter_cloudtrail_configuration,
+ control.log_metric_filter_config_configuration,
+ control.log_metric_filter_console_authentication_failure,
+ control.log_metric_filter_console_login_mfa,
+ control.log_metric_filter_disable_or_delete_cmk,
+ control.log_metric_filter_iam_policy,
+ control.log_metric_filter_network_acl,
+ control.log_metric_filter_network_gateway,
+ control.log_metric_filter_root_login,
+ control.log_metric_filter_route_table,
+ control.log_metric_filter_security_group,
+ control.log_metric_filter_unauthorized_api,
+ control.log_metric_filter_vpc,
+ control.securityhub_enabled,
+ control.sns_topic_notification_delivery_status_enabled,
+ control.wafv2_rule_group_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6" {
+ title = "ACSC-EE-ML3-6: Patch operating systems ML3"
+ description = "An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_6_2,
+ benchmark.acsc_essential_eight_ml_3_6_3,
+ benchmark.acsc_essential_eight_ml_3_6_4,
+ benchmark.acsc_essential_eight_ml_3_6_5,
+ benchmark.acsc_essential_eight_ml_3_6_6,
+ benchmark.acsc_essential_eight_ml_3_6_7,
+ benchmark.acsc_essential_eight_ml_3_6_8
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_2" {
+ title = "ACSC-EE-ML3-6.2: Patch operating systems ML3"
+ description = "A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_3" {
+ title = "ACSC-EE-ML3-6.3: Patch operating systems ML3"
+ description = "A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_4" {
+ title = "ACSC-EE-ML3-6.4: Patch operating systems ML3"
+ description = "A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices."
+
+ children = [
+ control.ecr_repository_image_scan_on_push_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_5" {
+ title = "ACSC-EE-ML3-6.5: Patch operating systems ML3"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of Internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_6" {
+ title = "ACSC-EE-ML3-6.6: Patch operating systems ML3"
+ description = "Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_7" {
+ title = "ACSC-EE-ML3-6.7: Patch operating systems ML3"
+ description = "The latest release, or the previous release, of operating systems are used."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_6_8" {
+ title = "ACSC-EE-ML3-6.8: Patch operating systems ML3"
+ description = "Operating systems that are no longer supported by vendors are replaced."
+
+ children = [
+ control.ecs_service_fargate_using_latest_platform_version,
+ control.eks_cluster_with_latest_kubernetes_version,
+ control.elastic_beanstalk_environment_managed_updates_enabled,
+ control.elasticache_cluster_auto_minor_version_upgrade_enabled,
+ control.lambda_function_use_latest_runtime,
+ control.opensearch_domain_updated_with_latest_service_software_version,
+ control.rds_db_instance_automatic_minor_version_upgrade_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7" {
+ title = "ACSC-EE-ML3-7: Restrict administrative privileges ML3"
+ description = "Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_7_1,
+ benchmark.acsc_essential_eight_ml_3_7_2,
+ benchmark.acsc_essential_eight_ml_3_7_3,
+ benchmark.acsc_essential_eight_ml_3_7_4,
+ benchmark.acsc_essential_eight_ml_3_7_5,
+ benchmark.acsc_essential_eight_ml_3_7_6,
+ benchmark.acsc_essential_eight_ml_3_7_7,
+ benchmark.acsc_essential_eight_ml_3_7_8,
+ benchmark.acsc_essential_eight_ml_3_7_9,
+ benchmark.acsc_essential_eight_ml_3_7_10
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_1" {
+ title = "ACSC-EE-ML3-7.1: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is used by an organisation's users if they authenticate to their organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_2" {
+ title = "ACSC-EE-ML3-7.2: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is used by an organisations users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_3" {
+ title = "ACSC-EE-ML3-7.3: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_4" {
+ title = "ACSC-EE-ML3-7.4: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisations internet-facing services."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_5" {
+ title = "ACSC-EE-ML3-7.5: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is used to authenticate privileged users of systems."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_6" {
+ title = "ACSC-EE-ML3-7.6: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is used to authenticate users accessing important data repositories."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_7" {
+ title = "ACSC-EE-ML3-7.7: Multi-factor authentication ML3"
+ description = "Multi-factor authentication is phishing-resistant and uses either: something users have and something users know, or something users have that is unlocked by something users know or are."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
+ control.s3_bucket_mfa_delete_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_8" {
+ title = "ACSC-EE-ML3-7.8: Multi-factor authentication ML3"
+ description = "Successful and unsuccessful multi-factor authentication events are centrally logged."
+
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.es_domain_audit_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_9" {
+ title = "ACSC-EE-ML3-7.9: Multi-factor authentication ML3"
+ description = "Event logs are protected from unauthorised modification and deletion."
+
+ children = [
+ control.cloudtrail_bucket_not_public,
+ control.cloudtrail_security_trail_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.s3_public_access_block_bucket
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_7_10" {
+ title = "ACSC-EE-ML3-7.10: Multi-factor authentication ML3"
+ description = "Event logs are monitored for signs of compromise and actioned when any signs of compromise are detected."
+
+ children = [
+ control.apigateway_rest_api_stage_xray_tracing_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.log_metric_filter_bucket_policy,
+ control.log_metric_filter_cloudtrail_configuration,
+ control.log_metric_filter_config_configuration,
+ control.log_metric_filter_console_authentication_failure,
+ control.log_metric_filter_console_login_mfa,
+ control.log_metric_filter_disable_or_delete_cmk,
+ control.log_metric_filter_iam_policy,
+ control.log_metric_filter_network_acl,
+ control.log_metric_filter_network_gateway,
+ control.log_metric_filter_root_login,
+ control.log_metric_filter_route_table,
+ control.log_metric_filter_security_group,
+ control.log_metric_filter_unauthorized_api,
+ control.log_metric_filter_vpc,
+ control.securityhub_enabled,
+ control.sns_topic_notification_delivery_status_enabled,
+ control.wafv2_rule_group_logging_enabled
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_8" {
+ title = "ACSC-EE-ML3-8: Regular backups ML3"
+ description = "Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements."
+
+ children = [
+ benchmark.acsc_essential_eight_ml_3_8_1,
+ benchmark.acsc_essential_eight_ml_3_8_2,
+ benchmark.acsc_essential_eight_ml_3_8_3,
+ benchmark.acsc_essential_eight_ml_3_8_5,
+ benchmark.acsc_essential_eight_ml_3_8_6,
+ benchmark.acsc_essential_eight_ml_3_8_7,
+ benchmark.acsc_essential_eight_ml_3_8_8,
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_8_1" {
+ title = "ACSC-EE-ML3-8.1: Regular backups ML3"
+ description = "Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_8_2" {
+ title = "ACSC-EE-ML3-8.2: Regular backups ML3"
+ description = "Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_8_3" {
+ title = "ACSC-EE-ML3-8.3: Regular backups ML3"
+ description = "Backups of important data, software and configuration settings are retained in a secure and resilient manner."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_min_retention_35_days,
+ control.docdb_cluster_backup_retention_period_7_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.neptune_db_cluster_automated_backup_enabled,
+ control.rds_db_cluster_aurora_backtracking_enabled,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_8_5" {
+ title = "ACSC-EE-ML3-8.5: Regular backups ML3"
+ description = "Unprivileged accounts cannot access backups belonging to other accounts, nor their own accounts."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_8_6" {
+ title = "ACSC-EE-ML3-8.6: Regular backups ML3"
+ description = "Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts, nor their own accounts."
+
+ children = [
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.cloudtrail_bucket_not_public,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.docdb_cluster_snapshot_restrict_public_access,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.efs_access_point_enforce_root_directory,
+ control.efs_access_point_enforce_user_identity,
+ control.emr_account_public_access_blocked,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.lambda_function_restrict_public_access,
+ control.neptune_db_cluster_snapshot_prohibit_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_access_point_restrict_public_access,
+ control.s3_bucket_mfa_delete_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_document_prohibit_public_access
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
+
+benchmark "acsc_essential_eight_ml_3_8_7" {
+ title = "ACSC-EE-ML3-8.7: Regular backups ML3"
+ description = "Unprivileged accounts are prevented from modifying and deleting backups."
+
+ children = [
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_iam_profile_attached,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_user_in_group,
+ control.opensearch_domain_fine_grained_access_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+
+}
+
+benchmark "acsc_essential_eight_ml_3_8_8" {
+ title = "ACSC-EE-ML3-8.8: Regular backups ML3"
+ description = "Privileged accounts (including backup administrator accounts) are prevented from modifying and deleting backups during their retention period."
+
+ children = [
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.cloudtrail_bucket_not_public,
+ control.codebuild_project_environment_privileged_mode_disabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.docdb_cluster_snapshot_restrict_public_access,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ecs_task_definition_container_non_privileged,
+ control.ecs_task_definition_container_readonly_root_filesystem,
+ control.ecs_task_definition_no_root_user,
+ control.efs_access_point_enforce_root_directory,
+ control.efs_access_point_enforce_user_identity,
+ control.emr_account_public_access_blocked,
+ control.eventbridge_custom_bus_resource_based_policy_attached,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.lambda_function_restrict_public_access,
+ control.neptune_db_cluster_snapshot_prohibit_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_access_point_restrict_public_access,
+ control.s3_bucket_mfa_delete_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.sagemaker_notebook_instance_root_access_disabled,
+ control.ssm_document_prohibit_public_access
+ ]
+
+ tags = local.acsc_essential_eight_ml_3_common_tags
+}
diff --git a/all_controls/elasticbeanstalk.sp b/all_controls/elasticbeanstalk.sp
index 079379fa..13d00058 100644
--- a/all_controls/elasticbeanstalk.sp
+++ b/all_controls/elasticbeanstalk.sp
@@ -9,7 +9,8 @@ benchmark "all_controls_elasticbeanstalk" {
description = "This section contains recommendations for configuring Elastic Beanstalk resources."
children = [
control.elastic_beanstalk_enhanced_health_reporting_enabled,
- control.elastic_beanstalk_environment_logs_to_cloudwatch
+ control.elastic_beanstalk_environment_logs_to_cloudwatch,
+ control.elastic_beanstalk_environment_managed_updates_enabled
]
tags = merge(local.all_controls_elasticbeanstalk_common_tags, {
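Review bot: The new child `control.elastic_beanstalk_environment_managed_updates_enabled` on the added line is the only reference to that control anywhere in the visible hunks; every other hunk in this change only tags existing controls for the ACSC benchmark. If the control definition is not part of this commit, the benchmark will fail to resolve the reference at load time, so confirm the control exists under `conformance_pack/` and that the release notes mention it, or move this addition to the commit that introduces the control. The `all_controls_elasticbeanstalk` benchmark body continues outside the hunk.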
diff --git a/conformance_pack/account.sp b/conformance_pack/account.sp
index d4fc1c93..8e15c98b 100644
--- a/conformance_pack/account.sp
+++ b/conformance_pack/account.sp
@@ -10,10 +10,11 @@ control "account_part_of_organizations" {
query = query.account_part_of_organizations
tags = merge(local.conformance_pack_iam_common_tags, {
- cis_controls_v8_ig1 = "true"
- gxp_21_cfr_part_11 = "true"
- nist_800_53_rev_5 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ cis_controls_v8_ig1 = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_5 = "true"
+ nist_csf = "true"
})
}
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
index 8052cfa7..ee8338cc 100644
--- a/conformance_pack/apigateway.sp
+++ b/conformance_pack/apigateway.sp
@@ -17,7 +17,9 @@ control "gatewayv2_stage_access_logging_enabled" {
description = "This control checks if AWS API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined."
query = query.gatewayv2_stage_access_logging_enabled
- tags = local.conformance_pack_apigateway_common_tags
+ tags = merge(local.conformance_pack_apigateway_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "apigateway_stage_cache_encryption_at_rest_enabled" {
@@ -49,6 +51,7 @@ control "apigateway_stage_logging_enabled" {
query = query.apigateway_stage_logging_enabled
tags = merge(local.conformance_pack_apigateway_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -93,6 +96,7 @@ control "apigateway_rest_api_stage_xray_tracing_enabled" {
query = query.apigateway_rest_api_stage_xray_tracing_enabled
tags = merge(local.conformance_pack_apigateway_common_tags, {
+ acsc_essential_eight = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
nist_csf = "true"
})
diff --git a/conformance_pack/appsync.sp b/conformance_pack/appsync.sp
index 30b63708..42584c06 100644
--- a/conformance_pack/appsync.sp
+++ b/conformance_pack/appsync.sp
@@ -9,7 +9,9 @@ control "appsync_graphql_api_field_level_logging_enabled" {
description = "This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL."
query = query.appsync_graphql_api_field_level_logging_enabled
- tags = local.conformance_pack_appsync_common_tags
+ tags = merge(local.conformance_pack_appsync_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "appsync_graphql_api_field_level_logging_enabled" {
diff --git a/conformance_pack/backup.sp b/conformance_pack/backup.sp
index 8c67e58e..4dc0a202 100644
--- a/conformance_pack/backup.sp
+++ b/conformance_pack/backup.sp
@@ -10,6 +10,7 @@ control "backup_recovery_point_manual_deletion_disabled" {
query = query.backup_recovery_point_manual_deletion_disabled
tags = merge(local.conformance_pack_backup_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
@@ -30,6 +31,7 @@ control "backup_plan_min_retention_35_days" {
query = query.backup_plan_min_retention_35_days
tags = merge(local.conformance_pack_backup_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -71,6 +73,7 @@ control "backup_recovery_point_min_retention_35_days" {
query = query.backup_recovery_point_min_retention_35_days
tags = merge(local.conformance_pack_backup_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
diff --git a/conformance_pack/cloudfront.sp b/conformance_pack/cloudfront.sp
index 9590e400..302423ca 100644
--- a/conformance_pack/cloudfront.sp
+++ b/conformance_pack/cloudfront.sp
@@ -83,6 +83,7 @@ control "cloudfront_distribution_logging_enabled" {
query = query.cloudfront_distribution_logging_enabled
tags = merge(local.conformance_pack_cloudfront_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
index 8a819096..75d65401 100644
--- a/conformance_pack/cloudtrail.sp
+++ b/conformance_pack/cloudtrail.sp
@@ -26,6 +26,7 @@ control "cloudtrail_trail_integrated_with_logs" {
query = query.cloudtrail_trail_integrated_with_logs
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -52,6 +53,7 @@ control "cloudtrail_s3_data_events_enabled" {
query = query.cloudtrail_s3_data_events_enabled
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -79,6 +81,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
query = query.cloudtrail_trail_logs_encrypted_with_kms_cmk
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -104,6 +107,7 @@ control "cloudtrail_multi_region_trail_enabled" {
query = query.cloudtrail_multi_region_trail_enabled
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -130,6 +134,7 @@ control "cloudtrail_trail_validation_enabled" {
query = query.cloudtrail_trail_validation_enabled
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -153,6 +158,7 @@ control "cloudtrail_trail_enabled" {
query = query.cloudtrail_trail_enabled
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -179,14 +185,15 @@ control "cloudtrail_security_trail_enabled" {
query = query.cloudtrail_security_trail_enabled
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
- cis_controls_v8_ig1 = "true"
- gdpr = "true"
- gxp_21_cfr_part_11 = "true"
- gxp_eu_annex_11 = "true"
- nist_800_171_rev_2 = "true"
- nist_800_53_rev_4 = "true"
- nist_csf = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ cis_controls_v8_ig1 = "true"
+ gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
+ nist_800_171_rev_2 = "true"
+ nist_800_53_rev_4 = "true"
+ nist_csf = "true"
+ soc_2 = "true"
})
}
@@ -208,9 +215,10 @@ control "cloudtrail_bucket_not_public" {
query = query.cloudtrail_bucket_not_public
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
index dcb472aa..bdb6c17e 100644
--- a/conformance_pack/cloudwatch.sp
+++ b/conformance_pack/cloudwatch.sp
@@ -18,6 +18,7 @@ control "cloudwatch_alarm_action_enabled" {
query = query.cloudwatch_alarm_action_enabled
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
+ acsc_essential_eight_ml_3 = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
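Review bot: The tag key added for `cloudwatch_alarm_action_enabled` is `acsc_essential_eight_ml_3 = "true"`, whereas every other control tagged in this change (the cloudtrail, backup, dynamodb and the remaining cloudwatch hunks) uses `acsc_essential_eight = "true"`. Any dashboard or filter that selects controls by the `acsc_essential_eight` tag will therefore omit this control even though the new ML3 benchmark lists it as a child. Unless a separate per-maturity-level tag is intended, and no other hunk suggests one, change the line to `acsc_essential_eight = "true"`.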
@@ -106,9 +107,10 @@ control "log_metric_filter_unauthorized_api" {
query = query.log_metric_filter_unauthorized_api
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -118,9 +120,10 @@ control "log_metric_filter_console_login_mfa" {
query = query.log_metric_filter_console_login_mfa
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -130,6 +133,7 @@ control "log_metric_filter_root_login" {
query = query.log_metric_filter_root_login
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
+ acsc_essential_eight = "true"
gdpr = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
@@ -145,10 +149,11 @@ control "log_metric_filter_iam_policy" {
query = query.log_metric_filter_iam_policy
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
})
}
@@ -170,9 +175,10 @@ control "log_metric_filter_route_table" {
query = query.log_metric_filter_route_table
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -182,9 +188,10 @@ control "log_metric_filter_network_gateway" {
query = query.log_metric_filter_network_gateway
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -194,9 +201,10 @@ control "log_metric_filter_network_acl" {
query = query.log_metric_filter_network_acl
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -206,9 +214,10 @@ control "log_metric_filter_security_group" {
query = query.log_metric_filter_security_group
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -218,9 +227,10 @@ control "log_metric_filter_config_configuration" {
query = query.log_metric_filter_config_configuration
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -230,9 +240,10 @@ control "log_metric_filter_bucket_policy" {
query = query.log_metric_filter_bucket_policy
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -242,8 +253,9 @@ control "log_metric_filter_disable_or_delete_cmk" {
query = query.log_metric_filter_disable_or_delete_cmk
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_csf = "true"
})
}
@@ -253,6 +265,7 @@ control "log_metric_filter_console_authentication_failure" {
query = query.log_metric_filter_console_authentication_failure
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
+ acsc_essential_eight = "true"
gdpr = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
@@ -267,9 +280,10 @@ control "log_metric_filter_cloudtrail_configuration" {
query = query.log_metric_filter_cloudtrail_configuration
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
- gdpr = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ gdpr = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
diff --git a/conformance_pack/codebuild.sp b/conformance_pack/codebuild.sp
index 51bac071..e9c354e5 100644
--- a/conformance_pack/codebuild.sp
+++ b/conformance_pack/codebuild.sp
@@ -37,6 +37,7 @@ control "codebuild_project_source_repo_oauth_configured" {
query = query.codebuild_project_source_repo_oauth_configured
tags = merge(local.conformance_pack_codebuild_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -63,8 +64,9 @@ control "codebuild_project_environment_privileged_mode_disabled" {
description = "This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled."
query = query.codebuild_project_environment_privileged_mode_disabled
tags = merge(local.conformance_pack_codebuild_common_tags, {
- nist_csf = "true"
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
})
}
@@ -74,6 +76,7 @@ control "codebuild_project_logging_enabled" {
query = query.codebuild_project_logging_enabled
tags = merge(local.conformance_pack_codebuild_common_tags, {
+ acsc_essential_eight = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
nist_csf = "true"
diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp
index e5120085..dc102f19 100644
--- a/conformance_pack/dms.sp
+++ b/conformance_pack/dms.sp
@@ -10,6 +10,7 @@ control "dms_replication_instance_not_publicly_accessible" {
query = query.dms_replication_instance_not_publicly_accessible
tags = merge(local.conformance_pack_dms_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -38,35 +39,39 @@ control "dms_certificate_not_expired" {
}
control "dms_replication_instance_automatic_minor_version_upgrade_enabled" {
- title = "DMS replication instances should have automatic minor version upgrade enabled"
- description = "This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance."
- query = query.dms_replication_instance_automatic_minor_version_upgrade_enabled
+ title = "DMS replication instances should have automatic minor version upgrade enabled"
+ description = "This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance."
+ query = query.dms_replication_instance_automatic_minor_version_upgrade_enabled
tags = local.conformance_pack_dms_common_tags
}
control "dms_endpoint_ssl_configured" {
- title = "DMS endpoints should use SSL"
- description = "This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL."
- query = query.dms_endpoint_ssl_configured
+ title = "DMS endpoints should use SSL"
+ description = "This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL."
+ query = query.dms_endpoint_ssl_configured
tags = local.conformance_pack_dms_common_tags
}
control "dms_replication_task_target_database_logging_enabled" {
- title = "DMS replication tasks for the target database should have logging enabled"
- description = "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks TARGET_APPLY and TARGET_LOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT."
- query = query.dms_replication_task_target_database_logging_enabled
+ title = "DMS replication tasks for the target database should have logging enabled"
+ description = "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks TARGET_APPLY and TARGET_LOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT."
+ query = query.dms_replication_task_target_database_logging_enabled
- tags = local.conformance_pack_dms_common_tags
+ tags = merge(local.conformance_pack_dms_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "dms_replication_task_source_database_logging_enabled" {
- title = "DMS replication tasks for the source database should have logging enabled"
- description = "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT."
- query = query.dms_replication_task_source_database_logging_enabled
+ title = "DMS replication tasks for the source database should have logging enabled"
+ description = "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT."
+ query = query.dms_replication_task_source_database_logging_enabled
- tags = local.conformance_pack_dms_common_tags
+ tags = merge(local.conformance_pack_dms_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "dms_replication_instance_not_publicly_accessible" {
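Review bot: The hunk re-indents the `title`, `description` and `query` attributes of `dms_replication_instance_automatic_minor_version_upgrade_enabled` and `dms_endpoint_ssl_configured`, which receive no tag change, so alignment-only churn is mixed into a commit whose purpose is tagging controls for the new benchmark. That makes `git blame` on those lines point at this change and hides the two real edits (the `acsc_essential_eight = "true"` tags on the replication-task logging controls) among whitespace noise. The same pattern appears in the docdb.sp hunk for `docdb_cluster_snapshot_restrict_public_access`; consider limiting the hunks to the `tags` blocks or landing the realignment as a separate formatting commit.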
diff --git a/conformance_pack/docdb.sp b/conformance_pack/docdb.sp
index ece94b28..84a9601d 100644
--- a/conformance_pack/docdb.sp
+++ b/conformance_pack/docdb.sp
@@ -17,7 +17,9 @@ control "docdb_cluster_backup_retention_period_7_days" {
description = "This control checks whether an AWS DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days."
query = query.docdb_cluster_backup_retention_period_7_days
- tags = local.conformance_pack_docdb_common_tags
+ tags = merge(local.conformance_pack_docdb_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "docdb_cluster_instance_logging_enabled" {
@@ -45,11 +47,13 @@ control "docdb_cluster_deletion_protection_enabled" {
}
control "docdb_cluster_snapshot_restrict_public_access" {
- title = "Amazon DocumentDB manual cluster snapshots should not be public"
- description = "This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public."
- query = query.docdb_cluster_snapshot_restrict_public_access
+ title = "Amazon DocumentDB manual cluster snapshots should not be public"
+ description = "This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public."
+ query = query.docdb_cluster_snapshot_restrict_public_access
- tags = local.conformance_pack_docdb_common_tags
+ tags = merge(local.conformance_pack_docdb_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "docdb_cluster_instance_logging_enabled" {
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
index 58ecae13..293c8545 100644
--- a/conformance_pack/dynamodb.sp
+++ b/conformance_pack/dynamodb.sp
@@ -31,6 +31,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
query = query.dynamodb_table_point_in_time_recovery_enabled
tags = merge(local.conformance_pack_dynamodb_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -78,6 +79,7 @@ control "dynamodb_table_in_backup_plan" {
query = query.dynamodb_table_in_backup_plan
tags = merge(local.conformance_pack_dynamodb_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
@@ -117,6 +119,7 @@ control "dynamodb_table_protected_by_backup_plan" {
query = query.dynamodb_table_protected_by_backup_plan
tags = merge(local.conformance_pack_dynamodb_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
index 678c3f3f..5fca7dab 100644
--- a/conformance_pack/ebs.sp
+++ b/conformance_pack/ebs.sp
@@ -10,6 +10,7 @@ control "ebs_snapshot_not_publicly_restorable" {
query = query.ebs_snapshot_not_publicly_restorable
tags = merge(local.conformance_pack_ebs_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -74,6 +75,7 @@ control "ebs_volume_in_backup_plan" {
query = query.ebs_volume_in_backup_plan
tags = merge(local.conformance_pack_ebs_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
@@ -110,6 +112,7 @@ control "ebs_volume_protected_by_backup_plan" {
query = query.ebs_volume_protected_by_backup_plan
tags = merge(local.conformance_pack_ebs_common_tags, {
+ acsc_essential_eight = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index fe5f97c8..e36f0d57 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -48,6 +48,7 @@ control "ec2_instance_detailed_monitoring_enabled" {
query = query.ec2_instance_detailed_monitoring_enabled
tags = merge(local.conformance_pack_ec2_common_tags, {
+ acsc_essential_eight = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
@@ -206,6 +207,7 @@ control "ec2_instance_protected_by_backup_plan" {
query = query.ec2_instance_protected_by_backup_plan
tags = merge(local.conformance_pack_ec2_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -228,6 +230,7 @@ control "ec2_instance_iam_profile_attached" {
query = query.ec2_instance_iam_profile_attached
tags = merge(local.conformance_pack_ec2_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
@@ -452,11 +455,13 @@ control "ec2_instance_no_iam_passrole_and_lambda_invoke_function_access" {
}
control "ec2_client_vpn_endpoint_client_connection_logging_enabled" {
- title = "EC2 Client VPN endpoints should have client connection logging enabled"
- description = "This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled."
- query = query.ec2_client_vpn_endpoint_client_connection_logging_enabled
+ title = "EC2 Client VPN endpoints should have client connection logging enabled"
+ description = "This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled."
+ query = query.ec2_client_vpn_endpoint_client_connection_logging_enabled
- tags = local.conformance_pack_ec2_common_tags
+ tags = merge(local.conformance_pack_ec2_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "ec2_ami_ebs_encryption_enabled" {
diff --git a/conformance_pack/ecr.sp b/conformance_pack/ecr.sp
index cfc9b348..7f60a634 100644
--- a/conformance_pack/ecr.sp
+++ b/conformance_pack/ecr.sp
@@ -10,7 +10,8 @@ control "ecr_repository_image_scan_on_push_enabled" {
query = query.ecr_repository_image_scan_on_push_enabled
tags = merge(local.conformance_pack_ecr_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp
index a80f124b..3bed26de 100644
--- a/conformance_pack/ecs.sp
+++ b/conformance_pack/ecs.sp
@@ -76,7 +76,9 @@ control "ecs_task_definition_logging_enabled" {
description = "Ensure logging is enabled for task definitions so that you can access your containerized application logs for debugging and auditing purposes. On top of centralized logging, these log drivers often include additional capabilities that are useful for operation."
query = query.ecs_task_definition_logging_enabled
- tags = local.conformance_pack_ecs_common_tags
+ tags = merge(local.conformance_pack_ecs_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "ecs_cluster_container_insights_enabled" {
@@ -95,7 +97,8 @@ control "ecs_task_definition_container_non_privileged" {
query = query.ecs_task_definition_container_non_privileged
tags = merge(local.conformance_pack_ecs_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
@@ -105,7 +108,8 @@ control "ecs_task_definition_container_readonly_root_filesystem" {
query = query.ecs_task_definition_container_readonly_root_filesystem
tags = merge(local.conformance_pack_ecs_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
@@ -135,7 +139,8 @@ control "ecs_service_fargate_using_latest_platform_version" {
query = query.ecs_service_fargate_using_latest_platform_version
tags = merge(local.conformance_pack_ecs_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
@@ -144,7 +149,9 @@ control "ecs_task_definition_no_root_user" {
description = "This control checks if ECS task definitions have root user. This control fails if the ECS task definitions have root user."
query = query.ecs_task_definition_no_root_user
- tags = local.conformance_pack_ecs_common_tags
+ tags = merge(local.conformance_pack_ecs_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "ecs_cluster_no_active_services_count" {
diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
index 87ee7335..ec0db5f9 100644
--- a/conformance_pack/efs.sp
+++ b/conformance_pack/efs.sp
@@ -33,6 +33,7 @@ control "efs_file_system_in_backup_plan" {
query = query.efs_file_system_in_backup_plan
tags = merge(local.conformance_pack_efs_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
@@ -56,6 +57,7 @@ control "efs_file_system_protected_by_backup_plan" {
query = query.efs_file_system_protected_by_backup_plan
tags = merge(local.conformance_pack_efs_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -94,9 +96,10 @@ control "efs_access_point_enforce_user_identity" {
query = query.efs_access_point_enforce_user_identity
tags = merge(local.conformance_pack_efs_common_tags, {
- nist_csf = "true"
- pci_dss_v321 = "true"
- rbi_itf_nbfc = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
+ rbi_itf_nbfc = "true"
})
}
@@ -106,8 +109,9 @@ control "efs_access_point_enforce_root_directory" {
query = query.efs_access_point_enforce_root_directory
tags = merge(local.conformance_pack_efs_common_tags, {
- nist_csf = "true"
- rbi_itf_nbfc = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ rbi_itf_nbfc = "true"
})
}
diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp
index bedc792e..22536151 100644
--- a/conformance_pack/eks.sp
+++ b/conformance_pack/eks.sp
@@ -36,7 +36,9 @@ control "eks_cluster_control_plane_audit_logging_enabled" {
description = "AWS EKS clusters should have control plane audit logging enabled. These logs make it easy to secure and run clusters."
query = query.eks_cluster_control_plane_audit_logging_enabled
- tags = local.conformance_pack_eks_common_tags
+ tags = merge(local.conformance_pack_eks_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "eks_cluster_no_default_vpc" {
@@ -53,8 +55,9 @@ control "eks_cluster_with_latest_kubernetes_version" {
query = query.eks_cluster_with_latest_kubernetes_version
tags = merge(local.conformance_pack_eks_common_tags, {
- nist_csf = "true"
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
})
}
diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
index e48cd22a..f9316117 100644
--- a/conformance_pack/elasticache.sp
+++ b/conformance_pack/elasticache.sp
@@ -9,7 +9,9 @@ control "elasticache_cluster_auto_minor_version_upgrade_enabled" {
description = "This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied."
query = query.elasticache_cluster_auto_minor_version_upgrade_enabled
- tags = local.conformance_pack_elasticache_common_tags
+ tags = merge(local.conformance_pack_elasticache_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "elasticache_replication_group_auto_failover_enabled" {
@@ -58,6 +60,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
query = query.elasticache_redis_cluster_automatic_backup_retention_15_days
tags = merge(local.conformance_pack_elasticache_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
diff --git a/conformance_pack/elasticbeanstalk.sp b/conformance_pack/elasticbeanstalk.sp
index a398253f..5e73c2f6 100644
--- a/conformance_pack/elasticbeanstalk.sp
+++ b/conformance_pack/elasticbeanstalk.sp
@@ -20,11 +20,23 @@ control "elastic_beanstalk_enhanced_health_reporting_enabled" {
}
control "elastic_beanstalk_environment_logs_to_cloudwatch" {
- title = "Elastic Beanstalk should stream logs to CloudWatch"
- description = "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration."
+ title = "Elastic Beanstalk should stream logs to CloudWatch"
+ description = "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration."
query = query.elastic_beanstalk_environment_logs_to_cloudwatch
- tags = local.conformance_pack_elasticbeanstalk_common_tags
+ tags = merge(local.conformance_pack_elasticbeanstalk_common_tags, {
+ acsc_essential_eight = "true"
+ })
+}
+
+control "elastic_beanstalk_environment_managed_updates_enabled" {
+ title = "Elastic Beanstalk environment should have managed updates enabled"
+ description = "This control checks whether managed platform updates in an AWS Elastic Beanstalk environment is enabled. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configurations."
+ query = query.elastic_beanstalk_environment_managed_updates_enabled
+
+ tags = merge(local.conformance_pack_elasticbeanstalk_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "elastic_beanstalk_enhanced_health_reporting_enabled" {
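Review bot: The description of the new `elastic_beanstalk_environment_managed_updates_enabled` control promises a parameter ("or if a parameter is provided and its value does not match the existing configurations") that neither the control block nor its query accepts, and it switches to "The rule is COMPLIANT/NON_COMPLIANT" wording while the neighbouring controls use "This control checks … The control fails if …". Suggest `description = "This control checks whether managed platform updates are enabled for an AWS Elastic Beanstalk environment. The control fails if ManagedActionsEnabled is not set to true."`. The blank line between `query` and `tags` is also absent in the other controls of this file.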
@@ -78,3 +90,36 @@ query "elastic_beanstalk_environment_logs_to_cloudwatch" {
left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
EOQ
}
+
+query "elastic_beanstalk_environment_managed_updates_enabled" {
+ sql = <<-EOQ
+ with beanstalk_environment_logs_enabled as (
+ select
+ distinct e.arn
+ from
+ aws_elastic_beanstalk_environment as e,
+ jsonb_array_elements(e.configuration_settings) as c,
+ jsonb_array_elements(c -> 'OptionSettings') as s
+ where
+ s ->> 'OptionName' = 'ManagedActionsEnabled'
+ and s ->> 'Value' = 'true'
+ group by
+ arn
+ )
+ select
+ e.arn as resource,
+ case
+ when l.arn is not null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when l.arn is not null then title || ' managed actions Enabled.'
+ else title || ' managed actions disabled.'
+ end as reason
+ ${local.tag_dimensions_sql}
+ ${local.common_dimensions_sql}
+ from
+ aws_elastic_beanstalk_environment as e
+ left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
+ EOQ
+}
\ No newline at end of file
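Review bot: The CTE in the new `elastic_beanstalk_environment_managed_updates_enabled` query keeps the name `beanstalk_environment_logs_enabled` copied from the CloudWatch-logs query above it, although it selects environments whose `ManagedActionsEnabled` option is `'true'`; renaming it (for example `beanstalk_environment_managed_actions_enabled`) in both the `with` clause and the `left join` avoids misreading when the two queries are compared. The `group by arn` is redundant with `select distinct e.arn` and can be dropped. The two reason strings differ in capitalisation (`' managed actions Enabled.'` vs `' managed actions disabled.'`); `' managed actions enabled.'` matches the rest of the file. The match is on option name alone; if the environment's option-settings JSON carries the option's `Namespace`, filtering on it as well would make the check more precise — verify against the table schema. The file also ends without a trailing newline.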
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index 72b38566..f7567ec2 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -26,6 +26,7 @@ control "elb_application_classic_lb_logging_enabled" {
query = query.elb_application_classic_lb_logging_enabled
tags = merge(local.conformance_pack_elb_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -306,7 +307,8 @@ control "elb_classic_lb_desync_mitigation_mode" {
query = query.elb_classic_lb_desync_mitigation_mode
tags = merge(local.conformance_pack_elb_common_tags, {
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ pci_dss_v321 = "true"
})
}
diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp
index 42b0b745..ec9383e7 100644
--- a/conformance_pack/emr.sp
+++ b/conformance_pack/emr.sp
@@ -9,7 +9,9 @@ control "emr_account_public_access_blocked" {
description = "The block public access feature prevents a cluster in a public subnet from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception - port 22 is an exception by default. This feature is enabled by default for each AWS Region in your AWS account and is not recommended to be turned off."
query = query.emr_account_public_access_blocked
- tags = local.conformance_pack_emr_common_tags
+ tags = merge(local.conformance_pack_emr_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "emr_cluster_kerberos_enabled" {
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
index dc3356e4..1a616627 100644
--- a/conformance_pack/es.sp
+++ b/conformance_pack/es.sp
@@ -17,7 +17,9 @@ control "es_domain_audit_logging_enabled" {
description = "This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled."
query = query.es_domain_audit_logging_enabled
- tags = local.conformance_pack_es_common_tags
+ tags = merge(local.conformance_pack_es_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "es_domain_data_nodes_min_3" {
@@ -123,6 +125,7 @@ control "es_domain_logs_to_cloudwatch" {
query = query.es_domain_logs_to_cloudwatch
tags = merge(local.conformance_pack_es_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
diff --git a/conformance_pack/eventbridge.sp b/conformance_pack/eventbridge.sp
index 8ec6503c..9dda8f90 100644
--- a/conformance_pack/eventbridge.sp
+++ b/conformance_pack/eventbridge.sp
@@ -9,7 +9,9 @@ control "eventbridge_custom_bus_resource_based_policy_attached" {
description = "This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.."
query = query.eventbridge_custom_bus_resource_based_policy_attached
- tags = local.conformance_pack_eventbridge_common_tags
+ tags = merge(local.conformance_pack_eventbridge_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "eventbridge_custom_bus_resource_based_policy_attached" {
diff --git a/conformance_pack/fsx.sp b/conformance_pack/fsx.sp
index bc81492d..4dd91e73 100644
--- a/conformance_pack/fsx.sp
+++ b/conformance_pack/fsx.sp
@@ -10,6 +10,7 @@ control "fsx_file_system_protected_by_backup_plan" {
query = query.fsx_file_system_protected_by_backup_plan
tags = merge(local.conformance_pack_fsx_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -26,9 +27,9 @@ control "fsx_file_system_protected_by_backup_plan" {
}
control "fsx_file_system_copy_tags_to_backup_and_volume_enabled" {
- title = "FSx for OpenZFS file systems should be configured to copy tags to backups and volumes"
- description = "This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes."
- query = query.fsx_file_system_copy_tags_to_backup_and_volume_enabled
+ title = "FSx for OpenZFS file systems should be configured to copy tags to backups and volumes"
+ description = "This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes."
+ query = query.fsx_file_system_copy_tags_to_backup_and_volume_enabled
tags = local.conformance_pack_fsx_common_tags
}
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index d938cb63..a42afd76 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -142,6 +142,7 @@ control "iam_policy_no_star_star" {
query = query.iam_policy_no_star_star
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -168,6 +169,7 @@ control "iam_root_user_no_access_keys" {
query = query.iam_root_user_no_access_keys
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -194,6 +196,7 @@ control "iam_root_user_hardware_mfa_enabled" {
query = query.iam_root_user_hardware_mfa_enabled
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -219,6 +222,7 @@ control "iam_root_user_mfa_enabled" {
query = query.iam_root_user_mfa_enabled
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -266,6 +270,7 @@ control "iam_user_console_access_mfa_enabled" {
query = query.iam_user_console_access_mfa_enabled
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -292,6 +297,7 @@ control "iam_user_mfa_enabled" {
query = query.iam_user_mfa_enabled
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -317,6 +323,7 @@ control "iam_user_no_inline_attached_policies" {
query = query.iam_user_no_inline_attached_policies
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -368,6 +375,7 @@ control "iam_user_in_group" {
query = query.iam_user_in_group
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -390,6 +398,7 @@ control "iam_group_user_role_no_inline_policies" {
query = query.iam_group_user_role_no_inline_policies
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -496,6 +505,7 @@ control "iam_all_policy_no_service_wild_card" {
query = query.iam_all_policy_no_service_wild_card
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -517,6 +527,7 @@ control "iam_policy_custom_no_blocked_kms_actions" {
query = query.iam_policy_custom_no_blocked_kms_actions
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
@@ -535,6 +546,7 @@ control "iam_policy_inline_no_blocked_kms_actions" {
query = query.iam_policy_inline_no_blocked_kms_actions
tags = merge(local.conformance_pack_iam_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
gxp_21_cfr_part_11 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
@@ -575,10 +587,11 @@ control "iam_managed_policy_attached_to_role" {
query = query.iam_managed_policy_attached_to_role
tags = merge(local.conformance_pack_iam_common_tags, {
- cis_controls_v8_ig1 = "true"
- gxp_21_cfr_part_11 = "true"
- nist_csf = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ cis_controls_v8_ig1 = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_csf = "true"
+ soc_2 = "true"
})
}
@@ -588,10 +601,11 @@ control "iam_policy_unused" {
query = query.iam_policy_unused
tags = merge(local.conformance_pack_iam_common_tags, {
- cis_controls_v8_ig1 = "true"
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ cis_controls_v8_ig1 = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
+ soc_2 = "true"
})
}
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index 6716a461..1bc608c5 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -74,6 +74,7 @@ control "lambda_function_restrict_public_access" {
query = query.lambda_function_restrict_public_access
tags = merge(local.conformance_pack_lambda_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -144,7 +145,8 @@ control "lambda_function_use_latest_runtime" {
query = query.lambda_function_use_latest_runtime
tags = merge(local.conformance_pack_lambda_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
diff --git a/conformance_pack/neptune.sp b/conformance_pack/neptune.sp
index 91f38cf3..482e8b18 100644
--- a/conformance_pack/neptune.sp
+++ b/conformance_pack/neptune.sp
@@ -17,7 +17,9 @@ control "neptune_db_cluster_audit_logging_enabled" {
description = "This control checks whether a Neptune DB cluster publishes audit logs to AWS CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit."
query = query.neptune_db_cluster_audit_logging_enabled
- tags = local.conformance_pack_neptune_common_tags
+ tags = merge(local.conformance_pack_neptune_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "neptune_db_cluster_snapshot_prohibit_public_access" {
@@ -25,7 +27,9 @@ control "neptune_db_cluster_snapshot_prohibit_public_access" {
description = "This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public."
query = query.neptune_db_cluster_snapshot_prohibit_public_access
- tags = local.conformance_pack_neptune_common_tags
+ tags = merge(local.conformance_pack_neptune_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "neptune_db_cluster_deletion_protection_enabled" {
@@ -41,7 +45,9 @@ control "neptune_db_cluster_automated_backup_enabled" {
description = "This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to 7 days. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than 7 days."
query = query.neptune_db_cluster_automated_backup_enabled
- tags = local.conformance_pack_neptune_common_tags
+ tags = merge(local.conformance_pack_neptune_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "neptune_db_cluster_snapshot_encryption_at_rest_enabled" {
@@ -57,7 +63,9 @@ control "neptune_db_cluster_iam_authentication_enabled" {
description = "This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster."
query = query.neptune_db_cluster_iam_authentication_enabled
- tags = local.conformance_pack_neptune_common_tags
+ tags = merge(local.conformance_pack_neptune_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "neptune_db_cluster_copy_tags_to_snapshot_enabled" {
diff --git a/conformance_pack/networkfirewall.sp b/conformance_pack/networkfirewall.sp
index d2b0e95b..a217295e 100644
--- a/conformance_pack/networkfirewall.sp
+++ b/conformance_pack/networkfirewall.sp
@@ -65,7 +65,9 @@ control "networkfirewall_firewall_logging_enabled" {
description = "This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist."
query = query.networkfirewall_firewall_logging_enabled
- tags = local.conformance_pack_networkfirewall_common_tags
+ tags = merge(local.conformance_pack_networkfirewall_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "networkfirewall_stateless_rule_group_not_empty" {
diff --git a/conformance_pack/opensearch.sp b/conformance_pack/opensearch.sp
index 165ac29d..af015ea7 100644
--- a/conformance_pack/opensearch.sp
+++ b/conformance_pack/opensearch.sp
@@ -34,8 +34,9 @@ control "opensearch_domain_fine_grained_access_enabled" {
query = query.opensearch_domain_fine_grained_access_enabled
tags = merge(local.conformance_pack_opensearch_common_tags, {
- nist_csf = "true"
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
})
}
@@ -61,10 +62,11 @@ control "opensearch_domain_audit_logging_enabled" {
query = query.opensearch_domain_audit_logging_enabled
tags = merge(local.conformance_pack_opensearch_common_tags, {
- gxp_21_cfr_part_11 = "true"
- nist_csf = "true"
- pci_dss_v321 = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
+ soc_2 = "true"
})
}
@@ -74,11 +76,12 @@ control "opensearch_domain_logs_to_cloudwatch" {
query = query.opensearch_domain_logs_to_cloudwatch
tags = merge(local.conformance_pack_opensearch_common_tags, {
- gxp_21_cfr_part_11 = "true"
- nist_csf = "true"
- pci_dss_v321 = "true"
- rbi_itf_nbfc = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
+ rbi_itf_nbfc = "true"
+ soc_2 = "true"
})
}
@@ -132,7 +135,9 @@ control "opensearch_domain_updated_with_latest_service_software_version" {
description = "This control checks whether AWS OpenSearch domain has any updates available. This control is non-compliant if the OpenSearch domain has any updates available."
query = query.opensearch_domain_updated_with_latest_service_software_version
- tags = local.conformance_pack_opensearch_common_tags
+ tags = merge(local.conformance_pack_opensearch_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "opensearch_domain_encryption_at_rest_enabled" {
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index e185126b..4b232f67 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -33,7 +33,9 @@ control "rds_db_cluster_events_subscription" {
description = "This control checks whether an AWS RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs."
query = query.rds_db_cluster_events_subscription
- tags = local.conformance_pack_rds_common_tags
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "rds_db_instance_events_subscription" {
@@ -41,7 +43,9 @@ control "rds_db_instance_events_subscription" {
description = "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs."
query = query.rds_db_instance_events_subscription
- tags = local.conformance_pack_rds_common_tags
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "rds_db_parameter_group_events_subscription" {
@@ -49,7 +53,9 @@ control "rds_db_parameter_group_events_subscription" {
description = "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs."
query = query.rds_db_parameter_group_events_subscription
- tags = local.conformance_pack_rds_common_tags
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "rds_db_security_group_events_subscription" {
@@ -57,7 +63,9 @@ control "rds_db_security_group_events_subscription" {
description = "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs."
query = query.rds_db_security_group_events_subscription
- tags = local.conformance_pack_rds_common_tags
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "rds_db_instance_and_cluster_no_default_port" {
@@ -82,6 +90,7 @@ control "rds_db_instance_backup_enabled" {
query = query.rds_db_instance_backup_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -155,6 +164,7 @@ control "rds_db_instance_prohibit_public_access" {
query = query.rds_db_instance_prohibit_public_access
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -204,6 +214,7 @@ control "rds_db_snapshot_prohibit_public_access" {
query = query.rds_db_snapshot_prohibit_public_access
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -230,6 +241,7 @@ control "rds_db_instance_logging_enabled" {
query = query.rds_db_instance_logging_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -256,6 +268,7 @@ control "rds_db_instance_in_backup_plan" {
query = query.rds_db_instance_in_backup_plan
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
@@ -321,6 +334,7 @@ control "rds_db_instance_iam_authentication_enabled" {
query = query.rds_db_instance_iam_authentication_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
@@ -336,8 +350,9 @@ control "rds_db_cluster_iam_authentication_enabled" {
query = query.rds_db_cluster_iam_authentication_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
- nist_800_171_rev_2 = "true"
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
})
}
@@ -347,6 +362,7 @@ control "rds_db_cluster_aurora_protected_by_backup_plan" {
query = query.rds_db_cluster_aurora_protected_by_backup_plan
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
@@ -369,6 +385,7 @@ control "rds_db_instance_protected_by_backup_plan" {
query = query.rds_db_instance_protected_by_backup_plan
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
@@ -390,6 +407,7 @@ control "rds_db_instance_automatic_minor_version_upgrade_enabled" {
query = query.rds_db_instance_automatic_minor_version_upgrade_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
+ acsc_essential_eight = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
nist_csf = "true"
@@ -454,7 +472,8 @@ control "rds_db_cluster_aurora_backtracking_enabled" {
query = query.rds_db_cluster_aurora_backtracking_enabled
tags = merge(local.conformance_pack_rds_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
@@ -529,7 +548,9 @@ control "rds_db_cluster_aurora_mysql_audit_logging_enabled" {
description = "This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs."
query = query.rds_db_cluster_aurora_mysql_audit_logging_enabled
- tags = local.foundational_security_rds_common_tags
+ tags = merge(local.foundational_security_rds_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
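Review bot: The new `tags` block for `rds_db_cluster_aurora_mysql_audit_logging_enabled` merges the benchmark flag into `local.foundational_security_rds_common_tags`, while every other RDS control that receives `acsc_essential_eight = "true"` in this patch merges into `local.conformance_pack_rds_common_tags`. If the two locals differ in any tag (the names suggest they carry different `type`/`category` values, though that is not visible here), this control will surface in the ACSC benchmark tagged differently from its siblings. Worth confirming whether the intent was `tags = merge(local.conformance_pack_rds_common_tags, { acsc_essential_eight = "true" })`, or, if the foundational-security tags are deliberate, adding a one-line comment above the block saying so. The enclosing control block starts outside the hunk.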
query "rds_db_instance_backup_enabled" {
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index 28d1bd65..3bf8d614 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -43,6 +43,7 @@ control "redshift_cluster_encryption_logging_enabled" {
query = query.redshift_cluster_encryption_logging_enabled
tags = merge(local.conformance_pack_redshift_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -70,6 +71,7 @@ control "redshift_cluster_prohibit_public_access" {
query = query.redshift_cluster_prohibit_public_access
tags = merge(local.conformance_pack_redshift_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -95,6 +97,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
query = query.redshift_cluster_automatic_snapshots_min_7_days
tags = merge(local.conformance_pack_redshift_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -140,6 +143,7 @@ control "redshift_cluster_maintenance_settings_check" {
query = query.redshift_cluster_maintenance_settings_check
tags = merge(local.conformance_pack_redshift_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
ffiec = "true"
@@ -184,11 +188,12 @@ control "redshift_cluster_audit_logging_enabled" {
query = query.redshift_cluster_audit_logging_enabled
tags = merge(local.conformance_pack_redshift_common_tags, {
- gxp_21_cfr_part_11 = "true"
- nist_csf = "true"
- pci_dss_v321 = "true"
- rbi_itf_nbfc = "true"
- soc_2 = "true"
+ acsc_essential_eight = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
+ rbi_itf_nbfc = "true"
+ soc_2 = "true"
})
}
diff --git a/conformance_pack/route53.sp b/conformance_pack/route53.sp
index 6f1184ce..149fd266 100644
--- a/conformance_pack/route53.sp
+++ b/conformance_pack/route53.sp
@@ -17,7 +17,9 @@ control "route53_zone_query_logging_enabled" {
description = "Ensure Route 53 zones have query logging enabled."
query = query.route53_zone_query_logging_enabled
- tags = local.conformance_pack_route53_common_tags
+ tags = merge(local.conformance_pack_route53_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "route53_domain_expires_30_days" {
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index 2752ac02..752e0e59 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -17,7 +17,9 @@ control "s3_bucket_mfa_delete_enabled" {
description = "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication."
query = query.s3_bucket_mfa_delete_enabled
- tags = local.conformance_pack_s3_common_tags
+ tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
control "s3_bucket_cross_region_replication_enabled" {
@@ -102,6 +104,7 @@ control "s3_bucket_logging_enabled" {
query = query.s3_bucket_logging_enabled
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -146,6 +149,7 @@ control "s3_bucket_restrict_public_read_access" {
query = query.s3_bucket_restrict_public_read_access
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -172,6 +176,7 @@ control "s3_bucket_restrict_public_write_access" {
query = query.s3_bucket_restrict_public_write_access
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
@@ -232,6 +237,7 @@ control "s3_public_access_block_account" {
query = query.s3_public_access_block_account
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -292,6 +298,7 @@ control "s3_public_access_block_bucket" {
query = query.s3_public_access_block_bucket
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -310,7 +317,8 @@ control "s3_bucket_policy_restricts_cross_account_permission_changes" {
query = query.s3_bucket_policy_restricts_cross_account_permission_changes
tags = merge(local.conformance_pack_s3_common_tags, {
- nist_csf = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
})
}
@@ -328,6 +336,7 @@ control "s3_bucket_policy_restrict_public_access" {
query = query.s3_bucket_policy_restrict_public_access
tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
gxp_21_cfr_part_11 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
@@ -383,8 +392,9 @@ control "s3_bucket_acls_should_prohibit_user_access" {
query = query.s3_bucket_acls_should_prohibit_user_access
tags = merge(local.conformance_pack_s3_common_tags, {
- nist_csf = "true"
- rbi_itf_nbfc = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ rbi_itf_nbfc = "true"
})
}
@@ -401,7 +411,9 @@ control "s3_access_point_restrict_public_access" {
description = "This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point."
query = query.s3_access_point_restrict_public_access
- tags = local.conformance_pack_s3_common_tags
+ tags = merge(local.conformance_pack_s3_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "s3_bucket_cross_region_replication_enabled" {
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index b0093a99..901f0c63 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -18,6 +18,7 @@ control "sagemaker_notebook_instance_direct_internet_access_disabled" {
query = query.sagemaker_notebook_instance_direct_internet_access_disabled
tags = merge(local.conformance_pack_sagemaker_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -114,7 +115,9 @@ control "sagemaker_notebook_instance_root_access_disabled" {
description = "Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files."
query = query.sagemaker_notebook_instance_root_access_disabled
- tags = local.conformance_pack_sagemaker_common_tags
+ tags = merge(local.conformance_pack_sagemaker_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
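Review bot: The description line kept as context in this hunk carries a typo, `recommeneded`, which will be shown to users in the dashboard for `sagemaker_notebook_instance_root_access_disabled`; since this control's block is already being touched, `It is recommended to disable root access` would fix it at no cost. The same kind of slip appears in the sfn.sp hunk for `sfn_state_machine_logging_enabled`, whose description opens with `This controls checks` rather than `This control checks`. Both control blocks start outside their hunks.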
control "sagemaker_training_job_in_vpc" {
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index c545d3ec..50c6adac 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -10,6 +10,7 @@ control "securityhub_enabled" {
query = query.securityhub_enabled
tags = merge(local.conformance_pack_securityhub_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
diff --git a/conformance_pack/sfn.sp b/conformance_pack/sfn.sp
index d54fbe0f..1d36a197 100644
--- a/conformance_pack/sfn.sp
+++ b/conformance_pack/sfn.sp
@@ -9,7 +9,9 @@ control "sfn_state_machine_logging_enabled" {
description = "This controls checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on."
query = query.sfn_state_machine_logging_enabled
- tags = local.conformance_pack_sfn_common_tags
+ tags = merge(local.conformance_pack_sfn_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
query "sfn_state_machine_logging_enabled" {
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index e233fc7c..b57df7d2 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -41,8 +41,9 @@ control "sns_topic_notification_delivery_status_enabled" {
query = query.sns_topic_notification_delivery_status_enabled
tags = merge(local.conformance_pack_sns_common_tags, {
- nist_csf = "true"
- pci_dss_v321 = "true"
+ acsc_essential_eight = "true"
+ nist_csf = "true"
+ pci_dss_v321 = "true"
})
}
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index e555da00..7262fda3 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -35,6 +35,7 @@ control "ssm_managed_instance_compliance_association_compliant" {
query = query.ssm_managed_instance_compliance_association_compliant
tags = merge(local.conformance_pack_ssm_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -60,6 +61,7 @@ control "ssm_managed_instance_compliance_patch_compliant" {
query = query.ssm_managed_instance_compliance_patch_compliant
tags = merge(local.conformance_pack_ssm_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -85,6 +87,7 @@ control "ssm_document_prohibit_public_access" {
query = query.ssm_document_prohibit_public_access
tags = merge(local.conformance_pack_ssm_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
gxp_21_cfr_part_11 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index f79f2fe8..292e0742 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -10,6 +10,7 @@ control "vpc_flow_logs_enabled" {
query = query.vpc_flow_logs_enabled
tags = merge(local.conformance_pack_vpc_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -154,6 +155,7 @@ control "vpc_security_group_restrict_ingress_ssh_all" {
query = query.vpc_security_group_restrict_ingress_ssh_all
tags = merge(local.conformance_pack_vpc_common_tags, {
+ acsc_essential_eight = "true"
audit_manager_control_tower = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
diff --git a/conformance_pack/waf.sp b/conformance_pack/waf.sp
index e825f05d..bd7c1edc 100644
--- a/conformance_pack/waf.sp
+++ b/conformance_pack/waf.sp
@@ -43,6 +43,7 @@ control "waf_web_acl_logging_enabled" {
query = query.waf_web_acl_logging_enabled
tags = merge(local.conformance_pack_waf_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index 986d2a32..211d3549 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -10,6 +10,7 @@ control "wafv2_web_acl_logging_enabled" {
query = query.wafv2_web_acl_logging_enabled
tags = merge(local.conformance_pack_wafv2_common_tags, {
+ acsc_essential_eight = "true"
cis_controls_v8_ig1 = "true"
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
@@ -39,11 +40,13 @@ control "wafv2_web_acl_rule_attached" {
}
control "wafv2_rule_group_logging_enabled" {
- title = "AWS WAF rules should have CloudWatch metrics enabled"
- description = "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled."
- query = query.wafv2_rule_group_logging_enabled
+ title = "AWS WAF rules should have CloudWatch metrics enabled"
+ description = "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled."
+ query = query.wafv2_rule_group_logging_enabled
- tags = local.conformance_pack_waf_common_tags
+ tags = merge(local.conformance_pack_wafv2_common_tags, {
+ acsc_essential_eight = "true"
+ })
}
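Review bot: The substantive fix in `wafv2_rule_group_logging_enabled` is the switch from `local.conformance_pack_waf_common_tags` to `local.conformance_pack_wafv2_common_tags`, which presumably changes the service tagging of this control, yet it is hidden among the benchmark tag addition and a whitespace-only realignment of the `title`, `description` and `query` lines. A correction like that is easier to audit (and to mention in the release notes, if the changelog entry only lists the new benchmark) as its own commit, with the realignment left out. Separately, the control name says `logging_enabled` while its title and description check for CloudWatch metrics; a short comment above the block, `# Name kept for backward compatibility; the check verifies CloudWatch metrics, not logging`, would save the next reader from assuming a mismatch.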
query "wafv2_web_acl_logging_enabled" {
diff --git a/docs/index.md b/docs/index.md
index 9658fabf..6be7f26b 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod
-Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CIS AWS Compute Services`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA Final Omnibus Security Rule 2013`, `HIPAA Security Rule 2003`, `NIST 800-53`, `NIST CSF`, `NIST 800-172`, `PCI DSS`, `RBI Cyber Security Framework`, `SOC 2`, and more across all your AWS accounts.
+Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CIS AWS Compute Services`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA Final Omnibus Security Rule 2013`, `HIPAA Security Rule 2003`, `NIST 800-53`, `NIST CSF`, `NIST 800-172`, `PCI DSS`, `RBI Cyber Security Framework`, `SOC 2`, `Australian Cyber Security Center (ACSC) Essential Eight` and more across all your AWS accounts.