Add AWS GDPR compliance framework. Closes #266 #267
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
conformance_pack/config.sp
Outdated
| description = "This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources." | ||
| sql = query.config_enabled_all_regions.sql | ||
|
|
||
| tags = merge(local.conformance_pack_codebuild_common_tags, { |
There was a problem hiding this comment.
Suggested change
| tags = merge(local.conformance_pack_codebuild_common_tags, { | |
| tags = merge(local. conformance_pack_config_common_tags, { |
|
|
||
| control "cloudtrail_bucket_not_public" { | ||
| title = "Ensure the S3 bucket CloudTrail logs to is not publicly accessible" | ||
| description = "CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy,or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.." |
There was a problem hiding this comment.
Suggested change
| description = "CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy,or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.." | |
| description = "CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy,or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs." |
cbruno10
requested changes
Sep 21, 2021
gdpr/gdpr.sp
Outdated
| } | ||
|
|
||
| benchmark "gdpr" { | ||
| title = "AWS General Data Protection Regulation (GDPR)" |
There was a problem hiding this comment.
I don't think we need the word "AWS" in here since we're already in the AWS Compliance mod.
Suggested change
| title = "AWS General Data Protection Regulation (GDPR)" | |
| title = "General Data Protection Regulation (GDPR)" |
In the UI, ideally it'd be great if GDPR is visible on the sidebar too, right now it's cut off, but can you please check if it's visible entirely on the sidebar once we remove "AWS"?
| @@ -0,0 +1,40 @@ | |||
| benchmark "article_32_security_of_processing" { | |||
There was a problem hiding this comment.
Suggested change
| benchmark "article_32_security_of_processing" { | |
| benchmark "article_32" { |
Do we need the full article name in here too? I think we can shorten to just the number instead
| @@ -0,0 +1,40 @@ | |||
| benchmark "article_32_security_of_processing" { | |||
| title = "Article 32 Security of processing" | |||
| documentation = file("./gdpr/docs/article_32_security_of_processing.md") | |||
There was a problem hiding this comment.
Suggested change
| documentation = file("./gdpr/docs/article_32_security_of_processing.md") | |
| documentation = file("./gdpr/docs/article_32.md") |
| control.wafv2_web_acl_logging_enabled | ||
| ] | ||
|
|
||
| tags = local.gdpr_common_tags |
There was a problem hiding this comment.
Can we add a tag here, maybe gdpr_article = 32?
| @@ -0,0 +1,18 @@ | |||
| benchmark "article_30_records_of_processing_activities" { | |||
There was a problem hiding this comment.
Suggested change
| benchmark "article_30_records_of_processing_activities" { | |
| benchmark "article_30" { |
docs/index.md
Outdated
| @@ -4,7 +4,7 @@ repository: "https://github.com/turbot/steampipe-mod-aws-compliance" | |||
|
|
|||
| # AWS Compliance Mod | |||
|
|
|||
| Run individual configuration, compliance and security controls or full compliance benchmarks for `AWS Foundational Security Best Practices`, `CIS`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, and `RBI Cyber Security Framework` across all your AWS accounts. | |||
| Run individual configuration, compliance and security controls or full compliance benchmarks for `AWS Foundational Security Best Practices`, `CIS`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `GDPR` across all your AWS accounts. | |||
There was a problem hiding this comment.
Suggested change
| Run individual configuration, compliance and security controls or full compliance benchmarks for `AWS Foundational Security Best Practices`, `CIS`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `GDPR` across all your AWS accounts. | |
| Run individual configuration, compliance and security controls or full compliance benchmarks for `AWS Foundational Security Best Practices`, `CIS`, `GDPR`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` across all your AWS accounts. |
conformance_pack/vpc.sp
Outdated
| nist_800_53_rev_4 = "true" | ||
| nist_csf = "true" | ||
| rbi_cyber_security = "true" | ||
| cis_foundational_item_id = "2.9" |
There was a problem hiding this comment.
Why is this tag being added here? I'd only expect to see gdpr being added in this PR
conformance_pack/kms.sp
Outdated
| @@ -23,7 +23,9 @@ control "kms_cmk_rotation_enabled" { | |||
| sql = query.kms_cmk_rotation_enabled.sql | |||
|
|
|||
| tags = merge(local.conformance_pack_kms_common_tags, { | |||
| nist_800_53_rev_4 = "true" | |||
| rbi_cyber_security = "true" | |||
| cis_foundational_item_id = "2.8" | |||
There was a problem hiding this comment.
why are we adding this tag in this PR?
conformance_pack/iam.sp
Outdated
| }) | ||
| } | ||
|
|
There was a problem hiding this comment.
Cleanup trailing newlines
README.md
Outdated
| * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321) | ||
| * [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security) | ||
| * [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security) 🚀 New! | ||
| * [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security) | ||
| * [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr) |
There was a problem hiding this comment.
We should add the "New!" text at the end here
Also, I think we should move this one up to just below HIPAA (I'd consider it more important than those below that mark)
cbruno10
approved these changes
Sep 22, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist