Add/Update AWS Audit Manager > NIST_800_171_REV_2 controls. Closes #625…

… (#636) Co-authored-by: Madhushree Ray <[email protected]>
turbot · Jun 1, 2023 · 13801f7 · 13801f7
1 parent 58f2306
commit 13801f7
Show file tree

Hide file tree

Showing 32 changed files with 409 additions and 111 deletions.
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
@@ -91,6 +91,7 @@ control "apigateway_stage_use_waf_web_acl" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
     pci_dss_v321           = "true"

diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp
@@ -48,6 +48,7 @@ control "autoscaling_launch_config_public_ip_disabled" {
     ffiec                                  = "true"
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"

diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
@@ -176,8 +176,9 @@ control "cloudtrail_s3_logging_enabled" {
   query       = query.cloudtrail_s3_logging_enabled
 
   tags = merge(local.conformance_pack_cloudtrail_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -187,8 +188,9 @@ control "cloudtrail_bucket_not_public" {
   query       = query.cloudtrail_bucket_not_public
 
   tags = merge(local.conformance_pack_cloudtrail_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -198,7 +200,8 @@ control "cloudtrail_multi_region_read_write_enabled" {
   query       = query.cloudtrail_multi_region_read_write_enabled
 
   tags = merge(local.conformance_pack_cloudtrail_common_tags, {
-    nist_csf = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 

diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
@@ -99,8 +99,9 @@ control "log_metric_filter_unauthorized_api" {
   query       = query.log_metric_filter_unauthorized_api
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -110,8 +111,9 @@ control "log_metric_filter_console_login_mfa" {
   query       = query.log_metric_filter_console_login_mfa
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -124,6 +126,7 @@ control "log_metric_filter_root_login" {
     gdpr                                   = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
   })
@@ -135,9 +138,10 @@ control "log_metric_filter_iam_policy" {
   query       = query.log_metric_filter_iam_policy
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr         = "true"
-    nist_csf     = "true"
-    pci_dss_v321 = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
+    pci_dss_v321       = "true"
   })
 }
 
@@ -147,8 +151,9 @@ control "log_metric_filter_vpc" {
   query       = query.log_metric_filter_vpc
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -158,8 +163,9 @@ control "log_metric_filter_route_table" {
   query       = query.log_metric_filter_route_table
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -169,8 +175,9 @@ control "log_metric_filter_network_gateway" {
   query       = query.log_metric_filter_network_gateway
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -180,8 +187,9 @@ control "log_metric_filter_network_acl" {
   query       = query.log_metric_filter_network_acl
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -191,8 +199,9 @@ control "log_metric_filter_security_group" {
   query       = query.log_metric_filter_security_group
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -202,8 +211,9 @@ control "log_metric_filter_config_configuration" {
   query       = query.log_metric_filter_config_configuration
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -213,8 +223,9 @@ control "log_metric_filter_bucket_policy" {
   query       = query.log_metric_filter_bucket_policy
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 
@@ -238,6 +249,7 @@ control "log_metric_filter_console_authentication_failure" {
     gdpr                                   = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_csf                               = "true"
   })
 }
@@ -248,8 +260,9 @@ control "log_metric_filter_cloudtrail_configuration" {
   query       = query.log_metric_filter_cloudtrail_configuration
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr               = "true"
+    nist_800_171_rev_2 = "true"
+    nist_csf           = "true"
   })
 }
 

diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp
@@ -14,6 +14,7 @@ control "config_enabled_all_regions" {
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
     soc_2                                  = "true"

diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
@@ -103,7 +103,6 @@ control "dynamodb_table_encryption_enabled" {
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
-    nist_800_171_rev_2                     = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
   })

diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
@@ -37,7 +37,6 @@ control "ebs_volume_encryption_at_rest_enabled" {
     cis_controls_v8_ig1    = "true"
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
-    nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"
     rbi_cyber_security     = "true"
   })

diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
@@ -17,6 +17,7 @@ control "ec2_ebs_default_encryption_enabled" {
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_4                      = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"

diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
@@ -39,6 +39,7 @@ control "efs_file_system_in_backup_plan" {
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_4                      = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"

diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
@@ -19,6 +19,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_4                      = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"

diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
@@ -192,7 +192,6 @@ control "elb_application_network_lb_use_ssl_certificate" {
     gxp_21_cfr_part_11                     = "true"
     gxp_eu_annex_11                        = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
-    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"

diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
@@ -89,6 +89,7 @@ control "es_domain_logs_to_cloudwatch" {
     ffiec                                  = "true"
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"

diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
@@ -13,6 +13,7 @@ control "iam_account_password_policy_strong_min_reuse_24" {
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_4                      = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
@@ -321,7 +322,6 @@ control "iam_account_password_policy_min_length_14" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
-    nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"
   })
 }
@@ -332,8 +332,7 @@ control "iam_account_password_policy_reuse_24" {
   query       = query.iam_account_password_policy_reuse_24
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -356,8 +355,7 @@ control "iam_account_password_policy_one_lowercase_letter" {
   query       = query.iam_account_password_policy_one_lowercase_letter
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -367,8 +365,7 @@ control "iam_account_password_policy_one_uppercase_letter" {
   query       = query.iam_account_password_policy_one_uppercase_letter
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -378,8 +375,7 @@ control "iam_account_password_policy_one_number" {
   query       = query.iam_account_password_policy_one_number
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -389,8 +385,7 @@ control "iam_password_policy_expire_90" {
   query       = query.iam_account_password_policy_expire_90
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -400,8 +395,7 @@ control "iam_account_password_policy_one_symbol" {
   query       = query.iam_account_password_policy_one_symbol
 
   tags = merge(local.conformance_pack_iam_common_tags, {
-    gdpr               = "true"
-    nist_800_171_rev_2 = "true"
+    gdpr = "true"
   })
 }
 
@@ -417,6 +411,7 @@ control "iam_all_policy_no_service_wild_card" {
     ffiec                                  = "true"
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
@@ -452,6 +447,7 @@ control "iam_policy_inline_no_blocked_kms_actions" {
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_csf                               = "true"
     pci_dss_v321                           = "true"
   })
@@ -520,6 +516,7 @@ control "iam_policy_unused" {
 
   tags = merge(local.conformance_pack_iam_common_tags, {
     cis_controls_v8_ig1 = "true"
+    nist_800_171_rev_2  = "true"
     nist_csf            = "true"
     soc_2               = "true"
   })

diff --git a/conformance_pack/kms.sp b/conformance_pack/kms.sp
@@ -16,6 +16,7 @@ control "kms_key_not_pending_deletion" {
     gxp_21_cfr_part_11                     = "true"
     hipaa_final_omnibus_security_rule_2013 = "true"
     hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
     nist_800_53_rev_4                      = "true"
     nist_800_53_rev_5                      = "true"
     nist_csf                               = "true"
@@ -36,6 +37,7 @@ control "kms_cmk_rotation_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"