Enhancements
- Optimized
log_group_metric_*
queries to minimize API usage, achieving faster performance. (#802)
What's new?
- Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)
Enhancements
- Added runtime variable support for control
lambda_function_use_latest_runtime
. (#791)
Bug fixes
- Fixed the
ecr_repository_image_scan_on_push_enabled
query to use the correct common dimensions. (#793)
Enhancements
- Optimized several queries to minimize API usage, achieving faster performance. (#786)
Bug fixes
- Updated the
foundational_security_lambda_2
control to check the latest runtime as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!) - Fixed the title of
secretsmanager_secret_unused_90_day
control. (#783)
Breaking changes
- The
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)- The
foundational_security_elbv2
sub-benchmark have been removed. - The following controls are no longer included in the benchmarks:
foundational_security_cloudfront_2
foundational_security_ec2_22
foundational_security_s3_4
- The
Enhancements
- The
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)- The following sub-benchmarks have been added to the
foundational_security
benchmark:foundational_security_appsync
foundational_security_backup
foundational_security_eventbridge
foundational_security_fsx
foundational_security_msk
foundational_security_pca
foundational_security_route53
foundational_security_sfn
- The following controls have been added to the benchmarks:
foundational_security_acm_2
foundational_security_appsync_2
foundational_security_backup_1
foundational_security_cloudfront_13
foundational_security_dms_6
foundational_security_dms_7
foundational_security_dms_8
foundational_security_dms_9
foundational_security_docdb_3
foundational_security_docdb_4
foundational_security_docdb_5
foundational_security_dms_9
foundational_security_dynamodb_6
foundational_security_ec2_51
foundational_security_ecs_9
foundational_security_eks_8
foundational_security_elasticbeanstalk_3
foundational_security_emr_2
foundational_security_eventbridge_3
foundational_security_fsx_1
foundational_security_msk_1
foundational_security_networkfirewall_2
foundational_security_networkfirewall_9
foundational_security_opensearch_10
foundational_security_pca_1
foundational_security_rds_34
foundational_security_rds_35
foundational_security_route53_2
foundational_security_s3_19
foundational_security_sfn_1
foundational_security_waf_12
- The following sub-benchmarks have been added to the
Dependencies
- AWS plugin
v0.132.0
or higher is now required. (#773)
Bug fixes
- Updated the titles of various controls in the
foundational_security
benchmark according to the latest document. (#765) - Fixed the
foundational_security_ecr_1
control to correctly evaluate results, taking into account whether ECR enhanced scanning is enabled at the region level. (#766)
Powerpipe
Powerpipe is now the preferred way to run this mod! Migrating from Steampipe →
All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.
Enhancements
- Focus documentation on Powerpipe commands.
- Show how to combine Powerpipe mods with Steampipe plugins.
Dependencies
- AWS plugin
v0.131.0
or higher is now required. (#747)
Enhancements
- Added 11 new controls to the
All Controls
benchmark across the following services: (#747)API Gateway
DMS
EMR
MQ
VPC
Bug fixes
- Fixed the
foundational_security_ssm_2
control to correctly evaluate results when patches are not applicable for SSM managed EC2 instances. (#761)
What's new?
- Added CIS v3.0.0 benchmark (
steampipe check benchmark.cis_v300
). (#755)
Breaking changes
- Removed the
iam_root_user_virtual_mfa
control since it is not recommended as good practice. (#743) - Replaced
iam_account_password_policy_strong
withiam_account_password_policy_strong_min_reuse_24
in the benchmarksGDPR
,FFIEC
andCISA Cyber Essentials
to align more accurately with the requirements of the AWS Config rule. (#739)
Bug fixes
- Updated the dashboard image to correctly list all the 25 benchmarks. (#748)
Enhancements
- Added 50 new controls to the
All Controls
benchmark across the following services: (#736)ACM
CloudFront
CloudTrail
Config
DocumentDB
EC2
ECS
EKS
ElastiCache
ELB
EMR
Kinesis
RDS
Redshift
S3
SNS
SQS
SSM
VPC
Enhancements
- Added the following controls to the
All Controls
benchmark: (#733)api_gateway_rest_api_public_endpoint_with_authorizer
dlm_ebs_snapshot_lifecycle_policy_enabled
docdb_cluster_instance_encryption_at_rest_enabled
ebs_volume_snapshot_exists
elasticache_cluster_no_public_subnet
iam_role_no_administrator_access_policy_attached
iam_user_access_key_unused_45
iam_user_console_access_unused_45
neptune_db_cluster_no_public_subnet
Breaking changes
- Updated the plugin dependency section of the mod to use
min_version
instead ofversion
. (#728)
Enhancements
- Added the following controls to the
All Controls
benchmark: (#727)glue_connection_ssl_enabled
vpc_peering_connection_route_table_least_privilege
Enhancements
- Added the following controls to the
All Controls
benchmark: (#722)athena_workgroup_enforce_configuration_enabled
iam_inline_policy_no_administrative_privileges
Bug fixes
- Fixed README to include correct reference to the
All Controls
benchmark. (#721) (Thanks @vil02 for the contribution!) - Fixed typos in several compliance control descriptions. (#719) (Thanks @pdecat for the contribution!)
Bug fixes
- Added the missing
resource
column in the queries ofglue_data_catalog_encryption_settings_metadata_encryption_enabled
andglue_data_catalog_encryption_settings_password_encryption_enabled
controls. (#715)
Breaking changes
- The
Other Compliance Checks
benchmark (steampipe check benchmark.other_checks
) has been removed and replaced by the newAll Controls
benchmark (steampipe check benchmark.all_controls
). This new benchmark includes 353 service-specific controls. (#710)
Breaking changes
- The
CIS Controls v8 IG1
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#706)- The following sub-benchmarks have been removed from the
cis_controls_v8_ig1
benchmark:cis_controls_v8_ig1_13
cis_controls_v8_ig1_16
- The following controls have been added to the benchmarks:
ebs_attached_volume_encryption_enabled
iam_account_password_policy_strong_min_reuse_24
s3_bucket_policy_restrict_public_access
ssm_document_prohibit_public_access
waf_web_acl_logging_enabled
- The following controls are no longer included in the benchmarks:
apigateway_stage_use_waf_web_acl
codebuild_project_artifact_encryption_enabled
codebuild_project_environment_privileged_mode_disabled
codebuild_project_logging_enabled
codebuild_project_plaintext_env_variables_no_sensitive_aws_values
codebuild_project_source_repo_oauth_configured
ebs_volume_encryption_at_rest_enabled
iam_account_password_policy_min_length_14
s3_bucket_policy_restricts_cross_account_permission_changes
- The following sub-benchmarks have been removed from the
Enhancements
-
The
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#704)- The following sub-benchmarks have been added to the
foundational_security
benchmark:foundational_security_athena
foundational_security_docdb
foundational_security_neptune
- The following controls have been added to the benchmarks:
foundational_security_rds_27
- The following sub-benchmarks have been added to the
-
The
AWS Audit Manager Control Tower Guardrails
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#705)- The following controls have been added to the benchmarks:
ebs_volume_unused
rds_db_instance_encryption_at_rest_enabled
- The following controls are no longer included in the benchmarks:
ebs_attached_volume_delete_on_termination_enabled
rds_db_snapshot_encrypted_at_rest
- The following controls have been added to the benchmarks:
Enhancements
-
Added the following controls to
Other Compliance Checks
benchmark: (#697)appstream_fleet_default_internet_access_disabled
appstream_fleet_idle_disconnect_timeout_600_seconds
appstream_fleet_max_user_duration_36000_seconds
appstream_fleet_session_disconnect_timeout_300_seconds
backup_report_plan_configured
directory_service_certificate_expires_90_days
directory_service_directory_snapshots_limit
directory_service_directory_sns_notifications_enabled
kms_cmk_unused
-
Updated the
lambda_function_use_latest_runtime
andfoundational_security_lambda_2
controls to use latest runtimes for each language. (#696) (Thanks to @papaharry for the contribution!)
Enhancements
- The
NIST SP 800-171 (Rev. 2)
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#684)- The following controls have been added to the benchmarks:
elb_application_network_lb_use_ssl_certificate
- The following controls have been added to the benchmarks:
- The
PCI DSS v3.2.1
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#690)- The following controls have been added to the benchmarks:
rds_db_instance_iam_authentication_enabled
- The following controls are no longer included in the benchmarks:
rds_db_cluster_iam_authentication_enabled
- The following controls have been added to the benchmarks:
Bug fixes
- Fixed the formatting in CIS v2.0.0 benchmark documents which would cause several control pages to not render correctly on the hub. (#687)
What's new?
- Added CIS v2.0.0 benchmark (
steampipe check benchmark.cis_v200
). (#683)
Enhancements
- Added the following controls to
Other Compliance Checks
benchmark: (#678)autoscaling_ec2_launch_configuration_no_sensitive_data
eks_cluster_endpoint_public_access_restircted
guardduty_centrally_configured
iam_policy_custom_no_permissive_role_assumption
iam_role_cross_account_read_only_access_policy
iam_security_audit_role
lambda_function_restrict_public_url
lambda_function_variables_no_sensitive_data
rds_db_instance_connections_encryption_enabled
vpc_in_more_than_one_region
vpc_subnet_multi_az_enabled
vpc_subnet_public_and_private
workspaces_workspace_volume_encryption_enabled
Enhancements
- Added the following controls to
Other Compliance Checks
benchmark: (#675)cloudtrail_trail_bucket_mfa_enabled
efs_file_system_restrict_public_access
glacier_vault_restrict_public_access
iam_custom_policy_unattached_no_star_star
iam_policy_no_full_access_to_cloudtrail
iam_policy_no_full_access_to_kms
networkfirewall_firewall_in_vpc
opensearch_domain_cognito_authentication_enabled_for_kibana
opensearch_domain_internal_user_database_disabled
opensearch_domain_updated_with_latest_service_software_version
Bug fixes
- Fixed the
iam_role_unused_60
query to use the correct resource and common dimensions. (#672)
Breaking changes
- The
Foundational Security Best Practices v1.0.0
benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#669)- The following controls are no longer included in the benchmarks:
foundational_security_ec2_27
foundational_security_lambda_4
- The following controls are no longer included in the benchmarks:
Enhancements
- Added the following control to
Other Compliance Checks
benchmark: (#663)iam_role_unused_60
Bug fixes
- Fixed the filter pattern in
log_metric_filter_organization
query to correctly match the log event. (#664)
Enhancements
- Added the following controls to
Other Compliance Checks
benchmark: (#641) (#645)api_gatewayv2_route_authorizer_configured
apigateway_rest_api_endpoint_restrict_public_access
backup_plan_region_configured
backup_vault_region_configured
cloudfront_distribution_field_level_encryption_enabled
cloudtrail_trail_insight_selectors_and_logging_enabled
docdb_cluster_instance_logging_enabled
drs_job_enabled
ebs_snapshot_encryption_enabled
ec2_ami_restrict_public_access
guardduty_no_high_severity_findings
iam_access_analyzer_enabled_without_findings
vpc_security_group_allows_ingress_to_cassandra_ports
vpc_security_group_allows_ingress_to_memcached_port
vpc_security_group_allows_ingress_to_mongodb_ports
vpc_security_group_allows_ingress_to_oracle_ports
- The
HIPAA Security Rule 2003
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#654)- The following controls are no longer included in the benchmarks:
kms_key_decryption_restricted_in_iam_customer_managed_policy
kms_key_decryption_restricted_in_iam_inline_policy
- The following controls are no longer included in the benchmarks:
Bug fixes
- Fixed the
rds_db_instance_logging_enabled
query to filter outdocdb
instances. (#660)
Bug fixes
- Fixed the
wafv2_web_acl_rule_attached
query to correctly evaluate the number of rule(s) attached to multiple web ACLs instead of returning an error. (#655) - Fixed the
iam_policy_all_attached_no_star_star
query to skip AWS managed policies. (#643) - Fixed the
foundational_security_cloudtrail_1
control to refer the correct document. (#650) (Thanks @ajoga for the contribution!!)
Breaking changes
- The
NIST SP 800-171 (Rev. 2)
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#636)- The following benchmarks have been added:
nist_800_171_rev_2_2
- Added the following sub-benchmarks to
nist_800_171_rev_2_3_4
benchmark:nist_800_171_rev_2_3_4_3
nist_800_171_rev_2_3_4_4
nist_800_171_rev_2_3_4_5
- Added the following sub-benchmarks to
nist_800_171_rev_2_3_5
benchmark:nist_800_171_rev_2_3_5_1
nist_800_171_rev_2_3_5_4
nist_800_171_rev_2_3_5_9
- Added the following sub-benchmark to
nist_800_171_rev_2_3
benchmark:nist_800_171_rev_2_3_8
- Added the following sub-benchmarks to
nist_800_171_rev_2_3_12
benchmark:nist_800_171_rev_2_3_12_1
nist_800_171_rev_2_3_12_3
- Added the following sub-benchmark to
nist_800_171_rev_2_3_13
benchmark:nist_800_171_rev_2_3_13_10
- Removed the following sub-benchmark from
nist_800_171_rev_2_3_5
benchmark:nist_800_171_rev_2_3_5_10
- 40 new unique controls have been added across the benchmarks
- The following controls have been replaced in the benchmarks:
iam_account_password_policy_reuse_24
replaced byiam_account_password_policy_strong_min_reuse_24
s3_bucket_policy_restricts_cross_account_permission_changes
replaced bys3_bucket_policy_restrict_public_access
- The following controls are no longer included in the benchmarks:
dynamodb_table_encryption_enabled
ebs_volume_encryption_at_rest_enabled
elb_application_network_lb_use_ssl_certificate
iam_account_password_policy_min_length_14
iam_account_password_policy_one_lowercase_letter
iam_account_password_policy_one_number
iam_account_password_policy_one_symbol
iam_account_password_policy_one_uppercase_letter
iam_password_policy_expire_90
rds_db_cluster_deletion_protection_enabled
vpc_security_group_restricted_common_ports
- The following benchmarks have been added:
Enhancements
- The
HIPAA Security Rule 2003
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#635)- The following controls have been added to the benchmarks:
iam_policy_custom_no_blocked_kms_actions
iam_policy_inline_no_blocked_kms_actions
- The following controls have been replaced in the benchmarks:
vpc_endpoint_service_acceptance_required_enabled
replaced byvpc_configured_to_use_vpc_endpoints
vpc_security_group_restricted_common_ports
replaced byvpc_security_group_restrict_ingress_common_ports_all
vpc_security_group_allows_ingress_authorized_ports
replaced byvpc_igw_attached_to_authorized_vpc
- The following controls have been added to the benchmarks:
- The
HIPAA Final Omnibus Security Rule 2013
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#632)- Added
ssm_document_prohibit_public_access
control to the benchmarks - The following controls are no longer included in the benchmarks:
vpc_endpoint_service_acceptance_required_enabled
- Added
- The
GxP 21 CFR Part 11
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#638)- The following controls have been added to the benchmarks:
ebs_volume_unused
ssm_document_prohibit_public_access
- The following controls have been replaced in the benchmarks:
vpc_security_group_allows_ingress_authorized_ports
replaced byvpc_security_group_restrict_ingress_tcp_udp_all
iam_policy_custom_no_assume_role
replaced byiam_managed_policy_attached_to_role
- The following controls are no longer included in the benchmarks:
ebs_attached_volume_delete_on_termination_enabled
- The following controls have been added to the benchmarks:
Bug fixes
- Fixed the typo in the query name to use
vpc_security_group_unused
instead ofvpc_security_group_unsued
. (#640)
Enhancements
- The
NIST Cybersecurity Framework (CSF) v1.1
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#631)- The following controls have been added to the benchmarks:
cloudwatch_alarm_action_enabled_check
ssm_document_prohibit_public_access
vpc_configured_to_use_vpc_endpoints
- The following controls have been added to the benchmarks:
Enhancements
- The
PCI DSS v3.2.1
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#626)- The following controls have been added to the benchmarks:
log_metric_filter_root_login
vpc_configured_to_use_vpc_endpoints
waf_regional_rule_group_rule_attached
waf_regional_web_acl_rule_attached
- The following controls have been replaced in the benchmarks:
cloudwatch_alarm_action_enabled
replaced bycloudwatch_alarm_action_enabled_check
efs_file_system_encrypted_with_cmk
replaced byefs_file_system_encrypt_data_at_rest
s3_public_access_block_bucket_account
replaced bys3_public_access_block_account
- The following controls are no longer included in the benchmark:
elb_listener_use_secure_ssl_cipher
kms_key_decryption_restricted_in_iam_customer_managed_policy
kms_key_decryption_restricted_in_iam_inline_policy
vpc_endpoint_service_acceptance_required_enabled
- The following controls have been added to the benchmarks:
- The
S0C 2
benchmark has been updated to better align with the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#628)- The following controls have been added to the benchmarks:
waf_web_acl_logging_enabled
cloudwatch_alarm_action_enabled_check
- The following controls have been replaced in the benchmarks:
ebs_volume_encryption_at_rest_enabled
replaced byebs_attached_volume_encryption_enabled
s3_bucket_policy_restricts_cross_account_permission_changes
replaced bys3_bucket_policy_restrict_public_access
sagemaker_notebook_instance_encrypted_with_kms_cmk
replaced bysagemaker_notebook_instance_encryption_at_rest_enabled
iam_account_password_policy_min_length_14
replaced byiam_account_password_policy_strong_min_reuse_24
- The following controls have been added to the benchmarks:
Bug fixes
- Fixed dashboard localhost URLs in README and index doc. (#627)
What's new?
- Added the following new controls to the AWS Foundational Security Best Practices benchmark: (#614)
- EC2.20
- EKS.1
- ElastiCache.1
- ElastiCache.2
- ElastiCache.3
- ElastiCache.4
- ElastiCache.5
- ElastiCache.6
- ElastiCache.7
- ELB.1
- ELB.2
- ELB.9
- Opensearch.1
- Opensearch.2
- Opensearch.3
- Opensearch.4
- Opensearch.5
- Opensearch.6
- Opensearch.7
- Opensearch.8
- RDS.11
- Redshift.10
- S3.13
- SSM.4
- WAF.1
- WAF.2
- WAF.3
- WAF.4
Breaking changes
- The
NIST Cybersecurity Framework (CSF) v1.1
benchmark has been updated to better align with the official NIST document and the matching AWS Audit Manager NIST Cybersecurity Framework (CSF) v1.1 framework. The following updates have been made: (#604)- 100+ new controls have been added
- The following controls are no longer included in the benchmarks:
ebs_attached_volume_delete_on_termination_enabled
s3_public_access_block_bucket_account
sns_topic_encrypted_at_rest
vpc_security_group_associated_to_eni
Bug fixes
- Fixed the
lambda_function_in_vpc
and thelambda_function_multiple_az_configured
queries to correctly check if a function is present in a VPC or not. (#610)
Breaking changes
- The HIPAA benchmark has been updated to better align with official HIPAA document and the matching AWS Audit Manager Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Security Rule 2013 and AWS Audit Manager Health Insurance Portability and Accountability Act (HIPAA) Security Rule 2003 frameworks. The following updates have been made to the benchmark: (#605)
- The
hipaa
benchmark has been removed and replaced by two new benchmarks -hipaa_final_omnibus_security_rule_2013
(steampipe check benchmark.hipaa_final_omnibus_security_rule_2013
) andhipaa_security_rule_2003
(steampipe check benchmark.hipaa_security_rule_2003
). - 30+ new unique controls have been added across the two new benchmarks
- The following controls are no longer included in the benchmarks:
ebs_volume_encryption_at_rest_enabled
iam_account_password_policy_min_length_14
iam_account_password_policy_one_lowercase_letter
iam_account_password_policy_one_number
iam_account_password_policy_one_symbol
iam_account_password_policy_one_uppercase_letter
iam_account_password_policy_reuse_24
iam_password_policy_expire_90
log_metric_filter_console_login_mfa
s3_public_access_block_bucket_account
- All documentation has been updated on the Hub to better match official HIPAA Final Omnibus Security Rule 2013 and HIPAA Security Rule 2003 documentations.
- The
Breaking changes
- The
GxP 21 CFR Part 11
andGxP EU Annex 11
benchmarks have been updated to better align with AWS Audit Manager GxP 21 CFR Part 11 and AWS Audit Manager GxP EU Annex 11 frameworks. The following updates have been made: (#600)- New benchmarks added:
gxp_21_cfr_part_11_11_200_a
gxp_eu_annex_11_project_phase_4
gxp_eu_annex_11_operational_phase_7
gxp_eu_annex_11_operational_phase_8
gxp_eu_annex_11_operational_phase_12
gxp_eu_annex_11_operational_phase_13
- 45+ unique controls have been added across both the benchmarks
- The following controls are no longer included in the benchmark:
iam_account_password_policy_strong
vpc_security_group_restrict_ingress_tcp_udp_all
- New benchmarks added:
Breaking changes
- The PCI DSS v3.2.1 benchmark has been updated to better align with official PCI DSS v3.2.1 document and the matching AWS Audit Manager framework. The following updates have been made to the benchmark: (#570)
- The
pci_v321
benchmark has been removed and replaced by thepci_dss_v321
benchmark (steampipe check benchmark.pci_dss_v321
) - The benchmark is now organized by Requirements instead of AWS services and all children benchmarks now start with
pci_dss_v321_
instead ofpci_v321
, e.g.,steampipe check benchmark.pci_dss_v321_requirement_2
- 100+ new controls have been added
- The following controls are no longer included in the benchmark:
control.iam_root_user_virtual_mfa
kms_cmk_rotation_enabled
opensearch_domain_in_vpc
vpc_security_group_associated
- All documentation has been updated on the Hub to better match official PCI documentation.
- The
Dependencies
- AWS plugin
v0.97.0
or higher is now required. (#570)
Breaking changes
- Fixed the names of the following benchmarks to align with the AWS Audit Manager framework: (#581)
soc_2_cc_a_1
tosoc_2_a_1
soc_2_cc_a_1_1
tosoc_2_a_1_1
soc_2_cc_a_1_2
tosoc_2_a_1_2
soc_2_cc_a_1_3
tosoc_2_a_1_3
soc_2_cc_c_1
tosoc_2_c_1
soc_2_cc_c_1_1
tosoc_2_c_1_1
soc_2_cc_c_1_2
tosoc_2_c_1_2
soc_2_cc_c_1_3
tosoc_2_c_1_3
What's new?
- New benchmark added: (#581)
soc_2_c_1
(steampipe check benchmark.soc_2_c_1
)
- More than 200 controls were added to the following
SOC 2
sub-benchmarks: (#581)a_1_2
soc2_c_1_1
soc2_c_1_2
soc2_cc_1_3
soc2_cc_2_1
soc2_cc_3_1
soc2_cc_3_2
soc2_cc_3_4
soc2_cc_4_2
soc2_cc_6_1
soc2_cc_6_2
soc2_cc_6_3
soc2_cc_6_6
soc2_cc_6_7
soc2_cc_7_3
soc2_cc_7_4
soc2_cc_8_1
What's new?
- New AWS Foundational Security Best Practices control added: (#586)
- EC2.25 (
steampipe check control.foundational_security_ec2_25
)
- EC2.25 (
- Added
tags
as dimensions to group and filter findings. (see var.tag_dimensions) (#574) - Added
connection_name
in the common dimensions to group and filter findings. (see var.common_dimensions) (#574)
Bug fixes
- Fixed the sub-benchmark titles of
CIS Controls v8 IG1
benchmark to maintain consistency across other CIS benchmark titles. (#589)
Dependencies
- AWS plugin
v0.95.0
or higher is now required. (#579)
What's new?
- Added CIS Controls v8 IG1 benchmark (
steampipe check benchmark.cis_controls_v8_ig1
). (#568) - Add 30 new controls to Other Compliance Checks benchmark. (#563)
Bug fixes
- Fixed the
cloudtrail_multi_region_trail_enabled
query to correctly evaluate organizational trails. (#552) - Fixed
s3_bucket_restrict_*
queries to correctly check if buckets prohibit public read access or not. (#548) - Fixed
s3_bucket_acls_should_prohibit_user_access
query to correctly evaluate a bucket to be inok
state if it does not have ACLs for user access. (#549)
Bug fixes
- Fixed the
guardduty_enabled
query to no longer report false positive results on accounts which are members of an AWS organization where GuardDuty is managed by another account via Delegated Admin. (#551) - Fixed the
ec2_instance_ssm_managed
query to returninfo
instead of anerror
for instances that are in stopped state and are not managed by SSM. (#550)
Dependencies
- AWS plugin
v0.92.0
or higher is now required. (#545)
What's new?
- Added CIS v1.2.0 benchmark (
steampipe check benchmark.cis_v120
). (#535) - New AWS Foundational Security Best Practices control added: (#542)
- Account.1
- APIGateway.8
- APIGateway.9
- CloudFront.12
- CodeBuild.3
- SageMaker.2
- SageMaker.3
- WAF.10
What's new?
- New AWS Foundational Security Best Practices control added: (#529)
- AutoScaling.9 (
steampipe check control.foundational_security_autoscaling_9
)
- AutoScaling.9 (
Bug fixes
- Fixed the
acm_certificate_expires_30_days
query to correctly alarm the ACM certificates which are set to expire within 30 days. (#552) - Fixed typos in several compliance control descriptions to use
compliant
instead ofcomplaint
. (#522) (Thanks to @akumar-99 for the contribution!)
Enhancements
- Updated
iam_user_in_group
andvpc_default_security_group_restricts_all_traffic
queries to correctly handle empty column data. (#520)
Dependencies
- AWS plugin
v0.81.0
or higher is now required.
Bug fixes
- Fixed
apigateway_rest_api_authorizers_configured
,apigateway_stage_logging_enabled
,cloudformation_stack_notifications_enabled
,route53_zone_query_logging_enabled
,secretsmanager_secret_encrypted_with_kms_cmk
andvpc_igw_attached_to_authorized_vpc
queries to correctly handle columns when empty in their respective tables. (#517)
Enhancements
- Updated
cloudwatch_alarm_action_enabled
query to use updated column data inaws_cloudwatch_alarm
table. (#511)
Dependencies
- AWS plugin
v0.80.0
or higher is now required.
Bug fixes
- Fixed the
ecr_repository_prohibit_public_access
query to correctly check if the Cross-Account ECR repositories are public or not. (#513) - Fixed the
ebs_attached_volume_encryption_enabled
query to validate all EBS volumes instead of ignoring the unattached volumes. (#504) - Fixed the
secretsmanager_secret_encrypted_with_kms_cmk
query to correctly alarm if the secret is not encrypted with CMK. - Fixed typos in various CIS docs and NIST 800-53 benchmark title. (#508) (Thanks @akumar-99 for the contribution!)
What's new?
- Added queries with automated checks to the following CIS controls: (#502)
cis_v130_1_2
cis_v140_1_2
cis_v140_2_1_4
cis_v150_1_2
cis_v150_2_1_4
Dependencies
- AWS plugin
v0.78.0
or higher is now required.
What's new?
- Added the following new controls to the AWS Foundational Security Best Practices benchmark: (#489)
- S3.12
Bug fixes
- Fixed
guardduty_enabled
andsecurityhub_enabled
queries incorrectly showing the disabled service as enabled in regions if another connections' account has it enabled in the same region.
What's new?
- Added CIS v1.5.0 benchmark (
steampipe check benchmark.cis_v150
). (#496) - Added the following new controls to the AWS Foundational Security Best Practices benchmark: (#488)
- AutoScaling.6
Enhancements
- Updated
foundational_security_lambda_2
control to use latest runtimes for each language. (#497)
Bug fixes
- Fixed typo in
nist_800_53_rev_5_si_2_2
control title. (#490) (Thanks to @akumar-99 for the contribution!)
Breaking changes
- Removed the
cloudtrail_enabled_all_regions
control since it was no longer being used by any benchmark. (#485)
Bug fixes
- Fixed the
cis_v130_3_1
andcis_v140_3_1
controls to correctly use thecloudtrail_multi_region_read_write_enabled
query instead ofcloudtrail_enabled_all_regions
query. (#479) - Fixed the
article_25
andarticle_30
benchmarks to include thecloudtrail_multi_region_trail_enabled
control instead of thecloudtrail_enabled_all_regions
control. (#479) - Fixed the
pci_v321_cloudtrail_2
control to correctly use thecloudtrail_trail_enabled
query instead of thecloudtrail_enabled_all_regions
query. (#479)
What's new?
- Added GxP EU Annex 11 benchmark (
steampipe check benchmark.gxp_eu_annex_11
). (#452)
Bug fixes
- Fixed the
foundational_security_ec2
benchmark to correctly include thefoundational_security_ec2_27
control. (#474)
What's new?
- Added the following new controls to the AWS Foundational Security Best Practices benchmark: (#468)(#457)
- AutoScaling.3
- AutoScaling.4
- CloudFormation.1
- CloudFront.10
- EC2.23
- EC2.24
- EC2.27
- ECR.1
- ECR.2
- ECS.3
- ECS.4
- ECS.5
- ECS.8
- ECS.10
- ECS.12
- EFS.3
- EFS.4
- EKS.2
- ELB.12
- ELB.13
- ELB.14
- Kinesis.1
- NetworkFirewall.3
- NetworkFirewall.4
- NetworkFirewall.5
- OpenSearch.7
- Redshift.9
- S3.13
- SNS.2
- WAF.6
- WAF.7
- WAF.8
Enhancements
- Updated the
kms_cmk_rotation_enabled
query to skip KMS keys which are either inPendingDeletion
orDisabled
state since we cannot set rotation for such keys. (#466) (Thanks to @yorinasub17 for the contribution!)
Breaking changes
- Renamed the control and the query
dynamodb_table_encrypted_with_kms_cmk
todynamodb_table_encrypted_with_kms
to maintain consistency with AWS documentation. (#467) (Thanks to @pdecat for the contribution!)
Dependencies
- AWS plugin
v0.71.0
or higher is now required. (#470)
What's new?
- Added CISA Cyber Essentials benchmark (
steampipe check benchmark.cisa_cyber_essentials
). (#454)
Bug fixes
- Added the missing
resource
column in thevpc_flow_logs_enabled
query so that all the controls using this query will get executed correctly instead of returning an error. (#463) (Thanks to @yorinasub17 for the contribution!)
What's new?
- Added NIST 800-171 Revision 2 benchmark (
steampipe check benchmark.nist_800_171_rev_2
). (#453)
Enhancements
- Updated
guardduty_enabled
,iam_access_analyzer_enabled
andsecurityhub_enabled
queries to skip the regions which have been disabled. (#451)
Dependencies
- AWS plugin
v0.68.0
or higher is now required (#446)
What's new?
- Added GxP 21 CFR Part 11 benchmark (
steampipe check benchmark.gxp_21_cfr_part_11
). (#436) - Added Other Compliance Checks benchmark (
steampipe check benchmark.other
). (#431)
Enhancements
- Updated the
config_enabled_all_regions
query to skip the regions which have been disabled. (#437) (Thanks to @yorinasub17 for the contribution!)
Bug fixes
- Fixed the
vpc_flow_logs_enabled
query to skip VPCs which are shared with the owner account, since flow logs cannot be enabled for shared VPCs. (#444)
What's new?
- Added Federal Financial Institutions Examination Council (FFIEC) benchmark (
steampipe check benchmark.ffiec
). (#420)
Bug fixes
- Fixed the
backup_plan_min_retention_35_days
query to check if the backup plan retention period is more than35
days instead of37
days. (#424) - Fixed the
lambda_function_restrict_public_access
query to correctly evaluate if a lambda function is restricting public access or not. (#422)
Enhancements
- Updated the
NIST 800-53
link in the docs/index.md file to reference the latestNIST 800-53 Revision 5
document. (#407)
Bug fixes
- Fixed the typo in the query name to use
ebs_volume_unused
instead ofebs_volume_unsued
. (#412) - Fixed the typo
Prinipal
inlambda_function_restrict_public_access
query. (#413)
What's new?
- Added NIST 800-53 Revision 5 benchmark (
steampipe check benchmark.nist_800_53_rev_5
). (#399)
Bug fixes
- Fixed the
rds_db_instance_deletion_protection_enabled
query to skip Amazon RDS Aurora, DocumentDB and Neptune DB instances, since deletion protection can only be enabled at the cluster level for such instances. (#401) - Fixed the
foundational_security_s3_9
control to correctly references3_bucket_logging_enabled
query instead ofs3_bucket_public_access_blocked
query. (#403)
What's new?
- Added FedRAMP Low Revision 4 benchmark (
steampipe check benchmark.fedramp_low_rev_4
). - Added FedRAMP Moderate Revision 4 benchmark (
steampipe check benchmark.fedramp_moderate_rev_4
).
Bug fixes
- Fixed
lambda_function_multiple_az_configured
query to correctly check if Lambda functions have more than one availability zone. (#392) - Fixed
lambda_function_use_latest_runtime
query to correctly returnskip
instead ofalarm
if the deployment package type iszip
. (#392)
Dependencies
- AWS plugin
v0.59.0
or higher is now required. (#390)
What's new?
- New PCI v3.2.1 benchmark added: (#385)
- OpenSearch (
steampipe check benchmark.pci_v321_opensearch
)
- OpenSearch (
- New PCI v3.2.1 controls added: (#385)
- OpenSearch.1 (
steampipe check control.pci_v321_opensearch_1
) - OpenSearch.2 (
steampipe check control.pci_v321_opensearch_2
)
- OpenSearch.1 (
Enhancements
- Updated docs/index.md and README with new dashboard screenshots and latest format. (#379)
Bug fixes
- Fixed incorrect doc link for
pci_v321_s3_5
control. (#381)
Bug fixes
- Fixed
resource
column inguardduty_enabled
query to be the AWS region ARN instead of the GuardDuty detector ARN. - Fixed
resource
column insecurityhub_enabled
query to be the AWS region ARN instead of the Security Hub hub ARN. - Renamed
soc2
directory and filenames to usesoc_2
(no impact on benchmarks or controls).
Enhancements
- Added
category
,service
, andtype
tags to benchmarks and controls. (#375) - Improved reason in
iam_root_user_hardware_mfa_enabled
query when a virtual MFA device is enabled.
Bug fixes
- Fixed
resource
iniam_access_analyzer_enabled
query to be the region ARN.
Enhancements
- Renamed several IAM policy and account password policy query names to be more consistent with other query names. (#367)
Bug fixes
- The
cis_v130_1_16
andcis_v140_1_16
controls now only show results for attached IAM policies. (#367) - The
iam_all_policy_no_service_wild_card
control now only checks customer managed IAM policies for full service access statements. (#367) - Fixed
iam_all_policy_no_service_wild_card
andfoundational_security_iam_21
controls not alarming if any policy statements grant*:*
, as these statements also grant full access to at least 1 AWS service. (#367) - Removed
iam_all_policy_no_service_wild_card.sql
andiam_policy_in_use.sql
queries as these were unused by any controls. (#367)
What's new?
- New AWS Foundational Security Best Practices controls added:
- CloudFront.9
- ECR.3
- ELB.10
- S3.11
Bug fixes
- Fixed the
guardduty_enabled
query to only check if GuardDuty is enabled and no longer check if S3 logging is enabled. (#360)
Bug fixes
- The
foundational_security_networkfirewall
benchmark is now a child of thefoundational_security
benchmark.
What's new?
- New AWS Foundational Security Best Practices controls added:
- AutoScaling.2
- AutoScaling.5
- CloudFront.7
- CloudFront.8
- CodeBuild.4
- CodeBuild.5
- EC2.21
- EC2.22
- Lambda.5
- NetworkFirewall.5
- RDS.24
- RDS.25
- Redshift.8
- S3.10
- S3.9
Bug fixes
- Fixed the
dynamodb_table_auto_scaling_enabled
query to correctly check if the tables have on-demand capacity mode enabled or not (#350)
Enhancements
- Updated the following queries to use
cidr_ipv4
column instead of the deprecatedcidr_ip
column (#342)- vpc_security_group_allows_ingress_authorized_ports
- vpc_security_group_remote_administration
- vpc_security_group_restrict_ingress_common_ports_all
- vpc_security_group_restrict_ingress_ssh_all
- vpc_security_group_restrict_ingress_tcp_udp_all
- vpc_security_group_restricted_common_ports
What's new?
- RBI Cyber Security Framework benchmark (
steampipe check benchmark.rbi_cyber_security
) now includes 17 new controls and 7 new queries (331)
Bug fixes
- Fixed the
config_enabled_all_regions
query to correctly evaluate if AWS Config is enabled in the account for the local Region and is recording all resources (325)
What's new?
- New NIST CSF benchmarks added:
- DE.CM-2
- DE.CM-5
- ID.AM-1
- ID.AM-5
- ID.RA-5
- ID.SC-4
- PR.DS-7
- PR.DS-8
- PR.IP-2
- PR.IP-8
- PR.IP-9
- PR.IP-12
- RC.RP-1
- RS.MI-3
- RS.RP-1
Bug fixes
- Fixed the
dynamodb_table_auto_scaling_enabled
query to correctly evaluate if auto scaling is enabled for a DynamoDB table instead of throwing a validation error (319)
What's new?
- Added: AWS Audit Manager Control Tower Guardrails benchmark (
steampipe check aws_compliance.benchmark.audit_manager_control_tower
)
Bug fixes
- Fixed the
backup_plan_min_retention_35_days
query to correctly evaluate backup plan rules where the lifecycle is set toNever Expire
(314)
What's new?
- Additional benchmarks (
hipaa_164_308
andhipaa_164.312
) have been added to thehipaa
benchmark to improve its structure and readability - New HIPAA benchmarks added:
- 164.308(a)(1)(ii)(A) Risk analysis
- 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
- 164.308(a)(5)(ii)(B) Protection from malicious software
- 164.308(a)(5)(ii)(C) Log-in monitoring
- 164.308(a)(5)(ii)(D) Password management
- 164.308(a)(7)(ii)(B) Disaster recovery plan
- 164.308(a)(7)(ii)(C) Emergency mode operation plan
- 164.308(a)(8) Evaluation
What's new?
- Added: System and Organization Controls (SOC 2) benchmark (
steampipe check aws_compliance.benchmark.soc_2
)
What's new?
- New AWS Foundational Security Best Practices controls added:
- ES.4
- ES.5
Bug fixes
- Fixed the metric filter pattern in the
log_metric_filter_unauthorized_api
query as per the CIS documentation (#294) - Fixed the
rds_db_instance_logging_enabled
query to correctly evaluate if logging is enabled forSQL Server Express Edition
DB engine type (296)
Bug fixes
- Fixed the metric filter pattern in the
log_metric_filter_organization
query as per the CIS documentation (#271) cis_v140_1_16
control now refers toiam_all_policy_no_star_star
query which evaluates all the attached IAM policies(both AWS and customer managed) instead of only IAM customer managed policies (#281)foundational_security_iam_1
control now refers toiam_custom_policy_no_star_star
query which only evaluates IAM customer managed policies instead of evaluating both customer and AWS managed IAM policies (#281)foundational_security_iam_21
control now refers toiam_custom_policy_no_service_wild_card
query which correctly checks if there are any IAM customer managed policies that allow wildcard access for services (#281)
What's new?
- Added: AWS General Data Protection Regulation(GDPR) benchmarks and controls (
steampipe check benchmark.gdpr
)
Enhancements
vpc_security_group_associated
control name has been renamed tovpc_security_group_associated_to_eni
which now refersvpc_security_group_associated_to_eni
query
Bug fixes
vpc_security_group_associated
query will no longer return duplicate security groups (#283)- Fixed the missing filter patterns in
log_metric_filter_root_login
andlog_metric_filter_unauthorized_api
queries (#285) (#278) cis_v130_1_12
andcis_v140_1_12
controls will now render<root_account>
user status asinfo
(#286)
Bug fixes
foundational_security_elasticbeanstalk_1
control will now correctly reference theelastic_beanstalk_enhanced_health_reporting_enabled
query instead of theapigateway_stage_logging_enabled
query
What's new?
- New AWS Foundational Security Best Practices controls added:
- APIGateway.5
- EC2.15
- EC2.19
- ElasticBeanstalk.1
- ELB.7
- Lambda.4
- RDS.18
- RDS.19
- RDS.20
- RDS.21
- RDS.22
- RDS.23
- SQS.1
What's new?
- New AWS Foundational Security Best Practices controls added:
- APIGateway.3
- APIGateway.4
- CloudFront.5
- CloudFront.6
- EC2.16
- EC2.17
- EC2.18
- ECS.1
- ECS.2
- ES.4
- ES.6
- ES.7
- ES.8
- IAM.21
- RDS.15
- RDS.16
- RDS.17
- Redshift.4
- S3.8
Bug fixes
- Fixed: Update multiple CloudTrail, CloudWatch, Config, Lambda, and S3 queries to work properly with multi-account connections (#247)
- Fixed: Cleanup unnecessary quotes in various CloudFront, CloudTrail, GuardDuty and S3 queries (#249)
What's new?
- Added: NIST 800-53 Revision 4 benchmark (
steampipe check benchmark.nist_800_53_rev_4
)
What's new?
- Added: NIST Cybersecurity Framework (CSF) benchmark (
steampipe check benchmark.nist_csf
) - New AWS Foundational Security Best Practices controls added:
- CodeBuild.1
- CodeBuild.2
- New HIPAA controls added:
- codebuild_project_source_repo_oauth_configured
- New PCI v3.2.1 controls added:
- CodeBuild.1
Enhancements
- Updated: AWS Foundational Security Best Practices benchmark title now includes
AWS
for better readability - Updated: Update column reference
table_arn
toarn
indynamodb_table_auto_scaling_enabled
,dynamodb_table_encrypted_with_kms_cmk
,dynamodb_table_in_backup_plan
,dynamodb_table_point_in_time_recovery_enabled
queries - Updated: Update column reference
file_system_arn
toarn
inefs_file_system_automatic_backups_enabled
,efs_file_system_encrypt_data_at_rest
queries
What's new?
- New RBI Cyber Security Framework controls added:
- dynamodb_table_in_backup_plan
- ebs_volume_in_backup_plan
- efs_file_system_in_backup_plan
- rds_db_instance_in_backup_plan
What's new?
- Added: RBI Cyber Security Framework benchmark (
steampipe check benchmark.rbi_cyber_security
) - New Foundational Security controls added:
- CloudTrail.1
- EC2.7
- EFS.2
- SSM.2
- SSM.3
- New HIPAA controls added:
- cloudtrail_trail_enabled
- guardduty_finding_archived
- vpc_vpn_tunnel_up
- New PCI v3.2.1 controls added:
- SSM.1
- SSM.2
Enhancements
- Updated: CIS v1.3.0 and v1.4.0 benchmarks and controls now include the
service
tag - Updated: Replaced
benchmark
tag for all benchmarks and controls with framework specific tags, e.g.,cis = true
,hipaa = true
What's new?
- Added: HIPAA benchmark (
steampipe check benchmark.hipaa
)
What's new?
- Added: CIS v1.4.0 benchmark (
steampipe check benchmark.cis_v140
) - Added: AWS Foundational Security Best Practices benchmark (
steampipe check benchmark.foundational_security
)
Bug fixes
- Minor fixes in the docs
What's new?
- Added: Documentation for various PCI v3.2.1 benchmarks and controls
- New PCI v3.2.1 controls added
- CloudWatch.1
- CodeBuild.2
- EC2.3
- ELBV2.2
- GuardDuty.1
- S3.3
Bug fixes
- Fixed:
autoscaling_group_with_lb_use_healthcheck
query should skip groups that aren't associated with a load balancer (#30)