diff --git a/CHANGELOG.md b/CHANGELOG.md
index e627d7ee..17aedaa5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## v1.2.0 [2024-11-21]
+
+_What's new?_
+
+- Added NYDFS 23 benchmark (`powerpipe benchmark run aws_compliance.benchmark.nydfs_23`). ([#844](https://github.com/turbot/steampipe-mod-aws-compliance/pull/844))
+
## v1.1.1 [2024-10-30]
_Bug fixes_
@@ -10,7 +16,7 @@ _Bug fixes_
_What's new?_
-- Added CIS v4.0.0 benchmark (`steampipe check benchmark.cis_v400`). ([#836](https://github.com/turbot/steampipe-mod-aws-compliance/pull/836))
+- Added CIS v4.0.0 benchmark (`powerpipe benchmark run aws_compliance.benchmark.cis_v400`). ([#836](https://github.com/turbot/steampipe-mod-aws-compliance/pull/836))
- Added `ebs_encryption_by_default_enabled` and `vpc_security_group_restrict_ingress_cifs_port_all` controls to the `All Controls` benchmark. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
_Enhancements_
diff --git a/README.md b/README.md
index 1481d455..19c4a446 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod for Powerpipe
-540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v4.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
+540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v4.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, NYDFS 23, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
Run checks in a dashboard:
diff --git a/conformance_pack/acm.pp b/conformance_pack/acm.pp
index e38eeb16..4c5438fa 100644
--- a/conformance_pack/acm.pp
+++ b/conformance_pack/acm.pp
@@ -21,6 +21,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
diff --git a/conformance_pack/apigateway.pp b/conformance_pack/apigateway.pp
index ee8338cc..4d33dc84 100644
--- a/conformance_pack/apigateway.pp
+++ b/conformance_pack/apigateway.pp
@@ -39,6 +39,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -64,6 +65,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -85,6 +87,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
})
@@ -115,6 +118,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
})
diff --git a/conformance_pack/autoscaling.pp b/conformance_pack/autoscaling.pp
index c3ac25ec..9136b30c 100644
--- a/conformance_pack/autoscaling.pp
+++ b/conformance_pack/autoscaling.pp
@@ -39,6 +39,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
})
@@ -60,6 +61,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/backup.pp b/conformance_pack/backup.pp
index 4dc0a202..3cabdd21 100644
--- a/conformance_pack/backup.pp
+++ b/conformance_pack/backup.pp
@@ -19,6 +19,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -42,6 +43,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -62,6 +64,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
diff --git a/conformance_pack/cloudtrail.pp b/conformance_pack/cloudtrail.pp
index 75d65401..65540efe 100644
--- a/conformance_pack/cloudtrail.pp
+++ b/conformance_pack/cloudtrail.pp
@@ -40,6 +40,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -68,6 +69,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -95,6 +97,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -121,6 +124,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -147,6 +151,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -172,6 +177,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/cloudwatch.pp b/conformance_pack/cloudwatch.pp
index bdb6c17e..95d38847 100644
--- a/conformance_pack/cloudwatch.pp
+++ b/conformance_pack/cloudwatch.pp
@@ -40,6 +40,7 @@
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -71,6 +72,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -94,6 +96,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/codebuild.pp b/conformance_pack/codebuild.pp
index e9c354e5..39aeb84c 100644
--- a/conformance_pack/codebuild.pp
+++ b/conformance_pack/codebuild.pp
@@ -26,6 +26,7 @@
hipaa_security_rule_2003 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -46,6 +47,7 @@
hipaa_security_rule_2003 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -80,6 +82,7 @@
hipaa_final_omnibus_security_rule_2013 = "true"
hipaa_security_rule_2003 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -90,9 +93,10 @@
query = query.codebuild_project_artifact_encryption_enabled
tags = merge(local.conformance_pack_codebuild_common_tags, {
- gxp_21_cfr_part_11 = "true"
- gxp_eu_annex_11 = "true"
- nist_csf = "true"
+ gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
+ nist_csf = "true"
+ nydfs_23 = "true"
})
}
diff --git a/conformance_pack/dms.pp b/conformance_pack/dms.pp
index dc102f19..77e1a59e 100644
--- a/conformance_pack/dms.pp
+++ b/conformance_pack/dms.pp
@@ -23,6 +23,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -222,9 +223,9 @@
else title || ' source database logging disabled.'
end as reason
${local.tag_dimensions_sql}
- ${local.common_dimensions_sql}
+ ${local.common_dimensions_sql}
from
aws_dms_replication_task as t
- left join replication_task_logging as l on l.arn = t.arn;
+ left join replication_task_logging as l on l.arn = t.arn;
EOQ
}
\ No newline at end of file
diff --git a/conformance_pack/dynamodb.pp b/conformance_pack/dynamodb.pp
index 293c8545..25940303 100644
--- a/conformance_pack/dynamodb.pp
+++ b/conformance_pack/dynamodb.pp
@@ -21,6 +21,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -45,6 +46,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -68,6 +70,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
})
@@ -91,6 +94,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/ebs.pp b/conformance_pack/ebs.pp
index bd6eebd3..422bdabc 100644
--- a/conformance_pack/ebs.pp
+++ b/conformance_pack/ebs.pp
@@ -21,6 +21,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -45,6 +46,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -85,6 +87,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -109,6 +112,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/ec2.pp b/conformance_pack/ec2.pp
index b667c28e..76a98435 100644
--- a/conformance_pack/ec2.pp
+++ b/conformance_pack/ec2.pp
@@ -54,6 +54,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -97,6 +98,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -122,6 +124,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -177,6 +180,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -197,6 +201,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
})
}
diff --git a/conformance_pack/ecs.pp b/conformance_pack/ecs.pp
index 3bed26de..5ede0cc6 100644
--- a/conformance_pack/ecs.pp
+++ b/conformance_pack/ecs.pp
@@ -68,6 +68,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
})
}
diff --git a/conformance_pack/efs.pp b/conformance_pack/efs.pp
index ec0db5f9..d5f78cf8 100644
--- a/conformance_pack/efs.pp
+++ b/conformance_pack/efs.pp
@@ -21,6 +21,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -44,6 +45,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/elasticache.pp b/conformance_pack/elasticache.pp
index f9316117..bf94f6aa 100644
--- a/conformance_pack/elasticache.pp
+++ b/conformance_pack/elasticache.pp
@@ -74,6 +74,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/elasticbeanstalk.pp b/conformance_pack/elasticbeanstalk.pp
index 5e73c2f6..1b9732be 100644
--- a/conformance_pack/elasticbeanstalk.pp
+++ b/conformance_pack/elasticbeanstalk.pp
@@ -15,6 +15,7 @@
hipaa_final_omnibus_security_rule_2013 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
diff --git a/conformance_pack/elb.pp b/conformance_pack/elb.pp
index 6b6c5081..ec6c2159 100644
--- a/conformance_pack/elb.pp
+++ b/conformance_pack/elb.pp
@@ -40,6 +40,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -64,6 +65,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -86,6 +88,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -107,6 +110,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -132,6 +136,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -152,6 +157,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -177,6 +183,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -201,6 +208,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -220,6 +228,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/emr.pp b/conformance_pack/emr.pp
index ec9383e7..f40be14c 100644
--- a/conformance_pack/emr.pp
+++ b/conformance_pack/emr.pp
@@ -28,6 +28,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -51,6 +52,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/es.pp b/conformance_pack/es.pp
index 1a616627..119ca7a3 100644
--- a/conformance_pack/es.pp
+++ b/conformance_pack/es.pp
@@ -64,6 +64,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -88,6 +89,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -113,6 +115,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -136,6 +139,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/guardduty.pp b/conformance_pack/guardduty.pp
index b68b38c0..231c602b 100644
--- a/conformance_pack/guardduty.pp
+++ b/conformance_pack/guardduty.pp
@@ -23,6 +23,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
diff --git a/conformance_pack/iam.pp b/conformance_pack/iam.pp
index cc5396f4..1f8ec078 100644
--- a/conformance_pack/iam.pp
+++ b/conformance_pack/iam.pp
@@ -65,7 +65,9 @@
description = "By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users."
query = query.iam_user_no_policies
- tags = local.conformance_pack_iam_common_tags
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ nydfs_23 = "true"
+ })
}
control "iam_user_one_active_key" {
@@ -108,6 +110,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -131,6 +134,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -156,6 +160,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -183,6 +188,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -210,6 +216,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -237,6 +244,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -259,6 +267,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -285,6 +294,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -311,6 +321,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -337,6 +348,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -363,6 +375,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -387,6 +400,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
diff --git a/conformance_pack/kinesis.pp b/conformance_pack/kinesis.pp
index 464f7b3a..42b90c08 100644
--- a/conformance_pack/kinesis.pp
+++ b/conformance_pack/kinesis.pp
@@ -10,10 +10,11 @@
query = query.kinesis_stream_server_side_encryption_enabled
tags = merge(local.conformance_pack_kinesis_common_tags, {
- gxp_21_cfr_part_11 = "true"
- gxp_eu_annex_11 = "true"
- nist_csf = "true"
- pci_dss_v321 = "true"
+ gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
+ nist_csf = "true"
+ nydfs_23 = "true"
+ pci_dss_v321 = "true"
})
}
diff --git a/conformance_pack/lambda.pp b/conformance_pack/lambda.pp
index c78bbeb8..884fde04 100644
--- a/conformance_pack/lambda.pp
+++ b/conformance_pack/lambda.pp
@@ -61,6 +61,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -87,6 +88,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
diff --git a/conformance_pack/opensearch.pp b/conformance_pack/opensearch.pp
index af015ea7..be65fc37 100644
--- a/conformance_pack/opensearch.pp
+++ b/conformance_pack/opensearch.pp
@@ -24,6 +24,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
})
}
@@ -65,6 +66,7 @@
acsc_essential_eight = "true"
gxp_21_cfr_part_11 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -79,6 +81,7 @@
acsc_essential_eight = "true"
gxp_21_cfr_part_11 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -97,6 +100,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
})
}
@@ -111,6 +115,7 @@
nist_800_171_rev_2 = "true"
nist_csf = "true"
rbi_itf_nbfc = "true"
+ nydfs_23 = "true"
})
}
diff --git a/conformance_pack/rds.pp b/conformance_pack/rds.pp
index 4b232f67..4c077950 100644
--- a/conformance_pack/rds.pp
+++ b/conformance_pack/rds.pp
@@ -104,6 +104,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -131,6 +132,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -154,6 +156,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -178,6 +181,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -202,6 +206,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -228,6 +233,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -255,6 +261,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -281,6 +288,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -303,6 +311,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
})
}
@@ -323,6 +332,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
diff --git a/conformance_pack/redshift.pp b/conformance_pack/redshift.pp
index 3bf8d614..603af586 100644
--- a/conformance_pack/redshift.pp
+++ b/conformance_pack/redshift.pp
@@ -30,6 +30,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -58,6 +59,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -84,6 +86,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -111,6 +114,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -133,6 +137,7 @@
hipaa_security_rule_2003 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_cyber_security = "true"
})
}
@@ -191,6 +196,7 @@
acsc_essential_eight = "true"
gxp_21_cfr_part_11 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
diff --git a/conformance_pack/s3.pp b/conformance_pack/s3.pp
index 752e0e59..0c08ca11 100644
--- a/conformance_pack/s3.pp
+++ b/conformance_pack/s3.pp
@@ -41,6 +41,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -66,6 +67,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -90,6 +92,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
+ nydfs_23 = "true"
nist_csf = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
@@ -117,6 +120,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -138,6 +142,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -163,6 +168,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -190,6 +196,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -217,6 +224,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -250,6 +258,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
soc_2 = "true"
})
@@ -287,6 +296,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
})
@@ -343,6 +353,7 @@
hipaa_security_rule_2003 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
diff --git a/conformance_pack/sagemaker.pp b/conformance_pack/sagemaker.pp
index 901f0c63..b33c058c 100644
--- a/conformance_pack/sagemaker.pp
+++ b/conformance_pack/sagemaker.pp
@@ -9,7 +9,9 @@
description = "This control checks if SageMaker notebook instance storage volumes are encrypted with AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys."
query = query.sagemaker_notebook_instance_encrypted_with_kms_cmk
- tags = local.conformance_pack_sagemaker_common_tags
+ tags = merge(local.conformance_pack_sagemaker_common_tags, {
+ nydfs_23 = "true"
+ })
}
control "sagemaker_notebook_instance_direct_internet_access_disabled" {
@@ -31,6 +33,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -56,6 +59,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
@@ -80,6 +84,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
diff --git a/conformance_pack/secretsmanager.pp b/conformance_pack/secretsmanager.pp
index 41b16187..6c298ce5 100644
--- a/conformance_pack/secretsmanager.pp
+++ b/conformance_pack/secretsmanager.pp
@@ -32,6 +32,7 @@
hipaa_security_rule_2003 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -49,6 +50,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
})
@@ -78,6 +80,7 @@
hipaa_final_omnibus_security_rule_2013 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
})
}
diff --git a/conformance_pack/securityhub.pp b/conformance_pack/securityhub.pp
index 50c6adac..cc0bc500 100644
--- a/conformance_pack/securityhub.pp
+++ b/conformance_pack/securityhub.pp
@@ -24,6 +24,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
diff --git a/conformance_pack/sns.pp b/conformance_pack/sns.pp
index b57df7d2..bfb04c86 100644
--- a/conformance_pack/sns.pp
+++ b/conformance_pack/sns.pp
@@ -21,6 +21,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
soc_2 = "true"
diff --git a/conformance_pack/ssm.pp b/conformance_pack/ssm.pp
index 17fdb473..362ef5c2 100644
--- a/conformance_pack/ssm.pp
+++ b/conformance_pack/ssm.pp
@@ -48,6 +48,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -93,6 +94,7 @@
hipaa_final_omnibus_security_rule_2013 = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
})
}
diff --git a/conformance_pack/vpc.pp b/conformance_pack/vpc.pp
index d458f595..ea43ad62 100644
--- a/conformance_pack/vpc.pp
+++ b/conformance_pack/vpc.pp
@@ -24,6 +24,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -83,6 +84,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -143,6 +145,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
soc_2 = "true"
@@ -169,6 +172,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -193,6 +197,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
@@ -215,6 +220,7 @@
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23_common_tags = "true"
rbi_itf_nbfc = "true"
})
}
@@ -263,6 +269,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
rbi_cyber_security = "true"
rbi_itf_nbfc = "true"
})
@@ -283,6 +290,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
+ nydfs_23 = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
})
@@ -366,7 +374,9 @@
description = "This control checks whether the VPC security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443."
query = query.vpc_security_group_allows_ingress_authorized_ports
- tags = local.conformance_pack_vpc_common_tags
+ tags = merge(local.conformance_pack_vpc_common_tags, {
+ nydfs_23 = "true"
+ })
}
control "vpc_security_group_allows_ingress_to_cassandra_ports" {
diff --git a/conformance_pack/wafv2.pp b/conformance_pack/wafv2.pp
index 211d3549..e36df09c 100644
--- a/conformance_pack/wafv2.pp
+++ b/conformance_pack/wafv2.pp
@@ -23,6 +23,7 @@
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
+ nydfs_23 = "true"
nist_csf = "true"
pci_dss_v321 = "true"
rbi_cyber_security = "true"
diff --git a/docs/index.md b/docs/index.md
index a58a8da3..ca7401cf 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod
-Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CIS AWS Compute Services`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA Final Omnibus Security Rule 2013`, `HIPAA Security Rule 2003`, `NIST 800-53`, `NIST CSF`, `NIST 800-172`, `PCI DSS`, `RBI Cyber Security Framework`, `SOC 2`, `Australian Cyber Security Center (ACSC) Essential Eight` and more across all your AWS accounts.
+Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CIS AWS Compute Services`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA Final Omnibus Security Rule 2013`, `HIPAA Security Rule 2003`, `NIST 800-53`, `NIST CSF`, `NIST 800-172`, `NYDFS 23`, `PCI DSS`, `RBI Cyber Security Framework`, `SOC 2`, `Australian Cyber Security Center (ACSC) Essential Eight` and more across all your AWS accounts.
diff --git a/nydfs_23/500_02.pp b/nydfs_23/500_02.pp
new file mode 100644
index 00000000..6d3db10f
--- /dev/null
+++ b/nydfs_23/500_02.pp
@@ -0,0 +1,170 @@
+benchmark "nydfs_23_500_02" {
+ title = "500.02 Cybersecurity Program"
+ description = "Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems. (b) The cybersecurity program shall be based on the covered entity’s risk assessment and designed to perform the following core cybersecurity functions: (1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems; (2) use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts; (3) detect cybersecurity events; (4) respond to identified or detected cybersecurity events to mitigate any negative effects; (5) recover from cybersecurity events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations. (c) A covered entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the covered entity. (d) All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the superintendent upon request."
+
+ children = [
+ benchmark.nydfs_23_500_02_a,
+ benchmark.nydfs_23_500_02_b_2,
+ benchmark.nydfs_23_500_02_b_3,
+ benchmark.nydfs_23_500_02_b_5
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_02_a" {
+ title = "500.02(a)"
+ description = "Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems."
+
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.backup_recovery_point_encryption_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.codebuild_project_artifact_encryption_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_encrypted_with_kms,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.kinesis_stream_server_side_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.opensearch_domain_encryption_at_rest_enabled,
+ control.opensearch_domain_node_to_node_encryption_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_object_lock_enabled,
+ control.s3_public_access_block_account,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.ssm_document_prohibit_public_access,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_02_b_2" {
+ title = "500.02(b)(2)"
+ description = "The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts."
+
+ children = [
+ control.apigateway_stage_use_waf_web_acl,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.elb_application_lb_waf_enabled,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_account_password_policy_strong_min_reuse_24,
+ control.iam_group_not_empty,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_no_policies,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.opensearch_domain_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.ssm_document_prohibit_public_access,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_allows_ingress_authorized_ports,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_02_b_3" {
+ title = "500.02(b)(3)"
+ description = "The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: detect Cybersecurity Events."
+
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.codebuild_project_logging_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.guardduty_enabled,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_02_b_5" {
+ title = "500.02(b)(5)"
+ description = "The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: detect Cybersecurity Events."
+
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
\ No newline at end of file
diff --git a/nydfs_23/500_06.pp b/nydfs_23/500_06.pp
new file mode 100644
index 00000000..009c8ba1
--- /dev/null
+++ b/nydfs_23/500_06.pp
@@ -0,0 +1,49 @@
+benchmark "nydfs_23_500_06" {
+ title = "500.06 Audit Trail"
+ description = "Each covered entity shall securely maintain systems that, to the extent applicable and based on its risk assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and (2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity. (b) Each covered entity shall maintain records required by paragraph (a)(1) of this section for not fewer than five years and shall maintain records required by paragraph (a)(2) of this section for not fewer than three years."
+
+ children = [
+ benchmark.nydfs_23_500_06_a,
+ benchmark.nydfs_23_500_06_b
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_06_a" {
+ title = "500.06(a)"
+ description = "Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity."
+
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_log_group_retention_period_365,
+ control.codebuild_project_logging_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_06_b" {
+ title = "500.06(b)"
+ description = "Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years."
+
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
diff --git a/nydfs_23/500_07.pp b/nydfs_23/500_07.pp
new file mode 100644
index 00000000..51879c4d
--- /dev/null
+++ b/nydfs_23/500_07.pp
@@ -0,0 +1,44 @@
+benchmark "nydfs_23_500_07" {
+ title = "500.07 Access Privileges and Management"
+ description = "As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges."
+
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_account_password_policy_strong_min_reuse_24,
+ control.iam_group_not_empty,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_no_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.opensearch_domain_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_policy_restrict_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.ssm_document_prohibit_public_access,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
diff --git a/nydfs_23/500_08.pp b/nydfs_23/500_08.pp
new file mode 100644
index 00000000..a67aa727
--- /dev/null
+++ b/nydfs_23/500_08.pp
@@ -0,0 +1,23 @@
+benchmark "nydfs_23_500_08" {
+ title = "500.08 Application Security"
+ description = "Application security Requirement: (b) All such procedures, guidelines and standards shall be reviewed, assessed and updated as necessary by the CISO (or aqualified designee) of the covered entity at least annually."
+
+ children = [
+ benchmark.nydfs_23_500_08_a
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_08_a" {
+ title = "500.08(a)"
+ description = "Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment."
+
+ children = [
+ control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values,
+ control.codebuild_project_source_repo_oauth_configured
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
diff --git a/nydfs_23/500_12.pp b/nydfs_23/500_12.pp
new file mode 100644
index 00000000..ce483b5a
--- /dev/null
+++ b/nydfs_23/500_12.pp
@@ -0,0 +1,15 @@
+benchmark "nydfs_23_500_12" {
+ title = "500.12 Multi-factor Authentication"
+ description = "Multi-factor authentication Requirement: (a) Multifactor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for: (1) remote access to the covered entity’s information systems; (2) remote access to thirdparty applications, including but not limited to those that are cloud based, from which nonpublic information is accessible."
+
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
diff --git a/nydfs_23/500_14.pp b/nydfs_23/500_14.pp
new file mode 100644
index 00000000..bafc5b8c
--- /dev/null
+++ b/nydfs_23/500_14.pp
@@ -0,0 +1,41 @@
+benchmark "nydfs_23_500_14" {
+ title = "500.14 Monitoring and Training"
+ description = "As part of its cybersecurity program, each covered entity shall: (a) implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users; and (b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment."
+
+ children = [
+ benchmark.nydfs_23_500_14_a
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_14_a" {
+ title = "500.14(a)"
+ description = "Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users."
+
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled_check,
+ control.cloudwatch_log_group_retention_period_365,
+ control.codebuild_project_logging_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.guardduty_enabled,
+ control.opensearch_domain_audit_logging_enabled,
+ control.opensearch_domain_logs_to_cloudwatch,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_audit_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
diff --git a/nydfs_23/500_15.pp b/nydfs_23/500_15.pp
new file mode 100644
index 00000000..75b013f8
--- /dev/null
+++ b/nydfs_23/500_15.pp
@@ -0,0 +1,53 @@
+benchmark "nydfs_23_500_15" {
+ title = "500.15 Encryption of Nonpublic Information"
+ description = "Encryption of nonpublic information Requirement: (a) As part of its cybersecurity program, each covered entity shall implement a written policy requiring encryption that meets industry standards, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest."
+
+ children = [
+ benchmark.nydfs_23_500_15_a
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
+benchmark "nydfs_23_500_15_a" {
+ title = "500.15(a)"
+ description = "As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest."
+
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.backup_recovery_point_encryption_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.codebuild_project_artifact_encryption_enabled,
+ control.dynamodb_table_encrypted_with_kms,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ebs_encryption_by_default_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.kinesis_stream_server_side_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.opensearch_domain_encryption_at_rest_enabled,
+ control.opensearch_domain_node_to_node_encryption_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nydfs_23_common_tags
+}
+
diff --git a/nydfs_23/docs/nydfs_23_overview.md b/nydfs_23/docs/nydfs_23_overview.md
new file mode 100644
index 00000000..a74fc0bb
--- /dev/null
+++ b/nydfs_23/docs/nydfs_23_overview.md
@@ -0,0 +1,18 @@
+## Overview
+
+Around the world, financial institutions (FIs) use Amazon Web Services (AWS) to modernize and automate their core applications, including mobile applications, regulatory reporting, and market analysis. Through continuous innovation, AWS makes strong security available to FIs globally, along with a deep set of services and features, industry expertise, and the [AWS Partner Network](https://aws.amazon.com/partners/). AWS empowers FIs to modernize their technology infrastructure, meet rapidly changing customer behaviors and expectations, and drive business growth. AWS offers IT services in categories from compute, storage, database, and networking to artificial intelligence and machine learning.
+
+Effective March 1, 2017, the New York State Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation with cybersecurity requirements for financial services companies (Cybersecurity Regulation or Part 500). The entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (Covered Entities).
+
+This guide is a resource to help Covered Entities understand technical and operational requirements for the use of AWS services. This guide includes a description of the tools and security features offered by AWS that Covered Entities can use to assist them with compliance with requirements in the Second Amendment to NYDFS Cybersecurity Regulation Part 500 of Title 23 (NYDFS Cybersecurity Regulation).
+
+
+This guide does not undertake a full analysis of the NYDFS Cybersecurity Regulation. The sections in the following list provide information on AWS services, features, and resources that can help Covered Entities support their regulatory objectives under the NYDFS Cybersecurity Regulation.
+
+- Security and shared responsibility: It is important that Covered Entities understand the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) before evaluating the specific technical and operational requirements outlined in the NYDFS Cybersecurity Regulation. The AWS Shared Responsibility Model is fundamental to understanding the respective roles of the Covered Entity and AWS with respect to security and information access.
+
+- AWS Compliance Programs: AWS has obtained certifications and third-party attestations for a variety of industry-specific and general workloads. AWS has also developed [Compliance Programs](https://aws.amazon.com/compliance/programs/) to make these resources available to customers. Customers can take advantage of AWS Compliance Programs to help satisfy their regulatory objectives.
+
+- AWS Global Cloud Infrastructure: The [AWS Global Cloud Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/) comprises [AWS Regions and Availability Zones](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/). The AWS Global Cloud Infrastructure offers AWS customers a way to design and operate applications and databases, making them more available, fault tolerant, and scalable than traditional on-premises environments. AWS customers can use the AWS Global Cloud Infrastructure to help them design an AWS environment consistent with their business and regulatory objectives.
+
+- Appendix: Considerations on the Second Amendment to NYDFS Cybersecurity Regulation Describes considerations for Covered Entities that use AWS and describes how Covered Entities can use AWS services and tools to support their regulatory objectives under the NYDFS Cybersecurity Regulation.
\ No newline at end of file
diff --git a/nydfs_23/nydfs_23.pp b/nydfs_23/nydfs_23.pp
new file mode 100644
index 00000000..ac87ec56
--- /dev/null
+++ b/nydfs_23/nydfs_23.pp
@@ -0,0 +1,23 @@
+locals {
+ nydfs_23_common_tags = merge(local.aws_compliance_common_tags, {
+ nydfs_23 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "nydfs_23" {
+ title = "NYDFS 23"
+ description = "The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions."
+ documentation = file("./nydfs_23/docs/nydfs_23_overview.md")
+ children = [
+ benchmark.nydfs_23_500_02,
+ benchmark.nydfs_23_500_06,
+ benchmark.nydfs_23_500_07,
+ benchmark.nydfs_23_500_08,
+ benchmark.nydfs_23_500_12,
+ benchmark.nydfs_23_500_14,
+ benchmark.nydfs_23_500_15
+ ]
+
+ tags = local.nydfs_23_common_tags
+}