Mesta
infrastructure

Production data access monitored

All production data access is logged and monitored for anomalies.

Passing, Low Risk, Semi-Automated
Owner: Infrastructure Team
Last Tested: 10/6/2025
Test Frequency: Continuous
Maturity Level: Level 4 / 5

Framework Mappings

Evidence (16)

EKS Clusters have audit logs enabled
This test verifies that all audit log types (API server, audit, authenticator, controller manager, scheduler) are enabled for your AWS EKS clusters, ensuring comprehensive audit logging for security and compliance purposes.
READY FOR AUDIT
LOGGING, TEST
VPC Flow Logs enabled
This test checks whether your AWS Virtual Private Clouds (VPCs) have VPC Flow Logs enabled for network traffic monitoring.
READY FOR AUDIT
LOGGING, TEST
CloudTrail enabled
This test verifies that CloudTrail is enabled on all AWS accounts within your organization.
READY FOR AUDIT
LOGGING, TEST
Company uses Vanta for continuous security monitoring
Automatically passes.
READY FOR AUDIT
INFRASTRUCTURE, TEST
Only authorized users can access logging buckets
Verifies that no AWS S3 logging buckets grant access to the built-in AWS groups AllUsers or AuthenticatedUsers.
READY FOR AUDIT
LOGGING, TEST
S3 server access logs enabled
This test verifies that there is at least one AWS S3 bucket configured as a central storage destination for CloudTrail event logging or S3 server access logging.
READY FOR AUDIT
LOGGING, TEST
Server logs retained for 365 days (AWS)
This test verifies that AWS CloudWatch Log Groups are configured to retain logs for at least 365 days or are set to unlimited retention.
READY FOR AUDIT
LOGGING, TEST
SQL database CPU monitored
Checks that all Amazon RDS database instances have CloudWatch alarms configured to monitor CPU utilization.
READY FOR AUDIT
MONITORING ALERTS, TEST
SQL database freeable memory monitored (AWS)
Verifies that all Amazon RDS instances have associated AWS CloudWatch alarms configured to monitor the `FreeableMemory` metric.
READY FOR AUDIT
MONITORING ALERTS, TEST
Database IO monitored (AWS)
This test verifies that Amazon RDS databases have CloudWatch alarms configured for at least one key Input/Output (IO) performance metric (such as `DiskQueueDepth`, `WriteIOPS`, `ReadIOPS`, `VolumeWriteIOPs`, `VolumeReadIOPs`).
READY FOR AUDIT
MONITORING ALERTS, TEST
NoSQL database read capacity monitored (AWS)
This test verifies whether each AWS DynamoDB table has a configured CloudWatch alarm for monitoring the `ConsumedReadCapacityUnits` metric.
READY FOR AUDIT
MONITORING ALERTS, TEST
NoSQL database write capacity monitored (AWS)
This test verifies whether each AWS DynamoDB table has a configured CloudWatch alarm for monitoring the `ConsumedWriteCapacityUnits` metric.
READY FOR AUDIT
MONITORING ALERTS, TEST
SSL/TLS on admin page of infrastructure console
This test confirms that all AWS service API endpoints enforce encryption via TLS (Transport Layer Security) by default. This ensures secure communication between your administrators and AWS infrastructure services.
READY FOR AUDIT
MONITORING ALERTS, TEST
Serverless function error rate monitored (AWS)
This test verifies that all AWS Lambda functions have CloudWatch alarms configured to monitor their Errors metric—either individually per function or globally for all functions.
READY FOR AUDIT
MONITORING ALERTS, TEST
Server CPU monitored (AWS)
This test verifies whether all AWS EC2 instances have a CloudWatch alarm set specifically for the `CPUUtilization` metric to ensure proper monitoring and alerts in case of high CPU usage.
READY FOR AUDIT
MONITORING ALERTS, TEST
Messaging queue message age monitored
This test verifies that all AWS SQS queues have appropriate CloudWatch alarms configured to monitor the `ApproximateAgeOfOldestMessage` metric, which indicates message processing delays or potential queue blockages.
READY FOR AUDIT
MONITORING ALERTS, TEST

Related Policies

Control Information

Control ID: production-data-access-monitored
Category: INFRASTRUCTURE
Family: infrastructure
Last Updated: 10/6/2025