Payment Card Industry Data Security Standard (PCI DSS) - AWS Security Hub

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) in Security Hub provides a set of AWS security best practices for handling cardholder data. You can use this standard to discover security vulnerabilities in resources that handle cardholder data. Security Hub currently scopes the controls at the account level. We recommend that you enable these controls in all of your accounts that have resources that store, process, or transmit cardholder data.

This standard was validated by AWS Security Assurance Services LLC (AWS SAS), a team of Qualified Security Assessors (QSAs) certified by the PCI DSS Security Standards Council (PCI SSC) to provide PCI DSS guidance and assessments. AWS SAS has confirmed that the automated checks can assist a customer in preparing for a PCI DSS assessment.

Controls that apply to PCI DSS

[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.3] CloudTrail should be enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[Config.1] AWS Config should be enabled

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be publicly restorable

[EC2.12] Unused Amazon EC2 EIPs should be removed

[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[EC2.2] The VPC default security group should not allow inbound and outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[ES.1] Elasticsearch domains should have encryption at-rest enabled

[ES.2] Elasticsearch domains should be in a VPC

[GuardDuty.1] GuardDuty should be enabled

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.10] Password policies for IAM users should have strong AWS Configurations

[IAM.19] MFA should be enabled for all IAM users

[IAM.2] IAM users should not have IAM policies attached

[IAM.4] IAM root user access key should not exist

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.8] Unused IAM user credentials should be removed

[IAM.9] Virtual MFA should be enabled for the root user

[KMS.4] AWS KMS key rotation should be enabled

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.3] Lambda functions should be in a VPC

[Opensearch.1] OpenSearch domains should have encryption at rest enabled

[Opensearch.2] OpenSearch domains should be in a VPC

[RDS.1] RDS snapshot should be private

[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible AWS Configuration

[Redshift.1] Amazon Redshift clusters should prohibit public access

[S3.1] S3 Block Public Access setting should be enabled

[S3.2] S3 buckets should prohibit public read access

[S3.3] S3 buckets should prohibit public write access

[S3.4] S3 buckets should have server-side encryption enabled

[S3.5] S3 buckets should require requests to use Secure Socket Layer

[S3.7] S3 buckets should have cross-Region replication enabled

[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager

[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT