PCI DSS v4.0.1 - AWS
This page lists all 160 policies in the PCI DSS v4.0.1 pack for AWS.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| environment-separation-tagging | Ensures that resources are tagged to distinguish between production and non-production environments | A1.1.2 | A1.1.2: Controls are implemented such that each customer only has permission to access its own cardholder data and CDE |
| athena-workgroup-enforce-configuration | Checks that Athena Workgroups enforce their configuration to their clients. | 1.2.8 | 1.2.8: Configuration files for NSCs are secured from unauthorized access and are kept consistent with active network configurations |
| database-strict-network-access | Ensures RDS instances have strict network access controls | 1.3.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied |
| security-group-ssh-rdp-ingress-restricted | Ensures security groups do not allow SSH/RDP ingress from the internet | 1.3.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied |
| security-group-default-deny | Ensures security groups follow strict firewall rules with default deny | 1.3.1; 1.3.2; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.3.2: Outbound traffic from the CDE is restricted; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| redshift-enhanced-vpc-routing-enabled | Ensures Redshift clusters have enhanced VPC routing enabled for network isolation. | 1.3.1; 1.3.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.3.2: Outbound traffic from the CDE is restricted |
| ec2-vpc-placement-required | EC2 instances must be placed in VPC for network isolation | 1.3.1; 1.4.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.1: NSCs are implemented between trusted and untrusted networks * |
| lambda-vpc-placement-required | Lambda functions must be deployed in VPC for network isolation and security | 1.3.1; 1.4.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.1: NSCs are implemented between trusted and untrusted networks * |
| rds-private-subnet-validation | Validates that RDS DB subnet groups contain only private subnets | 1.3.1; 1.4.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.1: NSCs are implemented between trusted and untrusted networks * |
| elasticsearch-vpc-required | Elasticsearch domains must be deployed in VPC for network isolation | 1.3.1; 1.4.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.1: NSCs are implemented between trusted and untrusted networks * |
| ec2-instance-disallow-public-ip | Checks that EC2 instances do not have a public IP address. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| ec2-launch-configuration-disallow-public-ip | Checks that EC2 Launch Configurations do not have a public IP address. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| ec2-launch-template-disallow-public-ip | Checks that EC2 Launch Templates do not have public IP addresses. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| emr-no-public-ip | EMR clusters must not be deployed in public subnets that auto-assign public IP addresses | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| sagemaker-notebook-internet-access-disabled | Ensures SageMaker notebook instances have direct internet access disabled. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| vpc-route-table-internet-gateway-restricted | Ensures VPC route tables restrict public access to internet gateways appropriately. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| vpc-subnet-auto-assign-public-ip-disabled | Ensures VPC subnets have auto-assign public IP disabled to prevent unintended internet exposure. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| eks-cluster-disallow-api-endpoint-public-access | Checks that EKS Cluster API endpoints are not publicly accessible. | 1.3.1; 1.4.2 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| ec2-security-group-disallow-inbound-http-traffic | Check that EC2 Security Groups do not allow inbound HTTP traffic. | 1.3.1; 4.2.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| vpc-endpoint-security-policy | Ensures that VPC endpoints are associated with security policies that limit access to specified resources | 1.3.1; 7.3.1 | 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| database-strict-egress | Ensures database security groups have strict egress controls | 1.3.2 | 1.3.2: Outbound traffic from the CDE is restricted |
| security-group-egress-restriction | Ensures security groups restrict egress traffic with default deny principles | 1.3.2 | 1.3.2: Outbound traffic from the CDE is restricted |
| security-group-ssh-rdp-egress-restricted | Enforces strict egress restrictions for SSH and RDP traffic in security groups | 1.3.2 | 1.3.2: Outbound traffic from the CDE is restricted |
| rds-instance-disallow-public-access | Checks that RDS Instance public access is not enabled. | 1.4.1; 1.4.2 | 1.4.1: NSCs are implemented between trusted and untrusted networks *; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| rds-cluster-instance-disallow-public-access | Checks that RDS Cluster Instances public access is not enabled. | 1.4.1; 1.4.2 | 1.4.1: NSCs are implemented between trusted and untrusted networks *; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| neptune-clusterinstance-no-public-access | Checks that Neptune Cluster Instances public access is not enabled. | 1.4.1; 1.4.2 | 1.4.1: NSCs are implemented between trusted and untrusted networks *; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| dms-no-public-access | Ensures DMS replication instances are not publicly accessible to maintain security. | 1.4.1; 1.4.2 | 1.4.1: NSCs are implemented between trusted and untrusted networks *; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| redshift-public-access-prohibited | Ensures Redshift clusters prohibit public access to prevent unauthorized connections. | 1.4.1; 1.4.2 | 1.4.1: NSCs are implemented between trusted and untrusted networks *; 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted |
| s3-bucket-disallow-public-read | Checks that S3 Bucket ACLs don’t allow ‘public-read’ or ‘public-read-write’ or ‘authenticated-read’. | 1.4.2; 7.3.1 | 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| s3-bucket-public-access-block-required | Ensures each S3 bucket has a public access block with all settings enabled | 1.4.2; 7.3.1 | 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| lambda-public-access-restricted | Lambda functions must restrict public access through resource-based policies | 1.4.2; 7.3.1 | 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| anti-spoofing-measures | Ensures AWS Network Firewall policies are configured with anti-spoofing measures to detect and block forged source IP addresses | 1.4.3 | 1.4.3: Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network * |
| internal-ip-disclosure-prevention | Ensures internal IP addresses are not disclosed through public-facing edge services | 1.4.5 | 1.4.5: The disclosure of internal IP addresses and routing information is limited to only authorized parties * |
| s3-bucket-ssl-enforcement-required | S3 buckets must enforce SSL/TLS for all requests to ensure encryption in transit | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| elasticsearch-node-to-node-encryption-enabled | Elasticsearch domains must have node-to-node encryption enabled | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| redshift-ssl-required | Ensures Redshift clusters have encryption in transit enabled through SSL parameter configuration. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| cloudfront-distribution-configure-secure-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS 1.2 encryption only. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| cloudfront-distribution-enable-tls-to-origin | Checks that CloudFront distributions communicate with custom origins using TLS encryption. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| api-gateway-ssl-certificate-required | Ensures API Gateway REST API stages have client certificates configured for SSL/TLS authentication to protect data in transit. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| api-gateway-domain-name-configure-security-policy | Checks that ApiGateway Domain Name Security Policy uses secure/modern TLS encryption. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| api-gateway-v2-domain-name-configure-domain-name-security-policy | Checks that any ApiGatewayV2 Domain Name Security Policy uses secure/modern TLS encryption. | 2.2.7; 4.2.1 | 2.2.7: All non-console administrative access is encrypted using strong cryptography *; 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| s3-bucket-lifecycle | Ensures each S3 bucket has lifecycle rules configured for retention/disposal | 3.2.1 | 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes |
| ebs-unused-volumes-prohibited | EBS volumes must be removed when unused | 3.2.1 | 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes |
| kinesis-stream-retention | Ensures Kinesis streams have retention periods configured | 3.2.1 | 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes |
| sqs-message-retention | Ensures SQS queues have message retention periods configured | 3.2.1 | 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes |
| no-hardcoded-secrets | Ensures EC2 instances do not contain hardcoded secrets | 3.3.2; 8.3.2 | 3.3.2: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography; 8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components |
| ec2-instance-disallow-unencrypted-block-device | Checks that EC2 instances do not have unencrypted block devices. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ec2-instance-disallow-unencrypted-root-block-device | Checks that EC2 instances do not have unencrypted root volumes. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ec2-launch-configuration-disallow-unencrypted-block-device | Checks that EC2 Launch Configurations do not have unencrypted block devices. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ec2-launch-configuration-disallow-unencrypted-root-block-device | Checks that EC2 Launch Configurations do not have an unencrypted root block device. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ec2-launch-template-disallow-unencrypted-block-device | Checks that EC2 Launch Templates do not have unencrypted block devices. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| lambda-environment-variables-encryption | Ensures that all Lambda functions have their environment variables encrypted using AWS KMS | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| sagemaker-endpoint-kms-encryption-enabled | Ensures SageMaker endpoint configurations have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| sagemaker-notebook-kms-encryption-enabled | Ensures SageMaker notebook instances have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| dynamodb-kms-encryption-enabled | Ensures DynamoDB tables have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| rds-cluster-disallow-unencrypted-storage | Checks that RDS Cluster storage is encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| rds-instance-disallow-unencrypted-storage | Checks that RDS instance storage is encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| elasticsearch-encryption-enabled | Elasticsearch domains must have encryption at rest enabled | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| redshift-kms-encryption-enabled | Ensures Redshift clusters have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| athena-database-disallow-unencrypted-database | Checks that Athena Database storage is encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| athena-workgroup-disallow-unencrypted-workgroup | Checks that Athena Workgroups are encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ebs-volume-disallow-unencrypted-volume | Checks that EBS volumes are encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| ecr-repository-disallow-unencrypted-repository | Checks that ECR Repositories are encrypted. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| efs-file-system-disallow-unencrypted-file-system | Checks that EFS File Systems do not have an unencrypted file system. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| eks-cluster-enable-cluster-encryption-config | Checks that EKS Cluster Encryption Config is enabled. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| cloudtrail-kms-encryption-enabled | Ensures CloudTrail trails have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| cloudwatch-log-group-kms-encryption-enabled | Ensures CloudWatch log groups have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| api-gateway-cache-encryption-enabled | Ensures API Gateway method settings have cache data encryption enabled when caching is configured. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| sns-kms-encryption-enabled | Ensures SNS topics have encryption enabled using KMS keys. | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| sqs-encryption | Ensures SQS queues have server-side encryption enabled | 3.5.1; 3.6.1 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure |
| s3-bucket-encryption | S3 buckets must have server-side encryption configured using the BucketServerSideEncryptionConfiguration resource | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| appflow-connector-profile-configure-customer-managed-key | Checks that AppFlow ConnectorProfiles use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| appflow-flow-configure-customer-managed-key | Checks that AppFlow Flows use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| athena-database-configure-customer-managed-key | Checks that Athena Database storage uses a customer-managed key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| athena-workgroup-configure-customer-managed-key | Checks that Athena Workgroups use a customer-managed key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| ebs-volume-configure-customer-managed-key | Checks that encrypted EBS volumes use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| ec2-launch-template-configure-customer-managed-key | Checks that encrypted EBS volumes defined in EC2 Launch Templates use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| ecr-repository-configure-customer-managed-key | Checks that ECR repositories use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| efs-file-system-configure-customer-managed-key | Checks that encrypted EFS File Systems use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| rds-cluster-configure-customer-managed-key | Checks that RDS Cluster storage uses a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| rds-instance-configure-customer-managed-key | Checks that RDS Instance storage uses a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| secrets-manager-secret-configure-customer-managed-key | Checks that Secrets Manager Secrets use a customer-managed KMS key. | 3.5.1; 3.6.1; 3.6.1.2 | 3.5.1: PAN is rendered unreadable anywhere it is stored; 3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure; 3.6.1.2: Secret and private keys used to protect stored account data |
| kms-grant-access-control | Validates KMS grants for least privilege access control | 3.6.1.3; 7.2.2 | 3.6.1.3: Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary; 7.2.2: Access is assigned to users, including privileged users |
| kms-key-policy-access-control | Validates KMS key policies for least privilege and separation of duties | 3.6.1.3; 7.2.2 | 3.6.1.3: Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary; 7.2.2: Access is assigned to users, including privileged users |
| kms-key-creation | Validates KMS key creation with appropriate specifications and origins | 3.7.1; 3.7.2 | 3.7.1: Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data; 3.7.2: Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data |
| kms-key-rotation-enabled | Checks that KMS Keys have key rotation enabled. | 3.7.4 | 3.7.4: Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner |
| secrets-manager-rotation-required | Ensures Secrets Manager secrets have automatic rotation enabled with proper scheduling and frequency limits. | 3.7.4 | 3.7.4: Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner |
| kms-key-deletion-protection | Validates KMS key deletion windows and lifecycle management | 3.7.5 | 3.7.5: Key management policies and procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data * |
| elasticsearch-https-required | Elasticsearch domains must require HTTPS for client connections | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| rds-instance-ssl-encryption | Ensures RDS instances have SSL/TLS encryption enabled through parameter group configuration | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| rds-clusterinstance-ssl-encryption | Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| cloudfront-distribution-configure-secure-tls | Checks that CloudFront distributions use secure/modern TLS encryption. | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| cloudfront-distribution-disallow-unencrypted-traffic | Checks that CloudFront distributions only allow encrypted ingress traffic. | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| elb-load-balancer-disallow-unencrypted-traffic | Checks that ELB Load Balancers do not allow unencrypted (HTTP) traffic. | 4.2.1 | 4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks * |
| elasticbeanstalk-managed-updates-enabled | Elastic Beanstalk environments must have managed platform updates enabled | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| lambda-runtime-restrictions | Ensures that AWS Lambda functions are created only with approved runtime versions | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| rds-instance-managed-service-patching | Ensures RDS instances have automated minor version upgrades enabled | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| rds-clusterinstance-managed-service-patching | Ensures RDS cluster instances have automated minor version upgrades enabled | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| neptune-clusterinstance-managed-service-patching | Ensures Neptune cluster instances have automated minor version upgrades enabled | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| docdb-clusterinstance-managed-service-patching | Ensures DocumentDB cluster instances have automated minor version upgrades enabled | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| redshift-maintenance-required | Ensures Redshift clusters have proper maintenance settings configured for automated updates. | 6.3.3 | 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates * |
| waf-association-validation | Validates WAF Web ACL associations are properly configured | 6.4.2 | 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks |
| cloudfront-distribution-configure-waf | Checks that any CloudFront distribution has a WAF ACL associated. | 6.4.2 | 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks |
| api-gateway-waf-enabled | Ensures API Gateway stages have WAF Web ACL associations for protection against web attacks. | 6.4.2 | 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks |
| iam-user-group-membership-required | IAM users must be members of groups for proper access management | 7.2.1; 7.2.2 | 7.2.1: An access control model is defined and includes granting access; 7.2.2: Access is assigned to users, including privileged users |
| api-gateway-authorization | Ensures API Gateway methods use strong authorization instead of NONE | 7.2.1; 7.2.2 | 7.2.1: An access control model is defined and includes granting access; 7.2.2: Access is assigned to users, including privileged users |
| s3-bucket-least-privilege | Prevents overly permissive S3 bucket policies | 7.2.1; 7.2.2; 7.3.1 | 7.2.1: An access control model is defined and includes granting access; 7.2.2: Access is assigned to users, including privileged users; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| pubsub-least-privilege-iam | Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis) | 7.2.1; 7.2.2; 7.3.1 | 7.2.1: An access control model is defined and includes granting access; 7.2.2: Access is assigned to users, including privileged users; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| ecs-task-non-privileged-required | ECS task definitions must use non-privileged user for host mode | 7.2.2 | 7.2.2: Access is assigned to users, including privileged users |
| iam-user-policy-least-privilege | Ensures IAM user policies follow least privilege principles | 7.2.2; 7.3.1 | 7.2.2: Access is assigned to users, including privileged users; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| lambda-permission-configure-source-arn | Checks that lambda function permissions have a source arn specified. | 7.2.2; 7.3.1 | 7.2.2: Access is assigned to users, including privileged users; 7.3.1: An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components |
| ec2-iam-profile-required | EC2 instances must have IAM profile attached | 7.2.2; 8.2.1 | 7.2.2: Access is assigned to users, including privileged users; 8.2.1: All users are assigned a unique ID before access to system components or cardholder data is allowed * |
| no-direct-user-access-keys | Prevents creation of direct IAM user access keys for human users | 7.2.2; 8.2.1 | 7.2.2: Access is assigned to users, including privileged users; 8.2.1: All users are assigned a unique ID before access to system components or cardholder data is allowed * |
| iam-user-policy-restriction | IAM user policies (inline policy attachments) should not be used | 7.2.3; 7.2.4 | 7.2.3: Required privileges are approved by authorized personnel *; 7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed * |
| iam-user-policy-attachment-prohibited | IAM users must not have directly attached policies | 7.2.3; 7.2.4 | 7.2.3: Required privileges are approved by authorized personnel *; 7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed * |
| rds-iam-authentication | Ensures RDS instances have IAM database authentication enabled | 8.2.1 | 8.2.1: All users are assigned a unique ID before access to system components or cardholder data is allowed * |
| restrict-default-iam-user-creation | Ensures that default IAM user accounts are not allowed to be created | 8.2.1; 8.2.2 | 8.2.1: All users are assigned a unique ID before access to system components or cardholder data is allowed *; 8.2.2: Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed |
| iam-role-session-duration | Enforces maximum session duration for IAM roles | 8.2.8 | 8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session |
| rds-secure-master-credentials | Ensures RDS instances use secure credential management instead of hardcoded passwords | 8.3.2; 8.6.3 | 8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components; 8.6.3: Passwords/passphrases for any application and system accounts are protected against misuse |
| iam-password-complexity | IAM password policy must require character complexity (lowercase, uppercase, numbers, symbols) | 8.3.6 | 8.3.6: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.6, they meet the minimum level of complexity * |
| iam-password-policy-minimum-length | Ensures IAM password policy requires a minimum length of 14 or greater. | 8.3.6 | 8.3.6: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.6, they meet the minimum level of complexity * |
| iam-password-policy-prevent-reuse | Ensures IAM password policy prevents password reuse. | 8.3.7 | 8.3.7: Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used * |
| iam-password-expiration | IAM password policy must expire passwords | 8.3.9 | 8.3.9: If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: • Passwords/passphrases are changed at least once every 90 days, OR • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly. * |
| iam-role-assume-role-mfa-enforcement | Ensures IAM roles require MFA when assumed by human users (not AWS services) | 8.4.2; 8.4.3 | 8.4.2: MFA is implemented for all non-console access into the CDE *; 8.4.3: MFA is implemented for all remote access originating from outside the entity’s network that could access or impact the CDE * |
| iam-user-mfa-console-access | Ensures IAM users with console access have MFA devices | 8.4.2; 8.4.3 | 8.4.2: MFA is implemented for all non-console access into the CDE *; 8.4.3: MFA is implemented for all remote access originating from outside the entity’s network that could access or impact the CDE * |
| ec2-monitoring-enabled | EC2 instances must have detailed monitoring enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| elasticbeanstalk-health-reporting-enabled | Elastic Beanstalk must have enhanced health reporting enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| lambda-function-logging | Ensures that all AWS Lambda functions have logging enabled to track output data processing | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| rds-audit-logging | Ensures RDS instances have audit logging enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| rds-instance-enhanced-monitoring | RDS database instances must have enhanced monitoring enabled to provide detailed system-level metrics | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| rds-clusterinstance-enhanced-monitoring | RDS cluster instances must have enhanced monitoring enabled to provide detailed system-level metrics | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| redshift-logging-enabled | Ensures Redshift clusters have logging configurations enabled for audit and monitoring purposes. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| wafv2-logging-enabled | Ensures WAFv2 Web ACLs have logging configurations enabled for audit and monitoring purposes. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| vpc-flow-logs | Ensures VPC flow logs use approved destinations for centralized monitoring | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| vpc-subnet-flow-logs | Ensures all VPCs and subnets have flow logs enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| cloudfront-distribution-configure-access-logging | Checks that any CloudFront distributions have access logging configured. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| elb-load-balancer-configure-access-logging | Checks that ELB Load Balancers use access logging. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| cloudtrail-multi-region-enabled | Ensures CloudTrail trails are configured as multi-region trails for comprehensive audit coverage. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| config-recorder-enabled | Ensures AWS Config configuration recorders are enabled for tracking and auditing resource changes. | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| api-gateway-access-logging-enabled | Ensures API Gateway stages have access logging enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| api-gateway-v2-access-logging | Ensures API Gateway V2 stages have access logging enabled | 10.2.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data |
| audit-admin-actions-logged | Ensures CloudTrail captures all administrative actions | 10.2.1.2; 10.2.1.5; 10.2.1.6; 10.2.1.7 | 10.2.1.2: Audit logs capture all actions taken by any individual with administrative access *; 10.2.1.5: Audit logs capture creation and deletion of system-level objects *; 10.2.1.6: Audit logs capture initialization, stopping, or pausing of the audit logs *; 10.2.1.7: Audit logs capture creation and deletion of system-level objects * |
| audit-log-access-logged | Ensures CloudTrail has S3 data events logging enabled for all S3 buckets | 10.2.1.3 | 10.2.1.3: Audit logs capture all access to audit logs * |
| cloudtrail-s3-data-events-enabled | Ensures CloudTrail trails have S3 data events enabled for comprehensive object-level logging. | 10.2.1; 10.2.1.1 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data; 10.2.1.1: Audit logs capture all individual user access to cardholder data * |
| cloudtrail-enabled | Ensures CloudTrail is enabled with at least one active trail for audit logging. | 10.2.1; 10.2.1.4 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data; 10.2.1.4: Audit logs capture all invalid access attempts * |
| s3-bucket-access-logging | Ensures each S3 bucket has access logging enabled | 10.2.1; 10.3.3 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data; 10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify |
| elasticsearch-cloudwatch-logging-enabled | Elasticsearch domains must send logs to CloudWatch for audit tracking | 10.2.1; 10.3.3 | 10.2.1: Audit logs are enabled and active for all system components and cardholder data; 10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify |
| cloudtrail-s3-bucket-public-access-denied | Ensures S3 buckets used for CloudTrail logging deny public access to protect audit information. | 10.3.2 | 10.3.2: Audit log files are protected to prevent modifications by individuals * |
| cloudtrail-cloudwatch-logs-integration | Ensures CloudTrail trails have CloudWatch Logs integration enabled for real-time monitoring and analysis. | 10.3.3 | 10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify |
| cloudtrail-log-file-validation-enabled | Ensures CloudTrail trails have log file validation enabled to protect audit log integrity. | 10.3.4 | 10.3.4: File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts * |
| security-hub-enabled | Ensures AWS Security Hub is enabled for continuous monitoring and security assessment. | 10.4.1; 10.4.1.1 | 10.4.1: Potentially suspicious or anomalous activities are quickly identified to minimize impact *; 10.4.1.1: Automated mechanisms are used to perform audit log reviews * |
| config-rule-auto-remediation-enabled | Ensures AWS Config rules have automatic remediation configured for integrity violations. | 10.4.3 | 10.4.3: Exceptions and anomalies identified during the review process are addressed * |
| cloudwatch-log-retention | Ensures CloudWatch log groups have appropriate retention periods for compliance. | 10.5.1 | 10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis * |
| config-snapshot-retention | Ensures AWS Config retention configuration meets minimum 7-year requirement for compliance auditing. | 10.5.1 | 10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis * |
| cloudwatch-alarms-actions-required | Ensures CloudWatch alarms have actions enabled and configured for proper incident response. | 10.7.2; 12.10.5 | 10.7.2: Failures in critical security control systems are promptly identified and addressed *; 12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems * |
| ecs-task-definition-image-scanning | Ensures ECS task definitions use images from repositories with vulnerability scanning | 11.3.1 | 11.3.1: Internal vulnerability scans are performed |
| guardduty-malware-detection-enabled | Ensures AWS GuardDuty is enabled with malware detection capabilities for threat protection. | 11.5.1 | 11.5.1: Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network * |
| dynamodb-streams-enabled | Enforces that all DynamoDB tables have Stream settings enabled to capture all changes | 11.5.2 | 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed |
| ecr-repository-disallow-mutable-image | Checks that ECR Repositories have immutable images enabled. | 11.5.2 | 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed |
| resource-tagging | Ensures all AWS resources must include tags for proper change tracking | 11.5.2 | 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed |