Operational Best Practices for PCI DSS 4.0 (Including global resource types) - AWS Config

Conformance packs provide a general-purpose compliance framework designed to enable you to create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. Conformance Packs, as sample templates, are not designed to fully ensure compliance with a specific governance or compliance standard. You are responsible for making your own assessment of whether your use of the Services meets applicable legal and regulatory requirements.

The following provides a sample mapping between the Payment Card Industry Data Security Standard (PCI DSS) 4.0 (Excluding global resource types) and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource, and relates to one or more PCI DSS controls. A PCI DSS control can be related to multiple Config rules. Refer to the table below for more detail and guidance related to these mappings.

Columns: Control ID | Control Description | AWS Config Rule | Guidance
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-security-policy-check

Ensure that Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-sni-enabled

Ensure that Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

transfer-family-server-no-ftp

Ensure that a server created with AWS Transfer Family does not use FTP for endpoint connection. The rule is NON_COMPLIANT if the server protocol for endpoint connection is FTP-enabled.
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
1.2.5 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that incoming SSH traffic to the security groups is restricted. The rule is COMPLIANT if the source IP addresses of incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0 or ::/0). Otherwise, it is NON_COMPLIANT.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true but ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are restricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that the AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
1.2.8 Network security controls (NSCs) are configured and maintained. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

redshift-enhanced-vpc-routing-enabled

Ensure that Amazon Redshift clusters have 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that incoming SSH traffic to the security groups is restricted. The rule is COMPLIANT if the source IP addresses of incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0 or ::/0). Otherwise, it is NON_COMPLIANT.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true but ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are restricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that the AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
1.3.1 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

redshift-enhanced-vpc-routing-enabled

Ensure that Amazon Redshift clusters have 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that incoming SSH traffic to the security groups is restricted. The rule is COMPLIANT if the source IP addresses of incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0 or ::/0). Otherwise, it is NON_COMPLIANT.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true but ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are restricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that the AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
1.3.2 Network access to and from the cardholder data environment is restricted. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
1.4.1 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.4.1 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

redshift-enhanced-vpc-routing-enabled

Ensure that Amazon Redshift clusters have 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.
1.4.1 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

redshift-enhanced-vpc-routing-enabled

Ensure that Amazon Redshift clusters have 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that incoming SSH traffic to the security groups is restricted. The rule is COMPLIANT if the source IP addresses of incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0 or ::/0). Otherwise, it is NON_COMPLIANT.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true but ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are restricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains at least one condition. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
1.4.2 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured at the account level. The rule is only NON_COMPLIANT when the rule parameters (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) do not match the corresponding fields in the configuration item.
1.4.3 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if stateless default action for fragmented packets does not match with user defined default action.
1.4.3 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

netfw-policy-default-action-full-packets

Ensure that an AWS Network Firewall policy is configured with a user defined default stateless action for full packets. This rule is NON_COMPLIANT if default stateless action for full packets does not match with user defined default stateless action.
1.4.4 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.4.4 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

redshift-enhanced-vpc-routing-enabled

Ensure that Amazon Redshift clusters have 'enhancedVpcRouting' enabled. The rule is NON_COMPLIANT if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'.
1.4.4 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.4.5 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

ecs-task-definition-pid-mode-check

Ensure that ECSTaskDefinitions are not configured to share a host's process namespace with its Amazon Elastic Container Service (Amazon ECS) containers. The rule is NON_COMPLIANT if the pidMode parameter is set to 'host'.
1.4.5 Network connections between trusted and untrusted networks are controlled. (PCI-DSS-v4.0)

ec2-launch-template-public-ip-disabled

Ensure that Amazon EC2 Launch Templates are not set to assign public IP addresses to Network Interfaces. The rule is NON_COMPLIANT if the default version of an EC2 Launch Template has at least 1 Network Interface with 'AssociatePublicIpAddress' set to 'true'.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if stateless default action for fragmented packets does not match with user defined default action.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the only Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that the incoming SSH traffic for the security groups is restricted. The rule is COMPLIANT if the IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0 or ::/0). Otherwise, NON_COMPLIANT.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL of an AWS CodeBuild project does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are restricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.
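The restricted-ssh and nacl-no-unrestricted-ssh-rdp checks above are easy to reproduce offline, which is useful for seeing exactly which entry trips them, for instance a wide TCP port range that merely contains 22. The following Python is an added example written for this page, not AWS's rule implementation. The security group and NACL items are constructed, and the NACL check assumes that "unrestricted" means a source of 0.0.0.0/0 or ::/0, the same definition the page gives for restricted-ssh.

```python
"""Offline re-implementation of the checks described for restricted-ssh and
nacl-no-unrestricted-ssh-rdp, run over constructed configuration items.
Added example for this page; it is not AWS's own rule code."""

UNRESTRICTED = ("0.0.0.0/0", "::/0")   # the page's definition for restricted-ssh
SSH, RDP = 22, 3389


def covers_port(from_port, to_port, protocol, port):
    """True if an entry's protocol/port range reaches `port`.
    Protocol "-1" (all traffic) carries no port range and reaches every port;
    a TCP/UDP entry with no range is treated the same way."""
    proto = str(protocol).lower()
    if proto in ("-1", "all"):
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    if from_port is None or to_port is None:
        return True
    return from_port <= port <= to_port


def evaluate_security_group(sg):
    """restricted-ssh: NON_COMPLIANT if any ingress permission reaches port 22
    from 0.0.0.0/0 or ::/0, including wide port ranges that merely contain 22."""
    for perm in sg.get("IpPermissions", []):
        if not covers_port(perm.get("FromPort"), perm.get("ToPort"),
                           perm.get("IpProtocol"), SSH):
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(src in UNRESTRICTED for src in sources):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_nacl(nacl):
    """nacl-no-unrestricted-ssh-rdp as the page words it: NON_COMPLIANT if any
    inbound allow entry reaches TCP/UDP 22 or 3389 from an unrestricted source.
    Assumption: "unrestricted" means 0.0.0.0/0 or ::/0, as for restricted-ssh.
    The check is per entry and ignores NACL rule ordering, so a lower-numbered
    deny entry does not rescue a later allow-all entry."""
    for entry in nacl.get("Entries", []):
        if entry.get("Egress") or entry.get("RuleAction") != "allow":
            continue
        source = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if source not in UNRESTRICTED:
            continue
        port_range = entry.get("PortRange") or {}
        for port in (SSH, RDP):
            if covers_port(port_range.get("From"), port_range.get("To"),
                           entry.get("Protocol"), port):
                return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample items; shapes follow EC2 DescribeSecurityGroups and
# DescribeNetworkAcls output, values are invented for this example.
SG_OPEN_SSH = {"GroupId": "sg-example-1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SG_WIDE_RANGE = {"GroupId": "sg-example-2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
SG_BASTION_ONLY = {"GroupId": "sg-example-3", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
NACL_ALLOW_ALL = {"NetworkAclId": "acl-example-1", "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
     "Egress": False, "CidrBlock": "0.0.0.0/0"}]}
NACL_SCOPED = {"NetworkAclId": "acl-example-2", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 200, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}}]}

if __name__ == "__main__":
    for item in (SG_OPEN_SSH, SG_WIDE_RANGE, SG_BASTION_ONLY):
        print(item["GroupId"], evaluate_security_group(item))
    for item in (NACL_ALLOW_ALL, NACL_SCOPED):
        print(item["NetworkAclId"], evaluate_nacl(item))
```

Run it as a script to print a verdict per item. Because the NACL check is entry-level, as the page's wording describes, a deny entry with a lower rule number does not make a later allow-all entry compliant; the remediation is to narrow the allow entry itself.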
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains at least one WAF rule or rule group. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains at least one rule. The rule is NON_COMPLIANT if there are no rules present within a rule group.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains at least one condition. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
1.5.1 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured at the account level. The rule is only NON_COMPLIANT when the rule parameters (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets) do not match the corresponding fields in the configuration item.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: for this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
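The ExcludeManagementEventSources condition is the one that most often surprises teams: a multi-region trail that looks healthy but was tuned to drop AWS KMS or Amazon RDS Data API management events fails this rule. The following Python is an added example, not AWS's rule code. It re-implements the conditions listed above for multi-region-cloudtrail-enabled (the same rule is repeated under 10.2.1.1 and 10.2.1.2) over constructed trail records whose field names follow the CloudTrail DescribeTrails, GetTrailStatus and GetEventSelectors responses. It models basic event selectors only, not advanced event selectors; the parameter names follow the managed rule's optional parameters; and it assumes that an "enabled" trail is one with IsLogging true.

```python
"""Offline evaluator for the multi-region-cloudtrail-enabled conditions on
this page, run over constructed trail records. Added example, not AWS code."""

# Optional rule parameters; None means "not checked". Names follow the managed
# rule's parameters (assumed here, verify against your Config rule definition).
DEFAULT_PARAMS = {"s3BucketName": None, "snsTopicArn": None,
                  "cloudWatchLogsLogGroupArn": None,
                  "includeManagementEvents": True, "readWriteType": "All"}

# Rule parameter -> field name in the DescribeTrails response.
FIELD_FOR_PARAM = {"s3BucketName": "S3BucketName",
                   "snsTopicArn": "SnsTopicARN",
                   "cloudWatchLogsLogGroupArn": "CloudWatchLogsLogGroupArn"}


def trail_findings(trail, params=None):
    """Return the reasons a single trail fails the check; empty means it passes.
    Conditions mirror the page: multi-region, actively logging, matching every
    parameter that is set, no excluded management event sources, and an event
    selector that captures management events at the requested ReadWriteType."""
    p = {**DEFAULT_PARAMS, **(params or {})}
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("not multi-region")
    if not trail.get("IsLogging"):
        findings.append("logging stopped")
    for param, field in FIELD_FOR_PARAM.items():
        if p[param] is not None and trail.get(field) != p[param]:
            findings.append(f"{field} != {p[param]}")
    selectors = trail.get("EventSelectors", [])
    # Excluding kms.amazonaws.com / rdsdata.amazonaws.com silently drops the
    # key-usage and Data API management events an investigation relies on.
    if any(s.get("ExcludeManagementEventSources") for s in selectors):
        findings.append("ExcludeManagementEventSources is not empty")
    if not any(s.get("IncludeManagementEvents") == p["includeManagementEvents"]
               and (p["readWriteType"] is None
                    or s.get("ReadWriteType") == p["readWriteType"])
               for s in selectors):
        findings.append("no event selector with IncludeManagementEvents="
                        f"{p['includeManagementEvents']} and "
                        f"ReadWriteType={p['readWriteType']}")
    return findings


def evaluate_account(trails, params=None):
    """Account-level verdict: COMPLIANT if at least one trail has no findings."""
    passing = any(not trail_findings(t, params) for t in trails)
    return "COMPLIANT" if passing else "NON_COMPLIANT"


# Constructed sample trails (values invented for this example).
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
     "S3BucketName": "example-cloudtrail-logs",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources":
                             ["kms.amazonaws.com", "rdsdata.amazonaws.com"]}]},
    {"Name": "regional-trail", "IsMultiRegionTrail": False, "IsLogging": True,
     "S3BucketName": "example-cloudtrail-logs",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": []}]},
]
# The same org trail after clearing the exclusion list.
FIXED_TRAIL = {**TRAILS[0], "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "ExcludeManagementEventSources": []}]}

if __name__ == "__main__":
    for t in TRAILS:
        print(t["Name"], trail_findings(t) or "ok")
    print("account:", evaluate_account(TRAILS))
    print("after fix:", evaluate_account([FIXED_TRAIL]))
```

The per-trail findings are what you want in a ticket: the sample account is NON_COMPLIANT not because it lacks a multi-region trail but because that trail excludes KMS and RDS Data API events, and the single-region trail cannot satisfy the rule on its own.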
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
10.2.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: for this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
10.2.1.1 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: for this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active Amazon ECS task definitions. This rule is NON_COMPLIANT if an active ECS task definition does not have logConfiguration defined, or logConfiguration is null, in at least one container definition.
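The ECS rule above is per container, not per task: one sidecar without a log driver makes the whole active task definition NON_COMPLIANT. The following is an added example, not AWS code or the managed rule's implementation, that applies that logic offline to task definitions in the shape of ECS DescribeTaskDefinition (status, containerDefinitions[].logConfiguration). The function names and the sample task definitions are this example's own, as is the choice to report inactive revisions as NOT_APPLICABLE, the conventional Config result for resources outside a rule's scope.

```python
"""Offline evaluator mirroring the ecs-task-definition-log-configuration check.

Added example, not AWS code. Input shape follows ECS DescribeTaskDefinition;
function names, sample data and the NOT_APPLICABLE handling of inactive
revisions are this example's assumptions.
"""
from typing import Dict, List

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def containers_without_logging(task_def: Dict) -> List[str]:
    """Names of container definitions whose logConfiguration is absent or null.
    An empty object is treated as missing too, since ECS requires logDriver inside it."""
    return [c.get("name", "<unnamed>")
            for c in task_def.get("containerDefinitions", [])
            if not c.get("logConfiguration")]


def evaluate_ecs_task_definition(task_def: Dict) -> Dict:
    """Config-style result: inactive revisions are NOT_APPLICABLE; an active one
    is NON_COMPLIANT as soon as a single container lacks a log configuration."""
    if task_def.get("status") != "ACTIVE":
        return {"ComplianceType": NOT_APPLICABLE,
                "Annotation": "Task definition revision is not ACTIVE"}
    missing = containers_without_logging(task_def)
    if missing:
        return {"ComplianceType": NON_COMPLIANT,
                "Annotation": "No logConfiguration on container(s): " + ", ".join(missing)}
    return {"ComplianceType": COMPLIANT,
            "Annotation": "All containers define a logConfiguration"}


AWSLOGS = {"logDriver": "awslogs",
           "options": {"awslogs-group": "/ecs/payments-api", "awslogs-region": "us-east-1"}}

# Constructed sample data: revision 7 ships a proxy sidecar with no log driver,
# so its output never reaches CloudWatch even though the main container logs.
SAMPLE_TASK_DEFINITIONS = {
    "payments-api:7": {
        "status": "ACTIVE",
        "containerDefinitions": [
            {"name": "api", "logConfiguration": AWSLOGS},
            {"name": "envoy-sidecar", "logConfiguration": None},
        ],
    },
    "payments-api:8": {
        "status": "ACTIVE",
        "containerDefinitions": [
            {"name": "api", "logConfiguration": AWSLOGS},
            {"name": "envoy-sidecar", "logConfiguration": AWSLOGS},
        ],
    },
    "payments-api:6": {
        "status": "INACTIVE",
        "containerDefinitions": [{"name": "api"}],
    },
}

if __name__ == "__main__":
    for family_revision, task_def in SAMPLE_TASK_DEFINITIONS.items():
        print(family_revision, evaluate_ecs_task_definition(task_def))
```

Reporting the offending container names in the annotation is what makes the finding actionable: the remediation is a new task definition revision, and the team needs to know which container definition to change.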
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if no trail matches the input parameters, if the ExcludeManagementEventSources field is not empty, or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.3 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active Amazon ECS task definitions. This rule is NON_COMPLIANT if an active ECS task definition does not have logConfiguration defined, or logConfiguration is null, in at least one container definition.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if no trail matches the input parameters, if the ExcludeManagementEventSources field is not empty, or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.4 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active Amazon ECS task definitions. This rule is NON_COMPLIANT if an active ECS task definition does not have logConfiguration defined, or logConfiguration is null, in at least one container definition.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if no trail matches the input parameters, if the ExcludeManagementEventSources field is not empty, or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.5 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active Amazon ECS task definitions. This rule is NON_COMPLIANT if an active ECS task definition does not have logConfiguration defined, or logConfiguration is null, in at least one container definition.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if no trail matches the input parameters, if the ExcludeManagementEventSources field is not empty, or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.6 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active Amazon ECS task definitions. This rule is NON_COMPLIANT if an active ECS task definition does not have logConfiguration defined, or logConfiguration is null, in at least one container definition.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if no trail matches the input parameters, if the ExcludeManagementEventSources field is not empty, or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or its logging configuration is below the minimum level provided.
10.2.1.7 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
10.3.1 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

neptune-cluster-snapshot-public-prohibited

Ensure that an Amazon Neptune manual DB cluster snapshot is not public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
10.3.2 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

aurora-resources-protected-by-backup-plan

Ensure that Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

db-instance-backup-enabled

Ensure that RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

dynamodb-in-backup-plan

Ensure that Amazon DynamoDB tables are present in AWS Backup Plans. The rule is NON_COMPLIANT if Amazon DynamoDB tables are not present in any AWS Backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

dynamodb-resources-protected-by-backup-plan

Ensure that Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

ebs-in-backup-plan

Ensure that Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

ebs-resources-protected-by-backup-plan

Ensure that Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

ec2-resources-protected-by-backup-plan

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

efs-in-backup-plan

Ensure that Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

efs-resources-protected-by-backup-plan

Ensure that Amazon Elastic File System (Amazon EFS) file systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

elasticache-redis-cluster-automatic-backup-check

Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit for a Redis cluster is less than the SnapshotRetentionPeriod parameter. For example, if the parameter is 15, the rule is NON_COMPLIANT if the cluster's SnapshotRetentionLimit is between 0 and 15.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

fsx-resources-protected-by-backup-plan

Ensure that Amazon FSx File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon FSx File System is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

neptune-cluster-backup-retention-check

Ensure that an Amazon Neptune DB cluster backup retention period is set to a specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

rds-in-backup-plan

Ensure that Amazon Relational Database Service (Amazon RDS) databases are present in AWS Backup plans. The rule is NON_COMPLIANT if Amazon RDS databases are not included in any AWS Backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

rds-resources-protected-by-backup-plan

Ensure that Amazon Relational Database Service (Amazon RDS) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon RDS Database instance is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

redshift-backup-enabled

Ensure that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is 0.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-resources-protected-by-backup-plan

Ensure that Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

db-instance-backup-enabled

Ensure that RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window.
10.3.3 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
10.3.4 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudfront-origin-access-identity-enabled

Ensure that a CloudFront distribution with an Amazon S3 origin type has an origin access identity (OAI) configured. The rule is NON_COMPLIANT if the CloudFront distribution is backed by S3 and any origin is not configured with an OAI, or the origin is not an S3 bucket.
10.3.4 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudfront-s3-origin-access-control-enabled

Ensure that an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.
10.3.4 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-bucket-default-lock-enabled

Ensure that the S3 bucket has lock enabled, by default. The rule is NON_COMPLIANT if the lock is not enabled.
10.3.4 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

s3-bucket-versioning-enabled

Ensure that versioning is enabled for your S3 buckets. Optionally, the rule checks if MFA delete is enabled for your S3 buckets.
10.3.4 Audit logs are protected from destruction and unauthorized modifications. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.4.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (Amazon SNS) delivery status logging is enabled for notification messages sent from a topic to its endpoints. The rule is NON_COMPLIANT if delivery status notification for messages is not enabled.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.4.1.1 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (Amazon SNS) delivery status logging is enabled for notification messages sent from a topic to its endpoints. The rule is NON_COMPLIANT if delivery status notification for messages is not enabled.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.4.2 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (Amazon SNS) delivery status logging is enabled for notification messages sent from a topic to its endpoints. The rule is NON_COMPLIANT if delivery status notification for messages is not enabled.
10.4.3 Audit logs are reviewed to identify anomalies or suspicious activity. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.5.1 Audit log history is retained and available for analysis. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
10.5.1 Audit log history is retained and available for analysis. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
10.5.1 Audit log history is retained and available for analysis. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
10.5.1 Audit log history is retained and available for analysis. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
10.5.1 Audit log history is retained and available for analysis. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch log group retention period is set to greater than 365 days, or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match input parameters. The rule is NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
10.6.3 Time-synchronization mechanisms support consistent time settings across all systems. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.7.1 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
10.7.2 Failures of critical security control systems are detected, reported, and responded to promptly. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
11.5.2 Network intrusions and unexpected file changes are detected and responded to. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
11.5.2 Network intrusions and unexpected file changes are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
11.5.2 Network intrusions and unexpected file changes are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
11.5.2 Network intrusions and unexpected file changes are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-settings-check

Ensure that CloudWatch alarms with the given metric name have the specified settings.
11.5.2 Network intrusions and unexpected file changes are detected and responded to. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
11.6.1 Unauthorized changes on payment pages are detected and responded to. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
11.6.1 Unauthorized changes on payment pages are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
11.6.1 Unauthorized changes on payment pages are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
11.6.1 Unauthorized changes on payment pages are detected and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-settings-check

Ensure that CloudWatch alarms with the given metric name have the specified settings.
11.6.1 Unauthorized changes on payment pages are detected and responded to. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
12.10.5 Suspected and confirmed security incidents that could impact the CDE are responded to immediately. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
12.10.5 Suspected and confirmed security incidents that could impact the CDE are responded to immediately. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
12.10.5 Suspected and confirmed security incidents that could impact the CDE are responded to immediately. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
12.10.5 Suspected and confirmed security incidents that could impact the CDE are responded to immediately. (PCI-DSS-v4.0)

cloudwatch-alarm-settings-check

Ensure that CloudWatch alarms with the given metric name have the specified settings.
12.10.5 Suspected and confirmed security incidents that could impact the CDE are responded to immediately. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (SNS) logging is enabled for the delivery status of notification messages sent to a topic for the endpoints. The rule is NON_COMPLIANT if the delivery status notification for messages is not enabled.
12.4.2.1 PCI DSS compliance is managed. (PCI-DSS-v4.0)

service-catalog-shared-within-organization

Ensure that AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the `Type` value of a share is `ACCOUNT`.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-security-policy-check

Ensure that Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-sni-enabled

Ensure that Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

transfer-family-server-no-ftp

Ensure that a server created with AWS Transfer Family does not use FTP for endpoint connection. The rule is NON_COMPLIANT if the server protocol for endpoint connection is FTP-enabled.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
2.2.5 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

dms-redis-tls-enabled

Ensure that AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

dax-tls-endpoint-encryption

Ensure that your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

msk-in-cluster-node-require-tls

Ensure that an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.
2.2.7 System components are configured and managed securely. (PCI-DSS-v4.0)

dms-endpoint-ssl-configured

Ensure that AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.
3.2.1 Storage of account data is kept to a minimum. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
3.2.1 Storage of account data is kept to a minimum. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
3.2.1 Storage of account data is kept to a minimum. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
3.2.1 Storage of account data is kept to a minimum. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
3.3.1.1 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
3.3.1.1 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
3.3.1.1 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
3.3.1.1 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
3.3.1.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
3.3.1.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
3.3.1.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
3.3.1.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
3.3.2 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
3.3.2 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
3.3.2 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
3.3.2 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
3.3.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ec2-volume-inuse-check

Ensure that EBS volumes are attached to EC2 instances. Optionally ensure that EBS volumes are marked for deletion when an instance is terminated.
3.3.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

ecr-private-lifecycle-policy-configured

Ensure that a private Amazon Elastic Container Registry (ECR) repository has at least one lifecycle policy configured. The rule is NON_COMPLIANT if no lifecycle policy is configured for the ECR private repository.
3.3.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

dynamodb-pitr-enabled

Ensure that point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables.
3.3.3 Sensitive authentication data (SAD) is not stored after authorization. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or to a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or otherwise less than 365 days.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

athena-workgroup-encrypted-at-rest

Ensure that an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

neptune-cluster-snapshot-encrypted

Ensure that an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

redshift-cluster-kms-enabled

Ensure that Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is COMPLIANT if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is NON_COMPLIANT if the cluster is not encrypted or encrypted with another key.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

codebuild-project-artifact-encryption

Ensure that an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

codebuild-project-s3-logs-encrypted

Ensure that an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' in an S3LogsConfig of a CodeBuild project.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

dax-encryption-enabled

Ensure that Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

eks-secrets-encrypted

Ensure that Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

api-gw-cache-enabled-and-encrypted

Ensure that all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in an Amazon API Gateway stage is not configured to cache or the cache is not encrypted.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

docdb-cluster-encrypted

Ensure that storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

dynamodb-table-encrypted-kms

Ensure that Amazon DynamoDB tables are encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if an Amazon DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the AWS KMS key used for encryption is not present in the kmsKeyArns input parameter.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

dynamodb-table-encryption-enabled

Ensure that Amazon DynamoDB tables are encrypted, checking their encryption status. The rule is COMPLIANT if the status is enabled or enabling.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

codebuild-project-envvar-awscred-check

Ensure that the project DOES NOT contain the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contain plaintext credentials.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

eks-cluster-secrets-encrypted

Ensure that Amazon EKS clusters are configured to have Kubernetes secrets encrypted using AWS KMS. The rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig resource or if encryptionConfig does not name secrets as a resource.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

kinesis-stream-encrypted

Ensure that Amazon Kinesis streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT for a Kinesis stream if 'StreamEncryption' is not present.
3.5.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

neptune-cluster-encrypted

Ensure that storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.
3.5.1.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.5.1.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.5.1.1 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

neptune-cluster-snapshot-public-prohibited

Ensure that an Amazon Neptune manual DB cluster snapshot is not public. The rule is NON_COMPLIANT if any existing and new Neptune cluster snapshot is public.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured from account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
3.5.1.3 Primary account number (PAN) is secured wherever it is stored. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
3.6.1 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.6.1 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.6.1 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.6.1.2 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.6.1.2 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.6.1.2 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.6.1.3 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.6.1.3 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.6.1.3 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.6.1.4 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.6.1.4 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.6.1.4 Cryptographic keys used to protect stored account data are secured. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.7.1 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-certificate-rsa-check

Ensure that RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least 2048 bits. The rule is NON_COMPLIANT if the minimum key length is less than 2048 bits.
3.7.1 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.7.1 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.7.1 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.7.2 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.7.2 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.7.2 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.7.4 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.7.4 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.7.4 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.7.6 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.7.6 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.7.6 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
3.7.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
3.7.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
3.7.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dms-redis-tls-enabled

Ensure that AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dax-tls-endpoint-encryption

Ensure that your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

msk-in-cluster-node-require-tls

Ensure that an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.
4.2.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dms-endpoint-ssl-configured

Ensure that AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

acm-pca-root-ca-disabled

Ensure that AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dms-redis-tls-enabled

Ensure that AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dax-tls-endpoint-encryption

Ensure that your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

msk-in-cluster-node-require-tls

Ensure that an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.
4.2.1.1 PAN is protected with strong cryptography during transmission. (PCI-DSS-v4.0)

dms-endpoint-ssl-configured

Ensure that AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if the trails do not match the input parameters. The rule is also NON_COMPLIANT if the ExcludeManagementEventSources field is not empty or if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF Classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL if it does not have logging enabled.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that an AWS Step Functions state machine has logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
5.3.4 Anti-malware mechanisms and processes are active, maintained, and monitored. (PCI-DSS-v4.0)

cw-loggroup-retention-period-check

Ensure that an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime, if specified, or else 365 days.
6.3.3 Security vulnerabilities are identified and addressed. (PCI-DSS-v4.0)

lambda-function-settings-check

Ensure that the AWS Lambda function settings for runtime, role, timeout, and memory size match the expected values. The rule ignores functions with the 'Image' package type and functions with runtime set to 'OS-only Runtime'. The rule is NON_COMPLIANT if the Lambda function settings do not match the expected values.
6.3.3 Security vulnerabilities are identified and addressed. (PCI-DSS-v4.0)

eks-cluster-oldest-supported-version

Ensure that an Amazon Elastic Kubernetes Service (EKS) cluster is not running the oldest supported version. The rule is NON_COMPLIANT if an EKS cluster is running the oldest supported version (equal to the parameter 'oldestVersionSupported').
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

wafv2-webacl-not-empty

Ensure that a WAFv2 Web ACL contains at least one WAF rule or WAF rule group. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

wafv2-rulegroup-not-empty

Ensure that WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
6.4.1 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

wafv2-webacl-not-empty

Ensure that a WAFv2 Web ACL contains at least one WAF rule or WAF rule group. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rules or WAF rule groups.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

wafv2-rulegroup-not-empty

Ensure that WAFv2 Rule Groups contain rules. The rule is NON_COMPLIANT if there are no rules in a WAFv2 Rule Group.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
6.4.2 Public-facing web applications are protected against attacks. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
6.5.5 Changes to all system components are managed securely. (PCI-DSS-v4.0)

codedeploy-lambda-allatonce-traffic-shift-disabled

Ensure that the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is NON_COMPLIANT if the deployment group is using the deployment configuration 'CodeDeployDefault.LambdaAllAtOnce'.
6.5.5 Changes to all system components are managed securely. (PCI-DSS-v4.0)

codepipeline-deployment-count-check

Ensure that the first deployment stage of AWS CodePipeline performs at least one deployment. This monitors continuous deployment activity, ensuring regular updates and identifying inactive or underutilized pipelines, which can signal issues in the development or deployment process. Optionally, ensure that each subsequent stage performs more than the specified number of deployments (deploymentLimit).
6.5.6 Changes to all system components are managed securely. (PCI-DSS-v4.0)

codedeploy-lambda-allatonce-traffic-shift-disabled

Ensure that the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is NON_COMPLIANT if the deployment group is using the deployment configuration 'CodeDeployDefault.LambdaAllAtOnce'.
6.5.6 Changes to all system components are managed securely. (PCI-DSS-v4.0)

codepipeline-deployment-count-check

Ensure that the first deployment stage of AWS CodePipeline performs at least one deployment. This monitors continuous deployment activity, ensuring regular updates and identifying inactive or underutilized pipelines, which can signal issues in the development or deployment process. Optionally, ensure that each subsequent stage performs more than the specified number of deployments (deploymentLimit).
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.2.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.2.2 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
7.2.4 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

secretsmanager-secret-unused

Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed within the last 'unusedForDays' days. The default value is 90 days.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.2.5 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
7.2.5.1 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

secretsmanager-secret-unused

Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed within the last 'unusedForDays' days. The default value is 90 days.
7.2.6 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.2.6 Access to system components and data is appropriately defined and assigned. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.3.1 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.3.2 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (Amazon S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
7.3.3 Access to system components and data is managed via an access control system(s). (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
8.2.1 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.
8.2.1 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

ec2-no-amazon-key-pair

Ensure that running Amazon Elastic Compute Cloud (EC2) instances are not launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

ec2-no-amazon-key-pair

Ensure that running Amazon Elastic Compute Cloud (EC2) instances are not launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

codebuild-project-envvar-awscred-check

Ensure that the project DOES NOT contain environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contains plaintext credentials.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
8.2.2 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

secretsmanager-secret-unused

Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.
8.2.4 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.
8.2.4 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

ec2-no-amazon-key-pair

Ensure that running Amazon Elastic Compute Cloud (EC2) instances are not launched using amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.
8.2.5 User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity.
8.2.5 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

ec2-no-amazon-key-pair

Ensure that running Amazon Elastic Compute Cloud (EC2) instances are not launched using Amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.
8.2.6 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

secretsmanager-secret-unused

Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
8.2.7 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

ec2-imdsv2-check

Ensure that your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if HttpTokens is set to optional.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

autoscaling-launchconfig-requires-imdsv2

Ensure that only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled.
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
8.2.8 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
8.3.10.1 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

access-keys-rotated

Ensure that active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.
8.3.10.1 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.3.10.1 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
8.3.11 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
8.3.11 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

ec2-no-amazon-key-pair

Ensure that running Amazon Elastic Compute Cloud (EC2) instances are not launched using Amazon key pairs. The rule is NON_COMPLIANT if a running EC2 instance is launched with a key pair.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

athena-workgroup-encrypted-at-rest

Ensure that an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

neptune-cluster-snapshot-encrypted

Ensure that an Amazon Neptune DB cluster has snapshots encrypted. The rule is NON_COMPLIANT if a Neptune cluster does not have snapshots encrypted.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

redshift-cluster-kms-enabled

Ensure that Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is COMPLIANT if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is NON_COMPLIANT if the cluster is not encrypted or encrypted with another key.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

codebuild-project-artifact-encryption

Ensure that an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

codebuild-project-s3-logs-encrypted

Ensure that an AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if 'encryptionDisabled' is set to 'true' in an S3LogsConfig of a CodeBuild project.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dax-encryption-enabled

Ensure that Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dms-redis-tls-enabled

Ensure that AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

eks-secrets-encrypted

Ensure that Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

api-gw-cache-enabled-and-encrypted

Ensure that all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in an Amazon API Gateway stage is not configured to cache or the cache is not encrypted.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

docdb-cluster-encrypted

Ensure that storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dynamodb-table-encrypted-kms

Ensure that an Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if an Amazon DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the AWS KMS key used for encryption is not present in the kmsKeyArns input parameter.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dynamodb-table-encryption-enabled

Ensure that Amazon DynamoDB tables are encrypted, and check their encryption status. The rule is COMPLIANT if the status is enabled or enabling.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

cloudfront-no-deprecated-ssl-protocols

Ensure that CloudFront distributions are not using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any 'OriginSslProtocols' includes 'SSLv3'.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

cloudfront-traffic-to-origin-encrypted

Ensure that Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if 'OriginProtocolPolicy' is 'http-only', or if 'OriginProtocolPolicy' is 'match-viewer' and 'ViewerProtocolPolicy' is 'allow-all'.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

cloudfront-viewer-policy-https

Ensure that your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the DefaultCacheBehavior or for the CacheBehaviors.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

codebuild-project-envvar-awscred-check

Ensure that the project DOES NOT contain the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contain plaintext credentials.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dax-tls-endpoint-encryption

Ensure that your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS).
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

eks-cluster-secrets-encrypted

Ensure that Amazon EKS clusters are configured to have Kubernetes secrets encrypted using AWS KMS. The rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig resource or if encryptionConfig does not name secrets as a resource.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

kinesis-stream-encrypted

Ensure that Amazon Kinesis streams are encrypted at rest with server-side encryption. The rule is NON_COMPLIANT for a Kinesis stream if 'StreamEncryption' is not present.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

msk-in-cluster-node-require-tls

Ensure that an Amazon MSK cluster enforces encryption in transit using HTTPS (TLS) with the broker nodes of the cluster. The rule is NON_COMPLIANT if plain text communication is enabled for in-cluster broker node connections.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

neptune-cluster-encrypted

Ensure that storage encryption is enabled for your Amazon Neptune DB clusters. The rule is NON_COMPLIANT if storage encryption is not enabled.
8.3.2 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

dms-endpoint-ssl-configured

Ensure that AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

s3-bucket-blacklisted-actions-prohibited

Ensure that an Amazon Simple Storage Service (Amazon S3) bucket policy does not allow blocklisted bucket-level and object-level actions on resources in the bucket for principals from other AWS accounts. For example, the rule checks that the Amazon S3 bucket policy does not allow another AWS account to perform any s3:GetBucket* actions and s3:DeleteObject on any object in the bucket. The rule is NON_COMPLIANT if any blocklisted actions are allowed by the Amazon S3 bucket policy.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

s3-bucket-policy-not-more-permissive

Ensure that your Amazon Simple Storage Service (S3) bucket policies do not grant inter-account permissions beyond those in the control Amazon S3 bucket policy that you provide.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

shield-drt-access

Ensure that the Shield Response Team (SRT) can access your AWS account. The rule is NON_COMPLIANT if AWS Shield Advanced is enabled but the role for SRT access is not configured.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

iam-policy-in-use

Ensure that an IAM policy ARN is attached to an IAM user, or to a group with one or more IAM users, or to an IAM role with one or more trusted entities.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

neptune-cluster-iam-database-authentication

Ensure that an Amazon Neptune cluster has AWS Identity and Access Management (IAM) database authentication enabled. The rule is NON_COMPLIANT if an Amazon Neptune cluster does not have IAM database authentication enabled.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

rds-cluster-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS Cluster does not have IAM authentication enabled.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

ec2-instance-profile-attached

Ensure that an EC2 instance has an AWS Identity and Access Management (IAM) profile attached to it. The rule is NON_COMPLIANT if no IAM profile is attached to the EC2 instance.
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
8.3.4 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

rds-instance-iam-authentication-enabled

Ensure that an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an Amazon RDS instance does not have IAM authentication enabled.
8.3.5 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

access-keys-rotated

Ensure that active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.
8.3.5 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.3.5 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
8.3.7 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

access-keys-rotated

Ensure that active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.
8.3.7 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.3.7 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
8.3.9 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

access-keys-rotated

Ensure that active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.
8.3.9 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.3.9 Strong authentication for users and administrators is established and managed. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
8.4.1 Multi-factor authentication (MFA) is implemented to secure access into the CDE. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
8.4.2 Multi-factor authentication (MFA) is implemented to secure access into the CDE. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
8.4.3 Multi-factor authentication (MFA) is implemented to secure access into the CDE. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
8.6.3 Use of application and system accounts and associated authentication factors is strictly managed. (PCI-DSS-v4.0)

access-keys-rotated

Ensure that active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days.
8.6.3 Use of application and system accounts and associated authentication factors is strictly managed. (PCI-DSS-v4.0)

secretsmanager-scheduled-rotation-success-check

Ensure that AWS Secrets Manager secrets rotated successfully according to the rotation schedule. Secrets Manager calculates the date the rotation should happen. The rule is NON_COMPLIANT if the date passes and the secret isn't rotated.
8.6.3 Use of application and system accounts and associated authentication factors is strictly managed. (PCI-DSS-v4.0)

secretsmanager-secret-periodic-rotation

Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is NON_COMPLIANT if a secret has not been rotated for more than maxDaysSinceRotation number of days. The default value is 90 days.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

neptune-cluster-snapshot-public-prohibited

Ensure that an Amazon Neptune manual DB cluster snapshot is not public. The rule is NON_COMPLIANT if any existing or new Neptune cluster snapshot is public.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if it is true but ports other than port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured at the account level. The rule is only NON_COMPLIANT when the fields set below do not match the corresponding fields in the configuration item.
A1.1.2 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

api-gw-endpoint-type-check

Ensure that Amazon API Gateway APIs are of the type specified in the rule parameter 'endpointConfigurationType'. The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

cloudfront-associated-with-waf

Ensure that Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

cloudfront-custom-ssl-certificate

Ensure that the certificate associated with an Amazon CloudFront distribution is not the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

netfw-policy-default-action-fragment-packets

Ensure that an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the stateless default action for fragmented packets does not match the user-defined default action.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

rds-db-security-group-not-allowed

Ensure that the only Amazon Relational Database Service (Amazon RDS) DB security group is the default one. The rule is NON_COMPLIANT if there are any DB security groups that are not the default DB security group.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

ec2-transit-gateway-auto-vpc-attach-disabled

Ensure that Amazon Elastic Compute Cloud (Amazon EC2) Transit Gateways do not have 'AutoAcceptSharedAttachments' enabled. The rule is NON_COMPLIANT for a Transit Gateway if 'AutoAcceptSharedAttachments' is set to 'enable'.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

eks-endpoint-no-public-access

Ensure that the Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is NON_COMPLIANT if the endpoint is publicly accessible.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

restricted-ssh

Note: For this rule, the rule identifier (INCOMING_SSH_DISABLED) and rule name (restricted-ssh) are different. Ensure that incoming SSH traffic to security groups is restricted. The rule is COMPLIANT if the source IP ranges for incoming SSH traffic in the security groups are restricted (a CIDR other than 0.0.0.0/0 or ::/0); otherwise, NON_COMPLIANT.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

appsync-associated-with-waf

Ensure that AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

codebuild-project-source-repo-url-check

Ensure that the Bitbucket source repository URL does not contain sign-in credentials. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

elb-acm-certificate-required

Ensure that the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. Note - this rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

nacl-no-unrestricted-ssh-rdp

Ensure that the default ports for SSH/RDP ingress traffic are restricted in network access control lists (NACLs). The rule is NON_COMPLIANT if a NACL inbound entry allows TCP or UDP traffic from an unrestricted source CIDR block to port 22 or 3389.
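The restricted-ssh and nacl-no-unrestricted-ssh-rdp rows above describe the same kind of check applied to two resource types. The following Python is an added example, not AWS code and not part of this page, that replicates both checks offline in the style of a custom AWS Config rule evaluator. It assumes the input dicts follow the shape of the AWS::EC2::SecurityGroup and AWS::EC2::NetworkAcl configuration items (ipPermissions, entries, portRange and so on); the resource IDs and sample resources are constructed, and only TCP and all-protocol security group rules are treated as SSH exposure.

```python
"""Offline evaluators mirroring restricted-ssh and nacl-no-unrestricted-ssh-rdp.

Added example (not AWS code). Input dicts are assumed to follow the shape of
AWS Config configuration items for AWS::EC2::SecurityGroup and
AWS::EC2::NetworkAcl; the sample resources below are constructed.
"""
import ipaddress

ADMIN_PORTS = (22, 3389)                     # SSH and RDP
NACL_TCP, NACL_UDP, NACL_ALL = "6", "17", "-1"  # NACL protocol numbers


def is_unrestricted(cidr):
    """True for 0.0.0.0/0, ::/0 or any other /0 network; False for bad input."""
    if not cidr:
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def port_in_range(port, from_port, to_port):
    """A rule with no port bounds (e.g. protocol -1) covers every port."""
    if from_port is None or to_port is None:
        return True
    return from_port <= port <= to_port


def evaluate_security_group(sg):
    """restricted-ssh: NON_COMPLIANT if any ingress rule reaches TCP/22
    from an unrestricted source (0.0.0.0/0 or ::/0)."""
    for perm in sg.get("ipPermissions", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):
            continue
        if not port_in_range(22, perm.get("fromPort"), perm.get("toPort")):
            continue
        sources = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        sources += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if any(is_unrestricted(c) for c in sources):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_nacl(nacl):
    """nacl-no-unrestricted-ssh-rdp: NON_COMPLIANT if an inbound allow entry
    opens port 22 or 3389 over TCP, UDP or all protocols to an unrestricted
    source. Entry ordering (a lower-numbered deny) is deliberately ignored,
    as in the rule text, so the check errs on the side of flagging."""
    for entry in nacl.get("entries", []):
        if entry.get("egress") or entry.get("ruleAction") != "allow":
            continue
        if entry.get("protocol") not in (NACL_TCP, NACL_UDP, NACL_ALL):
            continue
        if not is_unrestricted(entry.get("cidrBlock") or entry.get("ipv6CidrBlock")):
            continue
        ports = entry.get("portRange") or {}
        if any(port_in_range(p, ports.get("from"), ports.get("to")) for p in ADMIN_PORTS):
            return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample resources (IDs are made up).
SG_OPEN_SSH = {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ],
}
SG_RESTRICTED = {
    "groupId": "sg-0fedcba9876543210",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ],
}
NACL_OPEN_RDP = {
    "networkAclId": "acl-0123456789abcdef0",
    "entries": [
        {"ruleNumber": 100, "protocol": NACL_TCP, "ruleAction": "allow", "egress": False,
         "cidrBlock": "0.0.0.0/0", "portRange": {"from": 3389, "to": 3389}},
        {"ruleNumber": 32767, "protocol": NACL_ALL, "ruleAction": "deny", "egress": False,
         "cidrBlock": "0.0.0.0/0"},
    ],
}
NACL_RESTRICTED = {
    "networkAclId": "acl-0fedcba9876543210",
    "entries": [
        {"ruleNumber": 100, "protocol": NACL_TCP, "ruleAction": "allow", "egress": False,
         "cidrBlock": "192.168.10.0/24", "portRange": {"from": 22, "to": 22}},
        {"ruleNumber": 110, "protocol": NACL_TCP, "ruleAction": "allow", "egress": False,
         "cidrBlock": "0.0.0.0/0", "portRange": {"from": 443, "to": 443}},
        {"ruleNumber": 120, "protocol": NACL_TCP, "ruleAction": "allow", "egress": True,
         "cidrBlock": "0.0.0.0/0", "portRange": {"from": 22, "to": 22}},
    ],
}

if __name__ == "__main__":
    for name, res, fn in [("SG_OPEN_SSH", SG_OPEN_SSH, evaluate_security_group),
                          ("SG_RESTRICTED", SG_RESTRICTED, evaluate_security_group),
                          ("NACL_OPEN_RDP", NACL_OPEN_RDP, evaluate_nacl),
                          ("NACL_RESTRICTED", NACL_RESTRICTED, evaluate_nacl)]:
        print(f"{name}: {fn(res)}")
```

Two points worth noting when reading the results: a security group rule with protocol -1 carries no port bounds and therefore exposes port 22 even though "22" never appears in it, and a NACL that opens 3389 to 0.0.0.0/0 is flagged regardless of the catch-all deny at rule 32767, because the allow is evaluated first on a real NACL.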
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

waf-global-webacl-not-empty

Ensure that a WAF Global Web ACL contains some WAF rules or rule groups. This rule is NON_COMPLIANT if a Web ACL does not contain any WAF rule or rule group.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

waf-global-rulegroup-not-empty

Ensure that an AWS WAF Classic rule group contains some rules. The rule is NON_COMPLIANT if there are no rules present within a rule group.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

waf-global-rule-not-empty

Ensure that an AWS WAF global rule contains some conditions. The rule is NON_COMPLIANT if no conditions are present within the WAF global rule.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

ec2-client-vpn-not-authorize-all

Ensure that AWS Client VPN authorization rules do not authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

internet-gateway-authorized-vpc-only

Ensure that internet gateways are attached to an authorized virtual private cloud (Amazon VPC). The rule is NON_COMPLIANT if internet gateways are attached to an unauthorized VPC.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
A1.1.3 Multi-tenant service providers protect and separate all customer environments and data. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured at the account level. The rule is NON_COMPLIANT only when the fields set in the rule parameters do not match the corresponding fields in the configuration item.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

api-gwv2-access-logs-enabled

Ensure that Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if 'accessLogSettings' is not present in Stage configuration.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

cloudfront-accesslogs-enabled

Ensure that Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

cloudtrail-security-trail-enabled

Ensure that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

neptune-cluster-cloudwatch-log-export-enabled

Ensure that an Amazon Neptune cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if a Neptune cluster does not have CloudWatch log export enabled for audit logs.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

ecs-task-definition-log-configuration

Ensure that logConfiguration is set on active ECS Task Definitions. This rule is NON_COMPLIANT if an active ECSTaskDefinition does not have the logConfiguration resource defined or the value for logConfiguration is null in at least one container definition.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

cloudtrail-enabled

Note: For this rule, the rule identifier (CLOUD_TRAIL_ENABLED) and rule name (cloudtrail-enabled) are different. Ensure that an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

multi-region-cloudtrail-enabled

Note: For this rule, the rule identifier (MULTI_REGION_CLOUD_TRAIL_ENABLED) and rule name (multi-region-cloudtrail-enabled) are different. Ensure that there is at least one multi-region AWS CloudTrail trail. The rule is NON_COMPLIANT if the trails do not match the input parameters. The rule is also NON_COMPLIANT if the ExcludeManagementEventSources field is not empty, that is, if AWS CloudTrail is configured to exclude management events such as AWS KMS events or Amazon RDS Data API events.
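The multi-region-cloudtrail-enabled row above lists several conditions that a single trail must satisfy at once, and the ExcludeManagementEventSources caveat is the one most often missed. The following Python is an added example, not AWS code and not part of this page, that applies that logic offline. It assumes each trail dict merges the fields returned by DescribeTrails and GetTrailStatus (IsMultiRegionTrail, IsLogging, IncludeGlobalServiceEvents) with the EventSelectors list from GetEventSelectors, and it models only the readWriteType parameter; trails that use advanced event selectors alone are not handled, and the sample trails are constructed.

```python
"""Offline evaluator for the multi-region-cloudtrail-enabled logic.

Added example (not AWS code). Each trail dict is assumed to merge fields from
DescribeTrails/GetTrailStatus with the EventSelectors list from
GetEventSelectors. Advanced-event-selector-only trails are not handled.
Sample trails below are constructed.
"""


def management_events_fully_recorded(selector, read_write_type):
    """A basic event selector counts only if it records management events of
    the requested read/write type and excludes no management event source."""
    if not selector.get("IncludeManagementEvents", False):
        return False
    if selector.get("ExcludeManagementEventSources"):   # e.g. ["kms.amazonaws.com"]
        return False
    return selector.get("ReadWriteType", "All") in ("All", read_write_type)


def find_compliant_trail(trails, read_write_type="All"):
    """Return the name of the first trail satisfying every condition, else None."""
    for trail in trails:
        if not (trail.get("IsMultiRegionTrail") and trail.get("IsLogging")):
            continue
        if not trail.get("IncludeGlobalServiceEvents"):
            continue
        selectors = trail.get("EventSelectors") or []
        if any(management_events_fully_recorded(s, read_write_type) for s in selectors):
            return trail["Name"]
    return None


def evaluate_account(trails, read_write_type="All"):
    """The account is COMPLIANT if at least one trail qualifies."""
    return "COMPLIANT" if find_compliant_trail(trails, read_write_type) else "NON_COMPLIANT"


# Constructed sample data.
TRAILS_GOOD = [
    {"Name": "org-security-trail", "IsMultiRegionTrail": True, "IsLogging": True,
     "IncludeGlobalServiceEvents": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": []}]},
]
# Looks right at a glance but silently drops KMS and RDS Data API management events.
TRAILS_EXCLUDING_SOURCES = [
    {"Name": "cost-trimmed-trail", "IsMultiRegionTrail": True, "IsLogging": True,
     "IncludeGlobalServiceEvents": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "ExcludeManagementEventSources": ["kms.amazonaws.com",
                                                           "rdsdata.amazonaws.com"]}]},
]
# A single-region trail plus a multi-region trail that exists but is stopped.
TRAILS_NONE_QUALIFY = [
    {"Name": "us-east-1-only", "IsMultiRegionTrail": False, "IsLogging": True,
     "IncludeGlobalServiceEvents": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    {"Name": "stopped-trail", "IsMultiRegionTrail": True, "IsLogging": False,
     "IncludeGlobalServiceEvents": True,
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
]

if __name__ == "__main__":
    for label, trails in [("good", TRAILS_GOOD), ("excluding", TRAILS_EXCLUDING_SOURCES),
                          ("none", TRAILS_NONE_QUALIFY)]:
        print(label, evaluate_account(trails), find_compliant_trail(trails))
```

The "cost-trimmed-trail" case is the one to look at: it is multi-region, logging and recording management events, yet it fails because excluding KMS and RDS Data API sources removes exactly the key-usage and data-access events an investigation would need.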
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

appsync-logging-enabled

Ensure that an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or 'fieldLogLevel' is neither ERROR nor ALL.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

waf-classic-logging-enabled

Ensure that logging is enabled on AWS WAF classic global web access control lists (web ACLs). The rule is NON_COMPLIANT for a global web ACL, if it does not have logging enabled.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

mq-cloudwatch-audit-logging-enabled

Ensure that Amazon MQ brokers have Amazon CloudWatch audit logging enabled. The rule is NON_COMPLIANT if a broker does not have audit logging enabled.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

mq-cloudwatch-audit-log-enabled

Ensure that an Amazon MQ broker has CloudWatch audit logging enabled. The rule is NON_COMPLIANT if the broker does not have audit logging enabled.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

eks-cluster-logging-enabled

Ensure that an Amazon Elastic Kubernetes Service (Amazon EKS) cluster is configured with logging enabled. The rule is NON_COMPLIANT if logging for Amazon EKS clusters is not enabled for all log types.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

elastic-beanstalk-logs-to-cloudwatch

Ensure that AWS Elastic Beanstalk environments are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if the value of `StreamLogs` is false.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

step-functions-state-machine-logging-enabled

Ensure that AWS Step Functions state machines have logging enabled. The rule is NON_COMPLIANT if a state machine does not have logging enabled or the logging configuration is not at the minimum level provided.
A1.2.1 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

netfw-logging-enabled

Ensure that AWS Network Firewall firewalls have logging enabled. The rule is NON_COMPLIANT if a logging type is not configured. You can specify which logging type you want the rule to check.
A1.2.3 Multi-tenant service providers facilitate logging and incident response for all customers. (PCI-DSS-v4.0)

security-account-information-provided

Ensure that you have provided security contact information for your AWS account contacts. The rule is NON_COMPLIANT if security contact information within the account is not provided.
A3.2.5.1 PCI DSS scope is documented and validated. (PCI-DSS-v4.0)

macie-auto-sensitive-data-discovery-check

Ensure that automated sensitive data discovery is enabled for Amazon Macie. The rule is NON_COMPLIANT if automated sensitive data discovery is disabled. The rule is APPLICABLE for administrator accounts and NOT_APPLICABLE for member accounts.
A3.2.5.1 PCI DSS scope is documented and validated. (PCI-DSS-v4.0)

macie-status-check

Ensure that Amazon Macie is enabled in your account per region. The rule is NON_COMPLIANT if the 'status' attribute is not set to 'ENABLED'.
A3.2.5.2 PCI DSS scope is documented and validated. (PCI-DSS-v4.0)

macie-auto-sensitive-data-discovery-check

Ensure that automated sensitive data discovery is enabled for Amazon Macie. The rule is NON_COMPLIANT if automated sensitive data discovery is disabled. The rule is APPLICABLE for administrator accounts and NOT_APPLICABLE for member accounts.
A3.2.5.2 PCI DSS scope is documented and validated. (PCI-DSS-v4.0)

macie-status-check

Ensure that Amazon Macie is enabled in your account per region. The rule is NON_COMPLIANT if the 'status' attribute is not set to 'ENABLED'.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

cloudwatch-alarm-settings-check

Ensure that CloudWatch alarms with the given metric name have the specified settings.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
A3.3.1 PCI DSS is incorporated into business-as-usual (BAU) activities. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (Amazon SNS) delivery status logging is enabled for notification messages sent from a topic to its endpoints. The rule is NON_COMPLIANT if delivery status notification for messages is not enabled.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

neptune-cluster-snapshot-public-prohibited

Ensure that Amazon Neptune manual DB cluster snapshots are not public. The rule is NON_COMPLIANT if any existing or newly created Neptune cluster snapshot is public.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

docdb-cluster-snapshot-public-prohibited

Ensure that Amazon DocumentDB manual cluster snapshots are not public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

backup-recovery-point-manual-deletion-disabled

Ensure that a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement (statement with backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy permissions).
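The backup-recovery-point-manual-deletion-disabled row above spells out what a "suitable Deny statement" must cover. The following Python is an added example, not AWS code and not part of this page, that parses a vault's resource-based policy and reports which of the three required actions are still not denied. It assumes the vault dict carries the policy JSON under "accessPolicy" and, going slightly beyond the rule text, credits only unconditional Deny statements with Principal "*" (a Deny scoped to one principal or gated by a Condition can be bypassed by whoever it omits); the sample policies are constructed.

```python
"""Offline check mirroring backup-recovery-point-manual-deletion-disabled.

Added example (not AWS code). The vault dict is assumed to carry the
resource-based policy JSON under "accessPolicy"; sample policies are
constructed. Only unconditional Deny statements with Principal "*" and an
"Action" element are credited, which keeps the check conservative.
"""
import fnmatch
import json

REQUIRED_DENIED_ACTIONS = frozenset({
    "backup:DeleteRecoveryPoint",
    "backup:UpdateRecoveryPointLifecycle",
    "backup:PutBackupVaultAccessPolicy",
})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively and may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _applies_to_all_principals(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def denied_actions(policy):
    """Required actions covered by an unconditional, all-principal Deny."""
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "NotAction" in stmt or stmt.get("Condition"):
            continue
        if not _applies_to_all_principals(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        covered.update(a for a in REQUIRED_DENIED_ACTIONS
                       if any(_action_matches(p, a) for p in patterns))
    return covered


def missing_denies(vault):
    """Required actions not yet denied by the vault policy (empty set = good)."""
    doc = vault.get("accessPolicy")
    if not doc:
        return set(REQUIRED_DENIED_ACTIONS)
    policy = json.loads(doc) if isinstance(doc, str) else doc
    return set(REQUIRED_DENIED_ACTIONS) - denied_actions(policy)


def evaluate_backup_vault(vault):
    return "COMPLIANT" if not missing_denies(vault) else "NON_COMPLIANT"


# Constructed sample policies.
LOCKED_VAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRecoveryPointDeletion",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["backup:DeleteRecoveryPoint",
                   "backup:UpdateRecoveryPointLifecycle",
                   "backup:PutBackupVaultAccessPolicy"],
        "Resource": "*",
    }],
})
# Denies deletion but leaves the lifecycle and the policy itself changeable, so
# a principal with IAM rights can shorten retention or simply replace the Deny.
PARTIAL_VAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*",
        "Action": "backup:DeleteRecoveryPoint", "Resource": "*",
    }],
})

if __name__ == "__main__":
    for label, doc in [("locked", LOCKED_VAULT_POLICY),
                       ("partial", PARTIAL_VAULT_POLICY), ("none", None)]:
        vault = {"backupVaultName": "pci-vault", "accessPolicy": doc}
        print(label, evaluate_backup_vault(vault), sorted(missing_denies(vault)))
```

Before applying a policy like LOCKED_VAULT_POLICY to a real vault, remember that a Deny with Principal "*" binds every principal in the account, administrators included, so decide in advance how the policy will ever be changed or removed.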
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

emr-block-public-access

Ensure that an account with Amazon EMR has block public access settings enabled. The rule is NON_COMPLIANT if BlockPublicSecurityGroupRules is false, or if true, ports other than Port 22 are listed in PermittedPublicSecurityGroupRuleRanges.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

secretsmanager-secret-unused

Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is NON_COMPLIANT if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

s3-access-point-public-access-blocks

Ensure that Amazon S3 access points have block public access settings enabled. The rule is NON_COMPLIANT if block public access settings are not enabled for S3 access points.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

s3-account-level-public-access-blocks

Ensure that the required public access block settings are configured at the account level. The rule is NON_COMPLIANT only when the fields set in the rule parameters do not match the corresponding fields in the configuration item.
A3.4.1 Logical access to the cardholder data environment is controlled and managed. (PCI-DSS-v4.0)

s3-bucket-mfa-delete-enabled

Ensure that MFA Delete is enabled in the Amazon Simple Storage Service (Amazon S3) bucket versioning configuration. The rule is NON_COMPLIANT if MFA Delete is not enabled.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

api-gw-xray-enabled

Ensure that AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudformation-stack-notification-check

Ensure that your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally ensure that specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

ec2-instance-detailed-monitoring-enabled

Ensure that detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-action-check

Ensure that CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally ensure that any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-resource-check

Ensure that a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

cloudwatch-alarm-settings-check

Ensure that CloudWatch alarms with the given metric name have the specified settings.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

wafv2-rulegroup-logging-enabled

Ensure that Amazon CloudWatch security metrics collection on AWS WAFv2 rule groups is enabled. The rule is NON_COMPLIANT if the 'VisibilityConfig.CloudWatchMetricsEnabled' field is set to false.
A3.5.1 Suspicious events are identified and responded to. (PCI-DSS-v4.0)

sns-topic-message-delivery-notification-enabled

Ensure that Amazon Simple Notification Service (Amazon SNS) delivery status logging is enabled for notification messages sent from a topic to its endpoints. The rule is NON_COMPLIANT if delivery status notification for messages is not enabled.

Template

The template is available on GitHub: Operational Best Practices for PCI DSS 4.0 (Including global resource types).