PCI DSS in Security Hub - AWS Security Hub

PCI DSS in Security Hub

The Payment Card Industry Data Security Standard (PCI DSS) is a third-party compliance framework that provides a set of rules and guidelines for safely handling credit and debit card information. The PCI Security Standards Council (SSC) creates and updates this framework.

AWS Security Hub has a PCI DSS standard to help you stay compliant with this third-party framework. You can use this standard to discover security vulnerabilities in AWS resources that handle cardholder data. We recommend enabling this standard in AWS accounts that have resources that store, process, or transmit cardholder data or sensitive authentication data. Assessments by the PCI SSC validated this standard.

Security Hub offers support for both PCI DSS v3.2.1 and PCI DSS v4.0.1. We recommend using v4.0.1 to stay current on security best practices. You can have both versions of the standard enabled at the same time. For instructions on enabling standards, see Enabling a security standard in Security Hub. If you currently use v3.2.1 but want to use only v4.0.1, enable the newer version before disabling the older version, so that there is no period during which neither version's checks are running. If you use the Security Hub integration with AWS Organizations and want to enable v4.0.1 across multiple accounts at once, we recommend using central configuration to do so.

The following sections show which controls apply to PCI DSS v3.2.1 and PCI DSS v4.0.1.

Controls that apply to PCI DSS v3.2.1

[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.3] At least one CloudTrail trail should be enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs

[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user

[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[Config.1] AWS Config should be enabled and use the service-linked role for resource recording

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be publicly restorable

[EC2.2] VPC default security groups should not allow inbound or outbound traffic

[EC2.6] VPC flow logging should be enabled in all VPCs

[EC2.12] Unused Amazon EC2 EIPs should be removed

[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22

[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[ES.1] Elasticsearch domains should have encryption at-rest enabled

[ES.2] Elasticsearch domains should not be publicly accessible

[GuardDuty.1] GuardDuty should be enabled

[IAM.1] IAM policies should not allow full "*" administrative privileges

[IAM.2] IAM users should not have IAM policies attached

[IAM.4] IAM root user access key should not exist

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.8] Unused IAM user credentials should be removed

[IAM.9] MFA should be enabled for the root user

[IAM.10] Password policies for IAM users should have strong AWS Configurations

[IAM.19] MFA should be enabled for all IAM users

[KMS.4] AWS KMS key rotation should be enabled

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.3] Lambda functions should be in a VPC

[Opensearch.1] OpenSearch domains should have encryption at rest enabled

[Opensearch.2] OpenSearch domains should not be publicly accessible

[RDS.1] RDS snapshot should be private

[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration

[Redshift.1] Amazon Redshift clusters should prohibit public access

[S3.1] S3 general purpose buckets should have block public access settings enabled

[S3.2] S3 general purpose buckets should block public read access

[S3.3] S3 general purpose buckets should block public write access

[S3.5] S3 general purpose buckets should require requests to use SSL

[S3.7] S3 general purpose buckets should use cross-Region replication

[SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access

[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager

[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

Controls that apply to PCI DSS v4.0.1

[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period

[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits

[APIGateway.9] Access logging should be configured for API Gateway V2 Stages

[AppSync.2] AWS AppSync should have field-level logging enabled

[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.5] CloudFront distributions should have logging enabled

[CloudFront.6] CloudFront distributions should have WAF enabled

[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins

[CloudTrail.2] CloudTrail should have encryption at-rest enabled

[CloudTrail.3] At least one CloudTrail trail should be enabled

[CloudTrail.4] CloudTrail log file validation should be enabled

[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[CodeBuild.3] CodeBuild S3 logs should be encrypted

[DMS.1] Database Migration Service replication instances should not be public

[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled

[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled

[DMS.12] DMS endpoints for Redis OSS should have TLS enabled

[DMS.6] DMS replication instances should have automatic minor version upgrade enabled

[DMS.7] DMS replication tasks for the target database should have logging enabled

[DMS.8] DMS replication tasks for the source database should have logging enabled

[DMS.9] DMS endpoints should use SSL

[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period

[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public

[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs

[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit

[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22

[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389

[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses

[EC2.16] Unused Network Access Control Lists should be removed

[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)

[EC2.171] EC2 VPN connections should have logging enabled

[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389

[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces

[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled

[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports

[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports

[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

[ECR.1] ECR private repositories should have image scanning configured

[ECS.10] ECS Fargate services should run on the latest Fargate platform version

[ECS.16] ECS task sets should not automatically assign public IP addresses

[ECS.2] ECS services should not have public IP addresses assigned to them automatically

[ECS.8] Secrets should not be passed as container environment variables

[EFS.4] EFS access points should enforce a user identity

[EKS.1] EKS cluster endpoints should not be publicly accessible

[EKS.2] EKS clusters should run on a supported Kubernetes version

[EKS.3] EKS clusters should use encrypted Kubernetes secrets

[EKS.8] EKS clusters should have audit logging enabled

[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled

[ElastiCache.5] ElastiCache replication groups should be encrypted in transit

[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled

[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled

[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch

[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode

[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode

[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination

[ELB.4] Application Load Balancer should be configured to drop invalid http headers

[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration

[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses

[EMR.2] Amazon EMR block public access setting should be enabled

[ES.2] Elasticsearch domains should not be publicly accessible

[ES.3] Elasticsearch domains should encrypt data sent between nodes

[ES.5] Elasticsearch domains should have audit logging enabled

[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy

[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached

[GuardDuty.1] GuardDuty should be enabled

[GuardDuty.10] GuardDuty S3 Protection should be enabled

[GuardDuty.6] GuardDuty Lambda Protection should be enabled

[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled

[GuardDuty.9] GuardDuty RDS Protection should be enabled

[IAM.10] Password policies for IAM users should have strong AWS Configurations

[IAM.11] Ensure IAM password policy requires at least one uppercase letter

[IAM.12] Ensure IAM password policy requires at least one lowercase letter

[IAM.13] Ensure IAM password policy requires at least one symbol

[IAM.14] Ensure IAM password policy requires at least one number

[IAM.16] Ensure IAM password policy prevents password reuse

[IAM.17] Ensure IAM password policy expires passwords within 90 days or less

[IAM.18] Ensure a support role has been created to manage incidents with Support

[IAM.19] MFA should be enabled for all IAM users

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.5] MFA should be enabled for all IAM users that have a console password

[IAM.6] Hardware MFA should be enabled for the root user

[IAM.7] Password policies for IAM users should have strong configurations

[IAM.8] Unused IAM user credentials should be removed

[IAM.9] MFA should be enabled for the root user

[Inspector.1] Amazon Inspector EC2 scanning should be enabled

[Inspector.2] Amazon Inspector ECR scanning should be enabled

[Inspector.3] Amazon Inspector Lambda code scanning should be enabled

[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled

[KMS.4] AWS KMS key rotation should be enabled

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use supported runtimes

[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch

[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled

[MSK.1] MSK clusters should be encrypted in transit among broker nodes

[MSK.3] MSK Connect connectors should be encrypted in transit

[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs

[Neptune.3] Neptune DB cluster snapshots should not be public

[Opensearch.10] OpenSearch domains should have the latest software update installed

[Opensearch.5] OpenSearch domains should have audit logging enabled

[RDS.13] RDS automatic minor version upgrades should be enabled

[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration

[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events

[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events

[RDS.22] An RDS event notifications subscription should be configured for critical database security group events

[RDS.24] RDS Database clusters should use a custom administrator username

[RDS.25] RDS database instances should use a custom administrator username

[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs

[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled

[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs

[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs

[RDS.9] RDS DB instances should publish logs to CloudWatch Logs

[Redshift.1] Amazon Redshift clusters should prohibit public access

[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.4] Amazon Redshift clusters should have audit logging enabled

[Route53.2] Route 53 public hosted zones should log DNS queries

[S3.1] S3 general purpose buckets should have block public access settings enabled

[S3.15] S3 general purpose buckets should have Object Lock enabled

[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys

[S3.19] S3 access points should have block public access settings enabled

[S3.22] S3 general purpose buckets should log object-level write events

[S3.23] S3 general purpose buckets should log object-level read events

[S3.24] S3 Multi-Region Access Points should have block public access settings enabled

[S3.5] S3 general purpose buckets should require requests to use SSL

[S3.8] S3 general purpose buckets should block public access

[S3.9] S3 general purpose buckets should have server access logging enabled

[SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access

[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled

[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully

[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days

[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

[StepFunctions.1] Step Functions state machines should have logging turned on

[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection

[WAF.1] AWS WAF Classic Global Web ACL logging should be enabled

[WAF.11] AWS WAF web ACL logging should be enabled