CloudWiki
Compliance

PCI-DSS

resize
Visit website

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Compliance checks for Amazon Web Services

Low
Ensure Amazon MQ brokers Log Exports feature is enabled
APRA
CSA CCM
GDPR
HITRUST
ISO 27001
Low
Ensure Amazon MQ brokers are using the latest engine version
APRA
HITRUST
MAS
PCI-DSS
Medium
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Critical
Ensure Amazon MQ brokers are not publicly accessible
APRA
CCPA
CIS 8
GDPR
HIPAA
Low
Ensure Redshift clusters are not using default endpoint port
APRA
CCPA
GDPR
HITRUST
ISO 27001
Low
Ensure Redshift clusters are using a custom master user name instead of the default master user name
APRA
CCPA
CIS 8
GDPR
HITRUST
Medium
Ensure Redshift clusters are provisioned within a VPC
APRA
CCPA
GDPR
HIPAA
HITRUST
Medium
Ensure Redshift clusters Version Upgrade feature is enabled
APRA
MAS
NIST4
PCI-DSS
High
Ensure Redshift clusters are not publicly accessible
APRA
GDPR
HIPAA
MAS
NIST4
High
Ensure Redshift clusters are encrypted at-rest
APRA
HIPAA
MAS
NIST4
PCI-DSS
High
Ensure Database Migration Service (DMS) are not publicly accessible
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Critical
Ensure DMS instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
FedRAMP
AWS Well-Architected Framework
Low
CloudTrail changes alarm
CIS
CISAWSF
APRA
MAS
NIST4
Medium
Ensure CloudTrail Log File Integrity Validation is enabled
CISAWSF
PCI-DSS
HIPAA
GDPR
APRA
Medium
Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs
CISAWSF
PCI-DSS
GDPR
APRA
MAS
Medium
Ensure S3 buckets associated with CloudTrail trails are configured with sever access logging
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
High
Ensure CloudTrail trails record global service events
APRA
PCI-DSS
GDPR
NIST4
MAS
High
Ensure CloudTrail trails have multi-region enabled
APRA
MAS
CISAWSF
PCI-DSS
HIPAA
High
Ensure CloudTrail buckets are configured to use MFA
APRA
MAS
NIST4
GDPR
HIPAA
High
Ensure S3 buckets for CloudTrail logs are encrypted at rest
CISAWSF
GDPR
FTR
HIPAA
PCI-DSS
Critical
Ensure DocumentDB database instances have storage encryption enabled
GDPR
NIST4
NIST 800-53
HIPAA
MAS
Critical
Ensure DocumentDB database instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
Critical
Ensure access keys are rotated every 90 days or less
CIS
APRA
MAS
NIST4
NIST 800-53
Medium
Ensure Kinesis Data Stream encryption is enabled
APRA
AWS Well-Architected Framework
GDPR
HIPAA
MAS
Critical
Ensure root user has mfa enabled
CIS
ISO 27001
CSA CCM
SOC2
GDPR
Low
EC2 large instance create alarm
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Internet Gateway (IGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure no root account access key exists
CIS
ISO 27001
CSA CCM
SOC2
GDPR
Low
Ensure EKS Private access is enabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
Critical
Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
APRA
AWS Well-Architected Framework
CISAWSF
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
ISO 27001
PCI-DSS
HITRUST
NIST 800-53
CIS
Critical
Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
ISO 27001
GDPR
PCI-DSS
CIS
CISAWSF
Critical
Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
CIS
PCI-DSS
APRA
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 137 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 139 (NetBios)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 9200 (ElasticSearch)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
APRA
AWS Well-Architected Framework
CSA CCM
MAS
NIST4
Critical
Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
APRA
AWS Well-Architected Framework
MAS
NIST4
PCI-DSS
Critical
Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Low
Route Table changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
IAM Policy changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
S3 Bucket changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
Security Group (SG) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Critical
Ensure SageMaker Notebook Data is Encrypted
APRA
GDPR
HIPAA
MAS
NIST4
Low
VPC Peering changes alarm
CIS
PCI-DSS
APRA
MAS
NIST4
Low
Transit Gateway (TGW) changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
NAT Gateway changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Low
VPC changes alarm
CIS
CISAWSF
PCI-DSS
APRA
MAS
Medium
Ensure SageMaker Notebook Direct Internet Access is disabled
APRA
GDPR
HIPAA
NIST4
PCI-DSS
Medium
Ensure Amazon SageMaker Notebook Instance is in VPC
APRA
AWS Well-Architected Framework
MAS
PCI-DSS
Medium
IAM user inline policy is over permissive
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure EBS snapshots are not publicly accessible
GDPR
NIST4
PCI-DSS
AWS Well-Architected Framework
HITRUST
Medium
Ensure EBS snapshots are encrypted
PCI-DSS
GDPR
HIPAA
NIST4
HITRUST
Critical
Ensure IAM password policy expires passwords within 90 days or less
ISO 27001
CSA CCM
SOC2
PCI-DSS
APRA
Medium
Ensure IAM password policy requires minimum length of 14 or greater
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure IAM password policy require at least one symbol
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy requires at least one uppercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
HIPAA
Medium
Ensure IAM password policy require at least one number
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
GDPR
Medium
Ensure IAM password policy require at least one lowercase letter
APRA
AWS Well-Architected Framework
CISAWSF
PCI-DSS
ISO 27001
Medium
Ensure IAM password policy prevents password reuse
CIS
ISO 27001
SOC2
GDPR
PCI-DSS
Low
Ensure RDS is not using the default port 1433
APRA
AWS Well-Architected Framework
NIST4
PCI-DSS
NIST 800-53
Medium
Ensure security groups do not have ingress open to any (0.0.0.0/0)
CIS
PCI-DSS
APRA
MAS
NIST4
Medium
Ensure security groups do not have all ports open
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
HIPAA
HITRUST
Medium
Ensure that S3 Buckets are configured with "Block public access"
GDPR
ISO 27001
PCI-DSS
SOC2
HITRUST
Critical
S3 bucket is public
CIS
GDPR
PCI-DSS
NIST 800-53
Critical
Ensure Lambda functions prohibit public access
PCI-DSS
HITRUST
ISO 27701
AWS Foundational Security Best Practices Controls
Low
Lambda functions should be in a VPC
PCI-DSS
CIS 8
NIST 800-53
HITRUST
Medium
Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
PCI-DSS
HIPAA
Medium
Ensure IAM users receive permissions only through groups
AWS Well-Architected Framework
CIS
CISAWSF
SOC2
PCI-DSS
Medium
Ensure S3 object versioning is enabled
PCI-DSS
APRA
MAS
NIST4
AWS Well-Architected Framework
Critical
Ensure RDS database instances are not accessible via Internet (Network and API)
CIS
SOC2
PCI-DSS
Medium
Ensure VPC flow logging is enabled in all VPCs
CIS
SOC2
GDPR
ISO 27001
PCI-DSS
Medium
Ensure node-to-node encryption is enabled for OpenSearch clusters
AWS Foundational Security Best Practices Controls
PCI-DSS
NIST 800-53
Medium
Ensure OpenSearch data at rest encryption is enabled
AWS Foundational Security Best Practices Controls
PCI-DSS
CIS 8
NIST 800-53
CSA CCM
Medium
IAM Group inline policy is over permissive
PCI-DSS
FTR
CIS 8
NIST 800-53
HITRUST
Medium
Ensure default security groups do not allow unrestricted traffic
APRA
CISAWSF
SOC2
PCI-DSS
GDPR
Medium
Ensure CloudFront distribution enforce HTTPS protocol for data in-transit
AWS Well-Architected Framework
HIPAA
NIST4
PCI-DSS
CIS 8
Medium
Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
AWS Well-Architected Framework
PCI-DSS
HIPAA
MAS
NIST4
Critical
Ensure Lambda function resource based policy does not allow public access
GDPR
PCI-DSS
Medium
Ensure that Cloudfront distribution is not using insecure SSL protocols
APRA
HIPAA
MAS
NIST4
PCI-DSS
Medium
VPC endpoint is publicly accessible
APRA
AWS Well-Architected Framework
GDPR
MAS
NIST4
Critical
Ensure all IAM users with console access have MFA enabled
CIS
SOC2
GDPR
ISO 27001
FTR
Medium
Ensure OpenSearch domains are in a VPC
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
PCI-DSS
GDPR
Medium
Ensure CloudTrail logs are encrypted at rest
CISAWSF
SOC2
PCI-DSS
GDPR
HIPAA
Medium
Ensure EBS volumes are encrypted
APRA
MAS
NIST4
CIS
ISO 27001
Critical
Ensure the S3 bucket for CloudTrail logs is not publicly accessible
CIS
HIPAA
GDPR
APRA
MAS
Medium
Ensure EKS Public access is disabled
APRA
CIS
CISAWSF
CIS EKS
GDPR
All Compliances
APRA
AWS Foundational Security Best Practices Controls
AWS Well-Architected Framework
CCPA
CIS
CIS 8
CIS EKS
CISAWSF
CSA CCM
FTR
FedRAMP
GDPR
HIPAA
HITRUST
ISO 27001
ISO 27701
MAS
NIST 800-53
NIST4
PCI-DSS
SOC2