CloudWiki

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Compliance checks for Amazon Web Services

Severity   Check
Warning    Ensure Kinesis Data Stream encryption is enabled
Critical   Ensure root user has MFA enabled
Info       EC2 large instance create alarm
Info       Internet Gateway (IGW) changes alarm
Critical   Ensure no root account access key exists
Info       Ensure EKS private access is enabled
Critical   Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical   Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical   Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical   Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Critical   Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
Critical   Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
Critical   Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
Critical   Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
Critical   Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
Critical   Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
Critical   Ensure there is no unrestricted inbound access to TCP port 137 (NetBIOS)
Critical   Ensure there is no unrestricted inbound access to TCP port 139 (NetBIOS)
Critical   Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
Critical   Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
Critical   Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
Critical   Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
Critical   Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical   Ensure there is no unrestricted inbound access to TCP port 1521 (Oracle DB)
Critical   Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
Critical   Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
Critical   Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
Info       Route Table changes alarm
Info       IAM Policy changes alarm
Info       S3 Bucket changes alarm
Info       Security Group (SG) changes alarm
Critical   Ensure SageMaker Notebook data is encrypted
Info       VPC Peering changes alarm
Info       Transit Gateway (TGW) changes alarm
Info       NAT Gateway changes alarm
Info       VPC changes alarm
Warning    Ensure SageMaker Notebook direct internet access is disabled
Warning    Ensure Amazon SageMaker Notebook Instance is in a VPC
Warning    IAM user inline policy is overly permissive
Critical   Ensure EBS snapshots are not publicly accessible
Warning    Ensure EBS snapshots are encrypted
Critical   Ensure IAM password policy expires passwords within 90 days or less
Warning    Ensure IAM password policy requires a minimum length of 14 or greater
Warning    Ensure IAM password policy requires at least one symbol
Warning    Ensure IAM password policy requires at least one uppercase letter
Warning    Ensure IAM password policy requires at least one number
Warning    Ensure IAM password policy requires at least one lowercase letter
Warning    Ensure IAM password policy prevents password reuse
Info       Ensure RDS is not using the default port 1433
Warning    Ensure security groups do not have ingress open to any address (0.0.0.0/0)
Warning    Ensure that S3 buckets are configured with "Block public access"
Critical   S3 bucket is public
Critical   Ensure Lambda functions prohibit public access
Info       Lambda functions should be in a VPC
Warning    Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2
Warning    Ensure IAM users receive permissions only through groups
Warning    Ensure S3 object versioning is enabled
Critical   Ensure RDS database instances are not accessible via the Internet (network and API)
Warning    Ensure VPC flow logging is enabled in all VPCs
Warning    Ensure node-to-node encryption is enabled for OpenSearch clusters
Warning    Ensure OpenSearch data-at-rest encryption is enabled
Warning    IAM group inline policy is overly permissive
Warning    Ensure default security groups do not allow unrestricted traffic
Warning    Ensure CloudFront distributions enforce the HTTPS protocol for data in transit
Warning    Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
Critical   Ensure Lambda function resource-based policy does not allow public access
Warning    Ensure that CloudFront distributions are not using insecure SSL protocols
Warning    VPC endpoint is publicly accessible
Critical   Ensure all IAM users with console access have MFA enabled
Warning    Ensure CloudTrail logs are encrypted at rest
Warning    Ensure EBS volumes are encrypted
Critical   Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning    Ensure EKS public access is disabled
Warning    Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning    Ensure SQS encryption is enabled
Warning    Ensure SNS encryption is enabled
Warning    Ensure S3 buckets have server access logging enabled to track access requests
Warning    Ensure data stored in the S3 bucket is securely encrypted at rest
Warning    Ensure CloudFront web distributions enforce field-level encryption
Info       Ensure RDS is not using the default port 3306
Info       Ensure RDS is not using the default port 1521
Info       Ensure RDS is not using the default port 5432
Critical   Ensure RDS database instances have storage encryption enabled