Benchmark | Rule ID | Title | Service Type | Resource Type |
---|---|---|---|---|
PCI_DSS_3_2_1 | CSPM-AWS-2024-0008 | Trail lacks integration with CloudWatch | CloudTrail | Trails |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0010 | CloudTrail Logs are not encrypted using KMS Customer Master Keys (CMKs). | CloudTrail | Trails |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0012 | CloudTrail Log File Validation is Disabled | CloudTrail | Trails |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0017 | AWS Config Recorders Not Enabled | ConfigService | ConfigurationRecorders |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0020 | Non-empty Default Security Group Rulesets | EC2 | SecurityGroups |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0022 | Publicly Accessible EBS Snapshot | EC2 | Snapshots |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0033-08 | Security Group Allows Unrestricted Access through “SSH” Well-Known Port | EC2 | SecurityGroups |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0068 | Password Expiration Threshold Is Not Configured or Exceeds the Specified Limit | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0069 | The Minimum Password Length for IAM is Short. | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0070 | Password Expiration Disabled | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0071 | Password Policy Does Not Mandate Lowercase Characters | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0072 | Password Policy Does Not Mandate a Number | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0073 | Password Policy Does Not Mandate a Symbol | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0074 | Password Policy Does Not Mandate Uppercase Characters | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0075 | Password Policy Allows Reuse of Passwords | IAM | AccountPasswordPolicy |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0077 | No Hardware MFA for Root Account | IAM | CredentialReport |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0078 | No MFA for Root Account | IAM | CredentialReport |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0091 | User without MFA | IAM | Users |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0092 | Rotation disabled for KMS Symmetric Customer Master Keys (CMKs) | KMS | Keys |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0110 | The RDS Instance is Publicly Accessible | RDS | DBInstances |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0116 | Publicly Accessible RDS DB Snapshot | RDS | DBSnapshot |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0119 | Redshift Cluster is Publicly Accessible | Redshift | Cluster |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0149 | Encryption should be enabled at-rest in CloudTrail. | CloudTrail | Trails |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0159 | IAM Managed policies should not allow full “*” administrative privileges | IAM | Policies |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0164 | S3 Block Public Access should be enabled at the bucket level. | S3 | Buckets |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0165 | Enabling the S3 Block Public Access setting is necessary. | S3 | Buckets |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0167 | VPC flow logging must be enabled in every VPC. | EC2 | FlowLog |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0169 | Verify that there are no active access keys associated with the root user account | IAM | AccountSummary |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0202 | AWS Config should be enabled | Config | ConfigurationRecorder |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0204 | Database Migration Service replication instances should not be public | DMS | ReplicationInstances |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0225 | Unused EC2 EIPs should be removed | EC2 | Addresses |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0264 | Application Load Balancer should be configured to redirect all HTTP requests to HTTPS | ELBv2 | ApplicationLoadBalancer |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0276 | Elasticsearch domains should have encryption at-rest enabled | ES | ElasticSearchDomain |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0277 | Elasticsearch domains should not be publicly accessible | ES | ElasticSearchDomain |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0288 | GuardDuty should be enabled | GuardDuty | Account |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0294 | Lambda function policies should prohibit public access | Lambda | LambdaFunction |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0296 | Lambda functions should be in a VPC | Lambda | LambdaFunction |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0322 | OpenSearch domains should have encryption at rest enabled | Opensearch | Domain |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0325 | OpenSearch domains should not be publicly accessible | Opensearch | Domain |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0371 | S3 general purpose buckets should use cross-Region replication | S3 | Buckets |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0372 | Amazon SageMaker notebook instances should not have direct internet access | SageMaker | NotebookInstances |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0382 | EC2 instances should be managed by AWS Systems Manager | SSM | Instances |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0383 | EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation | SSM | PatchCompliance |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0384 | EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT | SSM | AssociationCompliance |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0397 | At least one CloudTrail trail should be enabled | CloudTrail | Trails |
PCI_DSS_3_2_1 | CSPM-AWS-2024-0398 | A log metric filter and alarm should exist for usage of the “root” user | CloudWatchLogs | MetricFilter |