View Categories

Implementing PCI DSS 3 2 1 Regional in AWS

Print Friendly, PDF & Email
BenchmarkRule IDTitleService TypeResource Type
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0008Trails lacks integration with CloudWatchCloudTrailTrails
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0010CloudTrail Logs are not encrypted using KMS Customer Master Keys (CMKs).CloudTrailTrails
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0012CloudTrail Log File Validation is DisabledCloudTrailTrails
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0017AWS Config Recorders Not EnabledConfigServiceConfigurationRecorders
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0020Non-empty Default Security Group RulesetsEC2SecurityGroups
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0022Publicly Accessible EBS SnapshotEC2Snapshots
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0033-08Security Group Allows Unrestricted Access through “SSH” Well-Known PortEC2SecurityGroups
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0092Rotation disabled for KMS Symmetric Customer Master Keys (CMKs)KMSKeys
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0110The RDS Instance is Publicly AccessibleRDSDBInstances
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0116Publicly Accessible RDS DB SnapshotRDSDBSnapshot
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0119Redshift Cluster is Publicly accessibleRedshiftCluster
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0149Encryption should be enabled at-rest in CloudTrail.CloudTrailTrails
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0164At the bucket level, the S3 Block Public Access setting needs to be enabled.S3Buckets
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0165Enabling the S3 Block Public Access setting is necessary.S3Buckets
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0167In every VPC, VPC flow logging is must to be enabled.EC2FlowLog
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0202AWS Config should be enabledConfigConfigurationRecorder
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0204Database Migration Service replication instances should not be publicDMSReplicationInstances
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0225Unused EC2 EIPs should be removedEC2Addresses
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0264Application Load Balancer should be configured to redirect all HTTP requests to HTTPSELBv2ApplicationLoadBalancer
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0276Elasticsearch domains should have encryption at-rest enabledESElasticSearchDomain
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0277Elasticsearch domains should not be publicly accessibleESElasticSearchDomain
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0288GuardDuty should be enabledGuardDutyAccount
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0294Lambda function policies should prohibit public accessLambdaLambdaFunction
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0296Lambda functions should be in a VPCLambdaLambdaFunction
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0322OpenSearch domains should have encryption at rest enabledOpensearchDomain
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0325OpenSearch domains should not be publicly accessibleOpensearchDomain
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0371S3 general purpose buckets should use cross-Region replicationS3Buckets
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0372Amazon SageMaker notebook instances should not have direct internet accessSageMakerNotebookInstances
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0382EC2 instances should be managed by AWS Systems ManagerSSMInstances
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0383EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installationSSMPatchCompliance
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0384EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANTSSMAssociationCompliance
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0397At least one CloudTrail trail should be enabledCloudTrailTrails
PCI_DSS_3_2_1_RegionalCSPM-AWS-2024-0398A log metric filter and alarm should exist for usage of the “root” userCloudWatchLogsMetricFilter