Many of our enterprise customers use Turbot guardrails to ensure continuous compliance of their cloud infrastructure with specific industry standards such as NIST 800-53 and CIS.

Beyond our Financial Services customers, many organizations need the ability to provide PCI compliance to protect cardholder data. Turbot reduces the effort required to comply with PCI regulations and enforces policies to protect Payment Card Information (PCI). It’s not enough to just be PCI compliant at audit time; Turbot helps to ensure continuous compliance with real-time corrective actions any time to eliminate configuration drift. The enterprise can ensure that DevOps teams use only PCI-eligible services, and that they securely process, transmit and store PCI data by utilizing the following guardrails:

1. Whitelist only PCI-eligible Services


Using Turbot, customers can whitelist only PCI-eligible AWS, Azure, and GCP Services, AMIs, RDS Engine Types, etc. All other services can be disabled to ensure that non-PCI compliant services are prevented from being used. The full list of eligible services is available for AWS, as part of the AoC for Azure, and GCP.

2. Enforce Encryption Standards

Turbot offers Encryption at Rest and Encryption in Transit guardrails that can be enforced across various PCI-eligible services.

4. Track and Monitor All Access to Network Resources and Cardholder Data

Turbot provides full transparency to all AWS, Azure, GCP, and Turbot configurations and events. Turbot’s Central Log Management capabilities aggregate AWS, Azure, GCP, and Turbot activity logs to regional logging buckets per account. Users can view log details through raw logs located in S3. Using the Turbot console, they can also view current and prior event history per various levels of the resource hierarchy.

5. Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters


Turbot automates security hardening of Operating Systems to CIS Benchmarks, enforcing hundreds of security settings within Windows and Linux. Turbot can perform user, group, and SSH key management, can restrict access key creation, and enforce rotation of access keys.

6. Identify and Authenticate Access to System Components

Turbot can connect to your organization’s Active Directory, LDAP, or SAML provider, and federate users across your cloud providers. The controls of these directory services (invalid login attempts, minimum lockout durations, idle session timeouts) are then extended and applied to environments where Turbot is managing permissions. Turbot can also enforce account expiration, and enforce activity timers. Turbot also performs user, group, and SSH key management within guest Operating Systems, and can perform user, group, and password management within databases. Turbot also offers support for Multi-Factor Authentication.

7. Develop and Maintain Secure Systems and Applications

Turbot can ensure that patching is up to date within instances running in your cloud environment. Turbot can enforce specific AMIs or Publishers in AWS ensuring that only selected, hardened AMIs are utilized. Turbot also integrates with your CI/CD pipeline, and can automate application deployment ensuring that the latest approved versions of custom applications have been deployed.

8. Install and Maintain a Firewall Configuration to Protect Cardholder Data

VPCs, security groups, ACLs, and other networking controls can support the firewall and network segmentation requirements of PCI compliance. Turbot can automate networking controls, control security group configuration, implement access restrictions, and enforce approved utilization of networking components.


Turbot can also ensure that networking components are configured correctly, in accordance with your policies, to prevent inadvertent exposure of data, and can provide protection of data from being exposed with anonymous access. Turbot’s routing guardrails enforce that resources only live in approved boundaries (e.g. Public, Intranet, Private in VPC).


9. Whitelist Regions

Turbot can ensure that only PCI certified regions are utilized for data storage and data processing. By configuring the “Approved Regions” Policies, Turbot can ensure that data is only placed in PCI compliant regions / cloud provider data centers that have been PCI certified. Turbot allows you to configure approved regions for individual services, and can include different approved regions for each service.

10. Regularly Test Security Systems and Processes

In any computing environment, the risk is rarely in the platform. The risk is what people do with the platform. It is not enough to ensure point-in-time compliance during deployments. Over time application and infrastructure configurations drift causing inadvertent data exposure. Ensuring continuous compliance, security, and operational best practices will maintain adherence to control measures. Turbot’s Software Defined Operations help to ensure continuous compliance with your organization’s defined policies. With Turbot guardrails (preventive controls, detective controls, real-time automated corrective actions, and recurring environment scans), Turbot can ensure consistency and compliance with your policies, and can be utilized to demonstrate continuous compliance to auditors.

Contact us for more information about compliance guardrails and a full demo of how Turbot can enhance and support your cloud team.