@turbot/aws-pciv3-2-1

Release Notes

5.0.4 (2022-11-23)

Bug fixes

  • The AWS > PCI v3.2.1 > CloudWatch > 1 A log metric filter and alarm should exist for usage of the 'root' user control would sometimes go into an error state because of an incorrect GraphQL query for metric names. This is fixed and the control will now work as expected.

5.0.3 (2022-08-09)

Bug fixes

  • The AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed control would incorrectly move to an error state while determining whether security groups were attached to network interfaces. This is fixed and the control will now work as expected.

5.0.2 (2022-06-21)

Bug fixes

  • The AWS > PCI v3.2.1 > CloudTrail > 2 CloudTrail should be enabled control will now also check for shadow trails to evaluate the outcome correctly.

5.0.1 (2022-04-22)

Bug fixes

  • Earlier, the control overview and recommendations for PCI controls didn't clearly indicate what each control checked and how it was evaluated. The descriptions for these controls have now been updated to be more informative and helpful for users.

5.0.0 (2022-03-31)

Control Types

Added

  • AWS > PCI v3.2.1
  • AWS > PCI v3.2.1 > Auto Scaling
  • AWS > PCI v3.2.1 > Auto Scaling > 1 Auto Scaling groups associated with a load balancer should use health checks
  • AWS > PCI v3.2.1 > CloudTrail
  • AWS > PCI v3.2.1 > CloudTrail > 1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs
  • AWS > PCI v3.2.1 > CloudTrail > 2 CloudTrail should be enabled
  • AWS > PCI v3.2.1 > CloudTrail > 3 CloudTrail log file validation should be enabled
  • AWS > PCI v3.2.1 > CloudTrail > 4 CloudTrail trails should be integrated with CloudWatch Logs
  • AWS > PCI v3.2.1 > CloudWatch
  • AWS > PCI v3.2.1 > CloudWatch > 1 A log metric filter and alarm should exist for usage of the 'root' user
  • AWS > PCI v3.2.1 > CodeBuild
  • AWS > PCI v3.2.1 > CodeBuild > 1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
  • AWS > PCI v3.2.1 > CodeBuild > 2 CodeBuild project environment variables should not contain clear text credentials
  • AWS > PCI v3.2.1 > Config
  • AWS > PCI v3.2.1 > Config > 1 AWS Config should be enabled
  • AWS > PCI v3.2.1 > DMS
  • AWS > PCI v3.2.1 > DMS > 1 AWS Database Migration Service replication instances should not be public
  • AWS > PCI v3.2.1 > EC2
  • AWS > PCI v3.2.1 > EC2 > 1 Amazon EBS snapshots should not be publicly restorable
  • AWS > PCI v3.2.1 > EC2 > 2 VPC default security group should prohibit inbound and outbound traffic
  • AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
  • AWS > PCI v3.2.1 > EC2 > 4 Unused EC2 EIPs should be removed
  • AWS > PCI v3.2.1 > EC2 > 5 Security groups should not allow ingress from 0.0.0.0/0 to port 22
  • AWS > PCI v3.2.1 > EC2 > 6 VPC flow logging should be enabled in all VPCs
  • AWS > PCI v3.2.1 > ELBV2
  • AWS > PCI v3.2.1 > ELBV2 > 1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
  • AWS > PCI v3.2.1 > Elasticsearch
  • AWS > PCI v3.2.1 > Elasticsearch > 1 Amazon Elasticsearch Service domains should be in a VPC
  • AWS > PCI v3.2.1 > Elasticsearch > 2 Amazon Elasticsearch Service domains should have encryption at rest enabled
  • AWS > PCI v3.2.1 > GuardDuty
  • AWS > PCI v3.2.1 > GuardDuty > 1 GuardDuty should be enabled
  • AWS > PCI v3.2.1 > IAM
  • AWS > PCI v3.2.1 > IAM > 1 IAM root user access key should not exist
  • AWS > PCI v3.2.1 > IAM > 2 IAM users should not have IAM policies attached
  • AWS > PCI v3.2.1 > IAM > 3 IAM policies should not allow full '*' administrative privileges
  • AWS > PCI v3.2.1 > IAM > 4 Hardware MFA should be enabled for the root user
  • AWS > PCI v3.2.1 > IAM > 5 Virtual MFA should be enabled for the root user
  • AWS > PCI v3.2.1 > IAM > 6 MFA should be enabled for all IAM users
  • AWS > PCI v3.2.1 > IAM > 7 IAM user credentials should be disabled if not used within a predefined number of days
  • AWS > PCI v3.2.1 > IAM > 8 Password policies for IAM users should have strong configurations
  • AWS > PCI v3.2.1 > KMS
  • AWS > PCI v3.2.1 > KMS > 1 Customer master key (CMK) rotation should be enabled
  • AWS > PCI v3.2.1 > Lambda
  • AWS > PCI v3.2.1 > Lambda > 1 Lambda functions should prohibit public access
  • AWS > PCI v3.2.1 > Lambda > 2 Lambda functions should be in a VPC
  • AWS > PCI v3.2.1 > RDS
  • AWS > PCI v3.2.1 > RDS > 1 RDS snapshots should prohibit public access
  • AWS > PCI v3.2.1 > RDS > 2 RDS DB Instances should prohibit public access
  • AWS > PCI v3.2.1 > Redshift
  • AWS > PCI v3.2.1 > Redshift > 1 Amazon Redshift clusters should prohibit public access
  • AWS > PCI v3.2.1 > S3
  • AWS > PCI v3.2.1 > S3 > 1 S3 buckets should prohibit public write access
  • AWS > PCI v3.2.1 > S3 > 2 S3 buckets should prohibit public read access
  • AWS > PCI v3.2.1 > S3 > 3 S3 buckets should have cross-region replication enabled
  • AWS > PCI v3.2.1 > S3 > 4 S3 buckets should have server-side encryption enabled
  • AWS > PCI v3.2.1 > S3 > 5 S3 buckets should require requests to use Secure Socket Layer
  • AWS > PCI v3.2.1 > S3 > 6 S3 Block Public Access setting should be enabled
  • AWS > PCI v3.2.1 > SSM
  • AWS > PCI v3.2.1 > SSM > 1 Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
  • AWS > PCI v3.2.1 > SSM > 2 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
  • AWS > PCI v3.2.1 > SSM > 3 EC2 instances should be managed by AWS Systems Manager
  • AWS > PCI v3.2.1 > SageMaker
  • AWS > PCI v3.2.1 > SageMaker > 1 Amazon SageMaker notebook instances should not have direct internet access

Policy Types

Added

  • AWS > PCI v3.2.1