In April 2023, Stax released the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 Rule Bundle to help organizations validate their compliance against the standard.
The Rule Bundle focuses on a subset of PCI DSS requirements and enables organizations to assess their AWS environment against these controls. It is recommended that you enable this Bundle in all accounts that have resources that store, process, or transmit cardholder data. This Bundle cannot guarantee that your organization will pass a PCI DSS assessment, nor can it verify whether your environment is compliant with the PCI DSS standard. It's important to take the following into consideration:
- Incomplete coverage: The rule bundle can only validate controls that can be evaluated programmatically against AWS resources. Requirements that concern people, processes, documentation, or systems outside AWS are not covered, so you still need to review the standard itself to confirm that every requirement is addressed.
- Scope: By default, the rules are evaluated against all of your accounts and resources, but it is unlikely that all of them are in scope for PCI DSS. You may therefore need to disable some rules, or exclude specific out-of-scope resources, so that they do not generate alerts.
- Interpretation: Results need to be interpreted in the context of your AWS environment and of how each rule maps to the PCI DSS requirement it represents. Make sure you understand what a given pass or fail actually says about your compliance with that requirement.
- Review failures: A compliance failure or alert does not always mean there is a security risk; it means only that the resource failed the check as written and should be reviewed by a person.
Why are some of my Stax-managed resources failing PCI DSS checks?
You may notice some Stax-managed resources failing in the PCI DSS Rule Bundle. This is because the rules apply a literal interpretation of the standard and do not take into account Stax's own tested mitigations and controls. Stax-managed resources are part of Stax's own PCI DSS scope, which Stax continually maintains against the PCI DSS framework; they are not part of the customer's scope for security compliance audits. For more information, you may request a copy of the Stax PCI DSS Responsibility Matrix.
If you do not want these failures reflected in your compliance score, you can disable the rule or exclude the failing resource from evaluation by the rule. The affected rules are listed below.
A log metric filter and alarm should exist for usage of the "root" user
This control verifies that a CloudWatch Logs metric filter and alarm are configured on the CloudTrail log group to provide visibility of root user activity across all accounts. This helps organizations confirm that the root user is not used for day-to-day tasks and is reserved for the account and service management tasks that require it.
Stax configures CloudTrail as an organization trail at the AWS Organization level as part of Stax Assurance, in line with AWS best practice. CloudTrail logs for every account in your organization are delivered to, and stored in, the management account only, so the metric filter and alarm are configured only in the management account. Member accounts have no metric filter of their own, which is why the check fails in each of them even though their root activity is covered by the central filter.
| Field | Value |
|---|---|
| Failing resources | All AWS Organization member accounts |
| PCI DSS requirement | Establish an access control system(s) for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. |
| Recommendation | Ignore all failing resources in all member accounts |
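The following is an added example, not Stax's code or part of the original page. It applies the metric filter pattern that this check expects (the root-usage pattern from the CIS AWS Foundations Benchmark) to a handful of constructed CloudTrail records, so you can see which events count as root usage and why one filter on the centralized organization trail covers every member account. The account IDs, event names and log lines are all constructed for the example; the `aws` CLI commands in the comments are the standard calls for creating the filter and alarm in the management account, with placeholder names.

```python
import json
from collections import Counter

# Metric filter pattern used by the CIS AWS Foundations Benchmark root-usage
# control, which is what the "root user" metric filter check looks for on the
# CloudTrail log group. The two extra clauses matter: they exclude calls a
# service made on the root user's behalf (invokedBy) and AWS service events.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# In the management account (where the organization trail's log group lives)
# the filter and alarm would be created with, for example:
#   aws logs put-metric-filter --log-group-name <org-trail-log-group> \
#     --filter-name RootUsage --filter-pattern "$ROOT_USAGE_PATTERN" \
#     --metric-transformations metricName=RootUsageCount,metricNamespace=CISBenchmark,metricValue=1
#   aws cloudwatch put-metric-alarm --alarm-name RootUsage --metric-name RootUsageCount \
#     --namespace CISBenchmark --statistic Sum --period 300 --threshold 1 \
#     --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
#     --alarm-actions <sns-topic-arn>


def is_root_usage(event: dict) -> bool:
    """Python equivalent of ROOT_USAGE_PATTERN for a single CloudTrail record."""
    identity = event.get("userIdentity") or {}
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )


def root_usage_by_account(log_lines) -> dict:
    """Emulate the metric transformation (metricValue=1 per matching record),
    broken down by the account the record belongs to. Because an organization
    trail carries recipientAccountId on every record, a single filter in the
    management account sees root activity from every member account."""
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_root_usage(event):
            counts[event.get("recipientAccountId", "unknown")] += 1
    return dict(counts)


# Constructed CloudTrail records (newline-delimited JSON, as delivered to
# CloudWatch Logs). Account IDs and names are made up for the example.
SAMPLE_LOG_LINES = [
    # Root console sign-in in a member account: counts.
    json.dumps({"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "recipientAccountId": "111111111111",
                "userIdentity": {"type": "Root", "accountId": "111111111111",
                                 "arn": "arn:aws:iam::111111111111:root"}}),
    # Ordinary IAM user activity: does not count.
    json.dumps({"eventType": "AwsApiCall", "eventName": "GetCallerIdentity",
                "recipientAccountId": "222222222222",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    # Root credentials, but a service made the call on its behalf: excluded.
    json.dumps({"eventType": "AwsApiCall", "eventName": "DescribeStacks",
                "recipientAccountId": "222222222222",
                "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}}),
    # AWS-initiated service event attributed to root: excluded.
    json.dumps({"eventType": "AwsServiceEvent", "eventName": "RotateKey",
                "recipientAccountId": "333333333333",
                "userIdentity": {"type": "Root"}}),
    # Root making an API call directly in another member account: counts.
    json.dumps({"eventType": "AwsApiCall", "eventName": "CreateUser",
                "recipientAccountId": "222222222222",
                "userIdentity": {"type": "Root", "accountId": "222222222222"}}),
]

if __name__ == "__main__":
    print(root_usage_by_account(SAMPLE_LOG_LINES))
```

The `invokedBy` and `AwsServiceEvent` exclusions are what keep the alarm quiet when AWS itself acts under the root identity; without them the alarm fires on routine service activity and the signal gets ignored. The per-account breakdown is the point of the central filter: the member accounts fail the literal check, but their root activity is still alarmed on from the management account.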
S3 buckets should have replication enabled
Stax currently does not enable S3 Same-Region or Cross-Region replication on any S3 buckets deployed to Stax-managed AWS accounts.
All Stax-managed S3 buckets have the following mitigating controls and AWS best practices applied:
- Bucket versioning enabled
- Access logging enabled
- Termination protection enforced
- SCPs and permissions preventing unauthorized write access and deletion
- Block Public Access setting
In addition to the above controls, the S3 storage classes themselves are designed for 99.999999999% (eleven 9s) durability, with objects stored redundantly across multiple Availability Zones in the standard storage classes.
Before enabling S3 replication, assess alternatives such as AWS Backup for S3, and review the related PCI requirement to confirm that replication is a meaningful control for your organization rather than a literal reading of the check.
Enabling S3 replication incurs additional charges for the replicated storage, the replication requests and, for Cross-Region Replication, the inter-region data transfer.
| Field | Value |
|---|---|
| Failing resources | All Stax-managed S3 buckets |
| PCI DSS requirement | Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions. Update system configuration standards as new vulnerability issues are identified. |
| Recommendation | Direct customers can choose to enable replication on all Stax-managed S3 buckets in their Logging, Security and Management accounts. Resold customers can choose to enable S3 replication on the Stax-managed S3 buckets in their Logging and Security accounts only. Stax-managed S3 buckets in the management account do not require replication. |