PCI DSS and AWS Foundational Security Best Practices on the AWS Cloud
Quick Start Reference Deployment

February 2021
Kanishk Mahajan and Andrew Glenn, AWS Quick Start team
Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.
This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.
Overview
This reference deployment guide provides instructions for deploying Payment Card Industry Data Security Standard (PCI DSS) and AWS Foundational Security Best Practices (AWS FSBP) on the AWS Cloud using AWS CloudFormation templates.
PCI DSS and AWS Foundational Security Best Practices on AWS
Customers require compliance with established security and regulatory controls when migrating workloads to AWS, but they face numerous challenges. Compliance is a multi-step process that involves reference to standards and regulatory requirements, individual policy definitions, remediation workflows, and exception procedures. Furthermore, several remediation steps may require extensive hands-on experience with AWS, as individual findings require multiple configuration steps for remediation. This activity is manual and error prone, and it results in a high MTTR (Mean Time To Remediation) for customers, thus increasing risk and operational costs.
AWS Security Hub provides checks that offer automated detection of findings of configuration noncompliance with PCI DSS and AWS FSBP. This Quick Start leverages the AWS Security Hub service and provides customers with an AWS native implementation for automated real time remediations for PCI DSS and AWS FSBP policy violations detected by AWS Security Hub.
This Quick Start is based on the following approach:
- Leverages AWS Security Hub directly to provide automated and continuous detection and recording of PCI DSS and AWS FSBP findings.
- Provides AWS Systems Manager automation documents for automated remediation of AWS Security Hub findings. All automation documents are automatically provisioned via an AWS CloudFormation template.
- Provides integration of AWS Security Hub custom actions with AWS Systems Manager automation documents to provide real-time remediations of AWS Security Hub PCI DSS and AWS FSBP findings as follows:
  - Leverages the ability of AWS Security Hub to send findings associated with custom actions to Amazon CloudWatch Events as Security Hub Findings - Custom Action events.
  - The CloudWatch Events rule invokes the corresponding AWS Lambda function as the target for the Security Hub custom action event.
  - The AWS Lambda function processes the finding using the AWS Security Finding Format (ASFF) and invokes the corresponding AWS Systems Manager Automation Document with the input from the ASFF finding.
  - AWS Systems Manager remediates the Security Hub finding.
Coverage
This Quick Start deploys automated remediation workflows for the following controls.
- PCI DSS
  - [PCI.AutoScaling.1] Amazon EC2 Auto Scaling groups associated with a load balancer should use health checks.
  - [PCI.CloudTrail.1] AWS CloudTrail logs should be encrypted at rest using AWS Key Management System (AWS KMS) keys.
  - [PCI.CloudTrail.2] AWS CloudTrail log file validation should be enabled.
  - [PCI.CloudTrail.3] AWS CloudTrail log file validation should be enabled.
  - [PCI.CloudTrail.4] AWS CloudTrail trails should be integrated with Amazon CloudWatch Logs.
  - [PCI.CodeBuild.2] AWS CodeBuild project environment variables should not contain clear text credentials.
  - [PCI.CW.1] A log metric filter and alarm should be available to the "root" user.
  - [PCI.Config.1] AWS Config should be enabled.
  - [PCI.EC2.1] Amazon Elastic Block Storage (Amazon EBS) snapshots should not be publicly restorable.
  - [PCI.EC2.2] Amazon Virtual Private Cloud (Amazon VPC) default security group should prohibit inbound and outbound traffic.
  - [PCI.EC2.3] Unused Amazon Elastic Compute Cloud (Amazon EC2) security groups should be removed.
  - [PCI.EC2.4] Unused Amazon EC2 Elastic IP addresses should be removed.
  - [PCI.EC2.5] Security groups should not allow inbound traffic from 0.0.0.0/0 to port 22.
  - [PCI.EC2.6] Amazon VPC flow logging should be enabled in all VPCs.
  - [PCI.IAM.1] AWS Identity and Access Management (IAM) root user access key should not exist.
  - [PCI.IAM.2] IAM users should not have IAM policies attached.
  - [PCI.IAM.3] IAM policies should not allow full administrative privileges.
  - [PCI.KMS.1] AWS KMS key rotation should be enabled.
  - [PCI.Lambda.1] AWS Lambda functions should prohibit public access.
  - [PCI.Lambda.2] AWS Lambda functions should be in a VPC.
  - [PCI.RDS.1] Amazon Relational Database Service (Amazon RDS) snapshots should prohibit public access.
  - [PCI.RDS.2] Amazon RDS database instances should prohibit public access.
  - [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access.
  - [PCI.S3.1] Amazon Simple Storage Service (Amazon S3) buckets should prohibit public write access.
  - [PCI.S3.2] S3 buckets should prohibit public read access.
  - [PCI.S3.3] S3 buckets should have cross-Region replication enabled.
  - [PCI.S3.4] S3 buckets should have server-side encryption enabled.
  - [PCI.SSM.1] Amazon EC2 instances managed by AWS Systems Manager should have a patch compliance status of COMPLIANT after a patch installation.
- AWS FSBP
  - [EC2.3] Attached Amazon EBS volumes should be encrypted at rest.
  - [GuardDuty.1] Amazon GuardDuty should be enabled.
  - [IAM.3] IAM access keys should be rotated every 90 days or less.
  - [Lambda.1] AWS Lambda functions should prohibit public access.
  - [Lambda.2] AWS Lambda functions should use latest runtimes.
  - [RDS.3] Amazon RDS database instances should have encryption at rest enabled.
  - [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager.
- Additional AWS FSBP coverage provided when the PCI DSS remediation templates are deployed
  The coverage for remediations of each of these FSBP controls is provided by deploying the PCI remediation templates aws-security-hub-pci-remediations-template1.template and aws-security-hub2-pci-remediations-template1.template2.
  - [AutoScaling.1] Amazon EC2 Auto Scaling groups associated with a load balancer should use load balancer health checks.
  - [CloudTrail.1] AWS CloudTrail should be enabled and configured with at least one multi-Region trail.
  - [CloudTrail.2] AWS CloudTrail should have encryption at rest enabled.
  - [CodeBuild.2] AWS CodeBuild project environment variables should not contain clear text credentials.
  - [Config.1] AWS Config should be enabled.
  - [EC2.1] Only authorized users should be able to share Amazon EBS snapshots publicly.
  - [EC2.2] The VPC default security group should not allow inbound and outbound traffic.
  - [IAM.1] IAM policies should not allow full administrative privileges.
  - [IAM.2] IAM users should not have IAM policies attached.
  - [IAM.4] IAM root user access key should not exist.
  - [IAM.7] Password policies for IAM users should have strong configurations.
  - [S3.1] S3 Block Public Access setting should be enabled.
  - [S3.2] S3 buckets should prohibit public read access.
  - [S3.3] S3 buckets should prohibit public write access.
  - [S3.4] S3 buckets should have server-side encryption enabled.
  - [RDS.1] Amazon RDS snapshots should be private.
  - [RDS.2] Amazon RDS database instances should prohibit public access.
  - [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation.
The PCI DSS compliance standard in AWS Security Hub is designed to help you with ongoing PCI DSS security activities. The controls cannot verify if your systems are compliant with the PCI DSS standard. They can’t replace internal efforts or guarantee that you will pass a PCI DSS assessment. Security Hub does not check procedural controls that require manual evidence collection.
AWS costs
You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.
The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.
After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?
Software licenses
No software licenses are necessary to use this Quick Start.
You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.
Architecture
Deploying this Quick Start builds the following environment in the AWS Cloud.
As shown in Figure 1, the Quick Start sets up the following:
- AWS Security Hub to compile findings of automated and continuous evaluations of PCI DSS and AWS FSBP controls against your AWS resources. Custom actions in Security Hub send findings to Amazon CloudWatch as custom events.
- Amazon CloudWatch to match a custom event from AWS Security Hub with a rule that triggers an AWS Lambda function.
- AWS Lambda functions to invoke the appropriate AWS Systems Manager runbook to remediate a finding of a deviation from PCI DSS and AWS FSBP controls.
- AWS Systems Manager to perform the automated remediation actions defined in runbooks.
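The remediation flow described in the approach and architecture sections (a Security Hub custom-action event delivered by CloudWatch Events to a Lambda function, which reads the ASFF finding and starts a Systems Manager Automation runbook), shown as an added Python example that is not the Quick Start's own code. The sample event, account and resource IDs, and the RUNBOOK_FOR_CONTROL runbook names are constructed placeholders, and RecordingSsm is an offline stand-in for the boto3 SSM client.

```python
"""Added example (not the Quick Start's code): Lambda handler for the custom action -> CloudWatch Events -> Lambda -> SSM Automation flow."""

# Constructed sample "Security Hub Findings - Custom Action" event as delivered to the
# Lambda target. Account, finding and security-group IDs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/PCIEC22"],
    "detail": {"actionName": "PCI EC2.2", "findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/pci-dss/v/3.2.1/PCI.EC2.2/finding/EXAMPLE-ID",
        "GeneratorId": "pci-dss/v/3.2.1/PCI.EC2.2",
        "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": "AwsEc2SecurityGroup",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"}],
    }]},
}

# Hypothetical control-to-runbook mapping; the Quick Start provisions its own documents.
RUNBOOK_FOR_CONTROL = {
    "PCI.EC2.2": "Custom-RestrictDefaultSecurityGroup",
    "PCI.S3.2": "Custom-BlockS3PublicRead",
}

def control_id(finding):
    """The ASFF GeneratorId of a standards finding ends with the control ID."""
    return finding["GeneratorId"].rsplit("/", 1)[-1]

def resource_name(arn):
    """Last path segment of a resource ARN, e.g. the sg-... ID the runbook needs."""
    return arn.rsplit("/", 1)[-1]

def build_automation_requests(event):
    """StartAutomationExecution kwargs for each FAILED finding that has a runbook.
    SSM Automation parameter values are lists of strings."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        raise ValueError("not a Security Hub custom-action event")
    requests = []
    for finding in event["detail"]["findings"]:
        if finding.get("Compliance", {}).get("Status") != "FAILED":
            continue  # already passing: nothing to remediate
        runbook = RUNBOOK_FOR_CONTROL.get(control_id(finding))
        if runbook is None:
            continue  # no automated remediation for this control
        requests.append({
            "DocumentName": runbook,
            "Parameters": {"ResourceId": [resource_name(finding["Resources"][0]["Id"])],
                           "FindingId": [finding["Id"]]},
        })
    return requests

class RecordingSsm:
    """Offline stand-in for boto3's SSM client; records calls instead of starting runbooks."""
    def __init__(self):
        self.calls = []
    def start_automation_execution(self, **kwargs):
        self.calls.append(kwargs)
        return {"AutomationExecutionId": "exec-%d" % len(self.calls)}

def lambda_handler(event, context, ssm_client=None):
    """Lambda entry point; ssm_client is injectable and defaults to a real boto3 client."""
    if ssm_client is None:
        import boto3  # only imported when running inside Lambda
        ssm_client = boto3.client("ssm")
    ids = [ssm_client.start_automation_execution(**req)["AutomationExecutionId"]
           for req in build_automation_requests(event)]
    return {"executions": ids}
```

Calling `lambda_handler(SAMPLE_EVENT, None, RecordingSsm())` exercises the whole path offline; inside Lambda, omit the third argument and grant the function's role `ssm:StartAutomationExecution` on the runbooks it maps to.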
Planning the deployment
Specialized knowledge
This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.
For more information about the AWS services that are used in this Quick Start, see the Additional resources section.
AWS Security Hub
Security Hub uses service-linked AWS Config rules. Therefore, ensure that AWS Config is turned on and recording all supported resources, including global resources, in all accounts and Regions where Security Hub is deployed. You are not charged by AWS Config for these service-linked rules. You are only charged according to AWS Security Hub pricing.
AWS CloudFormation templates automate the provisioning of all required parameters to run the security remediation workflows deployed by this Quick Start. These include IAM roles, Amazon CloudWatch Logs log groups, S3 buckets, and an AWS KMS key.
AWS account
If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.
Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.
Technical requirements
Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.
Resource quotas
If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.
| Resource | This deployment uses |
|---|---|
| AWS Security Hub compliance checks | 2 |
| AWS Systems Manager runbooks | 10 |
| AWS Identity and Access Management (IAM) roles | 3 |
| AWS CloudTrail trails | 1 |
| Amazon CloudWatch Logs | 1 |
| Amazon S3 buckets | 2 |
Supported Regions
If you plan to deploy the architecture with three Availability Zones, choose an AWS Region that supports three zones.
Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.
IAM permissions
Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.
Prerequisites
- Ensure that AWS Config is turned on and recording all supported resources, including global resources, in all accounts and Regions where Security Hub is enabled. Security Hub uses service-linked AWS Config rules. You are not charged by AWS Config for these service-linked rules. You are only charged according to AWS Security Hub pricing.
- Ensure that Security Hub is enabled in the account and Region where these templates are deployed.
- This Quick Start uses a KMS key to remediate the PCI.CloudTrail.1 control. The key must have permissions to encrypt/decrypt AWS CloudTrail logs in the AWS account in which this Quick Start is deployed. Make sure you update the key policy with the AWS account ID. To do this, search for a key with an alias of "PCI-CMK" in the AWS KMS console. Then, see Required CMK policy sections for use with CloudTrail for instructions to enable CloudTrail log encrypt and decrypt permissions.
Deployment options
This Quick Start provides automation to remediate deviations from the following sets of industry controls:
- Payment Card Industry Data Security Standard (PCI DSS)
- AWS Foundational Security Best Practices
Each of these standard sets is deployed in two templates. Links to deploy them are provided in the Deployment steps section later in this guide.
Deployment steps
Sign in to your AWS account
- Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.
- Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.
- Use the Region selector in the navigation bar to select the AWS Region where you want to deploy the Quick Start.
Launch the Quick Start
You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
This Quick Start deploys automated workflows to remediate security compliance issues that modify your AWS account. We do not recommend deploying this Quick Start in a production environment before appropriate evaluation and testing.
Deploy PCI DSS and AWS FSBP remediations
PCI DSS and AWS FSBP remediations are each packaged in two templates. To deploy PCI DSS, choose the link to launch the first PCI DSS template and follow the numbered steps below. After deploying the first template, choose the link to launch the second PCI DSS template and repeat the same steps. Repeat this entire process to deploy the two AWS FSBP templates.
1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for the deployment is built. The template is launched in the us-east-1 Region by default.
2. On the Select Template page, keep the default setting for the template URL, and then choose Next.
3. On the Specify Details page, provide the stack name. For the second PCI DSS template only, also specify an email address. This is used specifically for PCI.CW.1 control notifications.
4. Review and choose Next.
5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.
6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
7. Choose Create stack to deploy the stack.
8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the PCI DSS and AWS FSBP deployment is ready.
9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 2, to view the created resources.
Test the deployment
Security Hub begins running security checks within two hours after you deploy PCI DSS and AWS FSBP controls. After the initial check, subsequent checks occur on a periodic or change-triggered basis, depending on the control. For more information, see Schedule for running security checks. Follow the steps in this section to test the deployment.
The following steps test remediation of the PCI EC2.2 control. This control states that the VPC default security group should prohibit inbound and outbound traffic, and it is evaluated on a change-triggered basis. To test it, purposefully misconfigure the default security group in the Amazon EC2 console to allow inbound traffic. This should produce a Security Hub finding; sending that finding to the PCI EC2.2 custom action remediates the issue by undoing the misconfiguration you made in the console.
1. Choose Security Groups in the Amazon EC2 console.
2. Choose the Security group ID of the default VPC.
3. Choose Edit inbound rules.
4. Select Add rule.
5. Select SSH as the Type and 0.0.0.0/0 as the Source.
6. Select Save rules. Make a note of the security group Amazon Resource Name (ARN).
7. In Security Hub, select Findings. Locate the finding that corresponds to the misconfiguration.
8. Select the check box next to the finding and select Actions.
9. Select PCI EC2.2 from the drop-down list. A message displays that findings were successfully sent to AWS CloudWatch Events.
10. In Systems Manager, select Automation. You should see a successful automation execution that corresponds to the PCI EC2.2 remediation.
11. To confirm success of the remediation, select Security Groups in the Amazon EC2 console. Then select the Security group ID of the default VPC. Confirm that the SSH rule is removed from the Inbound rules tab.
For more information on the format of Security Hub findings, see Results of security checks.
AWS Security Best Practices
AWS categorizes each Security Hub service action into one of five access levels: list, read, write, permissions management, or tagging. To allow a large group of users to access list and read Security Hub actions, and only a small group to access the write action, use managed IAM policies. For more information, see Security best practices in IAM.
Security Hub ingests findings generated from integrated providers (both third-party services using ASFF.
Security
This Quick Start follows security best practices and guidelines as documented in Security in AWS Security Hub.
FAQ
Q. I encountered a CREATE_FAILED error when I launched the Quick Start.
A. If CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to Disabled. (This setting is under Advanced on the Options page of the AWS CloudFormation console.) With this setting, the stack’s state is retained and the instance remains running so you can troubleshoot the issue.
When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Ensure that you delete the stack after troubleshooting.
For more information, see Troubleshooting AWS CloudFormation.
Q. I encountered a size limitation error when I deployed the CloudFormation templates.
A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.
Send us feedback
To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.
Quick Start reference deployments
See the AWS Quick Start home page.
GitHub repository
Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.