PCI DSS v4.0¶

The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 is an information security standard for organizations that handle branded credit cards from major card schemes. Released in March 2022 by the PCI Security Standards Council, this version modernizes requirements with enhanced flexibility through customized implementation and expanded multi-factor authentication requirements. It applies globally to all entities that store, process, or transmit cardholder data and became mandatory for compliance assessments after March 31, 2024.

Terraform Registry Subdomain: pcidss¶

module "..." {
  source  = "pcidss.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

module "..." {
  source = "https://pcidss.compliance.tf/terraform-aws-modules/<module>/aws"
}

Refer to the Terraform Registry Endpoints section for more details.

Implemented Controls¶

The following controls are implemented as part of this framework.

• API Gateway routes should specify an authorization type
• API Gateway stage should uses SSL certificate
• API Gateway REST API stages should have AWS X-Ray tracing enabled
• API Gateway stage cache encryption at rest should be enabled
• API Gateway stage logging should be enabled
• AppSync graphql API logging should be enabled
• Athena workgroups should be encrypted at rest
• Backup plan min frequency and min retention check
• CloudFormation stacks should have notifications enabled
• CloudFront distributions should require encryption in transit
• CloudFront distributions access logs should be enabled
• CloudFront distributions should use SNI to serve HTTPS requests
• CloudFront distributions should use custom SSL/TLS certificates
• CloudFront distributions should have AWS WAF enabled
• At least one enabled trail should be present in a region
• CloudTrail trails should be integrated with CloudWatch logs
• CloudTrail trail logs should be encrypted with KMS CMK
• CloudTrail trail log file validation should be enabled
• CloudWatch alarm should have an action configured
• Log group retention period should be at least 365 days
• CodeBuild project artifact encryption should be enabled
• CodeBuild project environments should not have privileged mode enabled
• CodeBuild projects should have logging enabled
• CodeBuild project S3 logs should be encrypted
• DynamoDB Accelerator (DAX) clusters should be encrypted at rest
• DMS replication instances should not be publicly accessible
• AWS DocumentDB clusters should have an adequate backup retention period
• AWS DocumentDB clusters should be encrypted at rest
• DynamoDB table should be encrypted with AWS KMS
• DynamoDB table should have encryption enabled
• DynamoDB table point-in-time recovery should be enabled
• Attached EBS volumes should have encryption enabled
• EC2 Client VPN endpoints should have client connection logging enabled
• EC2 instance detailed monitoring should be enabled
• EC2 instances should have IAM profile attached
• EC2 instances should be in a VPC
• EC2 instances should not use key pairs in running state
• EC2 instances should not have a public IP address
• EC2 instances should use IMDSv2
• AWS EC2 launch templates should not assign public IPs to network interfaces
• EC2 transit gateways should have auto accept shared attachments disabled
• ECR repositories should have image scan on push enabled
• ECS clusters should have container insights enabled
• ECS fargate services should run on the latest fargate platform version
• ECS task definitions should not share the host's process namespace
• EFS access points should enforce a root directory
• EFS access points should enforce a user identity
• EFS file system encryption at rest should be enabled
• EKS clusters should have control plane audit logging enabled
• EKS clusters endpoint should restrict public access
• EKS clusters should be configured to have kubernetes secrets encrypted using KMS
• ElastiCache clusters should not use the default subnet group
• ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
• ElastiCache for Redis replication groups should be encrypted at rest
• ElastiCache for Redis replication groups should be encrypted in transit
• ELB application and classic load balancer logging should be enabled
• ELB application and network load balancers should only use SSL or HTTPS listeners
• ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
• EMR cluster Kerberos should be enabled
• ES domain encryption at rest should be enabled
• ES domains should be in a VPC
• Elasticsearch domain should send logs to CloudWatch
• Elasticsearch domain node-to-node encryption should be enabled
• Access logging should be configured for API Gateway V2 Stages
• Ensure IAM password policy requires a minimum length of 14 or greater
• Ensure IAM password policy requires at least one lowercase letter
• Ensure IAM password policy requires at least one number
• Ensure IAM password policy requires at least one symbol
• Ensure IAM password policy requires at least one uppercase letter
• IAM password policies for users should have strong configurations
• Kinesis streams should have server side encryption enabled
• KMS CMK rotation should be enabled
• Lambda functions should be in a VPC
• Lambda functions should use latest runtimes
• Log group encryption at rest should be enabled
• Neptune DB clusters should publish audit logs to CloudWatch Logs
• Neptune DB clusters should have automated backups enabled
• Neptune DB clusters should be encrypted at rest
• Neptune DB clusters should have IAM database authentication enabled
• The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
• The default stateless action for Network Firewall policies should be drop or forward for full packets
• OpenSearch domains should have audit logging enabled.
• OpenSearch domains should have encryption at rest enabled
• OpenSearch domains should have fine-grained access control enabled
• OpenSearch domains should use HTTPS
• OpenSearch domains should be in a VPC
• OpenSearch domains logs to AWS CloudWatch Logs
• OpenSearch domains node-to-node encryption should be enabled
• Aurora MySQL DB clusters should have audit logging enabled
• IAM authentication should be configured for RDS clusters
• RDS DB instance automatic minor version upgrade should be enabled
• RDS DB instance backup should be enabled
• RDS DB instance encryption at rest should be enabled
• RDS DB instances should have iam authentication enabled
• Database logging should be enabled
• RDS DB instances should prohibit public access
• AWS Redshift audit logging should be enabled
• AWS Redshift clusters should have automatic snapshots enabled
• Redshift cluster encryption in transit should be enabled
• Redshift cluster audit logging and encryption should be enabled
• AWS Redshift enhanced VPC routing should be enabled
• AWS Redshift clusters should be encrypted with KMS
• AWS Redshift should have required maintenance settings
• Redshift clusters should prohibit public access
• S3 access points should have block public access settings enabled
• S3 buckets access control lists (ACLs) should not be used to manage user access to buckets
• S3 bucket cross-region replication should be enabled
• S3 bucket default encryption should be enabled
• S3 bucket default encryption should be enabled with KMS
• S3 buckets should have event notifications enabled
• S3 buckets should have lifecycle policies configured
• S3 bucket logging should be enabled
• S3 bucket MFA delete should be enabled
• S3 bucket object lock should be enabled
• S3 bucket policy should prohibit public access
• S3 bucket cross-account permissions should be restricted
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 buckets with versioning enabled should have lifecycle policies configured
• S3 bucket versioning should be enabled
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SageMaker endpoint configuration encryption should be enabled
• SageMaker notebook instances should not have direct internet access
• SageMaker notebook instance encryption should be enabled
• SageMaker notebook instances should be in a VPC
• SageMaker notebook instances root access should be disabled
• Secrets Manager secrets should be encrypted using CMK
• Step Function state machines should have logging turned on
• SNS topics should be encrypted at rest
• VPC Security groups should only allow unrestricted incoming traffic for authorized ports
• AWS WAF rules should have CloudWatch metrics enabled

Enable/Disable Controls¶

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples¶

S3 bucket module with PCI DSS v4.0 compliance framework controls enabled, and a couple of controls disabled¶

module "..." {
  source = "https://pcidss.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=api_gatewayv2_route_authorization_type_configured,apigateway_rest_api_stage_use_ssl_certificate"
}