AWS Fetcher Details and Related Controls
Tristan Mohn, Victoria Buhler
Overview
This page provides two listings for the Amazon Web Services (AWS) Connector.
The first table lists the controls from AWS's PCI-DSS QuickStart that the AWS Connector supports.
The second table describes the out-of-the-box fetchers that pull the AWS evidence for each PCI QuickStart control, including the AWS CLI commands each fetcher runs. Use it to restrict the actions you allow in the Code for Your Amazon Web Services Policy if you do not need every provided fetcher: only the commands of the fetchers you enable need to be permitted.
PCI-DSS v3.2 QuickStart Controls
This table lists AWS's PCI QuickStart controls supported by the connector. These controls are provided as an importable CSV, just like all ZenGRC seed content. You can request this content by contacting either support@reciprocitylabs.com or your CSM.
Code | Control Name | Description |
---|---|---|
PCI 1.1.4 | Retrieve list of security groups and subnets. | Segmented using Security Groups in VPC, use of a VPC public subnet to simulate a traditional DMZ network zone. |
PCI 1.1.5 | IAM resources (users, groups, policies...) | IAM configuration description and template |
PCI 1.2.1 | List of security groups and NACLs applied to the environment | Security Groups and NACLs are used to limit traffic to the CDE; for each SG we know which rules and NACLs apply to inbound and outbound traffic of the CDE |
PCI 1.2.2 | AWS architecture as JSON templates and deployed via CloudFormation | AWS architecture provided as JSON templates and deployed via AWS CloudFormation |
PCI 1.3.1 | Segmented Public/Private subnets in VPC, Security Groups, and NACLs | Segmented Public/Private Subnets in VPC, Security Groups and NACLs limit external traffic to only required ports |
PCI 1.3.2 | External traffic limits | Segmented Public/Private Subnets in VPC, Security Groups and NACLs limit external traffic to only required ports |
PCI 1.3.3 | Use of VPC restricts layer two broadcasts and ARP spoofing | Use of VPC restricts layer two broadcasts and ARP spoofing |
PCI 1.3.4 | Restricting traffic with inbound/outbound rules in Security Groups and NACLs, NAT for authorized external connections. | Restricting traffic with inbound/outbound rules in Security Groups and NACLs, NAT for authorized external connections. |
PCI 1.3.5 | List of stateful security groups and NACLs applied in environment. | Configure Security Groups to only allow established connections into the network. |
PCI 1.3.6 | Placement of DBs and EC2 Instances for application in private only subnets | Placement of DBs and EC2 instances for application in private-only subnets |
PCI 1.3.7 | Get route table entries to validate that components have private IPs and are NATed | Use of AWS NAT (network address translation) and gateway configuration, and of an Egress-Only Internet Gateway (for IPv6 traffic), for masking internal IPs |
PCI 2.2.1 | Separation of App and web/proxy function between autoscaling group instances | Separating Application and Web/Proxy functions between different AutoScaling Group Instances |
PCI 2.2.3 | Use of HTTPS load balancers for secure comms, S3 bucket policies | The use of HTTPS load balancers for secure communications, S3 bucket policies |
PCI 2.2.4 | IAM Config policies for separation of duties | IAM Configuration and Policies which implement separation of duties and least privilege, S3 bucket policies |
PCI 2.3 | Security group rules / encryption algorithm and key length | The use of HTTPS load balancers for secure communications, and bastion hosts with SSH enabled; implement strong algorithms, key lengths and key exchange |
PCI 2.4 | CLI Retrieval of resources created with template for an inventory of CDE components | AWS architecture provided as JSON templates and deployed via AWS CloudFormation |
PCI 4.1 | Security group rules show port 443 as the incoming port for load balancers | Use of HTTPS Elastic Load Balancers (ELBs) with compliant TLS policies; enforcement of AES256 encryption for HTTPS S3 connections |
PCI 7.1.1 | Define access needs for each role | IAM Roles, Policies, Groups |
PCI 7.1.2 | Restrict access to privileged user IDs to least privileges necessary to perform the job | IAM Roles, Policies, Groups |
PCI 7.2.1 | Coverage of all system components | IAM Roles, Policies, Groups |
PCI 7.2.3 | Default 'Deny All' setting | IAM is designed to deny access by default |
PCI 8.1.4 | Remove/disable inactive user accounts within 90 days | N/A |
PCI 8.2.1 | Strong cryptography, unreadable auth credentials during transmission and storage | IAM handles credentials securely by default; SSH is configured on the bastion hosts for operating system access |
PCI 8.2.3 | Passwords/passphrases must have a minimum length of at least seven characters and contain both numeric and alphabetic characters, or have complexity and strength at least equivalent to those parameters | Password Policy (IAM) |
PCI 8.2.4 | Change user passwords/passphrases at least every 90 days | Password Policy (IAM) |
PCI 8.2.5 | Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used | Password Policy (IAM) |
PCI 8.2.6 | Set passwords/phrases for first time use and upon reset to a unique value for each user, and change immediately after the first use | Password Policy (IAM) |
PCI 8.3 | Secure non-console admin access and remote access | Manually set MFA for new IAM users |
PCI 8.3.1 | Multi-factor path for non-console access | Manually set MFA for new IAM users |
PCI 8.3.2 | Multi-factor auth for remote access | Manually set MFA for new IAM users |
PCI 8.5 | IAM groups and roles used in place of the generic "root" AWS user | IAM groups and roles are used in place of the generic "root" AWS user; any activity by the root user is notified to an SNS topic |
PCI 8.7 | Restrictions to cardholder DB access | Security groups and NACLs restrict RDS DB queries to the app servers only, preventing any external or unauthorized access; a single RDS user/password is set up in the sample DB |
PCI 10.1 | Implement audit trails to link all access to system components to each individual user | AWS CloudTrail is enabled and logging, and all types of access logs (S3, load balancer, CloudFront, etc.) are collected |
PCI 10.2.1 | All individual accesses to cardholder data | AWS CloudTrail is enabled and logging, and all types of access logs (S3, load balancer, CloudFront, etc.) are collected |
PCI 10.2.2 | All actions taken by any individual with root or admin privileges | AWS CloudTrail records these actions; a CloudWatch Alarm notifies when the root user makes any API call |
PCI 10.2.3 | Access to all audit trails | AWS CloudTrail logs to a protected S3 bucket used exclusively for CloudTrail logs; the ArchiveLog bucket can also be used for application logs |
PCI 10.2.4 | Invalid logical access attempts | CloudWatch Alarms detect unauthorized access attempts and publish to an SNS topic; CloudWatch Events can also be used |
PCI 10.2.5 | Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges. | CloudTrail logs these actions; IAM activity and creation of access keys trigger notifications via CloudWatch Alarms |
PCI 10.2.6 | Initialization, stopping or pausing of the audit logs | IAM policies prevent starting/stopping CloudTrail, S3 bucket policies protect access to log data, alerts are sent if CloudTrail is disabled, and the Config rule in global-02 monitors that CloudTrail is enabled; CloudWatch Alarms/Events can also be used |
PCI 10.2.7 | Creation and deletion of system-level objects | AWS CloudTrail records API calls to create, delete and modify resources |
PCI 10.3.1 | User identification | CloudTrail records all API events and logs which user, time/date, action, and result |
PCI 10.3.2 | Type of event | Recorded as EventName in CloudTrail |
PCI 10.3.3 | Date and time | Event time in CloudTrail |
PCI 10.3.4 | Success or failure indication | ErrorCode in CloudTrail |
PCI 10.3.5 | Origination of event | CloudTrail |
PCI 10.3.6 | Identity or name of affected data, system component, or resource | CloudTrail |
PCI 10.4 | Time synchronization | All instances launched in the VPC are synced with NTP, and all log data carries NTP-provided timestamps; if the QuickStart instances use the Amazon Time Sync Service, that is an additional evidence source |
PCI 10.4.1 | Critical systems have the correct and consistent time | All instances launched in the VPC are synced with NTP, and all log data carries NTP-provided timestamps |
PCI 10.4.3 | Time settings are received from industry-accepted time sources | All instances launched in the VPC are synced with AWS NTP servers, which in turn obtain time from NTP.org |
PCI 10.5.1 | Restricting the audit trail views | IAM with custom policies provide restrictions on which roles can access CloudTrail and log data |
PCI 10.5.2 | Protect audit trail files from unauthorized modification | IAM Restrictions to Log Data |
PCI 10.5.3 | Back up audit trail data to media that is difficult to alter | CloudTrail and Log S3 buckets use versioning, lifecycle policies, and deny delete capability |
PCI 10.5.4 | Logs for external facing tech | CloudTrail and Log S3 buckets use versioning, lifecycle policies, and deny delete capability |
PCI 10.5.5 | Logfile validation | LogFileValidation is enabled for CloudTrail |
PCI 10.7 | Retain audit trail history for at least 1 year | The bucket storing the log data has no lifecycle policy attached, so organizations keep control over their log storage. A sample lifecycle policy that moves logs to Glacier after 90 days and deletes them after 7 years is included in the package as "rArchiveLogBucket" |
Fetcher Descriptions and AWS Commands
This table describes each fetcher and lists the AWS CLI commands it executes. If you do not need every fetcher, use this table to trim the Code for Your Amazon Web Services Policy to the actions those commands require, which limits the connector's permissions to the information your organization actually collects. Note that bucket-level S3 reads (bucket policy, logging status, lifecycle configuration) are aws s3api subcommands and map to IAM actions in the s3 namespace (for example s3:GetBucketPolicy), and that aws elb commands map to the elasticloadbalancing namespace.
Fetcher Title | Description |
---|---|
ZenGRC AWS Integration PCI 1.1.4 | Lists Security Groups and Subnets. Commands: aws ec2 describe-security-groups; aws ec2 describe-subnets |
ZenGRC AWS Integration PCI 1.1.5 | Lists users, groups and roles, with both inline and attached policies. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy |
ZenGRC AWS Integration PCI 1.2.1 | Lists Security Groups and Network ACLs. Commands: aws ec2 describe-network-acls; aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 1.2.2 | Lists Route Tables and CloudFormation Stacks, and gets the template of each Stack. Commands: aws ec2 describe-route-tables; aws cloudformation list-stacks; aws cloudformation get-template |
ZenGRC AWS Integration PCI 1.3.1 | Lists Subnets and Network ACLs. Commands: aws ec2 describe-subnets; aws ec2 describe-network-acls |
ZenGRC AWS Integration PCI 1.3.2 | Lists Security Groups, Subnets, and Network ACLs. Commands: aws ec2 describe-network-acls; aws ec2 describe-subnets; aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 1.3.3 | Lists VPCs. Command: aws ec2 describe-vpcs |
ZenGRC AWS Integration PCI 1.3.4 | Lists Security Groups, Route Tables, and Network ACLs. Commands: aws ec2 describe-network-acls; aws ec2 describe-route-tables; aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 1.3.5 | Lists Security Groups. Command: aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 1.3.6 | Lists Route Tables, DB Instances, EC2 Instances, and CloudFormation Stacks, and gets the template of each Stack. Commands: aws ec2 describe-route-tables; aws rds describe-db-instances; aws ec2 describe-instances; aws cloudformation list-stacks; aws cloudformation get-template |
ZenGRC AWS Integration PCI 1.3.7 | Lists Route Tables, DB Instances, and EC2 Instances. Commands: aws ec2 describe-route-tables; aws rds describe-db-instances; aws ec2 describe-instances |
ZenGRC AWS Integration PCI 2.2.1 | Lists Security Groups, DB Instances, and EC2 Instances. Commands: aws ec2 describe-route-tables; aws rds describe-db-instances; aws ec2 describe-instances (the command list names describe-route-tables rather than describe-security-groups; confirm which call the fetcher makes before trimming the policy, or allow both) |
ZenGRC AWS Integration PCI 2.2.3 | Lists Security Groups, Load Balancers, and Trails, and gets the bucket policy of each trail bucket. Commands: aws ec2 describe-security-groups; aws cloudtrail describe-trails; aws elb describe-load-balancers; aws s3api get-bucket-policy |
ZenGRC AWS Integration PCI 2.2.4 | Lists users, groups and roles, with both inline and attached policies. Also lists Trails and gets the bucket policy of each trail bucket. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy; aws cloudtrail describe-trails; aws s3api get-bucket-policy |
ZenGRC AWS Integration PCI 2.3 | Lists Security Groups. Command: aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 2.4 | Lists CloudFormation Stacks and Stack Resources. Commands: aws cloudformation list-stacks; aws cloudformation describe-stack-resources |
ZenGRC AWS Integration PCI 4.1 | Lists Load Balancers and their Policies. Commands: aws elb describe-load-balancers; aws elb describe-load-balancer-policies |
ZenGRC AWS Integration PCI 7.1.1 | Lists users, groups and roles, with both inline and attached policies. Also lists CloudFormation Stacks and Stack Resources. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy; aws cloudformation list-stacks; aws cloudformation describe-stack-resources |
ZenGRC AWS Integration PCI 7.1.2 | Lists users, groups and roles, with both inline and attached policies. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy |
ZenGRC AWS Integration PCI 7.2.1 | Lists CloudFormation Stacks and Stack Resources. Commands: aws cloudformation list-stacks; aws cloudformation describe-stack-resources |
ZenGRC AWS Integration PCI 7.2.3 | Lists CloudFormation Stacks and Stack Resources. Commands: aws cloudformation list-stacks; aws cloudformation describe-stack-resources |
ZenGRC AWS Integration PCI 8.1.4 | Generates a Credentials Report, and lists Users and Access Keys with their last-used date and time. Commands: aws iam generate-credential-report; aws iam get-credential-report; aws iam list-users; aws iam list-access-keys; aws iam get-access-key-last-used |
ZenGRC AWS Integration PCI 8.2.1 | Lists Security Groups. Command: aws ec2 describe-security-groups |
ZenGRC AWS Integration PCI 8.2.3 | Gets the Account Password Policy. Command: aws iam get-account-password-policy |
ZenGRC AWS Integration PCI 8.2.4 | Gets the Account Password Policy. Command: aws iam get-account-password-policy |
ZenGRC AWS Integration PCI 8.2.5 | Gets the Account Password Policy. Command: aws iam get-account-password-policy |
ZenGRC AWS Integration PCI 8.2.6 | Gets the Account Password Policy. Command: aws iam get-account-password-policy |
ZenGRC AWS Integration PCI 8.3 | Lists Virtual MFA Devices and Users, and the MFA Devices of each User. Commands: aws iam list-virtual-mfa-devices; aws iam list-users; aws iam list-mfa-devices |
ZenGRC AWS Integration PCI 8.3.1 | Lists Virtual MFA Devices and Users, and the MFA Devices of each User. Commands: aws iam list-virtual-mfa-devices; aws iam list-users; aws iam list-mfa-devices |
ZenGRC AWS Integration PCI 8.3.2 | Lists Virtual MFA Devices and Users, and the MFA Devices of each User. Commands: aws iam list-virtual-mfa-devices; aws iam list-users; aws iam list-mfa-devices |
ZenGRC AWS Integration PCI 8.5 | Lists CloudWatch Alarms. Command: aws cloudwatch describe-alarms |
ZenGRC AWS Integration PCI 8.7 | Lists Security Groups and Network ACLs. Commands: aws ec2 describe-security-groups; aws ec2 describe-network-acls |
ZenGRC AWS Integration PCI 10.1 | Lists CloudTrail Trails. Command: aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.2.1 | Lists CloudWatch Alarms and CloudTrail Trails. Commands: aws cloudwatch describe-alarms; aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.2.2 | Lists CloudWatch Alarms and CloudTrail Trails. Commands: aws cloudwatch describe-alarms; aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.2.3 | Lists Trails and gets the bucket logging status of each trail bucket. Commands: aws cloudtrail describe-trails; aws s3api get-bucket-logging |
ZenGRC AWS Integration PCI 10.2.4 | Lists CloudWatch Alarms. Command: aws cloudwatch describe-alarms |
ZenGRC AWS Integration PCI 10.2.5 | Lists CloudWatch Alarms. Command: aws cloudwatch describe-alarms |
ZenGRC AWS Integration PCI 10.2.6 | Lists users, groups and roles, with both inline and attached policies. Also gets Config Rules, and lists CloudTrail Trails with the bucket policy of each trail bucket. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy; aws config describe-config-rules; aws cloudtrail describe-trails; aws s3api get-bucket-policy |
ZenGRC AWS Integration PCI 10.2.7 | Lists CloudTrail Trails. Command: aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.3.1 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.3.2 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.3.3 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.3.4 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.3.5 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.3.6 | Gets the latest event from CloudTrail. Command: aws cloudtrail lookup-events --max-results 1 |
ZenGRC AWS Integration PCI 10.5.1 | Lists users, groups and roles, with both inline and attached policies. Also lists CloudTrail Trails with the bucket policy of each trail bucket. Commands: aws iam list-users; aws iam list-user-policies; aws iam list-attached-user-policies; aws iam get-user-policy; aws iam list-groups; aws iam list-group-policies; aws iam list-attached-group-policies; aws iam get-group-policy; aws iam list-roles; aws iam list-role-policies; aws iam list-attached-role-policies; aws iam get-role-policy; aws iam get-policy; aws cloudtrail describe-trails; aws s3api get-bucket-policy |
ZenGRC AWS Integration PCI 10.5.2 | Lists Trails and gets the bucket policy of each trail bucket. Commands: aws cloudtrail describe-trails; aws s3api get-bucket-policy |
ZenGRC AWS Integration PCI 10.5.3 | Lists Trails, and gets the bucket policy and lifecycle configuration of each trail bucket. Commands: aws cloudtrail describe-trails; aws s3api get-bucket-policy; aws s3api get-bucket-lifecycle-configuration |
ZenGRC AWS Integration PCI 10.5.4 | Lists CloudTrail Trails. Command: aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.5.5 | Lists CloudTrail Trails. Command: aws cloudtrail describe-trails |
ZenGRC AWS Integration PCI 10.7 | Lists Trails, and gets the bucket policy and lifecycle configuration of each trail bucket. Commands: aws cloudtrail describe-trails; aws s3api get-bucket-policy; aws s3api get-bucket-lifecycle-configuration |
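As an added example (not ZenGRC's or Reciprocity's own code), the script below derives a least-privilege IAM policy from the command lists in the table above: it maps each AWS CLI command to its IAM action and emits one Allow statement covering only the fetchers you enable. The FETCHER_COMMANDS table in the script is a subset transcribed from this page, and the service-prefix and action-name overrides are assumptions based on AWS's documented action names (for example, aws elb maps to the elasticloadbalancing namespace and describe-db-instances to rds:DescribeDBInstances).

```python
"""Build a least-privilege IAM policy for a chosen subset of the ZenGRC AWS fetchers.

Added example, not ZenGRC/Reciprocity code. FETCHER_COMMANDS is a subset
transcribed from the fetcher table on this page; the CLI-to-IAM-action mapping
follows the usual AWS convention (kebab-case operation -> PascalCase action),
with explicit overrides where the documented action name differs.
"""
import json

# Subset of the fetcher table (constructed from the page, not exhaustive).
FETCHER_COMMANDS = {
    "PCI 1.1.4": ["aws ec2 describe-security-groups", "aws ec2 describe-subnets"],
    "PCI 1.3.6": ["aws ec2 describe-route-tables", "aws rds describe-db-instances",
                  "aws ec2 describe-instances", "aws cloudformation list-stacks",
                  "aws cloudformation get-template"],
    "PCI 4.1": ["aws elb describe-load-balancers",
                "aws elb describe-load-balancer-policies"],
    "PCI 8.1.4": ["aws iam generate-credential-report", "aws iam get-credential-report",
                  "aws iam list-users", "aws iam list-access-keys",
                  "aws iam get-access-key-last-used"],
    "PCI 8.3": ["aws iam list-virtual-mfa-devices", "aws iam list-users",
                "aws iam list-mfa-devices"],
    "PCI 10.3.1": ["aws cloudtrail lookup-events --max-results 1"],
    "PCI 10.5.3": ["aws cloudtrail describe-trails", "aws s3api get-bucket-policy",
                   "aws s3api get-bucket-lifecycle-configuration"],
}

# CLI service name -> IAM action prefix, where the two differ (assumed mapping).
SERVICE_PREFIX = {"s3api": "s3", "elb": "elasticloadbalancing"}

# Documented IAM action names that naive kebab->Pascal conversion gets wrong.
ACTION_OVERRIDES = {
    "rds describe-db-instances": "rds:DescribeDBInstances",
    "iam list-virtual-mfa-devices": "iam:ListVirtualMFADevices",
    "iam list-mfa-devices": "iam:ListMFADevices",
    "s3api get-bucket-lifecycle-configuration": "s3:GetLifecycleConfiguration",
}


def cli_to_iam_action(command: str) -> str:
    """Map 'aws <service> <operation> [options]' to 'prefix:Operation'."""
    parts = command.split()
    if len(parts) < 3 or parts[0] != "aws":
        raise ValueError(f"not an AWS CLI command: {command!r}")
    service, operation = parts[1], parts[2]
    key = f"{service} {operation}"
    if key in ACTION_OVERRIDES:
        return ACTION_OVERRIDES[key]
    prefix = SERVICE_PREFIX.get(service, service)
    pascal = "".join(word.capitalize() for word in operation.split("-"))
    return f"{prefix}:{pascal}"


def build_policy(fetchers) -> dict:
    """Return an IAM policy document allowing exactly the actions the chosen fetchers need."""
    unknown = [f for f in fetchers if f not in FETCHER_COMMANDS]
    if unknown:
        raise KeyError(f"unknown fetchers: {unknown}")
    # Deduplicate across fetchers (list-users appears in several) and sort for stable diffs.
    actions = sorted({cli_to_iam_action(c) for f in fetchers for c in FETCHER_COMMANDS[f]})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ZenGRCFetcherReadOnly",
            "Effect": "Allow",
            "Action": actions,
            # These are describe/list/get calls; most do not support resource-level
            # restriction, so "*" is the practical scope for this read-only statement.
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(["PCI 1.1.4", "PCI 4.1", "PCI 10.5.3"]), indent=2))
```

Run it with python3 to print the policy for the fetchers named at the bottom. Before using the output for a real connector policy, extend FETCHER_COMMANDS with the remaining rows of the table and check any new command against the service's action list, since the kebab-to-Pascal conversion is a convention and not a guarantee.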
© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com