How to use the AWS Security Hub PCI DSS v3.2.1 standard
August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info.
On February 13, 2020, AWS added partial support for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 requirements to AWS Security Hub.
This update enables you to validate a subset of PCI DSS’s requirements and helps with ongoing PCI DSS security activities by conducting continuous and automated checks. The new Security Hub standard also makes it easier to proactively monitor AWS resources, which is critical for any company involved with the storage, processing, or transmission of cardholder data. There’s also a Security score feature for the Security Hub standard, which can help support preparations for PCI DSS assessment.
Use this post to learn how to:
- Enable the AWS Security Hub PCI DSS v3.2.1 standard and navigating results
- Interpret your security score
- Remediate failed security checks
- Understand requirements related to findings
Enable Security Hub’s PCI DSS v3.2.1 standard and navigate results
Note: This section assumes that you have Security Hub enabled in one or more accounts. To learn how to enable Security Hub, follow these instructions. If you don’t have Security Hub enabled, the first time you enable Security Hub you will be given the option to enable PCI DSS v3.2.1.
To enable the PCI DSS v3.2.1 security standard in Security Hub:
- Open Security Hub and enable PCI DSS v3.2.1 Security standards.
(Once enabled, Security Hub will begin evaluating related resources in the current AWS account and region against the AWS controls within the standard. The scope of the assessment is the current AWS account).
- When the evaluation completes, select View results.
- Now you are on the PCI DSS v3.2.1 page (Figure 1). You can see all 32 currently-implemented security controls in this standard, their severities, and their status for this account and region. Use search and filters to narrow down the controls by status, severity, title, or related requirement.
- Select the name of the control to review detailed information about it. This action will take you to the control’s detail page (Figure 2), which gives you related findings.
- If a specific control is not relevant for you, you can disable the control by selecting Disable and providing a Reason for disabling. (See Disabling Individual Compliance Controls for instructions).
How to interpret and improve your “Security score”
After enabling the PCI DSS v3.2.1 standard in Security Hub, you will notice a Security score appear for the standard itself, and for your account overall. These scores range between 0% and 100%.
The PCI DSS standard’s Security score represents the proportion of passed PCI DSS controls over enabled PCI DSS controls. The score is displayed as a percentage. Similarly, the overall Security score represents the proportion of passed controls over enabled controls, including controls from every enabled Security Hub standard, displayed as a percentage.
Your aim should be to pass all enabled security checks to reach a score of 100%. Reaching a 100% security score for the AWS Security Hub PCI DSS standard will help you prepare for a PCI DSS assessment. The PCI DSS Compliance Standard in Security Hub is designed to help you with your ongoing PCI DSS security activities.
An important note, the controls cannot verify whether your systems are compliant with the PCI DSS standard. They can neither replace internal efforts nor guarantee that you will pass a PCI DSS assessment.
Remediating failed security checks
To remediate a failed control, you need to remediate every failed finding for that control.
- To prioritize remediation, we recommend filtering by Failed controls and then remediating issues starting with critical– and ending with low severity controls.
- Identify a control you want to remediate and visit the control detail page.
- Follow the Remediation instructions link, and then follow the step-by-step remediation instructions, applying them for every failed finding.
How to interpret “Related requirements”
Every control displays Related requirements in the control card and in the control’s detail page. For PCI DSS, the Related requirements show which PCI DSS requirements are related to the Security Hub PCI DSS control. A single AWS control might relate to multiple PCI DSS requirements.
The user guide lists the related PCI DSS requirements and explains how the specific Security Hub PCI DSS control is related to the requirement.
For example, the AWS Config rule cmk-backing-key-rotation-enabled checks that key rotation is enabled for each AWS KMS key, but it doesn’t check for KMS keys that are using key material imported with the AWS Key Management Service (AWS KMS) BYOK mechanism. The related PCI DSS requirement that is mapped to this rule is PCI DSS 3.6.4 – “Cryptographic keys should be changed once they have reached the end of their cryptoperiod.” Although PCI DSS doesn’t specify the time frame for cryptoperiods, this rule is mapped because, if key rotation is enabled, rotation occurs annually by default with a customer-managed KMS key.
The new AWS Security Hub PCI DSS v3.2.1 standard is fundamental for any company involved with storing, processing, or transmitting cardholder data. In this post, you learned how to enable the standard to begin proactively monitoring your AWS resources against the Security Hub PCI DSS controls. You also learned how to navigate the PCI DSS results within Security Hub. By frequently reviewing failed security checks, prioritizing their remediation, and aiming to achieve a 100% security score for PCI DSS within Security Hub, you’ll be better prepared for a PCI DSS assessment.
- Getting started with Security Hub
- PCI DSS v3.2.1 Security Hub user guide
- Interpreting severity labels
If you have feedback about this post, submit comments in the Comments section below. If you have questions, please start a new thread on the Security Hub forums.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.