
PCI DSS and AWS Foundational Security Best Practices on AWS

Deploy automated workflows to remediate deviations from PCI DSS and AWS Foundational Security Best Practices

This Quick Start uses AWS CloudFormation templates to deploy automated workflows to remediate deviations from the Payment Card Industry Data Security Standard (PCI DSS) and AWS Foundational Security Best Practices (AWS FSBP).

With this deployment, AWS Security Hub continuously evaluates your AWS resources against the PCI DSS and AWS FSBP controls. Deviations from controls invoke an automated process of remediation using AWS CloudWatch rules and AWS Systems Manager runbooks. Security Hub processes and prioritizes security check findings using the AWS Security Finding Format (ASFF). 


This Quick Start was developed by AWS.

  •  What you'll build
  • Deploy the PCI DSS and AWS FSBP templates to build the following environment on the AWS Cloud:

    • Security Hub to compile findings of automated and continuous evaluations of PCI DSS and AWS FSBP controls against your AWS resources. Custom actions in Security Hub send findings to CloudWatch as custom events.*
    • CloudWatch to match a custom event from Security Hub with a rule that triggers an AWS Lambda function.
    • AWS Lambda functions to invoke the appropriate Systems Manager runbook to remediate a finding of a deviation from PCI DSS or AWS FSBP controls.
    • Systems Manager to perform the automated remediation actions defined in runbooks.

    *The PCI DSS compliance standard in Security Hub is designed to help you with ongoing PCI DSS security activities. The controls cannot verify if your systems are compliant with the PCI DSS standard. They can't replace internal efforts or guarantee that you will pass a PCI DSS assessment. Security Hub does not check procedural controls that require manual evidence collection.

    Specific guidance on building and maintaining PCI DSS–compliant applications is available from AWS Security Assurance Services.
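To make the event path in the list above concrete, the following is an added example (not the Quick Start's own code) of a Lambda handler that receives the CloudWatch event for a Security Hub custom action, reads the ASFF findings it carries, and builds one Systems Manager automation request for each failed control. The runbook names, the role ARN and the sample event are constructed placeholders, not the templates' real documents.

```python
# Hypothetical control-to-runbook map; runbook and role names are placeholders.
RUNBOOK_FOR_CONTROL = {
    "PCI.S3.1": "Example-RemediateS3PublicWrite",
    "S3.1": "Example-EnableS3BlockPublicAccess",
}
AUTOMATION_ROLE = "arn:aws:iam::111122223333:role/ExampleRemediationRole"

# Constructed sample of the event CloudWatch delivers for a Security Hub
# custom action (trimmed to the ASFF fields used below).
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "Remediate", "findings": [
        {"GeneratorId": "pci-dss/v/3.2.1/PCI.S3.1", "RecordState": "ACTIVE",
         "Compliance": {"Status": "FAILED"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.1",
         "RecordState": "ACTIVE", "Compliance": {"Status": "PASSED"},
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    ]},
}


def control_id(finding):
    # GeneratorId for a standard's control is "<standard>/v/<version>/<control-id>".
    return finding["GeneratorId"].rsplit("/", 1)[-1]


def plan_remediations(event):
    """One StartAutomationExecution request per ACTIVE, FAILED finding whose
    control has a mapped runbook; PASSED or unmapped findings are skipped."""
    requests = []
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return requests
    for finding in event.get("detail", {}).get("findings", []):
        failed = finding.get("Compliance", {}).get("Status") == "FAILED"
        runbook = RUNBOOK_FOR_CONTROL.get(control_id(finding))
        if finding.get("RecordState") != "ACTIVE" or not failed or not runbook:
            continue
        for resource in finding.get("Resources", []):
            requests.append({"DocumentName": runbook,
                             "Parameters": {"ResourceId": [resource["Id"]],
                                            "AutomationAssumeRole": [AUTOMATION_ROLE]}})
    return requests


def lambda_handler(event, context):
    import boto3  # imported lazily so the planning logic is testable offline
    ssm = boto3.client("ssm")
    plans = plan_remediations(event)
    for request in plans:  # SSM parameter values are lists of strings
        ssm.start_automation_execution(**request)
    return {"started": len(plans)}
```

The Lambda execution role needs ssm:StartAutomationExecution plus iam:PassRole on the automation role; the runbook itself runs with the automation role's permissions, so scope that role to the resources it remediates.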

  •  How to deploy
  • To deploy PCI DSS and AWS FSBP using AWS Security Hub in about 20 minutes, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up for one, and sign in to your account.

    2. PCI DSS and AWS FSBP are each packaged in two templates. Deploy the templates in the order they are provided in the instructions in the deployment guide. In the AWS Console, be sure to select a Region from the top toolbar before creating a stack.

    3. Test the deployment. See the deployment guide for complete instructions.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month, and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?