reference deployment

PCI DSS and AWS Foundational Security Best Practices on AWS

Deploy automated workflows to remediate deviations from PCI DSS and AWS Foundational Security Best Practices

This solution uses AWS CloudFormation templates to deploy automated workflows to remediate deviations from the Payment Card Industry Data Security Standard (PCI DSS) and AWS Foundational Security Best Practices (AWS FSBP).

With this deployment, AWS Security Hub continuously evaluates your AWS resources against the PCI DSS and AWS FSBP controls. Deviations from controls invoke an automated process of remediation using AWS CloudWatch rules and AWS Systems Manager runbooks. Security Hub processes and prioritizes security check findings using the AWS Security Finding Format (ASFF). 

This solution was developed by AWS.

  •  What you'll build
  • This solution sets up the following:

    • Security Hub to compile findings of automated and continuous evaluations of PCI DSS and AWS FSBP controls against your AWS resources. Custom actions in Security Hub send findings to CloudWatch as custom events.*
    • CloudWatch to match a custom event from Security Hub with a rule that triggers an AWS Lambda function.
    • AWS Lambda functions to invoke the appropriate Systems Manager runbook to remediate a finding of a deviation from PCI DSS or AWS FSBP controls.
    • Systems Manager to perform the automated remediation actions defined in runbooks.

    *The PCI DSS compliance standard in Security Hub is designed to help you with ongoing PCI DSS security activities. The controls cannot verify if your systems are compliant with the PCI DSS standard. They can't replace internal efforts or guarantee that you will pass a PCI DSS assessment. Security Hub does not check procedural controls that require manual evidence collection.

    Specific guidance on building and maintaining PCI DSS–compliant applications is available from AWS Security Assurance Services.
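The routing step between the CloudWatch rule and the Systems Manager runbook can be sketched as follows. This is an added example, not the solution's own Lambda code: it checks that a finding is an active, failed, unsuppressed check with a known runbook before planning any remediation. The runbook names, the parameter names `FindingId` and `ResourceId`, and the sample event are constructed assumptions.

```python
# Hypothetical control-to-runbook mapping (names are not the solution's own).
RUNBOOKS = {"PCI.S3.1": "Example-Remediate-PCI-S3-1",
            "S3.1": "Example-Remediate-FSBP-S3-1"}
EVENT_KIND = ("aws.securityhub", "Security Hub Findings - Custom Action")

def sample_finding(fid, control, status, workflow="NEW", state="ACTIVE"):
    """Build a constructed, minimal ASFF finding for the sample event."""
    return {"Id": fid, "RecordState": state,
            "Compliance": {"Status": status}, "Workflow": {"Status": workflow},
            "ProductFields": {"ControlId": control},
            "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]}

# Constructed sample of the custom event sent when a custom action is used.
SAMPLE_EVENT = {
    "source": EVENT_KIND[0], "detail-type": EVENT_KIND[1],
    "detail": {"actionName": "Remediate", "findings": [
        sample_finding("f-1", "PCI.S3.1", "FAILED"),
        sample_finding("f-2", "S3.1", "PASSED"),
        sample_finding("f-3", "S3.1", "FAILED", workflow="SUPPRESSED"),
        sample_finding("f-4", "EC2.99", "FAILED"),  # constructed ID, no runbook
    ]},
}

def skip_reason(finding):
    """Return why a finding must not be remediated, or None if it may be."""
    if finding.get("RecordState") != "ACTIVE":
        return "archived"
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return "not a failed check"
    if finding.get("Workflow", {}).get("Status") == "SUPPRESSED":
        return "suppressed"
    if finding.get("ProductFields", {}).get("ControlId") not in RUNBOOKS:
        return "no runbook for control"
    return None

def plan_remediations(event):
    """Map a custom-action event to runbook invocations and skipped findings."""
    if (event.get("source"), event.get("detail-type")) != EVENT_KIND:
        raise ValueError("not a Security Hub custom-action event")
    planned, skipped = [], {}
    for f in event.get("detail", {}).get("findings", []):
        reason = skip_reason(f)
        if reason:
            skipped[f.get("Id")] = reason
        else:  # parameter names are assumptions; SSM takes lists of strings
            planned.append({
                "DocumentName": RUNBOOKS[f["ProductFields"]["ControlId"]],
                "Parameters": {"FindingId": [f["Id"]],
                               "ResourceId": [f["Resources"][0]["Id"]]}})
    return planned, skipped
```

Each planned entry has the shape of the arguments a function would pass to the Systems Manager `StartAutomationExecution` API; recording the skipped findings with a reason gives an audit trail for anything the workflow declined to change.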

  •  How to deploy
  • To deploy this solution, follow the instructions in the deployment guide, which includes these steps.

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Launch the solution. The stack takes about 20 minutes to deploy. Before you create the stack, choose the AWS Region from the top toolbar. Choose one of the following options:
    3. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?