
How To: PCI DSS Compliance Readiness with AWS Security Hub

By Choon Ming Goh, HeleCloud Principal Consultant

Introduction

In a recent cloud security blogpost, my colleague Craig Tunstall highlights the impact of data breaches and the four key areas of AWS Cloud Security. I wanted to follow up with this ‘How To’ blog to help you navigate the AWS Security Hub. 

For every merchant or service provider that handles cardholder data and Sensitive Authentication Data (SAD), achieving PCI DSS compliance is vital, as the standard provides a set of requirements and controls to prevent unauthorised access and data loss. Cardholder data consists of the Primary Account Number (PAN), cardholder name, expiration date and service code. SAD includes the full magnetic stripe data, the card security code (CSC, CVV2, CID, CAV2) and the PIN and/or PIN block. Companies handling such data must comply with the PCI DSS standard, as it gives customers assurance that the company's website and services are secure. The following sections of this blog show how you can prepare your Amazon Web Services (AWS) account for a PCI DSS assessment.

Shared responsibility

When you provide services to customers on the AWS platform, responsibility is shared between you as the AWS customer and AWS as the service provider. AWS is certified as a PCI DSS Level 1 Service Provider, the highest level of assessment available. However, you must manage your own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. For the portion of the PCI cardholder data environment (CDE) that is deployed in AWS, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) without further testing.

[Figure: AWS Shared Responsibility Model]

Source: https://aws.amazon.com/compliance/shared-responsibility-model/

To understand which PCI DSS controls you are responsible for, AWS provides the "AWS PCI DSS Responsibility Summary" as part of the AWS PCI DSS Compliance Package, available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports.

AWS Security Hub

AWS Security Hub is the tool to use to prepare your AWS account for a PCI DSS assessment: it gives you a comprehensive view of the security findings and alerts in your account. In partnership with PCI DSS, AWS released a set of controls mapped to PCI DSS requirements in order to provide an overview of the account's readiness for the assessment.

Setup AWS Security Hub

In order to get started with Security Hub, first you must enable AWS Config as it is not managed by Security Hub and many of the controls for the security standards rely on AWS Config service-level rules. Although Security Hub is a standalone tool, enabling AWS Config is a requirement for enabling Security Hub’s PCI DSS standard checks.

Enable AWS Config

  1. Log in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
  2. If this is the first time you are opening the AWS Config console, or you are setting up AWS Config in a new region, the console opens on its getting-started page. Then:
     1. Choose Get Started Now.
     2. On the Settings page, for Resource types to record, specify all the resource types you want AWS Config to record. Select Record all resources supported in this region and Include global resources. Leave the Specific Types field empty.
     3. For Amazon S3 Bucket, choose the Amazon S3 bucket to which AWS Config sends configuration history and configuration snapshot files, or create a new S3 bucket. You can also send the AWS Config data to a central S3 bucket in a dedicated logging account.
     4. For Amazon SNS Topic, select Stream configuration changes and notifications to an Amazon SNS topic. AWS Config then sends notifications such as configuration history delivery, configuration snapshot delivery and compliance changes to that topic.
     5. For AWS Config role, choose the IAM role that grants AWS Config permission to record configuration information and send it to Amazon S3 and Amazon SNS. Select the Use an existing AWS Config service-linked role option.
     6. Choose Next. This page lets you set up AWS Config rules; do nothing here, choose Next and then Confirm.

Enable Security Hub

  1. When you open the Security Hub console at https://console.aws.amazon.com/securityhub for the first time, choose Get Started.
  2. On the welcome page, Security standards lists the security standards that Security Hub supports. Select all the standards.
  3. Choose Enable Security Hub.
  4. After setup, the first Security Hub findings appear after an hour or so, depending on the number of resources in your AWS account; a full set of results can take up to 24 hours.

When you enable Security Hub from the console, you can also enable the supported security standards. When you enable Security Hub from the API, the CIS AWS Foundations Benchmark standard is enabled automatically. Many of the controls for the security standards rely on AWS Config service-level rules.

Security Hub provides controls for the following standards.

  • CIS AWS Foundations
  • Payment Card Industry Data Security Standard (PCI DSS 3.2.1)
  • AWS Foundational Security Best Practices

Analyse findings

After 24 hours, you can view a summary of the findings from the standards' security checks in the Security Hub console. An example of the summary:

From the Security standards page, you can display a details page for the standard. You can only display details for an enabled standard and cannot display details for a disabled standard.

At the top of the details page is the overall score for the standard. The overall score is the percentage of passed controls relative to the number of enabled controls that have data.

Next to the overall score is a chart summarising the control statuses. The chart shows the percentage of failed and passed controls. When you pause on the chart, the pop-up displays the number of failed controls for each severity, the number of controls with a status of Unknown, and the number of passed controls.

At the bottom of the details page is the list of controls for the standard. The control list is organised and sorted based on the current overall status of the control and the severity assigned to each control.

To display the list of controls for an enabled standard:

  • Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.
  • In the Security Hub navigation pane, choose Security standards.
  • For the standard that you want to display the details for, choose View results.

Enabling or Disabling Controls

When you enable a standard, all the controls for that standard are enabled by default. You can then disable and enable specific controls within an enabled standard.

When you disable a control, the following occurs:

  • The check for the control is no longer performed.
  • No additional findings are generated for that control.
  • The related AWS Config rules that Security Hub created are removed.

It can be useful to turn off security checks for controls that are not relevant to your environment. For example, you might use a single Amazon S3 bucket to log your CloudTrail logs. If so, you can turn off controls related to CloudTrail logging in all accounts and Regions except for the account and Region where the centralised S3 bucket is located. Disabling irrelevant controls reduces the number of irrelevant findings. It also removes the failed check from the readiness score for the associated standard.

AWS documents a list of PCI DSS controls that you might want to disable:

  • [PCI.IAM.1] IAM root user access key should not exist
  • [PCI.IAM.2] IAM users should not have IAM policies attached
  • [PCI.IAM.3] IAM policies should not allow full "*" administrative privileges
  • [PCI.IAM.4] Hardware MFA should be enabled for the root user
  • [PCI.IAM.5] Virtual MFA should be enabled for the root user
  • [PCI.IAM.6] MFA should be enabled for all IAM users

For each finding, AWS Security Hub provides access to details to help you investigate the finding. You can display details about the finding resource and the related configuration rule. You can also view any notes added to the finding. 

For each security check, you can view the related requirements of the security check against PCI DSS standard in the Related requirements tab.

Resources contains information about the affected resources related to this security check. 

In the Investigate column, you can view the timeline of the resource’s configuration on AWS Config. You can also view the relevant AWS Config rule here to understand better why the security check passed or failed. 

Remediate findings

Now that you have the results of the security checks for each standard, you can prepare your AWS account for the PCI DSS assessment by remediating each finding.

Each control in a standard includes a link to remediation guidance to follow when its security check fails. The standard is validated by AWS Security Assurance Services LLC (AWS SAS), a team of Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council (PCI SSC) to provide PCI DSS guidance and assessments.

AWS SAS have confirmed that the automated checks can assist a customer in preparing for a PCI DSS assessment.

After the remediation, the status will be evaluated again at the next cycle of security checks on the standard’s controls. It will either be Passed or Failed depending on the action taken.

Taking this a step further, by combining AWS Security Hub and AWS Config with other AWS services such as AWS Lambda, you can automate the remediation steps: for example, deactivate AWS access keys older than 90 days, or disable IAM accounts that have not logged in for X days.
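As an added example that is not part of the original post, the access-key case above as a Lambda handler wired to a Security Hub custom action through EventBridge; the event shape, the injected IAM client and the injected clock are assumptions so the logic can run offline.

```python
"""Lambda-style remediation: deactivate IAM access keys older than 90 days.

Added example (not from the original post). It assumes the Lambda is the target of a
Security Hub custom action via EventBridge, so the event carries the selected findings;
the IAM client and the clock are injected so the logic can be tested offline. The event
shape below is constructed to match a Security Hub custom action event.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotation threshold from the paragraph above
USER_ARN_PREFIX = ":user/"          # IAM user ARNs end in ":user/<path><name>"


def user_names_from_event(event):
    """Pull IAM user names out of the finding resources in the custom action event."""
    names = set()
    for finding in event.get("detail", {}).get("findings", []):
        for res in finding.get("Resources", []):
            if res.get("Type") == "AwsIamUser" and USER_ARN_PREFIX in res.get("Id", ""):
                names.add(res["Id"].rsplit("/", 1)[-1])   # UserName excludes the path
    return sorted(names)


def deactivate_stale_keys(iam, user_name, now):
    """Set every Active key older than MAX_KEY_AGE to Inactive; return the key ids touched."""
    deactivated = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue                        # already inactive: nothing to do
        if now - key["CreateDate"] > MAX_KEY_AGE:
            iam.update_access_key(UserName=user_name,
                                  AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")   # deactivate, never delete, so a rollback is possible
            deactivated.append(key["AccessKeyId"])
    return deactivated


def lambda_handler(event, context=None, iam=None, now=None):
    """Entry point: a real boto3 client by default, injectable for offline tests."""
    if iam is None:
        import boto3                        # only needed when running inside Lambda
        iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    return {user: deactivate_stale_keys(iam, user, now)
            for user in user_names_from_event(event)}
```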

A recommended approach is to enable Security Hub and AWS Config in every AWS region the organisation uses. Both are regional services, so each only monitors the region in which it is enabled.
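One way to apply this recommendation with the AWS SDK, as an added example that is neither the post's nor AWS's own code; it assumes the PCI DSS standard ARN format shown, that the AWS Config recorder prerequisite described earlier is in place, and that the caller holds Security Hub permissions in every region. The client factory is injected so the rollout logic can be exercised offline.

```python
"""Enable Security Hub and its PCI DSS v3.2.1 standard in every region of an account.

Added example, not HeleCloud's or AWS's own code. It assumes AWS Config is already
recording in each region (the prerequisite described in the post) and that the caller
has the securityhub:EnableSecurityHub and securityhub:BatchEnableStandards permissions.
The client factory is injected so the rollout logic can be exercised offline.
"""
PCI_STANDARD = "arn:aws:securityhub:{region}::standards/pci-dss/v/3.2.1"


def enable_pci_in_region(securityhub, configservice, region):
    """Enable the hub and the PCI DSS standard in one region; skip if Config is not recording."""
    status = configservice.describe_configuration_recorder_status()
    if not any(r.get("recording") for r in status["ConfigurationRecordersStatus"]):
        return {"region": region, "hub": "skipped", "reason": "AWS Config recorder not running"}
    try:
        # Default standards would also switch on CIS and AWS Foundational Security Best
        # Practices; enable PCI DSS explicitly instead so the rollout is predictable.
        securityhub.enable_security_hub(EnableDefaultStandards=False)
        hub = "enabled"
    except securityhub.exceptions.ResourceConflictException:
        hub = "already-enabled"          # re-running the rollout is safe
    resp = securityhub.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": PCI_STANDARD.format(region=region)}])
    return {"region": region, "hub": hub,
            "pci_dss": resp["StandardsSubscriptions"][0]["StandardsStatus"]}


def enable_pci_everywhere(make_client, regions):
    """make_client(service, region) returns a boto3-style client; one status row per region."""
    return [enable_pci_in_region(make_client("securityhub", r), make_client("config", r), r)
            for r in regions]


if __name__ == "__main__":
    import boto3                         # only needed for a real rollout
    session = boto3.session.Session()
    regions = session.get_available_regions("securityhub")   # every region offering the service
    for row in enable_pci_everywhere(lambda svc, region: session.client(svc, region_name=region),
                                     regions):
        print(row)
```

The returned rows give you an audit trail of which regions were enabled, which were already enabled and which were skipped because AWS Config was not recording.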

Conclusion

Achieving PCI DSS certification, whilst mandatory, takes a lot of effort to implement the controls laid out by the standard and demonstrate compliance with them. AWS Security Hub gives you an overview of how ready your company's AWS account is for the PCI DSS assessment. It does not check the procedural controls that require manual evidence collection, but it gets you past the halfway point: it helps AWS customers prepare their accounts for the assessment and gives insight into the current state of the account.

AWS has published a few documents on PCI DSS guideline, available here:

Do keep an eye out in HeleCloud’s whitepaper page as we will be shortly releasing a new whitepaper on security information and event management (SIEM). If you would like to find out more about HeleCloud’s offering on SIEM, feel free to contact us.