Mod: aws-pciv3-2-1
The aws-pciv3-2-1 mod consists of 1 policy and 63 controls.
Recommended Version: 5.0.4
Released On: Nov 23, 2022
Depends On:
aws-cloudtrail ^5.0.0
aws-codebuild ^5.4.0
aws-dms ^5.3.0
aws-ec2 ^5.0.0
aws-elasticsearch ^5.0.0
aws-guardduty ^5.0.0
aws-iam ^5.0.0
aws-kms ^5.0.0
aws-lambda ^5.0.0
aws-rds ^5.0.0
aws-redshift ^5.0.0
aws-s3 ^5.0.0
aws-ssm ^5.13.0
aws-sagemaker ^5.6.0
aws-vpc-core ^5.0.0
aws-vpc-internet ^5.0.0
aws-vpc-security ^5.0.0
aws ^5.0.0
turbot-iam ^5.1.0
turbot ^5.37.0
Controls
- AWS > PCI v3.2.1
- AWS > PCI v3.2.1 > Auto Scaling
- AWS > PCI v3.2.1 > Auto Scaling > 1 Auto Scaling groups associated with a load balancer should use health checks
- AWS > PCI v3.2.1 > CloudTrail
- AWS > PCI v3.2.1 > CloudTrail > 1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs
- AWS > PCI v3.2.1 > CloudTrail > 2 CloudTrail should be enabled
- AWS > PCI v3.2.1 > CloudTrail > 3 CloudTrail log file validation should be enabled
- AWS > PCI v3.2.1 > CloudTrail > 4 CloudTrail trails should be integrated with CloudWatch Logs
- AWS > PCI v3.2.1 > CloudWatch
- AWS > PCI v3.2.1 > CloudWatch > 1 A log metric filter and alarm should exist for usage of the 'root' user
- AWS > PCI v3.2.1 > CodeBuild
- AWS > PCI v3.2.1 > CodeBuild > 1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- AWS > PCI v3.2.1 > CodeBuild > 2 CodeBuild project environment variables should not contain clear text credentials
- AWS > PCI v3.2.1 > Config
- AWS > PCI v3.2.1 > Config > 1 AWS Config should be enabled
- AWS > PCI v3.2.1 > DMS
- AWS > PCI v3.2.1 > DMS > 1 AWS Database Migration Service replication instances should not be public
- AWS > PCI v3.2.1 > EC2
- AWS > PCI v3.2.1 > EC2 > 1 Amazon EBS snapshots should not be publicly restorable
- AWS > PCI v3.2.1 > EC2 > 2 VPC default security group should prohibit inbound and outbound traffic
- AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
- AWS > PCI v3.2.1 > EC2 > 4 Unused EC2 EIPs should be removed
- AWS > PCI v3.2.1 > EC2 > 5 Security groups should not allow ingress from 0.0.0.0/0 to port 22
- AWS > PCI v3.2.1 > EC2 > 6 VPC flow logging should be enabled in all VPCs
- AWS > PCI v3.2.1 > Elasticsearch
- AWS > PCI v3.2.1 > Elasticsearch > 1 Amazon Elasticsearch Service domains should be in a VPC
- AWS > PCI v3.2.1 > Elasticsearch > 2 Amazon Elasticsearch Service domains should have encryption at rest enabled
- AWS > PCI v3.2.1 > ELBV2
- AWS > PCI v3.2.1 > ELBV2 > 1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
- AWS > PCI v3.2.1 > GuardDuty
- AWS > PCI v3.2.1 > GuardDuty > 1 GuardDuty should be enabled
- AWS > PCI v3.2.1 > IAM
- AWS > PCI v3.2.1 > IAM > 1 IAM root user access key should not exist
- AWS > PCI v3.2.1 > IAM > 2 IAM users should not have IAM policies attached
- AWS > PCI v3.2.1 > IAM > 3 IAM policies should not allow full '*' administrative privileges
- AWS > PCI v3.2.1 > IAM > 4 Hardware MFA should be enabled for the root user
- AWS > PCI v3.2.1 > IAM > 5 Virtual MFA should be enabled for the root user
- AWS > PCI v3.2.1 > IAM > 6 MFA should be enabled for all IAM users
- AWS > PCI v3.2.1 > IAM > 7 IAM user credentials should be disabled if not used within a predefined number of days
- AWS > PCI v3.2.1 > IAM > 8 Password policies for IAM users should have strong configurations
- AWS > PCI v3.2.1 > KMS
- AWS > PCI v3.2.1 > KMS > 1 Customer master key (CMK) rotation should be enabled
- AWS > PCI v3.2.1 > Lambda
- AWS > PCI v3.2.1 > Lambda > 1 Lambda functions should prohibit public access
- AWS > PCI v3.2.1 > Lambda > 2 Lambda functions should be in a VPC
- AWS > PCI v3.2.1 > RDS
- AWS > PCI v3.2.1 > RDS > 1 RDS snapshots should prohibit public access
- AWS > PCI v3.2.1 > RDS > 2 RDS DB Instances should prohibit public access
- AWS > PCI v3.2.1 > Redshift
- AWS > PCI v3.2.1 > Redshift > 1 Amazon Redshift clusters should prohibit public access
- AWS > PCI v3.2.1 > S3
- AWS > PCI v3.2.1 > S3 > 1 S3 buckets should prohibit public write access
- AWS > PCI v3.2.1 > S3 > 2 S3 buckets should prohibit public read access
- AWS > PCI v3.2.1 > S3 > 3 S3 buckets should have cross-region replication enabled
- AWS > PCI v3.2.1 > S3 > 4 S3 buckets should have server-side encryption enabled
- AWS > PCI v3.2.1 > S3 > 5 S3 buckets should require requests to use Secure Socket Layer
- AWS > PCI v3.2.1 > S3 > 6 S3 Block Public Access setting should be enabled
- AWS > PCI v3.2.1 > SageMaker
- AWS > PCI v3.2.1 > SageMaker > 1 Amazon SageMaker notebook instances should not have direct internet access
- AWS > PCI v3.2.1 > SSM
- AWS > PCI v3.2.1 > SSM > 1 Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
- AWS > PCI v3.2.1 > SSM > 2 Instances managed by Systems Manager should have an association compliance status of COMPLIANT
- AWS > PCI v3.2.1 > SSM > 3 EC2 instances should be managed by AWS Systems Manager