Add Audit Manager > PCI DSS v3.2.1 controls

README.md

@@ -29,7 +29,7 @@ Includes support for:
 * [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
 * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
 * [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other)
-* [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321)
+* [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_dss_v321)
 * [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security)
 * [SOC 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.soc_2)
 

conformance_pack/acm.sp

@@ -20,6 +20,7 @@ control "acm_certificate_expires_30_days" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })

conformance_pack/apigateway.sp

@@ -19,6 +19,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -41,6 +42,7 @@ control "apigateway_stage_logging_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -73,6 +75,7 @@ control "apigateway_stage_use_waf_web_acl" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     nist_800_53_rev_5      = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
   })
 }
@@ -119,7 +122,8 @@ query "apigateway_stage_logging_enabled" {
         title,
         region,
         account_id,
-        tags
+        tags,
+        _ctx
       from
         aws_api_gateway_stage
       union
@@ -130,7 +134,8 @@ query "apigateway_stage_logging_enabled" {
         title,
         region,
         account_id,
-        tags
+        tags,
+        _ctx
       from
         aws_api_gatewayv2_stage
     )
@@ -201,7 +206,6 @@ query "apigateway_rest_api_authorizers_configured" {
         when jsonb_array_length(a.provider_arns) > 0 then p.name || ' authorizers configured.'
         else p.name || ' authorizers not configured.'
       end as reason
-
       ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "p.")}
       ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "p.")}
     from

conformance_pack/autoscaling.sp

@@ -4,6 +4,16 @@ locals {
   })
 }
 
+control "autoscaling_launch_config_requires_imdsv2" {
+  title       = "Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)"
+  description = "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled."
+  query       = query.autoscaling_launch_config_requires_imdsv2
+
+  tags = merge(local.conformance_pack_autoscaling_common_tags, {
+    pci_dss_v321 = "true"
+  })
+}
+
 control "autoscaling_group_with_lb_use_health_check" {
   title       = "Auto Scaling groups with a load balancer should use health checks"
   description = "The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability."
@@ -19,6 +29,7 @@ control "autoscaling_group_with_lb_use_health_check" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
   })
 }
 
@@ -34,6 +45,7 @@ control "autoscaling_launch_config_public_ip_disabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     nist_800_53_rev_5      = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
   })
 }

conformance_pack/backup.sp

@@ -16,6 +16,7 @@ control "backup_recovery_point_manual_deletion_disabled" {
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_csf              = "true"
+    pci_dss_v321          = "true"
     soc_2                 = "true"
   })
 }
@@ -34,6 +35,7 @@ control "backup_plan_min_retention_35_days" {
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     soc_2                  = "true"
   })
 }
@@ -42,13 +44,15 @@ control "backup_recovery_point_encryption_enabled" {
   title       = "Backup recovery points should be encrypted"
   description = "Ensure if a recovery point is encrypted. The rule is non compliant if the recovery point is not encrypted."
   query       = query.backup_recovery_point_encryption_enabled
+
   tags = merge(local.conformance_pack_backup_common_tags, {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
     gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_csf              = "true"
+    pci_dss_v321          = "true"
     soc_2                 = "true"
   })
 }
@@ -63,6 +67,7 @@ control "backup_recovery_point_min_retention_35_days" {
     ffiec                 = "true"
     gxp_eu_annex_11       = "true"
     nist_800_171_rev_2    = "true"
+    pci_dss_v321          = "true"
   })
 }
 

conformance_pack/cloudformation.sp

@@ -4,6 +4,16 @@ locals {
   })
 }
 
+control "cloudformation_stack_drift_detection_check" {
+  title       = "CloudFormation stacks differ from the expected configuration"
+  description = "Ensure if the actual configuration of a Cloud Formation stack differs, or has drifted, from the expected configuration, a stack is considered to have drifted if one or more of its resources differ from their expected configuration."
+  query       = query.cloudformation_stack_drift_detection_check
+
+  tags = merge(local.conformance_pack_cloudformation_common_tags, {
+    pci_dss_v321 = "true"
+  })
+}
+
 control "cloudformation_stack_output_no_secrets" {
   title       = "CloudFormation stacks outputs should not have any secrets"
   description = "Ensure CloudFormation stacks outputs do not contain secrets like user names, passwords, and tokens. It is recommended to remove secrets since outputs cannot be encrypted resulting in any entity with basic read-metadata-only and access to CloudFormation outputs having access to these secrets."
@@ -44,6 +54,27 @@ control "cloudformation_stack_termination_protection_enabled" {
   })
 }
 
+query "cloudformation_stack_drift_detection_check" {
+  sql = <<-EOQ
+    select
+      id as resource,
+      case
+        when stack_drift_status = 'IN_SYNC' then 'ok'
+        when stack_drift_status = 'DRIFTED' then 'alarm'
+        else 'skip'
+      end as status,
+      case
+        when stack_drift_status = 'IN_SYNC' then title || ' drift status is ' || stack_drift_status || '.'
+        when stack_drift_status = 'DRIFTED' then title || ' drift status is ' || stack_drift_status || '.'
+        else title || ' drift status is ' || stack_drift_status || '.'
+      end as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_cloudformation_stack;
+  EOQ
+}
+
 query "cloudformation_stack_output_no_secrets" {
   sql = <<-EOQ
     with stack_output as (

conformance_pack/cloudfront.sp

@@ -10,9 +10,10 @@ control "cloudfront_distribution_encryption_in_transit_enabled" {
   query       = query.cloudfront_distribution_encryption_in_transit_enabled
 
   tags = merge(local.conformance_pack_cloudfront_common_tags, {
-    gdpr  = "true"
-    hipaa = "true"
-    soc_2 = "true"
+    gdpr         = "true"
+    hipaa        = "true"
+    pci_dss_v321 = "true"
+    soc_2        = "true"
   })
 }
 
@@ -46,6 +47,26 @@ control "cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled" {
   })
 }
 
+control "cloudfront_distribution_no_deprecated_ssl_protocol" {
+  title       = "CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins"
+  description = "This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3."
+  query       = query.cloudfront_distribution_no_deprecated_ssl_protocol
+
+  tags = merge(local.conformance_pack_cloudfront_common_tags, {
+    pci_dss_v321 = "true"
+  })
+}
+
+control "cloudfront_distribution_custom_origins_encryption_in_transit_enabled" {
+  title       = "CloudFront distributions should encrypt traffic to custom origins"
+  description = "This control checks if Amazon CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'."
+  query       = query.cloudfront_distribution_custom_origins_encryption_in_transit_enabled
+
+  tags = merge(local.conformance_pack_cloudfront_common_tags, {
+    pci_dss_v321 = "true"
+  })
+}
+
 control "cloudfront_distribution_logging_enabled" {
   title       = "CloudFront distributions access logs should be enabled"
   description = "This control checks if Amazon CloudFront distributions are configured to capture information from Amazon Simple Storage Service (Amazon S3) server access logs. This rule is non compliant if a CloudFront distribution does not have logging configured."

conformance_pack/cloudtrail.sp

@@ -22,6 +22,7 @@ control "cloudtrail_trail_integrated_with_logs" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -46,6 +47,7 @@ control "cloudtrail_s3_data_events_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -69,6 +71,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -92,6 +95,7 @@ control "cloudtrail_multi_region_trail_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -113,6 +117,7 @@ control "cloudtrail_trail_validation_enabled" {
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
+    pci_dss_v321           = "true"
     soc_2                  = "true"
   })
 }
@@ -135,6 +140,7 @@ control "cloudtrail_trail_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -228,7 +234,7 @@ query "cloudtrail_s3_data_events_enabled" {
     aws_s3_bucket as b
     left join s3_selectors on bucket_selector like (b.arn || '%') or bucket_selector = 'arn:aws:s3'
   group by
-    b.account_id, b.region, b.arn, b.name, b.tags;
+    b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
   EOQ
 }
 

conformance_pack/cloudwatch.sp

@@ -18,6 +18,7 @@ control "cloudwatch_alarm_action_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     soc_2                  = "true"
   })
 }
@@ -49,6 +50,7 @@ control "log_group_encryption_at_rest_enabled" {
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -69,6 +71,7 @@ control "cloudwatch_log_group_retention_period_365" {
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
+    pci_dss_v321           = "true"
     rbi_cyber_security     = "true"
     soc_2                  = "true"
   })
@@ -115,8 +118,9 @@ control "log_metric_filter_iam_policy" {
   query       = query.log_metric_filter_iam_policy
 
   tags = merge(local.conformance_pack_cloudwatch_common_tags, {
-    gdpr     = "true"
-    nist_csf = "true"
+    gdpr         = "true"
+    nist_csf     = "true"
+    pci_dss_v321 = "true"
   })
 }
 

conformance_pack/codebuild.sp

@@ -9,7 +9,7 @@ control "codebuild_project_build_greater_then_90_days" {
   description = "Ensure CodeBuild projects are curently in use. It is recommended to remove the stale ones."
   query       = query.codebuild_project_build_greater_then_90_days
 
-  tags = merge(local.conformance_pack_ecs_common_tags, {
+  tags = merge(local.conformance_pack_codebuild_common_tags, {
     other_checks = "true"
   })
 }
@@ -20,6 +20,7 @@ control "codebuild_project_plaintext_env_variables_no_sensitive_aws_values" {
   query       = query.codebuild_project_plaintext_env_variables_no_sensitive_aws_values
 
   tags = merge(local.conformance_pack_codebuild_common_tags, {
+    pci_dss_v321           = "true"
     cis_controls_v8_ig1    = "true"
     cisa_cyber_essentials  = "true"
     fedramp_low_rev_4      = "true"
@@ -38,6 +39,7 @@ control "codebuild_project_source_repo_oauth_configured" {
   query       = query.codebuild_project_source_repo_oauth_configured
 
   tags = merge(local.conformance_pack_codebuild_common_tags, {
+    pci_dss_v321           = "true"
     cis_controls_v8_ig1    = "true"
     cisa_cyber_essentials  = "true"
     fedramp_low_rev_4      = "true"
@@ -55,13 +57,22 @@ control "codebuild_project_with_user_controlled_buildspec" {
   description = "This control checks if buildspec.yml is used from a trusted source which user cant interfere with."
   query       = query.codebuild_project_with_user_controlled_buildspec
 
-  tags = merge(local.conformance_pack_ecs_common_tags, {
+  tags = merge(local.conformance_pack_codebuild_common_tags, {
     other_checks = "true"
   })
 }
 
+control "codebuild_project_environment_privileged_mode_disabled" {
+  title       = "CodeBuild project environments should not have privileged mode enabled"
+  description = "This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled."
+  query       = query.codebuild_project_environment_privileged_mode_disabled
+  tags = merge(local.conformance_pack_codebuild_common_tags, {
+    pci_dss_v321 = "true"
+  })
+}
+
 control "codebuild_project_logging_enabled" {
-  title       = "CodeBuild project logging should be enabled"
+  title       = "CodeBuild projects should have logging enabled"
   description = "This control checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is non compliant if the status of all present log configurations is set to 'DISABLED'."
   query       = query.codebuild_project_logging_enabled