Add group PCI v3.2.1 - Githubissues

toniblyx commented 5 years ago

List of checks based on PCI v3.2.1

PCI 3.2.1

3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data

Ensure no security groups allow ingress from 0.0.0.0/0 to all ports and protocols extra748
Ensure no security groups allow ingress from 0.0.0.0/0 to RDP (TCP 3389) check42
Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP 22) check41
Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP 1521) extra749
Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (TCP and UDP 2483) extra749
Ensure no security groups allow ingress from 0.0.0.0/0 to Oracle (UDP 2483) extra749
Ensure no security groups allow ingress from 0.0.0.0/0 to MySQL (TCP 3306) extra750
Ensure no security groups allow ingress from 0.0.0.0/0 to Postgres (TCP 5432) extra751
Ensure no security groups allow ingress from 0.0.0.0/0 to Redis (TCP 6379)extra752
Ensure no security groups allow ingress from 0.0.0.0/0 to MongoDB (TCP 27017 and 27018) extra753
Ensure no security groups allow ingress from 0.0.0.0/0 to Cassandra (TCP 7199, 9160 and 8888) extra754
Ensure no security groups allow ingress from 0.0.0.0/0 to Memcached (TCP and UDP 11211) extra755
Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch ports (TCP 9200/9300/5601) extra779
Ensure the default security group restricts all traffic check43
Remove unused security groups extra75
RDS should not have Public interface open to a public scope extra78
Check for Publicly Accessible Redshift Clusters extra756

3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Instance with administrative service: SSH (TCP:22) is exposed to the public Internet check41
Instance with administrative service: RDP (TCP:3389) is exposed to the public Internet check42
Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet extra752

3.3 Requirement 3: Protect Stored Cardholder Data

S3 Buckets Server Side encryption at rest extra734
Ensure ECS Cluster At-rest encryption TODO
Ensure DynamoDB -Server Side Encryption DONE (default behavior)
Check if RDS instances storage is encrypted extra735
Ensure there are no EBS Volumes unencrypted extra729
Ensure CloudTrail logs are encrypted at rest using KMS CMKs check27
Ensure rotation for customer created CMKs is enabled check28
Check if EBS snapshots are encrypted extra740
Ensure there are no EBS Snapshots set as Public extra72
Ensure there is no Fargate containers in use (/aws/containers-roadmap/issues/314) TODO

3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

Use encrypted connections between CloudFront and origin server extra738 and TODO
Ensure that S3 Buckets only allow data transfer using SSL/TLS extra734
ELB is setup with SSL for secure communications TODO
Ensure the access keys are rotated every 90 days or less check14
Network Load Balancer with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
Network Load Balancer with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet TODO? ELB on SSL should be enough extra779 and extra716
Network Load Balancer with unencrypted service: LDAP (UDP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
Network Load Balancer with unencrypted service: LDAP (TCP:389) is exposed to the public Internet TODO? ELB on SSL should be enough
Instance with unencrypted service: ElasticSearch (TCP:9200) is exposed to the public Internet extra779 and extra716
Instance with unencrypted service: ElasticSearch (TCP:9300) is exposed to the public Internet extra779 and extra716
Instance with unencrypted service: LDAP (UDP:389) is exposed to the public Internet
Instance with unencrypted service: LDAP (TCP:389) is exposed to the public Internet
Instance with unencrypted Redis: (TCP:6379) is exposed to the public Internet

3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

N/A

3.6. Requirement 6: Develop and Maintain Secure Systems and Applications

Ensure Inspector has Assessment Targets TODO
Ensure Inspector has a Scheduled Assessment Template TODO
Check for WAF IPSet TODO
Check for WAF Constraint Sets TODO
Check for WAF Web ACL extra744,extra773

3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know

Credentials (access keys) unused for 90 days or more should be disabled check13
Credentials (password enabled) unused for 90 days or more should be disabled check111
Ensure IAM policies are attached only to groups or roles check116

3.8. Requirement 8: Identify and Authenticate Access to System Components

Enforce password policy: IAM (check15, check16, check17, check18, check19, check110, check111)
Ensure that MFA is enabled for root account check113
Ensure MFA is enabled for all IAM users that have a console password check12
Ensure no root account access key exist check112
Ensure hardware MFA is enabled for the root account check114
Avoid the use of root account. check11

3.9 Requirement 9: Restrict Physical Access to Cardholder Data

N/A

3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

Ensure CloudTrail is enabled in all regions check21
Ensure VPC Flow Logging is enabled in all the applicable Regions check29
Ensure S3 Buckets access logging is enabled on the CloudTrail S3 bucket check26
ELB is created with access logs enabled extra717
S3 bucket should have server access logging enabled extra718
Ensure AWS Config in all regions check25
S3 bucket CloudTrail logs should not have public accessible check23
S3 buckets should not be world-listable extra73
S3 buckets should not be world-writable extra73
S3 buckets should not be world-readable extra73
Ensure a log metric filter and alarm exist for S3 bucket policy changes check38
Ensure a log metric exist for AWS Management console authentication failures check36
Ensure a log metric exist for VPC changes check314

3.11. Requirement 11: Regularly Test Security Systems and Processes

Ensure AWS GuarDduty is enabled extra713
Ensure Inspector has Assessment Targets
Ensure Inspector has a Scheduled Assessment Template

Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel

N/A

jonrau1 commented 5 years ago

3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data

Check for use of Default Network ACL
Check for attachment of Web ACL

3.6. Requirement 6: Develop and Maintain Secure Systems and Applications

Ensure Inspector has Assessment Targets
Ensure Inspector has a Scheduled Assessment Template
Check for WAF IPSet
Check for WAF Constraint Sets
Check for WAF Web ACL

3.11. Requirement 11: Regularly Test Security Systems and Processes

Ensure Inspector has Assessment Targets
Ensure Inspector has a Scheduled Assessment Template

toniblyx commented 5 years ago

Thanks @jonrau1 for the update definitely I have to work on new checks to make it able to check PCI, that is planned, I hope to have something before re:Inforce.

toniblyx commented 5 years ago

@jonrau1 I have updated the list with your comments. Also for the ones you recommend for section 3.1 I have some comments:

Check for use of Default Network ACL - it is covered by the checks included already in prowler like check41, check42, check43 and extra75

eldondev commented 4 years ago

* Ensure ECS Cluster At-rest encryption

Looking at this, is it fair to say that this check would need to ensure that fargate isn't in use while fargate storage remains unencrypted according to /aws/containers-roadmap/issues/314?

hemi-hga commented 4 years ago

How can we help?

toniblyx commented 4 years ago

* Ensure ECS Cluster At-rest encryption
Looking at this, is it fair to say that this check would need to ensure that fargate isn't in use while fargate storage remains unencrypted according to /aws/containers-roadmap/issues/314?

Good point, I wasn't aware of that information and how it may impact PCI DSS compliance. So a check to just look at Fargate is needed to be written. I'll add it to the list.

toniblyx commented 4 years ago

How can we help?

I have just updated the list with the comment from @eldondev and with all recent checks related to Elasticsearch. If you look at the list there are some checks that need to be written. Feel free to pick one and practice, let me know if you need help opening an issue. For example, the check for "LDAP (TCP:389) is exposed to the public Internet" should be pretty simple, just look at other similar checks and pick the next free extras ID, a can create a pci group also to include all existing ones. Thanks for asking @hemedga

toniblyx commented 4 years ago

It is already available as ./prowler -g pci

prowler-cloud / prowler

Add group PCI v3.2.1 #296

3.1 Requirement: Install and Maintain a Firewall Configuration to Protect Cardholder Data

3.2 Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

3.3 Requirement 3: Protect Stored Cardholder Data

3.4 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

3.5. Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

3.6. Requirement 6: Develop and Maintain Secure Systems and Applications

3.7. Requirement 7: Restrict Access to Cardholder Data By Business Need To Know

3.8. Requirement 8: Identify and Authenticate Access to System Components

3.9 Requirement 9: Restrict Physical Access to Cardholder Data

3.10. Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

3.11. Requirement 11: Regularly Test Security Systems and Processes

Requirement 12: Maintain a Policy That Addresses Information Security For All Personnel