Currently, enabling the PCI DSS standard in AWS Security Hub turns it on only in the Amazon Web Services (AWS) account you are working in. This blog post describes a way to customize the configuration and deployment of the PCI DSS standard across multiple AWS accounts and Regions managed by AWS Organizations. It also shows how to disable particular standards or controls that are not needed for your organization's compliance requirements. The same solution can serve as a baseline that is applied automatically to new AWS accounts as they are created, using AWS CloudFormation StackSets.
Solution Overview
The following section walks through an example account setup that uses the automated solution described in this post to enable PCI DSS monitoring and reporting across several AWS accounts through AWS Organizations. The illustrated hierarchy is a single management account with two member accounts, with infrastructure spread across multiple Regions. The member accounts send their Security Hub findings to the designated Security Hub administrator account, so compliance can be reviewed centrally.
Prerequisites
To activate the PCI DSS standard, the following prerequisites should be met:
- A designated administrator account for Security Hub.
- Security Hub enabled in all relevant accounts and Regions.
- Access to the management account for the organization, with the necessary permissions for stack set operations.
- Selection of deployment targets (accounts and Regions) for PCI DSS standard activation. Generally, this is established on accounts where Security Hub is already active or where PCI workloads are present.
- (Optional) If any standards or controls are found to be inapplicable, obtain the Amazon Resource Names (ARNs) of those specific standards or controls to disable them.
Solution Resources
The CloudFormation template utilized in the following steps includes:
- An AWS Lambda function—SHLambdaFunction—for configuring and deploying the setup procedures within Security Hub.
- An AWS Identity and Access Management (IAM) role—SHLambdaRole—that possesses the necessary permissions for solution deployment.
- A custom resource—SHConfiguration—that triggers the Lambda function to initiate setup procedures.
Solution Deployment
To configure this solution for automated deployment, prepare the following CloudFormation StackSet template for distribution via the AWS CloudFormation service. This StackSet can operate across the organization at the root or any chosen organizational units (OUs). You can specify which Regions to deploy this solution against and also enable it each time a new AWS account is created.
To deploy the solution:
- Access the AWS Management Console.
- Download the sh-pci-enabler.yaml template and save it to an Amazon Simple Storage Service (Amazon S3) bucket in the management account. Note the object path; you will need it in a later step.
- Go to the CloudFormation service in the management account. Select StackSets from the left menu, then choose Create StackSet.
- On the Choose a template page, go to Specify template, select Amazon S3 URL, and input the path to the sh-pci-enabler.yaml template saved in step 2. Click Next.
- Provide a name and an optional description for the StackSet, then click Next.
- (Optional) On the Configure StackSet options page, add tags to identify and organize your stack set.
- Click Next. On the Set deployment options page, select the desired Regions, then click Next.
- Review the definition and confirm that you acknowledge AWS CloudFormation may create IAM resources. Click Submit.
- After submitting, you can monitor the creation of the StackSet from the Operations tab to ensure successful deployment.
Disabling Standards and Controls
Should you need to deactivate a standard that is not required by your organization, you can follow a similar process as described above with a few modifications.
To disable standards:
- Open the SH-PCI-enabler.yaml template and save a copy under a new name.
- Change sh.batch_enable_standards to sh.batch_disable_standards in the template.
- Update standardArn=f"arn:aws:securityhub:{region}::standards/pci-dss/v/3.2.1" to the desired ARN. To find the correct standard ARN, run aws securityhub describe-standards from the AWS Command Line Interface (AWS CLI) or AWS CloudShell.
Keep the f prefix in front of the opening quotation mark (it makes the string an f-string, so {region} is substituted at run time), and replace the Region that the command returns with the {region} variable. If the standard's ARN has no Region, as is the case for the CIS standard, omit the variable.
When you enable a standard, all controls for that standard are activated by default. If needed, you can specify controls for deactivation within an enabled standard. Disabling a control stops its checks, prevents additional findings, and removes the related AWS Config rules created by Security Hub. Remember, Security Hub operates regionally; thus, changes applied to controls will only affect the specified Region in the API request. If an entire standard is disabled, Security Hub will not track which controls were turned off, and re-enabling the standard will reactivate all controls.
To disable a list of controls:
- Navigate to the Security Hub console and select Security standards from the left menu. For each control you wish to disable, select Finding JSON and note each StandardsControlArn to compile your list.
- Alternatively, utilize the DescribeStandardsControls API to generate a list of StandardsControlArn for deactivation.
- Download the StackSet SH-disable-controls.yaml template to your device.
- Open the template file in a text editor.
- Locate the list of controls to disable and replace the provided StandardsControlArn list with your own, ensuring to use a comma as the delimiter for each ARN.
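The Security Hub calls behind the two templates above, written here as an added example rather than the blog's own Lambda code: the Region substitution from the standardArn line (a template without {region} passes through unchanged), enabling or disabling a standard, and disabling a comma-delimited list of controls. It assumes each function is handed a boto3 securityhub client; the FakeSecurityHub class is a constructed stand-in so the block runs offline, and the account id it uses is made up. Note that BatchDisableStandards takes subscription ARNs, not standard ARNs, so the disable helper resolves them through GetEnabledStandards first.

```python
PCI_ARN_TEMPLATE = "arn:aws:securityhub:{region}::standards/pci-dss/v/3.2.1"  # value from the template

def resolve_standard_arn(template, region):
    """Substitute the Region; a template with no {region} (a Regionless standard) is unchanged."""
    return template.format(region=region)

def enable_standard(client, standard_arn):
    """BatchEnableStandards in the current Region; all of the standard's controls start enabled."""
    return client.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": standard_arn}])

def disable_standard(client, standard_arn):
    """BatchDisableStandards wants subscription ARNs, so resolve them via GetEnabledStandards."""
    subs = client.get_enabled_standards()["StandardsSubscriptions"]
    targets = [s["StandardsSubscriptionArn"] for s in subs if s["StandardsArn"] == standard_arn]
    if targets:
        client.batch_disable_standards(StandardsSubscriptionArns=targets)
    return targets

def parse_control_list(raw):
    """Split the comma-delimited StandardsControlArn list, dropping blanks and whitespace."""
    return [a.strip() for a in raw.split(",") if a.strip()]

def disable_controls(client, control_arns, reason="Not applicable to this workload"):
    """UpdateStandardsControl per control (Region-scoped); returns the ARNs it disabled."""
    for arn in control_arns:
        client.update_standards_control(
            StandardsControlArn=arn, ControlStatus="DISABLED", DisabledReason=reason)
    return list(control_arns)

class FakeSecurityHub:
    """Constructed stand-in for boto3.client("securityhub"); subscription ARN shape is real, account id is not."""
    def __init__(self):
        self.subscriptions, self.disabled_controls = [], []
    def batch_enable_standards(self, StandardsSubscriptionRequests):
        for req in StandardsSubscriptionRequests:
            sub = req["StandardsArn"].replace("::standards/", ":111111111111:subscription/")
            self.subscriptions.append({"StandardsArn": req["StandardsArn"],
                                       "StandardsSubscriptionArn": sub})
        return {"StandardsSubscriptions": list(self.subscriptions)}
    def get_enabled_standards(self):
        return {"StandardsSubscriptions": list(self.subscriptions)}
    def batch_disable_standards(self, StandardsSubscriptionArns):
        self.subscriptions = [s for s in self.subscriptions
                              if s["StandardsSubscriptionArn"] not in StandardsSubscriptionArns]
        return {}
    def update_standards_control(self, StandardsControlArn, ControlStatus, DisabledReason=""):
        self.disabled_controls.append(StandardsControlArn)
        return {}
```

In the real Lambda, replace FakeSecurityHub() with boto3.client("securityhub") and run the same calls once per target Region, since each call only affects the Region it is made in.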