To Bot or not to Bot your PCI Compliance
By Marina Segal and Aditya Gupta – Product Management CloudGuard Dome9
Building cloud environments and systems that need to be compliant with PCI requirements is a common task for many companies. PCI compliance is a must when you deal with credit card information (or any other data/systems that are in scope for PCI). PCI requirements span across various security domains such as: encryption, network security, identity and authentication, logging and monitoring.
In this blog we will be discussing the steps that we took to automate PCI compliance using CFT and CloudGuard Dome9 Cloudbots.
The best way to achieve PCI compliance in a cloud environment is to start with PCI Compliant architecture. Once you have a compliant cloud environment deployed, the challenge is to ensure there is no drift from the desired configurations, and that the environment is compliant with PCI requirements at all times.
If your environment is deployed in AWS, PCI Compliant architecture can be deployed easily by using the AWS PCI CloudFormation template (CFT), which automates the deployment process.
AWS PCI CFT can be found on Amazon Quick Starts – Automated, gold-standard deployments in the AWS Cloud: https://aws.amazon.com/quickstart/architecture/compliance-pci/
PCI Compliance automated with CFT and CloudGuard Dome9
To simulate the deployment and compliance assessment process, we deployed the AWS PCI CFT in one of the new regions of an existing AWS environment. We checked the CloudGuard Dome9 PCI compliance score along the way to understand how each step affects the score.
Step 1 – CFT Deployment
Before you begin with the actual deployment of the CFT, it is crucial that you ensure your AWS environment is compliant with these manual pre-deployment steps: https://docs.aws.amazon.com/quickstart/latest/compliance-pci/pre-deployment.html
Once the CFT is deployed, CloudGuard Dome9 can provide clarity as to which manual steps were not completed, and which security controls still need to be implemented to ensure that your environment is aligned with PCI requirements.
This can be achieved by running the CloudGuard Dome9 AWS PCI-DSS 3.2 ruleset to evaluate compliance of the accounts/environment in scope.
After you have run the AWS PCI-DSS 3.2 assessment, you will receive an initial compliance score – in our case the initial PCI score was 76%. This score indicates how compliant your AWS environment is with PCI-DSS 3.2 regulations before manual and auto remediation activities.
Step 2 – Manual Remediation Steps
There are a number of things that must be manually configured and set by the user to reduce the number of findings in your PCI compliance remediation effort. A quick summary of how to remediate those issues can be found here.
After we implemented the manual remediation steps as per CloudGuard Dome9 recommendations, our PCI score went up to 85%. This score indicates how compliant your AWS environment is with PCI-DSS 3.2 regulations before auto remediation activities.
Manual fixes for remediation in your AWS environment:
| PCI Check | Reference Materials | Remediation |
|---|---|---|
| S3 Bucket Should Have Versioning Mfa Delete Enabled | https://www.cloudmantra.net/blog/how-to-enable-mfa-delete-for-s3-bucket/ | https://gsl.dome9.com/D9.AWS.IAM.43.html |
| Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html | https://gsl.dome9.com/D9.AWS.IAM.02.html |
| S3 Buckets Secure Transport (SSL) | https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html | https://gsl.dome9.com/D9.AWS.CRY.04.html (see the policy that needs to be added to each S3 bucket's permissions in the Appendix) |
Now we can use Dome9 CloudBots to remediate the remaining issues.
Step 3 – Automation Time!
In our previous blog we talked about “What is CloudBots and how to secure AWS, Azure and Google Environments automatically with CloudBots”.
In order to remediate the remaining findings, and ensure there is no drift from the desired policies and configurations, we deployed CloudBots and followed these steps:
Cloudbots documentation: https://github.com/Dome9/cloud-bots
Follow the instructions in the ‘Onboarding’ section, and deploy the dome9CloudBots environment in the same region as your AWS PCI CFT environment.
CloudGuard Dome9 allows you to associate CloudBots to any compliance rules to automate the compliance process.
PCI Controls Automation
CloudGuard Dome9 CloudBots allow you to automatically remediate compliance findings and comply with PCI requirements. Once the PCI compliant CFT was deployed and the manual steps were completed, our compliance score was 85%. When we enabled all the predefined bots to run on an ongoing basis, our score went up to 94.12%.
To Bot or not to Bot?
Whether you are building a brand new PCI compliant cloud environment or need to ensure PCI compliance of an existing cloud deployment, CloudGuard Dome9 CloudBots will reduce the effort required to maintain compliance at all times.
In our case, here is how we were able to achieve a score of 94.12% by reducing the number of manual steps through using CFT and CloudBots together.
| Step | Score |
|---|---|
| 1. Deployed AWS PCI CFT in one of the new regions of an existing AWS environment | 76% |
| 2. Dome9 Compliance Engine enabled and manual remediation steps executed | 85% |
| 3. CloudGuard Dome9 CloudBots enabled | 94% |
How can I get to 100%?
For the findings that are still not resolved, custom Cloudbots or manual remediation steps will help you to achieve 100% compliance with all the PCI controls that are relevant for your AWS environment.
Give it a try!
Ensuring that your AWS environment follows the compliance standards of PCI DSS is crucial when building, scaling or deploying applications pertaining to payments and PCI domains. Cloudbots is open source, and can be easily integrated with the CloudGuard Dome9 Compliance Engine for quick and easy auto remediation.
Start using the Dome9 Compliance Engine and CloudBots to automate your PCI compliance.
Appendix
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceSecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::[BUCKET NAME HERE]",
        "arn:aws:s3:::[BUCKET NAME HERE]/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "EnforceEncryptionOnPut",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[BUCKET NAME HERE]/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[BUCKET NAME HERE]/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
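The following is an added example (not CloudGuard Dome9, AWS or CloudBots code) of a static check for the two controls the Appendix policy is meant to enforce: non-TLS access denied on both the bucket and its objects, and unencrypted PutObject denied. It works on a policy document offline, so it can be used to catch drift from the Appendix policy before the ruleset runs; the sample policy and bucket name `example-bucket` are constructed here.

```python
import json

# Constructed sample that mirrors the Appendix policy (bucket name is a placeholder).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnforceSecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "EnforceEncryptionOnPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _public_denies(policy):
    """Deny statements that apply to every principal (the pattern the Appendix uses)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return [s for s in _as_list(doc.get("Statement", []))
            if s.get("Effect") == "Deny" and s.get("Principal") in ("*", {"AWS": "*"})]

def enforces_secure_transport(policy, bucket):
    """True only if non-TLS requests are denied for BOTH the bucket and its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for s in _public_denies(policy):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false" or "s3:*" not in _as_list(s.get("Action")):
            continue
        covered |= needed & set(_as_list(s.get("Resource")))
    return covered == needed

def enforces_encrypted_put(policy, bucket):
    """True if PutObject is denied unless the request asks for SSE (AES256 or aws:kms)."""
    for s in _public_denies(policy):
        sse = s.get("Condition", {}).get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if (set(_as_list(sse)) & {"AES256", "aws:kms"}
                and set(_as_list(s.get("Action"))) & {"s3:PutObject", "s3:*"}
                and f"arn:aws:s3:::{bucket}/*" in _as_list(s.get("Resource"))):
            return True
    return False

def check_bucket_policy(policy, bucket):
    """Names of the controls the policy fails; an empty list means both are enforced."""
    findings = []
    if not enforces_secure_transport(policy, bucket):
        findings.append("secure-transport")
    if not enforces_encrypted_put(policy, bucket):
        findings.append("encrypted-put")
    return findings
```

A policy whose SecureTransport deny lists only the bucket ARN (the common mistake) is reported as failing, because object-level requests over plain HTTP would still be allowed.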