For any organization that accepts, processes or stores payment card data online, Payment Card Industry Data Security Standard (PCI DSS) compliance is effectively mandatory: the card brands require it contractually of every merchant and service provider. PCI DSS applies to all entities that store, process, or transmit cardholder data and is intended to thwart the theft of cardholder information anywhere in the card-processing ecosystem.
Last week, Fugue announced the release of the PCI DSS compliance library for Amazon Web Services (AWS) to accompany the other industry compliance standards including HIPAA, NIST 800-53, GDPR and AWS CIS Benchmark. Today, we are going to take a deeper look at how enterprises can use Fugue Risk Manager to detect non-compliant PCI DSS configurations and (optionally) correct them back to the provisioned baseline.
Scan Your AWS Cloud Environment
With Fugue Risk Manager's intuitive interface, developers can easily set up a scan of their cloud environment to identify PCI compliance violations. In the screenshot below, Fugue Risk Manager has been configured to scan the environment and report on its existing security and compliance posture.
Identifying PCI DSS Compliance Violations on AWS
Digging further, Fugue has identified that eight AWS cloud resources are in violation of PCI DSS 7.2.2. This requirement covers the assignment of privileges to individuals based on job classification and function. Risk Manager has tagged these resources as non-compliant because the rule requires IAM policies to be attached to groups or roles rather than directly to individual users; AWS itself permits direct attachment, which is exactly why a scan is needed to catch it.
Below, you can also see how Risk Manager provides detailed information about the resources that failed PCI DSS 7.2.2. The Resource ID column indicates the Amazon Resource Name (ARN) of each non-compliant resource. The Resource Type column lists the type of each non-compliant resource. And the Reason column explains exactly why each resource failed the compliance rule so they can be easily corrected.
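The following is an added illustration of the check behind that PCI DSS 7.2.2 finding, written for this page and not Fugue's code: it walks IAM user records shaped like the boto3 `list_users`, `list_attached_user_policies` and `list_user_policies` responses, flags any user that holds a managed policy directly or an inline policy, and renders the same three-column report (Resource ID, Resource Type, Reason). `SAMPLE_USERS` is a constructed account so the check runs offline; `collect_users_from_aws` assumes boto3 and credentials with the corresponding `iam:List*` permissions.

```python
"""Flag IAM users that hold permissions directly instead of through a group
or role, the condition the post's PCI DSS 7.2.2 rule reports.

Added illustration, not Fugue's code. The user records mirror what boto3's
list_users, list_attached_user_policies and list_user_policies return;
SAMPLE_USERS is a constructed account used so the check runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass

RULE = "PCI DSS 7.2.2"


@dataclass(frozen=True)
class Finding:
    resource_id: str    # the user's ARN, as in the Resource ID column
    resource_type: str  # e.g. AWS::IAM::User
    reason: str         # why the resource failed the rule


def check_user_policies(users: list[dict]) -> list[Finding]:
    """One Finding per user with a managed policy attached directly or an
    inline policy embedded in the user. Users whose permissions come only
    from group membership produce no finding."""
    findings: list[Finding] = []
    for user in users:
        managed = [p["PolicyArn"] for p in user.get("AttachedPolicies", [])]
        inline = list(user.get("PolicyNames", []))
        reasons = []
        if managed:
            reasons.append("managed policies attached directly: " + ", ".join(managed))
        if inline:
            reasons.append("inline policies on the user: " + ", ".join(inline))
        if reasons:
            findings.append(Finding(
                resource_id=user["Arn"],
                resource_type="AWS::IAM::User",
                reason=f"{RULE} requires permissions via groups or roles; "
                       + "; ".join(reasons),
            ))
    return findings


def render_report(findings: list[Finding]) -> str:
    """Tab-separated table with the same three columns the post describes."""
    rows = ["Resource ID\tResource Type\tReason"]
    rows += [f"{f.resource_id}\t{f.resource_type}\t{f.reason}" for f in findings]
    return "\n".join(rows)


def collect_users_from_aws() -> list[dict]:
    """Build the same records from a live account. Assumes boto3 is installed
    and the credentials carry iam:ListUsers, iam:ListAttachedUserPolicies and
    iam:ListUserPolicies; imported lazily so the offline demo needs no boto3."""
    import boto3  # assumption: boto3 available and credentials configured
    iam = boto3.client("iam")
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            attached = iam.get_paginator("list_attached_user_policies").paginate(UserName=name)
            inline = iam.get_paginator("list_user_policies").paginate(UserName=name)
            users.append({
                "UserName": name,
                "Arn": u["Arn"],
                "AttachedPolicies": [p for pg in attached for p in pg["AttachedPolicies"]],
                "PolicyNames": [n for pg in inline for n in pg["PolicyNames"]],
            })
    return users


# Constructed sample account: one compliant user and two violations.
SAMPLE_USERS = [
    {   # permissions only via group membership: compliant
        "UserName": "alice",
        "Arn": "arn:aws:iam::123456789012:user/alice",
        "AttachedPolicies": [],
        "PolicyNames": [],
    },
    {   # managed policy attached directly to the user: violation
        "UserName": "bob",
        "Arn": "arn:aws:iam::123456789012:user/bob",
        "AttachedPolicies": [{"PolicyName": "AdministratorAccess",
                              "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
        "PolicyNames": [],
    },
    {   # inline policy embedded in the user: violation
        "UserName": "carol",
        "Arn": "arn:aws:iam::123456789012:user/carol",
        "AttachedPolicies": [],
        "PolicyNames": ["s3-read-billing-bucket"],
    },
]

if __name__ == "__main__":
    print(render_report(check_user_policies(SAMPLE_USERS)))
```

Note that a user with no direct policies can still be over-privileged through its groups; this check only covers the attachment pattern the 7.2.2 rule in the post reports, and a full review of the permissions each group grants is a separate exercise.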
Once the violations are identified, you will want to correct these violations and configure your resources to bring them into compliance.
Establishing an AWS Configuration Baseline that Complies with PCI
Now you can click "Establish Baseline" so that Fugue records this as the approved state for your cloud environment and detects any drift from that baseline. Because drift is measured against a state you explicitly approved, only actual changes to that state are reported, which keeps false positives out of the alert stream.
For many resources, detecting drift from a baseline may be enough. However, for critical cloud resources in which sensitive data is involved, automated remediation is needed to prevent misconfiguration from going uncorrected for too long. Fugue's self-healing infrastructure corrects for misconfiguration by reverting drift back to the established baseline.
Enable Baseline Enforcement to Automatically Remediate AWS Drift
To turn on baseline enforcement, all you need to do is click "Enable Baseline Enforcement." Now Fugue will simply return your infrastructure to your established baseline if drift is detected. There is no need to alert your team or write additional automation scripts to account for all possible scenarios. When you’ve established an AWS configuration baseline that complies with PCI, Fugue can autonomously revert all drift events back to your known-good baseline.
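As an added illustration of the baseline, drift and enforcement steps described above (written for this page, not Fugue's implementation), the block below snapshots the approved set of policies attached to each IAM user, diffs the current state against that snapshot as sets so that ordering changes never register as drift, and turns policy-level drift into the detach/attach calls that revert it. Adding or deleting a whole user is reported but not auto-reverted, since that is the kind of change a human should look at. The sample states are constructed; `apply_plan` takes any object exposing boto3's `attach_user_policy` / `detach_user_policy` methods, so it runs here against the recording client and against `boto3.client("iam")` in practice (an assumption about the caller's environment).

```python
"""Baseline, drift detection and reverting enforcement for IAM user policy
attachments. Added illustration, not Fugue's implementation; sample states
are constructed and the IAM client is injected so the demo runs offline."""
from __future__ import annotations

from dataclasses import dataclass

# user ARN -> approved set of directly attached policy ARNs
Baseline = dict[str, frozenset[str]]


@dataclass(frozen=True)
class DriftEvent:
    resource_id: str  # user ARN
    kind: str         # policy_added | policy_removed | user_added | user_removed
    detail: str       # policy ARN(s) involved, if any


@dataclass(frozen=True)
class Action:
    op: str           # "detach_user_policy" or "attach_user_policy" (IAM API names)
    user_arn: str
    policy_arn: str


def establish_baseline(users: list[dict]) -> Baseline:
    """Snapshot the approved state from records shaped like boto3's
    list_attached_user_policies output (see the previous example)."""
    return {u["Arn"]: frozenset(p["PolicyArn"] for p in u.get("AttachedPolicies", []))
            for u in users}


def detect_drift(baseline: Baseline, current: Baseline) -> list[DriftEvent]:
    """Compare set-wise, so only real membership changes count as drift."""
    events: list[DriftEvent] = []
    for arn in sorted(baseline.keys() | current.keys()):
        if arn not in current:
            events.append(DriftEvent(arn, "user_removed", ""))
        elif arn not in baseline:
            events.append(DriftEvent(arn, "user_added", ", ".join(sorted(current[arn]))))
        else:
            for p in sorted(current[arn] - baseline[arn]):
                events.append(DriftEvent(arn, "policy_added", p))
            for p in sorted(baseline[arn] - current[arn]):
                events.append(DriftEvent(arn, "policy_removed", p))
    return events


def plan_remediation(events: list[DriftEvent]) -> list[Action]:
    """Revert policy-level drift; user-level drift is left for review."""
    plan: list[Action] = []
    for e in events:
        if e.kind == "policy_added":
            plan.append(Action("detach_user_policy", e.resource_id, e.detail))
        elif e.kind == "policy_removed":
            plan.append(Action("attach_user_policy", e.resource_id, e.detail))
    return plan


def user_name_from_arn(arn: str) -> str:
    """IAM calls take UserName, not the ARN; the name is the last path segment."""
    return arn.rsplit("/", 1)[-1]


class RecordingClient:
    """Dry-run stand-in for boto3.client('iam'): records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list[tuple[str, str, str]] = []

    def detach_user_policy(self, UserName: str, PolicyArn: str) -> None:
        self.calls.append(("detach_user_policy", UserName, PolicyArn))

    def attach_user_policy(self, UserName: str, PolicyArn: str) -> None:
        self.calls.append(("attach_user_policy", UserName, PolicyArn))


def apply_plan(plan: list[Action], iam) -> list[tuple[str, str, str]]:
    """Issue each action against the given client; returns what was issued."""
    issued = []
    for a in plan:
        user = user_name_from_arn(a.user_arn)
        getattr(iam, a.op)(UserName=user, PolicyArn=a.policy_arn)
        issued.append((a.op, user, a.policy_arn))
    return issued


# Constructed states: bob's ReadOnlyAccess is an approved exception in the
# baseline; later alice gained admin, bob lost read-only, and dave appeared.
ACCT = "arn:aws:iam::123456789012:user/"
AWSP = "arn:aws:iam::aws:policy/"
BASELINE: Baseline = {ACCT + "alice": frozenset(),
                      ACCT + "bob": frozenset({AWSP + "ReadOnlyAccess"})}
CURRENT: Baseline = {ACCT + "alice": frozenset({AWSP + "AdministratorAccess"}),
                     ACCT + "bob": frozenset(),
                     ACCT + "dave": frozenset({AWSP + "AmazonS3FullAccess"})}

if __name__ == "__main__":
    drift = detect_drift(BASELINE, CURRENT)
    for e in drift:
        print(e)
    print(apply_plan(plan_remediation(drift), RecordingClient()))
```

One caveat worth keeping in mind with automatic reversion: a legitimate change that is made before the baseline is updated will be undone just like an unauthorized one, so the order of operations has to be "update the baseline, then change the resource", and enforcement is best scoped to the critical resources where that discipline is already in place.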
With your cloud resources in compliance and Fugue enforcing your established baseline, there is less risk of a data breach, no time is wasted reviewing alerts, and your team can focus on more important projects.
To learn more about Fugue Risk Manager and PCI DSS compliance, sign up for a free compliance audit of your cloud resources.