Security Monitoring and Compliance

PCI DSS Compliance Monitoring with Security Hub

A configuration package that enables compliance monitoring for a subset of the PCI DSS 3.2.1 controls using AWS Security Hub in an AWS account. The package also enables the service prerequisites and configures notifications for Security Hub findings. Note that AWS Security Hub turns on the CIS AWS Foundations compliance standard by default when it is enabled. This package includes:

  • AWS Config, which is required to enable compliance standards in Security Hub (CIS AWS Foundations and PCI DSS)
  • Findings notifications, configured with a CloudWatch Event Rule that matches Security Hub findings and sends them to an SNS topic (update the email address from email@example.com before deploying).

Items: 7, Size: 4.4 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  SecurityHub:
    Type: "AWS::SecurityHub::Hub"
    Properties: {}
  SecurityHubStandards:
    Type: "Custom::SecurityHubStandards"
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - "SecurityHubStandardsResourceLambda"
          - "Arn"
    DependsOn: "SecurityHub"
  SecurityHubStandardsResourceLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: "scp-access"
          PolicyDocument:
            Statement:
              - Effect: "Allow"
                Action:
                  - "securityhub:GetEnabledStandards"
                  - "securityhub:BatchDisableStandards"
                  - "securityhub:BatchEnableStandards"
                Resource: "*"
  SecurityHubStandardsResourceLambda:
    Type: "AWS::Lambda::Function"
    Properties:
      Code:
        ZipFile: |
          'use strict';
          const AWS = require('aws-sdk');
          const response = require('./cfn-response');
          const securityhub = new AWS.SecurityHub();

          // Custom resource that subscribes the account to the PCI DSS v3.2.1 standard.
          // The standard ARN has no account component; the subscription ARN does.
          exports.handler = (event, context, cb) => {
            const region = process.env.AWS_REGION;
            const accountId = context.invokedFunctionArn.split(':')[4];
            console.log('Invoke:', JSON.stringify(event));

            // Every path must answer CloudFormation through cfn-response, otherwise
            // the stack operation waits on the custom resource until it times out.
            const done = (err, data) => {
              if (err) {
                console.log('Error: ', err);
                response.send(event, context, response.FAILED, {}, 'CustomResourcePhysicalID');
              } else {
                console.log('Data: ', data);
                response.send(event, context, response.SUCCESS, {}, 'CustomResourcePhysicalID');
              }
            };

            if (event.RequestType === 'Create' || event.RequestType === 'Update') {
              securityhub.batchEnableStandards({
                StandardsSubscriptionRequests: [
                  { StandardsArn: `arn:aws:securityhub:${region}::standards/pci-dss/v/3.2.1` }
                ]
              }, done);
            } else if (event.RequestType === 'Delete') {
              securityhub.batchDisableStandards({
                StandardsSubscriptionArns: [
                  `arn:aws:securityhub:${region}:${accountId}:subscription/pci-dss/v/3.2.1`
                ]
              }, done);
            } else {
              // Report the failure to CloudFormation; calling cb alone would leave the stack hanging.
              done(new Error(`unsupported RequestType: ${event.RequestType}`));
            }
          };
      Handler: "index.handler"
      MemorySize: 128
      Role:
        Fn::GetAtt:
          - "SecurityHubStandardsResourceLambdaRole"
          - "Arn"
      Runtime: "nodejs12.x"
      Timeout: 120
  SnsTopic1:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "sns-topic"
  CwEvent1:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-securityhub-finding"
      Description: "A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic1"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "Security Hub Findings - Imported"
        source:
          - "aws.securityhub"
  SnsTopicPolicyCwEvent1:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopic1"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopic1"
      Topics:
        - Ref: "SnsTopic1"
Parameters: {}
Metadata: {}
Conditions: {}
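The EventPattern in the CwEvent1 rule above matches every finding Security Hub imports, so the SNS subscriber receives passed controls and findings from every enabled standard, not just PCI DSS. The following is an added example (not part of this package) that evaluates that pattern and a tightened one against constructed sample events. The tightened pattern, the ASFF field names used under detail.findings (ProductFields.StandardsArn, Compliance.Status, Severity.Label, Workflow.Status) and all sample values are assumptions made here; the matcher is a simplified stand-in for EventBridge's own pattern semantics.

```python
"""Compare the package's EventBridge pattern with a tighter one that forwards
only failed PCI DSS controls of HIGH or CRITICAL severity (added example)."""
import json

# EventPattern used by the CwEvent1 rule in the template.
TEMPLATE_PATTERN = {
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
}

# Tightened pattern (assumption, not part of the package). EventBridge matches
# into the detail.findings array, so finding-level fields can be constrained.
PCI_FAILED_PATTERN = {
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
    "detail": {"findings": {
        "ProductFields": {"StandardsArn": [{"prefix": "arn:aws:securityhub:::standards/pci-dss/"}]},
        "Compliance": {"Status": ["FAILED"]},
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
    }},
}


def _leaf_matches(rules, value):
    """Leaf rule: the event value (any element, if it is a list) must equal one
    of the pattern literals or satisfy a {"prefix": ...} rule."""
    candidates = value if isinstance(value, list) else [value]
    for cand in candidates:
        for rule in rules:
            if isinstance(rule, dict) and "prefix" in rule:
                if isinstance(cand, str) and cand.startswith(rule["prefix"]):
                    return True
            elif cand == rule:
                return True
    return False


def matches(pattern, event):
    """True when the event satisfies every key of the pattern. Nested objects
    recurse; for an array of objects (detail.findings) one element must satisfy
    the whole sub-pattern. EventBridge flattens such arrays per field, so this
    approximation is slightly stricter than the real service."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            elems = value if isinstance(value, list) else [value]
            if not any(isinstance(e, dict) and matches(rule, e) for e in elems):
                return False
        elif not _leaf_matches(rule, value):
            return False
    return True


def make_finding_event(title, standards_arn, severity, compliance, workflow="NEW"):
    """Constructed sample 'Findings - Imported' event holding one ASFF finding."""
    return {
        "version": "0",
        "detail-type": "Security Hub Findings - Imported",
        "source": "aws.securityhub",
        "account": "123456789012",  # constructed account id
        "region": "us-east-1",
        "detail": {"findings": [{
            "SchemaVersion": "2018-10-08",
            "Title": title,
            "ProductFields": {"StandardsArn": standards_arn},
            "Severity": {"Label": severity},
            "Compliance": {"Status": compliance},
            "Workflow": {"Status": workflow},
        }]},
    }


PCI_ARN = "arn:aws:securityhub:::standards/pci-dss/v/3.2.1"
OTHER_ARN = "arn:aws:securityhub:::standards/other-standard/v/1.0.0"  # constructed

SAMPLE_EVENTS = [
    make_finding_event("pci-failed-critical", PCI_ARN, "CRITICAL", "FAILED"),
    make_finding_event("pci-passed", PCI_ARN, "CRITICAL", "PASSED"),
    make_finding_event("other-standard-failed", OTHER_ARN, "HIGH", "FAILED"),
    make_finding_event("pci-failed-resolved", PCI_ARN, "HIGH", "FAILED", workflow="RESOLVED"),
    {"detail-type": "GuardDuty Finding", "source": "aws.guardduty", "detail": {}},
]


def forwarded(pattern, events):
    """Titles of the findings a rule with this pattern would publish to SNS."""
    return [e["detail"]["findings"][0]["Title"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    print("template pattern forwards:", forwarded(TEMPLATE_PATTERN, SAMPLE_EVENTS))
    print("tightened pattern forwards:", forwarded(PCI_FAILED_PATTERN, SAMPLE_EVENTS))
    print(json.dumps(PCI_FAILED_PATTERN, indent=2))  # paste-ready EventPattern
```

The JSON printed at the end can replace the EventPattern of CwEvent1 (CloudFormation accepts it as JSON or as the equivalent YAML mapping). The Workflow.Status constraint keeps re-imports of findings already marked RESOLVED or SUPPRESSED from paging the subscriber again.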
