Updated on 2024-12-10 GMT+08:00

Conformance Package for PCI DSS

This section describes the background, applicable scenarios, and the conformance package used to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

Background

PCI DSS is an information security standard for secure card payments worldwide. It contains technical and operational baselines for protecting payment account data. Although it is designed specifically for environments that handle payment card account data, PCI DSS can also help reduce payment threats and protect the people, processes, and technologies across the payment ecosystem. For more information about PCI DSS, see Payment Card Industry (PCI) Data Security Standard.

Applicable Scenarios

This conformance package helps enterprises meet PCI DSS and legal requirements for safe card payments. It needs to be reviewed and implemented based on specific conditions.

Exemption Clauses

This package provides a general guide to help you quickly create scenario-based conformance packages. The conformance package and the rules it includes apply only to cloud services and do not constitute legal advice. This conformance package does not guarantee compliance with any specific laws, regulations, or industry standards. You are responsible for the compliance and legality of your business and technical operations and assume all related responsibilities.

Rules

The guideline numbers in the following table are consistent with the chapter numbers in Payment Card Industry (PCI) Data Security Standard.

Table 1 Rules in the conformance package

Guideline No.

Guideline Description

Rule

Solution

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

function-graph-inside-vpc

Configure VPC access for all functions using the FunctionGraph service.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. Public access may affect resource availability.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

rds-instance-no-public-ip

Block access to RDS instances over public networks. RDS instances may contain sensitive information, and access control is required.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

vpc-sg-ports-check

You can use security groups to control port connections.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

vpc-sg-restricted-common-ports

You can configure security groups to control connections to frequently used ports.

1.3

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

vpc-sg-restricted-ssh

You can configure security groups to only allow traffic from some IPs to access the SSH port 22 of ECSs to ensure secure remote access to ECSs.

2.1

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).

root-account-mfa-enabled

Enable MFA for root users. MFA provides additional protection to login credentials.

2.1

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardIPng standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

access-keys-rotated

Enable key rotation.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

access-keys-rotated

Enable key rotation.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

cts-lts-enable

Enable Transfer to LTS for CTS trackers.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources for guidance on configuration standards include but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Cloud Security Alliance, and product vendors.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

cts-support-validate-check

You can enable file verification for CTS trackers to prevent log files from being modified or deleted after being stored.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

ecs-in-allowed-security-groups

Use security groups to control access to ECSs. The rules of a security group will apply to all ECSs that are added to this security group.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

ecs-multiple-public-ip-check

You can use this rule to identify ECSs that have multiple EIPs attached to reduce network security risks.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

iam-user-group-membership-check

Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

kms-rotation-enabled

Enable KMS key rotation.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console. MFA enhances account security to prevent account theft and protect sensitive data.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

multi-region-cts-tracker-exists

Create CTS trackers for different regions where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help make services better satisfy customer needs as well as legal or regulatory requirements.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardIPng standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

root-account-mfa-enabled

Enable MFA for root users. MFA provides additional protection to login credentials.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

volumes-encrypted-check

Enable encryption for all EVS disks to protect data.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

vpc-default-sg-closed

Use security groups to control access within a VPC. You can directly use the default security group for resource access control.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

vpc-flow-logs-enabled

Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

vpc-sg-restricted-common-ports

You can configure security groups to control connections to frequently used ports.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardIPng standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS), and Institute National Institute of Standards Technology (NIST).

vpc-sg-restricted-ssh

You can configure security groups to restrict connections to SSH port 23.

2.3

Encrypt all non-console administrative access using strong cryptography.

apig-instances-ssl-enabled

Enable SSL for APIG REST APIs to authenticate API requests.

2.3

Encrypt all non-console administrative access using strong cryptography.

css-cluster-https-required

After HTTPS is enabled for a CSS cluster, communication is encrypted when you access this cluster. If HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public address is not allowed.

2.3

Encrypt all non-console administrative access using strong cryptography.

dws-enable-ssl

Enable SSL for DWS clusters to protect data.

2.3

Encrypt all non-console administrative access using strong cryptography.

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

2.4

Maintain an inventory of system components that are in scope for PCI DSS.

ecs-in-allowed-security-groups

Use security groups to control access to ECSs. The rules of a security group will apply to all ECSs that are added to this security group. You can also associate more strict security groups to specific ECSs.

2.4

Maintain an inventory of system components that are in scope for PCI DSS.

eip-unbound-check

Ensure that there are no unattached EIPs.

2.4

Maintain an inventory of system components that are in scope for PCI DSS.

eip-use-in-specified-days

Ensure that there are no unattached EIPs.

2.4

Maintain an inventory of system components that are in scope for PCI DSS.

vpc-acl-unused-check

Use this rule to identity unattached ACLs. An ACL helps control traffic in and out of a subnet.

3.4

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

3.4

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

rds-instances-enable-kms

Enable KMS encryption for RDS instances to protect data.

3.4

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

sfsturbo-encrypted-check

Enable KMS encryption for SFS Turbo file systems.

3.4

Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN), truncation (hashing cannot be used to replace the truncated segment of PAN), index tokens and pads (pads must be securely stored), and strong cryptography with associated key-management processes and procedures. Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

volumes-encrypted-check

Enable encryption for EVS to protect data.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

apig-instances-ssl-enabled

Enable SSL for API Gateway REST APIs to authenticate API requests.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect data.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

css-cluster-disk-encryption-check

Enable disk encryption for CSS clusters to protect sensitive data.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

css-cluster-https-required

Enable HTTPS for CSS clusters to ensure data security and allow access over public networks. After HTTPS is disabled, HTTP protocol is used for cluster communication. In this case, data security cannot be ensured and public IP address cannot be used.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

dws-enable-ssl

Enable SSL for DWS clusters to protect data.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

pca-certificate-authority-expiration-check

Use Private Certificate Authority (PCA) to create and manage your private CAs and ensure that there are no expired certificates.

4.1

Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: The Internet Wireless technologies, including 802.11 and Bluetooth Cellular technologies, for example, Global System for Mobile communications (GSM), code division multiple access (CDMA), General Packet Radio Service (GPRS), and satellite communications.

pca-certificate-expiration-check

Use Private Certificate Authority (PCA) to create and manage your private CAs and ensure that there are no expired certificates.

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

cce-cluster-end-of-maintenance-version

Ensure that CCE cluster versions can be maintained.

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

cce-cluster-oldest-supported-version

Ensure that there are no CCE cluster versions that cannot be maintained. For CCE clusters of supported versions, The system automatically deploys security patches to upgrade your CCE clusters. If any security issue is identified, Huawei Cloud will fix the issue.

10.1

Implement audit trails to link all access to system components to each individual user.

apig-instances-execution-logging-enabled

Enable CTS for your dedicated APIG gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and trace and analyze API request exceptions.

10.1

Implement audit trails to link all access to system components to each individual user.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

10.1

Implement audit trails to link all access to system components to each individual user.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console.

10.1

Implement audit trails to link all access to system components to each individual user.

multi-region-cts-tracker-exists

Ensure that there are CTS trackers in regions where your services are deployed. Cloud Trace Service (CTS) allows you to collect, store, and query operation records of cloud resources. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers.

10.1

Implement audit trails to link all access to system components to each individual user.

vpc-flow-logs-enabled

Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations.

10.5

Secure audit trails so they cannot be altered.

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

11.5

Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

cts-support-validate-check

Enable trace file verification for CTS trackers so that any modification or deletion of stored trace files can be detected.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

function-graph-inside-vpc

Deploy FunctionGraph functions within VPCs.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. A publicly reachable function can be invoked from the Internet by anyone, which exposes it to abuse and can exhaust the resources it depends on.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted inbound access from the Internet (0.0.0.0/0).

1.2.1

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.
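The following Python is an added example, not a rule definition from this conformance package or from Huawei Cloud Config: it applies the logic of the vpc-sg-restricted-ssh and vpc-sg-restricted-common-ports checks to a set of constructed security group rules. The rule field names (direction, protocol, port_range_min/port_range_max, remote_ip_prefix, remote_group_id) are modelled on the VPC security group rule API and, together with the list of common ports, are assumptions rather than values stated on this page.

```python
"""Added example: evaluate VPC security group rules the way the
vpc-sg-restricted-ssh and vpc-sg-restricted-common-ports checks do.
Field names are modelled on the VPC security-group-rule API and the
sample rules are constructed; treat both as assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

SSH_PORT = 22
# Assumed set of commonly attacked ports; the conformance package does not list them.
COMMON_PORTS = frozenset({20, 21, 22, 23, 25, 110, 135, 143, 445,
                          1433, 1434, 3306, 3389, 5432, 5900})


@dataclass(frozen=True)
class SgRule:
    rule_id: str
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # "tcp", "udp", "icmp" or None for any
    port_range_min: Optional[int] = None    # None with max None means all ports
    port_range_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # source CIDR; None means any address
    remote_group_id: Optional[str] = None   # peer security group instead of a CIDR


def is_unrestricted_source(rule: SgRule) -> bool:
    """True when the rule accepts traffic from any address on the Internet."""
    if rule.remote_group_id:
        return False  # source limited to members of another security group
    if rule.remote_ip_prefix is None:
        return True
    # 0.0.0.0/0 and ::/0 both have a zero-length prefix
    return ipaddress.ip_network(rule.remote_ip_prefix, strict=False).prefixlen == 0


def rule_covers_port(rule: SgRule, port: int, protocols: Sequence[str] = ("tcp",)) -> bool:
    """True when the rule's protocol and port range include the given port."""
    if rule.protocol is not None and rule.protocol.lower() not in protocols:
        return False
    if rule.port_range_min is None and rule.port_range_max is None:
        return True  # whole port range
    lo = rule.port_range_min if rule.port_range_min is not None else 1
    hi = rule.port_range_max if rule.port_range_max is not None else 65535
    return lo <= port <= hi


def exposed_ports(rules: Iterable[SgRule], watch_ports: Iterable[int],
                  protocols: Sequence[str]) -> Dict[str, List[int]]:
    """Map each non-compliant inbound rule to the watched ports it exposes."""
    findings: Dict[str, List[int]] = {}
    for rule in rules:
        if rule.direction != "ingress" or not is_unrestricted_source(rule):
            continue
        hit = sorted(p for p in watch_ports if rule_covers_port(rule, p, protocols))
        if hit:
            findings[rule.rule_id] = hit
    return findings


def check_ssh(rules: Iterable[SgRule]) -> List[str]:
    """vpc-sg-restricted-ssh: rule IDs that open TCP/22 to the world."""
    return sorted(exposed_ports(rules, {SSH_PORT}, ("tcp",)))


def check_common_ports(rules: Iterable[SgRule],
                       ports: Iterable[int] = COMMON_PORTS) -> Dict[str, List[int]]:
    """vpc-sg-restricted-common-ports: rules that open any common port (TCP or UDP)."""
    return exposed_ports(rules, ports, ("tcp", "udp"))


# Constructed sample rules (not real account data).
SAMPLE_RULES = [
    SgRule("r-all-open", "ingress", None, None, None, "0.0.0.0/0"),     # everything
    SgRule("r-ssh-world", "ingress", "tcp", 22, 22, "0.0.0.0/0"),       # SSH to world
    SgRule("r-ssh-office", "ingress", "tcp", 22, 22, "203.0.113.0/24"), # SSH from one /24
    SgRule("r-rdp-v6", "ingress", "tcp", 3389, 3389, "::/0"),           # RDP to all IPv6
    SgRule("r-udp-wide", "ingress", "udp", 1, 1024, "0.0.0.0/0"),       # UDP low ports
    SgRule("r-sg-peer", "ingress", "tcp", 1, 65535, None, "sg-app-tier"),  # peer SG only
    SgRule("r-egress-ssh", "egress", "tcp", 22, 22, "0.0.0.0/0"),       # outbound, ignored
]

if __name__ == "__main__":
    print("SSH open to the world by:", check_ssh(SAMPLE_RULES))
    for rid, ports in sorted(check_common_ports(SAMPLE_RULES).items()):
        print(f"{rid}: common ports open to the world -> {ports}")
```

Two details matter when reproducing this check against real rules: a rule whose source is another security group (remote_group_id) is not unrestricted even though it has no CIDR, and an IPv6 rule with ::/0 is just as exposed as 0.0.0.0/0, so both address families must be evaluated.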

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

function-graph-inside-vpc

Deploy FunctionGraph functions within VPCs.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. A publicly reachable function can be invoked from the Internet by anyone, which exposes it to abuse and can exhaust the resources it depends on.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted inbound access from the Internet (0.0.0.0/0).

1.3.1

Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

function-graph-inside-vpc

Deploy FunctionGraph functions within VPCs.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. A publicly reachable function can be invoked from the Internet by anyone, which exposes it to abuse and can exhaust the resources it depends on.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted inbound access from the Internet (0.0.0.0/0).

1.3.2

Limit inbound Internet traffic to IP addresses within the DMZ.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

function-graph-inside-vpc

Deploy FunctionGraph functions within VPCs.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. A publicly reachable function can be invoked from the Internet by anyone, which exposes it to abuse and can exhaust the resources it depends on.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted access to or from the Internet (0.0.0.0/0).

1.3.4

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

css-cluster-in-vpc

Deploy all CSS clusters within VPCs.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted inbound access from the Internet (0.0.0.0/0).

1.3.6

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.

10.2.1

Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data.

apig-instances-execution-logging-enabled

Enable execution logging for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and to trace and analyze API request exceptions.

10.2.1

Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

10.2.1

Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud management console.

10.2.1

Implement automated audit trails for all system components to reconstruct the following events: all individual user accesses to cardholder data.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.2

Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.2

Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.3

Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

10.2.3

Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.3

Implement automated audit trails for all system components to reconstruct the following events: Access to all audit trails.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.4

Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.

apig-instances-execution-logging-enabled

Enable execution logging for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and to trace and analyze API request exceptions.

10.2.4

Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

10.2.4

Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.4

Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.5

Implement automated audit trails for all system components to reconstruct the following events: Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.5

Implement automated audit trails for all system components to reconstruct the following events: Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.6

Implement automated audit trails for all system components to reconstruct the following events: Initialization, stopping, or pausing of the audit logs.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.6

Implement automated audit trails for all system components to reconstruct the following events: Initialization, stopping, or pausing of the audit logs.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.2.7

Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects.

apig-instances-execution-logging-enabled

Enable execution logging for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and to trace and analyze API request exceptions.

10.2.7

Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.2.7

Implement automated audit trails for all system components to reconstruct the following events: Creation and deletion of system-level objects.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.3.1

Record at least the following audit trail entries for all system components for each event: User identification.

apig-instances-execution-logging-enabled

Enable execution logging for your dedicated API gateways. APIG supports custom log analysis templates, which you can use to collect and manage logs and to trace and analyze API request exceptions.

10.3.1

Record at least the following audit trail entries for all system components for each event: User identification.

cts-obs-bucket-track

Create at least one CTS tracker for each OBS bucket.

10.3.1

Record at least the following audit trail entries for all system components for each event: User identification.

cts-tracker-exists

Ensure that a CTS tracker has been created for your account to record operations on the Huawei Cloud console.

10.3.1

Record at least the following audit trail entries for all system components for each event: User identification.

multi-region-cts-tracker-exists

Create CTS trackers for each region where your services are deployed. When you enable CTS for the first time, a management tracker, system, is created automatically. You can create multiple trackers for different regions to help services meet customer needs as well as legal or regulatory requirements.

10.3.1

Record at least the following audit trail entries for all system components for each event: User identification.

vpc-flow-logs-enabled

Enable flow logs for VPCs to help monitor network traffic, analyze network attacks, and optimize security group and ACL configurations.

10.5.2

Protect audit trail files from unauthorized modifications.

cts-kms-encrypted-check

Enable trace file encryption for CTS trackers.

10.5.3

Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

cts-lts-enable

Enable Transfer to LTS for CTS trackers.

10.5.5

Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

cts-support-validate-check

Enable trace file verification for CTS trackers so that any modification or deletion of stored trace files can be detected.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

drs-data-guard-job-not-public

Block public access to DRS real-time DR tasks.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

drs-migration-job-not-public

Block public access to DRS real-time migration tasks.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

drs-synchronization-job-not-public

Block public access to DRS real-time synchronization tasks.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

ecs-instance-in-vpc

Deploy all ECSs within VPCs.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

ecs-instance-no-public-ip

Block public access to ECSs to protect data.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

function-graph-inside-vpc

Deploy FunctionGraph functions within VPCs.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

function-graph-public-access-prohibited

Block public access to FunctionGraph functions. A publicly reachable function can be invoked from the Internet by anyone, which exposes it to abuse and can exhaust the resources it depends on.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

mrs-cluster-no-public-ip

Block public access to MRS clusters. MRS instances may contain sensitive information, and access control is required.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

rds-instance-no-public-ip

Block public access to RDS instances. RDS instances may contain sensitive information, and access control is required.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

vpc-default-sg-closed

Keep the default security group closed (no rules that allow inbound or outbound traffic) and use purpose-built security groups to control access within a VPC.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

vpc-sg-ports-check

Use security group rules to allow only the ports that each resource needs.

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

vpc-sg-restricted-common-ports

Configure security groups so that commonly used ports are not open to unrestricted inbound access from the Internet (0.0.0.0/0).

2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

vpc-sg-restricted-ssh

Configure security groups to restrict inbound connections to SSH port 22 to trusted source addresses only, never 0.0.0.0/0.

3.5.2

Restrict access to cryptographic keys to the fewest number of custodians necessary.

iam-customer-policy-blocked-kms-actions

Use this rule to identify IAM policies that include blocked KMS actions. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

3.6.4

Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

kms-rotation-enabled

Enable KMS key rotation.

3.6.5

Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.

kms-not-scheduled-for-deletion

Ensure that there are no KMS keys scheduled for deletion.

3.6.7

Prevention of unauthorized substitution of cryptographic keys.

kms-not-scheduled-for-deletion

Ensure that there are no KMS keys scheduled for deletion.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-customer-policy-blocked-kms-actions

Use this rule to identity policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-group-has-users-check

Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-role-has-all-permissions

Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

iam-user-group-membership-check

Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.1

Define access needs for each role, including: system components and data resources that each role needs to access for their job function and level of privilege required (for example, user, administrator, etc.) for accessing resources.

mrs-cluster-kerberos-enabled

Enable Kerberos for MRS clusters.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

iam-customer-policy-blocked-kms-actions

Use this rule to identity policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

iam-group-has-users-check

Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

iam-role-has-all-permissions

Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

iam-user-group-membership-check

Ensure each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-customer-policy-blocked-kms-actions

Use this rule to identity policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-group-has-users-check

Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-role-has-all-permissions

Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

iam-user-group-membership-check

Ensure that each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.1

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components.

mrs-cluster-kerberos-enabled

Enable Kerberos for MRS clusters.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-customer-policy-blocked-kms-actions

Use this rule to identity policies that disable KMS encryption. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-group-has-users-check

Add IAM users to at least one user group so that users can inherit permissions attached to the user group that they are in.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-policy-no-statements-with-admin-access

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-role-has-all-permissions

Only grant IAM users necessary permissions for performing specific operations. Granting users more permissions than they need may violate the least privilege principle and damage separation of duties.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

iam-user-group-membership-check

Ensure that each user is in at least one user group for permission management. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

7.2.2

Establish an access control system that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system(s) must include the following: Coverage of all system components

mrs-cluster-kerberos-enabled

Enable Kerberos for MRS clusters.

8.1.1

Assign all users a unique ID before allowing them to access system components or cardholder data.

iam-root-access-key-check

Grant IAM users only necessary permissions for performing specific operations. Granting users more permissions than they need may violate the principles of least privilege and separation of duties.

8.1.4

Remove/disable inactive user accounts within 90 days.

access-keys-rotated

Enable key rotation.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

apig-instances-ssl-enabled

Enable SSL for API Gateway REST APIs to authenticate API requests.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

elb-tls-https-listeners-only

Ensure that your load balancer listeners are configured with the HTTPS protocol.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

rds-instances-enable-kms

Enable KMS for RDS to encrypt data at rest.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

sfsturbo-encrypted-check

Enable KMS encryption for SFS Turbo file systems.

8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

volumes-encrypted-check

Enable encryption for EVS to protect data.

8.2.3

Passwords/passphrases must meet the following: Require a minimum length of at least seven characters; only digits and letters are allowed; and alternatively, the complexity and strength of the password/passphrase must be at least comparable to the parameters specified above.

iam-password-policy

Set thresholds for IAM user password strength.

8.2.4

Change user passwords/passphrases at least once every 90 days.

access-keys-rotated

Enable key rotation.

8.2.4

Change user passwords/passphrases at least once every 90 days.

access-keys-rotated

Enable key rotation.

8.2.4

Change user passwords/passphrases at least once every 90 days.

iam-password-policy

Set thresholds for IAM user password strength.

8.2.5

Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.

iam-password-policy

Set thresholds for IAM user password strength.

8.3.1

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

iam-user-mfa-enabled

Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password.

8.3.1

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console MFA provides an additional layer of protection in addition to the username and password.

8.3.1

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

root-account-mfa-enabled

Enable MFA for root users. MFA adds additional protection to login credentials.

8.3.2

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

iam-user-mfa-enabled

Enable MFA for all IAM users. MFA provides an additional layer of protection in addition to the username and password.

8.3.2

Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network.

mfa-enabled-for-iam-console-access

Enable MFA for all IAM users who can access Huawei Cloud management console MFA provides an additional layer of protection in addition to the username and password.

8.3.2

Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network.

root-account-mfa-enabled

Enable MFA for root users. MFA adds additional protection to login credentials.