Benchmark: 3.5.1.1: Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated keymanagement processes and procedures
Description
Rendering stored PAN unreadable is a defense in depth control designed to protect the data if an unauthorized individual gains access to stored data by taking advantage of a vulnerability or misconfiguration of an entity's primary access control.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 3.5.1.1: Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated keymanagement processes and procedures.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_5_1_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_5_1_1 --shareControls
- ACM certificates should not expire within 30 days
- API Gateway stage should uses SSL certificate
- CloudFront distributions should use custom SSL/TLS certificates
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- KMS keys should not be pending deletion