This article describes how to enable the PCI DSS standard in AWS Security Hub across multiple AWS accounts and Regions, and how to tailor the set of enabled standards and controls to what your organization actually needs.
Currently, enabling the PCI DSS standard in AWS Security Hub applies only to the account you are signed in to. This post describes a method for configuring and deploying the PCI DSS standard across multiple AWS accounts and Regions managed by AWS Organizations. It also shows how to disable standards or individual controls that are not relevant to your organization's compliance scope.
Solution Overview
The following figure illustrates a sample account structure utilizing the automated solution presented here to enable PCI DSS monitoring across multiple AWS accounts. The depicted hierarchy includes one management account overseeing two member accounts with infrastructure distributed across several Regions. The member accounts send their Security Hub findings to the designated management account for centralized compliance oversight.
Prerequisites
To enable the PCI DSS standard, the following prerequisites should be in place:
- A designated administrator account for Security Hub.
- Security Hub activated in all necessary accounts and Regions.
- Access to the organization’s management account, which must possess the required permissions for stack set operations.
- Selection of deployment targets (accounts and Regions) for the PCI DSS standard, typically where Security Hub is enabled or where PCI workloads are located.
- Optionally, identify standards or controls that are inapplicable to your organization and obtain their ARNs for disabling.
Solution Resources
The CloudFormation template used in the following steps includes:
- An AWS Lambda function—SHLambdaFunction—for configuring and deploying setup procedures within Security Hub.
- An AWS Identity and Access Management (IAM) role—SHLambdaRole—with the necessary permissions for deploying the solution.
- A custom resource—SHConfiguration—that triggers the Lambda function to initiate setup.
Solution Deployment
To roll out this automated solution, stage the CloudFormation template as a StackSet in the AWS CloudFormation service. Choose the organizational level at which to deploy it and the Regions to target, so that it is applied consistently and can be re-run whenever a new AWS account is created.
To deploy the solution:
- Access the AWS Management Console.
- Download the sh-pci-enabler.yaml template and save it in an Amazon S3 bucket on the management account; remember the path for later use.
- Navigate to the CloudFormation service in the management account, select StackSets from the left menu, and click Create StackSet.
- On the Choose a template page, specify the template via the Amazon S3 URL and input the path to the saved sh-pci-enabler.yaml template. Click Next.
- Enter a name and optional description for the StackSet, then click Next.
- Optionally, in the Configure StackSet options, add tags for better organization.
- Click Next. On the Set deployment options page, select the desired Regions, then click Next.
- Review the definitions and acknowledge that AWS CloudFormation may create IAM resources, then click Submit.
- After submission, monitor the StackSet creation from the Operations tab to ensure successful deployment.
Disable Standards That Don’t Apply to Your Organization
To deactivate a standard that is not necessary for your organization, use the same template and steps with slight modifications.
To disable standards:
- Open the sh-pci-enabler.yaml template and save it as a new file.
- Change sh.batch_enable_standards to sh.batch_disable_standards.
- Locate the standardArn and change it to the ARN of the standard you want to disable. You can find the standard ARN with the AWS CLI or AWS CloudShell using the following command:
aws securityhub describe-standards
Disable Controls That Don’t Apply to Your Organization
When you enable a standard, all corresponding controls are activated by default. If desired, specific controls within an enabled standard can be disabled. Disabling a control ceases its check, generates no further findings for it, and removes the related AWS Config rules created by Security Hub.
To disable controls:
- Open the Security Hub console and select Security standards from the left menu. For each check you want to disable, note its StandardsControlArn.
- Download the StackSet SH-disable-controls.yaml template to your computer.
- Open the template file in a text editor.
- Replace the provided list of StandardsControlArn with your own list of controls to disable.
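The three procedures above (enabling the standard, disabling a standard, and disabling individual controls) all come down to a handful of Security Hub API calls made by the Lambda function behind the custom resource. The following is an added example, not the article's own template code, showing those calls in Python with boto3's securityhub client injected so the logic can be exercised offline. It assumes a constructed FakeSecurityHub stand-in, a constructed account ID (123456789012), constructed control ARNs, and that the custom resource passes StandardsArn, DisabledControlArns and DisabledReason as ResourceProperties (all names here are assumptions, not from the page). One caveat worth noting: batch_disable_standards takes standards subscription ARNs, not the standard ARN returned by describe-standards, so the example resolves them with get_enabled_standards first.

```python
"""Added example (not the article's template): the Security Hub calls behind
an enable/disable Lambda, with the client injected for offline use."""
import json

# Region-scoped PCI DSS standard ARN; confirm yours with `aws securityhub describe-standards`.
PCI_DSS_ARN = "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"


def find_standard_arn(client, name_fragment="PCI DSS"):
    """Resolve a StandardsArn by name (API equivalent of describe-standards)."""
    for std in client.describe_standards().get("Standards", []):
        if name_fragment in std.get("Name", ""):
            return std["StandardsArn"]
    raise LookupError(f"no standard named like {name_fragment!r}")


def enable_standard(client, standards_arn):
    """batch_enable_standards takes the standard ARN and returns subscription ARNs."""
    resp = client.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": standards_arn}])
    return [s["StandardsSubscriptionArn"] for s in resp["StandardsSubscriptions"]]


def disable_standard(client, standards_arn):
    """batch_disable_standards wants *subscription* ARNs, so resolve them first."""
    subs = [s["StandardsSubscriptionArn"]
            for s in client.get_enabled_standards()["StandardsSubscriptions"]
            if s["StandardsArn"] == standards_arn]
    if subs:
        client.batch_disable_standards(StandardsSubscriptionArns=subs)
    return subs


def disable_controls(client, control_arns, reason):
    """Disable controls one by one; Security Hub stops each check and drops its Config rule."""
    for arn in control_arns:
        client.update_standards_control(
            StandardsControlArn=arn, ControlStatus="DISABLED", DisabledReason=reason)
    return list(control_arns)


def apply(client, props, request_type="Create"):
    """Apply the custom resource's ResourceProperties (assumed names):
    enable the standard and disable listed controls, or disable the standard on Delete."""
    arn = props.get("StandardsArn") or find_standard_arn(client)
    if request_type == "Delete":
        return {"Disabled": disable_standard(client, arn)}
    subs = enable_standard(client, arn)
    controls = disable_controls(client, props.get("DisabledControlArns", []),
                                props.get("DisabledReason", "Not applicable"))
    return {"Subscriptions": subs, "DisabledControls": controls}


def lambda_handler(event, context):
    """Custom-resource entry point; boto3 and cfnresponse are imported only inside Lambda."""
    import boto3
    import cfnresponse  # provided to inline (ZipFile) Python Lambda code
    try:
        data = apply(boto3.client("securityhub"),
                     event.get("ResourceProperties", {}), event["RequestType"])
        cfnresponse.send(event, context, cfnresponse.SUCCESS, {"Result": json.dumps(data)})
    except Exception as exc:
        cfnresponse.send(event, context, cfnresponse.FAILED, {"Error": str(exc)})


class FakeSecurityHub:
    """Constructed stand-in for boto3's securityhub client (no real account involved)."""

    def __init__(self):
        self.enabled = {}   # subscription ARN -> standards ARN
        self.controls = {}  # control ARN -> status

    def describe_standards(self):
        return {"Standards": [
            {"StandardsArn": PCI_DSS_ARN, "Name": "PCI DSS v3.2.1"},
            {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/"
                             "aws-foundational-security-best-practices/v/1.0.0",
             "Name": "AWS Foundational Security Best Practices v1.0.0"}]}

    def batch_enable_standards(self, StandardsSubscriptionRequests):
        out = []
        for req in StandardsSubscriptionRequests:
            sub = req["StandardsArn"].replace("::standards/", ":123456789012:subscription/")
            self.enabled[sub] = req["StandardsArn"]
            out.append({"StandardsSubscriptionArn": sub, "StandardsArn": req["StandardsArn"]})
        return {"StandardsSubscriptions": out}

    def get_enabled_standards(self):
        return {"StandardsSubscriptions": [
            {"StandardsSubscriptionArn": k, "StandardsArn": v} for k, v in self.enabled.items()]}

    def batch_disable_standards(self, StandardsSubscriptionArns):
        for sub in StandardsSubscriptionArns:
            self.enabled.pop(sub, None)
        return {"StandardsSubscriptions": []}

    def update_standards_control(self, StandardsControlArn, ControlStatus, DisabledReason=None):
        self.controls[StandardsControlArn] = ControlStatus
        return {}


if __name__ == "__main__":
    # Constructed control ARN for illustration only.
    ctl = "arn:aws:securityhub:us-east-1:123456789012:control/pci-dss/v/3.2.1/PCI.IAM.1"
    print(apply(FakeSecurityHub(), {"DisabledControlArns": [ctl],
                                    "DisabledReason": "No root access keys in scope"}))
```

The real Lambda would run apply() with a genuine boto3 client; the split between the pure functions and lambda_handler is what makes the enable/disable logic testable without AWS credentials. Both describe_standards and get_enabled_standards are paginated APIs, so an account with many standards should iterate with the client's paginator rather than a single call.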