Question 1

Is cloudwatch_log_group_kms_key_id enforced for PCI DSS v4.0?

Accepted Answer

Yes, To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group.

Question 2

Is cloudwatch_log_group_retention_in_days enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.

Question 3

Is enabled_log_types enforced for PCI DSS v4.0?

Accepted Answer

Yes, AWS EKS clusters should have control plane audit logging enabled. These logs make it easy to secure and run clusters.

Question 4

Is encryption_config enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure that AWS Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.

Question 5

Is endpoint_public_access enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure whether AWS Elastic Kubernetes Service (AWS EKS) endpoint is not publicly accessible. The rule is compliant if the endpoint is publicly accessible.

AWS EKS Terraform module

Terraform Module Source