GuardDuty Alerts for Control Failures

Supporting PCI Requirement 10.8 in AWS
An additional requirement for service providers in PCI Requirement 10.8 is to implement a process for detecting and reporting failures of critical security control systems, including: 

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls 

In AWS, PCI Requirement 10.8 can be met using Amazon GuardDuty. GuardDuty continuously monitors S3 for malicious activity or unauthorized behavior, and alerts you when unauthorized behavior or failures occur. To learn more about meeting PCI Requirement 10.8, visit the AWS documentation for Amazon S3 protection in Amazon GuardDuty.

Transcription 
For service providers, there is an extra little “gotcha” in PCI Requirement 10. PCI Requirement 10.8 says that they need to make sure that the security devices that are in play in the service provider’s network are also up/down monitored, looking for problems and looking for alerts for those systems themselves. What comes into play here in AWS is GuardDuty. GuardDuty will look at the logs coming from everything, including these virtual devices in the VPCs or the other services. You can configure the alerts inside GuardDuty to send you an SMS, email, or your flavor of alert. But service providers need to be aware of this and need to deeply look at GuardDuty for meeting PCI Requirement 10.8.
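The transcript says GuardDuty alerts can be routed to SMS, email, or another channel. The usual wiring is an EventBridge rule matching GuardDuty findings that invokes a small function, which in turn publishes to an SNS topic with email or SMS subscribers. The code below is an added example, not from the original page or from AWS: it shows the EventBridge event pattern and a Lambda-style handler that filters findings by severity and formats the alert. The event shape (source `aws.guardduty`, detail-type `GuardDuty Finding`) is the documented one; the sample finding values are constructed, and the `publish` callable is an assumption that stands in for an SNS publish so the logic runs without AWS credentials.

```python
"""Route Amazon GuardDuty findings to an alert channel (added example).

Assumes the documented EventBridge shape for GuardDuty findings:
source "aws.guardduty", detail-type "GuardDuty Finding".
"""
from typing import Callable, Optional

# EventBridge rule pattern matching every GuardDuty finding in the account.
# Severity filtering is done in the handler so the rule stays simple.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity (0.1-8.9) to its published bands."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def format_alert(event: dict) -> Optional[dict]:
    """Build an SNS-ready subject/message from a GuardDuty finding event.

    Returns None for events that are not GuardDuty findings, so a rule that
    is accidentally widened does not page anyone with unrelated events.
    """
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return None
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0.0))
    resource = detail.get("resource", {}).get("resourceType", "Unknown")
    subject = f"[GuardDuty {severity_label(severity)}] {detail.get('type', 'UnknownFinding')}"
    lines = [
        f"Title:     {detail.get('title', '')}",
        f"Severity:  {severity} ({severity_label(severity)})",
        f"Account:   {detail.get('accountId', '')}",
        f"Region:    {detail.get('region', '')}",
        f"Resource:  {resource}",
        f"Finding:   {detail.get('id', '')}",
        f"Last seen: {detail.get('service', {}).get('eventLastSeen', '')}",
    ]
    # SNS limits subjects to 100 characters.
    return {"subject": subject[:100], "message": "\n".join(lines), "severity": severity}


def handler(event: dict, context=None,
            publish: Optional[Callable[[str, str], None]] = None,
            min_severity: float = 4.0) -> dict:
    """Lambda-style entry point: publish findings at or above min_severity.

    `publish(subject, message)` is injected (assumed helper) so the logic runs
    offline; in Lambda bind it to an SNS publish call for your topic.
    """
    alert = format_alert(event)
    if alert is None:
        return {"published": False, "reason": "not a GuardDuty finding"}
    if alert["severity"] < min_severity:
        return {"published": False, "reason": "below threshold",
                "subject": alert["subject"]}
    if publish is not None:
        publish(alert["subject"], alert["message"])
    return {"published": True, "subject": alert["subject"]}


# Constructed sample event in the EventBridge "GuardDuty Finding" shape.
# Account, region, ids and timestamps are made up; the finding type is a
# real GuardDuty S3 finding type.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "example-finding-id",
        "type": "Policy:S3/BucketBlockPublicAccessDisabled",
        "severity": 2,
        "title": "Amazon S3 Block Public Access was disabled for S3 bucket example-bucket.",
        "resource": {"resourceType": "S3Bucket"},
        "service": {"eventLastSeen": "2024-01-01T00:00:00Z"},
    },
}

if __name__ == "__main__":
    sent = []
    print(handler(SAMPLE_EVENT, publish=lambda s, m: sent.append((s, m)),
                  min_severity=2.0))
    print(sent[0][1] if sent else "nothing published")
```

The `min_severity` default of 4.0 pages only Medium and High findings; for a PCI 10.8 control-failure channel you would typically lower it or route Low findings to a ticket queue instead of SMS, since a disabled control can surface as a Low-severity policy finding like the sample above. In a real deployment the EventBridge rule uses `GUARDDUTY_EVENT_PATTERN` as its event pattern and targets the function, and `publish` wraps `sns.publish` for the topic your email/SMS subscribers are attached to.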
