Question 1

Is associate_public_ip_address enforced for PCI DSS v4.0?

Accepted Answer

Yes, Manage access to the AWS Cloud by ensuring AWS Elastic Compute Cloud (AWS EC2) instances cannot be publicly accessed.

Question 2

Is ebs_volumes enforced for PCI DSS v4.0?

Accepted Answer

Yes, Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes.

Question 3

Is iam_instance_profile enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure that an AWS Elastic Compute Cloud (AWS EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is non-compliant if no IAM profile is attached to the AWS EC2 instance.

Question 4

Is key_name enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair.

Question 5

Is metadata_options enforced for PCI DSS v4.0?

Accepted Answer

Yes, Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of AWS Elastic Compute Cloud (AWS EC2) instance metadata.

Question 6

Is monitoring enforced for PCI DSS v4.0?

Accepted Answer

Yes, Enable this rule to help improve AWS Elastic Compute Cloud (AWS EC2) instance monitoring on the AWS EC2 console, which displays monitoring graphs with a 1-minute period for the instance.

Question 7

Is security_group_ingress_rules enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether the VPC security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443.

Question 8

Is subnet_id enforced for PCI DSS v4.0?

Accepted Answer

Yes, Deploy AWS Elastic Compute Cloud (AWS EC2) instances within an AWS Virtual Private Cloud (AWS VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection.

AWS EC2 Instance Terraform module

Terraform Module Source