Is cloudwatch_log_group_kms_key_id enforced for PCI DSS v4.0?

Yes, To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group.

Is cloudwatch_log_group_retention_in_days enforced for PCI DSS v4.0?

Yes, Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.

Upstream version 7.5.0

6 controls from PCI DSS v4.0 requirements

pcidss.compliance.tf/terraform-aws-modules/ecs/aws

Log group retention period should be at least 365 days

cloudwatch_log_group_retention_period_365

Framework requirement

ECS clusters should have container insights enabled

ecs_cluster_container_insights_enabled

Framework requirement

ECS fargate services should run on the latest fargate platform version

ecs_service_fargate_using_latest_platform_version

Framework requirement

ECS task definitions should not share the host's process namespace

ecs_task_definition_no_host_pid_mode

Framework requirement

Log group encryption at rest should be enabled

log_group_encryption_at_rest_enabled

Framework requirement

VPC Security groups should only allow unrestricted incoming traffic for authorized ports

vpc_security_group_allows_ingress_authorized_ports1.3.2

Framework requirement