PCI DSS 4.0.1 Evidence Readiness Report
PCI Score is a 0–100 readiness measure weighted by finding severity and status — higher is better. Scores above 80 generally read as on track for an assessment; under 60 indicates material work remaining before your QSA review. The score reflects evidence readiness only — final compliance determination is made by your QSA.

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| READY | CRITICAL | Security groups with open SSH (0.0.0.0/0:22) | | 1.3.1 | |
| READY | CRITICAL | Security groups with open RDP (0.0.0.0/0:3389) | | 1.3.1 | |
| READY | CRITICAL | Security groups with unrestricted ingress (0.0.0.0/0 all ports) | | 1.3.1 | |
| ACTION NEEDED | HIGH | VPC flow logs enabled | 1 VPC(s) without flow logs | 1.2.2, 10.2.1 | aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-arn <… |
| READY | HIGH | No publicly accessible Lambda functions | | 1.3.2, 7.2.1 | |
| INFO | | Lambda functions deployed in VPC | 0 of 22 functions deployed in VPC | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| READY | CRITICAL | No publicly accessible RDS instances | | 1.3.2, 2.2.7 | |
| READY | HIGH | CloudFront distributions enforce HTTPS | | 4.2.1 | |
| ACTION NEEDED | HIGH | CloudFront uses TLS 1.2+ minimum | 1 distribution(s) use deprecated TLS version | 4.2.1 | aws cloudfront update-distribution --id <id> --viewer-certificate MinimumProtocolVersion=TLSv1.2_2021 |
| INFO | | CloudFront uses SNI (not dedicated IP) | 11 distributions using SNI | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | HIGH | KMS key rotation enabled for customer-managed keys | 1 customer-managed key(s) without rotation enabled | 3.7.4 | aws kms enable-key-rotation --key-id <key-id> |
| READY | HIGH | S3 buckets encrypted at rest | | 3.4.1 | |
| ACTION NEEDED | CRITICAL | S3 public access blocked | 4 bucket(s) without public access block | 1.3.2, 7.2.1 | aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnoreP… |
| REVIEW | MEDIUM | S3 versioning enabled | 1/19 bucket(s) have versioning enabled | 3.4.1 | Enable versioning on S3 buckets to protect against accidental deletion and support recovery. |
| REVIEW | MEDIUM | S3 buckets have server access logging | 0/19 bucket(s) have access logging enabled | 10.2.1 | Enable server access logging on all S3 buckets to track access requests. |
| REVIEW | | Lambda environment variables encrypted with KMS | 22 functions with env vars not encrypted with customer KMS key | | |
| REVIEW | | DynamoDB tables encrypted with customer-managed KMS key | 27 tables use default encryption — customer-managed KMS recommended for PCI | | |
| READY | MEDIUM | DynamoDB point-in-time recovery enabled | | 3.4.1 | |
| REVIEW | | DynamoDB deletion protection enabled | 27 tables without deletion protection | | |
| REVIEW | | Macie sensitive data discovery enabled | Macie is not enabled — no automated sensitive data discovery | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| READY | HIGH | No expired certificates | | 4.2.1 | |
| READY | MEDIUM | No certificates expiring within 30 days | | 4.2.1 | |
| ACTION NEEDED | HIGH | CloudFront origin connections use HTTPS | 2 origins configured for HTTP-only — data in transit unencrypted | 4.2.1 | Configure CloudFront origin protocol policy to HTTPS-only to encrypt data between CloudFront and origin servers. |
| READY | MEDIUM | CloudFront uses custom SSL certificates | | 4.2.1 | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | HIGH | AWS Inspector enabled | Inspector is not enabled — no automated vulnerability scanning | 5.2.1, 11.3.1 | Enable AWS Inspector for automated vulnerability scanning across EC2, Lambda, and container images. |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | MEDIUM | ECR scan-on-push enabled | 1 repository(ies) without scan-on-push | 6.3.1 | Enable scan-on-push for ECR repositories to automatically scan images for vulnerabilities. |
| READY | HIGH | No ECR images with critical vulnerabilities | | 6.3.3 | |
| REVIEW | | ECR immutable image tags | 0/1 repository(ies) have immutable tags | | |
| REVIEW | | WAF web ACLs configured | No WAF web ACLs found — web applications may lack WAF protection | | |
| ACTION NEEDED | HIGH | CloudFront distributions associated with WAF | 11 of 11 distributions without WAF protection | 6.4.1 | aws cloudfront update-distribution --id <id> --web-acl-id <acl-arn> |
| READY | MEDIUM | Lambda functions use supported runtimes | | 6.3.2 | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| INFO | | IAM users inventory | 1 user, 38 roles, 0 customer-managed policies | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | CRITICAL | All console users have MFA enabled | 1 of 1 console users missing MFA | 8.3.1 | Enable MFA for all IAM users with console access. Use virtual MFA apps or hardware security keys. |
| READY | CRITICAL | Root account has MFA enabled | | 8.3.1 | |
| REVIEW | | Root account has hardware MFA | Root account uses virtual MFA — hardware MFA recommended for PCI | | |
| ACTION NEEDED | CRITICAL | No access keys on root account | Root account has active access keys — should be removed | 8.6.1 | Delete root account access keys. Root should never be used programmatically. Create IAM users or roles instead. |
| INFO | | API Gateway throttling configured | 0 REST APIs, 2 HTTP APIs with 2 total stages | | |
| ACTION NEEDED | | Password policy configured | No password policy is configured | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | CRITICAL | Multi-region CloudTrail logging enabled | No multi-region CloudTrail trail with logging enabled | 10.2.1 | aws cloudtrail update-trail --name <trail> --is-multi-region-trail |
| REVIEW | | CloudWatch log groups have retention policies | 24 with retention under 365 days — PCI requires minimum 1 year retention | | |
| ACTION NEEDED | | Security-relevant CloudWatch metric filters exist | Only 0 of 8 recommended security metric filters found — critical gap in security monitoring | | |
| READY | | CloudWatch alarms have notification actions | | | |
| INFO | | CloudWatch alarms configured for security metrics | 4 active CloudWatch alarms configured | | |
| ACTION NEEDED | MEDIUM | CloudFront access logging enabled | 11 distributions without access logging | 10.2.1 | aws cloudfront update-distribution --id <id> --logging-config '{"Enabled":true,"Bucket":"l… |
| READY | MEDIUM | API Gateway access logging enabled | | 10.2.1 | |
| REVIEW | | API Gateway X-Ray tracing enabled | 2 stages without X-Ray tracing | | |
| REVIEW | | Lambda X-Ray tracing enabled | 22 functions without X-Ray tracing | | |

| Status | Severity | Check | Detail | PCI | Remediation |
|---|---|---|---|---|---|
| ACTION NEEDED | CRITICAL | GuardDuty enabled | GuardDuty not enabled — required for PCI 11.4 intrusion detection | 11.4.1 | aws guardduty create-detector --enable --data-sources S3Logs={Enable=true} |
| ACTION NEEDED | HIGH | AWS Config enabled | AWS Config is not enabled — no continuous configuration monitoring | 11.5.1 | aws configservice start-configuration-recorder --configuration-recorder-name default |
| ACTION NEEDED | HIGH | AWS Inspector vulnerability scanning enabled | Inspector is not enabled — no automated vulnerability scanning | 11.3.1 | Enable Inspector scanning for EC2, Lambda, and ECR to continuously identify vulnerabilities. |
| ACTION NEEDED | HIGH | AWS Config enabled and recording | AWS Config not recording — required for infrastructure change tracking (PCI 11.5) | 11.5.1 | aws configservice start-configuration-recorder --configuration-recorder-name default |
| ACTION NEEDED | | AWS Config rules evaluate compliance | No AWS Config rules configured — no automated compliance evaluation | | |
| ACTION NEEDED | | Critical infrastructure change detection | Insufficient Config rules for critical infrastructure monitoring | | |
| REVIEW | | S3 buckets with versioning for data integrity | 18 of 19 buckets do not have versioning — data change tracking unavailable | | |
| REVIEW | | CloudTrail data events track object-level changes | No S3 data events — object-level change tracking not enabled | | |