| Control | Title | Status | Evidence |
|---|---|---|---|
| 1.2 | Configurations restrict connections between untrusted networks and the CDE | implemented | VPC + private subnets + VPCEs. Egress only via NAT (single static EIP) or VPCE. |
| 2.2 | System components are configured and managed securely | implemented | Terraform-defined. ECR image tags immutable. AWS Config drift. |
| 3.3 | Sensitive authentication data (SAD) is not stored after authorization | implemented | Zero-persistence: gateway NEVER writes prompt or response body. If a card PAN appears in a prompt, it transits the gateway in memory only. |
| 3.5 | Primary account number (PAN) is secured wherever it is stored | customer responsibility | Gateway does not store PAN. Customer is responsible for any PAN storage in their own systems. In flight: gateway. At rest in customer systems: customer. |
| 4.2 | PAN is protected with strong cryptography during transmission | implemented | TLS 1.2 over FIPS 140-2 validated modules end-to-end. |
| 6.3 | Security vulnerabilities are identified and addressed | implemented | ECR scan on push. Dependabot. POAM tracker for unfixed. |
| 8.2 | User identification and related accounts are strictly managed | implemented | API key auth at API Gateway. Admin auth via cloud-native MFA. |
| 10.2 | Audit logs are implemented to support incident detection / forensics | implemented | CloudTrail multi-region 7yr. CW Logs app 90d / access 365d. Hash-chained per-request audit row. |
| 10.5 | Audit log history is retained and available for analysis | implemented | 7-yr retention; Glacier lifecycle @ 1y. |
| 11.3 | Vulnerabilities are identified and risk-rated | implemented | ECR scanning + GuardDuty + Security Hub findings → ranked + tracked. |
| 12.10 | Suspected or confirmed security incidents are responded to | implemented | Incident notification procedure ships per-tenant with named SLA. |
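An added example (not the gateway's own code) of the hash-chained per-request audit row cited under 10.2, with a verifier that flags an edited or deleted row; the field names, the genesis value and the sample events are assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical anchor for the first row; a real deployment would pin this per log stream.
GENESIS = "0" * 64

# Constructed sample events: request metadata only, never prompt or response bodies (3.3).
SAMPLE_EVENTS = [
    {"tenant": "t-001", "req_id": "r-1", "ts": "2024-01-01T00:00:00Z", "status": 200, "tokens": 120},
    {"tenant": "t-001", "req_id": "r-2", "ts": "2024-01-01T00:00:05Z", "status": 429, "tokens": 0},
    {"tenant": "t-002", "req_id": "r-3", "ts": "2024-01-01T00:00:09Z", "status": 200, "tokens": 88},
]


def canonical(row: dict) -> bytes:
    # Stable serialization so writer and verifier hash identical bytes.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def append_row(chain: list, event: dict) -> dict:
    # Each row commits to the previous row's hash, so editing or deleting any
    # earlier row invalidates every hash after it.
    if "prompt" in event or "response" in event:
        raise ValueError("zero-persistence: bodies must not reach the audit row")
    prev = chain[-1]["row_hash"] if chain else GENESIS
    row = {"seq": len(chain), "prev_hash": prev, **event}
    row["row_hash"] = hashlib.sha256(canonical(row)).hexdigest()
    chain.append(row)
    return row


def verify_chain(chain: list) -> tuple:
    # Returns (ok, first_bad_index); index is -1 when the chain is intact.
    prev = GENESIS
    for i, row in enumerate(chain):
        body = {k: v for k, v in row.items() if k != "row_hash"}
        if row.get("prev_hash") != prev or row.get("seq") != i:
            return False, i
        expected = hashlib.sha256(canonical(body)).hexdigest()
        if not hmac.compare_digest(expected, str(row.get("row_hash", ""))):
            return False, i
        prev = row["row_hash"]
    return True, -1


def build_chain(events=SAMPLE_EVENTS) -> list:
    chain = []
    for event in events:
        append_row(chain, event)
    return chain
```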