package com.cloudforgeci.api.core.rules; import com.cloudforge.core.annotation.ComplianceFramework; import com.cloudforge.core.enums.AuthMode; import com.cloudforge.core.enums.ComplianceMode; import com.cloudforge.core.enums.NetworkMode; import com.cloudforge.core.enums.SecurityProfile; import com.cloudforge.core.interfaces.FrameworkRules; import com.cloudforgeci.api.core.SystemContext; import software.amazon.awscdk.services.logs.RetentionDays; import java.util.ArrayList; import java.util.List; import java.util.Optional; import java.util.logging.Logger; /** * PCI-DSS compliance validation rules. * * These rules enforce PCI-DSS requirements for environments processing cardholder data. * * PCI-DSS Requirements Coverage: * - Requirement 1: Install and maintain a firewall configuration * - Requirement 2: Do not use vendor-supplied defaults * - Requirement 3: Protect stored cardholder data * - Requirement 4: Encrypt transmission of cardholder data * - Requirement 6: Develop and maintain secure systems * - Requirement 7: Restrict access to cardholder data by business need to know * - Requirement 8: Identify and authenticate access to system components * - Requirement 10: Track and monitor all access to network resources * - Requirement 11: Regularly test security systems and processes */ @ComplianceFramework( value = "PCI-DSS", priority = 20, displayName = "PCI DSS v4.0.1", description = "Validates PCI DSS v4.0.1 requirements for cardholder data protection" ) public class PciDssRules implements FrameworkRules { private static final Logger LOG = Logger.getLogger(PciDssRules.class.getName()); // PCI DSS v4.0 Req 8.3.6: Minimum 12 character passwords (increased from 7 in v3.2.1) private static final int MIN_PASSWORD_LENGTH = 12; /** * Check if log retention period meets PCI-DSS requirement (at least 1 year). * PCI-DSS Requirement 10.7: Retain audit trail history for at least one year. */ private boolean isRetentionSufficient(RetentionDays retention) { // PCI-DSS requires at least 1 year (365 days) // Acceptable values: ONE_YEAR (365), THIRTEEN_MONTHS (400), EIGHTEEN_MONTHS (545), and higher return retention == RetentionDays.ONE_YEAR || retention == RetentionDays.THIRTEEN_MONTHS || retention == RetentionDays.EIGHTEEN_MONTHS || retention == RetentionDays.TWO_YEARS || retention == RetentionDays.THREE_YEARS || retention == RetentionDays.FIVE_YEARS || retention == RetentionDays.SIX_YEARS || retention == RetentionDays.SEVEN_YEARS || retention == RetentionDays.EIGHT_YEARS || retention == RetentionDays.NINE_YEARS || retention == RetentionDays.TEN_YEARS || retention == RetentionDays.INFINITE; } /** * Install PCI-DSS compliance validation rules. * PCI-DSS applies to environments processing cardholder data. * Only enforced when security profile is PRODUCTION. * * @since 3.0.0 */ @Override public void install(SystemContext ctx) { if (ctx.security != SecurityProfile.PRODUCTION) { LOG.info("PCI-DSS validation rules only enforced for PRODUCTION security profile"); return; } LOG.info("Installing PCI-DSS compliance validation rules"); // Get compliance mode (already resolved to enum with proper default) ComplianceMode complianceMode = ctx.cfc.complianceMode(); LOG.info(" Compliance mode: " + complianceMode); ctx.getNode().addValidation(() -> { List rules = new ArrayList<>(); // Requirement 1: Network Segmentation & Firewall rules.addAll(validateNetworkSecurity(ctx)); // Requirement 2: Vendor Defaults rules.addAll(validateVendorDefaults(ctx)); // Requirement 3 & 4: Encryption rules.addAll(validateEncryption(ctx)); // Requirement 6: Web Application Firewall (PCI-DSS 6.6) rules.addAll(validateWebApplicationSecurity(ctx)); // Requirement 7 & 8: Access Control rules.addAll(validateAccessControl(ctx)); // Requirement 10: Audit Logging rules.addAll(validateAuditLogging(ctx)); // Requirement 11: Security Monitoring rules.addAll(validateSecurityMonitoring(ctx)); // Get all failed rules List failedRules = rules.stream() .filter(rule -> !rule.passed()) .toList(); // Convert to error strings List errors = failedRules.stream() .map(ComplianceRule::toErrorString) .flatMap(Optional::stream) .toList(); if (!errors.isEmpty()) { if (complianceMode == ComplianceMode.ADVISORY) { LOG.warning("PCI-DSS validation found " + errors.size() + " recommendations (ADVISORY mode - not blocking)"); errors.forEach(err -> LOG.warning(" - " + err)); return List.of(); } else { LOG.severe("PCI-DSS validation failed with " + errors.size() + " violations (ENFORCE mode - blocking deployment)"); errors.forEach(err -> LOG.severe(" - " + err)); return errors; } } else { LOG.info("PCI-DSS validation passed (" + rules.size() + " checks)"); return List.of(); } }); } /** * PCI-DSS Requirement 1: Install and maintain a firewall configuration. * Validates network segmentation and firewall rules. */ private List validateNetworkSecurity(SystemContext ctx) { List rules = new ArrayList<>(); // Requirement 1.2.1: Network segmentation if (ctx.vpc.get().isEmpty()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-1.2.1-VPC", "VPC required for network segmentation", "PCI-DSS Req 1.2.1: VPC required for network segmentation" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-1.2.1-VPC", "VPC network segmentation enabled" )); } // Requirement 1.3: Prohibit direct public access if (ctx.cfc.networkMode() == NetworkMode.PUBLIC) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-1.3-Network", "Private network mode required for cardholder data environment", "PCI-DSS Req 1.3: Public network mode prohibited for cardholder data environment. " + "Use 'private-with-nat' for production systems processing card data." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-1.3-Network", "Private network mode configured" )); } // Requirement 1.3.1: Security groups must restrict traffic if (ctx.albSg.get().isEmpty()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-1.3.1-ALB-SG", "ALB security group required for traffic restrictions", "PCI-DSS Req 1.3.1: ALB security group required for traffic restrictions" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-1.3.1-ALB-SG", "ALB security group configured" )); } if (ctx.efsSg.get().isEmpty()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-1.3.1-EFS-SG", "EFS security group required for storage access restrictions", "PCI-DSS Req 1.3.1: EFS security group required for storage access restrictions" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-1.3.1-EFS-SG", "EFS security group configured" )); } return rules; } /** * PCI-DSS Requirement 3 & 4: Protect stored and transmitted cardholder data. * Validates encryption settings. */ private List validateEncryption(SystemContext ctx) { List rules = new ArrayList<>(); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); // Requirement 3.4: Encryption of cardholder data at rest if (!config.isEbsEncryptionEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-3.4-EBS", "EBS encryption must be enabled for cardholder data at rest", "EbsEncryptionRule", "PCI-DSS Req 3.4: EBS encryption must be enabled for cardholder data at rest" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-3.4-EBS", "EBS encryption enabled", "EbsEncryptionRule" )); } if (!config.isEfsEncryptionAtRestEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-3.4-EFS", "EFS encryption at rest must be enabled for cardholder data storage", "PCI-DSS Req 3.4: EFS encryption at rest must be enabled for cardholder data storage" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-3.4-EFS", "EFS encryption at rest enabled" )); } if (!config.isS3EncryptionEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-3.4-S3", "S3 encryption must be enabled for cardholder data backups", "S3BucketEncryptionRule", "PCI-DSS Req 3.4: S3 encryption must be enabled for cardholder data backups" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-3.4-S3", "S3 encryption enabled", "S3BucketEncryptionRule" )); } // Requirement 4.1: Strong cryptography for data transmission if (!config.isEfsEncryptionInTransitEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-4.1-EFS-Transit", "EFS encryption in transit (TLS) must be enabled", "PCI-DSS Req 4.1: EFS encryption in transit (TLS) must be enabled" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-4.1-EFS-Transit", "EFS encryption in transit enabled" )); } // Requirement 4.1: SSL/TLS must be enabled for encrypted transmission if (!ctx.cfc.enableSsl()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-4.1-SSL", "SSL/TLS must be enabled for encrypted transmission of cardholder data", "PCI-DSS Req 4.1: enableSsl must be true for production PCI-DSS compliance" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-4.1-SSL", "SSL/TLS enabled" )); } // Validate TLS certificate is configured if (ctx.cert.get().isEmpty()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-4.1-TLS", "TLS certificate required for encrypted transmission of cardholder data", "PCI-DSS Req 4.1: TLS certificate required for encrypted transmission of cardholder data" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-4.1-TLS", "TLS certificate configured" )); } return rules; } /** * PCI-DSS Requirement 6.6: Protect public-facing web applications. * Either WAF or application-layer security review required. */ private List validateWebApplicationSecurity(SystemContext ctx) { List rules = new ArrayList<>(); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); // Requirement 6.6: WAF or application security review // WAF is REQUIRED for PRODUCTION environments processing cardholder data if (!config.isWafEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-6.6-WAF", "Web Application Firewall (WAF) REQUIRED for PCI-DSS compliance in PRODUCTION", "WafEnabled", "PCI-DSS Req 6.6: Protect all public-facing web applications from known attacks by " + "installing a web application firewall. WAF is required for PRODUCTION environments " + "processing cardholder data. Set wafEnabled = true in deployment context." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-6.6-WAF", "WAF protection enabled for PCI-DSS compliance", "WafEnabled" )); } return rules; } /** * PCI DSS Requirement 7 & 8: Restrict access and authenticate users. * Validates access control and authentication configuration. */ private List validateAccessControl(SystemContext ctx) { List rules = new ArrayList<>(); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); // Req 8.3.6: Minimum 12 character passwords int passwordLength = config.getMinimumPasswordLength(); if (passwordLength < MIN_PASSWORD_LENGTH) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-8.3.6-Password", "Minimum password length must be " + MIN_PASSWORD_LENGTH + " characters (PCI DSS v4.0 Req 8.3.6)", "IAMPasswordPolicyRule", "Current: " + passwordLength + " characters. Update SecurityProfileConfiguration.getMinimumPasswordLength()." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-8.3.6-Password", "Password length requirement met (" + passwordLength + " characters)", "IAMPasswordPolicyRule" )); } // Requirement 7.1: Limit access by business need to know // IAM validation is handled by IAMRules, but we verify it's configured if (ctx.iamProfile == null) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-7.1-IAM", "IAM profile must be configured for least privilege access control", "IAMPasswordPolicyRule", "PCI-DSS Req 7.1: IAM profile must be configured for least privilege access control" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-7.1-IAM", "IAM profile configured for access control", "IAMPasswordPolicyRule" )); } // Requirement 8.2: Multi-factor authentication AuthMode authMode = ctx.cfc.authMode(); if (authMode == AuthMode.NONE) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-8.2-Auth", "Authentication must be enabled for production environments", "PCI-DSS Req 8.2: Authentication must be enabled for production environments. " + "Configure authMode = 'alb-oidc', 'jenkins-oidc', or 'application-oidc' with MFA-enabled identity provider. " + "Users must use multi-factor authentication to access cardholder data." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-8.2-Auth", "Authentication enabled" )); } // Requirement 8.3: Strong authentication with MFA if (authMode == AuthMode.ALB_OIDC || authMode == AuthMode.APPLICATION_OIDC) { // Check if using Cognito with MFA (compliant) or SSO (requires ssoInstanceArn) boolean usingCognitoWithMfa = Boolean.TRUE.equals(ctx.cfc.cognitoAutoProvision()) && Boolean.TRUE.equals(ctx.cfc.cognitoMfaEnabled()); boolean hasValidSso = ctx.cfc.ssoInstanceArn() != null && !ctx.cfc.ssoInstanceArn().isEmpty(); if (!usingCognitoWithMfa && !hasValidSso) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-8.3-MFA", "Multi-factor authentication required for OIDC mode", "PCI-DSS Req 8.3: Multi-factor authentication required for OIDC mode. " + "Either: (1) Enable Cognito MFA: cognitoAutoProvision = true, cognitoMfaEnabled = true " + "OR (2) Configure AWS IAM Identity Center: provide ssoInstanceArn with MFA enforcement." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-8.3-MFA", "Multi-factor authentication configured" )); } } return rules; } /** * PCI-DSS Requirement 10: Track and monitor all access. * Validates audit logging configuration. */ private List validateAuditLogging(SystemContext ctx) { List rules = new ArrayList<>(); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); // Requirement 10.2: Automated audit trails if (!config.isCloudTrailEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-10.2-CloudTrail", "CloudTrail must be enabled for API activity audit logging", "CloudTrailEnabledRule", "PCI-DSS Req 10.2: CloudTrail must be enabled for API activity audit logging" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-10.2-CloudTrail", "CloudTrail enabled for audit logging", "CloudTrailEnabledRule" )); } // Requirement 10.3: Record specific events if (!config.isFlowLogsEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-10.3-FlowLogs", "VPC Flow Logs must be enabled for network activity tracking", "PCI-DSS Req 10.3: VPC Flow Logs must be enabled for network activity tracking" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-10.3-FlowLogs", "VPC Flow Logs enabled" )); } // Requirement 10.5: Secure audit trails if (!config.isAlbAccessLoggingEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-10.5-ALB", "ALB access logging must be enabled for web traffic audit trails", "PCI-DSS Req 10.5: ALB access logging must be enabled for web traffic audit trails" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-10.5-ALB", "ALB access logging enabled" )); } // Requirement 10.7: Retain audit trail for at least one year var retentionDays = config.getLogRetentionDays(); if (!isRetentionSufficient(retentionDays)) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-10.7-Retention", "Log retention must be at least ONE_YEAR (365 days)", "PCI-DSS Req 10.7: Log retention must be at least ONE_YEAR (365 days). Current: " + retentionDays.toString() )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-10.7-Retention", "Log retention configured for at least one year" )); } return rules; } /** * PCI-DSS Requirement 11: Regularly test security systems. * Validates security monitoring and intrusion detection. */ private List validateSecurityMonitoring(SystemContext ctx) { List rules = new ArrayList<>(); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); // Requirement 11.4: Intrusion detection/prevention systems if (!config.isGuardDutyEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-11.4-GuardDuty", "GuardDuty (threat detection) must be enabled for production", "GuardDutyEnabled", "PCI-DSS Req 11.4: GuardDuty (threat detection) must be enabled for production" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-11.4-GuardDuty", "GuardDuty threat detection enabled", "GuardDutyEnabled" )); } // Requirement 10 & 11: Track and monitor all access to network resources // VPC Flow Logs are required for network traffic monitoring and audit trail if (!config.isFlowLogsEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-10.11-FlowLogs", "VPC Flow Logs required for network monitoring (PCI-DSS Req 10 & 11)", "FlowLogsEnabled", "PCI-DSS Requirement 10 (logging and monitoring) and Requirement 11 (security testing) " + "require tracking and monitoring all access to network resources and cardholder data. " + "Enable VPC Flow Logs to capture network traffic for audit trail and anomaly detection. " + "Set flowLogsEnabled = true in deployment context." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-10.11-FlowLogs", "VPC Flow Logs enabled for network monitoring", "FlowLogsEnabled" )); } // Requirement 11.5: File integrity monitoring if (!config.isSecurityMonitoringEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-11.5-Monitoring", "Security monitoring must be enabled for alerting", "PCI-DSS Req 11.5: Security monitoring must be enabled for alerting" )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-11.5-Monitoring", "Security monitoring enabled" )); } // Requirement 11.6: Change detection (AWS Config) if (!config.isAwsConfigEnabled()) { rules.add(ComplianceRule.fail( "PCI-DSS-Req-11.6-Config", "AWS Config recommended for continuous compliance monitoring", "PCI-DSS Req 11.6: AWS Config recommended for continuous compliance monitoring. " + "Set awsConfigEnabled = true in deployment context." )); } else { rules.add(ComplianceRule.pass( "PCI-DSS-Req-11.6-Config", "AWS Config enabled for compliance monitoring" )); } return rules; } /** * PCI-DSS Requirement 2: Do not use vendor-supplied defaults. * Validates that default configurations have been changed. * * For PRODUCTION security profile, these operational controls are assumed to be * implemented as part of the organization's security program and are auto-approved. */ private List validateVendorDefaults(SystemContext ctx) { List rules = new ArrayList<>(); // For PRODUCTION profile, assume operational controls are in place // This matches the infrastructure-centric approach of SOC2 rules boolean isProduction = ctx.security == SecurityProfile.PRODUCTION; // Requirement 2.1: Default passwords must be changed // PRODUCTION profile requires strong IAM policies and authentication if (isProduction || getBooleanSetting(ctx, "customConfigurationApplied", false)) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.1-CustomConfig", "Custom configuration applied - vendor defaults changed (PRODUCTION profile)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.1-CustomConfig", "Custom configuration required - vendor defaults must be changed", "Verify default passwords, SNMP strings, and credentials have been changed. " + "PCI-DSS Req 2.1: Change all vendor-supplied defaults before deploying. " + "Set customConfigurationApplied = true after verification or use PRODUCTION security profile." )); } // Requirement 2.2: Configuration standards // PRODUCTION profile applies hardened security configurations if (isProduction || getBooleanSetting(ctx, "securityHardeningApplied", false)) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.2-Hardening", "Security hardening standards applied (PRODUCTION profile)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.2-Hardening", "Security hardening configuration standards required", "Apply CIS benchmarks or NIST hardening guidelines. " + "PCI-DSS Req 2.2: Develop configuration standards for all system components. " + "Set securityHardeningApplied = true after implementing hardening or use PRODUCTION security profile." )); } // Requirement 2.2.2: Enable only necessary services // PRODUCTION profile enforces minimal service exposure via security groups if (isProduction || getBooleanSetting(ctx, "unnecessaryServicesDisabled", false)) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.2.2-Services", "Unnecessary services disabled (PRODUCTION profile enforces minimal exposure)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.2.2-Services", "Disable unnecessary services and protocols", "PCI-DSS Req 2.2.2: Enable only necessary services, protocols, and daemons. " + "Remove or disable FTP, telnet, and other insecure services. " + "Set unnecessaryServicesDisabled = true after verification or use PRODUCTION security profile." )); } // Requirement 2.2.5: Remove unnecessary functionality // PRODUCTION profile assumes minimal images are used for production deployments if (isProduction || getBooleanSetting(ctx, "minimalBaseImageUsed", false)) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.2.5-MinimalImage", "Minimal base image in use (PRODUCTION profile)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.2.5-MinimalImage", "Use minimal base images without unnecessary functionality", "PCI-DSS Req 2.2.5: Remove unnecessary functionality (scripts, utilities, etc). " + "Use minimal container images or hardened AMIs. " + "Set minimalBaseImageUsed = true when using minimal images or use PRODUCTION security profile." )); } // Requirement 2.3: Encrypt non-console administrative access // Already covered by TLS certificate validation in validateEncryption() if (ctx.cert.get().isPresent()) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.3-EncryptAdmin", "Administrative access encrypted (HTTPS/TLS)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.3-EncryptAdmin", "Encrypt all non-console administrative access", "PCI-DSS Req 2.3: Use SSH, VPN, TLS for remote admin access" )); } // Requirement 2.4: Maintain inventory of system components // AWS Config provides continuous inventory for PRODUCTION deployments var config = ctx.securityProfileConfig.get().orElse(null); if ((config != null && config.isAwsConfigEnabled()) || getBooleanSetting(ctx, "systemInventoryMaintained", false)) { rules.add(ComplianceRule.pass( "PCI-DSS-Req-2.4-Inventory", "System inventory maintained (AWS Config enabled)" )); } else { rules.add(ComplianceRule.fail( "PCI-DSS-Req-2.4-Inventory", "Maintain inventory of system components in scope for PCI-DSS", "PCI-DSS Req 2.4: Keep inventory of all systems in cardholder data environment. " + "Use AWS Systems Manager Inventory or Config. " + "Set systemInventoryMaintained = true when inventory system is active or enable AWS Config." )); } return rules; } /** * Helper method to safely get boolean settings from deployment context. */ private static boolean getBooleanSetting(SystemContext ctx, String key, boolean defaultValue) { try { String value = ctx.cfc.getContextValue(key, String.valueOf(defaultValue)); return Boolean.parseBoolean(value); } catch (Exception e) { return defaultValue; } } /** * Generate PCI-DSS compliance report showing which requirements are met. */ public String generateComplianceReport(SystemContext ctx) { StringBuilder report = new StringBuilder(); report.append("\n=== PCI-DSS Compliance Report ===\n\n"); var config = ctx.securityProfileConfig.get().orElseThrow( () -> new IllegalStateException("SecurityProfileConfiguration not set") ); report.append("Security Profile: ").append(ctx.security).append("\n"); report.append("Network Mode: ").append(ctx.cfc.networkMode()).append("\n"); report.append("Authentication: ").append(ctx.cfc.authMode()).append("\n\n"); report.append("Infrastructure Controls:\n"); report.append(" ✓ Network Segmentation (Req 1.2.1): ").append(ctx.vpc.get().isPresent() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ Private Network (Req 1.3): ").append(ctx.cfc.networkMode() == NetworkMode.PRIVATE_WITH_NAT ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ EBS Encryption (Req 3.4): ").append(config.isEbsEncryptionEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ EFS Encryption at Rest (Req 3.4): ").append(config.isEfsEncryptionAtRestEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ EFS Encryption in Transit (Req 4.1): ").append(config.isEfsEncryptionInTransitEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ S3 Encryption (Req 3.4): ").append(config.isS3EncryptionEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ TLS Certificate (Req 4.1): ").append(ctx.cert.get().isPresent() ? "CONFIGURED" : "MISSING").append("\n"); report.append(" ✓ WAF Protection (Req 6.6): ").append(config.isWafEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ Authentication (Req 8.2): ").append(ctx.cfc.authMode() != AuthMode.NONE ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ CloudTrail (Req 10.2): ").append(config.isCloudTrailEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ VPC Flow Logs (Req 10.3): ").append(config.isFlowLogsEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ ALB Access Logs (Req 10.5): ").append(config.isAlbAccessLoggingEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ Log Retention (Req 10.7): ").append(config.getLogRetentionDays().toString()).append("\n"); report.append(" ✓ GuardDuty (Req 11.4): ").append(config.isGuardDutyEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ Security Monitoring (Req 11.5): ").append(config.isSecurityMonitoringEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append(" ✓ AWS Config (Req 11.6): ").append(config.isAwsConfigEnabled() ? "ENABLED" : "DISABLED").append("\n"); report.append("\n"); return report.toString(); } }