Aqua Security’s platform can scan containerized environments for compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Let’s see it in action. Imagine you have a Kubernetes cluster running your payment processing application. You’ve deployed your containers, and now you need to verify they meet PCI DSS requirements.
Here’s a typical workflow:
First, Aqua needs to be running in your cluster. This usually involves deploying Aqua’s components, often via a Helm chart:
helm repo add aquasec https://aquasec.github.io/helm-charts/
helm install aquasec-platform aquasec/platform --namespace aquasec --create-namespace \
--set global.aquaImageRegistry=<your-registry.io> \
--set global.aquaImageTag=<specific-version>
Once Aqua is deployed, you’ll configure it to monitor your Kubernetes cluster. This involves giving Aqua the necessary RBAC permissions to read Kubernetes resources.
Next, you’ll enable the PCI DSS compliance checks. Aqua has pre-built compliance reports and policies. You navigate to the "Compliance" section in the Aqua web UI, select "PCI DSS v4.0" (or the relevant version), and associate it with your cluster.
Aqua then begins scanning. It looks at:
- Container Images: It checks for known vulnerabilities in the base OS and application dependencies within your container images. For PCI DSS, this means ensuring no exploitable vulnerabilities are present in components that could touch cardholder data.
- Runtime Behavior: Aqua monitors running containers for suspicious activity. This could include unauthorized network connections, unexpected process execution, or attempts to access sensitive files. PCI DSS Requirement 11.2 mandates regular vulnerability scanning, and runtime protection complements this by detecting active exploitation.
- Kubernetes Configuration: It audits your Kubernetes cluster’s configuration against PCI DSS best practices. This includes checking for proper network segmentation (e.g., NetworkPolicies), access controls (RBAC), and secure storage of secrets. PCI DSS Requirement 1 requires strong network security controls, and misconfigured Kubernetes can undermine this.
- Host Security: If Aqua is deployed with host scanning capabilities, it will also assess the underlying nodes for compliance issues.
The output is a detailed report highlighting any deviations from PCI DSS requirements, categorized by the specific control and its severity.
For example, if Aqua finds a container image with a critical vulnerability in openssl that is used by your payment application, the report might look like this:
Vulnerability Found: CVE-2023-xxxx in openssl
Affected Image: my-payment-app:latest
Location: /usr/lib/x86_64-linux-gnu/libssl.so.1.1
PCI DSS Requirement: 6.3.1 (Protect system components and cardholder data from known vulnerabilities)
Severity: Critical
The remediation would involve rebuilding the my-payment-app image with a patched version of openssl. You’d update your Dockerfile:
FROM ubuntu:22.04
# ... other instructions ...
# Pin openssl to the patched package version so the rebuilt image clears the finding
RUN apt-get update && apt-get install -y openssl=3.0.2-0ubuntu1~22.04.1 && rm -rf /var/lib/apt/lists/*
# ... rest of your application setup ...
Then, you would rebuild and redeploy the image. Aqua would re-scan, and the vulnerability would disappear from the report.
Another example: Aqua might detect that your payment processing pods have overly permissive network access.
Misconfiguration Found: NetworkPolicy not restricting egress from payment-processing-pod
Affected Workload: payment-processing-pod in namespace prod
PCI DSS Requirement: 1.2 (Maintain a firewall configuration to protect cardholder data)
Severity: High
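Both findings above share one "Label: value" layout, and teams usually want to pull such output into a structured form to sort by severity, group by PCI DSS control for the assessor, and fail a pipeline when something exceeds a threshold. The following Python example is added here and is not Aqua's code; it assumes the field labels seen in these two findings are the complete set and that findings are separated by blank lines. The sample report is a constructed copy of the two findings above, one kept multi-line and one flattened onto a single line, so the parser is exercised on both shapes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two findings from the text, one multi-line and one flattened.
SAMPLE_REPORT = """\
Vulnerability Found: CVE-2023-xxxx in openssl
Affected Image: my-payment-app:latest
Location: /usr/lib/x86_64-linux-gnu/libssl.so.1.1
PCI DSS Requirement: 6.3.1 (Protect system components and cardholder data from known vulnerabilities)
Severity: Critical

Misconfiguration Found: NetworkPolicy not restricting egress from payment-processing-pod Affected Workload: payment-processing-pod in namespace prod PCI DSS Requirement: 1.2 (Maintain a firewall configuration to protect cardholder data) Severity: High
"""

# Field labels used in the findings above (assumed to be the complete set for this example).
FIELD_LABELS = ("Vulnerability Found", "Misconfiguration Found", "Affected Image",
                "Affected Workload", "Location", "PCI DSS Requirement", "Severity")
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}

_LABELS = "|".join(re.escape(label) for label in FIELD_LABELS)
# "Label: value" pairs; a value runs until the next known label or the end of the text,
# which is what lets a single flattened line be split correctly.
_FIELD_RE = re.compile(rf"(?P<label>{_LABELS}):\s*(?P<value>.*?)(?=\s*(?:{_LABELS}):|\Z)", re.S)


@dataclass
class Finding:
    kind: str            # "vulnerability" or "misconfiguration"
    title: str
    target: str          # affected image or workload
    requirement: str     # PCI DSS control number, e.g. "6.3.1"
    severity: str
    cve: Optional[str] = None
    location: Optional[str] = None


def parse_finding(text: str) -> Finding:
    """Turn one finding (multi-line or flattened) into a Finding."""
    fields = {m.group("label"): " ".join(m.group("value").split())
              for m in _FIELD_RE.finditer(text)}
    if "Vulnerability Found" in fields:
        kind, title = "vulnerability", fields["Vulnerability Found"]
    else:
        kind, title = "misconfiguration", fields["Misconfiguration Found"]
    req = re.match(r"\d+(?:\.\d+)*", fields.get("PCI DSS Requirement", ""))
    cve = re.search(r"CVE-\d{4}-\w+", title)
    return Finding(
        kind=kind,
        title=title,
        target=fields.get("Affected Image") or fields.get("Affected Workload", ""),
        requirement=req.group(0) if req else "",
        severity=fields.get("Severity", "Unknown"),
        cve=cve.group(0) if cve else None,
        location=fields.get("Location"),
    )


def parse_report(text: str) -> list:
    """Findings are separated by blank lines."""
    return [parse_finding(chunk) for chunk in re.split(r"\n\s*\n", text.strip()) if chunk.strip()]


def prioritize(findings):
    """Most severe first; within a severity, lower-numbered requirement first."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f.severity, -1),
                                           [int(p) for p in f.requirement.split(".") if p]))


def by_requirement(findings):
    """Group findings by PCI DSS control, the view an assessor asks for."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.requirement, []).append(f)
    return grouped


def gate(findings, max_allowed="Medium"):
    """Return findings above the allowed severity, i.e. what should fail a CI/CD gate."""
    limit = SEVERITY_RANK[max_allowed]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, -1) > limit]


if __name__ == "__main__":
    for f in prioritize(parse_report(SAMPLE_REPORT)):
        print(f"[{f.severity}] Req {f.requirement}: {f.title} ({f.target})")
```

The lookahead in the regex is what makes the parser tolerant of both layouts: a value ends wherever the next known label begins, regardless of whether a newline or a space separates them.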
The fix involves implementing a Kubernetes NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress-payment
  namespace: prod
spec:
  podSelector:
    matchLabels:
      app: payment-processor
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 192.168.1.0/24 # Allowed external payment gateway IP range
    ports:
    - protocol: TCP
      port: 443
Applying this NetworkPolicy ensures that pods labelled app: payment-processor (the payment-processing-pod) can only open outbound connections to your payment gateway's IP range on TCP port 443; ingress is unaffected because policyTypes lists only Egress. This significantly reduces the attack surface.
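The check that produced this finding is worth automating in your own pipeline as well. The following Python example is added here and is not Aqua's implementation: it walks pod and NetworkPolicy objects in the shape `kubectl get pods,networkpolicies -o json` returns, reports pods that no Egress policy selects (the finding above), flags rules that allow every destination, and also warns when a restrictive policy leaves no path to cluster DNS on UDP/53. That last warning applies to the manifest above as written: it blocks name resolution from the pod along with everything else, so a companion rule permitting DNS to the cluster resolver is normally added. The example handles matchLabels only; the reporting-pod, batch-pod and the allow-all-egress-batch policy are constructed for the example.

```python
from ipaddress import ip_network

# Constructed sample objects, shaped like the items in `kubectl get pods,networkpolicies -o json`.
# The first policy is the restrict-egress-payment manifest from the text; the other pods and the
# allow-all-egress-batch policy are added here to exercise the checks.
PODS = [
    {"metadata": {"name": "payment-processing-pod", "namespace": "prod",
                  "labels": {"app": "payment-processor"}}},
    {"metadata": {"name": "reporting-pod", "namespace": "prod",
                  "labels": {"app": "reporting"}}},
    {"metadata": {"name": "batch-pod", "namespace": "prod",
                  "labels": {"app": "batch"}}},
]

POLICIES = [
    {"metadata": {"name": "restrict-egress-payment", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "payment-processor"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "192.168.1.0/24"}}],
                          "ports": [{"protocol": "TCP", "port": 443}]}]}},
    {"metadata": {"name": "allow-all-egress-batch", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "batch"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}},
]


def selects(selector, labels):
    """matchLabels semantics only (matchExpressions is out of scope here).
    An empty podSelector selects every pod in the namespace."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def egress_policies_for(pod, policies):
    """Policies in the pod's namespace that select it and govern Egress."""
    meta = pod["metadata"]
    return [p for p in policies
            if p["metadata"]["namespace"] == meta["namespace"]
            and "Egress" in p["spec"].get("policyTypes", [])
            and selects(p["spec"].get("podSelector", {}), meta.get("labels", {}))]


def allows_anywhere(dest):
    """True for an ipBlock that covers every address (0.0.0.0/0 or ::/0)."""
    cidr = dest.get("ipBlock", {}).get("cidr")
    return bool(cidr) and ip_network(cidr, strict=False).prefixlen == 0


def rule_allows_dns(rule):
    """Can this egress rule reach cluster DNS on UDP/53? Per Kubernetes semantics a rule
    with no `to` allows all destinations and a rule with no `ports` allows all ports."""
    dests, ports = rule.get("to"), rule.get("ports")
    reaches_dns = dests is None or any("ipBlock" not in d or allows_anywhere(d) for d in dests)
    port_ok = ports is None or any(p.get("port") == 53 and p.get("protocol", "TCP") == "UDP"
                                   for p in ports)
    return reaches_dns and port_ok


def audit_pod_egress(pod, policies):
    """(severity, message) findings for one pod, in the style of the report above."""
    name = pod["metadata"]["name"]
    applicable = egress_policies_for(pod, policies)
    if not applicable:
        # No Egress policy selects the pod, so Kubernetes allows all outbound traffic.
        return [("High", f"NetworkPolicy not restricting egress from {name}")]
    findings = []
    for pol in applicable:
        pname = pol["metadata"]["name"]
        for rule in pol["spec"].get("egress", []):
            if rule.get("to") is None:
                findings.append(("High", f"{pname}: egress rule has no 'to', allowing all destinations"))
            for dest in rule.get("to") or []:
                if allows_anywhere(dest):
                    findings.append(("High", f"{pname}: ipBlock {dest['ipBlock']['cidr']} allows all destinations"))
    if not any(rule_allows_dns(r) for pol in applicable for r in pol["spec"].get("egress", [])):
        findings.append(("Info", f"{name}: no egress rule permits DNS (UDP/53); name resolution will fail"))
    return findings


def audit(pods, policies):
    """Map each pod name to its egress findings."""
    return {p["metadata"]["name"]: audit_pod_egress(p, policies) for p in pods}


if __name__ == "__main__":
    for pod, findings in audit(PODS, POLICIES).items():
        for severity, message in findings or [("OK", "egress restricted")]:
            print(f"{pod}: [{severity}] {message}")
```

Run against the sample, reporting-pod gets the High finding from the report above, batch-pod is flagged for its 0.0.0.0/0 block, and payment-processing-pod passes the egress checks but receives the DNS warning.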
Aqua’s strength lies in its ability to correlate findings across images, runtime, and configuration, providing a holistic view of your compliance posture. It doesn’t just flag a vulnerability; it shows you where it’s running and how it might be exploited in your specific environment.
One subtle but powerful aspect is how Aqua’s runtime protection can detect and alert on attempted exploitation of vulnerabilities even if they haven’t been patched yet. This is crucial for PCI DSS Requirement 11.2.3, which requires timely remediation of identified vulnerabilities. Aqua provides the visibility to prioritize and act quickly.
After fixing all PCI DSS violations, the next challenge will be managing ongoing compliance and integrating these checks into your CI/CD pipeline for continuous assurance.