Running PCI-DSS v4.0 requirements...
Automated Check Score: 43.8% (7/16 passed)

⚠️ IMPORTANT: Only 16 of 21 total controls are automated.
5 controls require manual documentation and evidence.
Use 'auditkit evidence' to track what you need to collect.

AuditKit PCI Compliance Scan Results
=====================================
AWS Account: 1234567890
Framework: PCI
Scan Time: 2025-10-11 18:52:12

Compliance Score: 43.8%
Controls Passed: 7/21
Critical Issues: 5 (FIX IMMEDIATELY)
High Priority: 4

CRITICAL - Fix These NOW:
================================

[FAIL] PCI-1.2.1 - Network Segmentation
  Issue: PCI-DSS Req 1.2.1 VIOLATION: Only 1 VPC found - PCI requires isolated network for cardholder data environment (CDE)
  Fix: Create separate VPC for CDE
  Evidence: VPC Console → Show all VPCs → Screenshot showing CDE VPC separated
  Console: https://console.aws.amazon.com/vpc/

[FAIL] PCI-1.3.1 - No Direct Public Access
  Issue: PCI-DSS Req 1.3.1 VIOLATION: 1 security groups allow 0.0.0.0/0 access: sg-0ab56571076bcff37 (port 22)
  Fix: Remove all 0.0.0.0/0 rules immediately
  Evidence: EC2 → Security Groups → Each group → Inbound rules → No 0.0.0.0/0
  Console: https://console.aws.amazon.com/ec2/v2/home#SecurityGroups

[FAIL] PCI-8.2.4 - Password Rotation
  Issue: PCI-DSS Req 8.2.4 VIOLATION: No password policy configured - PCI requires 90-day rotation
  Fix: Set password expiry to 90 days MAX
  Evidence: IAM → Account settings → Password policy → Must show 90 days or less
  Console: https://console.aws.amazon.com/iam/home#/account_settings

[FAIL] PCI-8.3.1 - MFA for All Access
  Issue: PCI-DSS Req 8.3.1 VIOLATION: 1 users with console access lack MFA - PCI requires MFA for ALL: auditkit-test
  Fix: Enable MFA for ALL users with console access
  Evidence: IAM → Users → Show MFA enabled for ALL users with console access
  Console: https://console.aws.amazon.com/iam/home#/users

[FAIL] PCI-10.1 - Audit Trail Implementation
  Issue: PCI-DSS Req 10.1 VIOLATION: No CloudTrail configured - PCI REQUIRES comprehensive audit trails
  Fix: Enable CloudTrail immediately
  Evidence: CloudTrail → Dashboard → Show trail enabled for all regions
  Console: https://console.aws.amazon.com/cloudtrail/

HIGH Priority Issues:
========================

[FAIL] PCI-2.2.2 - Default Configuration Changes
  Issue: PCI-DSS Req 2.2.2: 1 default security groups have rules - PCI requires removing defaults
  Fix: Remove all rules from default security groups
  Evidence: EC2 → Security Groups → Filter by 'default' → Show empty rule sets
  Console: https://console.aws.amazon.com/ec2/v2/home#SecurityGroups

[FAIL] PCI-4.1.1 - Security Control
  Issue: PCI-DSS Req 4.1: 1 S3 buckets don't enforce SSL/TLS
  Fix: Add bucket policy requiring SecureTransport

[FAIL] PCI-11.5.1 - Security Control
  Issue: PCI-DSS Req 11.5.1: AWS Config not enabled - required for change detection
  Fix: Enable AWS Config
  Evidence: AWS Config → Settings → Show recorder enabled
  Console: https://console.aws.amazon.com/config/

[FAIL] CC6.7 - Password Policy
  Issue: No password policy configured | Violates PCI DSS 8.2.3-8.2.5 (password requirements)
  Fix: Run: aws iam update-account-password-policy
       See PDF for required parameters
  Evidence:
    1. Go to IAM → Account settings
    2. Screenshot 'Password policy' section
    3. Must show all requirements enabled
    4. PCI DSS requires minimum 7 chars, we recommend 14+
  Console: https://console.aws.amazon.com/iam/home#/account_settings

Manual Documentation Required:
=================================

[INFO] PCI-7.1.2 - Security Control
  Guidance: MANUAL REVIEW REQUIRED: Verify separation between development, operations, and security roles

[INFO] PCI-8.1.8 - Session Timeout
  Guidance: PCI-DSS Req 8.1.8: Verify console timeout is set to 15 minutes or less
  Evidence: IAM → Account settings → Show 15-minute session timeout configured

[INFO] PCI-11.2.2 - Quarterly Vulnerability Scans
  Guidance: PCI-DSS Req 11.2.2: PCI requires QUARTERLY vulnerability scans by Approved Scanning Vendor (ASV)
  Evidence: Document ASV scan reports dated within last 90 days

[INFO] PCI-11.3.1 - Security Control
  Guidance: PCI-DSS Req 11.3.1: PCI requires ANNUAL penetration testing of CDE

[INFO] PCI-11.5 - Security Control
  Guidance: PCI-DSS Req 11.5: Deploy file integrity monitoring on critical systems

Passed Controls:
===================
- PCI-3.4 - Encryption at Rest
- PCI-4.1 - Encryption in Transit
- PCI-8.2.4-keys - Security Control
- CC6.6 - Authentication Controls
- CC6.8 - Access Key Rotation
- CC6.7 - Password Policy
- CC6.1 - Logical and Physical Access Controls

Priority Action Items:
=========================
1. PCI-DSS URGENT: Fix 5 CRITICAL issues - QSA will fail your assessment
2. Document cardholder data flow and network segmentation
3. Enable continuous compliance monitoring
4. Document your security policies and procedures
5. Set up automated alerting for security events

For detailed PCI report with full evidence checklist:
  auditkit scan -provider aws -framework pci -format pdf -output report.pdf

To track evidence collection progress:
  auditkit evidence -provider aws