SWIFT CSP Security Controls Public 2022
Control # | Description
- Control 2.9 Transaction Business Controls: changed to mandatory.
- Control 1.5A Customer Environment Protection (architecture A4): a new advisory control is created to ensure protection of the 'customer connector'. This is nearly a copy of Control 1.1 and hence the guidelines are the same.
- Scope extension for customers using a Service Bureau: no changes, the guidance remains the same since the scope is just extended for this control.
Security Control Number & Title | Control Statement
- 1.2 Operating System Privileged Account Control: Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with least privilege access is used.
- 1.3 Virtualisation Platform Protection: Secure virtualisation platform, virtualised machines and supporting virtual infrastructure (such as firewalls) to the same level as physical systems.
- 5.2 Token Management: Connected hardware authentication or personal tokens are managed appropriately during assignment, distribution, revocation, use, and storage.
- 5.3A Personnel Vetting Process: A personnel vetting process, internal or external clearance, provides additional assurance that operators or administrators of the local SWIFT infrastructure are trustworthy, and reduces the risk of insider threats.
- 6.5A Intrusion Detection: Intrusion detection is implemented to detect unauthorised network access and anomalous activity.
Quick Start implementation | AWS services
- All resources that are part of the Quick Start CDK code and CloudFormation templates are in scope of the secure zone. The resources are meant to be deployed in a single AWS account, and that AWS account should be designated to run SWIFT connectivity components only. (AWS services: AWS Account, AWS Organization - SCP, AWS CloudFormation, AWS Config)
- SWIFT components are deployed in a VPC with private subnets only and no Internet Gateway attached. AWS services are accessed through VPC Endpoints. Security Groups protect the SWIFT components (SAA, SAG/SNL, AMH), the middleware components (MQ, Oracle) and the VPC Endpoints. Subnets are built for each component and NACLs are deployed to provide additional protection. (AWS services: Security Group, NACL, Subnet, AWS VPC)
- N/A for the Quick Start as this is on the application level. (AWS services: Amazon MQ, Amazon RDS - Oracle)
- N/A (AWS services: AWS Systems Manager)
- N/A (AWS services: AWS IAM, AWS SSO)
- The Quick Start has 4 roles and policies defined for fit-for-purpose operation in the secure zone: Admin (breakglass use), ReadOnly (audit use), SWIFT Operator (SWIFT host access), SWIFT Infra Admin (networking, security, IaC). (AWS services: AWS IAM - IAM Policy, Resource Policy)
- N/A
- N/A
- The Amazon MQ and RDS Oracle passwords are stored in AWS Secrets Manager, encrypted with a customer managed KMS key (CMK). (AWS services: AWS Secrets Manager, AWS KMS)
action Records
N/A N/A
N/A
N/A N/A
Additional AWS Guidance
- Use a dedicated AWS Account for the secure zone running the SWIFT production system
- Use a separate AWS Account for running Dev/Test SWIFT digital connectivity components
- Use different AWS Accounts for back office and other workloads
- Leverage AWS CloudFormation to deploy to the environment, and use CloudFormation drift detection to make sure the intended resources are deployed
- Leverage AWS Organizations Service Control Policies to restrict the resources that can be deployed in this AWS Account
- Leverage AWS Config to detect drift in this AWS Account
- Leverage AWS CodePipeline to deploy changes in the production environment
- Enable the logging function to capture session information, and stream the session data to an encrypted Amazon CloudWatch log group or an encrypted Amazon S3 bucket
- Add AWS KMS encryption on Session Manager sessions
- Use the aws:MultiFactorAuthPresent condition key so that MFA is enforced for root OS user login
- Tag SSMSessionRunAs to run the session as a specific OS user
- Access Systems Manager Session Manager from the private network
- AWS Directory Service can be used for authentication of the operators on Windows or Linux instances, restricted to the identities and credentials of users of any of the secure zone components: bastion instances, AMH instances (OS operators), database instances (OS operators) or applicative accounts. AMH authentication can use LDAP as identity provider, and Oracle can use an LDAP account for administration purposes
- Predefine Linux users in the AMI build process, and use SSMSessionRunAs to log in as a particular user
- Avoid logging into the OS except in breakglass situations
- Execute routine maintenance tasks using AWS Systems Manager Automation documents and Run Command
- Store local user passwords in AWS Secrets Manager
- No IGW attachment to the VPC
- Use an SCP to block IGW resources to prevent egress/ingress access to the internet
- If internet access is required, consider using Gateway Load Balancer and AWS Network Firewall to control internet ingress and egress traffic
- If a hybrid architecture is used, i.e. back office applications are on-prem and the SWIFT secure zone is on AWS, consider using VPN over Direct Connect for network connectivity
- mTLS can be set up from the on-prem application to Amazon MQ in AWS
- Leverage AWS Backup to back up application content in EBS volumes and the RDS Oracle database periodically
- Backups of the EBS volume and RDS Oracle are encrypted using KMS by default.
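As an added example (not part of the Quick Start or SWIFT material above), this is an AWS Organizations service control policy that realises two of the bullets: blocking IGW resources in the secure zone account, and enforcing MFA through aws:MultiFactorAuthPresent. It goes beyond the text by denying ssm:StartSession for every principal without MFA rather than only root OS logins; the Sid values are chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInternetGatewaysInSwiftSecureZone",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenySessionManagerWithoutMfa",
      "Effect": "Deny",
      "Action": "ssm:StartSession",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Attach the policy to the OU or account that holds the secure zone; an SCP only limits what IAM principals in that account may do and grants nothing. BoolIfExists also denies when the MFA key is absent from the request context, so any service role that starts sessions programmatically would need to be excluded with an aws:PrincipalArn condition.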
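As a further added example (not from the Quick Start), this Session Manager preferences document (the SSM-SessionManagerRunShell session document) implements the session logging, KMS session encryption and SSMSessionRunAs bullets above; the log group name, key ARN and default OS user are placeholders to be replaced.

```json
{
  "schemaVersion": "1.0",
  "description": "Session Manager preferences for the SWIFT secure zone (constructed example)",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "/swift-secure-zone/session-manager",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "kmsKeyId": "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID",
    "runAsEnabled": true,
    "runAsDefaultUser": "swiftoperator",
    "idleSessionTimeout": "20",
    "shellProfile": {
      "linux": "",
      "windows": ""
    }
  }
}
```

Create it with aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session --content file://prefs.json; when an IAM principal carries the SSMSessionRunAs tag, that tag value is used as the OS user instead of runAsDefaultUser.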
N/A
N/A
https://www2.swift.com/knowledgecentre/publications/aa_7_5_rma_guid/2.0
- AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- The password policy is defined by the organization and adheres to this CSP control
- If AWS IAM users are used, the password policy can be set using the steps documented here
- If federation is used for accessing the AWS environment, the password policy must be implemented on the IdP
For logical access control on the application level, please refer to the guidance for securing messaging and communication interfaces for the SWIFT applications (AMH, SAA, SAG, SNL) in the SWIFT Knowledge Centre. For example, the security guidance document for AMH can be found here:
https://www2.swift.com/knowledgecentre/rest/v1/publications/amh_sec_guid_doc/3.0/amh__Security_Guidance_1901108_v1_3.pdf?logDownload=true
N/A
N/A
If the customer only runs SWIFT-provided software in the secure zone, the control is met. If custom software is run in the secure zone, a third-party file integrity monitoring (FIM) tool such as Tripwire or CrowdStrike (FIM) can be employed.
Customer:
This is a customer responsibility. Customers decide what applications and
systems will connect to the public internet.
AWS:
Please contact your AWS account team for more details