SWIFT CSP Security Controls Public 2022

The new v2022 CSCF saw 5 changes compared to v2021: 1) Control 2.9 was changed to mandatory from advisory. 2) A new advisory control was added for customer environment protection. 3) Controls 1.5A, 6.2, and 6.3 were changed to advisory for architecture A4. 4) The scope of Control 1.2 was extended in an advisory way to general PCs and architecture B.


The new v2022 CSCF saw 5 changes compared to the v2021 document:

Control 2.9 Transaction Business Controls: changed to mandatory.
AWS Comment: Per Appendix G of the CSP this is out-of-scope for all Cloud Providers.

Control 1.5A Customer Environment Protection: a new advisory control for architecture A4, created to ensure protection of the 'customer connector'.
AWS Comment: This is nearly a copy of Control 1.1 and hence the guidelines are the same for customers using a Service Bureau.

Control 6.2 Software Integrity: changed to Advisory for architecture A4.
AWS Comment: Per Appendix G of the CSP this is out-of-scope for Cloud Providers.

Control 6.3 Database Integrity: changed to Advisory for architecture A4.
AWS Comment: Per Appendix G of the CSP this is out-of-scope for Cloud Providers.

Control 1.2 Operating System Privileged Account Control: the scope of the existing control is extended, in an advisory way, to general-purpose operator PCs and as such to architecture B as well.
AWS Comment: No changes, the guidance remains the same since the scope is just extended for this control.
Security Control Number & Title: Control Statement

1. SWIFT Environment Protection

1.1 SWIFT Environment Protection: A segregated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments.

1.2 Operating System Privileged Account Control: Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with least privilege access is used.

1.3 Virtualisation Platform Protection: Secure the virtualisation platform, virtualised machines and supporting virtual infrastructure (such as firewalls) to the same level as physical systems.

1.4 Restriction of Internet Access: All general purpose and dedicated operator PCs as well as systems within the secure zone have controlled direct internet access in line with business

1.5A Customer Environment Protection: A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security: Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related application-to-application and, when used, jump server-to-application, data flows.

2.2 Security Updates: All hardware and software inside the secure zone and on operator PCs are within the support lifecycle of the vendor, have been upgraded with mandatory software updates, and have had security updates promptly applied.

2.3 System Hardening: Security hardening is conducted and maintained on all in-scope components.

2.4A Back-office Data Flow Security: Confidentiality, integrity, and mutual or message level based authentication mechanisms are implemented to protect data flows between SWIFT infrastructure components and the back office first hop they connect to.

2.5A External Transmission Data Protection: Sensitive SWIFT-related data leaving the secure zone as the result of (i) operating system/application backups, business transaction data replication for archiving or recovery purposes or (ii) extraction for off-line processing is protected when stored outside of a secure zone and encrypted while in transit.

2.6 Operator Session Confidentiality and Integrity: The confidentiality and integrity of interactive operator sessions connecting to SWIFT-related applications (local or at the service provider) or into the secure zone is safeguarded.

2.7 Vulnerability Scanning: Secure zone including dedicated operator PC systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions.

2.8A Critical Activity Outsourcing: Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation.

2.9A Transaction Business Controls: Implement transaction detection, prevention and validation controls to restrict outbound transaction activity to within the expected bounds of normal business.

2.10 Application Hardening: All messaging interfaces and communication interfaces products within the secure zone are SWIFT-compatible. Application security hardening is conducted and maintained on all in-scope components.

2.11A RMA Business Controls: Implement RMA controls to restrict transaction activity with effective business counterparties.

3. Physically Secure the Environment

3.1 Physical Security: Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage.

4. Prevent Compromise of Credentials

4.1 Password Policy: All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed log-in attempts. Similarly, personal tokens and mobile devices enforce passwords or Personal Identification Number (PIN) with appropriate parameters.

4.2 Multi-factor Authentication: Multi-factor authentication is used for interactive user access to SWIFT-related applications and operating system accounts.

5. Manage Identities and Segregate Privileges

5.1 Logical Access Control: Accounts are defined according to the security principles of need-to-know access, least privilege, and segregation of duties.

5.2 Token Management: Connected hardware authentication or personal tokens are managed appropriately during assignment, distribution, revocation, use, and storage.

5.3A Personnel Vetting Process: A personnel vetting process, internal or external clearance, provides additional assurance that operators or administrators of the local SWIFT infrastructure are trustworthy, and reduces the risk of insider threats.

5.4 Physical and Logical Password Storage: Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis.

6. Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection: Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions.

6.2 Software Integrity: A software integrity check is performed at regular intervals on messaging interface, communication interface, and other SWIFT-related applications, and results are considered for appropriate resolving action.

6.3 Database Integrity: A database integrity check is performed at regular intervals on databases that record SWIFT transactions and results are considered for appropriate resolving actions.

6.4 Logging and Monitoring: Capabilities to detect anomalous activity are implemented, and a process or tool is in place to frequently store and review logs.

6.5A Intrusion Detection: Intrusion detection is implemented to detect unauthorised network access and anomalous activity.

7. Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning: The user has a defined and tested cyber incident response plan.

7.2 Security Training and Awareness: Annual security awareness sessions are conducted for all staff members, including role-specific training for SWIFT roles with privileged access.

7.3A Penetration Testing: Application, host, and network penetration testing is conducted towards the secure zone and the operator PCs or, when used, the jump server.

7.4A Scenario Risk Assessment: Scenario-based risk assessments are conducted regularly to improve incident response preparedness and to increase the maturity of the organisation's security programme.
Description of AWS Implementation in Quick Start, with AWS Resource Type(s)

1.1 SWIFT Environment Protection
Implementation: The Quick Start guide follows the Architecture A1 topology specified in SWIFT Customer Security Controls Framework v2021 (CSCF_v2021). SWIFT Alliance Message Hub (AMH) is considered the Messaging Interface in the architecture and it is part of the resources in the Quick Start. All resources that are part of the Quick Start CDK code and CloudFormation templates are in scope of the secure zone. The resources are meant to be deployed in a single AWS account, and that AWS account should be designated to run SWIFT connectivity components only. SWIFT components are deployed in a VPC with private subnets only, with no Internet Gateway attached; AWS services are accessed through VPC Endpoints. Security Groups protect the SWIFT components (SAA, SAG/SNL, AMH), the middleware components (MQ, Oracle) and the VPC Endpoints. Subnets are built for each component and NACLs are deployed to provide additional protection.
Resources: AWS Account, AWS Organization - SCP, AWS CloudFormation, AWS Config, Security Group, NACL, Subnet, AWS VPC

1.2 Operating System Privileged Account Control
Implementation: The Quick Start leverages AWS Systems Manager Session Manager in place of the bastion host. Systems Manager Agent is deployed on the EC2 hosts that host the SWIFT components, with the proper SSM role to enable Session Manager access. VPC Endpoints for Systems Manager are enabled for private network access. SSMSessionRunAs tagging on EC2 is enabled for specific Linux user access to the individual Linux host.
Resources: AWS Systems Manager - Session Manager, Systems Manager - Automation, Systems Manager - Document, Systems Manager - Run Command, Amazon VPC - VPC Endpoints, Amazon CloudWatch Logs, Amazon S3, AWS KMS, AWS IAM

1.3 Virtualisation Platform Protection
Implementation: N/A
Resources: AWS Artifact

1.4 Restriction of Internet Access
Implementation: No Internet Gateway is attached to the VPC in the Quick Start architecture.
Resources: AWS Organization - SCP, AWS Network Firewall, Gateway Load Balancer

1.5A Customer Environment Protection
Implementation: This is nearly identical to Control 1.1, where it focuses on the customer connection and the expected separation between the operational (production) and the wider general IT environment. Refer to row 3 for Control 1.1.

2.1 Internal Data Flow Security
Implementation: N/A for Quick Start as this is on the application level.
Resources: Amazon MQ, Amazon RDS - Oracle, AWS Systems Manager

2.2 Security Updates
Implementation: The Quick Start assumes Systems Manager Agent to be deployed on the EC2 host, which enables AWS Systems Manager - Patch Manager to work.
Resources: AWS Systems Manager - Patch Manager, Amazon EC2 Image Builder, AWS CodePipeline

2.3 System Hardening
Implementation: N/A for Quick Start as this is on the application level.
Resources: Amazon Machine Images (AMI), CIS Hardened Image

2.4A Back-office Data Flow Security
Implementation: The Quick Start assumes the back office application is in a separate VPC, in another AWS Account. The back office application can access the SWIFT secure zone using AWS PrivateLink technology.
Resources: AWS PrivateLink, AWS Direct Connect, AWS Site-to-Site VPN

2.5A External Transmission Data Protection
Implementation: N/A for the Quick Start Guide
Resources: N/A

2.6 Operator Session Confidentiality and Integrity
Implementation: The Quick Start leverages AWS Systems Manager Session Manager in place of the bastion host. Systems Manager Agent is deployed on the EC2 hosts that host the SWIFT components, with the proper SSM role to enable Session Manager access. VPC Endpoints for Systems Manager are enabled for private network access. SSMSessionRunAs tagging on EC2 is enabled for specific Linux user access to the individual Linux host.
Resources: AWS Systems Manager Session Manager, AWS KMS, Amazon CloudWatch Logs, Amazon S3

2.7 Vulnerability Scanning
Implementation: Leverage Amazon Inspector for vulnerability scanning. The host assessment includes checks for vulnerabilities in software (CVE), host hardening benchmarks (CIS) and security best practices for configuration. Inspector is configured to run weekly on the EC2 hosts deployed in the secure zone.
Resources: Amazon Inspector

2.8A Critical Activity Outsourcing
Implementation: N/A
Resources: N/A

2.9A Transaction Business Controls
Implementation: N/A - Application specific
Resources: N/A

2.10 Application Hardening
Implementation: N/A - Application specific
Resources: N/A

2.11A RMA Business Controls
Implementation: N/A - Application specific
Resources: N/A

3.1 Physical Security
Implementation: Refer to the SOC report on AWS Data Center Security.
Resources: AWS Artifact

4.1 Password Policy
Implementation: AWS Secrets Manager is used for generating and storing the passwords for Amazon MQ and RDS Oracle.
Resources: AWS Secrets Manager

4.2 Multi-factor Authentication
Implementation: N/A
Resources: AWS IAM, AWS SSO

5.1 Logical Access Control
Implementation: The Quick Start has 4 roles and policies defined for fit-for-purpose operation in the secure zone:
- Admin: break-glass use
- ReadOnly: audit use
- SWIFT Operator: SWIFT host access
- SWIFT Infra Admin: networking, security, IaC
Resources: AWS IAM - IAM Policy, Resource Policy

5.2 Token Management
Implementation: N/A
Resources: N/A

5.3A Personnel Vetting Process
Implementation: N/A
Resources: N/A

5.4 Physical and Logical Password Storage
Implementation: The Amazon MQ and RDS Oracle passwords are stored in AWS Secrets Manager, encrypted with a customer managed KMS key (CMK).
Resources: AWS Secrets Manager, AWS KMS

6.1 Malware Protection
Implementation: Not applicable as there is no Windows operating system involved in the Quick Start.

6.2 Software Integrity
Implementation: Not applicable as software integrity functions are built in to the SWIFT software. No additional software is deployed on the host.

6.3 Database Integrity
Implementation: RDS Oracle is encrypted with a customer managed KMS key.

6.4 Logging and Monitoring
Implementation:
- RDS Oracle trace, audit, listener and alert logs are sent to CloudWatch
- Amazon MQ audit and general logs are sent to CloudWatch
- VPC Flow Logs are enabled
Resources: Amazon CloudWatch Logs, Amazon CloudWatch Alarms, Amazon CloudWatch Metrics, AWS CloudTrail, AWS Config, VPC Flow Logs, AWS Control Tower

6.5A Intrusion Detection
Implementation: Amazon GuardDuty continuously monitors for malicious activity and unauthorized behaviour.
Resources: Amazon GuardDuty

7.1 Cyber Incident Response Planning
Implementation: N/A
Resources: N/A

7.2 Security Training and Awareness
Implementation: N/A
Resources: AWS Training and Certification

7.3A Penetration Testing
Implementation: N/A

7.4A Scenario Risk Assessment
Implementation: N/A
Resources: N/A
Additional AWS Guidance

1.1 SWIFT Environment Protection
- Use a dedicated AWS Account for the secure zone running the SWIFT production system
- Use a separate AWS Account for running Dev/Test SWIFT digital connectivity components
- Use different AWS Accounts for back office and other workloads
- Leverage AWS CloudFormation to deploy to the environment and use CloudFormation drift detection to make sure the intended resources are deployed
- Leverage AWS Organizations Service Control Policies to restrict the resources that can be deployed in this AWS Account
- Leverage AWS Config to detect drift in this AWS Account
- Leverage AWS CodePipeline to deploy changes in the production environment
- Enable the session logging function to capture session information, and stream the session data to an encrypted Amazon CloudWatch Logs log group or an encrypted Amazon S3 bucket
- Add AWS KMS encryption on Session Manager
- Use the aws:MultiFactorAuthPresent condition so that MFA is required for root OS user login
- Tag SSMSessionRunAs to run as a specific OS user
- Access Systems Manager Session Manager from the private network
- AWS Directory Service can be used for authentication of the operators on Windows or Linux instances and restricted to identities and credentials of users of any of the secure zone components: bastion instances, AMH instances (OS operators), database instances (OS operators) or applicative accounts. AMH authentication can use LDAP as identity provider, and Oracle can use an LDAP account for administration purposes

1.2 Operating System Privileged Account Control
- Predefine Linux users in the AMI build process, and use SSMSessionRunAs to log in as a particular user
- Avoid logging into the OS except in break-glass situations
- Execute routine maintenance tasks using AWS Systems Manager Document automation and Run Command
- Store local user passwords in AWS Secrets Manager
- AWS Directory Service can be used for authentication of the operators on Windows or Linux instances and restricted to identities and credentials of users of any of the secure zone components: bastion instances, AMH instances (OS operators), database instances (OS operators) or applicative accounts. AMH authentication can use LDAP as identity provider, and Oracle can use an LDAP account for administration purposes

1.4 Restriction of Internet Access
- No IGW attachment to the VPC
- Use an SCP to block IGW resources, preventing egress/ingress access to the internet
- If Internet access is required, consider using Gateway Load Balancer and AWS Network Firewall to control Internet ingress and egress traffic
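As an added example (it is not part of the AWS Quick Start or of the sheet above), a service control policy that implements the Control 1.4 guidance to block IGW resources with an SCP and the Control 1.1 guidance to restrict what can be deployed in the secure-zone account. The statement IDs and the exact action list are my choice: the first statement denies creating or attaching internet, egress-only and NAT gateways, the second refuses instance launches that request a public IP on the primary network interface.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInternetAndNatGateways",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateNatGateway"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyPublicIpAtLaunch",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "Bool": { "ec2:AssociatePublicIpAddress": "true" }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the secure-zone account; an SCP limits what principals in member accounts may do, so the CloudFormation drift detection and AWS Config checks recommended above remain the detective side of the same control.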

1.5A Customer Environment Protection
Refer to row 3 for Control 1.1

2.1 Internal Data Flow Security
- Two-way TLS for Amazon MQ to AMH
- TLS connection to the RDS Oracle instance
- Host access with AWS Systems Manager is TLS enabled
- Consider using AWS Certificate Manager to issue certificates and to handle renewal of the certificates
- Use current, commonly accepted cryptographic algorithms, with key lengths in accordance with current best practices. More guidelines on cryptographic algorithms supporting secure protocols can be found in SWIFT Knowledge Base TIP 5021566.

2.2 Security Updates
- Leverage Systems Manager - Patch Manager for host patching
- Recommended: use immutable infrastructure instead of in-place upgrade and patching of the system
- AMH, SAA and SAG/SNL hosts can be built using EC2 Image Builder with the latest patching
- Leverage AWS CodePipeline to deploy immutable infrastructure

2.3 System Hardening
- Leverage a CIS Hardened image as the base AMI image of the SWIFT components
- Consider periodically restarting the host from the latest CIS hardening baseline to ensure the system is continuously hardened

2.4A Back-office Data Flow Security
- If a hybrid architecture is used, i.e. back office applications are on-prem and the SWIFT secure zone is on AWS, consider using VPN over Direct Connect for network connectivity
- mTLS can be set up from the on-prem application to Amazon MQ in AWS

2.5A External Transmission Data Protection
- Leverage AWS Backup for backing up application content in EBS volumes and the RDS Oracle database periodically
- Backups of the EBS volume and RDS Oracle are encrypted using KMS by default.

2.6 Operator Session Confidentiality and Integrity
- Use AWS Systems Manager Session Manager as the jump host
- Enable the session logging function to capture session information, and stream the session data to an encrypted Amazon CloudWatch Logs log group or an encrypted Amazon S3 bucket
- (Optional) Add AWS KMS encryption on Session Manager
- Use the aws:MultiFactorAuthPresent condition so that MFA is required for root OS user login
- Tag SSMSessionRunAs to run as a specific OS user
- Access Systems Manager Session Manager from the private network

2.7 Vulnerability Scanning
- Bundle the Amazon Inspector Agent into the base image of the AMI
- Leverage AWS Security Hub for a single-pane-of-glass view of security alerts and security posture

2.8A Critical Activity Outsourcing
N/A

2.9A Transaction Business Controls
N/A

2.10 Application Hardening
Guidance for securing the Messaging and Communication interfaces for SWIFT applications (AMH, SAA, SAG, SNL) is in the SWIFT Knowledge Centre. For example, the Security Guidance document for AMH can be found here:
https://www2.swift.com/knowledgecentre/rest/v1/publications/amh_sec_guid_doc/3.0/amh__Security_Guidance_1901108_v1_3.pdf?logDownload=true

2.11A RMA Business Controls
Guidance for relationship management can be found in this document supplied by SWIFT:
https://www2.swift.com/knowledgecentre/publications/aa_7_5_rma_guid/2.0

4.1 Password Policy
- AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- The password policy is defined by the organization and adheres to this CSP control
- If AWS users are used, the password policy can be set using the steps documented here
- If federation is used for accessing the AWS environment, the password policy must be implemented on the IdP

4.2 Multi-factor Authentication
- Enable MFA on the AWS root user
- Enable MFA on every user/role that has access to Systems Manager - Session Manager
- Enable MFA on AWS SSO
- Use the aws:MultiFactorAuthPresent IAM condition to enforce MFA
- Leverage the above condition to restrict Systems Manager Session Manager access to callers who authenticated with MFA
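An added example (not from the Quick Start or the sheet) of an IAM policy for a SWIFT Operator role that applies the Session Manager guidance of Controls 1.2, 2.6 and 4.2 together: sessions may only be started on instances carrying an assumed tag (SWIFTZone=secure, a key I chose), only when aws:MultiFactorAuthPresent is true, only with the default shell document, and a caller may only resume or terminate their own sessions; the OS account used inside the session comes from the SSMSessionRunAs tag described above. The tag key SWIFTZone and the statement IDs are assumptions; the action names and condition keys are AWS's.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedSwiftHostsWithMfa",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "StringEquals": { "aws:ResourceTag/SWIFTZone": "secure" }
      }
    },
    {
      "Sid": "DefaultShellDocumentOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ],
      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
    },
    {
      "Sid": "DenySessionsWithoutMfa",
      "Effect": "Deny",
      "Action": [ "ssm:StartSession", "ssm:ResumeSession" ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

The session-name pattern `${aws:username}-*` follows AWS's documented convention for IAM users; for federated (AWS SSO) identities the session prefix differs and the resource pattern has to be adjusted accordingly.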
5.1 Logical Access Control
For Logical Access Control on the application level, please refer to the guidance for securing the Messaging and Communication interfaces for SWIFT applications (AMH, SAA, SAG, SNL) in the SWIFT Knowledge Centre. For example, the Security Guidance document for AMH can be found here:
https://www2.swift.com/knowledgecentre/rest/v1/publications/amh_sec_guid_doc/3.0/amh__Security_Guidance_1901108_v1_3.pdf?logDownload=true

5.2 Token Management
N/A

5.3A Personnel Vetting Process
N/A

5.4 Physical and Logical Password Storage
- AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

6.1 Malware Protection
If the customer is looking to accomplish this optional requirement for Linux hosts, or is hosting the various components on Windows hosts, AWS partner solutions can be considered:
- Symantec
- Trend Micro
- CrowdStrike

6.2 Software Integrity
If the customer is only using SWIFT-provided software in the secure zone, the control is met. If custom software is run in the secure zone, a third-party FIM tool such as Tripwire or CrowdStrike (FIM) can be employed.

6.3 Database Integrity
- Don't share the database instance with other workloads.
- Have designated users and roles to ensure segregation of duty for the database tables.
- Use AWS Secrets Manager to store and rotate the password for the database user login
- Implement a detective control for the check-out of the database password from Secrets Manager

6.4 Logging and Monitoring
- Leverage AWS Control Tower to set up the landing zone, which comes with a centralized audit trail and Config by default
- CloudTrail and AWS Config should be turned on and forward their logs to the centralized location
- The CloudWatch Agent is installed in the base AMI and is configured to send logs to CloudWatch
- For CloudTrail, log file validation should be enabled. Digest files will be delivered as part of the CloudTrail log delivery
- If CloudTrail is delivered to S3, the S3 bucket should have MFA delete enabled

6.5A Intrusion Detection
- Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon
- Leverage an AWS Partner solution for network layer IDS/IPS
- Leverage AWS Gateway Load Balancer for traffic inspection

7.1 Cyber Incident Response Planning
Please see the AWS Security Incident Response Guide:
https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

7.2 Security Training and Awareness
Security Engineering on AWS training is available here:
https://aws.amazon.com/training/course-descriptions/security-operations/
The Certified Security Specialty certification is available here:
https://aws.amazon.com/certification/certified-security-specialty/
Use SWIFT.com training, including SWIFTSmart.

7.3A Penetration Testing
Please see the AWS penetration testing guideline here:
https://aws.amazon.com/security/penetration-testing/

7.4A Scenario Risk Assessment
Please refer to CSCF_v2021 for additional guidance

References to AWS Artifact

For each control: Please contact your AWS account team for more details.

The one exception in the sheet is internet access, which is split as follows:
Customer: This is a customer responsibility. Customers decide what applications and systems will connect to the public internet.
AWS: Please contact your AWS account team for more details

