PCIDSS Over AWS
PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication
data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated
by the card brands and administered by the Payment Card Industry Security Standards Council.
For the list of AWS services that are PCI DSS compliant, see the PCI tab at the link below:
https://aws.amazon.com/compliance/services-in-scope/
Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with
associated groups, roles, and instance profiles.
PCI-compliant password policy.
Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for
different application tiers and private (back-end) subnets for the application and the database.
Managed network address translation (NAT) gateways to allow outbound internet access for
resources in the private subnets.
A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for
troubleshooting and systems administration activities.
Network access control list (network ACL) rules to filter traffic.
Standard security groups for EC2 instances.
Centralized logging, monitoring, and alerts using AWS CloudTrail, AWS CloudWatch, and, optionally,
AWS Config rules.
PCI DSS Checklist: Security Goals & Requirements
By achieving the six security goals stated by PCI, you build more robust applications on AWS, offer the
reliability your customers expect, and end up with systems prepared for the significant demand of the market.
Each of these security goals is subdivided into requirements; together they make up the complete set of 12
security controls you need to integrate with AWS so that your applications become compliant with this PCI DSS
compliance checklist.
Tech side: This category covers the technologies, tools, network controls, and similar measures that you should
integrate into your AWS infrastructure to protect your information assets.
Doc side: This category covers the documented processes and configurations that PCI DSS requires to support
your security posture, and that make visible to all your stakeholders why your application is secure and
reliable.
The examples below show how to achieve each goal for a PCI DSS compliant infrastructure on AWS.
Requirement 1: Build and Maintain a Secure Network and Systems - Install and maintain a firewall
configuration to protect the cardholder data.
Tech Side:
Configure the AWS Web Application Firewall (WAF) to protect the applications layer.
Create network access control lists (network ACLs) to restrict access to the infrastructure.
Create AWS security groups to restrict access to application services.
Allow access to applications and infrastructure only from the countries where you need to be
available.
Store the code for applications in private repositories on AWS CodeCommit or any other code
repository service, such as GitHub or Bitbucket.
Secure endpoints via two-factor authentication, user agent, or geolocation.
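As an added example (not code from the original page), here is how a defender can check the security-group part of this requirement before an assessor does: the script audits inbound rules in the shape that boto3's ec2.describe_security_groups() returns and reports every rule that exposes a port other than HTTPS to the whole internet. The sample groups, the group IDs and the allow-list of public ports are constructed for the example; nothing in it calls AWS.

```python
"""Audit EC2 security group inbound rules against a small public allow-list.

SAMPLE_GROUPS is constructed to match the shape of
ec2.describe_security_groups()["SecurityGroups"]; nothing here calls AWS.
"""
from typing import Dict, List, Set, Tuple

# Assumption for this example: on the external-facing tier only HTTPS may be
# reachable from the whole internet. SSH belongs behind the bastion host and
# the database port must only accept the application tier's security group.
PUBLIC_ALLOWED_PORTS: Set[int] = {443}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: a correct web-tier group, a database group that wrongly
# exposes SSH, and a legacy group that allows all traffic from anywhere.
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0aaa1111",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}],
             "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb2222",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0ccc3333"}]},  # app tier only
        ],
    },
    {
        "GroupId": "sg-0ddd4444",
        "GroupName": "legacy-admin",
        # IpProtocol "-1" means all protocols; the API omits FromPort/ToPort.
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def is_world_open(perm: Dict) -> bool:
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def port_range(perm: Dict) -> Tuple[int, int]:
    """Ports a rule covers; an all-protocols rule covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups: List[Dict],
                          allowed: Set[int] = PUBLIC_ALLOWED_PORTS) -> List[Dict]:
    """Return one finding per inbound rule that exposes a non-allowed port
    to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not is_world_open(perm):
                continue
            lo, hi = port_range(perm)
            exposed = set(range(lo, hi + 1)) - allowed
            if exposed:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg["GroupName"],
                    "IpProtocol": perm.get("IpProtocol"),
                    "Ports": f"{lo}-{hi}" if lo != hi else str(lo),
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['Ports']} open to the world")
```

Against the sample, only the SSH rule on the database group and the all-traffic rule on the legacy group are reported; the web tier's HTTPS rule and the database rule that references the application tier's group pass. In a real account, feed the function the page of results from describe_security_groups() and keep the same allow-list in version control next to the network security policy the Doc side asks for.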
Doc Side:
Create a Network Security Policy document that addresses the following:
The process to approve and test all new network connections.
The process to approve and test changes to the firewall and router configurations.
A network diagram that documents all connections between the cardholder data environment and
other networks (including any wireless networks).
The process for updating the network diagram as required.
A diagram that shows all cardholder data flows across systems and networks.
The process for updating the data flow diagram as required.
The list of vulnerable services, protocols, and ports, and the security controls applied to them.
The plan for periodically performing reviews and maintenance on firewalls and networking rules.
The accepted standard for firewall configurations:
Controls and rules for inbound and outbound traffic.
Process and rules for adding new connections for external networks.
Owner(s) of each process.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
parameters.
Tech Side:
Configure AWS multi-factor authentication (MFA) and confirm that it is enforced for every IAM user and role
that can access applications and infrastructure elements.
Doc Side:
Tech side:
Isolate your database service (Relational Database Service (RDS), DynamoDB, Aurora Serverless, etc.)
from the internet.
Grant access to database services only to those IAM roles that really require it to perform their
functions.
Replicate all the data stored in databases across multiple zones in the cloud, so that it is not lost in
the case of a disaster.
Create periodic backups of both application code and the data stored in databases.
Store the backups on AWS S3 and create a backup rotation approach.
Enable scaling and failover for your database servers so that they stay highly available under user
demand.
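As an added example (not code from the original page), the database items above translate into two small pieces of code: an audit of RDS instances in the shape rds.describe_db_instances() returns, flagging any instance that is reachable from the internet, has no multi-AZ standby, or keeps automated backups for too few days, and a builder for the S3 lifecycle rule that rotates backups copied to a bucket. The instance records, the retention floor of 7 days and the bucket prefix are constructed for the example; nothing calls AWS.

```python
"""Audit RDS instances for the database controls in this section and build
the S3 lifecycle rule that rotates the backups stored there.

SAMPLE_DB_INSTANCES is constructed to match rds.describe_db_instances()
["DBInstances"], trimmed to the fields used; backup_rotation_rule() returns
the shape s3.put_bucket_lifecycle_configuration() expects for
LifecycleConfiguration. Nothing here calls AWS.
"""
from typing import Dict, List

# Assumption: the team's own floor for automated backup retention. The
# checklist asks for periodic backups but fixes no number of days.
MIN_BACKUP_RETENTION_DAYS = 7

# Constructed sample: one instance in the private tier done right, one legacy
# instance that breaks every item in the list.
SAMPLE_DB_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "cde-orders", "Engine": "postgres",
     "PubliclyAccessible": False, "MultiAZ": True, "BackupRetentionPeriod": 14,
     "DBSubnetGroup": {"DBSubnetGroupName": "private-db-subnets"}},
    {"DBInstanceIdentifier": "legacy-reports", "Engine": "mysql",
     "PubliclyAccessible": True, "MultiAZ": False, "BackupRetentionPeriod": 0,
     "DBSubnetGroup": {"DBSubnetGroupName": "default"}},
]


def audit_db_instances(instances: List[Dict],
                       min_retention: int = MIN_BACKUP_RETENTION_DAYS) -> Dict[str, List[str]]:
    """Map each non-conforming instance id to the controls it misses."""
    findings: Dict[str, List[str]] = {}
    for db in instances:
        issues = []
        if db.get("PubliclyAccessible"):
            issues.append("reachable from the internet (PubliclyAccessible=true)")
        if not db.get("MultiAZ"):
            issues.append("single-AZ: no standby replica for failover")
        if db.get("BackupRetentionPeriod", 0) < min_retention:
            issues.append(f"automated backups kept fewer than {min_retention} days")
        if issues:
            findings[db["DBInstanceIdentifier"]] = issues
    return findings


def backup_rotation_rule(prefix: str, cold_after_days: int,
                         expire_after_days: int) -> Dict:
    """Lifecycle configuration that moves backup objects under `prefix` to
    Glacier after `cold_after_days` and deletes them after `expire_after_days`.
    S3 rejects a rule whose expiration is not later than its transition, so
    the same check is applied here before anything is sent."""
    if cold_after_days < 1 or expire_after_days <= cold_after_days:
        raise ValueError("expiration must come after the Glacier transition")
    return {"Rules": [{
        "ID": f"rotate-{prefix.strip('/')}",
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": cold_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_after_days},
    }]}


if __name__ == "__main__":
    for db_id, issues in audit_db_instances(SAMPLE_DB_INSTANCES).items():
        for issue in issues:
            print(f"{db_id}: {issue}")
    print(backup_rotation_rule("rds-snapshots/", cold_after_days=30, expire_after_days=365))
```

Only legacy-reports is reported, with all three issues. The lifecycle rule is data rather than an API call so that it can be reviewed and stored with the documented backup rotation approach the Doc side will ask for, then applied with put_bucket_lifecycle_configuration() once approved.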
Doc side: