How to Build a PCI-DSS-Compliant Environment With AWS

by Zohar Alon, CEO & Co-Founder at Dome9

In today’s digital age, PCI-DSS compliance is one of the most important security standards, and quite possibly the highest in demand by online service providers. According to AWS, their PCI FAQ page has received more than 45K views, and their PCI compliance package has been issued to customers from industries across the board. Moreover, they recently released their PCI Compliance Workbook, which describes the methodologies that are used to deploy environments that are PCI compliant within AWS. The book provides general guidelines that aim to help AWS users meet all of the 12 PCI requirements.

After having read the 50-page book, we would like to share our key takeaways. Below, we’ve highlighted the most important tips and guidelines, which can serve as a checklist to make your environment PCI-compliant.

Who’s Responsible?

As you may know, most of AWS is already PCI-compliant, including all infrastructure and management. Here is a list of AWS services and regions that are compliant (which is practically all of them). However, it’s important to note that AWS’ PCI compliance only provides customers with a secure environment on AWS’ end, according to the organization’s shared responsibility model.

AWS provides customers with a PCI-compliant environment and the building blocks they need to create a secure cloud (a.k.a. “security of the cloud”). In turn, AWS customers are expected to implement and operate their own security measures for their network and assets (a.k.a. “security in the cloud”). Ultimately, PCI compliance lies in the hands of the customer rather than AWS.

Now, if you don’t know about the shared responsibility model, we advise you to take the time to learn about it before you continue learning about PCI in AWS. Learn more here.

The 12 Requirements

#1 Implement and Maintain a Firewall

No one should be able to directly access a private subnet from the public internet. Therefore, all network security policies should be clearly defined and implemented. Separate a compliant environment’s network from other environments’ less sensitive ones, and secure the network using a VPC in order to monitor both outbound and inbound traffic. Lastly, you should continuously and consistently configure security groups and network ACL rules in order to control traffic. See how AWS WAF and Dome9 network security controls can help you implement a secure AWS network.

#2 Change System Defaults

As part of the PCI requirement to harden your hosts, make sure to change your default administrator and root credentials. In addition, instances should be single-purpose, which can be done by separating your web server from your database and making sure that services like FTP are not installed on production instances. Remove redundant services or scripts, and make sure to leverage additional measures such as passphrases on SSH key pairs.

#3 Protect Cardholder Data

AWS supports several different ways to store information in a secure manner. EBS non-root volumes and S3 buckets support volume-level encryption using AES-256. If you keep your data in S3, you can use three different server-side mechanisms for key management: S3-Managed Keys, KMS and your own keys (with KMS). If you use RDS, you can use both KMS and TDE (Transparent Data Encryption) with SQL and Oracle instances. In addition, there are multiple tools in the AWS marketplace that can facilitate encryption. And, last but not least, use AWS IAM to control access to your environment, especially acess to sensitive data repositories.

#4 Encrypt Data in Transit

AWS ELB (Elastic Load Balancing) supports SSL/TLS (see the ELB security policies table), and by correctly using security groups and NACLs, you can block unwanted traffic and avoid using unsecure protocols. In addition, you can leverage AWS Direct Connect to create a dedicated secure tunnel between your enterprise data center and your AWS environment.

#5 Protect Against Malware

Use anti-virus protection on your EC2 instances, and make sure that everything is up-to-date. You should also use vulnerability scanners on a regular basis in order to keep your dynamic system robust.

#6 Develop With Security in Mind

Maintain security patches and track AWS security-related updates. Employ change management processes and tools to make sure your code and environment updates are tracked and documented. Monitor system behavior and performance using CloudTrail and other third-party tools. Make sure you are able to use these logs to quickly track and remediate security issues. Automate delivery, and leverage it to streamline security enhancements on a continuous basis.

#7 Limit Access

In order to keep your AWS environment secure for PCI, or in general, it is a best practice to limit access to different environments according to their needs right from the get-go. As mentioned in the firewall section above, maintain a dedicated environment that is PCI-compliant, use AWS IAM to control who has access to that environment, and limit SSH, RDP, and other network protocols. If your organization is used to working with AD (Active Directory), you can leverage AWS AD Connector. Learn more about AWS AD Connector here.

#8 Identification and Authentication

Everyone in your team needs to have an IAM user, and root access should not be used. AWS supports various options for MFA (multi-factor authentication), including the use of virtual, and even physical devices. According to the AWS compliance workbook, you will need to employ an external identity provider in order to enforce account lockouts and idle session timeouts. In addition, if your organization uses SAML authentication, you can enable SSO (single sign-on) to directly authenticate accounts with the AWS management console. Learn how to enable SAML 2.0 for the AWS Console.

#9 Restrict Physical Access

This is AWS’ part of the deal…so, no worries here — you are covered.

#10 Monitor Network and Access

You need to maintain complete transparency in your AWS compliant network. This includes your network’s security policy and instance configuration, as well as retaining an audit trail on all changes. In addition, all user activities need to be monitored as well. Monitoring includes receiving alerts in a timely manner and keeping the log data in a separate data repository with limited access. The use of Dome9, CloudTrail and VPC Flow Logs will support your SIEM (security information and event management) specifications and help you gain the transparency you need.

#11 Test Security Routine

Create a routine that includes vulnerability scanning, penetration testing, file integrity monitoring, and log inspection. It is advisable to automate these actions by streamlining them through integration and test processes (i.e., continuous integration and testing), as is done in every automated functional or any other system test. You should also run periodic third-party audits. Learn more about rugged DevOps here.

#12 Write Your Own Book

Document and share security policies with relevant product stakeholders and IT personnel. Your workbook should include login information and network security preferences, in addition to resource information and network topology and configuration. It should also include how your NOC team will react in the case of security breaches or related issues.

Summary

The AWS technical workbook for PCI compliance also includes three references to common compliant architectures. The best practices relate to the option of having a separate dedicated PCI environment that is still part of a larger deployment or hybrid scenario. One of the major issues regarding PCI compliance deployment is that it can delay time to market. As such, we welcome you to learn more about Dome9’s broad set of controls that can help you accelerate deployment, or simply contact us for more information.