A guide to creating PCI DSS Compliant Infrastructure in AWS

PCI DSS or Payment Card Industry Data Security Standard is a proprietary information security standard administered by the Payment Card Industry (PCI) Security Standards Council. It applies to everything within the cardholder data environment (CDE) including technologies, people, and processes. For any organization that stores, processes or transmits cardholder data (CHD) or sensitive authentication data (SAD), PCI DSS compliance is essential. CHD includes Primary Account Number (PAN), cardholder name, expiration date, and service code, while SAD includes full track data (magnetic-stripe data or equivalent), CAV2/CVC2/CVV2/CID, and PINs/PIN blocks. If you are an organization looking to build a PCI DSS-compliant environment in AWS, this guide will tell you everything you need to know about building a PCI DSS-compliant environment in Amazon Web Services (AWS).

We will address the 6 key ‘principles’  that animate the 12 PCI DSS requirements and how  to achieve them an AWS environment.   This post will confine itself to infrastructure related components in AWS and the implications to you under the ‘shared responsibility model’. Please note, your organization will need to meet all 12 requirements in their entirety in order to make your payment card transaction environment PCI DSS compliant. Subsequent posts in this series will address how to meet the other requirements and the non-infrastructure parts of the requirements.

Amazon Web Services and PCI DSS

Amazon Web Services (AWS) is certified as a PCI DSS 3.2 Level 1 Service Provider, the highest level of assessment available. This means that AWS has effectively implemented security management processes and PCI DSS requirements (in a virtualized, multi-tenant environment). AWS publishes a very good Standardized Architecture for PCI DSS Compliance on AWS which outlines key principles, provides architectural guidance and has links to CloudFormation templates for realizing a basic architecture. Small organizations and organizations who are starting out will do well to familiarize themselves with the principles outlined there. Organizations that use AWS products and services to store, process or transmit cardholder data do not need to assess AWS infrastructure. They can configure these services to help them manage their own PCI DSS compliance certification. It’s important to note that security and compliance are shared responsibilities  between AWS and the organization.

So while AWS operates, manages and controls all the components from the host operating system and virtualization layer down to the physical security of facilities ( “security of the cloud”), organizations are responsible for their systems and services configured and provisioned on AWS (“security in the cloud”).

Principles of PCI DSS Compliance

The twelve primary requirements for PCI DSS compliance on AWS are broadly classified under six areas or ‘principles’. If all the conditions specified by these principles – which are both ‘operational’ and ‘technical’ – are met, then the organization’s payment card transaction environment is compliant with PCI DSS requirements:

1. Build and maintain a secure network This involves using a firewall to protect data without the use of vendor-supplied (default) security protocols, e.g. passwords. AWS provides a Quick Start template (one main template for initial setup and three optional customization templates) with a standardized architecture to create a secure network that complies with PCI DSS v3.2.1. These templates automatically configure the AWS resources and deploy a multi-tier, Linux-based web application in just a few steps.
2. Protect CHD This entails protecting cardholder data and encrypting its transmission across open/public networks. A number of AWS services can help support the encryption and key management requirements of PCI DSS for protecting CHD, such as Amazon Simple Storage Service (Amazon S3) and AWS Key Management Services (KMS). To support the transit encryption requirements of PCI DSS, AWS components like AWS Direct Connect, elastic load balancers, network ACLs, etc. can be used.
3. Maintain a Vulnerability Management Program The vulnerability of the data network can be reduced by installing antivirus and anti-malware software, and by developing and maintaining secure systems and applications. AWS Security Hub [LINK TO CHILD PAGE] provides a comprehensive solution to centrally view and manage high-priority security alerts, and to automate security checks. The Vulnerability Management Program can be further strengthened by Amazon Inspector and Amazon GuardDuty. The former is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. GuardDuty provides intelligent threat detection and continuous monitoring to protect AWS accounts, workloads and data, and ensure compliance with PCI DSS. To know how to implement these solutions for your AWS setup, check these pages here. [LINK TO BOTH CHILD PAGES]
4. Implement strong access control measures Access control is implemented by restricting physical access to CHD, restricting access on a ‘need-to-know’ basis, and by incorporating identity authentication. To support the account management requirements of PCI DSS, AWS provides comprehensive Identity and Access Management (IAM). IAM enables organizations to manage access to AWS service APIs and resources securely. This means that they can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. In addition, IAM provides multi-factor authentication (MFA) for highly privileged users to further strengthen AWS environment protection. AWS recommends some best practices and solutions to help organizations manage access to AWS resources and cardholder data as per PCI DSS. One such solution, AWS CloudTrail tracks user activity and detects unusual API usage. Another – AWS Config enables continuous assessment, audit and evaluation of AWS resource configurations. To know how these solutions help with PCI DSS compliance, check these pages here. [LINK TO BOTH CHILD PAGES]
5. Monitor and test networks regularly Access to all network resources and CHD must be tracked and monitored. In addition, regular security system checks must be conducted in the form of vulnerability scanning, penetration testing, and intrusion prevention.
6. Maintain an information security policy This policy must address information security, and document all the procedures to be followed by all personnel handling secure data.

How AWS can help you in meeting your compliance needs?

AWS PCI DSS Complied Reference Architecture

Three AWS reference architectures commonly used to build or assess a PCI DSS-compliant environment are: 1. Dedicated: An AWS PCI environment that’s not connected to anything else 2. Segmented: A Card Data Environment (CDE) and in-scope systems within a larger AWS environment 3. Connected: An environment with both AWS and on-premise items

AWS Tools

To help organizations plan for, document and achieve the PCI DSS compliance of their AWS workloads, AWS offers a number of tools or ‘compliance aids’.

AWS CloudTrail

With AWS CloudTrail, organizations can continuously log, monitor, and retain account activity across their AWS infrastructure. CloudTrail enables governance, compliance and risk auditing of AWS accounts, simplifies operational analysis, resource change tracking and troubleshooting, and helps automate security. Here is a blog that we published recently on AWS CloudTrail. You may follow the link to see how AWS can simplify your AWS account audit.

AWS Config

AWS Config enables organizations to assess, audit and evaluate the configurations of their AWS resources through continuous monitoring and recording. This helps them simplify their enterprise-wide PCI DSS compliance auditing, security analysis, AWS resource inventory, operational troubleshooting and change management. Here one of our blogs that you can follow to enable AWS Config - Enabling AWS Config.

AWS Security Hub

AWS Security Hub aggregates, organizes, and prioritizes an organization’s security alerts/ findings from multiple AWS services/accounts in a single place. It continuously monitors the environment using automated security checks based on AWS best practices and industry standards, and thus enables them to improve their security posture based on PCI DSS. In summary, AWS Security Hub is a terrific tool to automate your compliance need.

Amazon Inspector

The Amazon Inspector automated service runs on applications deployed on AWS to improve their security and compliance. It operates on a set of knowledge-based rules to assess these applications for exposure, vulnerabilities, and deviations from security best practices, thus improving development agility and streamlining security compliance processes. It then produces a report detailing a list of security findings prioritized by level of severity. We recently published a blog on AWS Inspector too. You can follow up this step-by-step instruction to enable CVE scan in EC2 instances - CVE Scan using AWS Inspector.

AWS GuardDuty

AWS GuardDuty is intelligent, ‘managed’, comprehensive, and cost-effective threat detection service in AWS. It uses Machine Learning, anomaly detection and integrated threat intelligence to continuously detect, monitor, and report malicious activities or unauthorized behaviors across multiple AWS data sources, and instances of possible account compromise. It can be enabled without deploying or maintaining expensive software or hardware. Here is a link you can follow to enable Threat Management Using AWS GuardDuty.