PCI Compliance requires that the network as well as the data be secured – both at rest and in transit. Here are some relevant AWS services that help achieve PCI compliance on AWS.

AWS Services used for PCI Compliance

Securing the network

1. Segment card-data-specific servers into their own VPC/subnet. This makes a PCI audit easier.
2. A firewall configuration must be installed and maintained, and system passwords must be original (not vendor-supplied) – AWS IAM, AWS Security Groups and NACLs, or 3rd-party firewall appliances.
3. Secure cardholder data – stored cardholder data must be protected.
4. Transmissions of cardholder data across public networks must be encrypted – native DB TDE or SSE (including AWS KMS with customer-managed keys).

Vulnerability management – Anti-virus software must be used and regularly updated. Secure systems and applications must be developed and maintained. – AWS Inspector and AWS Systems Manager

Access control – Cardholder data access must be restricted to a business need-to-know basis. Every user with computer access must be assigned a unique ID. Physical access to cardholder data must be restricted. – AWS IAM and AWS SSO groups are the services needed here.

Network monitoring and testing – Access to cardholder data and network resources must be tracked and monitored. – CloudTrail and CloudWatch enabled; VPC Flow Logs enabled.
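The segmentation in item 1 and the VPC Flow Logs mentioned above only pay off if someone checks the logs against the segmentation policy. As an added example (not part of the original post), the script below parses records in the default VPC Flow Log format and flags traffic that was accepted into the cardholder-data subnet from a source outside the approved networks. The CDE CIDR, the allowed source CIDRs and the sample log lines are all constructed values.

```python
# Added example (not from the original post): audit VPC Flow Log records for
# traffic accepted into a cardholder-data subnet from outside the approved sources.
# The CDE CIDR, the allowed source CIDRs and the sample log lines are constructed.
import ipaddress

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed example values: the cardholder-data subnet and the only
# networks allowed to reach it (e.g. a bastion subnet and the app tier).
CDE_CIDR = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24"),
                   ipaddress.ip_network("10.30.0.0/24")]

# Constructed sample records laid out like the default flow log format.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.20.0.15 10.10.0.7 49152 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.0.7 51000 5432 6 5 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.10.0.7 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.0.7 10.30.0.4 5432 49200 6 9 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per well-formed record; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec

def is_unapproved_ingress(rec):
    """True if traffic was ACCEPTed into the CDE from a source not on the allow-list."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if rec["action"] != "ACCEPT" or dst not in CDE_CIDR:
        return False
    return not any(src in net for net in ALLOWED_SOURCES)

def find_unapproved_ingress(text):
    """Return (srcaddr, dstaddr, dstport) for every accepted flow that violates the allow-list."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"]))
            for r in parse_flow_log(text) if is_unapproved_ingress(r)]

if __name__ == "__main__":
    for src, dst, port in find_unapproved_ingress(SAMPLE_LOG):
        print(f"ALERT: accepted traffic into CDE host {dst}:{port} from unapproved source {src}")
```

Rejected flows and traffic leaving the CDE are ignored here; in practice the same check would run over flow logs delivered to CloudWatch Logs or S3 rather than an inline string.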


Anuj Varma, Hands-On Technology Architect, Clean Air Activist.