PCI Compliance for 3 Tier Apps hosted on AWS
PCI Compliance requires that the network as well as the data be secured – both at rest and in transit. Here are some relevant AWS services that help achieve PCI compliance on AWS.
AWS Services used for PCI Compliance
Securing the network
- Segment card-data-specific servers into their own VPC/subnet. This makes a PCI audit easier.
- A firewall configuration must be installed and maintained, and system passwords must be original (not vendor-supplied) – AWS IAM, AWS Security Groups and NACLs, or third-party firewall appliances.
- Secure cardholder data – Stored cardholder data must be protected, and transmissions of cardholder data across public networks must be encrypted – Native DB TDE or SSE (including AWS KMS, with customer-managed keys) protect the stored data.
- Vulnerability management – Anti-virus software must be used and regularly updated, and secure systems and applications must be developed and maintained – AWS Inspector and AWS Systems Manager.
- Access control – Cardholder data access must be restricted to a business need-to-know basis, every user with computer access must be assigned a unique ID, and physical access to cardholder data must be restricted – AWS IAM and AWS SSO groups are the services needed here.
- Network monitoring and testing – Access to cardholder data and network resources must be tracked and monitored – CloudTrail and CloudWatch enabled, VPC Flow Logs enabled.
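Two of the controls above (no public exposure of the card-data servers via Security Groups, and KMS customer-managed keys for stored cardholder data) can be audited offline from the JSON that boto3 returns. The script below is an added example, not code from the original post; its input dictionaries are constructed samples in the shape of ec2.describe_security_groups() and s3.get_bucket_encryption() responses, and the database port list and the alias/aws/ heuristic for spotting AWS-managed keys are assumptions.

```python
"""Offline PCI checks over boto3-shaped data (constructed samples, no AWS calls)."""

# Assumed listener ports for databases holding cardholder data in the CDE subnet.
CARD_DATA_PORTS = {3306, 5432, 1433}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_db_ingress(security_group: dict) -> list:
    """Findings for ingress rules that expose a card-data DB port to the whole internet."""
    findings = []
    gid = security_group["GroupId"]
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":      # "-1" = all protocols, all ports
            low, high = 0, 65535
        else:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        exposed = sorted(p for p in CARD_DATA_PORTS if low <= p <= high)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                findings += [f"{gid}: port {p} open to {cidr}" for p in exposed]
    return findings


def uses_customer_managed_kms(encryption_config: dict) -> bool:
    """True only when default bucket SSE is aws:kms with a key that is not an AWS-managed alias."""
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        key = default.get("KMSMasterKeyID", "")
        # Heuristic (assumption): AWS-managed keys surface as alias/aws/<service>.
        if default.get("SSEAlgorithm") == "aws:kms" and key and "alias/aws/" not in key:
            return True
    return False


SAMPLE_SG = {  # constructed sample: HTTPS open to all is fine, MySQL open to all is not
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
SAMPLE_ENCRYPTION = {  # constructed sample with a placeholder customer-managed key ARN
    "ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}

if __name__ == "__main__":
    for finding in open_db_ingress(SAMPLE_SG):
        print("FINDING:", finding)
    print("customer-managed KMS on bucket:", uses_customer_managed_kms(SAMPLE_ENCRYPTION))
```

Against a live account, feed the functions the per-group and per-bucket dictionaries returned by boto3 and treat any finding or a False result as an audit exception to resolve before the assessment.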
Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.