PCI Compliance in AWS

intelligent information security ANITIAN PCI COMPLIANCE IN AWS

Transcript of PCI Compliance in AWS

Page 1: PCI Compliance in AWS


PCI COMPLIANCE IN AWS

Page 2: PCI Compliance in AWS


Overview

Intent
• Discuss PCI compliance in AWS
• Outline AWS services that help meet PCI requirements

Outline
1. PCI Reference Architectures
2. AWS Services for PCI Compliance
3. Third Party Solutions
4. AWS PCI Best Practices
5. Q&A

Page 3: PCI Compliance in AWS


Meet the Speakers

Adam Gaydosh
• Anitian’s Director of Professional Services
• Qualified Security Assessor
• 15+ years experience in IT and Security

Jordan Wiseman
• Certified Risk Assessor
• Cloud Security Specialist
• 15+ years experience in IT and Security

Page 4: PCI Compliance in AWS


We enlighten, protect and empower great security leaders. We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis


Page 5: PCI Compliance in AWS


PCI IN AWS OVERVIEW

Page 6: PCI Compliance in AWS


AWS Compliance Status

• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider

• Attestation of Compliance (AOC) & Responsibility Matrix available to customers pursuing their own compliance

• Customer’s compliance is not inherited from AWS

Page 7: PCI Compliance in AWS


Cloud Compliance is a Shared Responsibility

Page 8: PCI Compliance in AWS


AWS COMPLIANT PCI SERVICES

Page 9: PCI Compliance in AWS


Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• AWS Services
  • Virtual Private Clouds (VPCs)
  • Security Groups
  • VPC Network ACLs

• Other Strategies and Considerations
  • Third-party Amazon Machine Images (AMIs)
    – Firewall
    – UTM
    – IDS/IPS
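The Security Group bullet above is where most Requirement 1 findings come from in practice: a rule that admits 0.0.0.0/0 to anything but the intended public service. Below is an added example (not code from the deck, Anitian or AWS) that reviews security groups for such exposure; the input is a constructed sample in the shape of boto3's `describe_security_groups()` response, and the allowlist of Internet-facing ports is an assumption.

```python
"""Flag security group ingress open to the world beyond an allowlist (PCI DSS Req. 1).
Added example, not code from the deck, Anitian or AWS. SAMPLE_GROUPS is constructed in the
shape of boto3's ec2.describe_security_groups() response; PUBLIC_ALLOWLIST is an assumption
(only HTTPS on the DMZ web tier may face the Internet)."""
from typing import Dict, List, Optional

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
PUBLIC_ALLOWLIST = {("tcp", 443)}  # assumption: (protocol, port) pairs allowed from anywhere

SAMPLE_GROUPS = {"SecurityGroups": [  # constructed sample, not real groups
    {"GroupId": "sg-0web", "GroupName": "dmz-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]},
    {"GroupId": "sg-0jump", "GroupName": "jumpbox", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-0db", "GroupName": "internal-rds", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
]}

def open_to_world(perm: Dict) -> bool:
    """True when the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def exposed_service(perm: Dict) -> Optional[str]:
    """Describe what the rule exposes, or None if every port in it is allowlisted."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                      # all protocols and ports
        return "all traffic"
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if lo == -1:                           # e.g. ICMP wildcard type/code
        return f"{proto}/all"
    allowed = {port for p, port in PUBLIC_ALLOWLIST if p == proto}
    if all(port in allowed for port in range(lo, hi + 1)):
        return None
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"

def review_groups(groups: Dict) -> List[str]:
    """One finding per rule that is reachable from anywhere and not fully allowlisted."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            what = exposed_service(perm)
            if what is not None:
                findings.append(f"{sg['GroupId']} ({sg['GroupName']}): {what} open to the world")
    return findings
```

Running it on the sample flags the jumpbox SSH rule and the database group's all-traffic rule, while the web tier's HTTPS rule passes.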

Page 10: PCI Compliance in AWS


Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• AWS Services
  • Elastic Compute Cloud AMIs

• Other Strategies and Considerations
  • Amazon-supplied AMIs have no defaults
  • Third-party AMIs might have defaults
  • Pre-hardened AMIs available from Anitian in AWS Marketplace

Page 11: PCI Compliance in AWS


Requirement 3: Protect stored cardholder data

• AWS Services
  • Elastic Block Store (EBS)
  • Simple Storage Service (S3)
  • Key Management Service (KMS)
  • Relational Database Service (RDS)

• Other Strategies and Considerations
  • EBS not OS independent
  • Self-managed DBs and Transparent Data Encryption
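EBS and RDS both offer KMS-backed encryption at rest, but only for resources created that way, so an assessor will want an inventory of what in the CDE is still stored in the clear. The following is an added example (not code from the deck, Anitian or AWS) that builds that inventory; the inputs are constructed samples in the shape of boto3's `describe_volumes()` and `describe_db_instances()` responses, and the `pci-scope` tag used to mark CDE resources is an assumption.

```python
"""Inventory encryption at rest for in-scope EBS volumes and RDS instances (PCI DSS Req. 3).
Added example, not code from the deck, Anitian or AWS. Inputs are constructed samples in the
shape of boto3's ec2.describe_volumes() and rds.describe_db_instances() responses; the
"pci-scope" tag used to mark CDE resources is an assumption."""
from typing import Dict, List

SCOPE_TAG = ("pci-scope", "cde")  # assumption: how CDE resources are tagged

SAMPLE_VOLUMES = {"Volumes": [  # constructed sample
    {"VolumeId": "vol-0app", "Encrypted": True, "Tags": [{"Key": "pci-scope", "Value": "cde"}],
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0web", "Encrypted": False, "Tags": [{"Key": "pci-scope", "Value": "cde"}]},
    {"VolumeId": "vol-0blog", "Encrypted": False, "Tags": [{"Key": "pci-scope", "Value": "no"}]},
    {"VolumeId": "vol-0tmp", "Encrypted": False},  # no tags at all
]}
SAMPLE_DBS = {"DBInstances": [  # constructed sample
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "TagList": [{"Key": "pci-scope", "Value": "cde"}]},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": False,
     "TagList": [{"Key": "pci-scope", "Value": "cde"}]},
]}

def has_tag(tags: List[Dict], wanted: tuple) -> bool:
    return any((t.get("Key"), t.get("Value")) == wanted for t in tags)

def encryption_findings(volumes: Dict, dbs: Dict) -> Dict[str, List[str]]:
    """In-scope resources stored in the clear, plus untagged ones whose scope is undecided."""
    report = {"unencrypted": [], "untagged": []}
    # (id, encrypted flag, tags) triples; Tags/TagList are absent or empty when untagged
    items = [(v["VolumeId"], v.get("Encrypted", False), v.get("Tags") or [])
             for v in volumes["Volumes"]]
    items += [(d["DBInstanceIdentifier"], d.get("StorageEncrypted", False), d.get("TagList") or [])
              for d in dbs["DBInstances"]]
    for rid, encrypted, tags in items:
        if not tags:
            report["untagged"].append(rid)          # inventory gap: cannot tell if in scope
        elif has_tag(tags, SCOPE_TAG) and not encrypted:
            # Neither EBS nor RDS can be encrypted in place: snapshot, copy the snapshot with
            # encryption enabled, then recreate the volume / restore the DB from the copy.
            report["unencrypted"].append(rid)
    return report
```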

Page 12: PCI Compliance in AWS


Requirement 4: Encrypt transmission of cardholder data across open, public networks

• AWS Services
  • Elastic Load Balancers
  • Network ACLs
  • Security Groups
  • Customer Gateways
  • Virtual Private Gateways
  • VPN Connections
  • AWS Direct Connect

• Other Strategies and Considerations
  • Set up and manage TLS and VPNs
  • Standard encryption strength and algorithms change

Page 13: PCI Compliance in AWS


Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

• AWS Services
  • AWS does not provide anti-malware for customer AWS instances

• Other Strategies and Considerations
  • Third-party management AMIs
  • Manage from within AWS
  • Use existing on premise solutions

Page 14: PCI Compliance in AWS


Requirement 6: Develop and maintain secure systems and applications

• AWS Services
  • None

• Other Strategies and Considerations
  • Amazon Linux AMI Security Bulletins (ALAS)
    – https://alas.aws.amazon.com/
  • CodeCommit and CodeDeploy
  • Third-party management AMIs

Page 15: PCI Compliance in AWS


Requirement 7: Restrict access to cardholder data by business need to know

• AWS Services
  • Identity and Access Management (IAM)
  • Directory Service

• Other Strategies and Considerations
  • IAM controls access to AWS itself
    – AWS Console
    – AWS APIs

Requirement 8: Identify and authenticate access to system components

• Same as above

Page 16: PCI Compliance in AWS


Requirement 9: Restrict Physical Access to Cardholder Data

• N/A

Requirement 10: Track and monitor all access to network resources and cardholder data

• AWS Services
  • CloudTrail
  • S3

• Other Strategies and Considerations
  • S3 supports lifecycle management
  • Leverage CloudTrail APIs to obtain SIEM data
  • CloudTrail will log AWS Console and API activity
  • AWS does not include time synchronization
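CloudTrail delivers Console and API activity to S3 as JSON files with a top-level `Records` array; feeding that to a SIEM is only useful once someone defines what to alert on. The following is an added example (not code from the deck, Anitian or AWS) of a small triage pass over such records: root account use, Console logins without MFA, and changes to the Requirement 1 controls. The records are constructed samples, and the set of event names treated as firewall changes is an assumption.

```python
"""Triage CloudTrail records for access events a SIEM should alert on (PCI DSS Req. 10).
Added example, not code from the deck, Anitian or AWS. SAMPLE_TRAIL is a constructed
sample in the JSON shape CloudTrail delivers to S3 ({"Records": [...]}); which events
count as firewall changes is an assumption tied to Requirement 1."""
from typing import Dict, List

# assumption: security-group and network-ACL mutations are the "firewall" changes to track
FIREWALL_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                   "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                   "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"}

SAMPLE_TRAIL = {"Records": [  # constructed records, not from a real account
    {"eventTime": "2015-06-01T12:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-06-01T12:03:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-06-01T12:10:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0web"}},
    {"eventTime": "2015-06-01T12:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]}

def triage(trail: Dict) -> List[Dict]:
    """Return one alert per rule hit; a single record can trigger several rules."""
    alerts = []
    for rec in trail["Records"]:
        ident = rec.get("userIdentity", {})
        base = {"time": rec["eventTime"], "who": ident.get("userName") or ident.get("arn", "?"),
                "ip": rec.get("sourceIPAddress"), "event": rec["eventName"]}
        if ident.get("type") == "Root":           # root should be unused day to day
            alerts.append({**base, "rule": "root-account-used"})
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({**base, "rule": "console-login-without-mfa"})
        if rec["eventName"] in FIREWALL_EVENTS:    # change to Req. 1 controls
            alerts.append({**base, "rule": "firewall-rule-change",
                           "group": rec.get("requestParameters", {}).get("groupId")})
    return alerts
```

Note that `eventTime` is stamped by AWS in UTC; the deck's point that AWS does not synchronize instance clocks applies to the OS and application logs you correlate against these records, not to CloudTrail itself.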

Page 17: PCI Compliance in AWS


Requirement 11: Regularly test security systems and processes

• AWS Services
  • Amazon’s Attestation of Compliance (AOC)
    – Fully covers physical security of AWS
    – Fully covers rogue Wireless Access Point detection
    – Applies to any PCI components hosted in AWS
    – Does not cover in-scope but on premise components

Page 18: PCI Compliance in AWS


Requirement 12: Maintain a policy that addresses information security for all personnel

• AWS Services
  • None

Requirement A.1: Shared hosting providers must protect the cardholder data environment

• AWS Services
  • See Requirements 1, 7, and 8

Page 19: PCI Compliance in AWS


PCI REFERENCE ARCHITECTURES

Page 20: PCI Compliance in AWS


Architecture 1: Dedicated

Page 21: PCI Compliance in AWS


Architecture 1: Dedicated

• An entire AWS environment dedicated to a web-based e-commerce application.

• Features
  • DMZ subnet for webserver and management “Jumpbox” instances.
  • Internal subnet for application and AWS RDS instances.

• PCI Scope
  • Everything

NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in-scope.

Page 22: PCI Compliance in AWS


Architecture 2: Segmented

Page 23: PCI Compliance in AWS


Architecture 2: Segmented

• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.

• Features
  • Separate Virtual Private Clouds for PCI and non-PCI environments
  • Network segmentation between VPCs

• PCI Scope
  • Instances in the PCI VPC only

Page 24: PCI Compliance in AWS


Architecture 3: Connected

Page 25: PCI Compliance in AWS


Architecture 3: Connected

• Extending an on premise network to the AWS PCI environment to leverage existing services.

• Features
  • Connectivity between on premise systems and AWS PCI environment.
  • Network segmentation between PCI and non-PCI environments.

• PCI Scope
  • AWS CDE VPC
  • AWS in-scope VPC and in-scope on premise network

Page 26: PCI Compliance in AWS


THIRD PARTY SOLUTIONS

Page 27: PCI Compliance in AWS


Pre-built AMIs
• Familiar technologies
• Trusted vendors

https://aws.amazon.com/marketplace/

Page 28: PCI Compliance in AWS


PCI Compliance Related

• AWS Service Gaps
  • IDS/IDP
  • SIEM
  • Patching
  • Vulnerability Management
  • FIM

• Enhance AWS Services
  • Firewalls
  • VPN
  • AWS Automation

Page 29: PCI Compliance in AWS


AWS PCI BEST PRACTICES

Page 30: PCI Compliance in AWS


Non-technical Actions

• Request a copy of the AWS PCI Compliance Package
  • Requires NDA
  • AWS AOC
  • Responsibility Matrix

• Documentation
  • Config
  • Trusted Advisor
  • AMI Identifiers
  • AWS Console
  • Resource Groups and Tagging

Page 31: PCI Compliance in AWS


Technical Considerations

• Monitoring
  • CloudWatch

• First things first
  • Naming conventions
  • KMS encryption keys

• Elastic Load Balancers (ELB)
  • Availability
  • Abstract or conceal real endpoints
  • ELB all the things!

Page 32: PCI Compliance in AWS


Audit Preparation
• Readiness assessment
• Documentation
• Network diagrams and data flows
• Scope and inventory
• Penetration tests and vulnerability scans
• QSA who knows AWS

Page 33: PCI Compliance in AWS


Questions

Use the chat feature to ask your questions

Or email [email protected]

Page 34: PCI Compliance in AWS


Thank You

EMAIL: [email protected]
[email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN