PCI Compliance in AWS Cloud

Anitian: intelligent information security


Page 1: PCI Compliance in AWS Cloud

PCI COMPLIANCE IN AWS

Page 2

Meet the Speakers

Adam Gaydosh

• Director of Security Intelligence

• Qualified Security Assessor (QSA)

• 15+ years experience in IT and Security

Jordan Wiseman

• Senior Security Intelligence Advisor

• Qualified Security Assessor (QSA)

• 15+ years experience in IT and Security

Page 4

Intent

• Discuss PCI compliance in AWS

• Outline AWS services that help meet PCI requirements

Outline

1. AWS Services for PCI Compliance

2. PCI Reference Architectures

3. Third Party Solutions

4. AWS PCI Best Practices

5. Q&A

Overview

Page 5

PCI IN AWS: OVERVIEW

Page 6

AWS Compliance Status

• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider

• Available to AWS customers pursuing PCI compliance:

– Attestation of Compliance (AOC)

– Responsibility Matrix

• The customer’s compliance is not inherited from AWS

Page 7

Cloud Compliance is a Shared Responsibility

Page 8

AWS COMPLIANT PCI SERVICES

Page 9

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• AWS Services

– Virtual Private Clouds (VPCs)

– Security Groups

– Network ACLs

– CloudFormation

• Other Strategies and Considerations

– Third-party Amazon Machine Images (AMIs)

  – Firewall, NGFW/UTM, IDS/IPS

– Scalability and automation

  – Security Groups

  – Host-based firewalls
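
As an added example (not code from Anitian's deck), the Requirement 1 check a reviewer runs over the inbound rules of each Security Group: any rule reachable from the whole internet on a port the web tier does not need is a finding. The group data below is constructed in the shape EC2 DescribeSecurityGroups returns; the group IDs, addresses and the allowed-port set are assumptions.

```python
from ipaddress import ip_network

# Constructed sample in the shape of EC2 DescribeSecurityGroups output: a DMZ
# web-tier group and a management ("jumpbox") group as in the dedicated
# architecture.  The world-open SSH rule on the DMZ group is the deliberate
# defect the audit should catch; group IDs and addresses are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0dmz0000", "GroupName": "dmz-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0mgmt0000", "GroupName": "mgmt-jumpbox", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

def is_unrestricted(cidr):
    """True for a CIDR that admits the whole internet (prefix length 0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def audit_group(group, public_ports=frozenset({443})):
    """Findings for inbound rules open to the world on a port outside public_ports;
    protocol -1 (all traffic) and non-TCP/UDP rules open to the world are always reported."""
    findings = []
    for perm in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        proto = perm["IpProtocol"]
        for cidr in cidrs:
            if not is_unrestricted(cidr):
                continue
            if proto == "-1":
                findings.append((group["GroupId"], "all traffic", cidr))
            elif proto not in ("tcp", "udp"):
                findings.append((group["GroupId"], proto, cidr))
            else:
                exposed = set(range(perm["FromPort"], perm["ToPort"] + 1)) - public_ports
                if exposed:
                    desc = "%s %d-%d" % (proto, min(exposed), max(exposed))
                    findings.append((group["GroupId"], desc, cidr))
    return findings

def audit_all(groups):
    """Run audit_group over every group and flatten the findings."""
    return [f for g in groups for f in audit_group(g)]
```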

Page 10

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• AWS Services

– Elastic Compute Cloud (EC2)

– AWS CloudFormation

– AWS Container Service

– AWS OpsWorks Stacks

• Other Strategies and Considerations

– Amazon-supplied AMIs have no default credentials

– Third-party AMIs might have defaults

– Pre-hardened AMIs available from Anitian in AWS Marketplace

– Configuration management platforms (Chef, Puppet, Ansible)

Page 11

Requirement 3: Protect stored cardholder data

• AWS Services

– Elastic Block Store (EBS)

– Simple Storage Service (S3)

– Key Management Service (KMS)

– Relational Database Service (RDS)

– AWS CloudHSM

– AWS SimpleDB

– Amazon Redshift

• Other Strategies and Considerations

– EBS is not OS independent

– Self-managed DBs

Page 12

Requirement 4: Encrypt transmission of cardholder data across open, public networks

• AWS Services

– Elastic Load Balancers

– Network ACLs

– Security Groups

– Customer Gateways

– Virtual Private Gateways

– VPN Connections

– AWS Direct Connect

– CloudFront

• Other Strategies and Considerations

– Set up and manage TLS and VPNs

– Standard encryption strength and algorithms change over time

– AWS Certificate Manager

Page 13

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

• AWS Services

– AWS does not provide anti-malware for customer AWS instances

• Other Strategies and Considerations

– Third-party management AMIs

– Manage from within AWS

– Use existing on-premises solutions

Page 14

Requirement 6: Develop and maintain secure systems and applications

• AWS Services

– AWS Config

– AWS CloudFormation

– AWS WAF

– Amazon CloudFront

• Other Strategies and Considerations

– Amazon Linux AMI Security Bulletins (ALAS): https://alas.aws.amazon.com/

– CodeCommit and CodeDeploy

– Third-party management AMIs

– Separation of production, test, and development environments

– AWS Systems Manager

Page 15

Requirement 7: Restrict access to cardholder data by business need to know

• AWS Services

– Identity and Access Management (IAM)

– Directory Service

– Cognito

• Other Strategies and Considerations

– IAM controls access to AWS itself

  – AWS Console

  – AWS APIs

Page 16

Requirement 8: Identify and authenticate access to system components

• AWS Services

– Identity and Access Management (IAM)

– Directory Service

– Cognito

• Other Strategies and Considerations

– IAM limitations by default (but supports GPOs):

  – lockouts for invalid login attempts (Req. 8.1.6)

  – minimum lockout durations (Req. 8.1.7)

  – idle session timeouts (Req. 8.1.8)

– Hosting your own IAM/Directory service in AWS

Page 17

Requirement 9: Restrict Physical Access to Cardholder Data

• Amazon’s Attestation of Compliance (AOC)

– Fully covers physical security of AWS

– Applies to any PCI components hosted in AWS

• Other Strategies and Considerations

– Does not cover in-scope components that are on-premises

– Does not cover data or media pulled from AWS

Page 18

Requirement 10: Track and monitor all access to network resources and cardholder data

• AWS Services

– CloudTrail

– CloudWatch Logs

– S3

• Other Strategies and Considerations

– S3 supports lifecycle management

– Leverage CloudTrail APIs to obtain SIEM data

– CloudTrail will log AWS Console and API activity

– AWS does not include time synchronization
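
An added example (not code from the deck) that ties Requirement 8 to Requirement 10: because IAM does not lock out a user after repeated invalid console logins by default, the compensating control is detection over the ConsoleLogin events CloudTrail records, alerting once a user reaches six failures inside a window. The records, user names, source IP and the 30-minute window are constructed assumptions; the record layout follows the JSON CloudTrail delivers to S3.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def console_login(user, minute, outcome):
    """One constructed record in the shape of the signin.amazonaws.com
    ConsoleLogin event CloudTrail delivers (user, time and IP are made up)."""
    return {"eventVersion": "1.05", "eventTime": "2017-03-01T10:%02d:00Z" % minute,
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": outcome}}

# Constructed log file: alice fails seven times in seven minutes, bob mistypes
# once and then gets in.
SAMPLE_LOG = {"Records": [console_login("alice", m, "Failure") for m in range(7)]
                         + [console_login("bob", 3, "Failure"),
                            console_login("bob", 4, "Success")]}

def failed_logins_by_user(log):
    """Timestamps of failed console logins, grouped by IAM user name."""
    by_user = defaultdict(list)
    for ev in log["Records"]:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Failure":
            continue
        user = (ev.get("userIdentity") or {}).get("userName", "<unknown>")
        by_user[user].append(datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    return by_user

def lockout_candidates(log, max_attempts=6, window=timedelta(minutes=30)):
    """Users whose failures reach max_attempts inside any sliding window.
    Req. 8.1.6 wants lockout after no more than six attempts and IAM does not
    enforce that on its own, so this is the rule a SIEM fed from CloudTrail
    would alert on."""
    flagged = {}
    for user, times in failed_logins_by_user(log).items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= max_attempts:
                flagged[user] = len(in_window)
                break
    return flagged
```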

Page 19

Requirement 11: Regularly test security systems and processes

• AWS Services

– Amazon’s Attestation of Compliance (AOC)

  – Fully covers physical security of AWS

  – Fully covers rogue Wireless Access Point detection

  – Applies to any PCI components hosted in AWS

  – Does not cover in-scope components that are on-premises

• Other Strategies and Considerations

– External security testing requires approval BEFORE it begins

Requirement 12: Maintain a policy that addresses information security for all personnel

• AWS Services

– None

Page 20

Requirement A.1: Additional PCI DSS Requirements for Shared Hosting Providers

• AWS Services

– VPCs, Security Groups

– IAM and AD Connector

Requirement A.2: Additional PCI DSS Requirements for Entities using SSL/early TLS

• AWS Services

– None

Page 21

Requirement A.3: Designated Entities Supplemental Validation (DESV)

• AWS Services

– None

• Other Strategies and Considerations

– AWS Config, CloudTrail, and CloudWatch

  – Change detection

  – Event monitoring and response

– S3

  – API access can help with CHD discovery

– IAM, Directory Service, and AD Connector

  – Logical access control

  – Access policies within AWS

Page 22

PCI REFERENCE ARCHITECTURES

Page 23

Architecture 1: Dedicated

Page 24

Architecture 1: Dedicated

• An entire AWS environment dedicated to a web-based e-commerce application.

• A CloudFormation template is available from Anitian in the AWS Marketplace.

• Features

– DMZ subnet for the webserver instance

– Management subnet for the “Jumpbox” instance

– Internal subnet for application and AWS RDS instances

• PCI Scope

– Everything

NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in-scope.

Page 25

Architecture 2: Segmented

Page 26

Architecture 2: Segmented

• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.

• Features

– Separate Virtual Private Clouds for PCI and non-PCI environments

– Network segmentation between VPCs

• PCI Scope

– Instances in the PCI VPC only

Page 27

Architecture 3: Connected

Page 28

Architecture 3: Connected

• Extending an on-premises network to the AWS PCI environment to leverage existing services.

• Features

– Connectivity between on-premises systems and the AWS PCI environment.

– Network segmentation between PCI and non-PCI environments.

• PCI Scope

– AWS CDE VPC

– AWS in-scope VPC and in-scope on-premises network

Page 29

THIRD PARTY SOLUTIONS

Page 30

Pre-built AMIs

• Familiar technologies

• Trusted vendors

https://aws.amazon.com/marketplace/

Page 31

PCI Compliance Related

• AWS Service Gaps

– IDS/IPS

– SIEM

– Patching

– Vulnerability Management

– FIM

• Enhance AWS Services

– Firewalls

– VPN

– AWS Automation

Page 32

AWS PCI BEST PRACTICES

Page 33

Non-technical Actions

• Request a copy of the AWS PCI Compliance Package

– Requires NDA

– AWS AOC

– Responsibility Matrix

• Documentation

– Config

– Trusted Advisor

– AMI Identifiers

– AWS Console

– Resource Groups and Tagging

Page 34

Technical Considerations

• First things first

– Naming conventions

– KMS encryption keys

– Trusted Advisor

• Monitoring

– CloudWatch

• Elastic Load Balancers (ELB)

– Abstract or conceal real endpoints

– ELB all the things!

• Design for the cloud

– Dynamic environments

– Control implementation points

Page 35

Audit Preparation

• Readiness assessment

• Documentation

– Network diagrams and data flows

– Scope and inventory

• Penetration tests and vulnerability scans

• QSA who knows AWS

Page 36

QUESTIONS?

Page 37

EMAIL: [email protected]

[email protected]

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: http://bit.ly/anitian

CALL: 888-ANITIAN

THANK YOU