As part of its efforts to facilitate the implementation of the controls of different security standards in its customers' environments, Amazon Web Services (AWS), as a cloud service provider (CSP), published in August 2023 an update of its PCI DSS Compliance Guide, this time aligned with the controls of version 4.0 of the standard.
According to NIST's definition, "Cloud computing is a model that enables ubiquitous, convenient, on-demand access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction". The main factors driving the growth of the global cloud computing market are the expansion of digital transformation in companies, the increase in Internet adoption (including the use of 5G), the mass adoption of mobile devices worldwide and the increased consumption of state-of-the-art services and platforms, including IoT and industrial solutions, Big Data, edge computing, real-time analytics and Artificial Intelligence (AI), all of which increase the value that companies derive from computing technology.
Currently, the cloud services market is mature and consolidated, with Amazon Web Services (AWS) as the leading provider, followed by Microsoft Azure and Google Cloud Platform (GCP).
Given the inherent dependence that an entity will have on its cloud service provider (CSP) once it migrates its on-premises services to the cloud, it is important to consider the type of services being contracted and the responsibilities that will be delegated to that provider. Likewise, if the services migrated to the cloud process, store or transmit payment card data, the customer's compliance scope may extend to the infrastructure of the CSP it uses.

In accordance with PCI DSS v4.0 requirement 12.8, an entity shall maintain a list of the service providers with which it shares card data or whose services may affect the security of the card data it manages. This requirement also covers cloud service providers. To support and guide entities in the technical, legal and compliance assessment of different cloud service providers, in April 2018 the PCI SSC published the document "Information Supplement – Cloud Computing Guidelines", which describes the relationships between the CSP and its customers and the different considerations to be analyzed from the perspective of PCI DSS compliance, including risk analysis, due diligence, service level agreements, business continuity and disaster recovery plans, incident management and various technical security considerations for multi-tenant environments, hypervisor and container controls, cryptography, event log management, etc.
Amazon Web Services (AWS) and PCI DSS
The relationship between AWS and PCI DSS goes back many years. AWS was one of the first CSPs to validate its own infrastructure against PCI DSS in order to facilitate the integration of entities subject to that standard into its environment. Today, AWS has more than 100 services within the scope of its PCI DSS validation and makes its compliance report (Attestation of Compliance, AOC) available to its customers, which can be downloaded from AWS Artifact.
The fundamental element in this compliance scenario, where both the customer's and the CSP's environments are involved, is the 'shared responsibility model'. This model establishes who is responsible for the operation and management of the underlying technology platform, the physical facilities and the services involved in the environment. In the case of AWS, its shared responsibility model states that AWS's responsibilities are limited to the security of the cloud platform (responsibility for security OF the cloud), while the customer entity's responsibility focuses on the security of the services running on that platform (responsibility for security IN the cloud), with a number of controls shared between the two parties. As required by PCI DSS req. 12.8.5, AWS also provides a responsibility matrix for each of the PCI DSS controls, which can be downloaded from AWS Artifact.
AWS PCI DSS v4.0 Compliance Guide
In addition to the PCI DSS compliance of the AWS infrastructure itself, the AWS Security Assurance Services team developed the document "Payment Card Industry Data Security Standard (PCI DSS) v4.0 on AWS – Compliance Guide", which includes a detailed description of the AWS services relevant to environments subject to PCI DSS v4.0 compliance, together with recommendations and best practices for each group of requirements. This makes it essential reading for any entity that uses AWS services in its PCI DSS environment and for any QSA that has to assess environments deployed in this CSP.
Some of the most noteworthy aspects of this guide are:
- Examples of flowcharts, network diagrams, and asset inventories to support PCI DSS compliance scope identification exercises.
- Integration with the AWS Well-Architected tool to define secure, high-performance, resilient and efficient infrastructures based on AWS best practices.
- Recommendations regarding the use of the 'customized approach' and the implementation of targeted risk analyses.
Among the most relevant technical recommendations are:
- Use of AWS Bottlerocket as an operating system optimized for running containers, offering enhanced security and resource optimization in environments subject to PCI DSS compliance.
- The network security controls (NSCs) in AWS that are relevant to requirement 1 are listed: VPCs, security groups, VPC network access control lists (network ACLs) and IAM. Network ACLs, being stateless, were not considered a valid network control under PCI DSS v3.2.1, but this has changed in PCI DSS v4.0.
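The difference between the two VPC packet filters named above matters when writing requirement 1 rule sets: a stateless network ACL evaluates every packet, including the reply to a connection it already admitted, against its numbered rules, so return traffic needs its own rule, while a stateful security group tracks the flow and admits the reply on its own. The following is an added example (constructed here, not code from the AWS guide) that models both behaviours on a single HTTPS exchange; the addresses, ports and rule sets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    inbound: bool  # True: entering the subnet/instance; False: leaving it


@dataclass(frozen=True)
class Rule:
    number: int   # network ACL rules are evaluated in ascending order, first match wins
    action: str   # "allow" or "deny"
    cidr: str     # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int
    inbound: bool


def nacl_allows(rules, pkt):
    """Stateless network ACL: every packet, in both directions, is matched against
    the ordered rule list; the implicit final rule (*) denies whatever nothing matched."""
    peer = ip_address(pkt.src if pkt.inbound else pkt.dst)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.inbound == pkt.inbound and peer in ip_network(r.cidr)
                and r.port_from <= pkt.dst_port <= r.port_to):
            return r.action == "allow"
    return False


class SecurityGroup:
    """Stateful security group: a packet admitted by a rule creates a flow entry, and
    the reply to that flow is admitted regardless of the rules for the other direction.
    Rules are (cidr, port_from, port_to) allow entries; there are no deny rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (initiator_ip, initiator_port, responder_port)

    def allows(self, pkt):
        if (pkt.dst, pkt.dst_port, pkt.src_port) in self.flows:
            return True  # reply to a tracked flow
        rules = self.inbound if pkt.inbound else self.outbound
        peer = ip_address(pkt.src if pkt.inbound else pkt.dst)
        for cidr, lo, hi in rules:
            if peer in ip_network(cidr) and lo <= pkt.dst_port <= hi:
                self.flows.add((pkt.src, pkt.src_port, pkt.dst_port))
                return True
        return False


def demo():
    """Constructed HTTPS request from an internet client to an instance in a VPC
    subnet, followed by the instance's reply; returns what each filter decides."""
    request = Packet("203.0.113.5", "10.0.1.10", 51234, 443, inbound=True)
    reply = Packet("10.0.1.10", "203.0.113.5", 443, 51234, inbound=False)

    # Network ACL that allows HTTPS in and out but has no rule for the client's
    # ephemeral source port, which is the destination port of the reply
    nacl = [
        Rule(100, "allow", "0.0.0.0/0", 443, 443, inbound=True),
        Rule(100, "allow", "0.0.0.0/0", 443, 443, inbound=False),
    ]
    # Same ACL plus an outbound rule for the ephemeral port range used by return traffic
    nacl_fixed = nacl + [Rule(110, "allow", "0.0.0.0/0", 1024, 65535, inbound=False)]

    # Security group with only an inbound HTTPS rule and no outbound rules at all
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])

    return {
        "nacl_request": nacl_allows(nacl, request),          # True
        "nacl_reply": nacl_allows(nacl, reply),              # False: stateless, no return rule
        "nacl_fixed_reply": nacl_allows(nacl_fixed, reply),  # True
        "sg_request": sg.allows(request),                    # True, and the flow is recorded
        "sg_reply": sg.allows(reply),                        # True: reply admitted by flow state
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point for a reviewer of an AWS requirement 1 rule set is visible in the `nacl_reply` result: a network ACL that reads as "HTTPS only" silently breaks the reply path unless the ephemeral-port return rule is present, which is also why such ACLs tend to end up broader than the equivalent security group.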
- AWS Firewall Manager is included as an additional tool for configuring and managing NSC rules across accounts and applications.
- Use of AWS CloudFront or Amazon API Gateway as controls to "isolate" card data repositories from direct access from open, public networks.
- The use of EC2Config on EC2 instances running Microsoft Windows to generate a random, encrypted local administrator password.
- The use of AWS Systems Manager Session Manager as a "replacement" for traditional jump servers (bastion host or jump box).
Spanish PCI Note: Although this guide does not explicitly mention it, AWS CloudShell can also be used for the same purpose.
- Regarding cryptography, the use of AWS Key Management Service (AWS KMS) or AWS CloudHSM, both backed by hardware validated to FIPS 140-2 Level 3. Where AWS KMS is used, it is important that 256-bit AES keys are used under the KMS customer managed keys (CMKs) model in order to align with the criteria for strong cryptography as defined by the PCI SSC.
Spanish PCI Note: Although not mentioned in this guide, AWS offers a service called AWS Payment Cryptography, which provides payment HSMs (certified under PCI HSM) that meet the controls required by PCI DSS, PCI PIN and PCI P2PE.
- The use of Amazon Macie for the identification, classification and protection of sensitive data stored in AWS S3.
- It is important to note that under PCI DSS v4.0, when disk-level encryption is used on non-removable media, an additional encryption mechanism is required to protect the stored data (req. 3.5.1.2). Therefore, if the native encryption of services such as AWS S3 or AWS RDS is used, additional encryption controls are required at the data level, for example using AWS KMS CMKs.
- Reference is made to AWS CloudFront field-level encryption. With this feature, an additional layer of encryption can be applied at the data level from its origin (in this case, the user's browser) using asymmetric cryptography, complementing the channel encryption provided by TLS.
Spanish PCI Note: AWS has published a spectacular guide describing the procedure for protecting card data using field-level encryption: "How to Enhance the Security of Sensitive Customer Data by Using Amazon CloudFront Field-Level Encryption".
- The use of AWS Certificate Manager (ACM) for the provisioning, management and deployment of digital certificates for TLS services.
- At the malware management level, the customer is responsible for implementing anti-malware solutions on EC2 instances, containers or any service where the customer operates the operating system layer. However, Amazon GuardDuty Malware Protection can be used to scan Amazon Elastic Block Store (EBS) volumes attached to an EC2 instance (AWS Fargate (EKS/ECS) is not supported).
- Amazon CodeGuru can be used to review source code for potential vulnerabilities.
- Amazon Inspector can be used to inspect running instances for security vulnerabilities, and Amazon Elastic Container Registry (ECR) image scanning for container images.
- Systems Manager Patch Manager can be used for managing and deploying updates to the operating systems under the customer's responsibility.
- AWS WAF (with its managed rules) can be used to cover requirement 6.4 for the protection of web applications connected to public networks.
- You can make use of IAM Access Analyzer to identify resource and data access issues in AWS IAM.
- With AWS Secrets Manager or AWS Systems Manager Parameter Store, API and database connection credentials no longer need to be stored in the clear.
- It is the responsibility of the entity to:
  - Identify and remove or disable user accounts with more than 90 days of inactivity.
  - Manage session idle timeouts.
  - Lock out accounts (account lockout).
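The 90-day inactivity check is one of the items above that the customer has to operate itself in AWS. The IAM credential report (obtained in production with `aws iam get-credential-report`, which returns a base64-encoded CSV) carries the last console login and last access-key use per user, so the check can be run over that report. The following is an added example (constructed here, not from the AWS guide); the CSV sample is constructed to follow the column names of the real report but lists only the columns the check needs, and the reference date `NOW` is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)   # PCI DSS v4.0 req. 8.2.6 threshold named above
NOW = datetime(2023, 9, 15, tzinfo=timezone.utc)   # fixed reference date for the sample

# Constructed sample in the column layout of the IAM credential report (the real
# report has more columns; account id and user names are made up)
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T08:00:00+00:00,not_supported,2023-09-01T07:30:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T09:00:00+00:00,true,2023-09-10T14:20:00+00:00,true,true,2023-09-11T10:05:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-02T09:00:00+00:00,true,2023-05-01T11:00:00+00:00,false,true,N/A,false,N/A
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,2022-07-15T12:00:00+00:00,false,no_information,false,true,2023-09-12T03:00:00+00:00,false,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2022-01-20T10:00:00+00:00,true,no_information,false,true,no_information,false,N/A
"""

ACTIVITY_COLUMNS = ("password_last_used",
                    "access_key_1_last_used_date",
                    "access_key_2_last_used_date")


def parse_ts(value):
    """Return a datetime for an ISO-8601 cell; the report also uses the markers
    N/A, no_information and not_supported, which all map to None."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def last_activity(row):
    """Most recent of console login and access-key use. A user with no recorded
    activity at all is measured from creation time, so a never-used account is
    still caught instead of being silently skipped."""
    stamps = [parse_ts(row.get(col, "")) for col in ACTIVITY_COLUMNS]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else parse_ts(row["user_creation_time"])


def find_inactive_users(report_csv, now=NOW, limit=INACTIVITY_LIMIT):
    """Return one finding per user whose last activity is older than `limit`.
    The mfa_active flag is carried along because the same report is the place
    to check it (see the MFA item further down in this list)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        idle = now - last_activity(row)
        if idle > limit:
            findings.append({
                "user": row["user"],
                "idle_days": idle.days,
                "mfa_active": row.get("mfa_active") == "true",
            })
    return findings


def demo():
    return find_inactive_users(SAMPLE_REPORT)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['user']}: idle {f['idle_days']} days, MFA={'yes' if f['mfa_active'] else 'no'}")
```

On the sample, `bob` (last console login in May) and `old-contractor` (never used since creation) are flagged; the root account, `alice` and the `deploy-svc` key user are recent and are not. Two things to keep in mind when running this against a real report: `password_last_used` is only populated for console logins, so service users without passwords are judged by their key usage, and the credential report can be up to four hours old when served from cache, so the timestamps are a lower bound on activity.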
- MFA is available for access to the management console, the AWS CLI and the API.
Spanish PCI Note: From mid-2024, AWS will make the use of MFA mandatory for the root account.
- The whole of requirement 9 (physical security) is under the responsibility of AWS.
- AWS CloudTrail includes functionality to validate the integrity of the event log files it stores (log file integrity validation).
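CloudTrail's log file integrity validation works by delivering, alongside the log files, hourly digest files that list the SHA-256 hash of each log file and the hash of the previous digest, so the digests form a chain that can be walked backwards to detect a deleted or modified log file. The following is an added example (constructed here, not AWS code or the `aws cloudtrail validate-logs` implementation) that builds a small two-digest chain over constructed log objects in an in-memory dictionary standing in for the S3 bucket, validates it, and then shows the result of tampering with a log file and with a digest. The field names follow the digest document layout; the bucket name, object keys and events are constructed. The RSA signature that a real digest also carries (verified with the public key from CloudTrail's ListPublicKeys) is deliberately not modelled here, since that needs a crypto library; this block covers only the hash chain.

```python
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(events):
    """CloudTrail delivers log files gzip-compressed; the digest hashes cover the
    object as stored, i.e. the compressed bytes (mtime pinned for reproducibility)."""
    return gzip.compress(json.dumps({"Records": events}).encode(), mtime=0)


def make_digest(bucket, key, log_objects, previous):
    """Build a digest document over the given (key, bytes) log objects, chained to
    the previous digest by the SHA-256 of that digest's stored bytes."""
    prev_key, prev_bytes = previous if previous else (None, None)
    doc = {
        "digestS3Bucket": bucket,
        "digestS3Object": key,
        "digestSignatureAlgorithm": "SHA256withRSA",   # signature itself not modelled
        "previousDigestS3Bucket": bucket if prev_key else None,
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(prev_bytes) if prev_bytes else None,
        "logFiles": [{"s3Bucket": bucket, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(v)} for k, v in log_objects],
    }
    return json.dumps(doc, sort_keys=True).encode()


def validate_chain(store, newest_digest_key):
    """Walk the digest chain backwards from the newest digest, re-hashing every
    referenced log file and every previous digest. Returns (ok, problems)."""
    problems, key = [], newest_digest_key
    while key:
        doc = json.loads(store[key])
        for lf in doc["logFiles"]:
            obj = store.get(lf["s3Object"])
            if obj is None:
                problems.append(f"log file {lf['s3Object']} missing")
            elif sha256_hex(obj) != lf["hashValue"]:
                problems.append(f"log file {lf['s3Object']} hash mismatch")
        prev_key = doc["previousDigestS3Object"]
        if prev_key is None:
            break
        prev = store.get(prev_key)
        if prev is None:
            problems.append(f"previous digest {prev_key} missing")
            break
        if sha256_hex(prev) != doc["previousDigestHashValue"]:
            problems.append(f"previous digest {prev_key} modified")
        key = prev_key
    return (not problems, problems)


def build_store():
    """Constructed bucket contents: two log files, each covered by its own digest."""
    bucket = "example-trail-bucket"
    log1 = ("logs/2023/09/15/log-0001.json.gz",
            make_log_object([{"eventName": "ConsoleLogin", "userName": "alice"}]))
    log2 = ("logs/2023/09/15/log-0002.json.gz",
            make_log_object([{"eventName": "StopLogging", "userName": "alice"}]))
    d1_key, d2_key = "digests/2023/09/15/digest-0001.json", "digests/2023/09/15/digest-0002.json"
    d1 = make_digest(bucket, d1_key, [log1], previous=None)
    d2 = make_digest(bucket, d2_key, [log2], previous=(d1_key, d1))
    return {log1[0]: log1[1], log2[0]: log2[1], d1_key: d1, d2_key: d2}, d2_key, log2[0], d1_key


def demo():
    store, newest, log2_key, d1_key = build_store()
    intact = validate_chain(store, newest)

    # Tamper 1: the StopLogging event is scrubbed from the second log file
    tampered_log = dict(store)
    tampered_log[log2_key] = make_log_object([])
    after_log_edit = validate_chain(tampered_log, newest)

    # Tamper 2: the older digest is rewritten (its content changes, so its hash
    # no longer matches the previousDigestHashValue recorded in the newer digest)
    tampered_digest = dict(store)
    tampered_digest[d1_key] = store[d1_key] + b" "
    after_digest_edit = validate_chain(tampered_digest, newest)

    return {"intact": intact, "log_edited": after_log_edit, "digest_edited": after_digest_edit}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "OK" if ok else problems)
```

Because every digest pins the hash of the one before it, an attacker who alters an old log file must also rewrite its digest, and then the next digest, and so on up to the most recent one, which is exactly what the backward walk detects. In production the digests and their signatures are checked with `aws cloudtrail validate-logs --trail-arn ... --start-time ...`, and the digest bucket should be protected (separate bucket or prefix, restrictive bucket policy, optionally S3 Object Lock) so that the chain itself is not writable by the identities whose activity it records.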
- AWS Security Hub can be used to automate AWS security checks and centralize security alerts.
- Since 2017, AWS has been running its own redundant reference clock service, backed by satellite-connected atomic clocks, in its different regions. This service (Amazon Time Sync Service) can be used to comply with requirement 10.6.
- For internal vulnerability scans, Amazon Inspector can be used.
- For network intrusion detection (IDS), the traditional approach of connecting a sensor at layer 2 of the OSI model does not apply in software-defined networks (SDNs). AWS therefore recommends the use of AWS GuardDuty in conjunction with the information provided by other services such as AWS WAF or host-based intrusion detection (HIDS) solutions. AWS provides a guide on using and evaluating AWS GuardDuty in PCI DSS environments.
- The entity is responsible for implementing controls to detect changes in the payment pages of its environment.
- Systems Manager, AWS Config and Application Discovery Service can be used to identify services and assets in the AWS environment.
- For security incident management, AWS developed a detailed guide for responding to security events within the AWS environment.
Spanish PCI Note: AWS has created a series of free technical courses on incident response in its cloud platform (Security Incident Response Series – CRS):
- AWS Security Incident Response (SIR) Overview: Description of investigative flows in common security incidents.
- AWS SIR – IAM: Analysis of incidents involving compromised IAM credentials.
- AWS SIR – Ransomware: Management of ransomware-related security incidents.
- AWS SIR – Cryptomining: Management of security incidents related to cryptocurrency mining.
Finally, the document includes an annex mapping the different AWS services to the PCI DSS controls they can help cover.
Do you have any comments or doubts regarding this guide? Leave us your comments and subscribe to our mailing list.
