ANITIAN: intelligent information security
PCI COMPLIANCE IN AWS
Meet the Speakers
Adam Gaydosh
• Director of Security Intelligence
• Qualified Security Assessor (QSA)
• 15+ years experience in IT and Security
Jordan Wiseman
• Senior Security Intelligence Advisor
• Qualified Security Assessor (QSA)
• 15+ years experience in IT and Security
Vision: Security is essential for growth, innovation and prosperity.
Mission: Build great security leaders.
• Rapid Risk Assessment
• Compliance
• Penetration Testing
• Managed Threat Intelligence
Intent
• Discuss PCI compliance in AWS
• Outline AWS services that help meet PCI requirements
Outline
1. AWS Services for PCI Compliance
2. PCI Reference Architectures
3. Third Party Solutions
4. AWS PCI Best Practices
5. Q&A
PCI IN AWS: OVERVIEW
AWS Compliance Status
• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider
• Available to AWS customers pursuing PCI compliance:
– Attestation of Compliance (AOC)
– Responsibility Matrix
• Customer’s compliance is not inherited from AWS
Cloud Compliance is a Shared Responsibility
AWS COMPLIANT PCI SERVICES
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• AWS Services
– Virtual Private Clouds (VPCs)
– Security Groups
– Network ACLs
• Other Strategies and Considerations
– Third-party Amazon Machine Images (AMIs): firewall, NGFW/UTM, IDS/IPS
– Scalability and automation: Security Groups, host-based firewalls
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• AWS Services
– Elastic Compute Cloud (EC2)
• Other Strategies and Considerations
– Amazon-supplied AMIs have no default credentials
– Third-party AMIs might have defaults
– Pre-hardened AMIs available from Anitian in AWS Marketplace
Requirement 3: Protect stored cardholder data
• AWS Services
– Elastic Block Store (EBS)
– Simple Storage Service (S3)
– Key Management Service (KMS)
– Relational Database Service (RDS)
• Other Strategies and Considerations
– EBS not OS independent
– Self-managed DBs
Requirement 4: Encrypt transmission of cardholder data across open, public networks
• AWS Services
– Elastic Load Balancers
– Network ACLs
– Security Groups
– Customer Gateways
– Virtual Private Gateways
– VPN Connections
– AWS Direct Connect
• Other Strategies and Considerations
– Set up and manage TLS and VPNs yourself
– Standard encryption strength and algorithms change over time
– AWS Certificate Manager
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• AWS Services
– AWS does not provide anti-malware for customer AWS instances
• Other Strategies and Considerations
– Third-party management AMIs
– Manage from within AWS
– Use existing on-premise solutions
Requirement 6: Develop and maintain secure systems and applications
• AWS Services
– None
• Other Strategies and Considerations
– Amazon Linux AMI Security Bulletins (ALAS): https://alas.aws.amazon.com/
– CodeCommit and CodeDeploy
– Third-party management AMIs
– Separation of production, test, and development environments
– AWS WAF and Amazon CloudFront
Requirement 7: Restrict access to cardholder data by business need to know
• AWS Services
– Identity and Access Management (IAM)
– Directory Service
• Other Strategies and Considerations
– IAM controls access to AWS itself (the AWS Console and AWS APIs), not access inside your instances or databases
Requirement 8: Identify and authenticate access to system components
• AWS Services
– Identity and Access Management (IAM)
– AD Connector
• Other Strategies and Considerations
– IAM limitations: no lockout after repeated invalid login attempts (Req. 8.1.6), no minimum lockout duration (Req. 8.1.7), no idle session timeout (Req. 8.1.8)
– Hosting your own IAM/Directory service in AWS
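IAM's account password policy can satisfy part of Requirement 8 but not the lockout and idle-timeout controls the slide lists. The block below is an added example, not code from the Anitian deck: it compares a constructed `get-account-password-policy` result against the PCI DSS v3.x thresholds and separates settings you can fix in IAM from the controls (8.1.6 through 8.1.8) that IAM cannot express and that must come from a federated directory or a documented compensating control. The sample policy values are assumptions.

```python
"""Check an IAM account password policy against PCI DSS 3.x Requirement 8.

Added example, not part of the Anitian deck. SAMPLE_POLICY is a constructed
dict in the shape returned by `aws iam get-account-password-policy`; the
thresholds are the PCI DSS v3.x values for 8.2.3 (length 7, letters and
digits), 8.2.4 (90-day rotation), 8.2.5 (history of 4), 8.1.6 (six
attempts), 8.1.7 (30-minute lockout) and 8.1.8 (15-minute idle timeout).
"""

# Constructed sample: a loosened account policy as the IAM API would return it.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,
    "PasswordReusePrevention": 2,
}

# Controls the IAM password policy has no setting for; they must come from a
# federated directory (e.g. AD via AD Connector) or be documented for the QSA
# as compensating controls.
NOT_ENFORCEABLE_IN_IAM = [
    ("8.1.6", "lock out the user ID after at most six invalid attempts"),
    ("8.1.7", "lockout duration of at least 30 minutes or until reset"),
    ("8.1.8", "re-authenticate after 15 minutes idle"),
]


def check_password_policy(policy):
    """Return a list of (requirement, status, detail) findings.

    status is "fail" when the setting can be fixed in the IAM policy and
    "outside-iam" when IAM cannot express the control at all.
    """
    findings = []
    length = policy.get("MinimumPasswordLength") or 0
    if length < 7:
        findings.append(("8.2.3", "fail", "MinimumPasswordLength %d < 7" % length))
    letters = policy.get("RequireUppercaseCharacters") or policy.get("RequireLowercaseCharacters")
    if not (letters and policy.get("RequireNumbers")):
        findings.append(("8.2.3", "fail", "must require both letters and digits"))
    age = policy.get("MaxPasswordAge") if policy.get("ExpirePasswords") else None
    if age is None or age > 90:
        findings.append(("8.2.4", "fail", "MaxPasswordAge %s, must be 90 days or less" % age))
    reuse = policy.get("PasswordReusePrevention") or 0
    if reuse < 4:
        findings.append(("8.2.5", "fail", "PasswordReusePrevention %d < 4" % reuse))
    for req, detail in NOT_ENFORCEABLE_IN_IAM:
        findings.append((req, "outside-iam", detail))
    return findings


def iam_fixable(findings):
    """Just the findings that an IAM policy update can resolve."""
    return [f for f in findings if f[1] == "fail"]


if __name__ == "__main__":
    for req, status, detail in check_password_policy(SAMPLE_POLICY):
        print("%-6s %-12s %s" % (req, status, detail))
```

The three "outside-iam" lines are emitted unconditionally on purpose: they are the gap an assessor will ask about regardless of how tight the IAM policy is.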
Requirement 9: Restrict physical access to cardholder data
• Amazon’s Attestation of Compliance (AOC)
– Fully covers physical security of AWS
– Applies to any PCI components hosted in AWS
• Other Strategies and Considerations
– Does not cover in-scope, but on-premise, components
– Does not cover data or media pulled from AWS
Requirement 10: Track and monitor all access to network resources and cardholder data
• AWS Services
– CloudTrail
– S3
• Other Strategies and Considerations
– S3 supports lifecycle management
– Leverage CloudTrail APIs to obtain SIEM data
– CloudTrail logs AWS Console and API activity
– AWS does not include time synchronization
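CloudTrail gives you the raw console and API history; turning it into Requirement 10 monitoring means running rules over it before or inside the SIEM. The block below is an added example, not part of the deck: it applies a few illustrative detections (console login without MFA, root account use, trail tampering, opening a security group to the internet) to four constructed records in CloudTrail's JSON layout. The rule set, severities and the records themselves are assumptions for illustration, not an AWS or PCI-mandated list.

```python
"""Triage CloudTrail records for PCI Requirement 10 monitoring.

Added example, not from the Anitian deck. SAMPLE_TRAIL is constructed to
mirror the {"Records": [...]} layout CloudTrail writes to S3; the rules are
illustrative detections, not an AWS or PCI-mandated set.
"""
import json

# Constructed sample records (field names follow CloudTrail's schema).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-06-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-06-01T12:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "pci-trail"}},
    {"eventTime": "2015-06-01T12:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.2.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-abc"},
     "requestParameters": {"bucketName": "pci-logs", "key": "2015/06/01/x.gz"}},
]})

# API calls that weaken or destroy the audit trail itself (Req. 10.5).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "PutBucketLifecycle", "DeleteBucket"}


def _actor(rec):
    """Best available principal name for a record."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_ingress(rec):
    """True if an AuthorizeSecurityGroupIngress call opens a port to everyone."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") in ("0.0.0.0/0", "::/0"):
                return True
    return False


def triage(trail_json):
    """Return a list of (severity, rule, actor, eventName) findings, in record order."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        name, actor = rec.get("eventName"), _actor(rec)
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("high", "root-account-used", actor, name))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("high", "console-login-without-mfa", actor, name))
        if name in LOGGING_TAMPER:
            findings.append(("critical", "audit-trail-tampering", actor, name))
        if name == "AuthorizeSecurityGroupIngress" and _world_open_ingress(rec):
            findings.append(("high", "sg-open-to-internet", actor, name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print("%-8s %-28s %-12s %s" % finding)
```

On the sample the routine S3 GetObject produces nothing, while the StopLogging call raises two findings (root usage and trail tampering); in practice the same function would be fed from the gzipped objects CloudTrail delivers to the S3 bucket, or from the SIEM's CloudTrail connector.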
Requirement 11: Regularly test security systems and processes
• AWS Services
– Amazon’s Attestation of Compliance (AOC)
– Fully covers physical security of AWS
– Fully covers rogue wireless access point detection
– Applies to any PCI components hosted in AWS
– Does not cover in-scope, but on-premise, components
• Other Strategies and Considerations
– External security testing requires AWS approval BEFORE it begins
Requirement 12: Maintain a policy that addresses information security for all personnel
• AWS Services
– None
Requirement A.1: Additional PCI DSS Requirements for Shared Hosting Providers
• AWS Services
– VPCs, Security Groups
– IAM and AD Connector
Requirement A.2: Additional PCI DSS Requirements for Entities using SSL/early TLS
• AWS Services
– None
Requirement A.3: Designated Entities Supplemental Validation (DESV)
• AWS Services
– None
• Other Strategies and Considerations
– AWS Config, CloudTrail, and CloudWatch: change detection; event monitoring and response
– S3: API access can help with CHD discovery
– IAM, Directory Service, and AD Connector: logical access control; access policies within AWS
PCI REFERENCE ARCHITECTURES
Architecture 1: Dedicated
• An entire AWS environment dedicated to a web-based e-commerce application.
• Features
– DMZ subnet for webserver instance
– Management subnet for “Jumpbox” instance
– Internal subnet for application and AWS RDS instances
• PCI Scope
– Everything
NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in scope.
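The Security Group controls listed under Requirement 1 and the tiering of the Dedicated architecture above can be checked mechanically rather than by eyeballing the console. The block below is an added example, not code from the Anitian deck: it models the four security groups of the three-subnet design (DMZ web tier, management jumpbox, internal app and RDS tiers) and compares every effective ingress path against the flows the design intends. The group names, the admin CIDR, the port numbers and the allowed-path table are assumptions about that design, not an AWS or PCI rule.

```python
"""Verify security-group segmentation in a dedicated PCI VPC.

Added example, not part of the Anitian deck. SECURITY_GROUPS is a
constructed, simplified view of `ec2 describe-security-groups` output for
the three-subnet design; ALLOWED_PATHS and ADMIN_CIDR are assumptions
about that design.
"""
import ipaddress

ADMIN_CIDR = ipaddress.ip_network("198.51.100.0/24")  # assumed corporate admin range

# Constructed security groups. Each ingress rule admits a TCP port range from
# either a CIDR block or another security group (by id).
SECURITY_GROUPS = {
    "sg-web": {"tier": "web", "ingress": [
        {"from": 443, "to": 443, "cidr": "0.0.0.0/0"},
        {"from": 22, "to": 22, "src_sg": "sg-jump"}]},
    "sg-jump": {"tier": "jumpbox", "ingress": [
        {"from": 22, "to": 22, "cidr": "198.51.100.0/24"}]},
    "sg-app": {"tier": "app", "ingress": [
        {"from": 8080, "to": 8080, "src_sg": "sg-web"},
        {"from": 22, "to": 22, "src_sg": "sg-jump"}]},
    "sg-db": {"tier": "db", "ingress": [
        {"from": 3306, "to": 3306, "src_sg": "sg-app"},
        {"from": 3306, "to": 3306, "cidr": "0.0.0.0/0"}]},  # the mistake we want caught
}

# Intended flows as (source, destination tier, port). Sources are tier names,
# "internet" for 0.0.0.0/0 or ::/0, and "admin" for anything inside ADMIN_CIDR.
ALLOWED_PATHS = {
    ("internet", "web", 443),
    ("admin", "jumpbox", 22),
    ("jumpbox", "web", 22),
    ("jumpbox", "app", 22),
    ("web", "app", 8080),
    ("app", "db", 3306),
}


def _source(rule, sgs):
    """Map a rule's source to a tier name, 'internet', 'admin' or a raw CIDR."""
    if "src_sg" in rule:
        return sgs[rule["src_sg"]]["tier"]
    net = ipaddress.ip_network(rule["cidr"])
    if net.prefixlen == 0:
        return "internet"
    if net.version == ADMIN_CIDR.version and net.subnet_of(ADMIN_CIDR):
        return "admin"
    return "cidr:" + rule["cidr"]


def effective_paths(sgs):
    """Expand every ingress rule into concrete (source, tier, port) tuples."""
    paths = set()
    for sg in sgs.values():
        for rule in sg["ingress"]:
            src = _source(rule, sgs)
            for port in range(rule["from"], rule["to"] + 1):
                paths.add((src, sg["tier"], port))
    return paths


def audit(sgs, allowed):
    """Return (unexpected, missing): paths the rules open that the design does
    not allow, and allowed paths that no rule actually implements."""
    actual = effective_paths(sgs)
    return sorted(actual - allowed), sorted(allowed - actual)


if __name__ == "__main__":
    unexpected, missing = audit(SECURITY_GROUPS, ALLOWED_PATHS)
    for path in unexpected:
        print("UNEXPECTED ingress: %s -> %s:%d" % path)
    for path in missing:
        print("MISSING ingress:    %s -> %s:%d" % path)
```

Run against the sample it flags only the world-open 3306 rule on the database group; the "missing" list is what catches the opposite failure, a jumpbox or app path that someone quietly removed. Feeding real `describe-security-groups` output needs only a mapping of its IpPermissions entries (FromPort, ToPort, IpRanges, UserIdGroupPairs) into this rule shape.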
Architecture 2: Segmented
• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.
• Features
– Separate Virtual Private Clouds for PCI and non-PCI environments
– Network segmentation between VPCs
• PCI Scope
– Instances in the PCI VPC only
Architecture 3: Connected
• Extending an on-premise network to the AWS PCI environment to leverage existing services.
• Features
– Connectivity between on-premise systems and the AWS PCI environment
– Network segmentation between PCI and non-PCI environments
• PCI Scope
– AWS CDE VPC
– AWS in-scope VPC and in-scope on-premise network
THIRD PARTY SOLUTIONS
Pre-built AMIs
• Familiar technologies
• Trusted vendors
• https://aws.amazon.com/marketplace/
PCI Compliance Related
• AWS Service Gaps
– IDS/IPS
– SIEM
– Patching
– Vulnerability Management
– FIM
• Enhance AWS Services
– Firewalls
– VPN
– AWS Automation
AWS PCI BEST PRACTICES
Non-technical Actions
• Request a copy of the AWS PCI Compliance Package
– Requires NDA
– AWS AOC
– Responsibility Matrix
• Documentation
– Config
– Trusted Advisor
– AMI Identifiers
– AWS Console
– Resource Groups and Tagging
Technical Considerations
• First things first
– Naming conventions
– KMS encryption keys
– Trusted Advisor
• Monitoring
– CloudWatch
• Elastic Load Balancers (ELB)
– Abstract or conceal real endpoints
– ELB all the things!
• Design for the cloud
– Dynamic environments
– Control implementation points
Audit Preparation
• Readiness assessment
• Documentation
• Network diagrams and data flows
• Scope and inventory
• Penetration tests and vulnerability scans
• QSA who knows AWS
QUESTIONS?
EMAIL: [email protected]@anitian.com
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN
THANK YOU