by Adam M. Lechnos, CISSP
Payment Card Industry Data Security Standards or PCI DSS, are a set of 12 requirements with over 300 controls which apply to any organization which stores, processes or transmits credit card data. Today, I will attempt to add some clarity around PCI compliance within AWS.
Concepts and practices were sourced from the referenced document below and here I will break it down further. I do suggest you first read the Architecting for PCI DSS Scoping and Segmentation on AWS and come back to enhance your understanding of the methods being applied and its rationale.
For a quick primer on PCI-DSS, please refer to the council’s overview PDF .Referenced from: https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf
Infrastructure services such as EC2 require the most amount of effort from a PCI compliance perspective based on the AWS Shared Responsibility Model.
Kubernetes on EC2
Like EC2, ECS and EKS are all deemed ‘Infrastructure’ based services. These services expose administrative access and control at the OS layer and hence their designation. Today, since we manually manage Kubernetes in a cluster of EC2 instances, we therefore must apply PCI practices at all layers of the shared responsibility model except for physical controls such as in the examples mentioned above.
AWS Fargate Considerations
Using AWS Fargate in lieu of EC2 hosting Kubernetes would reduce the PCI compliance footprint as Fargate is considered a ‘Containerized’ service and hence, the degree of PCI compliance requirements is greatly reduced as per the AWS Shared Responsibility Model.
URL Load Balancers, API Gateways, and other ‘Abstracted’ services are services in which the degree of control is limited to the movement of data using AWS APIs. AWS handles network, OS, and physical controls therefore, minimizing PCI scope of work.
The instantiation of an Abstracted service within its own AWS Account and the endpoints it connects would be in scope. Fargate would not require network or OS level controls and like EC2 nor physical level controls, like Containerized services.
Network and Encryption Level Abstracted Services
Application Load Balancers, Web Application Firewalls, and KMS must be configured to terminate TLS version 1.1 or greater between itself and all endpoints.
Connected-to and Security-Impacting Gotchas
Any service that supports, directly impacts, or provide security to the CDE fall with-in scope of PCI compliance.
Abstracted Service Caveats
Normally, if Abstracted services such as AWS S3 or Application Load Balancer transmits or stores CHD, these services fall with-in scope of PCI compliance. Since these services are considered ‘Abstracted’, network and OS level controls do not apply. If these services do not handle CHD, segmentation is assumed and therefore out of scope for PCI compliance even if located within the same CDE environment.
S3 Bucket without CHD
S3 Bucket with CHD
SQS without CHD
SQS with CHD
Within the newly created AWS PCI Zone, replacing Kubernetes on EC2 with Fargate and possibly Kafka with SQS, would eliminate many of the PCI requirements in that zone as a result of using only. Abstracted and Containerized services as mentioned in the preceding examples above.
by Adam M. Lechnos, CISSP