5 Essential Tips for PCI Compliance in AWS
PCI is a globally accepted security standard that applies to a broad range of sensitive workloads, including the processing and storage of payment card data. The AWS shared responsibility model splits security into two parts. First, the security measures provided by AWS are described as “security OF the cloud”. Second, the security measures implemented by the customer are described as “security IN the cloud”.
AWS provides the services and frameworks needed to build secure applications in the cloud, but it is the customer's job to implement and maintain them correctly. Here are five essential tips for addressing PCI compliance requirements when working in AWS:
Install and maintain a firewall configuration to protect cardholder data
It’s important to install and maintain a firewall configuration that protects cardholder data, and to set up security groups that restrict administrative access to known administrator sources only. Access to the cardholder database should be permitted only from the application instances, by referencing the application tier's security group in the database security group's inbound rules rather than opening the database port to an IP range. Segregate your production and development environments using separate security groups. Lastly, enable encryption on the RDS database and additionally encrypt the database fields that hold sensitive data.
Encrypt transmission of cardholder data across open, public networks
An AWS security best practice is to use IAM together with AWS Directory Service, which controls access to the AWS console and to EC2 instances. To encrypt cardholder data in transit, configure your ELB with a TLS (SSL) certificate so that client connections to the load balancer are encrypted.
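As an added example (not code from the original post or from Relus), the following Python audits constructed, boto3-shaped records for the controls described in the two tips above: database ports reachable only from the application tier's security group, RDS storage encryption, no public database endpoint, and load balancer listeners that accept only TLS. The group IDs, instance names and listener ARNs are hypothetical, and the application tier is assumed to use a security group called sg-app; in practice the same checks would run over real describe_security_groups, describe_db_instances and describe_listeners responses.

```python
"""Offline audit of constructed AWS-style resource records: database ports reachable
only from the application tier, RDS storage encryption, no public DB endpoint, and
TLS-only load balancer listeners. The records are shaped like boto3
describe_security_groups / describe_db_instances / describe_listeners output but are
constructed samples, not live API responses."""

# Assumed: the application tier's instances use security group "sg-app".
APP_TIER_GROUPS = {"sg-app"}
# Ports of the database engines we care about (MySQL, PostgreSQL, SQL Server).
DB_PORTS = {3306, 5432, 1433}
TLS_PROTOCOLS = {"HTTPS", "TLS"}

# Constructed sample data (hypothetical IDs).
SECURITY_GROUPS = [
    {"GroupId": "sg-app", "GroupName": "prod-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "GroupName": "prod-db", "IpPermissions": [
        # correct: database port reachable only from the application group
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-db-dev", "GroupName": "dev-db", "IpPermissions": [
        # weak: database port open to the whole internet
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-cardholder", "StorageEncrypted": True,
     "PubliclyAccessible": False, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]},
    {"DBInstanceIdentifier": "dev-cardholder", "StorageEncrypted": False,
     "PubliclyAccessible": True, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db-dev"}]},
]
LISTENERS = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:::listener/prod-https",
     "Protocol": "HTTPS", "Port": 443},
    {"ListenerArn": "arn:aws:elasticloadbalancing:::listener/prod-http",
     "Protocol": "HTTP", "Port": 80},
]


def rule_covers_port(rule, port):
    """True if an inbound rule permits traffic to the given TCP port."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_security_group(group):
    """Flag database ports reachable from anything other than the app tier's group."""
    findings = []
    for rule in group["IpPermissions"]:
        ports = sorted(p for p in DB_PORTS if rule_covers_port(rule, p))
        if not ports:
            continue
        # Any CIDR-based rule on a database port is a finding; the source should be
        # the application security group, not an address range.
        for cidr in rule.get("IpRanges", []):
            findings.append((group["GroupId"],
                             f"database port(s) {ports} open to CIDR {cidr['CidrIp']}; "
                             "allow only the application security group instead"))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in APP_TIER_GROUPS:
                findings.append((group["GroupId"],
                                 f"database port(s) {ports} open to non-application "
                                 f"group {pair['GroupId']}"))
    return findings


def audit_db_instance(db):
    """Flag unencrypted storage and databases exposed with a public endpoint."""
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append((db["DBInstanceIdentifier"], "storage is not encrypted at rest"))
    if db.get("PubliclyAccessible"):
        findings.append((db["DBInstanceIdentifier"], "instance is publicly accessible"))
    return findings


def audit_listener(listener):
    """Flag load balancer listeners that accept cleartext traffic."""
    if listener["Protocol"] not in TLS_PROTOCOLS:
        return [(listener["ListenerArn"],
                 f"listener on port {listener['Port']} uses {listener['Protocol']}, not TLS")]
    return []


def run_audit(groups=SECURITY_GROUPS, dbs=DB_INSTANCES, listeners=LISTENERS):
    """Return every finding across the three resource types as (resource, message)."""
    findings = []
    for g in groups:
        findings.extend(audit_security_group(g))
    for db in dbs:
        findings.extend(audit_db_instance(db))
    for lst in listeners:
        findings.extend(audit_listener(lst))
    return findings


if __name__ == "__main__":
    for resource, message in run_audit():
        print(f"FINDING {resource}: {message}")
```

Running it reports four findings on the constructed data: the dev database group open to 0.0.0.0/0, the dev instance both unencrypted and publicly accessible, and the port 80 listener. The production resources pass, which is the shape you want the audit to confirm after every environment change.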
Track and monitor all access to network resources and cardholder data
It’s important to track access to network resources and cardholder data using AWS CloudTrail, which records the API calls made in your account, together with the authentication logs from the Directory service. This combination records access attempts; the logs must then be reviewed for unauthorized or suspicious access.
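The kind of log review this tip calls for, as an added example that is not part of the original post: a small Python detector run over constructed CloudTrail-style records (field names follow CloudTrail's JSON format; the users, IP addresses and the failure threshold are assumptions). It flags repeated console login failures from one address, console logins without MFA, denied API calls, security group changes and root account use.

```python
"""Simple detections over constructed CloudTrail-style records: repeated console
login failures, console logins without MFA, denied API calls, security group
changes and root account activity. Field names follow CloudTrail's JSON format,
but the records are constructed samples, not real log data."""
from collections import Counter

LOGIN_FAILURE_THRESHOLD = 3            # assumed tuning value for the brute-force rule
DENIED_ERROR_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
FIREWALL_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def console_login(time, user, ip, outcome, mfa=None):
    """Build a constructed ConsoleLogin record (hypothetical user and address)."""
    rec = {"eventTime": time, "eventSource": "signin.amazonaws.com",
           "eventName": "ConsoleLogin", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "responseElements": {"ConsoleLogin": outcome}}
    if mfa is not None:
        rec["additionalEventData"] = {"MFAUsed": mfa}
    return rec


# Constructed sample records; IP addresses come from documentation ranges.
EVENTS = [
    console_login("2024-03-01T08:00:01Z", "alice", "203.0.113.5", "Failure"),
    console_login("2024-03-01T08:00:09Z", "alice", "203.0.113.5", "Failure"),
    console_login("2024-03-01T08:00:20Z", "alice", "203.0.113.5", "Failure"),
    console_login("2024-03-01T08:05:00Z", "bob", "198.51.100.7", "Success", mfa="No"),
    console_login("2024-03-01T08:06:00Z", "carol", "198.51.100.8", "Success", mfa="Yes"),
    {"eventTime": "2024-03-01T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-03-01T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventTime": "2024-03-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.9",
     "userIdentity": {"type": "Root"}},
]


def actor(event):
    """Human-readable principal: the IAM user name, else the identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(events):
    """Return a list of (rule, detail) alerts for the given records, in event order."""
    alerts = []
    failures = Counter()                 # failed console logins per source address
    for ev in events:
        name = ev.get("eventName")
        ip = ev.get("sourceIPAddress", "?")
        who = actor(ev)
        if name == "ConsoleLogin":
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures[ip] += 1
                if failures[ip] == LOGIN_FAILURE_THRESHOLD:   # alert once per burst
                    alerts.append(("brute-force-console",
                                   f"{LOGIN_FAILURE_THRESHOLD} failed console logins from {ip}"))
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                alerts.append(("console-login-no-mfa",
                               f"{who} logged in to the console from {ip} without MFA"))
        if ev.get("errorCode") in DENIED_ERROR_CODES:
            alerts.append(("access-denied",
                           f"{who} was denied {ev.get('eventSource')}:{name} from {ip}"))
        if name in FIREWALL_CHANGE_EVENTS:
            alerts.append(("firewall-change", f"{who} changed a security group via {name}"))
        if ev.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("root-activity", f"root account used for {name} from {ip}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

On the sample records this yields five alerts: one for the three failures from 203.0.113.5, one for bob's login without MFA, one for his denied S3 call, one for carol's security group change, and one for root activity. Carol's MFA-protected login produces nothing. In production the same logic would be fed from a CloudTrail trail delivered to S3 or CloudWatch Logs, and the firewall-change alerts are what let you catch the configuration drift the closing paragraph warns about.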
Regularly test security systems and processes
Make sure you are regularly patching and monitoring your systems. Testing the security of your instances falls on your side of the AWS shared responsibility model. Have your code reviewed and scanned for vulnerabilities, and use security scanning tools on both your infrastructure and your applications.
Maintain a policy that addresses information security for all personnel
After implementing the above best practices, one of the best actions you can take is to create an information security policy. This policy should cover the responsibilities of staff and include a formal security awareness plan. The policy may also include an incident response plan, so that you are fully prepared in the event of a security breach or a newly discovered vulnerability.
The security of an application is ultimately the responsibility of the application owner. Monitoring for changes in the application environment is critical to maintaining a secure environment: an architecture that is secure at the start can drift out of compliance as changes are made over time. It is also important to proactively patch and improve the security of systems over time. For more information on PCI compliance, please contact a Relus Cloud Expert and we'll show you how to properly handle PCI compliance.