Building, maintaining PCI-DSS compliant cloud infrastructure in AWS with cloudandthings.io

Evan Rubin, Technical Lead for Cloud at cloudandthings.io
Evan Rubin, Technical Lead for Cloud at cloudandthings.io

As financial services organisations increasingly move their operations to the cloud, ensuring Payment Card Industry Data Security Standard (PCI DSS) compliance remains a top priority.

“Building and maintaining PCI-DSS-compliant cloud infrastructure in AWS with cloudandthings.io offers a reliable foundation for creating secure, scalable and PCI-compliant environments. For organisations handling payment card data, the cloudandthings.io managed AWS environment follows the PCI-DSS requirements, ensuring that sensitive data is protected while maintaining the flexibility and agility of the cloud,” says Evan Rubin, Technical Lead for Cloud at cloudandthings.io.

PCI-DSS and AWS Managed Services by cloudandthings.io

As a payment gateway provider, our client needs to pass their PCI-DSS audit annually. We delivered a managed AWS environment on which all their cloud workloads are securely provisioned and maintained as per the required standards.

The challenge was twofold: auditing a cloud environment differs from auditing an on-premises set-up and securing workloads in the cloud requires a different approach when compared to traditional on-premises security measures. Both the client and the auditors required cloudandthings.io’s support in conducting the audit and addressing any identified issues.

Our team collaborated closely with the auditing firm, ensuring they had access to all necessary accounts and networks to conduct the audit. We also provided the auditors with AWS documentation detailing the standards adhered to by the various AWS services.

Key components of a PCI-compliant AWS Landing Zone

● Account structure and isolation

  • A critical aspect of PCI compliance is isolating environments to prevent unauthorised access and data leakage. AWS Landing Zone supports a multi-account strategy where each account can be dedicated to a specific function (eg, development, testing, production) or compliance scope (eg, cardholder data environment, non-cardholder data environment).
  • AWS organisations allow you to group accounts into OUs, enabling centralised management and the application of service control policies (SCPs) for compliance.

● Network security

  • Implement a virtual private cloud (VPC) with strict subnet segregation, ensuring that PCI scope is limited to specific subnets. Use network access control lists (NACLs) and security groups to control traffic flow, adhering to the principle of least privilege.
  • Enforce TLS 1.2 or higher for all communications involving cardholder data. AWS Certificate Manager (ACM) can help manage SSL/TLS certificates efficiently.

● Identity and access management (IAM)

  • Implement RBAC using AWS IAM to ensure that only authorised personnel can access PCI-relevant systems. Use IAM roles with strict permissions and enforce multi-factor authentication (MFA) for all users accessing sensitive environments.
  • Leverage AWS single sign-on (SSO) for federated access, ensuring that user identities are managed according to PCI requirements.
  • Ensure any roles or permissions follow a least-privilege permission model.

● Monitoring and logging

  • AWS CloudTrail and Config: Enable CloudTrail and AWS Config across all accounts to capture detailed logs of all API activity and configuration changes. These logs are crucial for audit purposes and for detecting and responding to security incidents.
  • Log aggregation: Centralise logs in an Amazon S3 bucket or use AWS Security Hub and Amazon GuardDuty for real-time threat detection and monitoring across the Landing Zone.

● Data protection

  • Utilise AWS Key Management Service (KMS) to encrypt all sensitive data at rest. Ensure that encryption keys are rotated regularly and that access to keys is strictly controlled.
  • For certain PCI use cases, consider implementing data masking or tokenisation to further protect sensitive information.

● Automation and infrastructure as code (IaC)

  • Use AWS Control Tower to automate the set-up and governance of your Landing Zone, ensuring that all deployed resources meet PCI requirements. Control Tower provides blueprints and guardrails that align with best practices.
  • Automate the deployment of PCI-compliant infrastructure using Terraform. This ensures consistency across environments and makes it easier to manage compliance over time.

Following the completion of the audit, we collaborated closely with the client team to address the audit findings related to their workloads.

This involved building CI/CD pipelines to deploy their applications using PCI-Certified Golden Images, ensuring all data was encrypted with KMS, and implementing various other necessary adjustments to the infrastructure supporting their workloads.

Best practices for PCI compliance with AWS Managed Services by cloudandthings.io

Below are some of the best practices being followed as part of the cloudandthings.io AWS Managed Services:

  1. Regular Compliance Audits: Conduct regular audits of your AWS environment to ensure ongoing PCI compliance. Use AWS Audit Manager to streamline the process and generate reports that align with PCI DSS requirements.
  2. Security by Design: Integrate security into every layer of your Landing Zone design. This includes implementing least privilege access, network segmentation, and continuous monitoring from the outset.
  3. Continuous Monitoring and Incident Response: Establish a robust incident response plan and continuously monitor your environment for potential threats. AWS services like GuardDuty, Security Hub, and CloudWatch can help automate threat detection and response.
  4. Document and Maintain Compliance: Maintain thorough documentation of your compliance controls and procedures. This documentation will be essential during PCI audits and for demonstrating compliance to stakeholders.

Conclusion

cloudandthings.io provides a managed services framework for building PCI-compliant cloud environments on AWS, by implementing the best practices outlined above and leveraging our extensive experience from numerous engagements in the banking and payment industry.

Our AWS Cloud Managed Services ensures that PCI compliance is consistently managed through continuous monitoring, automated controls and proactive maintenance, allowing organisations to focus on their core business while confidently meeting regulatory requirements.

Share