PCI compliance involves adhering to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS standards are designed to secure credit and payment card transactions by reducing fraud and data breaches.
Being PCI compliant on AWS means that the cloud infrastructure provided by Amazon, and workloads managed by customers on this infrastructure, meet the necessary security standards for processing, storing, or transmitting credit card information.
This is part of a series of articles about cloud compliance.
In this article:
- AWS PCI Compliance and the Shared Responsibility Model
- Which AWS Services Are PCI Compliant?
- AWS PCI Tools to Help Your Compliance Strategy
- Customer Responsibilities for Achieving PCI Compliance on AWS
AWS PCI Compliance and the Shared Responsibility Model
PCI compliance on AWS operates under a shared responsibility model, which means both AWS and its customers have roles to play. AWS is responsible for the security “of” the cloud, which includes protecting the infrastructure that runs all of the services offered in the AWS Cloud. This covers areas like physical security of data centers, hardware maintenance, and the virtualization layer. Customers are responsible for security “in” the cloud. This means customers must manage their own operating systems, platforms, and data, including how they configure and use AWS services in a secure manner.
For example, while AWS ensures that the underlying hardware and managed services are secure and compliant, customers must configure their instances, data, and applications to meet PCI DSS requirements. Misconfigurations by the user, such as making an S3 bucket public, can lead to non-compliance even if the service itself is secure. Thus, AWS provides the tools and frameworks necessary for security and compliance, but the responsibility for implementing these tools correctly lies with the customer.
The complexity of PCI compliance increases with the breadth of services and configurations. While AWS provides documentation, security controls, and compliant infrastructure, customers must ensure that they implement these controls properly. This includes managing user access, ensuring data encryption, and maintaining an updated and secure environment. AWS offers guidance and resources, but ultimately, the responsibility for maintaining PCI DSS compliance rests with the customer.
Which AWS Services Are PCI Compliant?
The following Amazon services are AWS compliant. The information was shared by Amazon and updated as of December, 2023.
| Category | AWS Services |
| Compute | Amazon EC2, AWS Lambda, Amazon ECS, Amazon EKS, AWS Elastic Beanstalk |
| Storage | Amazon S3, Amazon EFS, Amazon FSx, AWS Backup, Amazon S3 Glacier |
| Database | Amazon RDS, Amazon DynamoDB, Amazon Redshift, Amazon DocumentDB, Amazon Neptune |
| Networking & Content Delivery | Amazon VPC, Elastic Load Balancing, Amazon CloudFront, AWS Direct Connect |
| Security, Identity, & Compliance | AWS IAM, AWS KMS, AWS Artifact, Amazon GuardDuty, AWS Security Hub |
| Management & Governance | AWS CloudTrail, AWS Config, AWS Control Tower, AWS Systems Manager |
| Analytics | Amazon Athena, Amazon EMR, Amazon QuickSight, AWS Glue |
| Machine Learning | Amazon SageMaker, Amazon Comprehend, Amazon Rekognition, Amazon Lex |
| Application Integration | Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions |
| Developer Tools | AWS CodeBuild, AWS CodeCommit, AWS CodePipeline, AWS Cloud9 |
| End User Computing | Amazon WorkSpaces, Amazon AppStream 2.0 |
| IoT | AWS IoT Core, AWS IoT Greengrass, AWS IoT SiteWise, AWS IoT Events |
| Media Services | AWS Elemental MediaConvert, AWS Elemental MediaLive, AWS Elemental MediaPackage |
| Migration & Transfer | AWS Migration Hub, AWS DataSync, AWS Transfer Family, AWS Application Migration Service |
| Customer Engagement | Amazon Connect, Amazon Pinpoint |
| Robotics | AWS RoboMaker |
| Satellite | AWS Ground Station |
| Blockchain | Amazon Managed Blockchain, Amazon QLDB |
AWS PCI Tools to Help Your Compliance Strategy
AWS offers several tools that can help organizations ensure PCI compliance.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity. Using machine learning, anomaly detection, and integrated threat intelligence, GuardDuty provides alerts to help pinpoint potential security vulnerabilities or unauthorized behaviors.
Amazon Inspector
Amazon Inspector is an automated security assessment service that automatically checks applications for vulnerabilities or deviations from best practices. For organizations subject to PCI DSS, Inspector’s assessments help ensure that applications handling cardholder data are protected against common exploits and misconfigurations.
AWS Artifact
AWS Artifact provides on-demand access to AWS’s compliance documentation and agreements, including PCI DSS reports. It allows customers to download AWS compliance reports, helping them to conduct audits and manage their own compliance in accordance with PCI standards.
Customer Responsibilities for Achieving PCI Compliance on AWS
Here are the primary customer responsibilities when deploying PCI-compliant systems on AWS.
1. Firewalls
Firewalls serve as a barrier between secure internal networks and potential external threats. In PCI-compliant environments on AWS, customers are responsible for setting up and maintaining firewalls to protect data environments. Proper configuration of firewalls ensures that only authorized traffic is allowed, conforming to PCI DSS requirements.
2. Data Encryption
On AWS, customers must ensure that all cardholder data is encrypted both at rest and during transmission. AWS provides tools like AWS KMS (Key Management Service) to manage encryption keys securely.
3. User Authentication and Authorization
AWS customers must ensure that access controls are set up to allow only authorized personnel to retrieve or process payment data. This includes implementing strong authentication methods and maintaining strict user role definitions. AWS provides services like IAM (Identity and Access Management) to help manage user access, but customers are responsible for configuring them.
4. Monitoring and Logging
AWS customers must implement comprehensive logging mechanisms that capture and keep records of all access to and manipulation of cardholder data. AWS offers tools like CloudTrail for logging and monitoring user activities, but it is up to customers to configure these tools to capture adequate and necessary information.
5. AWS Master Accounts
The AWS master accounts structure helps in managing multiple AWS accounts securely. Customers must design their AWS environments to segregate duties, limit the risk of unauthorized access, and manage resources efficiently. The master account oversees user access and resource usage, ensuring consistent compliance across all sub-accounts.
6. Virtual Private Cloud Peering
Virtual Private Cloud (VPC) peering allows connectivity between two VPCs in AWS, enabling resources to communicate across different virtual networks securely. For PCI compliance, it is essential that all transferred data through VPC peering routes is encrypted and movements are monitored. Proper configuration and management of VPC peering involves implementing appropriate firewall rules, establishing precise routing policies, and monitoring network traffic.
Related content: Read our guide to AWS cloud security
