Configuring Network Border Controls
Supporting PCI Requirement 1 in AWS
The focus of PCI Requirement 1 is configuring firewalls to protect CHD. To support compliance for this requirement, AWS provides the following network border capabilities:
- Amazon Virtual Privacy Cloud (VPC)
- EC2 Security Groups
- VPC Network Access Control Lists (NACLs)
- AWS Identity and Access Management (IAM)
While AWS does provide these firewall capabilities, you have control over how these are configured. Under the Shared Responsibility model, it is your responsibility to properly architect the infrastructure, configure these functions, and implement policies and procedures that govern these configurations. Strategically use these network border capabilities to comply with PCI Requirement 1.
Transcription
A common misconception about PCI compliance in AWS is that AWS is responsible for things that you don’t have to interact with. While that’s true for some of the requirements, it’s too often stated to us, “Well, AWS handles all of the network border controls. We’re not responsible for that.” While AWS provides you with the capabilities, it is your responsibility to have policies and procedures that govern how you have those things configured and it is your responsibility to configure those controls that AWS provides you for your own PCI compliance purposes. It’s up to you on how you configure the VPC, it’s up to you on how you configure security groups. You have control over IAM and you are the one responsible for putting access control lists in place. Use these capabilities that AWS has provided to you, but put these configuration standards in place to put your own network border controls in place because, ultimately, they are your responsibility.
Related Videos
AWS Controls for Implementing a DMZ
Authenticate and Authorize Users with Client Certificates
Avoid Using Default Service Account When Configuring Instances
Best Practices for Container Security
Best Practices for Secret Management
Consistently Manage User Accounts with OS Login
Create a Minimal Audit Policy for Logging
Do Not Enable Serial Ports for VM Instance
Do Not Use Project-Wide SSH Keys When Authenticating Instances
Do Not Use RSASHA1 for DNSSEC Key-Signing Keys
Enable DNSSEC to Protect DNS Protocols
Enable HTTPS Connections on App Engine Applications
Enable Shielded VM to Ensure Operating System is Trustworthy
Enable VPC Flow Logs for Every Subnet
Encrypt BigQuery Datasets with Customer Managed Encryption Key (CMEK)
Ensure BigQuery Datasets Are Not Publicly Accessible
Ensure Cloud Storage Buckets Are Not Publicly Accessible
Ensure Container Network Interfaces Support Network Policies
Ensure GKE Nodes are Configured Properly
Ensure Kubernetes Idle Timeout Parameter is Appropriately Set
Ensure No Weak SSL Cipher Suites Are Permitted
Ensure Only Authorized Users Can Create Security Groups
Ensure to Restrict SSH Access from the Internet
GKE Cluster Configuration Security Benchmarks
General Policies for Cluster Management
Harden Cloud SQL Database with Logging
House Accounts in CloudTrail
How To Configure Your Cluster Networks
How to Configure Kubelet Within Your Environment
How to Restrict Public Access to S3 Buckets
How to Use S3 Bucket Policies
IP Forwarding Should Not Be Enabled for Instances
Image Registry and Scanning Best Practices
Industry Best Practices for Configuration Standards
Introduction to AWS Network Firewall
Introduction to AWS WAF and Shield
Introduction to Amazon EKS
Introduction to PCI DSS Requirement 1
Introduction to PCI Requirement 2.mp4
Leverage Confidential Computing to Protect Data
Manage Access Securely Using Uniform Bucket-Level Access
Meeting Firewall and Router Configuration Standards
Migrate Away from RSASHA1 for DNSSEC Zone-Signing Keys
Migrate Legacy Networks to VPC Networks
Minimize Public IP Address on Compute Instances
Minimize Root and SA Account Access in Cloud SQL
Network Segmentation for AWS
Networking Configurations in Kubernetes Environment
Node MetaData Recommendations in GKE
PCI DSS Requirement 1.1.1 - Implementing a Change Control Program
PCI DSS Requirement 1.1.2 and 1.1.3 - Network Documentation Best Practices
PCI DSS Requirement 1.1.4 - Establishing a Firewall and DMZ
PCI DSS Requirement 1.1.5 Defining Roles and Responsibilities for Managing Network Components
PCI DSS Requirement 1.1.6 Documentation of Business Justification & Approval for use of all Services, Ports and Protocols
PCI DSS Requirement 1.1.7 - Review Firewall and Router Rule Sets
PCI DSS Requirement 1.2 Restrict Connections to Untrusted Networks
PCI DSS Requirement 1.2.1 Restrict Traffic to that which is Necessary
PCI DSS Requirement 1.2.2 Secure and Synchronize Router Configuration Files
PCI DSS Requirement 1.2.3 Install Firewalls Between all Wireless Networks and the CDE
PCI DSS Requirement 1.3.1 - Establishing a DMZ
PCI DSS Requirement 1.3.2 Limit Inbound Internet Traffic
PCI DSS Requirement 1.3.3 - Implement Anti Spoofing Measures
PCI DSS Requirement 1.3.4 - Deny Unauthorized Outbound Traffic
PCI DSS Requirement 1.3.5 - Permit Only Established Connections into the Network
PCI DSS Requirement 1.3.6 Segregate the CDE from the DMZ
PCI DSS Requirement 1.3.7 Do Not Disclose Private IP Addresses
PCI DSS Requirement 1.4 Install Personal Firewall Software
PCI DSS Requirement 1.5 Ensure Security Policies are Known to all Affected Parties
PCI Requirement 2.1 - Always Change Vendor-Supplied Defaults
PCI Requirement 2.1.1 - Change all Wireless Vendor Defaults
PCI Requirement 2.2 - Develop Configuration Standards for all System Components
PCI Requirement 2.2.1 - Implement Only One Primary Function Per Server
PCI Requirement 2.2.2 - Enable Only Necessary Services, Protocols and Daemons
PCI Requirement 2.2.3 - Implement Additional Security Features
PCI Requirement 2.2.4 - Configure System Security Parameters to Prevent Misuse
PCI Requirement 2.2.5 - Remove all Unnecessary Functionality
PCI Requirement 2.3 - Encryption
PCI Requirement 2.4 - Maintain an Inventory of In-Scope System Components
PCI Requirement 2.5 - Ensure Security Policies Are Known to All Affected Parties
PCI Requirement 2.6 - Shared Hosting Providers Must Protect Each Entity’s Hosted Environment
PCI Requirement 6.4 – Follow Change Control Processes & Procedures for Changes to System Components
Pods Security Policies Benchmarks
Preventing Publicly Available S3 Buckets
Protect Against Threats With Extensible Admission Control
Protect Kernel Defaults Through Configuration Settings
Remove Default Networks from All Projects
Restrict API Permissions If Using Default Service Accounts
Restrict RDP Authorized Access from the Internet
Restrict Unnecessary External Access in Cloud SQL
Reviewing Firewall and Router Configurations
SOC 2 Academy: Change Control Processes
SOC 2 Academy: Change Management Best Practices
Specify Customer-Managed Encryption Key (CMEK) as Default in BigQuery Datasets
Systems Manager Maintenance
The Importance of Patch Management in Virtual Machines
Use Customer Supplied Encyryption Keys (CSEK) for Critical VM Disks
Use Identity Aware Proxy (IAP) to Restrict Access to Network
Use TLS to Encrypt All Connections in Cloud SQL
Utilize Managed Disks for Virtual Machines
