Configuring Network Border Controls

Supporting PCI Requirement 1 in AWS 
The focus of PCI Requirement 1 is configuring firewalls to protect CHD. To support compliance for this requirement, AWS provides the following network border capabilities:

  • Amazon Virtual Privacy Cloud (VPC)
  • EC2 Security Groups
  • VPC Network Access Control Lists (NACLs) 
  • AWS Identity and Access Management (IAM) 

While AWS does provide these firewall capabilities, you have control over how these are configured. Under the Shared Responsibility model, it is your responsibility to properly architect the infrastructure, configure these functions, and implement policies and procedures that govern these configurations. Strategically use these network border capabilities to comply with PCI Requirement 1. 

Transcription
A common misconception about PCI compliance in AWS is that AWS is responsible for things that you don’t have to interact with. While that’s true for some of the requirements, it’s too often stated to us, “Well, AWS handles all of the network border controls. We’re not responsible for that.” While AWS provides you with the capabilities, it is your responsibility to have policies and procedures that govern how you have those things configured and it is your responsibility to configure those controls that AWS provides you for your own PCI compliance purposes. It’s up to you on how you configure the VPC, it’s up to you on how you configure security groups. You have control over IAM and you are the one responsible for putting access control lists in place. Use these capabilities that AWS has provided to you, but put these configuration standards in place to put your own network border controls in place because, ultimately, they are your responsibility. 

Related Videos