Enforcing Strong Encryption in AWS
Protecting the AWS Management Console
PCI Requirement 2.3 states, “Encrypt all non-console administrative access using strong cryptography.” But if you’re using AWS, you’re never going to have anything other than non-console access. To comply with this PCI requirement, all management of AWS resources must use encryption (SSH, HTTPS, VPN).
The AWS Management Console also comes into play here; AWS says that because the Management Console and the AWS CLI are susceptible to attacks, they must be treated like any other system that affects the security of the CDE. Controlling access to the AWS Management Console is extremely important both to security and to scoping your PCI assessment.
Transcription
PCI Requirement 2.3 requires that you secure any non-console access to your system. If you’re using Amazon Web Services, you’re never going to have anything other than non-console access. You’re never going to be sitting in front of a system managing it directly. Everything is going to be coming in through your AWS Management Console. So how you provide that access out to systems that are connecting to your environment and managing your systems is up to you. You need to ensure that you’re using VPN or SSH or HTTPS to ensure that those sessions are encrypted. You want to enforce strong encryption using something like TLS 1.2 and ensure that you have nothing enabled that is not encrypted.
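One way to verify the TLS 1.2 floor described above on the defender side, added here as an example and not code from the original post: it scans CloudTrail-style records for management API calls negotiated below TLS 1.2. It assumes CloudTrail's tlsDetails.tlsVersion field; the records and ARNs are constructed sample data.

```python
import json

MIN_TLS = (1, 2)  # the TLS 1.2 floor the post recommends

# Constructed sample CloudTrail-style records (not real log output).
# The tlsDetails.tlsVersion field is assumed to be present as CloudTrail emits it.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-a"},
     "tlsDetails": {"tlsVersion": "TLSv1.2"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/legacy-script"},
     "tlsDetails": {"tlsVersion": "TLSv1.1"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-b"},
     "tlsDetails": {"tlsVersion": "TLSv1.3"}},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
]})


def parse_tls_version(value):
    """'TLSv1.2' -> (1, 2); anything unparseable -> None."""
    if not isinstance(value, str) or not value.startswith("TLSv"):
        return None
    try:
        major, minor = value[4:].split(".")
        return (int(major), int(minor))
    except ValueError:
        return None


def find_weak_tls_calls(records_json, minimum=MIN_TLS):
    """Return (principal, eventSource, eventName, tlsVersion) for each call
    below `minimum`. Records with no tlsDetails are reported as 'unknown'
    so they get reviewed rather than silently passing the check."""
    findings = []
    for rec in json.loads(records_json)["Records"]:
        version_str = rec.get("tlsDetails", {}).get("tlsVersion")
        version = parse_tls_version(version_str)
        if version is None or version < minimum:
            findings.append((rec.get("userIdentity", {}).get("arn", "?"),
                             rec["eventSource"], rec["eventName"],
                             version_str or "unknown"))
    return findings


if __name__ == "__main__":
    for finding in find_weak_tls_calls(SAMPLE_RECORDS):
        print("TLS below 1.2 or unknown:", *finding)
```

Run it against a real CloudTrail export to find principals and scripts still negotiating old TLS versions before they are cut off.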