Meeting Firewall and Router Configuration Standards
Industry-Accepted Firewall and Router Standards for AWS
During a PCI assessment, your assessor will need to verify that your firewall and router configuration standards are consistent with industry best practices. That means there must be a documented methodology behind your firewall and router configurations, not a collection of rules that grew over time. You do not have to start from scratch: you can build your standard on industry-accepted resources such as:
- NIST SP 800-41: Guidelines on Firewalls and Firewall Policy
- CIS Control 11 (CIS Controls v7): Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- SANS Firewall Checklist
- SANS Methodology for Firewall Reviews for PCI Compliance
The PCI Data Security Standard requires that you configure firewalls and routers according to documented standards and that you then test those configurations to confirm they behave the way you intended. On AWS, the managed services that map to this work are AWS WAF (web application firewall), AWS Shield (DDoS protection) and AWS Firewall Manager (central policy management across accounts). Keep in mind that WAF and Shield operate at the web and DDoS layers and Firewall Manager is a policy layer; the network-layer equivalents of the firewalls and routers in your VPC are security groups, network ACLs and route tables, so your configuration standard and your testing have to cover those as well. Together these are the tools AWS gives you to configure things according to your standards and to verify the result, as PCI DSS Requirement 1.1.4 requires.
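As an added example (not code from the original page, from AWS or from any of the standards listed above), here is one way to turn a written firewall standard into an automated check over VPC security-group rules, which is the "test that you configured it the way you expected" half of the requirement. The standard itself, the `Role` tag convention and the sample security groups are constructed for illustration; the sample data follows the shape that boto3's `ec2.describe_security_groups()` returns, so a real run would substitute that call for the constant.

```python
"""Check VPC security-group ingress rules against a documented firewall standard.

Added example, not the page's own code. The standard, the Role tag convention
and SAMPLE_GROUPS are constructed; SAMPLE_GROUPS mirrors the dict shape of
boto3 ec2.describe_security_groups()["SecurityGroups"], so a real run would
replace it with that call. Only CIDR sources are checked; rules whose source
is another security group (UserIdGroupPairs) need their own review.
"""
from ipaddress import ip_network

# Constructed standard (assumption): per security-group role, which TCP/UDP
# ports may be reached from the Internet and which only from internal space.
STANDARD = {
    "web-tier": {"internet": {443}, "internal": {22}},
    "db-tier": {"internet": set(), "internal": {5432}},
}
INTERNAL_CIDRS = [ip_network("10.0.0.0/8")]  # assumed internal address space
ANYWHERE = {"0.0.0.0/0", "::/0"}


def classify_source(cidr):
    """Return 'internet', 'internal' or 'unknown' for one source CIDR."""
    if cidr in ANYWHERE:
        return "internet"
    net = ip_network(cidr, strict=False)
    if any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_CIDRS):
        return "internal"
    return "unknown"


def role_of(group):
    """Map a security group to a standard entry via its Role tag (assumed convention)."""
    for tag in group.get("Tags", []):
        if tag.get("Key") == "Role":
            return tag.get("Value")
    return None


def check_permission(gid, role, perm):
    """Findings for one IpPermissions entry of a group's ingress rule set."""
    allowed = STANDARD[role]
    proto = perm.get("IpProtocol")
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    findings = []
    for src in sources:
        zone = classify_source(src)
        if zone == "unknown":
            findings.append(f"{gid} ({role}): source {src} is neither Internet nor documented internal space")
            continue
        if proto not in ("tcp", "udp"):
            # "-1" means all protocols and ports; icmp has no ports. Neither is in the standard.
            findings.append(f"{gid} ({role}): protocol {proto} from {src} is not covered by the standard")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        permitted = allowed["internet"] if zone == "internet" else allowed["internet"] | allowed["internal"]
        bad = [p for p in range(lo, hi + 1) if p not in permitted]
        if bad:
            findings.append(f"{gid} ({role}): {proto} {lo}-{hi} from {src} exposes port {bad[0]} outside the standard")
    return findings


def check_groups(groups):
    """Return a list of human-readable findings; an empty list means the groups match the standard."""
    findings = []
    for group in groups:
        gid, role = group["GroupId"], role_of(group)
        if role not in STANDARD:
            findings.append(f"{gid}: Role tag {role!r} has no entry in the standard")
            continue
        for perm in group.get("IpPermissions", []):
            findings.extend(check_permission(gid, role, perm))
    return findings


# Constructed sample data in describe_security_groups() shape (not from a real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-sample", "Tags": [{"Key": "Role", "Value": "web-tier"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # SSH to the world
     ]},
    {"GroupId": "sg-db-sample", "Tags": [{"Key": "Role", "Value": "db-tier"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # all traffic from internal space
     ]},
    {"GroupId": "sg-untagged-sample", "Tags": [], "IpPermissions": []},  # no role, so no standard applies
]

if __name__ == "__main__":
    for finding in check_groups(SAMPLE_GROUPS):
        print(finding)
```

Run against the sample data this reports three findings: SSH open to the Internet on the web tier, an all-protocols rule on the database tier, and a group that cannot be mapped to any standard. The point of encoding the standard as data is that the same file is what the assessor reads and what the check enforces, so the two cannot drift apart silently.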