10 Step Guide for Making your AWS Application PCI-DSS Compliant
According to the information available on the Amazon Web Services (AWS) website, AWS is a certified PCI-DSS 3.2 Level 1 service provider, which is the highest level of assessment prescribed by PCI-DSS. Similar to what we discussed in the last article, an organization using AWS products and services can rely on the AWS infrastructure but still has to obtain its own PCI-DSS compliance certification. The AWS Attestation of Compliance (AOC) will assist your Qualified Security Assessor (QSA) by demonstrating that minimum security standards are maintained in the infrastructure underneath your cardholder data environment (CDE). In addition, here is a checklist to help you become compliant with the PCI-DSS standard.
1. Firewall Configuration
To start with, install, configure, and maintain a firewall to protect stored cardholder data. Ensure that your environment is deployed inside a VPC (Virtual Private Cloud) with proper segregation into public subnets (DMZ zones) and private subnets. You can also deploy Unified Threat Management (UTM) tools in the public subnets, i.e. the DMZ zones, for an additional layer of protection. Any change to the network configuration or to any of these tools must go through a formal change-management process.
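In AWS the firewall rules of this step are security groups, and the segregation is only as good as their ingress rules. The following is an added example (not code from the original article or from AWS) that reviews a trimmed, constructed sample of `aws ec2 describe-security-groups` output against a simple segmentation policy: groups in the private (CDE) tier must accept no traffic from public address ranges at all, and even DMZ groups must not expose administrative ports or all ports to the internet. The group IDs, names and the `tier` tag are assumptions used to mark which subnet tier a group protects.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the review needs. Group IDs, names and the "tier" tag
# are hypothetical; the tag stands in for "which subnet tier this group protects".
DESCRIBE_SECURITY_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0dmz0001", "GroupName": "dmz-web",
     "Tags": [{"Key": "tier", "Value": "public"}],
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
     ]},
    {"GroupId": "sg-0cde0002", "GroupName": "cde-db",
     "Tags": [{"Key": "tier", "Value": "private"}],
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app0003"}]},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
     ]},
    {"GroupId": "sg-0app0003", "GroupName": "cde-app",
     "Tags": [{"Key": "tier", "Value": "private"}],
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
        "UserIdGroupPairs": []}
     ]}
  ]
}
""")

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the public internet


def is_public_cidr(cidr: str) -> bool:
    """True unless the CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def tier_of(group: dict) -> str:
    """Read the (assumed) 'tier' tag; unknown tiers are treated as private below."""
    for tag in group.get("Tags", []):
        if tag["Key"] == "tier":
            return tag["Value"]
    return "unknown"


def review_security_groups(describe_output: dict) -> list:
    """Return one (group id, rule, reason) finding per ingress rule that violates the policy."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        tier = tier_of(group)
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            all_ports = proto == "-1" or lo is None
            ports = "all" if all_ports else f"{lo}-{hi}"
            # Rules that reference another security group (UserIdGroupPairs) are
            # intra-VPC and not reviewed here; only CIDR-based ingress is.
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range["CidrIp"]
                if not is_public_cidr(cidr):
                    continue
                rule = f"{proto} {ports} from {cidr}"
                if tier != "public":
                    # Private (CDE) groups must never accept traffic from public ranges.
                    findings.append((group["GroupId"], rule, "public ingress into private tier"))
                elif all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
                    # DMZ groups may expose service ports, but not everything or admin ports.
                    findings.append((group["GroupId"], rule, "admin or all-port ingress from internet"))
    return findings


if __name__ == "__main__":
    for group_id, rule, reason in review_security_groups(DESCRIBE_SECURITY_GROUPS):
        print(f"{group_id}: {rule}: {reason}")
```

Run against the sample, the review flags SSH open to the world on both the DMZ web group and the private database group, while the HTTPS rule in the DMZ and the group-to-group database rule pass. The same function can be pointed at real `describe-security-groups` JSON once the tag convention is agreed.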
2. Change the defaults
According to a Verizon report, 63% of breaches are caused by weak, stolen, or default passwords. If you are using a service provider or vendor, immediately change the default passwords they provide. Every time a service is restarted, it should prompt for a password. Unwanted scripts, packages, and services must be removed from the instances. Each instance should serve a single primary function.
3. Cardholder Data
In order to be compliant with PCI-DSS, certain measures must be taken to protect cardholders’ data. Some of those steps are:
- Stored data must be encrypted.
- Minimum card data must be stored.
- Encryption keys must be rotated at regular intervals and stored in as few locations as possible.
- Access to cardholder data must be limited to a few employees.
- Policies for retention and deletion of sensitive data must be documented and implemented.
- When cardholder data is being transmitted over the internet or public networks, it must be encrypted.
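Two of the points above, storing the minimum card data and keeping sensitive data out of places it does not belong, can be enforced in application code. The following is an added example (not code from the original article) that truncates a PAN to the first six and last four digits before storage, drops sensitive authentication data such as the CVV outright, and scans free text such as application logs for Luhn-valid card numbers so they can be found and redacted. The record and log line are constructed; the card number is the well-known 4111 1111 1111 1111 test number.

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits. Candidates are confirmed with the Luhn check.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields that PCI-DSS classes as sensitive authentication data: never stored
# after authorization, so they are dropped rather than encrypted.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "pin", "track1", "track2"}

# Constructed inputs (not real customer data).
CONSTRUCTED_RECORD = {"name": "A. Customer", "pan": "4111 1111 1111 1111",
                      "expiry": "12/24", "cvv": "123"}
CONSTRUCTED_LOG = ("2019-09-10T02:19:03Z order=20190910021903 "
                   "card=4111111111111111 status=approved")


def digits_only(value: str) -> str:
    return re.sub(r"\D", "", value)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; filters timestamps and order ids out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six (BIN) and last four only; this is the form that may be stored."""
    d = digits_only(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def mask_pan(pan: str) -> str:
    """Display form showing only the last four digits."""
    d = digits_only(pan)
    return "*" * (len(d) - 4) + d[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: no full PAN, no sensitive authentication data."""
    out = {k: v for k, v in record.items()
           if k.lower() not in SENSITIVE_AUTH_DATA and k != "pan"}
    out["pan_truncated"] = truncate_pan(record["pan"])
    return out


def find_pans(text: str) -> list:
    """Luhn-valid card numbers found in free text, e.g. a log file."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        d = digits_only(m.group(0))
        if luhn_valid(d):
            found.append(d)
    return found


def redact_pans(text: str) -> str:
    """Replace Luhn-valid card numbers in text with their masked form."""
    def _sub(m):
        d = digits_only(m.group(0))
        return mask_pan(d) if luhn_valid(d) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(sanitize_for_storage(CONSTRUCTED_RECORD))
    print(find_pans(CONSTRUCTED_LOG))
    print(redact_pans(CONSTRUCTED_LOG))
```

Note that the 14-digit order id in the constructed log line is left alone because it fails the Luhn check, while the card number is redacted. Truncation and a keyed hash of the same PAN should not be stored side by side, since the pair can narrow the search space considerably; this example stores the truncated form only.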
4. Access Restriction
This step can be divided into two parts – physical access and virtual access.
Irrespective of how strong the implemented security controls or techniques are, physical security is a vital component of information security. For example, a state-of-the-art security system is of no use if it is placed on the road outside your company’s office. Technical systems must be protected by an effective physical security system. Since your application runs on AWS, whose infrastructure is already PCI-DSS compliant, more than half of this work is already done.
For virtual access, strict identity and access management (IAM) policies shall be implemented so that access is granted only to the limited set of individuals whose job responsibilities (KRAs) cannot be fulfilled without it.
An IAM policy should clearly define which accounts can access your AWS management console. Certain clauses of an IAM policy should be –
- There shall be no shared accounts.
- Unique IDs must be created for each individual.
- 2FA must be enabled for everyone.
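The 2FA requirement above can be written into the IAM policy document itself and checked mechanically. The following is an added example (not code from the original article or from AWS) that shows a weak policy beside a hardened one and audits both: an Allow statement is flagged when it grants every action, or when nothing in the policy makes MFA mandatory. The policy documents are constructed; the condition key `aws:MultiFactorAuthPresent` and the `Bool`/`BoolIfExists` operators are real IAM syntax, and the deny-without-MFA statement follows the pattern AWS documents for forcing MFA, with a carve-out so a user can still enrol a device.

```python
import json

# Constructed example policies (hypothetical; not taken from any real account).
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowReadOnlyWithMfa",
     "Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:ListBucket", "cloudtrail:LookupEvents"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyEverythingWithoutMfa",
     "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:GetUser", "iam:ListMFADevices", "iam:ResyncMFADevice",
                   "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value) -> list:
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_flag(stmt: dict):
    """The aws:MultiFactorAuthPresent value a statement conditions on, or None."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if value is not None:
            return str(value).lower()
    return None


def _is_no_mfa_guard(stmt: dict) -> bool:
    """A Deny covering everything (Action "*" or a NotAction carve-out) when MFA is absent."""
    broad = "*" in _as_list(stmt.get("Action")) or "NotAction" in stmt
    return stmt.get("Effect") == "Deny" and broad and _mfa_flag(stmt) == "false"


def audit_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passes both checks."""
    stmts = _as_list(policy.get("Statement"))
    guarded = any(_is_no_mfa_guard(s) for s in stmts)
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "*" in _as_list(stmt.get("Action")):
            findings.append(f"{sid}: grants every action (Action \"*\")")
        if not guarded and _mfa_flag(stmt) != "true":
            findings.append(f"{sid}: allows access without an MFA condition")
    return findings


if __name__ == "__main__":
    print("weak:", audit_policy(WEAK_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
```

The hardened policy passes because the Deny statement makes MFA mandatory for the whole policy regardless of what later Allow statements say, which is more robust than remembering to add the condition to every Allow. Note that `BoolIfExists` is what makes the deny apply to long-term access keys, where the MFA key is absent rather than false.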
In addition, behavior analysis can be incorporated to detect logins and changes at unusual times.
6. Secure Development
You can develop and maintain a secure application by –
- Regularly reviewing and applying security patches.
- Checking AWS security bulletins as they are launched.
- Segregating environment for developing, staging, and testing your application.
- Adding a strong password policy to your IAM policy.
- Recording log data for every event on your AWS.
- Avoiding manual deployment and relying on automation tools.
- Performing regular audits of your environment.
7. Monitoring
Monitoring is essential for understanding network events. Apart from performing regular security audits of your AWS infrastructure, you should inspect logs to identify login events, creation and deletion of resources, etc. Further, intrusion detection systems (IDS) and intrusion prevention systems (IPS) should be deployed to monitor login events, file integrity, security events, configuration changes, etc.
8. Testing
Here, testing does not refer to testing an application under development. Performing vulnerability assessments, penetration testing, log inspection, file-integrity monitoring, etc. should be a key part of your periodic routine. To simulate real-life attacks, you can engage the external penetration testing services of a suitable service provider. Please note that you must notify AWS before conducting a penetration test.
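The log inspection described under Monitoring, together with the behaviour analysis mentioned under Access Restriction (logins and changes at unusual times), can be expressed as a handful of detection rules over CloudTrail records. The following is an added example (not code from the original article or from AWS) that runs four such rules over a constructed set of events: console logins without MFA, any use of the root account, high-impact API calls that delete resources or tamper with logging, and activity outside an assumed business-hours baseline. The events are shaped like CloudTrail records but the user names, addresses and times are made up, and the 08:00-19:59 UTC baseline is an assumption.

```python
import json
from datetime import datetime

# Constructed events in the shape of CloudTrail records (fields trimmed;
# user names, IP addresses and times are made up).
CONSTRUCTED_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2019-09-10T09:12:41Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2019-09-10T02:47:03Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2019-09-10T02:51:19Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "bob"}},
  {"eventTime": "2019-09-10T14:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}},
  {"eventTime": "2019-09-10T15:30:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.99",
   "userIdentity": {"type": "Root", "userName": "root"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
]}
""")

# API calls that delete resources or weaken logging and network controls.
HIGH_IMPACT_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs",
    "DeleteBucket", "TerminateInstances", "DeleteDBInstance",
    "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
}
BUSINESS_HOURS_UTC = range(8, 20)  # assumed baseline: 08:00-19:59 UTC


def review_events(trail: dict, business_hours=BUSINESS_HOURS_UTC) -> list:
    """Return (eventTime, user, eventName, rule) tuples for every rule an event trips."""
    findings = []
    for ev in trail["Records"]:
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ident = ev.get("userIdentity", {})
        user = ident.get("userName", ident.get("type", "unknown"))
        name = ev["eventName"]
        tripped = []

        # Rule 1: successful console login without MFA.
        login_ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if name == "ConsoleLogin" and login_ok:
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                tripped.append("console login without MFA")
        # Rule 2: the root account should not be used day to day.
        if ident.get("type") == "Root":
            tripped.append("root account activity")
        # Rule 3: deletions and logging/network tampering.
        if name in HIGH_IMPACT_EVENTS:
            tripped.append("high-impact change (deletion or logging tamper)")
        # Rule 4: crude behaviour baseline, anything outside business hours.
        if when.hour not in business_hours:
            tripped.append("activity outside business hours")

        findings.extend((ev["eventTime"], user, name, rule) for rule in tripped)
    return findings


if __name__ == "__main__":
    for event_time, user, name, rule in review_events(CONSTRUCTED_TRAIL):
        print(f"{event_time} {user:<6} {name:<14} {rule}")
```

On the sample, alice's daytime MFA login and instance launch produce nothing, while bob's 02:47 login without MFA followed four minutes later by `StopLogging` produces four findings, which is the kind of sequence that should page someone. The rules are deliberately simple; in practice the business-hours baseline would be per user and the high-impact list tuned to the services in the CDE.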
9. Vulnerability Management Program
“Precaution is better than cure.”
“Better late than never.”
These two quotes fit perfectly when vulnerability management is being discussed. A good starting point is configuring antivirus software and running vulnerability scanners on your AWS environment. An efficient vulnerability management program will assist you in establishing a comprehensive framework for identifying, analyzing, and addressing the vulnerabilities in your application. On any given day, addressing a vulnerability is the better step, rather than waiting for an attacker to exploit it.
10. Information Security Policy
An information security policy is like the Bible for your organization when it comes to IT security. It must be properly documented in easy-to-understand language so that there are no ambiguities or contextual differences. As a matter of general practice, it should apply to all employees and must contain –
- Purpose, Scope, and Information Security Objectives
- Access Control Policy
- Vulnerability Management Program
- Data Classification
- Rights and Responsibilities
- Awareness and Training programs