Making sure you’re PCI compliant in Amazon Web Services
We recently published some information on PCI Compliance in the Cloud, highlighting how Dome9 can help with several sections of the PCI DSS regulation for cloud computing.
As a follow up, we thought we’d dive a bit deeper into how this applies within AWS EC2 & VPC, specifically – arguably the most widely used cloud computing platforms on the market today.
First of all, we have to tip our hat to Amazon Web Services team and give them much deserved credit. They’ve built a tremendous platform rich with security controls, so by no means is this post meant to diminish that in any way. In fact, we’ve written a paper on AWS EC2 & VPC security, which you can read here.
Compliance, however, is about how you – the user – implement policy and controls, so the focus here is on how you, the AWS customer create, manage, monitor, and enforce good policy for PCI compliance in AWS EC2 and VPC.
Access Controls for PCI Compliance in AWS
Most folks think encryption when they think of PCI. And, certainly, if you’re not encrypting your CCNs / PANs, you’re not in compliance. But while encryption is a critical component to PCI DSS (section 3, specifically), policy, monitoring, access controls, etc. are too.
AWS IAM provides controls for access management to your EC2 and VPC console, which helps check off part of the requirements of PCI DSS. But these controls are limited to the AWS resources – not your servers and applications, where PCI compliance is arguably most critical. So, when it comes to access to your instances, where your applications and data live, you also need to ensure you’ve got the proper set of access controls.
Don’t let, for example, vendors and employees have unfettered SSH, RDP, SQL, etc. access to your servers. Most people leave these services open and restrict access based on credentials. But doing so leaves them open to the world, and just about anyone (employee, partner, or not) can attempt to access your machines. Worse yet, the bad guys can easily exploit vulnerabilities in the protocol (see our post on the Morto worm) to gain access without ever having to enter a username and password. So, make sure you implement strong user access controls for each individual or group of instances, and set your policy to close administrative ports on your servers at all times and open them only when, for whom, and for as long as is needed.
AWS Security Groups do a nice job of letting you configure what services are open and closed, and for what IP addresses. There are limits, however, and the larger your infrastructure gets the more cumbersome it is to manage and keep organized. Inevitably, you’ll have gaps. Moreover, if you place service and port-level restrictions in your policies, you may end up unnecessarily managing IAM repeatedly. There are terrific ways to streamline this process through technology.
With Dome9 SecOps for AWS, for example, you can configure dynamic access, on-demand… click the Dome9 Get Access button and instantly your port (e.g., 3306 for SQL) is open for your IP address for the next hour. This alleviates the need to manage IAM in AWS for the users that need access only to your instances, and not your infrastructure management. What’s more, you can centralize and automate your security group management across multiple AWS regions. Together, this helps satisfy PCI DSS 2.2, 7.1, 7.2, and 8.5.6.
Monitoring Users and Policy for PCI Compliance in AWS
We jumped ahead pretty quickly into access controls. Let’s now back up to cover policy and monitoring – sections 1, 10, and 11 of the PCI regulation, which are more focused on policy, configuration, and monitoring, respectively.
As mentioned, AWS Security Groups let you configure your firewall policy for groups of instances. What it lacks, however – which is critical to PCI compliance, is the ability to:
1) Display your policy configuration across all EC2 and VPC regions, and alert you to any potential misconfigurations. (sections 1.1, 1.2, 1.3, 11.2, etc.);
2) Retain an audit trail of all policy changes, and store those independently of the infrastructure so they can’t be altered (sections 10.1, 10.2, 10.5, etc.); and
3) Link access to instances to individual users, and log their activity as well as any policy changes. (sections 10.1, 10.2, 10.3, etc.).
If you’re serious about PCI compliance in AWS EC2 and/or VPC, you need to be able to do the three items above.
Dome9 for AWS PCI Compliance
Dome9 SecOps for AWS provides advanced security and compliance controls for AWS EC2 and VPC. Dome9’s SecOps service includes:
- ➢ Compliance auditing, independently recording policy, access, and configuration changes across your entire AWS infrastructure.
- ➢ Centralized policy management for your entire cloud, with controls to map user access privileges to only authorized instances.
- ➢ Tamper and vulnerability protection with intelligent alerting for misconfigured systems and unauthorized access and policy edits.
- ➢ Dynamic access controls with time-based leasing for employees and vendors, coupled with full auditing for PCI compliance reporting.
To learn more about Dome9 for a PCI compliance cloud, visit our PCI Compliance page at http://www.dome9.com/security-challenges/pci-cloud-compliance