© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architect proper segmentation for PCI DSS workloads on AWS
GRC306
Avik Mukherjee, Senior Consultant, AWS Professional Services, Amazon Web Services
Aditya Patel, Security Architect, AWS Professional Services, Amazon Web Services
Goals
Understand PCI guidance on scoping and segmentation
Learn how to apply the guidance on AWS
Learn how to validate segmentation boundaries
Data Security Standard (DSS)
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
PCI DSS—requirements
PCI DSS Requirement 0. Define scope and segmentation boundaries
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
PCI DSS scope
People, processes, and technologies that can impact the security of CHD
Defined by the entity
Validated by the assessor (QSA/ISA)
Is required to meet all applicable PCI DSS controls
Why segmentation?
[Diagram: an organization split into in-scope and out-of-scope systems]
1. Reduce the security surface area
2. Reduce the compliance overhead
Pro tip! Segmentation is one way of reducing PCI DSS scope; others include using P2PE solutions, PTS devices, and outsourcing CHD handling functions.
PCI scoping and segmentation guidance
CDE systems
Connected-to or security-impacting systems:
• have filtered direct or indirect network connectivity to CDE systems, and/or
• affect the configuration and security of CDE systems, and/or
• support PCI DSS requirements
Out-of-scope systems
Source: Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation, published Dec. 2016
on AWS
Unique AWS Cloud characteristics
Shared responsibility model
Security of the cloud & security in the cloud
Virtualization of traditional network—SDN
Elasticity
Abstracted services and API-based infrastructure
Automation
Hybrid infrastructure
Communication layers on AWS
“The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE.” (Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation)
Communication on AWS
• Network layer (Layer 3-4): primarily for AWS infrastructure services
• Application layer (Layer 7): primarily for AWS containerized and abstracted services
Infrastructure vs. containerized vs. abstracted services

                                 | Infrastructure                                       | Containerized                             | Abstracted
AWS services                     | Amazon EC2, Amazon ECS, Amazon EKS                   | Amazon RDS, AWS Fargate                   | AWS Lambda, Amazon S3
Client responsibility (security) | Guest OS + network isolation + logical access + data | Network isolation + logical access + data | Logical access + data
Connectivity                     | Network                                              | Network + application                     | Application
Segmentation                     | Network isolation                                    | Network isolation + data control          | Data control
PCI DSS scope identification—decision flow
[Diagram: decision flow narrowing the full scope down to the CDE]
Reference architecture—scope
[Diagram: load balancer in front of a web application tier, an application logic tier and a database tier]
Step 1: Identify CHD data flow
[Diagram: CHD flow through the load balancer, web application tier, application logic tier and database tier]
Step 2: Identify the AWS services
Step 3: Type of AWS service
Step 3a, 3b: Identify the CDE
[Diagram: CDE boundary highlighted on the reference architecture]
Step 4: Identify the non-CDE scope
[Diagram: the CDE plus the non-CDE in-scope systems highlighted]
Final PCI DSS scope
[Diagram: final scope boundary containing the CDE]
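The four scoping steps above, run as code over a constructed inventory. This is an added example, not the deck's or AWS's material: component names, service types and links are hypothetical and modelled on the reference architecture, and the layer-7 rule it applies (an API link brings an endpoint into scope only when CHD crosses it) is the data-driven rule the deck states for abstracted services.

```python
"""PCI DSS scope classifier following the deck's decision flow (added example).

Not AWS code. Components, names and links below are hypothetical and modelled
on the reference architecture in the slides. Rules as the slides state them:
  step 1/3a-3b  anything that stores, processes or transmits CHD is CDE
  layer 7       an API link pulls an endpoint into scope only if CHD crosses
                it, in which case that endpoint is CDE (data-driven scoping)
  step 4        a component with network-layer connectivity to a CDE
                component, or one that affects CDE security / supports a
                PCI DSS requirement, is connected-to (in scope, not CDE)
  otherwise     out of scope
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    service_type: str                 # infrastructure | containerized | abstracted
    handles_chd: bool = False         # stores, processes or transmits CHD
    security_impacting: bool = False  # logging, security tooling, CI/CD, ...


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    layer: str                        # "network" (L3-4) or "api" (L7)
    carries_chd: bool = False         # only meaningful for API links


def classify(components, links):
    """Return {name: "CDE" | "connected-to" | "out-of-scope"} for every component."""
    kind = {c.name: c.service_type for c in components}
    for link in links:
        for end in (link.src, link.dst):
            if end not in kind:
                raise ValueError(f"link references unknown component {end!r}")
            # Abstracted services expose no customer-controlled network (slides:
            # network isolation is AWS's responsibility), so only API links apply.
            if link.layer == "network" and kind[end] == "abstracted":
                raise ValueError(f"{end} is abstracted; model its connectivity as an API link")

    cde = {c.name for c in components if c.handles_chd}
    for link in links:                # data-driven scoping at layer 7
        if link.layer == "api" and link.carries_chd:
            cde.update((link.src, link.dst))

    connected = set()
    for link in links:                # direct network connectivity to the CDE
        if link.layer == "network":
            if link.src in cde and link.dst not in cde:
                connected.add(link.dst)
            if link.dst in cde and link.src not in cde:
                connected.add(link.src)
    # Indirect connectivity (through a proxy or jump host) must be modelled as a
    # link to the CDE component it reaches; this example does not chase it.
    connected.update(c.name for c in components
                     if c.security_impacting and c.name not in cde)

    return {n: "CDE" if n in cde else "connected-to" if n in connected
            else "out-of-scope" for n in kind}


# Constructed inventory: the deck's three tiers behind a load balancer in the CDE
# account, the API-layer pieces, and a few components around them.
COMPONENTS = [
    Component("alb", "containerized", handles_chd=True),
    Component("web-tier-ec2", "infrastructure", handles_chd=True),
    Component("app-tier-ec2", "infrastructure", handles_chd=True),
    Component("db-rds", "containerized", handles_chd=True),
    Component("chd-lambda", "abstracted", handles_chd=True),
    Component("orders-sqs", "abstracted"),              # CHD transits it (link below)
    Component("catalog-dynamodb", "abstracted"),        # no CHD exchanged
    Component("bastion-ec2", "infrastructure"),         # admin path into the web tier
    Component("logging-account", "abstracted", security_impacting=True),
    Component("marketing-ec2", "infrastructure"),       # separate VPC, no connectivity
]
LINKS = [
    Link("alb", "web-tier-ec2", "network"),
    Link("web-tier-ec2", "app-tier-ec2", "network"),
    Link("app-tier-ec2", "db-rds", "network"),
    Link("bastion-ec2", "web-tier-ec2", "network"),
    Link("chd-lambda", "orders-sqs", "api", carries_chd=True),
    Link("chd-lambda", "catalog-dynamodb", "api", carries_chd=False),
]

if __name__ == "__main__":
    for name, scope in sorted(classify(COMPONENTS, LINKS).items()):
        print(f"{name:18} {scope}")
```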
Segmentation on AWS
[Diagram: segmentation layers on AWS: AWS account, network layer, application layer]
Segmentation on AWS—AWS account layer
Highest level of segmentation within AWS
All resources are logically isolated from other AWS accounts
Isolation is by design, so it carries no validation burden
Use AWS Organizations and service control policies (SCPs)
Lowest segmentation boundary is an AWS account
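As an added example (not from the deck or AWS) of using SCPs at the account layer, the policy below is meant for the PCI OU that holds Accounts D and E and lets only an infrastructure-as-code deployment role touch the controls that define a segmentation boundary. The role name pci-iac-deploy is hypothetical; every other principal in the OU, the root user included, is denied these calls.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SegmentationControlsChangeOnlyViaIacRole",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:CreateTransitGatewayVpcAttachment"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/pci-iac-deploy"
        }
      }
    }
  ]
}
```

Attach it to the OU rather than to an individual account so that a newly created PCI account inherits it.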
Reference architecture—multi-account
[Diagram: Org Master with a Core OU, a PCI OU and a Non-PCI OU; accounts: Account A Shared Services, Account B Logging, Account C Security, Account D Connected-to, Account E CDE Systems, Account F Out of Scope]
Segmentation on AWS—network layer
Use security groups as segmentation boundaries
A security group acts as a stateful virtual firewall that controls network traffic at the instance level
The default rules do not meet PCI DSS requirements: all outbound traffic is allowed
Additionally, third-party host-based/network firewalls can also be used
Lowest segmentation boundary is an elastic network interface (ENI)
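To show how the default allow-all outbound rule and cross-scope rules would surface in a security group review, here is an added audit script (not from the deck or AWS). It runs offline over a constructed list in the shape EC2 DescribeSecurityGroups returns; the group ids, the connected-to CIDR and the public-ingress exception for the load balancer are hypothetical.

```python
"""Security group audit for network-layer segmentation (added example, not AWS code).

Input has the shape of the SecurityGroups list returned by EC2
DescribeSecurityGroups; the sample below is constructed and nothing calls AWS.
Group ids, the connected-to CIDR and the public-ingress exception are hypothetical.
Findings (group id, finding, peer, from-port):
  OPEN_EGRESS                egress to 0.0.0.0/0 or ::/0, the default outbound
                             rule the slides note does not meet PCI DSS
  EGRESS_TO_OUT_OF_SCOPE     an in-scope group may send to an out-of-scope peer
  INGRESS_FROM_OUT_OF_SCOPE  an in-scope group admits an out-of-scope peer
"""
import ipaddress

IN_SCOPE_GROUPS = {"sg-lb", "sg-cde-web", "sg-cde-app", "sg-cde-db"}
IN_SCOPE_CIDRS = [ipaddress.ip_network("10.10.0.0/16")]  # connected-to VPC (Account D)
PUBLIC_INGRESS = {("sg-lb", 443)}   # the internet-facing load balancer takes 443 from anywhere
ANY = {"0.0.0.0/0", "::/0"}


def _peers(perm):
    """Yield ("group", id) or ("cidr", cidr) for every peer in one rule entry."""
    for pair in perm.get("UserIdGroupPairs", []):
        yield "group", pair["GroupId"]
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    # PrefixListIds are not modelled here.


def _in_scope(kind, peer):
    if kind == "group":
        return peer in IN_SCOPE_GROUPS
    net = ipaddress.ip_network(peer)
    return any(net.version == a.version and net.subnet_of(a) for a in IN_SCOPE_CIDRS)


def audit(security_groups):
    """Return a list of (group id, finding, peer, from-port) tuples."""
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissionsEgress", []):
            port = perm.get("FromPort")              # None for protocol "-1" (all)
            for kind, peer in _peers(perm):
                if kind == "cidr" and peer in ANY:  # checked for every group
                    findings.append((gid, "OPEN_EGRESS", peer, port))
                elif gid in IN_SCOPE_GROUPS and not _in_scope(kind, peer):
                    findings.append((gid, "EGRESS_TO_OUT_OF_SCOPE", peer, port))
        if gid not in IN_SCOPE_GROUPS:
            continue
        for perm in sg.get("IpPermissions", []):
            port = perm.get("FromPort")
            for kind, peer in _peers(perm):
                if kind == "cidr" and peer in ANY and (gid, port) in PUBLIC_INGRESS:
                    continue                         # documented public entry point
                if not _in_scope(kind, peer):
                    findings.append((gid, "INGRESS_FROM_OUT_OF_SCOPE", peer, port))
    return findings


# Constructed sample: a CDE with the default outbound rule left on the web tier,
# a bastion from a shared-services account allowed in, and a stray database CIDR.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-lb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "UserIdGroupPairs": [{"GroupId": "sg-cde-web"}]}]},
    {"GroupId": "sg-cde-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "UserIdGroupPairs": [{"GroupId": "sg-shared-bastion"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-cde-app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "UserIdGroupPairs": [{"GroupId": "sg-cde-web"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                              "UserIdGroupPairs": [{"GroupId": "sg-cde-db"}]},
                             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "UserIdGroupPairs": [{"GroupId": "sg-metrics"}]}]},
    {"GroupId": "sg-cde-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-cde-app"}],
                        "IpRanges": [{"CidrIp": "10.10.0.0/24"}, {"CidrIp": "10.99.0.0/16"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SECURITY_GROUPS):
        print(finding)
```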
Reference architecture―network layer
[Diagram: Account E – CDE VPC peered with Account D – Connected-to VPC; each VPC spans Availability Zone 1 and Availability Zone 2, with security groups separating in-scope instances from out-of-scope resources]
Segmentation on AWS―application layer (layer 7)
Network isolation is by design (AWS responsibility)
Scoping = data driven
If two API endpoints exchange CHD, they are in scope; otherwise they are not
Segmentation = application driven
Application logic should ensure segmentation (because of abstraction)
Lowest segmentation boundary is the application logic
Reference architecture―API layer
[Diagram: Account E―CDE and Account D―Connected-to, each with a VPC; a Lambda function handling CHD, Amazon Simple Queue Service (Amazon SQS) and Amazon DynamoDB]
1. Hybrid environments―scoping
PCI scope spread over on-premises data center and AWS Cloud
[Diagram: the corporate data center and the AWS Cloud each containing CDE, connected-to/security-impacting and out-of-scope systems]
Pro tip! For defense in depth, use multiple layers of segmentation boundaries
2. Custom application APIs
Use Amazon API Gateway for segmentation between CDE resources and custom APIs (non-PCI-validated services)
Provides connection brokerage (it is like a jump host)
Pro tip! API Gateway provides additional security benefits such as custom authentication and authorization, retrofitting to a microservices architecture, API life cycle management, and attaching a WAF
2. Segmentation using API Gateway
[Diagram: API Gateway brokers between Account E—CDE (PCI DSS in-scope systems in a VPC in the AWS Cloud) and Custom App1 / Custom App2 in the corporate data center; behind API Gateway sit Lambda, other supported AWS services, and an endpoint on Amazon EC2/AWS Elastic Beanstalk]
3. Microservices—network layer segmentation
Amazon ECS—run containerized applications
Launch type—Amazon EC2 instance or AWS Fargate
Amazon EC2 launch type—group into one or more related clusters
Fargate launch type—group into one or more related tasks
Use security groups for cluster and task isolation
Segmentation control validation
PCI DSS requirement 11.3.4—perform penetration testing at least annually (every six months for service providers) and after any changes to segmentation controls.
Information Supplement: Penetration Testing Guidance
“It should verify that all out-of-scope LANs truly have no access to the CDE.”
“Each unique segmentation methodology should be tested to ensure that all security controls are functioning as intended.”
Segmentation control validation on AWS
Validation procedure for each segmentation layer:
• AWS account: validated as part of the AWS PCI DSS Level 1 service provider assessment
• AWS network (SDN): validate security group ACLs through network penetration testing (client responsibility)
• AWS API (abstracted services): validate application logic through application penetration testing (client responsibility)
• Custom API (non-PCI validated): validate both network and application logic isolation through penetration testing (client responsibility)
Penetration testing on AWS—pointers
Make sure that you understand the AWS Acceptable Use Policy.
Review the AWS Vulnerability and Penetration Testing guidelines:
• Customer Service Policy for Pen Testing
• Tips for Security Testing
• AWS Policy Regarding the Use of Security Assessment Tools and Services
AWS recommends vetting potential penetration testing vendors/third parties.
Segmentation controls—life cycle management
NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Preventive, detective, and reactive controls
Have proactive security controls to prevent any unauthorized modification of the segmentation controls
Make use of infrastructure as code, automation, and enhanced alerting capabilities
Use automated response to fix deviations
[Diagram: AWS CAF Security Perspective control categories: directive, preventive, detective, responsive]
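The detective and responsive side of this slide, as an added example (not AWS code): the script scans constructed CloudTrail records for EC2 calls that change a CDE security group, or create a VPC peering to an unapproved account, without going through the infrastructure-as-code role, and returns the parameters of the reversing call for an automated responder. Account ids, the role ARN and group ids are placeholders, and the records are constructed in the EC2 CloudTrail shape.

```python
"""Detective and responsive control for segmentation drift (added example, not AWS code).

Scans CloudTrail records for EC2 calls that alter a CDE segmentation control and
were not made by the infrastructure-as-code deployment role. Security-group
findings carry the parameters of the reversing API call so an automated responder
could revoke the rule. All identifiers are placeholders; the sample records are
constructed, not real CloudTrail output.
"""
import json

IAC_ROLE_ARN = "arn:aws:iam::111111111111:role/pci-iac-deploy"   # hypothetical
CDE_GROUPS = {"sg-cde-web", "sg-cde-app", "sg-cde-db"}           # hypothetical
APPROVED_PEER_ACCOUNTS = {"111111111111", "444444444444"}         # Account E (CDE), Account D
REVERSE_OF = {"AuthorizeSecurityGroupIngress": "RevokeSecurityGroupIngress",
              "AuthorizeSecurityGroupEgress": "RevokeSecurityGroupEgress"}


def _issuer(record):
    """The IAM role behind an assumed-role session, else the principal ARN itself."""
    ui = record.get("userIdentity", {})
    return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") or ui.get("arn", "")


def _to_ip_permissions(request):
    """Flatten CloudTrail's ipPermissions.items into the IpPermissions list a Revoke call takes."""
    perms = []
    for item in request.get("ipPermissions", {}).get("items", []):
        perm = {"IpProtocol": item["ipProtocol"]}
        if "fromPort" in item:
            perm["FromPort"], perm["ToPort"] = item["fromPort"], item["toPort"]
        cidrs = [{"CidrIp": r["cidrIp"]} for r in item.get("ipRanges", {}).get("items", [])]
        groups = [{"GroupId": g["groupId"]} for g in item.get("groups", {}).get("items", [])]
        if cidrs:
            perm["IpRanges"] = cidrs
        if groups:
            perm["UserIdGroupPairs"] = groups
        perms.append(perm)
    return perms


def evaluate(record):
    """Return a finding dict for one CloudTrail record, or None if it is benign."""
    if _issuer(record) == IAC_ROLE_ARN:
        return None                       # change came through the approved pipeline
    name = record["eventName"]
    actor = record.get("userIdentity", {}).get("arn", "")
    req = record.get("requestParameters") or {}
    if name in REVERSE_OF and req.get("groupId") in CDE_GROUPS:
        return {"event": name, "actor": actor, "group": req["groupId"],
                "remediation": {"Action": REVERSE_OF[name], "GroupId": req["groupId"],
                                "IpPermissions": _to_ip_permissions(req)}}
    if name == "CreateVpcPeeringConnection":
        peer = req.get("peerOwnerId", record.get("recipientAccountId"))   # same account if omitted
        if peer not in APPROVED_PEER_ACCOUNTS:
            pcx = (record.get("responseElements") or {}).get("vpcPeeringConnection", {})
            return {"event": name, "actor": actor, "peer_account": peer,
                    "remediation": {"Action": "DeleteVpcPeeringConnection",
                                    "VpcPeeringConnectionId": pcx.get("vpcPeeringConnectionId")}}
    return None


def scan(lines):
    """Evaluate newline-delimited JSON CloudTrail records; return the findings in order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records: one pipeline change, one manual SSH-from-anywhere rule on a
# CDE group, one peering to an unapproved account, one change outside the CDE.
SAMPLE_LOG = """
{"eventName":"AuthorizeSecurityGroupIngress","recipientAccountId":"111111111111","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/pci-iac-deploy/deploy","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111111111111:role/pci-iac-deploy"}}},"requestParameters":{"groupId":"sg-cde-web","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":443,"toPort":443,"groups":{"items":[{"groupId":"sg-lb"}]}}]}}}
{"eventName":"AuthorizeSecurityGroupIngress","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/ops-admin"},"requestParameters":{"groupId":"sg-cde-app","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventName":"CreateVpcPeeringConnection","recipientAccountId":"111111111111","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/ops-admin"},"requestParameters":{"vpcId":"vpc-cde","peerVpcId":"vpc-marketing","peerOwnerId":"666666666666"},"responseElements":{"vpcPeeringConnection":{"vpcPeeringConnectionId":"pcx-0badpeer"}}}
{"eventName":"AuthorizeSecurityGroupIngress","recipientAccountId":"666666666666","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::666666666666:user/dev"},"requestParameters":{"groupId":"sg-marketing","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":80,"toPort":80,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding, indent=2))
```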
Putting it all together
[Diagram: final scope with the CDE highlighted]
Further reading
Whitepaper: Architecting for PCI DSS Scoping and Segmentation on AWS
(https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf)
Whitepaper: AWS Security Best Practices
(https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf)
Quick Start: Standardized Architecture for PCI DSS on the AWS Cloud
(https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html)
AWS Shared Responsibility Model
(https://aws.amazon.com/compliance/shared-responsibility-model/)
Thank you!
Avik Mukherjee, mukavik@amazon.com
Aditya Patel, adityapa@amazon.com

Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Architect proper segmentation for PCI DSS workloads on AWS (GRC306)
    Avik Mukherjee, Senior Consultant, AWS Professional Services, Amazon Web Services
    Aditya Patel, Security Architect, AWS Professional Services, Amazon Web Services
  • 2. Goals
    Understand PCI guidance on scoping and segmentation
    Learn how to apply the guidance on AWS
    Learn how to validate segmentation boundaries
  • 3. (no text on this slide)
  • 4. Data Security Standard (DSS)
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
  • 5. PCI DSS—requirements
    PCI DSS Requirement 0: Define scope and segmentation boundaries
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  • 6. PCI DSS scope
    People, processes, and technologies that can impact the security of CHD
    Defined by the entity
    Validated by the assessor (QSA/ISA)
    Required to meet all applicable PCI DSS controls
  • 7. Why segmentation?
    (diagram labels: Organization, In Scope, Out of Scope)
    1. Reduce the security surface area
    2. Reduce the compliance overhead
    Pro tip! Segmentation is one way of reducing PCI DSS scope—others include using P2PE solutions, PTS devices, and outsourcing CHD handling functions
  • 8. PCI scoping and segmentation guidance
    CDE Systems
    Connected-to or Security-Impacting Systems: have filtered direct or indirect network connectivity to CDE systems, and/or affect the configuration and security of CDE systems, and/or support PCI DSS requirements
    Out-of-Scope Systems
    Source: Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation, published Dec. 2016
  • 9. on AWS
  • 10. Unique AWS Cloud characteristics
    Shared responsibility model: security of the cloud and security in the cloud
    Virtualization of the traditional network (SDN)
    Elasticity
    Abstracted services and API-based infrastructure
    Automation
    Hybrid infrastructure
  • 11. Communication layers on AWS
    "The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE." (Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation)
    Communication on AWS:
    Network layer (Layer 3-4): primarily for AWS infrastructure services
    Application layer (Layer 7): primarily for AWS containerized and abstracted services
  • 12. Infrastructure vs. containerized vs. abstracted services
    | | Infrastructure | Containerized | Abstracted |
    | AWS services | Amazon EC2, Amazon ECS, Amazon EKS | Amazon RDS, AWS Fargate | AWS Lambda, Amazon S3 |
    | Client responsibility (security) | Guest OS + network isolation + logical access + data | Network isolation + logical access + data | Logical access + data |
    | Connectivity | Network | Network + application | Application |
    | Segmentation | Network isolation | Network isolation + data control | Data control |
  • 13. PCI DSS scope identification—decision flow (diagram labels: Scope, CDE)
  • 14. Reference architecture—scope (diagram labels: Load balancer, Web application tier, Application logic tier, Database tier)
  • 15. PCI scoping and segmentation guidance (same content as slide 8)
  • 16. Step 1: Identify CHD data flow (diagram labels: Load balancer, Web application tier, Application logic tier, Database tier)
  • 17. Step 2: Identify the AWS services
  • 18. Step 3: Type of AWS service
  • 19. Step 3a, 3b: Identify the CDE (diagram label: CDE)
  • 20. PCI scoping and segmentation guidance (same content as slide 8)
  • 21. Step 4: Identify the non-CDE scope (diagram label: CDE)
  • 22. Final PCI DSS scope (diagram label: CDE)
  • 23. PCI DSS scope identification—decision flow (diagram labels: Scope, CDE)
  • 24. Segmentation on AWS
  • 25. Segmentation on AWS (diagram labels: Network Layer, Application Layer)
  • 26. Segmentation on AWS—AWS account layer
    Highest level of segmentation within AWS
    All resources are logically isolated from other AWS accounts
    Isolation is by design, so it carries no validation burden
    Use AWS Organizations and service control policies (SCPs)
    Lowest segmentation boundary is an AWS account
  • 27. Reference architecture—multi-account (diagram labels: Org Master; Core OU, PCI OU, Non-PCI OU; Account A Shared Services, Account B Logging, Account C Security, Account D Connected-to, Account E CDE Systems, Account F Out of Scope)
  • 28. Segmentation on AWS (diagram labels: AWS Account, Application Layer)
  • 29. Segmentation on AWS—network layer
    Use security groups as segmentation boundaries
    A security group acts as a stateful virtual firewall that controls network traffic at the instance level
    The default configuration does not meet PCI DSS requirements: outbound connections are open
    Additionally, third-party host-based or network firewalls can also be used
    Lowest segmentation boundary is an elastic network interface (ENI)
  • 30. Reference architecture—network layer (diagram labels: Account E – CDE VPC and Account D – Connected-to VPC joined by VPC Peering; each virtual private cloud spans Availability Zone 1 and Availability Zone 2 with security groups; legend: In-scope instances, Out-of-scope resources)
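A check of the network-layer boundary from slides 29 and 30, as an added example that is not from the deck or from AWS: it audits DescribeSecurityGroups output for the default allow-all egress rule and for rules that reach outside the CDE and connected-to address space. The CIDRs, the pci-scope tag, the group IDs and the sample groups are constructed assumptions.

```python
"""Audit AWS security groups used as PCI DSS segmentation boundaries.

Added example, not from the deck. It checks a DescribeSecurityGroups result
(constructed sample below) against two points from the slides: the default
allow-all outbound rule does not meet PCI DSS, and CDE groups should only
reach CDE or connected-to address space. CIDRs, tag and group IDs are assumed.
"""
import ipaddress

# Assumed address plan: CDE VPC in account E, connected-to VPC in account D
# (peered, as in the reference architecture). Anything else is out of scope.
CDE_CIDR = ipaddress.ip_network("10.10.0.0/16")
CONNECTED_TO_CIDR = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_PEERS = [CDE_CIDR, CONNECTED_TO_CIDR]
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def _cidr_findings(perm, direction):
    """Yield a finding for each CIDR in one IpPermissions entry that reaches
    outside the CDE and connected-to address space."""
    proto = perm.get("IpProtocol", "-1")
    ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
    for rng in perm.get("IpRanges", []):
        net = ipaddress.ip_network(rng["CidrIp"])
        if net == ANY_V4:
            yield f"{direction} to any ({proto}/{ports})"
        elif not any(net.subnet_of(allowed) for allowed in ALLOWED_PEERS):
            yield f"{direction} crosses segmentation boundary: {net} ({proto}/{ports})"


def audit_security_group(sg):
    """Return the findings for one security group dict (DescribeSecurityGroups
    shape). Group-to-group references (UserIdGroupPairs) are not flagged here:
    they stay within the VPC or its peering connections and are reviewed separately."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        findings.extend(_cidr_findings(perm, "ingress"))
    for perm in sg.get("IpPermissionsEgress", []):
        findings.extend(_cidr_findings(perm, "egress"))
    return findings


def audit_cde_groups(groups):
    """Audit only groups tagged as CDE boundaries; returns {GroupId: findings}."""
    report = {}
    for sg in groups:
        tags = {t["Key"]: t["Value"] for t in sg.get("Tags", [])}
        if tags.get("pci-scope") == "cde":
            report[sg["GroupId"]] = audit_security_group(sg)
    return report


# Constructed sample: a CDE group still carrying the default allow-all egress
# rule, a tightly scoped CDE group, and an out-of-scope group that is skipped.
SAMPLE_GROUPS = [
    {"GroupId": "sg-cde-db", "Tags": [{"Key": "pci-scope", "Value": "cde"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.10.2.0/24"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-cde-app", "Tags": [{"Key": "pci-scope", "Value": "cde"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                              "IpRanges": [{"CidrIp": "10.10.3.0/24"}]}]},
    {"GroupId": "sg-corp-web", "Tags": [{"Key": "pci-scope", "Value": "out-of-scope"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for group_id, findings in audit_cde_groups(SAMPLE_GROUPS).items():
        print(group_id, "OK" if not findings else findings)
```

Running the audit against a live account means feeding it the `SecurityGroups` list returned by `describe-security-groups`; the same checks apply unchanged.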
  • 31. Segmentation on AWS (diagram labels: AWS Account, Network Layer)
  • 32. Segmentation on AWS—application layer (layer 7)
    Network isolation is by design (AWS responsibility)
    Scoping = data driven: if two API endpoints exchange CHD, they are in scope; otherwise they are not
    Segmentation = application driven: application logic should ensure segmentation (because of abstraction)
    Lowest segmentation boundary is the application logic
  • 33. Reference architecture—API layer (diagram labels: Account E—CDE, Account D—Connected-to, each with a virtual private cloud; Lambda function handling CHD, Amazon Simple Queue Service (Amazon SQS), Amazon DynamoDB)
  • 34. (no text on this slide)
  • 35. 1. Hybrid environments—scoping
    PCI scope spread over an on-premises data center and the AWS Cloud
    (diagram labels: Corporate data center and AWS Cloud, each with CDE, Connected to/Security Impacting, and Out of Scope)
    Pro tip! For defense in depth, use multiple layers of segmentation boundaries
  • 36. 2. Custom application APIs
    Use Amazon API Gateway for segmentation between CDE resources and custom APIs (non–PCI validated services)
    Provides connection brokerage (it is like a jump host)
    Pro tip! API Gateway provides additional security benefits such as custom authentication and authorization, retrofitting to a microservices architecture, API life cycle management, and attaching a WAF
  • 37. 2. Segmentation using API Gateway (diagram labels: API Gateway*, Lambda, Other supported AWS services, Endpoint on Amazon EC2/AWS Elastic Beanstalk, VPC, Account E—CDE, PCI DSS in-scope systems, Custom App1, Custom App2, Corporate data center, AWS Cloud)
  • 38. 3. Microservices—network layer segmentation
    Amazon ECS: run containerized applications
    Launch type: Amazon EC2 instance or AWS Fargate
    Amazon EC2 launch type: group into one cluster or into related clusters
    Fargate launch type: group into one task or into related tasks
    Use security groups for cluster and task isolation
  • 39. (no text on this slide)
  • 40. Segmentation control validation
    PCI DSS requirement 11.3.4: perform penetration testing at least annually (biannually for service providers) and after any changes to segmentation controls
    Information Supplement: Penetration Testing Guidance: "It should verify that all out-of-scope LANs truly have no access to the CDE." "Each unique segmentation methodology should be tested to ensure that all security controls are functioning as intended."
  • 41. Segmentation control validation on AWS
    | Segmentation validation | Client responsibility | Validation procedure |
    | AWS account | (not captured) | Validated as part of the AWS PCI DSS Level 1 service provider assessment |
    | AWS network (SDN) | (not captured) | Validate security group ACLs through network pen testing |
    | AWS API (abstracted services) | (not captured) | Validate application logic through application pen testing |
    | Custom API (non-PCI validated) | (not captured) | Validate both network and application logic isolation through pen testing |
  • 42. Penetration testing on AWS—pointers
    Make sure that you understand the AWS Acceptable Use Policy
    Review the AWS Vulnerability and Penetration Testing guidelines: Customer Service Policy for Pen Testing; Tips for Security Testing; AWS Policy Regarding the Use of Security Assessment Tools and Services
    AWS recommends vetting potential penetration testing vendors/third parties
  • 43. (no text on this slide)
  • 44. Segmentation controls—life cycle management
    Identify, Protect, Detect, Respond, Recover
    https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  • 45. Preventive, detective, and reactive controls
    Have proactive security controls to prevent any unauthorized modification of the segmentation controls
    Make use of infrastructure as code, automation, and enhanced alerting capabilities
    Use automated response to fix deviations
    (diagram labels: Directive, Preventive, Detective, Responsive; AWS CAF Security Perspective)
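The detective and responsive controls of slide 45, as an added example that is not from the deck or from AWS: it classifies CloudTrail records that change security groups serving as segmentation boundaries, treating only the infrastructure-as-code pipeline role as an approved author. The role name, the group inventory, the verdict scheme and the sample records are constructed assumptions.

```python
"""Detect and classify changes to PCI segmentation controls from CloudTrail.

Added example, not from the deck. Scans CloudTrail records (constructed sample
below) for EC2 calls that change security groups marked as segmentation
boundaries: changes by the approved IaC pipeline role are expected, anything
else is a deviation to alert on or revert. Role, inventory, records are assumed.
"""
import json

# Assumed: only the IaC pipeline role may change segmentation controls.
APPROVED_ROLE = "PciSegmentationPipelineRole"
# Assumed inventory of security groups that are PCI segmentation boundaries.
SEGMENTATION_GROUPS = {"sg-cde-db", "sg-cde-app"}
# EC2 calls that widen a group's rules, mapped to the call that undoes them.
UNDO_CALL = {"AuthorizeSecurityGroupIngress": "RevokeSecurityGroupIngress",
             "AuthorizeSecurityGroupEgress": "RevokeSecurityGroupEgress"}
# Revoke* calls narrow the boundary but are still tracked: a removed rule
# can break a required CHD flow.
NARROWING_EVENTS = {"RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}


def _caller_role(record):
    """Name of the IAM role behind an AssumedRole session, or None."""
    session = record.get("userIdentity", {}).get("sessionContext", {})
    return session.get("sessionIssuer", {}).get("userName")


def classify(record):
    """Return (groupId, verdict) or None when the record is irrelevant.
    Verdicts: 'expected' (pipeline role), 'revert' (unapproved widening),
    'alert' (unapproved narrowing)."""
    name = record.get("eventName")
    if name not in UNDO_CALL and name not in NARROWING_EVENTS:
        return None
    group_id = record.get("requestParameters", {}).get("groupId")
    if group_id not in SEGMENTATION_GROUPS:
        return None
    if _caller_role(record) == APPROVED_ROLE:
        return group_id, "expected"
    return group_id, "revert" if name in UNDO_CALL else "alert"


def revert_call(record):
    """EC2 call that undoes an unapproved widening, with the parameters
    CloudTrail captured for the original call (shape assumed), for the
    automated responder to replay as a Revoke* request."""
    return UNDO_CALL[record["eventName"]], record.get("requestParameters", {})


def scan(records):
    """Classify every record; returns [(eventID, groupId, verdict), ...]."""
    results = []
    for rec in records:
        verdict = classify(rec)
        if verdict:
            results.append((rec["eventID"], *verdict))
    return results


# Constructed sample trail: a pipeline change, a developer opening a CDE
# group from the console, and a change to an out-of-scope group.
SAMPLE_TRAIL = json.loads("""[
 {"eventID": "e1", "eventName": "AuthorizeSecurityGroupEgress",
  "userIdentity": {"type": "AssumedRole", "sessionContext":
   {"sessionIssuer": {"userName": "PciSegmentationPipelineRole"}}},
  "requestParameters": {"groupId": "sg-cde-app"}},
 {"eventID": "e2", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "AssumedRole", "sessionContext":
   {"sessionIssuer": {"userName": "DeveloperRole"}}},
  "requestParameters": {"groupId": "sg-cde-db"}},
 {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-corp-web"}}
]""")
```

In a deployment the same logic would sit behind an EventBridge rule on the EC2 API events so that a "revert" verdict triggers the Revoke* call and an "alert" verdict opens a ticket.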
  • 46. (no text on this slide)
  • 47. Putting it all together (diagram labels: Scope, CDE)
  • 48. Further reading
    Whitepaper: Architecting for PCI DSS Scoping and Segmentation on AWS (https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf)
    Whitepaper: AWS Security Best Practices (https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf)
    Quick Start: Standardized Architecture for PCI DSS on the AWS Cloud (https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html)
    AWS Shared Responsibility Model (https://aws.amazon.com/compliance/shared-responsibility-model/)
  • 49. Thank you!
    Avik Mukherjee, mukavik@amazon.com
    Aditya Patel, adityapa@amazon.com