AWS Security Blog

Now Available: PCI DSS Quick Start for Deploying PCI DSS In-Scope Workloads


Released today, the PCI DSS Quick Start includes learnings from AWS field teams that have migrated and deployed workloads that are in scope for Payment Card Industry Data Security Standard (PCI DSS) compliance. The AWS CloudFormation templates and scripts included in this Quick Start can help you build a standardized environment that supports compliance with the applicable PCI DSS controls. A deployment guide with detailed instructions for deployment and configuration is also included in the Quick Start.

PCI DSS version 3.1 was used as the baseline during the creation of this Quick Start. The included CloudFormation templates use nested stacks to build independent stacks for the global, network, access, and application portions of the architecture.

The first guide in the AWS Enterprise Accelerator – Compliance series targeted organizations that follow the National Institute of Standards and Technology (NIST) 800-53 standards. In the NIST series, we identified positive enterprise patterns and included foundational elements that can kick-start you when deploying regulated workloads. Features such as an Amazon S3 bucket for storing AWS CloudTrail logs and a read-only AWS Identity and Access Management (IAM) role to support visibility for the security teams were included in NIST Quick Start templates so that customers could build their technical security controls on top of these pre-built constructs.

The PCI DSS Quick Start builds on the core CloudFormation templates and adds configurations such as a “write once, read many” S3 bucket policy for the S3 bucket that stores PCI-specific logs. The PCI DSS Quick Start also includes other modifications based on customer feedback, as well as patterns for the most common use cases.
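As an added illustration of the “write once, read many” log bucket pattern (constructed for this post, not taken from the Quick Start's own templates), the CloudFormation fragment below lets CloudTrail deliver log objects into a versioned bucket while denying every principal the ability to delete objects or versions, weaken versioning, or expire logs through lifecycle rules. The logical resource names are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Constructed example of a write-once, read-many CloudTrail log bucket
Resources:
  PciLogBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      # Versioning turns any overwrite into a new version; earlier versions stay readable
      VersioningConfiguration:
        Status: Enabled
  PciLogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PciLogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # CloudTrail checks the bucket ACL before it starts delivering logs
          - Sid: AllowCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt PciLogBucket.Arn
          # CloudTrail may add log objects under this account's prefix, and only
          # with an ACL that leaves the bucket owner in full control
          - Sid: AllowCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${PciLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
          # Write-once enforcement: no IAM principal may delete log objects or
          # versions, suspend versioning, or attach lifecycle rules that expire logs
          - Sid: DenyDeletionAndWeakening
            Effect: Deny
            Principal: '*'
            Action:
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:PutBucketVersioning
              - s3:PutLifecycleConfiguration
            Resource:
              - !GetAtt PciLogBucket.Arn
              - !Sub '${PciLogBucket.Arn}/*'
```

The explicit Deny binds IAM users and roles in the account, but the account root user can still remove the bucket policy, so protecting root credentials remains part of the control.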

The core concepts and the architecture of PCI DSS Quick Start are described in detail in the following resources that are included in the download:

For more information about the Quick Start series, see AWS Quick Start Reference Deployments.

Note that this PCI DSS Quick Start facilitates meeting PCI requirements that impact your AWS resources, in an automated and repeatable fashion. You still must address the controls that fall on the customer side of the Shared Responsibility Model and retain responsibility for the overall PCI DSS compliance of your PCI environment. You can read Coalfire’s detailed perspective on this topic.

If the scope of your PCI environment is enterprise scale with the accompanying complexity, and you need assistance with the implementation of the concepts presented in this Quick Start, AWS Professional Services offers a custom Compliance Playbook for PCI Workloads to help you with the AWS portion of your PCI DSS compliance program. Contact your AWS Account Manager for further information, or contact us by email.

– Balaji