reference deployment

Standardized Architecture for PCI DSS Compliance on AWS

Deploy an AWS architecture that helps support Payment Card Industry requirements

This Quick Start sets up an AWS Cloud environment that provides a standardized architecture for Payment Card Industry (PCI) Data Security Standard (DSS) compliance. PCI DSS helps ensure that companies maintain a secure environment for storing, processing, and transmitting credit card information. The Quick Start relies on the requirements of PCI DSS version 3.2.1.

The templates in the Quick Start automatically configure the AWS resources and deploy a multi-tier, Linux-based web application in a few simple steps. The Quick Start includes a main template for initial setup and three optional templates for additional customization.

The Quick Start also includes a security controls reference (Microsoft Excel spreadsheet), which shows how the Quick Start components and configuration map to PCI DSS controls.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused architecture solutions to help Managed Service Providers (MSPs), cloud provisioning teams, developers, integrators, and information security teams follow strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.


This Quick Start was developed by AWS technical consultants and solutions architects.

This Quick Start supports the AWS GovCloud (US) Region.
  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  Resources
  •  What you'll build
  • Use the main template in this Quick Start to build a cloud architecture that supports PCI DSS requirements. The main.template.yaml deployment includes the following components and features:

    • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
    • PCI-compliant password policy.
    • Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
    • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances for troubleshooting and systems administration activities.
    • Network access control list (network ACL) rules to filter traffic.
    • Standard security groups for EC2 instances.

    Separate templates provide the following features:

    • Centralized logging, monitoring, and alerts using AWS CloudTrail, AWS CloudWatch, and, optionally, AWS Config rules.
    • An Amazon Relational Database Service (Amazon RDS) cluster.
    • Web application architecture, with three-tier Linux web application using Auto Scaling and an Application Load Balancer, and AWS WAF, are provided by separate templates.

    For more information, see the deployment guide.

  •  How to deploy
  • Before you deploy the Quick Start, you need to confirm that your AWS account is set up correctly by checking quota limits and SSH key pairs, and setting up AWS Config, where available. You can then build your standardized PCI DSS environment, using all four templates, in less than an hour by following the instructions in the deployment guide. The deployment process includes these steps:

    1. Sign in to your AWS account at
    2. Begin by launching the main.template.yaml template. The deployment takes about 30 minutes. You can choose from two options:
    3. Launch any additional templates. For details and links, see the deployment guide.
    4. Test your deployment by connecting to the WordPress site built by the Quick Start.

    The Quick Start is modular and customizable. It includes nested AWS CloudFormation templates that automate deploying and configuring resources for IAM, logging, production VPC, management VPC, AWS Config rules, NAT, Amazon RDS, and the web application. You can deploy the entire architecture, or customize or omit resources.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type and storage, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using or the AWS Pricing Calculator. Prices are subject to change.

    Tip     After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.
  •  Resources
  • AWS Partner Network (APN) partners provide resources to help deploy this AWS Quick Start. You can view offers and learn about use cases where this Quick Start has been deployed.