Segmentation in the AWS Cloud – How to Reduce Your PCI DSS Scope

2. December 2020

More and more organizations rely on outsourcing processes to the “cloud” in their daily business. The best-known provider and current market leader among cloud services is the Amazon subsidiary Amazon Web Services (AWS). While there are clear advantages to switching to a cloud service provider, there are also some obstacles: Processing credit card data in a cloud shifts the PCI Scope which must be reassessed as a result. In this article, we explain how you can best secure your processes with AWS systems through segmentation and keep the scope manageable.

AWS offers a variety of services: virtual servers, databases, container orchestration and various storage options are just a few examples. These services are only connected in the background via a physical network divided into subnets and VLANs, but primarily via Software-Defined Networking (SDN). SDN enables centralized and dynamic control of the network environment, as well as flexible management of resources, making it easy to adapt AWS services to the needs arising from business processes.

But the use of different AWS services also requires a redefinition of the scope. The PCI scope refers to the areas of the system infrastructure that come into contact with the data of credit card holders, for example through storage, transmission or processing. All systems or services located within the scope must be PCI DSS compliant. Systems outside the scope do not require this certification – but any interface that an in-scope system has with another system can potentially extend the scope. A too large scope not only reduces security, but also leads to high costs in certification and operation. Therefore, systems that come into contact with credit card data should be isolated where possible.

An important tool for separating systems from each other is segmentation, in which systems are isolated from each other. This isolation of certain systems within a network yields security-relevant advantages and can significantly reduce the scope of a PCI DSS assessment. AWS offers three measures for segmentation, which are used at different points and serve to secure the data traffic and keep the scope smaller:

  1. Account layer
    Accounts are collections of AWS services that are isolated from each other and initially have no connections to each other even within the same organization. One account could contain the test environment, another the databases and another all resources that process credit card data. The scope is thus limited to the last account, which is isolated from the others and thus secured.
  2. Network layer – Security groups
    Virtual Private Clouds (VPC) are isolated sections of the AWS cloud where resources can be run on a virtual network. Security groups form the security features within these VPCs and act like a host-based firewall that controls ports, sources and destinations. Network-based security rules are thus no longer centralized, as is the case with firewalls, but are controlled separately for each host system. Furthermore, the VPC connections between accounts are not transitive – there are no uncontrolled connections between the VPCs, just like with accounts.
  3. Application layer – APIs
    The connections between the AWS services or external services can be pure data connections. Thus, scoping requires controls to be set up in the application layer to prevent credit card data from being forwarded to the wrong services. APIs, i.e. program interfaces in the application layer, can be controlled centrally, e.g. via the AWS API Gateway or Lambda services, since these are already certified by AWS PCI DSS and are used as a tool for segmentation.

The presented means for segmentation when using the AWS Cloud are effective means to ensure that all processes are PCI DSS compliant, even after a change.

For a comprehensive introduction to this topic, we recommend watching our usd webinar “PCI DSS Scoping in the AWS Cloud” in German or English on our YouTube channel.

Do you need assistance in identifying or reducing your PCI DSS scope in the cloud? Contact us, we are happy to help.

Also interesting: