
How to deal with PCI DSS compliance using AWS – Requirement 1 “Install and maintain a firewall configuration to protect cardholder data”

Based on our experience, this article explains how to deal with PCI DSS compliance using AWS (Amazon Web Services).

AWS is certified as a PCI DSS 3.2 Level 1 service provider (the highest level) and offers a Quick Start package that helps you build an environment satisfying PCI DSS requirements.

URL: https://aws.amazon.com/quickstart/architecture/compliance-pci/

The ideal network configuration diagram for AWS is as follows.


In this article, we’ll elaborate on Requirement 1, “Install a firewall and maintain a configuration to protect cardholder data.”

※ The PCI DSS version is 3.2.1.

 

  • 1.1: Establish and implement firewall and router configuration standards that include the following

    • 1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations

    • 1.1.2: Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks

    • 1.1.3: Current diagram that shows all cardholder data flows across systems and networks

    • 1.1.4: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

    • 1.1.5: Description of groups, roles, and responsibilities for management of network components

    • 1.1.6: Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

    • 1.1.7: Requirement to review firewall and router rule sets at least every six months


  • 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

    • 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

    • 1.2.2: Secure and synchronize router configuration files.

    • 1.2.3: Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

  • 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.

    • 1.3.1: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

    • 1.3.2: Limit inbound Internet traffic to IP addresses within the DMZ.

    • 1.3.3: Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

    • 1.3.4: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

    • 1.3.5: Permit only “established” connections into the network.

    • 1.3.6: Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

    • 1.3.7: Do not disclose private IP addresses and routing information to unauthorized parties.

  • 1.4: Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.

  • 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

 

1.1: Establish and implement firewall and router configuration standards that include the following

1.1.1: A formal process for approving and testing all network connections and changes to the firewall and router configurations

 

To prevent network, router, or firewall misconfigurations, you should document the process for approving and testing all connections and changes to your firewalls and routers. It is also advisable to define a rollback procedure in case a network change turns out to be incorrect.

On AWS, the following two services help with this.

 

  • Config

    • A service that records and manages when and what operation was performed on each AWS resource.

    • Security Groups are also tracked.

  • CloudFormation

    • Resources are provisioned exactly as defined, by describing the desired state of the infrastructure in a code file.

    • Reviewing that code before provisioning lets you require approval for resource changes.

    • You can provision and test a verification environment with the same configuration as production.

 

1.1.2: Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks

You need an up-to-date network diagram that shows all connections to the cardholder data environment, including wireless networks.

 

AWS does not have a service that automatically creates a network diagram, so you need to create it yourself. However, AWS provides official architecture icons, so you should use them.

There are also cloud-based drawing tools, which are fine to use as well.

URL: https://aws.amazon.com/jp/architecture/icons/

 

1.1.3: Current diagram that shows all cardholder data flows across systems and networks

The diagram must show the flow of all cardholder data that is stored, processed, or transmitted across systems and networks.

As with 1.1.2, there is no AWS service that automatically creates a data flow diagram, so you need to create it yourself.

 

1.1.4: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

Based on the documented configuration standards and network diagrams, you need to examine your network configuration to ensure that there is a firewall at each Internet connection and between the DMZ and the internal network zone.

In AWS, the firewall-equivalent settings are managed and checked through Security Groups and Network ACLs.

 

1.1.5: Description of groups, roles, and responsibilities for management of network components

You should ensure that your firewall and router configuration standards include a description of groups, roles, and responsibilities for managing network components.

 

In AWS, you manage which users are authenticated and what they are authorized to do in your system with the IAM service.

 

1.1.6: Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

Identify the services, protocols, and ports that are authorized for use but are considered insecure. Then verify that a security feature is documented for each of them, and confirm that it is implemented for each service, protocol, and port.

In AWS, firewall rules are configured in Security Groups, but there is no tool that automatically creates the documentation, so you need to create it yourself.

 

1.1.7: Requirement to review firewall and router rule sets at least every six months

You should inspect the documents related to the rule set review and interview personnel to ensure that the rule set is reviewed at least every six months.

AWS has no service specific to this, so you need to create your own review material.

 

1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

 

1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

You need to ensure that inbound and outbound traffic is limited to what is required for your cardholder data environment, and that all other traffic is denied.

In AWS, you specify the IP ranges and port numbers in the inbound and outbound rules defined in a Security Group.

By combining AWS Config rules with SSM Automation, you can detect security groups that deviate from the approved baseline and automatically remediate them.
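The rule set review that 1.1.7 and 1.2.1 ask for can be automated as a check over a security group's rules. The following is an added example, not code from the original post or from AWS: it assumes input in the shape of the EC2 DescribeSecurityGroups response, and the group IDs, sample group and approved policy are constructed.

```python
"""Rule-set review for one security group (requirements 1.1.7 and 1.2.1).

Added example, not code from the original post or from AWS. The input dicts
mirror the shape of the EC2 DescribeSecurityGroups response (IpPermissions /
IpPermissionsEgress); the sample group, group IDs and policy are constructed.
"""
from typing import Dict, List, Set

Policy = Dict[str, Dict[int, Set[str]]]  # direction -> port -> approved peers


def _peers(perm: Dict) -> List[str]:
    """Every CIDR or security group a single rule refers to."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])


def review_security_group(sg: Dict, policy: Policy) -> List[str]:
    """Return findings; an empty list means every rule is in the approved set."""
    findings = []
    for direction, key in (("inbound", "IpPermissions"),
                           ("outbound", "IpPermissionsEgress")):
        allowed = policy.get(direction, {})
        for perm in sg.get(key, []):
            proto = perm["IpProtocol"]
            if proto == "-1":  # all protocols/ports: can never be a documented exception
                findings.append(f"{sg['GroupId']} {direction}: all traffic permitted")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            for peer in _peers(perm):
                if any(peer not in allowed.get(p, set()) for p in range(lo, hi + 1)):
                    findings.append(
                        f"{sg['GroupId']} {direction}: {proto}/{lo}-{hi} {peer} not approved")
    return findings


# Constructed approved rule set for a DMZ web tier (1.1.6 holds the justification).
WEB_POLICY: Policy = {"inbound": {443: {"0.0.0.0/0"}},
                      "outbound": {8443: {"sg-app-constructed"}}}

# Constructed group as EC2 would describe it; AWS adds the allow-all egress by default.
WEB_SG = {
    "GroupId": "sg-web-constructed",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
```

Running `review_security_group(WEB_SG, WEB_POLICY)` reports the undocumented SSH rule and the default allow-all egress; the same function can be the evaluation logic of a Config custom rule, with the findings driving an SSM Automation remediation.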

 

1.2.2: Secure and synchronize router configuration files.

You should check your router configuration files to make sure they are protected from unauthorized access.

In AWS, for example, make sure the running (active) configuration matches the launch configuration (the one used when the machine is restarted).

 

1.2.3: Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

You should ensure that your firewall denies all traffic between your wireless environment and your cardholder data environment, or permits only authorized traffic if your business requires it.

In AWS, there is nothing specific to do for this beyond configuring Security Groups and Network ACLs.

 

1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3.1: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

You need to make sure that inbound traffic is limited to only the system components that provide authorized publicly accessible services, protocols, and ports.

In AWS, the relevant settings are Security Groups, Network ACLs, and Route Tables.

 

1.3.2: Limit inbound Internet traffic to IP addresses within the DMZ.

You need to make sure that inbound Internet traffic is restricted to IP addresses within the DMZ.

 

In AWS, it is the same as 1.3.1.

 

1.3.3: Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

You need to make sure that you have implemented anti-spoofing measures, such as internal addresses not being able to pass from the Internet into the DMZ.

 

In AWS, it is the same as 1.3.1.

 

1.3.4: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

Examine your firewall / router configuration to ensure that outbound traffic from your cardholder data environment to the Internet is explicitly authorized.

 

In AWS, it is the same as 1.3.1.

 

1.3.5: Permit only “established” connections into the network.

You need to make sure that your firewall only allows established connections into your internal network and rejects incoming connections that aren’t due to pre-established sessions.

 

In AWS, it is the same as 1.3.1.

 

1.3.6: Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

You must make sure that the system components that store cardholder data are in the internal network zone, isolated from the DMZ and other untrusted networks.

 

In AWS, it is the same as 1.3.1.
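The Route Table side of 1.3.1 through 1.3.6 (DMZ subnets route to an Internet gateway, cardholder-data subnets never do, and their only outbound path is a NAT gateway) can also be verified automatically. The following is an added example, not code from the original post or from AWS; it assumes input in the shape of the EC2 DescribeRouteTables response, and the zone map, subnet and gateway IDs are constructed.

```python
"""Route-table check for the DMZ / internal-zone split (1.3.1, 1.3.4, 1.3.6).

Added example, not code from the original post or from AWS. The input mirrors
the EC2 DescribeRouteTables response; zone names, subnet and gateway IDs are
constructed.
"""
from typing import Dict, List


def _default_target(rt: Dict) -> str:
    """Target of the 0.0.0.0/0 route (Internet gateway, NAT gateway, ...), or ''."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId", "")
    return ""


def check_zones(route_tables: List[Dict], zones: Dict[str, str]) -> List[str]:
    """zones maps SubnetId -> 'dmz' or 'internal'; returns findings (empty = pass)."""
    findings = []
    for rt in route_tables:
        target = _default_target(rt)
        via_igw = any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))
        for assoc in rt.get("Associations", []):
            subnet, zone = assoc.get("SubnetId"), zones.get(assoc.get("SubnetId"))
            if zone == "dmz" and not target.startswith("igw-"):
                findings.append(f"1.3.1 {subnet}: DMZ subnet has no Internet gateway route")
            elif zone == "internal" and via_igw:
                # Cardholder-data subnets must never be directly reachable from the Internet.
                findings.append(f"1.3.6 {subnet}: internal subnet routes via an Internet gateway")
            elif zone == "internal" and target and not target.startswith("nat-"):
                findings.append(f"1.3.4 {subnet}: outbound path {target} is not a NAT gateway")
    return findings


# Constructed sample: a public (DMZ) table and a private table that was misconfigured.
ZONES = {"subnet-dmz-constructed": "dmz", "subnet-db-constructed": "internal"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-constructed",
     "Associations": [{"SubnetId": "subnet-dmz-constructed"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-constructed"}]},
    {"RouteTableId": "rtb-private-constructed",
     "Associations": [{"SubnetId": "subnet-db-constructed"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-constructed"}]},
]
```

On the sample data `check_zones(ROUTE_TABLES, ZONES)` flags the database subnet, whose default route points at the Internet gateway instead of a NAT gateway.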

 

1.3.7: Do not disclose private IP addresses and routing information to unauthorized parties.

You need to ensure that you have implemented a method that does not disclose private IP addresses and routing information from your internal network to the Internet.

In AWS, IAM is used to restrict who can authenticate and what privileges they hold.

 

1.4: Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.

 

A personal firewall (or equivalent) must be installed, actively running, and not modifiable by the user of the portable computing device.

AWS does not provide this, so please create your own documentation.

 

1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

You should review the documentation and interview stakeholders to ensure that your security policies and operational procedures for managing your firewalls are documented, in use, and known to all affected parties.

  • AWS does not provide this, so please create your own documentation.

The above is how to address PCI DSS Requirement 1 using AWS.
