PCI Compliance on AWS: Controls for Implementing a DMZ
Using CloudFront and API Gateway for PCI Requirement 1
PCI Requirement 1 has several sub-requirements regarding the implementation of a demilitarized zone (DMZ). These requirements include:
- PCI Requirement 1.1.4 requires “a firewall at each internet connection and between any DMZ and the internal network zone.”
- PCI Requirement 1.3.1 states, “Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.”
- PCI Requirement 1.3.6 says, “Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.”
To support compliance with this requirement, AWS provides services such as CloudFront and API Gateway that sit in front of your VPC and prevent untrusted networks from reaching it directly. Because these services are covered by AWS's own PCI DSS assessment, using them means you are building on a PCI-compliant service.
PCI Requirement 1 contains several sub-requirements concerning the implementation of a DMZ (demilitarized zone). You can use AWS services such as CloudFront or API Gateway to achieve compliance in these areas. The goal is to prevent untrusted networks, such as the public Internet, from accessing your VPC. By implementing these controls that AWS provides, you can satisfy these requirements and, in effect, shift responsibility for them to AWS. AWS undergoes its own PCI Data Security Standard assessment every year, and services such as CloudFront and API Gateway are assessed as part of it, so they do not have to be reassessed as part of your engagement. If you use the controls AWS provides to meet these requirements, those requirements become the responsibility of AWS and are not tested as part of your engagement.
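As an added illustration (not AWS's or this article's own code), the following Python script evaluates a set of security-group ingress rules, modelled in the shape the EC2 DescribeSecurityGroups API returns, against the two segmentation points above: DMZ components accept Internet traffic only on authorized ports (Requirement 1.3.1), and components holding cardholder data accept nothing from the Internet or from groups outside the DMZ and cardholder zones (Requirement 1.3.6). The group IDs, the prefix-list ID and the rules are all constructed for the example; in a real account the DMZ group would reference the managed prefix list for CloudFront origin-facing addresses, whose ID is account-specific.

```python
"""Segmentation check for PCI DSS Requirements 1.3.1 and 1.3.6.

Added example, not AWS's own tooling. Rules are plain dicts in the
IpPermissions shape of EC2 DescribeSecurityGroups, but every value
below is constructed so the script runs offline.
"""
from ipaddress import ip_network

# Ports a DMZ component is authorized to expose to the Internet (1.3.1).
ALLOWED_PUBLIC_PORTS = {443}

# Constructed zone model (hypothetical group IDs).
DMZ_SGS = {"sg-dmz-web"}      # behind CloudFront / API Gateway
CDE_SGS = {"sg-cde-db"}       # cardholder data environment
# Hypothetical placeholder for the CloudFront origin-facing prefix list.
CLOUDFRONT_PL = "pl-PLACEHOLDER-cloudfront-origin-facing"

# Constructed ingress rules: two are compliant, two are findings.
SAMPLE_GROUPS = {
    "sg-dmz-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},  # finding
    ],
    "sg-cde-db": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-dmz-web"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},  # finding
    ],
}


def is_internet(cidr):
    """True for any-source rules such as 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Readable port range; IpProtocol -1 means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    return f"{rule['FromPort']}-{rule['ToPort']}"


def exceeds_allowed_ports(rule, allowed):
    """True if the rule opens any port outside the allowed set."""
    if rule.get("IpProtocol") == "-1":
        return True
    return not set(range(rule["FromPort"], rule["ToPort"] + 1)) <= allowed


def evaluate(groups, dmz_sgs, cde_sgs):
    """Return a list of finding strings; an empty list means no issue found."""
    findings = []
    trusted = dmz_sgs | cde_sgs
    for sg_id, rules in groups.items():
        zone = "dmz" if sg_id in dmz_sgs else "cde" if sg_id in cde_sgs else None
        if zone is None:
            continue  # groups outside the modelled zones are not assessed here
        for rule in rules:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            from_internet = [c for c in cidrs if is_internet(c)]
            if zone == "cde":
                # 1.3.6: untrusted networks must never reach cardholder data.
                # Non-Internet CIDRs (VPC-internal ranges) are left for manual review.
                if from_internet:
                    findings.append(f"{sg_id}: Internet ingress {from_internet} on "
                                    f"{rule_ports(rule)} into cardholder zone (Req 1.3.6)")
                for pair in rule.get("UserIdGroupPairs", []):
                    if pair["GroupId"] not in trusted:
                        findings.append(f"{sg_id}: ingress from untrusted group "
                                        f"{pair['GroupId']} (Req 1.3.6)")
            else:
                # 1.3.1: DMZ exposes only authorized public services.
                if from_internet and exceeds_allowed_ports(rule, ALLOWED_PUBLIC_PORTS):
                    findings.append(f"{sg_id}: Internet ingress on {rule_ports(rule)} "
                                    f"exceeds authorized public ports (Req 1.3.1)")
    return findings


if __name__ == "__main__":
    for line in evaluate(SAMPLE_GROUPS, DMZ_SGS, CDE_SGS):
        print(line)
```

Run against a real account by replacing SAMPLE_GROUPS with the IpPermissions lists from DescribeSecurityGroups and the zone sets with your own group IDs; the check is intentionally conservative and reports findings for review rather than claiming the environment is compliant.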