PCI Compliance on AWS: PCI Requirement 11.5
Detecting Unauthorized Changes
To achieve compliance with PCI Requirement 11.5, you must deploy a change-detection mechanism. Your personnel must know of any unauthorized changes to system files, configuration files, or content files. The change-detection mechanism must perform critical file comparisons at least weekly.
In AWS, compliance with PCI Requirement 11.5 means using AWS CloudFormation drift detection, AWS Config, or other third-party solutions offered in the AWS Marketplace. AWS also explains, “Customers must deploy a change detection mechanism for AWS Lambda code that handles PCI workloads, potentially using Amazon CloudWatch logs and defined alarms, to detect unauthorized changes by defined identities and principles within their AWS accounts.”
Change, change, change. Everything changes. In the world of PCI, monitoring and detecting approved and unapproved changes is critical. You have to be able to show what is going on in your network. How do we do that in AWS? Couple of things. CloudFormation or Terraform scripts can be used as baselines in a traditional change management or change control environment. If you have golden or baseline configurations, then you can store those in Terraform and in CloudFormation. If anything changes, then it will do a difference comparison against the baseline and raise a flag through GuardDuty if there’s an issue. AWS Config also constantly monitors the AWS environment and records AWS resource configurations that are different, so you can leverage that. The other way is inside a traditional VPC and that would require a third-party solution from the AWS Marketplace. Traditional, but virtualized products like Tripwire, ManageEngine, OSSEC, and Threat Stack are in the AWS Marketplace and all of those can be leveraged to make sure that changes are detected and reported on properly.