PCI Compliance on AWS: PCI Requirement 1.1.2
How Does Your AWS Environment Connect to the CDE?
An up-to-date, comprehensive network diagram is required by PCI Requirement 1.1.2, which states that organizations must have a “current network diagram that identifies all connections between the Cardholder Data Environment (CDE) and other networks, including any wireless networks.”
To comply with this critical element of PCI compliance for AWS environments, we recommend maintaining two types of network diagrams: a high-level diagram and a very detailed diagram. Your network diagram needs to illustrate all of the connections within your AWS environment related to traffic flow and systems, including:
· Boundaries of your in-scope networks
· All points where traffic enters and exists your networks
· Network access controls for both trusted and untrusted networks
· In-scope resources and technologies
· Any system that impacts the security of the cardholder data environment
Creating a network diagram for your AWS environment is a critical step for PCI compliance that requires thoughtfulness to achieve the level of detail required.
An important requirement for PCI compliance in your AWS environment is having a network diagram. In the Report on Compliance, there are actually two spots for network diagrams. There’s a place for a high-level diagram and then there’s one for a very specific, detailed diagram. It’s a good idea to maintain both of these documents. At a detailed level, you want to show all of the connections within your environment that relate to the traffic flow and systems that are connected to one another. In order to determine which systems are in scope and which systems are out of scope, you want to have something in your document that shows the out-of-scope networks. You’ll want to represent the network access controls that you have in place taking those systems out of scope. For things that are in scope, you’ll want to consider shared services such as logging services and patching servers, or directory services from active directory or something like that. Too often, people leave those out of their network diagram when they’re actually in scope because they’re providing a very important service to the environment in order to maintain the environment.
The other thing that people miss in their network diagram would be systems that are connected to the environment but also maybe affect the security of the environment. Systems that are managing the cardholder data environment, things that are providing security services, IT Professionals who are connecting in order to perform certain tasks; it’s very important to illustrate how those connections are happening because there are components that will be potentially be in scope that need to be represented on your network diagram. Be sure to check out the description below where we’ve provided some links to some examples of good network diagrams for PCI compliance. AWS has published some of those. The PCI Security Standards Council has published some as well. We want those to be good examples for you to follow, but as always, please reach out to us if you need some help putting that diagram together.