PCI Compliance on AWS: PCI Requirement 8.2
Something You Know, Something You Have, Something You Are
PCI Requirement 8.2 adds an additional layer of security to user IDs by requiring authentication through something you know, something you have, or something you are. It states, “In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know (such as a password or passphrase), something you have (such as a token device or smart card), something you are (such as a biometric).” These three authentication methods, when used with unique IDs, protect credentials from being compromised.
AWS IAM supports several ways to implement MFA, which will meet the requirement for a token or one-time code.
PCI Data Security Standard Requirement 8.2 is, in my opinion, all about protecting passwords. There are three things that are discussed in this. Number one is that you require people to access your environment using something that they know, something they are, or something they have. You have to have an authentication mechanism that does, in fact, require a password. But I want to emphasize the importance of keeping those things secret. It has to be a password that only you know. Not sharing passwords, teaching people about security awareness issues so that they’re not sharing their password with anybody else. They need to understand that this is something that they know. It’s very, very important to protect that password. They need to ensure that they are where they’re supposed to be when they’re logging into your AWS environment.
Secondly, 8.2 talks about protecting passwords in transmissions and in storage. So, whatever applications you are running within your EC2 instances or within your EKS environment or whatever your environment looks like, you want to ensure that your technologies and your mechanisms are protecting passwords as you’re logging into different resources or systems within your AWS environment. Also, any of those unique applications that you’re running in that environment needs to have proper protection of password files so that they cannot be accessed and broken by an attacker.
Finally, we’re needing to protect passwords when it comes to resetting it for employees. Having defined processes that are meant to protect your passwords in your AWS environment is very important when it comes to complying with requirement 8.2.