PCI Compliance on AWS: PCI Requirement 2.4
Using AWS to Maintain a Systems Inventory
PCI Requirement 2.4 requires that you maintain an inventory of in-scope system components. This may seem not seem like it, but it’s actually one of the most critical requirements to comply with. Why? Because if you don’t know what your systems are, you cannot protect them. Having a documented, up-to-date systems inventory is your starting point for defining the scope of your CDE and cultivating a strong security posture.
PCI Requirement 2.4 requires that you maintain a systems inventory. If you look at the CIS Top 20 Controls, you’ll notice that #1 is documenting your inventory. Why is that the most critical control? Because if you don’t know what your systems are, how can you even begin to protect them? That’s the first place to start. When you find things that shouldn’t be in your inventory, you can take them out and thereby reduce the level of access that an attacker would have to your environment. Having a documented inventory is a very critical place to start. You’ll use AWS Systems Manager and AWS Config for assistance in putting this inventory together. A lot of times when we go through our assessments, we’ll find systems where people are like, “I don’t know what this instance is. I don’t know why we created this one. Let’s look and see who has access to this.” You don’t want to be in a situation where you’re guessing what you have in place. Be sure to use those tools that AWS has provided to you and get a good, documented, updated inventory ready for your assessor to review.