PCI Compliance on AWS: PCI Requirement 2.2
Developing Your Configuration Standards
PCI Requirement 2.2 requires you to, “Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.” As you work to comply with this requirement and you develop your own AWS configuration standards, you don’t need to start from scratch. You can rely on industry-accepted resources such as:
- AWS Security Checklist
- AWS Best Practices for Security, Identity, and Compliance
- CIS Benchmark for Securing Amazon Web Services
- NIST Guidelines for Firewalls and Firewall Policy
Along with the extensive resources AWS, CIS, and NIST, other benchmarks could come from ISO or the SANS Institute.
PCI Requirement 2.2 requires that you have configuration standards based on industry best practices. Within the AWS environment, you might look to industry resources such as the Center for Internet Security (CIS). We’ve provided links below that will get you to some of these industry best practices that are published out there. AWS has published a security checklist and security best practices for securing your AWS environment. When you document your configuration standards, you want to refer to one of these industry-accepted resources as your benchmark that you’ve utilized in order to secure your environment. Interestingly enough, AWS also offers images that are pre-configured against some of these standards out there in the marketplace, so be sure to check those out as well.