PCI Compliance on AWS: PCI Requirement 10
Using CloudTrail, CloudWatch, and Config
In an AWS environment, PCI Requirement 10 translates to logging. The requirement states, “Track and monitor all access to network resources and cardholder data.” Without logging mechanisms in place, it is nearly impossible to track access to cardholder data (CHD) and user activity. If data is compromised in your AWS environment, how would you determine the cause, the scope, and the timeline? Logging plays a crucial role in minimizing the impact of a data breach or security incident, because it is the evidence every investigation starts from.
AWS recommends using three services to support proper logging and monitoring:
- AWS CloudTrail is the key service for governance and risk auditing because it records API calls and other account activity: who did what, from which source IP, and when. Note that by default a trail records management (control-plane) events only; object-level S3 access and Lambda invocations are data events that must be explicitly enabled on the trail, and a PCI trail needs them for any bucket holding CHD.
- Amazon CloudWatch is the log aggregator and the monitoring and observability arm for applications on AWS; CloudTrail can deliver its events to a CloudWatch Logs log group, where metric filters and alarms can alert on them.
- AWS Config gives you the ability to record and evaluate the configurations of your AWS resources, including whether logging itself is still turned on and configured the way you expect.
We also recommend using Kibana, a visualization tool for Elasticsearch-backed log data, in combination with these AWS services for logging and monitoring.
PCI Requirement 10 is about logging: keeping audit trails and keeping them secure. The integrity of the logs is what ultimately matters, because when something goes wrong and you are investigating a security incident or data breach, the logs are what you go back to, and they are worthless if an attacker could have altered them or switched them off. AWS gives you built-in tools for most of these logging functions. CloudTrail, the audit engine, records each call with a timestamp, the calling identity, and the source address; enable its log file integrity validation so that delivered log files can be proven unaltered, and restrict who can stop, delete, or reconfigure the trail. CloudWatch, the log aggregator, takes in logs from Lambda, EC2 instances, VPC Flow Logs, and databases, and can raise alarms on patterns in them. Then you can use Kibana to visualize what is going on in your network or your VPCs.
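As an added example (not code from the original article), the following Python script shows the two checks a practitioner would run over CloudTrail records for Requirement 10: listing every S3 data event that touched a cardholder-data bucket and flagging principals outside an allow-list, and flagging any call that stops, deletes, or reconfigures the trail itself. It also emits the equivalent CloudWatch Logs metric filter pattern for the tamper events. The records, account ID, bucket name, trail name, and principal names are constructed for this example; the field names follow CloudTrail's JSON record format.

```python
"""Triage of CloudTrail records for PCI DSS Requirement 10 (constructed example)."""
import json
from datetime import datetime, timezone

# Constructed sample log file body in CloudTrail's format: a JSON object with a
# "Records" list. Account ID, bucket, trail, and principals are made up, and the
# records are deliberately out of chronological order.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:07:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.2.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-readonly/alice"},
     "requestParameters": None},
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-api/i-0abc"},
     "requestParameters": {"bucketName": "chd-vault", "key": "tokens/2024/03/batch-17.json"}},
    {"eventTime": "2024-03-01T10:06:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/pci-trail"}},
    {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-bob"},
     "requestParameters": {"bucketName": "chd-vault", "key": "tokens/2024/03/batch-17.json"}},
]})

# Policy inputs (assumptions for this example, not anything the article specifies).
CHD_BUCKETS = {"chd-vault"}
CHD_ALLOWED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/payments-api/i-0abc"}
S3_DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject"}
# CloudTrail API calls that stop, remove or reconfigure the audit trail.
AUDIT_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_event_time(value):
    """CloudTrail eventTime is UTC in the form 2024-03-01T10:02:11Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(raw):
    """Parse a log file body and sort by eventTime so the trail reads chronologically."""
    return sorted(json.loads(raw)["Records"], key=lambda r: parse_event_time(r["eventTime"]))


def principal_of(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def find_chd_access(records):
    """Requirement 10.2: every access to cardholder data must be logged and
    reviewable. One finding per S3 data event on a CHD bucket; 'unexpected' is
    set when the principal is not on the allow-list."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in S3_DATA_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in CHD_BUCKETS:
            continue
        who = principal_of(r)
        findings.append({"time": r["eventTime"], "principal": who, "action": r["eventName"],
                         "object": f"{bucket}/{params.get('key', '')}",
                         "source_ip": r.get("sourceIPAddress"),
                         "unexpected": who not in CHD_ALLOWED_PRINCIPALS})
    return findings


def find_audit_tampering(records):
    """Requirement 10.5: audit trails must be protected from alteration. Any
    call that stops, deletes or reconfigures the trail is a finding."""
    return [{"time": r["eventTime"], "principal": principal_of(r), "action": r["eventName"],
             "trail": (r.get("requestParameters") or {}).get("name"),
             "source_ip": r.get("sourceIPAddress")}
            for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in AUDIT_TAMPER_EVENTS]


def tamper_metric_filter_pattern():
    """CloudWatch Logs filter pattern (JSON selector syntax) for the same tamper
    events, usable as a metric filter plus alarm on the CloudTrail log group."""
    names = " || ".join(f'($.eventName = "{n}")' for n in sorted(AUDIT_TAMPER_EVENTS))
    return f'{{ ($.eventSource = "cloudtrail.amazonaws.com") && ({names}) }}'


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL_LOG)
    for f in find_chd_access(recs):
        print("CHD access:", f)
    for f in find_audit_tampering(recs):
        print("AUDIT TAMPER:", f)
    print("CloudWatch metric filter:", tamper_metric_filter_pattern())
```

On the constructed input, the script lists both reads of the CHD object, marks the one by the contractor user as unexpected, and reports the StopLogging call that followed it a few seconds later; that ordering (an out-of-policy read immediately followed by an attempt to silence the trail) is exactly the sequence the timestamps are there to expose. In production the same functions would run over log files pulled from the trail's S3 bucket, and the metric filter pattern would be attached to the log group CloudTrail delivers to.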