PCI Compliance on AWS: Network Segmentation
Reducing the Scope of Your CDE
Network segmentation is not a PCI DSS requirement, but it can drastically reduce the scope of your assessment by limiting the size of the CDE. The fewer systems involved in your payment flow, the better. By identifying the resources that fall within the scope of PCI requirements, you can draw strategic segmentation boundaries. You need to account for three classes of systems: CDE systems (those that store, process or transmit cardholder data), connected-to or security-impacting systems (anything that can reach the CDE or affects its security, which is also in scope), and out-of-scope systems (which must have no connectivity to the CDE). Your network diagram needs to show the controls that restrict traffic between out-of-scope systems and the CDE, not just assert that they exist.
AWS recommends that you design segmentation into your AWS environment by properly configuring the following:
- AWS Account Layer – Consider individual accounts and multi-account architecture
- Network Layer – Use VPCs and subnets to separate tiers, and security groups (stateful, instance-level) together with network ACLs (stateless, subnet-level) for traffic filtering
- Application Layer – Use API-based services to manage the CHD flow
- Docker Containerized Workloads – Use Amazon ECS for container orchestration
- Hybrid Environments – Control the connections between your on-premises system components and your AWS environment
To learn more about network segmentation resources, read Architecting for PCI DSS Scoping and Segmentation on AWS or PCI SSC Guidance for PCI DSS Scoping and Network Segmentation.
I want to talk about network segmentation and how it relates to PCI compliance in your AWS environment. Network segmentation is not required, but it is an important strategy for limiting the footprint of your PCI cardholder data environment. The fewer systems you have in scope for PCI compliance, the fewer systems you have to apply every requirement to, and that can make your life a good deal simpler. Network segmentation is something to consider.
Too often in our clients' network diagrams, we find that they say there is segmentation when traffic is in fact still allowed across whatever controls they have put in place. By definition, network segmentation means that out-of-scope systems cannot reach your cardholder data environment at all. If a system can send traffic into the CDE, it is not out of scope; it is a connected-to system and must be treated as in scope. In your network diagram, you want to illustrate the controls you have put in place to restrict traffic with out-of-scope systems. If you allow connectivity from the IT systems that manage the cardholder data environment, require two-factor authentication, and then point to two-factor authentication and call that network segmentation, that is incorrect. Two-factor authentication is an access control, not a network control: once the user authenticates, the traffic still flows from one network into the other. A properly segmented environment would put a bastion host in place, so that out-of-scope systems can connect only to that host and only traffic from that host is allowed into the rest of your cardholder data environment. Keep in mind that the bastion host itself is then a connected-to system and is in scope, so harden it, restrict who can reach it, and log what happens on it. You might also look at AWS Systems Manager, whose Session Manager feature provides shell access to instances through the AWS API without opening any inbound ports on the instance, which removes the need for an SSH or RDP path from the corporate network into the CDE entirely. So put that diagram together, illustrate where your controls are, then contact us here at KirkpatrickPrice. We can take a look at it with you and help you understand exactly how to reduce the scope of your environment and apply network segmentation properly.
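The "Network Layer" bullet above and the diagram-versus-reality problem described in this section come down to one testable question: does any inbound rule on a CDE security group accept traffic from a source that is neither another CDE group nor the approved bastion group? The following check is an added example, not code from the original post or from AWS. It walks the structure that boto3's `ec2.describe_security_groups()` returns, so the same function can be pointed at live output, but the security group IDs, names and rules embedded here are constructed for this example and are hypothetical.

```python
"""Audit AWS security group rules for inbound paths that break CDE segmentation.

Added example (not from the original post). Input is the list found under
"SecurityGroups" in the response of ec2.describe_security_groups(); the sample
below is constructed and uses hypothetical group IDs.
"""
from ipaddress import ip_network

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-bastion",          # hypothetical ID
        "GroupName": "pci-bastion",
        "IpPermissions": [
            # Corporate IT may SSH to the bastion; the bastion is a connected-to
            # system and is itself in scope, but it is not a CDE group.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.50.0.0/16", "Description": "corporate IT"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-cde-app",          # hypothetical ID
        "GroupName": "pci-cde-app",
        "IpPermissions": [
            # Admin access only from the bastion's security group: correct.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        ],
    },
    {
        "GroupId": "sg-cde-db",           # hypothetical ID
        "GroupName": "pci-cde-db",
        "IpPermissions": [
            # Database reachable from the whole corporate network: the
            # "segmented" claim on the diagram is false.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.50.0.0/16"}], "UserIdGroupPairs": []},
            # A "temporary" rule nobody removed.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # Intra-CDE traffic from the app tier is fine.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-cde-app"}]},
        ],
    },
]


def find_segmentation_violations(security_groups, cde_group_ids, bastion_group_ids,
                                 cde_cidrs=()):
    """Return (group_id, rule_summary, reason) for every inbound rule on a CDE
    security group whose source is not another CDE group, an approved bastion
    group, or a CIDR that lies entirely inside one of cde_cidrs.

    cde_cidrs should be the CDE subnets themselves; any CIDR source that is not
    fully contained in them is treated as out of scope and therefore a violation.
    """
    cde_group_ids = set(cde_group_ids)
    bastion_group_ids = set(bastion_group_ids)
    cde_nets = [ip_network(c, strict=False) for c in cde_cidrs]
    violations = []
    for sg in security_groups:
        if sg["GroupId"] not in cde_group_ids:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            summary = f"{proto}/{ports}"
            # Sources expressed as references to other security groups.
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair.get("GroupId")
                if src in cde_group_ids or src in bastion_group_ids:
                    continue
                violations.append((sg["GroupId"], summary,
                                   f"source group {src} is neither a CDE nor a bastion group"))
            # Sources expressed as IPv4 or IPv6 CIDR ranges.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                net = ip_network(cidr, strict=False)
                if any(net.version == c.version and net.subnet_of(c) for c in cde_nets):
                    continue
                violations.append((sg["GroupId"], summary,
                                   f"CIDR source {cidr} is outside the CDE"))
    return violations


if __name__ == "__main__":
    # For a live check, replace SAMPLE_SECURITY_GROUPS with
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"].
    for gid, rule, reason in find_segmentation_violations(
            SAMPLE_SECURITY_GROUPS, ["sg-cde-app", "sg-cde-db"], ["sg-bastion"]):
        print(f"{gid}: {rule}: {reason}")
```

Run against the sample, the check flags the two rules on `sg-cde-db` that admit the corporate network and the whole internet, and passes the bastion-only rule on `sg-cde-app`. Note what the check does not cover: it inspects security groups only, so network ACLs, route tables, VPC peering and Transit Gateway attachments, and on-premises links still need to appear on the diagram with their own controls, and any group you list as a bastion is in scope and must be reviewed as a connected-to system.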