PCI Compliance on AWS: PCI Requirement 8.5
Avoiding Generic Credentials and Authentication
Group, shared, or generic authentication methods cause a loss of accountability for the actions that have taken place within your AWS environment and make it impossible to determine who has taken which actions. That is why PCI Requirement 8.5 focuses on avoiding group, shared, or generic IDs, as well as group or generic authentication methods – especially when it comes to administrative actions, vendor access, or other critical functions.
The most important account to avoid using is the root account. Because the root account has access to all AWS services and resources in your AWS account, active use of it should be avoided. Many layers of security should surround the root account so that, unless emergency access is required, no actions are taken from it.
Requirement 8.5 in the PCI Data Security Standard states that you should not use group, shared, or other generic accounts within your AWS environment. This is very important because, for integrity and accountability purposes, you need your actions recorded in your logs so that you know who took what actions at what time. You need to evaluate whether you have accounts that are being used by multiple individuals. We’ve seen accounts where an administrator at our client and a vendor were both using the same account. You don’t want that to happen, especially if you are trying to comply with the PCI Data Security Standard.
Be sure to inspect your IAM accounts to understand what they’re intended to be used for and how they are assigned to individual users. You’ll also notice that standards such as the CIS Benchmark talk about avoiding the use of root. You can run our AWS scan to see the last time your root account was used, because a generic administrative account like that should be used only in extreme situations where it is required, rather than in place of an individually assigned administrative account. So, checking periodically to understand when it was used, and setting up alerts so that you know when it is being used and can investigate why, is very important under a lot of different compliance frameworks.
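The periodic root-usage check and the root-activity alert described above, as an added example that is not part of the original article or the firm's AWS scan: it reads the IAM credential report for the root account's most recent use and filters CloudTrail records down to a person acting as root. The credential report and CloudTrail records are constructed samples in the real formats' layout; Python 3.7+ is assumed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of `aws iam get-credential-report`, trimmed to the columns used here.
# IAM reports the root user under the literal name "<root_account>".
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2024-05-02T08:12:44+00:00,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-05-20T07:30:00+00:00,2024-05-21T06:00:00+00:00,N/A
"""

# Constructed CloudTrail records: a human root console login (must alert), a root event invoked by an
# AWS service on the account's behalf (must not alert), and an ordinary IAM user call.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-05-02T08:12:44Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-05-03T01:00:00Z", "eventName": "DescribeTrails", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventTime": "2024-05-21T06:00:00Z", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}

def _ts(value):
    # Both sources emit ISO 8601; the report uses +00:00, CloudTrail uses Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def root_last_used(report_csv):
    # Latest root activity across console password and both access keys, or None if never used.
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            cols = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
            stamps = [_ts(row[c]) for c in cols if row.get(c, "") not in NOT_A_DATE]
            return max(stamps) if stamps else None
    return None

def root_used_within(report_csv, days, now_iso):
    # True when root was used inside the `days`-long review window ending at `now_iso`.
    last = root_last_used(report_csv)
    return last is not None and _ts(now_iso) - last <= timedelta(days=days)

def root_events(records):
    # A person acting as root: type Root, no invokedBy (not an AWS service acting for the account) and
    # not an AwsServiceEvent; the same condition the CIS AWS Foundations root-usage metric filter uses.
    return [r for r in records
            if r.get("userIdentity", {}).get("type") == "Root"
            and "invokedBy" not in r["userIdentity"]
            and r.get("eventType") != "AwsServiceEvent"]
```

In production the report comes from `aws iam get-credential-report` (base64-encoded CSV) and the records from your CloudTrail log files or a CloudWatch Logs subscription; the filtering logic is unchanged.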