PCI Compliance on AWS: PCI Requirement 6.6
Using AWS Managed Rules
PCI Requirement 6.6 is about protecting public-facing web applications. You must address new threats and vulnerabilities on an ongoing basis and ensure your web applications are protected against known attacks by either of the following methods:
- Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods (at least annually and after any changes).
- Install an automated technical solution that detects and prevents web-based attacks in front of public-facing web applications (to continually check all traffic).
AWS customers can utilize AWS Managed Rules under AWS WAF to meet the “automated technical solution” requirement. This service protects against common application vulnerabilities or other unwanted traffic, and the best part is: you don’t have to write your own rules. You select applicable rule groups from AWS Managed Rules, apply them to web ACLs, and choose whether to monitor or block requests that match the managed rules. To learn more about protecting web applications using AWS Managed Rules, visit the Developer Guide for AWS Managed Rules for AWS WAF.
PCI Requirement 6.6 is related to assessing our web applications or putting into place technologies that will protect web applications from the threats that are out there. Let’s start, first, with assessment. You have two choices, here, when it comes to complying with 6.6. In order to perform an assessment, the requirement says that it can be either a manual or automated approach to assessment. A lot of people utilize tools in order to accomplish the automated approach: something that will evaluate your application according to the OWASP Top 10 Security Vulnerabilities for Web Applications. It will look for things like SQL injection, XSS, broken authentication, and other session management issues – issues that are known and related to web application security flaws out there. Or, you can accomplish that by performing a manual review of the environment. Some companies will utilize a third party to perform a web application security inspection, or they will have a dedicated member of their team who is knowledgeable, not only in the OWASP methodology, but also in the latest security vulnerability practices, so that they can utilize the tools and techniques that are out there to test the application and see if it has these known web application vulnerabilities.

Or, if you don’t want to go the assessment route, you can implement a technology such as a web application firewall to protect the application against these threats that are out there. You might look at AWS WAF as an option to comply, because placing that firewall on the frontend to deflect those attacks, and to log and alert on those attacks as they are happening, can be one way to satisfy PCI Requirement 6.6.
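As an added example (not from the original article or from AWS), the snippet below builds the rule list for an AWS WAFv2 web ACL that attaches AWS Managed Rules rule groups, with the monitor-versus-block choice described above expressed as the rule's OverrideAction (Count to only record matches, None to let the group block). The rule group names are AWS's real names; the metric names and the Count-first rollout are assumptions for this example.

```python
"""Rule list for 'aws wafv2 create-web-acl --rules file://rules.json'
that attaches AWS Managed Rules groups in monitor (Count) or block mode.
Rule group names are real AWS names; everything else is constructed here.
"""
import json

# Managed rule groups (vendor "AWS") covering the OWASP-style findings the
# text mentions: generic web exploits, SQL injection and known bad inputs.
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
]


def managed_rule(name: str, priority: int, monitor_only: bool) -> dict:
    """One web ACL rule that references an AWS Managed Rules group.

    OverrideAction Count suppresses the group's own block actions and only
    counts matches (the 'monitor' choice); None lets the group block.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}
        },
        "OverrideAction": {"Count": {}} if monitor_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,  # needed to alert on matches
            "MetricName": name,  # assumed metric name, one per group
        },
    }


def build_rules(monitor_only: bool) -> list:
    """Rules in priority order; lower numbers are evaluated first."""
    return [
        managed_rule(group, priority, monitor_only)
        for priority, group in enumerate(MANAGED_RULE_GROUPS)
    ]


if __name__ == "__main__":
    # Start in Count mode to tune for false positives, then switch to block.
    print(json.dumps(build_rules(monitor_only=True), indent=2))
```

Switching `monitor_only` to `False` produces the blocking configuration; matches are still visible in the CloudWatch metrics and sampled requests either way, which is what the logging and alerting side of the requirement relies on.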