PCI Compliance on AWS: The Shared Responsibility Model
Customer Responsibility in AWS
One of the most common mistakes that AWS customers make is relying too heavily on AWS for cloud security. They falsely believe that AWS is responsible for everything related to security – which is not the case. If you do not understand the Shared Responsibility Model, you will find non-compliant and insecure areas in your AWS environment.
The Shared Responsibility Model outlines that AWS is responsible for the security of the cloud, and customers are responsible for security in the cloud. Essentially, if there is something that is configurable, then it’s the customer's responsibility to configure it so that it meets the compliance requirements. AWS is responsible for the physical infrastructure, the network, and hypervisors. AWS customers are responsible for the operating system, applications, and data. This means that the provider (AWS) and the customer must work together to comprehensively meet cloud security objectives. Understanding the Shared Responsibility Model is a crucial element of compliance that should not be overlooked.
When you’re pursuing PCI compliance in your AWS environment, one important thing to consider is the Shared Responsibility Model. AWS has published their Shared Responsibility Model (we’ve provided it in a link below) and it’s a great place to start so that you can understand what they’re responsible for and what you’re responsible for. In essence, they are responsible for security of the cloud and you are responsible for what is in the cloud. One thing that AWS says is that if something is configurable, then it’s your responsibility to configure it so that it meets the compliance requirements. As you go through your own responsibilities, you should develop your own Shared Responsibility Model that you will share with your clients; this stipulates what you’re responsible for, what your clients are responsible for, and what AWS is responsible for. Too often, people think that just because AWS provides the ability to perform encryption, AWS is responsible for encrypting their data. That is your responsibility. Or they think that because AWS provides the operating system, AWS is responsible for securing it. That is not correct. You are responsible for configuring and hardening the operating system. AWS provides you with many great controls, but ultimately, you must configure those things and have your own policies and procedures that govern what you expect those things to look like and how you use them. If you need help developing your own Shared Responsibility Model, we would love to help you with it. Please connect with us and we’d be happy to put that together for you.
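The encryption example above is the kind of customer-side control that only shows up as a gap if you go looking for it. The following script is an added illustration, not code from the original post or from AWS: it evaluates constructed sample data shaped like the output of `aws ec2 describe-volumes` and `aws s3api get-bucket-encryption` (volume IDs, bucket names and key alias are all made up) and emits one finding per resource where the customer-configurable encryption setting is absent, tagging each finding with the party the Shared Responsibility Model assigns it to. In a real environment you would feed it the CLI's JSON output instead of the embedded samples.

```python
"""Audit customer-configurable encryption settings against the Shared Responsibility Model.

Added example: the input below is constructed to mirror the shape of AWS CLI output;
it is not real account data.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on `aws ec2 describe-volumes` (volume IDs are made up).
SAMPLE_VOLUMES_JSON = """
{"Volumes": [
  {"VolumeId": "vol-0aaa111", "Encrypted": true,  "State": "in-use"},
  {"VolumeId": "vol-0bbb222", "Encrypted": false, "State": "in-use"},
  {"VolumeId": "vol-0ccc333", "Encrypted": false, "State": "available"}
]}
"""

# Constructed sample: bucket name -> parsed `aws s3api get-bucket-encryption` result.
# None stands in for the CLI error returned when no default encryption is configured.
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "cardholder-archive": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [
                {"ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "alias/pci-data"}}  # hypothetical key alias
            ]
        }
    },
    "web-logs": None,
}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    owner: str    # who the Shared Responsibility Model assigns this control to
    detail: str


def audit_volumes(describe_volumes_json: str) -> List[Finding]:
    """Flag every EBS volume whose at-rest encryption was never turned on.

    AWS supplies the encryption capability; enabling it is the customer's job,
    so every finding here is owned by the customer.
    """
    findings: List[Finding] = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if not vol.get("Encrypted", False):
            findings.append(Finding(
                resource=vol["VolumeId"],
                control="EBS encryption at rest",
                owner="customer",
                detail=f"volume is {vol.get('State', 'unknown')} and unencrypted",
            ))
    return findings


def audit_buckets(bucket_configs: Dict[str, Optional[dict]]) -> List[Finding]:
    """Flag buckets with no default server-side encryption rule.

    A bucket is compliant with this check if at least one rule names an
    SSEAlgorithm; the absence of any configuration (None) is a finding.
    """
    findings: List[Finding] = []
    for name, cfg in bucket_configs.items():
        rules = [] if cfg is None else cfg["ServerSideEncryptionConfiguration"]["Rules"]
        algorithms = {
            r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
            for r in rules
            if "ApplyServerSideEncryptionByDefault" in r
        }
        if not algorithms:
            findings.append(Finding(
                resource=name,
                control="S3 default encryption",
                owner="customer",
                detail="no default server-side encryption configured",
            ))
    return findings


def run_audit(volumes_json: str = SAMPLE_VOLUMES_JSON,
              buckets: Dict[str, Optional[dict]] = SAMPLE_BUCKETS) -> List[Finding]:
    """Combine both checks; an empty list means no customer-side gaps were found."""
    return audit_volumes(volumes_json) + audit_buckets(buckets)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.owner}] {f.control}: {f.resource} - {f.detail}")
```

The `owner` field is the point of the exercise: every finding the script can raise is one that AWS exposes as a setting but leaves to you, which is exactly the "configurable means customer responsibility" rule from the model. Controls on the AWS side of the line (hypervisor, physical hosts) do not appear here because there is nothing for you to configure.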