PCI Compliance on AWS: PCI Requirement 10.4
Meeting PCI Requirement 10.4 with NTP
PCI Requirement 10.4 requires the use of time-synchronization technology to synchronize all critical system clocks and times. To comply with this requirement, Amazon uses the Amazon Time Sync Service. AWS explains: “…the Amazon Time Sync Service, which is accessible from all EC2 instances, and is also used by other AWS services. This service uses a fleet of satellite-connected and atomic reference clocks in each Region to deliver accurate current time readings of the Coordinated Universal Time (UTC) global standard through Network Time Protocol (NTP). The Amazon Time Sync Service automatically smooths any leap seconds that are added to UTC.”
There’s not enough time in the day – we all know that. But when we talk about time in PCI DSS, we are talking about synchronization. Why? Everything has to be synchronized if we are going to analyze it later. When conducting forensic analysis for a breach or an incident, we have to know when things happened and on which devices. Network Time Protocol (NTP) allows us to do that, and that is what PCI Requirement 10.4 calls for. In this case, Amazon gives us the Amazon Time Sync Service. I like this because it is built in and Amazon uses it themselves: all of Amazon’s platform – the AWS consoles and databases – is using the Time Sync Service. When you point the hosts inside your VPCs to the same service, you get consistent log timestamps across all of them. So when something happens at 11:11, you know it really happened at 11:11.
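As an added example (not from the original post or from AWS), the following script reads `chronyc tracking` output from a Linux host and reports whether that host is actually synced to the Amazon Time Sync Service and within an offset tolerance, which is the kind of evidence an assessor asks for under 10.4. It assumes chrony is the NTP client, uses the link-local address AWS documents for the service, and the 100 ms tolerance is an assumed value; the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reads `chronyc tracking` output
# and reports whether this host is synced to the Amazon Time Sync Service and
# within an offset tolerance, as evidence for PCI Requirement 10.4.

# Link-local address AWS documents for the Amazon Time Sync Service.
AMAZON_NTP="169.254.169.123"

# check_time_sync <chronyc-tracking-output> <max_offset_seconds>
# Prints a verdict line; returns 0 when compliant, 1 otherwise.
check_time_sync() {
    printf '%s\n' "$1" | awk -v want="$AMAZON_NTP" -v max="$2" '
        # "Reference ID : A9FEA97B (169.254.169.123)" -> keep the dotted address
        /^Reference ID/ { ref = $0; sub(/.*\(/, "", ref); sub(/\).*/, "", ref) }
        # "System time : 0.000023 seconds fast of NTP time" -> signed offset
        /^System time/  { off = $4 + 0; if ($6 == "slow") off = -off }
        /^Leap status/  { leap = $4 }
        END {
            ok = 1
            if (ref != want) { print "FAIL: reference is \"" ref "\", expected " want; ok = 0 }
            a = (off < 0) ? -off : off
            if (a > max) { printf "FAIL: offset %.6f s exceeds %.6f s\n", a, max; ok = 0 }
            if (leap != "Normal") { print "FAIL: leap status is " leap; ok = 0 }
            if (ok) printf "OK: synced to %s, offset %.6f s, leap status %s\n", ref, off, leap
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: a host pointed at the Amazon Time Sync Service.
SAMPLE_GOOD='Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
System time     : 0.000023456 seconds fast of NTP time
Last offset     : -0.000012345 seconds
Leap status     : Normal'
# Constructed sample: a host still using some other server and drifting.
SAMPLE_BAD='Reference ID    : C0A80001 (192.168.0.1)
Stratum         : 3
System time     : 0.350000000 seconds slow of NTP time
Last offset     : -0.300000000 seconds
Leap status     : Normal'

# Assumed tolerance of 100 ms; pass --live to check the real chronyc output.
if [ "${1:-}" = "--live" ]; then
    check_time_sync "$(chronyc tracking)" 0.1
else
    check_time_sync "$SAMPLE_GOOD" 0.1
    check_time_sync "$SAMPLE_BAD" 0.1 || true
fi
```

Run it with `--live` on each host in the VPC (or via SSM Run Command) and keep the verdict lines as audit evidence; a non-zero exit on any host means that host's log timestamps cannot be trusted for correlation.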