In this session, we discuss how to successfully architect for proper segmentation involving PCI DSS workloads running on AWS. We show you how the segmentation strategies and controls are different from those designed in a traditional on-premises environment, keeping in mind the unique characteristic of the AWS platform.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architect proper segmentation for PCI DSS
workloads on AWS
Avik Mukherjee
Senior Consultant
AWS Professional Services
Amazon Web Services
G R C 3 0 6
Aditya Patel
Security Architect
AWS Professional Services
Amazon Web Services

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals
Understand PCI guidance on scoping and segmentation
Learn how to apply the guidance on AWS
Learn how to validate segmentation boundaries

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data Security Standard (DSS)
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS—requirements
PCI DSS Requirement 0. Define scope and segmentation boundaries
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI DSS scope
People, processes, and technologies that can impact the security of CHD
Defined by the entity
Validated by the assessor (QSA/ISA)
Is required to meet all applicable PCI DSS controls

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why segmentation?
In Scope
Out of Scope
Organization
1. Reduce the security surface area
2. Reduce the compliance overhead
Pro tip! Segmentation is one way of reducing PCI DSS scope—others include using
P2PE solutions, PTS devices, outsourcing CHD handling functions

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI scoping and segmentation guidance
CDE Systems Connected-to or Security-Impacting
Systems
Have filtered direct or indirect network
connectivity to CDE systems
And/or
That affect the configuration and security of CDE
systems
And/or
Support PCI DSS requirements
Out-of-Scope Systems
Information supplement:
Guidance for PCI DSS
Scoping and Network
Segmentation
Published Dec. 2016

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
on AWS

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Unique AWS Cloud characteristics
Shared responsibility model
Security of the cloud & security in the cloud
Virtualization of traditional network—SDN
Elasticity
Abstracted services and API-based infrastructure
Automation
Hybrid infrastructure

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Communication layers on AWS
“The intent of segmentation is to prevent out-of-scope systems from being able to
communicate with systems in the CDE or impact the security of the CDE.” - Information
Supplement: Guidance for PCI DSS Scoping and Network Segmentation
Communication on AWS
• Network layer (Layer 3-4)—Primarily for AWS Infrastructure Services
• Application layer (Layer 7)—Primarily for AWS Containerized and Abstracted
Services

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Infrastructure vs. containerizedvs. abstracted services
Infrastructure Containerized Abstracted
AWS services
Amazon EC2, Amazon ECS,
Amazon EKS
Amazon RDS,
AWS Fargate
AWS Lambda,
Amazon S3
Client
responsibility
(security)
GuestOS + network
isolation + logical access +
data
Network isolation + logical
access + data
Logical access + data
Connectivity Network Network + application Application
Segmentation Network isolation
Network isolation + data
control
Data control

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scope
CDE
PCI DSS scope identification—decision flow

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reference architecture—scope
Web application tier
Application logic tier
Database tier
Load balancer

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI scoping and segmentation guidance
CDE Systems Connected-to or Security-Impacting
Systems
Have filtered direct or indirect network
connectivity to CDE systems
And/or
That affect the configuration and security of CDE
systems
And/or
Support PCI DSS requirements
Out-of-Scope Systems
Information supplement:
Guidance for PCI DSS
Scoping and Network
Segmentation
Published Dec. 2016

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 1: Identify CHD data flow
Web application tier
Application logic tier
Database tier
Load balancer

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 2: Identify the AWS services

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 3: Type of AWS service

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 3a, 3b: Identify the CDE
CDE

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
PCI scoping and segmentation guidance
CDE Systems Connected-to or Security-Impacting
Systems
Have filtered direct or indirect network
connectivity to CDE systems
And/or
That affect the configuration and security of CDE
systems
And/or
Support PCI DSS requirements
Out-of-Scope Systems
Information supplement:
Guidance for PCI DSS
Scoping and Network
Segmentation
Published Dec. 2016

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 4: Identify the non-CDE scope
CDE

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Final PCI DSS scope
CDE

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scope
CDE
PCI DSS scope identification—decision flow

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS
Network Layer Application Layer

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS—AWS account layer
Highest level of segmentation within AWS
All resources logically isolated from other AWS accounts
By design isolation thus no burden for validation
Use AWS Organizations and service control policies (SCPs)
Lowest segmentation boundary is an AWS account

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reference architecture—multi-account
Account A Shared Services Account B Logging Account C Security Account E CDE Systems
Account F—Out of Scope
Core OU PCI OU
Non-PCI OU
Org Master
Account D Connected-to

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS
AWS Account Application Layer

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS—network layer
Use security groups as segmentation boundaries
Acts as stateful virtual firewall to control network traffic at instance level
By default does not meet PCI DSS requirements—open outbound connection
Additionally, third-party host–based/network firewalls can also be used
Lowest segmentation boundary is an elastic network interface (ENI)

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reference architecture―network layer
Account E – CDE
VPC
Peering
Account D – Connected-to
VPC
Virtual private cloud
Availability Zone 1 Availability Zone 2
Security group Security group Security group
Security groupSecurity group
Security group
VPC
Availability Zone 1 Availability Zone 2
Virtual private cloud
In-scope
instances
Out-of-scope
resources

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS
AWS Account Network Layer

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation on AWS―application layer (layer 7)
Network isolation is by design (AWS responsibility)
Scoping = data driven
If two API endpoints exchange CHD, they are in scope, otherwise they are not
Segmentation = application driven
Application logic should ensure segmentation (because of abstraction)
Lowest segmentation boundary is an application logic

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reference architecture―API layer
Account E―CDEAccount D―Connected-to
VPC
Virtual private cloud
VPC
Virtual private cloud
Lambda function handling
CHD
Amazon Simple
Queue Service
(Amazon SQS)
Amazon
DynamoDB

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
1. Hybrid environments―scoping
PCI scope spread over on-premises data center and AWS Cloud
CDE
Connected
to/Security
Impacting
Corporate data center
Out of Scope
AWS Cloud
CDE
Connected
to/Security
Impacting
Out of Scope
Pro tip! For defense in depth use multiple layers of segmentation boundaries

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
2. Custom application APIs
Use Amazon API Gateway for segmentation between CDE resources and custom
APIs (non–PCI validated services)
Provides connection brokerage (it is like a jump host)
Pro tip! API Gateway provides additional security benefits such as custom
authentication & authorization, retrofitting to micro-services architecture, API life
cycle management, attaching a WAF

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
2. Segmentation using API Gateway
API Gateway*
Lambda
Other Supported
AWS
Services
Endpointon Amazon EC2/
AWS Elastic Beanstalk
Account E—CDE
PCI DSS In-Scope Systems
Custom
App1
Custom
App2
Corporate data center
AWS Cloud
VPC

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
3. Microservices—network layer segmentation
Amazon ECS—run containerized applications
Launch Type—Amazon EC2 instance, AWS Fargate
Amazon EC2 instance type—group into one or related clusters
Fargate type—group into one or related tasks
Use security groups for cluster and task isolation

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation control validation
PCI DSS requirement 11.3.4—perform penetration testing at-least annually (bi-
annually for service providers) and after any changes to segmentation controls.
Information Supplement: Penetration Testing Guidance
“It should verify that all out-of-scope LANs truly have no access to the CDE.”
“Each unique segmentation methodology should be tested to ensure that all security controls
are functioning as intended.”

41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation control validation on AWS
Segmentation
validation
AWS account
AWS network
(SDN)
AWS API
(abstracted
services)
Custom API
(non-PCI
validated)
Client
responsibility
Validation
procedure
Validated as part
of AWS PCI DSS
Level 1 service
provider
assessment
Validate security
group ACL through
network pen
testing
Validate
application logic
through
application pen
testing
Validate both
network and
application logic
isolation through
pen testing

42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Penetration testing on AWS—pointers
Make sure that you understand the AWS Acceptable Use Policy.
Review the AWS Vulnerability and Penetration Testing guidelines.
Customer Service Policy for Pen Testing
Tips for Security Testing
AWS Policy Regarding the Use of Security Assessment Tools and Services
AWS recommends vetting potential penetration testing vendors/third parties

43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Segmentation controls—life cycle management
Identify
Protect
DetectRespond
Recover
—
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Preventive, detective, and reactive controls
Have proactive security controls to prevent any unauthorized modification of the
segmentation controls
Make use of infrastructure as code,
automation, and enhanced alerting capabilities
Use automated response to fix deviations
PreventiveDirective
Detective Responsive
AWS CAF Security Perspective

46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Putting it all together
Scope
CDE

48. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Further reading
Whitepaper: Architecting for PCI DSS Scoping and Segmentation on AWS
(https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf)
Whitepaper: AWS Security Best Practices
(https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf)
Quick Start: Standardized Architecture for PCI DSS on the AWS Cloud
(https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html)
AWS Shared Responsibility Model
(https://aws.amazon.com/compliance/shared-responsibility-model/)

49. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Avik Mukherjee
mukavik@amazon.com
Aditya Patel
adityapa@amazon.com