PCI compliance means adhering to the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements designed to protect cardholder data and so reduce fraud and data breaches in credit and payment card transactions.

Being PCI compliant on AWS means that both the cloud infrastructure provided by Amazon and the workloads customers run on that infrastructure meet the PCI DSS requirements for processing, storing, or transmitting cardholder data.

This is part of a series of articles about cloud compliance.


AWS PCI Compliance and the Shared Responsibility Model

PCI compliance on AWS operates under a shared responsibility model: both AWS and its customers have controls to implement. AWS is responsible for security “of” the cloud, which means protecting the infrastructure that runs all of the services offered in the AWS Cloud: physical security of data centers, hardware maintenance, and the virtualization layer. Customers are responsible for security “in” the cloud: their guest operating systems, platforms, applications, and data, including how they configure and use each AWS service.

For example, while AWS attests that the underlying hardware and managed services are secure and in scope of its own PCI DSS assessment, customers must configure their instances, data stores, and applications to meet PCI DSS requirements. A single customer misconfiguration, such as a bucket policy or ACL that makes an S3 bucket holding cardholder data publicly readable, leads to non-compliance even though the S3 service itself is compliant. AWS provides the tools and frameworks; implementing them correctly is the customer’s job.

The complexity grows with the breadth of services and configurations in use. AWS provides documentation, security controls, and compliant infrastructure, but customers must ensure that they implement these controls properly. This includes managing user access, encrypting cardholder data, patching, and keeping the cardholder data environment (CDE) segmented from the rest of the network. AWS’s attestation covers only AWS’s side of the model: the customer still needs its own PCI DSS assessment (a Self-Assessment Questionnaire or an on-site assessment by a Qualified Security Assessor, depending on merchant or service provider level), and the responsibility for achieving and maintaining compliance rests with the customer.

Which AWS Services Are PCI Compliant? 

The following AWS services are in scope of AWS’s PCI DSS attestation, as published by Amazon and current as of December 2023. The list is not exhaustive (AWS maintains the authoritative list on its Services in Scope page and in AWS Artifact), and using an in-scope service does not by itself make a workload compliant; the service still has to be configured to meet the requirements.

Compute: Amazon EC2, AWS Lambda, Amazon ECS, Amazon EKS, AWS Elastic Beanstalk
Storage: Amazon S3, Amazon EFS, Amazon FSx, AWS Backup, Amazon S3 Glacier
Database: Amazon RDS, Amazon DynamoDB, Amazon Redshift, Amazon DocumentDB, Amazon Neptune
Networking & Content Delivery: Amazon VPC, Elastic Load Balancing, Amazon CloudFront, AWS Direct Connect
Security, Identity, & Compliance: AWS IAM, AWS KMS, AWS Artifact, Amazon GuardDuty, AWS Security Hub
Management & Governance: AWS CloudTrail, AWS Config, AWS Control Tower, AWS Systems Manager
Analytics: Amazon Athena, Amazon EMR, Amazon QuickSight, AWS Glue
Machine Learning: Amazon SageMaker, Amazon Comprehend, Amazon Rekognition, Amazon Lex
Application Integration: Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions
Developer Tools: AWS CodeBuild, AWS CodeCommit, AWS CodePipeline, AWS Cloud9
End User Computing: Amazon WorkSpaces, Amazon AppStream 2.0
IoT: AWS IoT Core, AWS IoT Greengrass, AWS IoT SiteWise, AWS IoT Events
Media Services: AWS Elemental MediaConvert, AWS Elemental MediaLive, AWS Elemental MediaPackage
Migration & Transfer: AWS Migration Hub, AWS DataSync, AWS Transfer Family, AWS Application Migration Service
Customer Engagement: Amazon Connect, Amazon Pinpoint
Robotics: AWS RoboMaker
Satellite: AWS Ground Station
Blockchain: Amazon Managed Blockchain, Amazon QLDB

AWS PCI Tools to Help Your Compliance Strategy

AWS offers several tools that support a PCI compliance program. Each covers one slice of the customer’s responsibilities; none of them makes a workload compliant on its own.

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity. It analyzes data sources such as CloudTrail events, VPC Flow Logs, and DNS query logs using machine learning, anomaly detection, and integrated threat intelligence, and produces findings that flag potential threats: compromised credentials, unusual API calls, or instances talking to known-malicious hosts. GuardDuty detects threats rather than vulnerabilities, so it supports the PCI DSS monitoring and intrusion-detection requirements; it does not replace vulnerability scanning. Findings must still be routed to someone who triages them.

Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continuously scans EC2 instances, container images in Amazon ECR, and Lambda functions for known software vulnerabilities and unintended network exposure. For organizations subject to PCI DSS, Inspector’s findings help ensure that systems handling cardholder data are patched against known exploits and are not reachable in ways nobody intended. One caveat: Inspector does not satisfy the quarterly external vulnerability scans PCI DSS requires, which must be performed by an Approved Scanning Vendor (ASV).

AWS Artifact

AWS Artifact provides on-demand access to AWS’s compliance documentation and agreements, including the AWS PCI DSS Attestation of Compliance (AOC) and the PCI DSS Responsibility Summary, which spells out which requirements AWS covers and which remain with the customer. Customers download these reports to give their own assessor evidence for the AWS side of the shared responsibility model; the reports say nothing about how the customer has configured its own workloads.

Customer Responsibilities for Achieving PCI Compliance on AWS

Here are the primary customer responsibilities when deploying PCI-compliant systems on AWS.

1. Firewalls

Firewalls serve as a barrier between the cardholder data environment and untrusted networks, including the rest of your own estate. On AWS the firewall layer the customer owns consists of security groups (stateful, applied per instance or network interface), network ACLs (stateless, applied per subnet), and optionally AWS Network Firewall and AWS WAF in front of the CDE. Customers are responsible for configuring and maintaining these so that only explicitly authorized traffic is allowed: default-deny inbound, every permitted rule documented with a business justification, administrative ports never exposed to 0.0.0.0/0 or ::/0, and the rule set reviewed on a schedule. This is what PCI DSS’s network security control requirements expect, and it is also what keeps the rest of the account out of PCI scope.
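To make that responsibility concrete, here is an added example (not code from the original article and not an AWS tool) that audits security group ingress rules the way a pre-assessment check would. It works on constructed sample data shaped like the EC2 DescribeSecurityGroups response rather than calling the API, so it runs offline; the group IDs, names, and the assumption that only TCP port 443 may be internet-facing are illustrative choices.

```python
"""Audit security group ingress rules for internet-exposed services.

The SAMPLE_GROUPS data below is constructed for this example and mimics the
shape of the EC2 DescribeSecurityGroups response; it is not real account data.
"""
from ipaddress import ip_network

# Constructed sample: a CDE web tier group and a CDE database group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "cde-web",
        "IpPermissions": [
            # HTTPS from anywhere: acceptable for an internet-facing web tier.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # SSH from anywhere: an administrative port exposed to the internet.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "cde-db",
        "IpPermissions": [
            # Postgres only from the web tier's security group: not internet-facing.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
            # All protocols from the corporate range (fine) and from every IPv6 address (not fine).
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def is_world_reachable(cidr: str) -> bool:
    """True when a CIDR covers the whole IPv4 or IPv6 internet (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(perm: dict) -> str:
    """Human-readable protocol/port label for a permission entry."""
    if perm.get("IpProtocol") == "-1":          # "-1" means every protocol and port
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None:
        return f"{perm['IpProtocol']} all ports"
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def rule_allows_only(perm: dict, allowed_public_ports) -> bool:
    """True when a rule exposes nothing beyond the ports explicitly approved for the internet."""
    if perm.get("IpProtocol") == "-1":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:                  # e.g. ICMP types; treat as not approved
        return False
    return all(p in allowed_public_ports for p in range(lo, hi + 1))


def find_open_ingress(groups, allowed_public_ports=frozenset({443})):
    """Return (group id, ports, source CIDR) for every rule open to the whole internet
    on ports other than the approved public ones. Rules whose source is another
    security group (UserIdGroupPairs) are never internet-facing and are skipped."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if is_world_reachable(src) and not rule_allows_only(perm, allowed_public_ports):
                    findings.append((group["GroupId"], describe_ports(perm), src))
    return findings


if __name__ == "__main__":
    for group_id, ports, src in find_open_ingress(SAMPLE_GROUPS):
        print(f"{group_id}: {ports} open to {src}")
```

Against the sample it flags SSH on the web tier and the all-protocols IPv6 rule on the database group, and leaves the HTTPS rule and the group-to-group Postgres rule alone. To run it on a real account, pass the `SecurityGroups` list from `aws ec2 describe-security-groups` (or boto3’s `describe_security_groups()`) to `find_open_ingress`; the output is a starting point for the rule review, not a verdict, because a flagged rule may have a documented justification.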

2. Data Encryption

On AWS, customers must ensure that cardholder data is protected with strong cryptography both at rest and in transit, and that the primary account number is never stored in a readable form. At rest this means server-side encryption on S3, EBS, RDS and similar stores, preferably with customer-managed keys in AWS KMS (Key Management Service), which handles key storage, rotation, and access logging; the customer still has to decide who may use each key and enforce that only encrypted storage is accepted. In transit this means TLS 1.2 or later on every path that carries cardholder data, including paths between AWS services, with plaintext HTTP rejected rather than merely discouraged. AWS supplies the primitives; PCI DSS holds the customer responsible for the key management procedures around them.
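The two customer misconfigurations this section and the shared responsibility section warn about, a publicly readable bucket and cardholder data accepted over plaintext or without KMS encryption, are both visible in the S3 bucket policy. The following added example (not from the original article and not an AWS tool) lints a bucket policy for those three controls, showing a weak policy beside a hardened one. The bucket name and statement IDs are constructed for illustration; the Deny patterns themselves are the commonly documented `aws:SecureTransport` and `s3:x-amz-server-side-encryption` conditions.

```python
"""Lint an S3 bucket policy for public access, plaintext transport, and unencrypted uploads.

Both policies below are constructed for this example; the bucket name is fictional.
"""
import json

WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cde-bucket/*"}
  ]
}
""")

HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-cde-bucket", "arn:aws:s3:::example-cde-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-cde-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-cde-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")


def _as_list(value):
    """Policy fields such as Statement, Action and Principal values may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_allow_statements(policy):
    """Sids of Allow statements open to anyone and not narrowed by any Condition
    (a Condition such as aws:SourceVpce needs a human review rather than an automatic flag)."""
    return [s.get("Sid", "<no Sid>") for s in _statements(policy)
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


def denies_insecure_transport(policy):
    """True if some statement denies all S3 actions when aws:SecureTransport is false."""
    for s in _statements(policy):
        actions = _as_list(s.get("Action"))
        flag = str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower()
        if s.get("Effect") == "Deny" and flag == "false" and any(a in ("*", "s3:*") for a in actions):
            return True
    return False


def requires_kms_on_put(policy):
    """True only when PutObject is denied both for a non-KMS algorithm and for a request
    that omits the encryption header entirely; relying on StringNotEquals alone for the
    missing-header case is fragile, so the Null check is required as well."""
    wrong_algo = missing_header = False
    for s in _statements(policy):
        if s.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(s.get("Action")):
            continue
        cond = s.get("Condition", {})
        if cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption") == "aws:kms":
            wrong_algo = True
        if str(cond.get("Null", {}).get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            missing_header = True
    return wrong_algo and missing_header


def lint_bucket_policy(policy):
    """Return a list of human-readable findings; an empty list means all three controls are present."""
    findings = [f"statement {sid} grants access to everyone" for sid in public_allow_statements(policy)]
    if not denies_insecure_transport(policy):
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP is accepted)")
    if not requires_kms_on_put(policy):
        findings.append("PutObject without SSE-KMS is not denied")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_bucket_policy(policy) or ["ok"])
```

The weak policy produces all three findings; the hardened one produces none. The policy document is only one layer: the bucket-level Block Public Access settings and a default encryption configuration with a KMS key belong alongside it, and since S3 now encrypts new objects with SSE-S3 by default, the point of the Deny statements is to insist on the customer-managed KMS key rather than on encryption in general. To check a live bucket, feed the `Policy` string returned by `aws s3api get-bucket-policy` through `json.loads` and into `lint_bucket_policy`.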

3. User Authentication and Authorization

AWS customers must ensure that access controls allow only personnel with a business need to retrieve or process payment data. This means a unique identity for every user (no shared accounts), multi-factor authentication for all access to the CDE and for every console login, least-privilege IAM roles scoped to the specific resources each job needs rather than wildcard permissions, and no day-to-day use of the account root user. AWS provides IAM (Identity and Access Management), IAM Identity Center, and KMS key policies to express these rules, but customers are responsible for designing the role model, configuring it, and reviewing it periodically.

4. Monitoring and Logging

AWS customers must implement logging that records every access to cardholder data and every administrative action in the CDE, and must review those logs. AWS CloudTrail records management API calls by default, but object-level access to S3 (GetObject, PutObject) is only recorded if data events are enabled on the trail, so a trail that was never configured for them will not show who read a file of card numbers. Customers must also turn on CloudTrail log file validation so tampering with stored logs is detectable, protect the log bucket from the people it audits, and retain audit logs for at least twelve months with the most recent three months immediately available for analysis, as PCI DSS requires. Tools such as CloudWatch, GuardDuty, and Security Hub help with the review, but deciding what to alert on and who responds is the customer’s job.
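A log review only works if someone has written down what must be surfaced. The following added example (not from the original article and not an AWS tool) runs three such checks over constructed CloudTrail records in the JSON shape CloudTrail writes: access to the cardholder-data bucket by a principal outside the approved role, calls that weaken the audit trail, and any use of the root user. Account ID, bucket name, role name and IP addresses are invented for the example.

```python
"""Triage CloudTrail records for events a PCI DSS log review must surface.

SAMPLE_CLOUDTRAIL below is constructed for this example (one JSON record per line,
with the fields CloudTrail uses); it is not output from a real account. Note that the
S3 GetObject records only exist in real trails when data events are enabled.
"""
import json

SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2023-12-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/cde-batch/i-0abc"},"requestParameters":{"bucketName":"example-cde-bucket","key":"settlement/2023-12-01.csv"},"sourceIPAddress":"10.0.1.20"}
{"eventTime":"2023-12-01T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"bucketName":"example-cde-bucket","key":"settlement/2023-12-01.csv"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2023-12-01T10:07:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"name":"cde-trail"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2023-12-01T11:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"requestParameters":null,"sourceIPAddress":"198.51.100.9"}
{"eventTime":"2023-12-01T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/cde-batch/i-0abc"},"requestParameters":{"bucketName":"public-assets","key":"logo.png"},"sourceIPAddress":"10.0.1.20"}
"""

# CloudTrail API calls that reduce or disable the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_records(text):
    """Parse newline-delimited CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_allowed(arn, allowed_prefixes):
    """Assumed-role ARNs end in a session name, so approved principals are matched by prefix."""
    return any(arn.startswith(prefix) for prefix in allowed_prefixes)


def triage(records, cde_bucket, allowed_prefixes):
    """Return (eventTime, category, detail) tuples for records a reviewer must examine."""
    alerts = []
    for r in records:
        identity = r.get("userIdentity", {})
        who = identity.get("arn", "<unknown>")
        params = r.get("requestParameters") or {}   # CloudTrail writes null for some calls
        if identity.get("type") == "Root":
            alerts.append((r["eventTime"], "root-usage",
                           f"{r['eventName']} from {r['sourceIPAddress']}"))
        if r["eventName"] in LOGGING_TAMPER_EVENTS:
            alerts.append((r["eventTime"], "logging-tamper", f"{who} called {r['eventName']}"))
        if (r["eventSource"] == "s3.amazonaws.com" and params.get("bucketName") == cde_bucket
                and not principal_allowed(who, allowed_prefixes)):
            alerts.append((r["eventTime"], "unexpected-chd-access",
                           f"{who} {r['eventName']} {params.get('key')}"))
    return alerts


if __name__ == "__main__":
    approved = {"arn:aws:sts::123456789012:assumed-role/cde-batch/"}
    for when, category, detail in triage(parse_records(SAMPLE_CLOUDTRAIL), "example-cde-bucket", approved):
        print(f"{when} [{category}] {detail}")
```

On the sample, the batch role’s own reads and the read from the unrelated public-assets bucket are silent; the contractor’s read of the settlement file, the StopLogging call, and the root login each produce an alert. In a real deployment the same logic would run over the gzipped record files CloudTrail delivers to S3 (each file is a JSON object whose `Records` array holds these dicts) or over a CloudWatch Logs subscription, and the "logging-tamper" category is a good candidate for a deny-by-SCP control rather than an after-the-fact alert.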

5. AWS Organizations Management Account

What older material calls the AWS master account is now the management account of an AWS Organization, and a multi-account structure is the normal way to keep the CDE small and separately governed. Customers must design their account layout to segregate duties (the CDE in its own accounts, separate from development, logging, and shared services), limit the blast radius of a compromised credential, and manage resources consistently. The management account is used to apply service control policies (SCPs) across member accounts, for example to prevent anyone from disabling CloudTrail or leaving the organization, and to centralize logging and security findings; it should hold no workloads itself and its root credentials should be locked away, because it has authority over every account beneath it.

6. Virtual Private Cloud Peering

Virtual Private Cloud (VPC) peering connects two VPCs, in the same or different accounts and regions, so that resources can reach each other over the AWS network using private IP addresses; the connection is not transitive and traffic does not traverse the public internet. For PCI compliance the significance is that a peered VPC becomes part of the network connected to the CDE, so it either falls into scope or must be tightly restricted. Customers should peer only the VPCs that genuinely need access, restrict the route tables on both sides to the specific CIDRs required rather than whole VPC ranges, apply security groups and network ACLs on the CDE side as if the peer were untrusted, encrypt cardholder data in transit with TLS even across the peering link, and enable VPC Flow Logs so traffic over the connection is monitored and can be shown to an assessor.

The Cloud Native Experts
"The Cloud Native Experts" at Aqua Security specialize in cloud technology and cybersecurity. They focus on advancing cloud-native applications, offering insights into containers, Kubernetes, and cloud infrastructure. Their work revolves around enhancing security in cloud environments and developing solutions to new challenges.