Achieving Cloud Compliance with AWS
- August 31, 2017
As software engineers, we build products that belong to various domains. Regardless of the domain, the responsibility for securing our customers’ sensitive data rests on our shoulders. You could be running your product on-premises, you could be running it in the cloud, or maybe you are planning to migrate to the cloud. Whichever the case, customer data security is important.
Oftentimes, you must adhere to the regulatory compliance requirements inherent to specific product domains as well. For example, if you are in the e-commerce domain and handle users’ credit card information, you must be PCI DSS compliant. If you are in the healthcare domain, you probably have to be HIPAA compliant. Likewise, many regulatory compliance regimes exist in various domains.
If your product belongs to such a domain, you must adhere to the related compliance requirements. Failure to comply could lead to legal action and major penalties.
If your systems happen to be on the AWS cloud platform, you are lucky: AWS offers many services that make achieving compliance much easier. Have a look at the key AWS certifications and assurance programs in the figure below.
The rest of this post focuses on how AWS supports achieving PCI DSS (Payment Card Industry Data Security Standard) compliance for an e-commerce company. We will discuss how different AWS services are used to achieve it.
PCI DSS compliance must be implemented by all entities involved in processing, storing or transmitting credit/debit cardholder data. If your product accepts VISA, MasterCard, American Express and other credit/debit cards from customers to process payments, you must adhere to PCI DSS. Have a look at the PCI DSS reference guide. There are 12 major requirements in the PCI Data Security Standard. Under each major requirement there are many sub-requirements the customer has to satisfy. Download the PCI DSS standard published by the PCI Security Standards Council.
The first requirement mandates a firewall at each internet connection. Sounds difficult to implement? Well, it’s not.
AWS Services: We can make use of VPC, Security Groups, NACLs (network ACLs) and Config when architecting our product. Here is one way you can do it.
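As an added illustration of the Config-style check behind that firewall requirement (this is example code written for this page, not code from the original post or from AWS), here is a small Python audit that evaluates security-group ingress rules in the shape EC2 `describe_security_groups` returns and flags anything beyond TLS exposed to the whole internet. The `PUBLIC_OK_PORTS` policy, the function names and the sample groups are assumptions constructed for the example.

```python
"""Requirement-1 style audit of EC2 security group ingress rules; input
dicts follow the shape of EC2 describe_security_groups output."""
from ipaddress import ip_network

# Policy assumption for this example: only TLS may be open to the internet.
PUBLIC_OK_PORTS = {443}

def _is_internet(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    return ip_network(cidr, strict=False).prefixlen == 0

def _port_range(perm):
    """IpProtocol '-1' means all traffic on every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def audit_security_group(group):
    """Return human-readable findings for one security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        low, high = _port_range(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not _is_internet(cidr):
                continue  # internal source: not an internet connection
            if set(range(low, high + 1)) <= PUBLIC_OK_PORTS:
                continue  # only the allowed public port(s) are exposed
            findings.append(f"{group['GroupId']}: {cidr} may reach "
                            f"{perm['IpProtocol']} ports {low}-{high}")
    return findings

def evaluate(groups):
    """Map each GroupId to a Config-rule style verdict."""
    return {g["GroupId"]: "NON_COMPLIANT" if audit_security_group(g)
            else "COMPLIANT" for g in groups}

SAMPLE_GROUPS = [  # constructed sample data, not from a real account
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Running `evaluate(SAMPLE_GROUPS)` marks `sg-open` NON_COMPLIANT for the all-traffic and SSH rules and leaves the two tightly scoped groups COMPLIANT; the same logic can back a custom AWS Config rule fed from real `describe_security_groups` output.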
Sometimes we do this: we keep the default passwords/configurations supplied with the software at installation. This shouldn’t be done, as those configurations may not be optimal for your needs.
AWS Services: Use Amazon-supplied AMIs; they don’t contain default configurations.
This is about encrypting data at rest (data that is stored) to protect cardholder data.
AWS Services: Leverage AWS services that support encryption, such as EBS (Elastic Block Store), S3 encryption, KMS (Key Management Service) and RDS (Relational Database Service).
This is about encrypting data in transit (data that travels between hops).
AWS Services: ELB, Network ACLs, Security Groups, Customer Gateways, Virtual Private Gateways, VPN Connections, AWS Direct Connect
In terms of vulnerability management, AWS does not provide anti-malware for customer EC2 instances. AWS customers have to,
AWS Services: AMI, CloudTrail, CloudWatch, Config, CloudFormation, CodeCommit, CodeDeploy, CodePipeline
AWS Services: IAM, Directory Services
AWS Services: IAM
You don’t have to worry about this at all. According to the shared responsibility model, AWS manages and maintains its physical infrastructure and security. AWS covers this for you.
AWS Services: CloudTrail, CloudWatch, S3
Amazon’s Attestation of Compliance (AOC). AWS tests its systems annually for security vulnerabilities. Similarly, you have to test your system annually as well.
So far we have discussed how to achieve PCI DSS compliance on the AWS cloud. AWS itself is compliant with many cloud compliance programs, including PCI DSS, but to claim your product’s compliance you have to use the necessary services provided by AWS.
For more from Manoj, check out his blog over on Medium