I am wondering how to comply with the PCI DSS requirement (11.3) to test segmentation controls using penetration testing in an AWS serverless architecture.
We are using components such as AWS Lambda, AWS API Gateway, AWS CloudFront, etc., which are serverless, so there is no OS we can connect to and from which we can start penetration testing.
I was trying to read through the AWS documentation regarding PCI responsibilities, and there is no mention of segmentation controls. Also, the PCI guidance regarding cloud computing says that it is the client's responsibility to perform segmentation tests.
Does anyone have an idea how to comply with this in an AWS serverless architecture?