
I am wondering how to comply with PCI DSS requirements (11.3) to test segmentation controls using penetration testing in AWS serverless architecture.

We are using components such as AWS Lambda, AWS API Gateway, AWS Cloudfront, etc., which are serverless, so there is no OS we can connect to and from which we can start penetration testing.

I was trying to read through the AWS documentation regarding PCI responsibilities, and there is no mention of segmentation controls. Also, the PCI guidance regarding cloud computing states that it is the client's responsibility to perform segmentation tests.

Does anyone have an idea how to comply with this in an AWS serverless architecture?

user1563721
  • You might find https://aws.amazon.com/compliance/pci-dss-level-1-faqs/ useful. Essentially, your QSA should be able to accept details from Amazon for their bits, and your bits need testing as the QSA specifies. Pen testing can still be performed without an OS - checking whether it's possible to bypass restrictions in functions, or seeing what the configuration for specific components is. – Matthew Jan 15 '19 at 13:26
  • Looks like explicit permission to run pen tests might have gone away: https://www.geekwire.com/2019/amazon-web-services-will-no-longer-require-security-pros-running-penetration-tests-cloud-based-apps-get-permission-first/ – Mike Dec 01 '19 at 21:51

2 Answers


Very interesting question.

In theory you could deploy your lambda into a VPC, and then your lambda exists on a network segment with other lambdas that are sensitive. But where are you storing your data, backing it up, logging your data? So many questions!

So yes, you'd probably need a pentest, or at least someone to take a long hard look at your serverless environment to ensure no data is leaking out.

Things like:

  • Is the lambda writing sensitive data out to cloudwatch logs?
  • Is Cloudfront caching any sensitive cardholder data? Do you have lambda@edge running there that might come in contact with sensitive cardholder data?
  • Are you backing up the data to S3 -- who has access to that S3 bucket?
  • Where are you storing data? In RDS, or DynamoDB or a traditional DB. Is that DB on the same network as the lambdas?
  • Are there any EC2 that are directly connected to/from the lambdas?

In order to run a penetration test on AWS, you need to first explicitly get their permission. Link here

keithRozario
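As an added example (not from the answer above or from AWS), here is a Python helper for two of the checks listed in that answer: it flags Lambda functions that are not attached to a VPC, and it scans exported CloudWatch log lines for Luhn-valid PANs. The function-configuration dicts and the log lines are constructed samples; the only assumption about the real API is that `get_function_configuration` returns `FunctionName` and `VpcConfig` fields in this shape.

```python
import re

# Constructed sample: two Lambda configuration dicts in the shape that boto3's
# lambda.get_function_configuration() returns (assumption: only these fields are used).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "checkout-handler",
     "VpcConfig": {"SubnetIds": ["subnet-aaa"], "SecurityGroupIds": ["sg-111"]}},
    {"FunctionName": "report-export",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
]

# Constructed sample CloudWatch log lines as a Lambda might emit them.
SAMPLE_LOG_LINES = [
    "START RequestId: 7f1c... Version: $LATEST",
    "INFO charging card 4111111111111111 for order 1234",
    "INFO order id 1234567890123 shipped",   # 13 digits but fails Luhn: not a PAN
    "INFO token tok_9f8e7d6c",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line):
    """Return digit runs in a log line that look like a PAN and pass the Luhn check."""
    hits = []
    for m in DIGIT_RUN.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Keep first six and last four digits (PCI DSS truncation), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def functions_outside_vpc(configs):
    """Names of functions with no subnet attachment, i.e. not on any segmented network."""
    return [c["FunctionName"] for c in configs if not c.get("VpcConfig", {}).get("SubnetIds")]

def scan_logs(lines):
    """Map line index -> masked PANs, for lines that leak cardholder data into logs."""
    return {i: [mask(p) for p in find_pans(line)] for i, line in enumerate(lines) if find_pans(line)}
```

Run `scan_logs` over a real log export from `aws logs` and `functions_outside_vpc` over the output of `list_functions` to get a first inventory of what a QSA would ask about; it is a scoping aid, not a replacement for the pen test itself.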

AWS should have a PCI audit document where it states the audited / certified requirements; you should then only need to comply with the remaining topics related to your piece of the landscape. In the end, both documents together should be equivalent to the full audit, just done in 2 or more steps.

If AWS has no such document, it means that they did not do any PCI audit, and it will be very hard for you to comply with all requirements.

This is similar to SOC controls or other types of audit requirements.

Hugo