
If I have a VPC which is in-scope (the "PCI VPC") and another which is not (the "NON-PCI VPC"), would peering them bring the non-PCI VPC in-scope? Is there a way to avoid this?

I have an Aurora RDS inside the PCI VPC. It does not actually contain sensitive information, but is used by services which do. What is the best way to share this non-PCI data with the non-PCI VPC without inadvertently bringing that VPC into scope?

Options:

  1. Peer the VPCs (protected with SGs based on CIDR)
  2. Replicate the DB in the other VPC (it only needs read).
  3. Access the RDS via external endpoint
  4. ...?

I don't think any of these options are quite right, but I'm hoping you will correct me or suggest a better option.

schroeder

1 Answer


This is from the PCI-DSS guideline:

In order for a system to be considered out of scope, controls must be in place to provide reasonable assurance that the out-of-scope system cannot be used to compromise an in-scope system component, as the in-scope system could then be used to gain access to the CDE or impact security of the CDE. Examples of controls that could be applied to prevent out-of-scope systems from compromising a connected-to or security-impacting system include:

  • Host-based firewall and/or intrusion detection and prevention system (IDS/IPS) on in-scope systems that block connection attempts from out-of-scope systems.
  • Physical access controls that allow only designated users to access in-scope systems.
  • Logical access controls that permit only designated users to login to in-scope systems.
  • Multi-factor authentication on in-scope systems.
  • Restricting administrative access privileges to designated users and systems/networks.
  • Actively monitoring for suspicious network or system behavior that could indicate an out-of-scope system attempting to gain access to an in-scope system component or the CDE.

So in short, having peering isn't an issue as long as you have strong controls to segregate access to sensitive systems. If your RDS does not contain sensitive information but your PCI systems still need to read from the RDS, you can put rules in place so that your PCI-scoped systems can pull information from the RDS but the RDS itself cannot push information. If your RDS is not a CDE, then I suggest you move it out. Ideally you have three tiers of network, where one is your CDE, one is a middle ground for information exchange and one is your more "general" environment. This will make it easier for you to segregate and apply monitoring as well.

Lucas Kauffman