25

All the FAQs, documents and statements published by AWS aside, has any Level 1 merchant or service provider actually achieved PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS hadn't been cooperative when their other clients were trying to achieve compliance, and they had to go to Rackspace instead. The issues they ran into were:

  • AWS isn't providing an itemized list of the controls assessed in AWS' own PCI audit, making it impossible for the auditor to mark which items are covered off by AWS and which are the responsibility of the client
  • AWS isn't clarifying how the hypervisor was assessed and which tests were performed to ensure tenant isolation
Boris Slobodin

1 Answer

16

Amazon does have a Type II SAS 70 report. Requesting a detailed copy of that should show all the controls they have in place. It may be that people are asking Amazon the wrong questions. As a quick note, the SAS 70 testing in the future will be referred to as an SOC -- one of those accounting industry quirks.

Especially with an Amazon-sized company, one looks at the report, sees that it is reasonable, and declares that they have done due diligence. In very vague terms, Amazon and their PCI auditor then have some sort of fiduciary duty in the case of a whoopsie-daisy on their part.

See also:


Update: The relevant control objective for you as a client is this: 2.4 Hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: “PCI DSS Applicability for Hosting Providers.”

At least in my interpretation, Amazon principally has to deal with the four controls specified in A.1. There are many others that don't matter, and some that do. I don't know what your auditor is able to get, but as I understand it, without documentation in front of me, Amazon has passed without remark. That means they have been independently reviewed to meet all those objectives. With that in mind, the rest of the burden is on your company to meet everything else that's relevant to what is inside the instance.

Auditors aren't always right. You may find it worthwhile to engage another auditor. You may find I'm wrong (though I'm confident I've got this). At least you don't have this: https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

Jeff Ferland
  • 1
    From the top link I think this paragraph says it all: What this certification really does is eliminate any doubts that you are allowed to deploy an in-scope PCI system on AWS, and reduces your assessment scope to only your in-scope bits on AWS, not the entire service. This is a big deal, but your organization’s assessment scope isn’t necessarily reduced, as it might be when you move to something like a tokenization service where you reduce your handling of PAN data. – Ori Aug 01 '11 at 01:38
  • 1
    It would be nice to get a detailed copy of that Type II SAS 70 report. I've heard the same complaints from a PCI auditor I talked to - it's hard to know exactly what PCI parts can be relied on to have been taken care of in a manner that the PCI council will approve. – Nakedible Aug 01 '11 at 04:57
  • 1
    There's a whitepaper that covers the SAS 70 control objectives: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf and since Amazon's WS team is ISO 27001 you can infer some of them anyways. Further, they provide a nice set of whitepapers to go over: http://aws.amazon.com/security/ . In any case you're trusting them at some level; if it's a make or break you can always try getting a hold of someone in their customer relations department. In all likelihood that will probably take a higher level of support than just the basic tier, which won't be free. – Ori Aug 01 '11 at 05:39
  • 1
    I've read the whitepapers and so has the PCI auditor. They obviously do not describe the scope of their PCI audit fully in public documents. Also, it's not about trust, it's about liability for the auditor and getting the paperwork done right for the audit - and that needs something concrete to refer to. – Nakedible Aug 01 '11 at 06:40
  • 1
    @Jeff The controls in A.1. are *additional* requirements, as said in the title: "Requirement A.1: Additional PCI DSS Requirements for Shared Hosting Providers". The whole PCI DSS 2.0 is littered with requirements that need to be met by the hosting provider, not only the stuff in A.1. – Nakedible Aug 01 '11 at 19:31
  • 1
    @Nakedible Indeed, it actually says, "A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS," right in the test plan. I was too quick with skimming through and reading a lot that wasn't relevant. Updated. – Jeff Ferland Aug 01 '11 at 20:22