Standardized Architecture for PCI DSS on AWS
Quick Start Reference Deployment Guide

Appendix: Enhancements in This AWS Enterprise Accelerator – Compliance Release

This is the second in a set of AWS Enterprise Accelerator – Compliance Quick Starts. AWS is constantly working to improve the design, ease of use, and security features of these solutions. This latest compliance Quick Start for PCI DSS includes the following security and compliance enhancements:

  • HTTPS load balancers with custom security policy using TLS and auto-generation of a self-signed certificate for testing purposes

  • Network access control list (ACL) rules for filtering ingress/egress traffic as an additional layer of network security

  • Security groups to limit both inbound and outbound traffic to only available ports and protocols

  • AWS Config rules automatically deployed for monitoring specific resources most relevant to compliance

  • Secure Amazon S3 policies for logging and application buckets, including custom lifecycle policies for archiving objects in Amazon Glacier and use of versioning

  • Custom CloudWatch alarms and notifications for specific security-related events in CloudTrail logging of root activity, IAM changes, and changes to logging policies

  • Simplified AWS CloudFormation templates that decouple components, including VPCs, to allow for easier modification and reuse

  • Reduced set of AWS CloudFormation parameter groups and labels to simplify console use during the deployment process

  • Elastic Load Balancing and Amazon S3 access logging enabled for the application layer

  • Deployment of a secured login bastion host for SSH access to Amazon EC2 instances within the architecture
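The CloudWatch alarms listed above are driven by metric filters over CloudTrail records. The classifier below, an added example and not code from the Quick Start's templates, mirrors that matching logic for the three event classes named (root activity, IAM changes, logging changes) and runs it over constructed sample records; the exact filter conditions and event-name sets are assumptions modelled on common CloudTrail metric-filter patterns.

```python
from typing import Optional

# Added example, not Quick Start code. Filter conditions are assumptions modelled
# on common CloudTrail metric-filter patterns; all sample records are constructed.
LOGGING_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def classify(record: dict) -> Optional[str]:
    """Return 'root_activity', 'iam_change', 'logging_change' or None."""
    identity = record.get("userIdentity", {})
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    # Root usage: type Root, not invoked by an AWS service, not a service event
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent"):
        return "root_activity"
    # IAM changes: mutating calls on the IAM control plane (Get/List are ignored)
    if source == "iam.amazonaws.com" and name.startswith(
            ("Create", "Delete", "Put", "Attach", "Detach", "Update", "Add", "Remove")):
        return "iam_change"
    # Changes to the trail itself, which would blind the other two alarms
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_CHANGE_EVENTS:
        return "logging_change"
    return None

def alarm_counts(records: list) -> dict:
    """Per-category match counts, as a metric filter would feed one alarm per category."""
    counts = {"root_activity": 0, "iam_change": 0, "logging_change": 0}
    for record in records:
        category = classify(record)
        if category:
            counts[category] += 1
    return counts

# Constructed sample records; field names follow the CloudTrail record format
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "Root"}, "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn"},
    {"userIdentity": {"type": "IAMUser"}, "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "eventType": "AwsApiCall"},
    {"userIdentity": {"type": "IAMUser"}, "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "eventType": "AwsApiCall"},
    {"userIdentity": {"type": "AssumedRole"}, "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "eventType": "AwsApiCall"},
    {"userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl", "eventType": "AwsApiCall"},
]

if __name__ == "__main__":
    print(alarm_counts(SAMPLE_RECORDS))  # {'root_activity': 1, 'iam_change': 1, 'logging_change': 1}
```

Note that a read-only IAM call and a root identity acting on behalf of an AWS service are deliberately left unmatched, so the alarms fire on genuine operator actions rather than routine noise.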