Standardized Architecture for PCI DSS on AWS
Quick Start Reference Deployment Guide

Planning the Deployment

Prerequisites

Specialized Knowledge

This Quick Start requires a moderate to high level of understanding of the processes for achieving and managing PCI DSS control requirements and compliance in a traditional hosting environment.

Additionally, this solution is targeted at Information Technology (IT) PCI DSS assessors and security personnel, and assumes familiarity with basic security concepts in the areas of networking, operating systems, data encryption, operational controls, and cloud computing services.

This deployment guide also requires a moderate level of understanding of AWS services and requires the following, at a minimum:

  • Access to a current AWS account with IAM administrator-level permissions

  • Basic understanding of AWS services, AWS service limits, and AWS CloudFormation

  • Knowledge of architecting applications on AWS

  • Understanding of security and compliance requirements in the customer organization

AWS offers training and certification programs to help you develop skills to design, deploy, and operate your infrastructure and applications on the AWS cloud. Whether you are just getting started or looking to deepen your technical expertise, AWS has a variety of resources to meet your needs. For more information, see the AWS Training and Certification website, or read the AWS Training and Certification Overview.

AWS Account

If you don’t already have an AWS account, create one at http://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Technical Requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail. For step-by-step configuration instructions, see the Pre-Deployment Steps section.

Resources

Resource                        Default            Used in this deployment (by default)
VPCs                            5 per region       2
EIPs                            5 per region       3
IAM groups                      100 per account    6
IAM roles                       250 per account    5
Amazon EC2 Auto Scaling groups  20 per region      2
ELB load balancers              20 per region      2

Regions

The AWS services used in this Quick Start exist in all commercial regions, but AWS Config rules, which are used for configuration enforcement, are currently available only in the regions listed in AWS Regions and Endpoints. If you require this capability, you must deploy in one of these regions until AWS Config rules become available more widely.

It is important to be aware of what is available in the region you choose to deploy in. To see the latest list of supported services per region, see AWS Regions and Endpoints in the AWS documentation. For information about service differences in AWS GovCloud (US), see Supported Services in the AWS GovCloud documentation.

AWS Config and AWS Config rules

If you deploy this Quick Start in an AWS region where AWS Config and AWS Config rules are available, the AWS CloudFormation template config-rules.template will attempt to automatically use the service. However, the deployment will fail if you have not previously manually set up AWS Config in that region. Before you deploy the Quick Start, navigate to the AWS Config console, and choose the Get Started Now button. Note that this feature is currently available only in the AWS Regions listed in AWS Regions and Endpoints.
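The two requirements above (quota headroom for the resources in the table, and an AWS Config recorder already set up in the target region) can be verified before launching the stack. The following pre-deployment check is an added example and is not part of the Quick Start or of AWS's own tooling. The default quotas and per-deployment counts are copied from the Resources table; the boto3 calls in `collect_in_use` and under `__main__` assume valid credentials, a target region, and read permissions for EC2, IAM, Auto Scaling, ELB and AWS Config, and they are kept separate from the pure checking functions so the logic can be exercised with constructed data.

```python
"""Pre-deployment checks for the PCI DSS Quick Start (added example, not AWS code).

Checks, from the "Technical Requirements" section:
  1. enough headroom under the default service quotas for the resources the
     templates create (counts taken from the Resources table);
  2. AWS Config is already set up in the target region, i.e. a configuration
     recorder exists and is recording, which config-rules.template requires.
"""
from dataclasses import dataclass

# Default quotas and per-deployment usage, as given in the Resources table.
DEFAULT_QUOTA = {"VPCs": 5, "EIPs": 5, "IAM groups": 100, "IAM roles": 250,
                 "Auto Scaling groups": 20, "ELB load balancers": 20}
REQUIRED = {"VPCs": 2, "EIPs": 3, "IAM groups": 6, "IAM roles": 5,
            "Auto Scaling groups": 2, "ELB load balancers": 2}


@dataclass
class Shortfall:
    resource: str
    quota: int
    in_use: int
    required: int

    @property
    def headroom(self) -> int:
        return self.quota - self.in_use


def quota_shortfalls(in_use: dict, quota: dict = DEFAULT_QUOTA,
                     required: dict = REQUIRED) -> list:
    """Return the resources whose remaining quota cannot absorb the deployment."""
    out = []
    for name, need in required.items():
        used = in_use.get(name, 0)
        limit = quota[name]
        if limit - used < need:
            out.append(Shortfall(name, limit, used, need))
    return out


def config_recorder_ready(recorders: list, statuses: list) -> bool:
    """True when at least one Config recorder exists and is recording.

    `recorders` and `statuses` have the shape of the ConfigurationRecorders /
    ConfigurationRecordersStatus lists returned by the AWS Config API.
    """
    names = {r["name"] for r in recorders}
    return any(s.get("name") in names and s.get("recording") for s in statuses)


def collect_in_use(region: str) -> dict:
    """Gather live counts with boto3 (assumes credentials; not used in tests)."""
    import boto3  # imported here so the pure checks work without boto3
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    asg = boto3.client("autoscaling", region_name=region)
    elb = boto3.client("elb", region_name=region)

    def count_pages(client, op, key):
        # IAM list calls paginate, so a single call could under-count.
        return sum(len(page[key]) for page in client.get_paginator(op).paginate())

    return {
        "VPCs": len(ec2.describe_vpcs()["Vpcs"]),
        # describe_addresses returns EC2-Classic and VPC addresses alike.
        "EIPs": len(ec2.describe_addresses()["Addresses"]),
        "IAM groups": count_pages(iam, "list_groups", "Groups"),
        "IAM roles": count_pages(iam, "list_roles", "Roles"),
        "Auto Scaling groups": count_pages(asg, "describe_auto_scaling_groups",
                                           "AutoScalingGroups"),
        "ELB load balancers": count_pages(elb, "describe_load_balancers",
                                          "LoadBalancerDescriptions"),
    }


if __name__ == "__main__":
    import sys
    import boto3
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"  # assumed default
    problems = quota_shortfalls(collect_in_use(region))
    for p in problems:
        print(f"{p.resource}: quota {p.quota}, in use {p.in_use}, "
              f"headroom {p.headroom} < required {p.required}")
    cfg = boto3.client("config", region_name=region)
    ready = config_recorder_ready(
        cfg.describe_configuration_recorders()["ConfigurationRecorders"],
        cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"])
    print("AWS Config recorder ready:", ready)
    sys.exit(0 if ready and not problems else 1)
```

Run it with the target region as the only argument; a non-zero exit means either a quota would be exceeded or AWS Config has not been started in that region, both of which the text above names as causes of a failed deployment.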

Amazon S3 URLs

If you’re copying the templates to your own S3 bucket for deployment, make sure that you update the Resources section of the main.template file with a valid and accessible URL. Otherwise, deployment will fail.

IAM permissions

To deploy the Quick Start using the console, you must be logged in to the AWS Management Console with IAM permissions for the resources and actions the templates will deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.

S3 buckets

Unique S3 bucket names are automatically generated based on the account number and region. If you delete a stack, the logging buckets are not deleted (to support security review). If you plan to re-deploy this Quick Start in the same region, you must first manually delete the previously created S3 buckets; otherwise, the re-deployment will fail.

Deployment Methods

You can deploy the Quick Start templates by using AWS CLI commands or directly from the AWS Management Console. You can also deploy the template package as an AWS Service Catalog product. AWS Service Catalog enables a self-service model for deploying applications and architecture on AWS. You can create portfolios that include one or more products, which are defined by AWS CloudFormation templates. You can grant IAM users, groups, or roles access to specific portfolios, which they can then launch from a separate interface. We’ve provided step-by-step instructions for the AWS Management Console deployment option in the following sections.