Standardized Architecture for PCI DSS on AWS
Quick Start Reference Deployment Guide

Pre-Deployment Steps

Before you deploy the PCI DSS Quick Start templates, follow the instructions in this section to confirm that your account is set up correctly:

  • Review the service limits and service usage of your AWS account and request increases if required, to ensure that there is available capacity to launch resources in your account.

  • Ensure that your AWS account is set up with at least one SSH key pair (but preferably two separate key pairs) in the AWS Region where you plan to deploy, for use with the bastion login host and other Amazon EC2 hosts.

  • Ensure that you have manually set up AWS Config in the AWS Config console, if you are deploying into an AWS Region where AWS Config is available. AWS Config is currently available only in the regions listed in

Review AWS Service Limits

To review and (if necessary) increase service limits for the resources you need for the PCI Quick Start deployment, you use the AWS Trusted Advisor console and the Amazon EC2 console. You'll need the resources specified in the Technical Requirements table.

Use Trusted Advisor to view the existing service limits for Amazon VPC, IAM groups, and IAM roles within your account, and ensure that there is availability to deploy additional resources:

  1. Open the Trusted Advisor console at https://console.aws.amazon.com/trustedadvisor/.

  2. In the navigation pane, choose Performance.

  3. On the Performance page, scroll through the list of performance checks until you find Service Limits, and expand that section.

  4. Scroll through the service limit names and compare the Limit Amount column to the Current Usage column, to ensure that you can allocate the following without exceeding the default limit in the AWS Region you will deploy this Quick Start into (US East (N. Virginia) Region is recommended):

    • Two (2) more VPCs

    • Six (6) more IAM groups

    • Five (5) more IAM roles

    If an increase is needed, choose the limit name to open the limit increase request form shown in Figure 4.

    Figure 4: Requesting a service limit increase

Now use the Amazon EC2 console to check your limits for Elastic IP addresses, load balancers, and Auto Scaling groups:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under Network & Security, choose Elastic IPs.

  3. Count the number of allocated Elastic IPs (if any) displayed in the list, and ensure that you can allocate three (3) more without exceeding the default limit of 5 (or the limit increase you have previously requested).

  4. In the navigation pane, under Load Balancing, choose Load Balancers.

  5. Count the number of existing load balancers (if any) displayed in the list and ensure that you can create two (2) more without exceeding the default limit of 20 (or the limit increase you previously requested).

  6. In the navigation pane, under Auto Scaling, choose Auto Scaling Groups.

  7. Count the number of existing Auto Scaling groups (if any) displayed in the list and ensure that you can create two (2) more without exceeding the default limit of 20 (or the limit increase you previously requested).

Create Amazon EC2 Key Pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the AWS Region where you plan to deploy the Quick Start.

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Use the region selector in the navigation bar to choose the AWS region where you plan to deploy.

  3. In the navigation pane, under Network & Security, choose Key Pairs.

  4. In the key pair list, verify that at least one available key pair (but preferably two available key pairs) exists, and make note of the key pair name(s). You’ll need to provide a key pair name for the parameters pEC2KeyPairBastion (for bastion host login access) and pEC2KeyPair (for all other Amazon EC2 host login access) when you launch the Quick Start. Although you can use the same key pair for both parameters, we recommend that you use a different key pair for each.

    If you want to create a new key pair, choose Create Key Pair. For additional information, see the Amazon EC2 documentation.

    Figure 5: Creating a key pair

Note

If you’re deploying the Quick Start for testing or proof of concept, we recommend that you create a new key pair instead of specifying a key pair that’s already being used by a production instance.

Set up AWS Config

If AWS Config has not yet been initialized in the AWS Region where you plan to deploy this Quick Start, follow the steps below in that region.

  1. Open the AWS Config console at https://console.aws.amazon.com/config/.

  2. Use the region selector in the navigation bar to choose the AWS Region where you plan to deploy.

  3. In the AWS Config console, choose Get Started (or Get Started Now).

    Figure 6: AWS Config console

  4. On the Set up AWS Config screen, you may leave all default values in place, or make modifications as you see fit, and then choose Continue.

    Figure 7: AWS Config setup screen

  5. On the next screen, you are prompted to select or create an IAM role for AWS Config. You may leave all default values in place, or make modifications as you see fit, and then choose Allow.

    Figure 8: Specifying an IAM role for AWS Config

  6. On the Resource Inventory screen, you should now see Recording is on in the upper-right corner. This indicates that AWS Config is now active in this AWS Region.

    Figure 9: AWS Config activation
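As an added example (not part of the Quick Start or its templates), the three pre-deployment checks above, service-limit headroom, key pairs, and the AWS Config recorder, collected into one script so they can be repeated before every launch. It assumes the AWS CLI is installed with credentials for the target account; the EIP, load balancer and Auto Scaling limits default to the values quoted above, while the VPC limit of 5 is an assumed default that Trusted Advisor reports authoritatively.

```shell
#!/bin/sh
# Added example (not part of the Quick Start): pre-deployment checks that mirror
# the console steps above; check_* are pure, run_preflight uses the AWS CLI.

# check_capacity NAME CURRENT NEEDED LIMIT -> 0 if CURRENT+NEEDED fits in LIMIT
check_capacity() {
  if [ $(($2 + $3)) -le "$4" ]; then
    echo "OK    $1: $2 in use + $3 needed <= limit $4"
  else
    echo "LIMIT $1: $2 in use + $3 needed > limit $4 (request an increase)"
    return 1
  fi
}

# check_key_pairs [NAME...] -> 1 with no key pair; warns when only one exists,
# since distinct pEC2KeyPairBastion and pEC2KeyPair values are recommended
check_key_pairs() {
  [ $# -ge 1 ] || { echo "FAIL  no EC2 key pair in this region"; return 1; }
  if [ $# -ge 2 ]; then echo "OK    key pairs: $*"
  else echo "WARN  single key pair $1; a separate bastion key pair is advised"; fi
}

# check_config_recording STATUS -> 0 only when AWS Config reports recording=True
check_config_recording() {
  [ "$1" = "True" ] && { echo "OK    AWS Config is recording"; return 0; }
  echo "FAIL  AWS Config recorder status is '$1'; set up AWS Config first"
  return 1
}

# Live check for one region. Group/role quotas come from the IAM account
# summary; EIP/ELB/ASG defaults (5/20/20) are the ones the guide quotes; the
# VPC limit of 5 is an assumed default, so override it with what Trusted
# Advisor shows (VPC_LIMIT=... ./preflight.sh). Key names must not contain spaces.
run_preflight() {
  r=$1; rc=0
  q() { aws --region "$r" --output text "$@"; }
  check_capacity VPCs "$(q ec2 describe-vpcs --query 'length(Vpcs)')" 2 "${VPC_LIMIT:-5}" || rc=1
  check_capacity "IAM groups" "$(q iam get-account-summary --query SummaryMap.Groups)" 6 \
    "$(q iam get-account-summary --query SummaryMap.GroupsQuota)" || rc=1
  check_capacity "IAM roles" "$(q iam get-account-summary --query SummaryMap.Roles)" 5 \
    "$(q iam get-account-summary --query SummaryMap.RolesQuota)" || rc=1
  check_capacity "Elastic IPs" "$(q ec2 describe-addresses --query 'length(Addresses)')" 3 "${EIP_LIMIT:-5}" || rc=1
  check_capacity "Load balancers" "$(q elb describe-load-balancers --query 'length(LoadBalancerDescriptions)')" 2 "${ELB_LIMIT:-20}" || rc=1
  check_capacity "Auto Scaling groups" "$(q autoscaling describe-auto-scaling-groups --query 'length(AutoScalingGroups)')" 2 "${ASG_LIMIT:-20}" || rc=1
  check_key_pairs $(q ec2 describe-key-pairs --query 'KeyPairs[].KeyName') || rc=1
  check_config_recording "$(q configservice describe-configuration-recorder-status \
    --query 'ConfigurationRecordersStatus[0].recording')" || rc=1
  return $rc
}
```

Run it as `run_preflight us-east-1` after sourcing the file; a non-zero exit means at least one check printed LIMIT or FAIL.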