Standardized Architecture for PCI DSS on AWS
PCI DSS Quick Start

Appendix: Enhancements in This Release

This is part of a set of compliance Quick Starts. AWS is constantly working to improve the design, ease of use, and security features of these solutions. This latest compliance Quick Start for PCI DSS includes the following security and compliance enhancements:

  • HTTPS load balancers with a custom TLS security policy, plus auto-generation of a self-signed certificate for testing purposes

  • Network access control list (ACL) rules for filtering ingress/egress traffic as an additional layer of network security

  • Security groups that restrict both inbound and outbound traffic to only the ports and protocols the architecture requires

  • AWS Config rules automatically deployed for monitoring specific resources most relevant to compliance

  • Secure Amazon S3 policies for logging and application buckets, including custom lifecycle policies for archiving objects in Amazon S3 Glacier and use of versioning

  • Custom CloudWatch alarms and notifications for specific security-related events recorded in CloudTrail: root account activity, IAM changes, and changes to logging policies

  • Simplified AWS CloudFormation templates that decouple components, including VPCs, to allow for easier modification and reuse

  • Reduced set of AWS CloudFormation parameter groups and labels to simplify console use during the deployment process

  • Elastic Load Balancing and Amazon S3 access logging enabled for the application layer

  • Deployment of a secured bastion host as the only SSH entry point to the Amazon EC2 instances within the architecture
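To make the CloudWatch alarm item above concrete, the following added example (not code from the Quick Start or from AWS) classifies CloudTrail records into the three event classes it names: root activity, IAM policy changes, and CloudTrail logging changes. The event-name sets are modelled on the CIS AWS Foundations Benchmark metric-filter patterns; the sample records are constructed, not real log data.

```python
"""Classify CloudTrail records into the alert classes listed above:
root activity, IAM policy changes, and CloudTrail logging changes."""
import json

# Event-name sets modelled on the CIS AWS Foundations Benchmark metric filters.
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
}
TRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def classify(event: dict) -> list:
    """Return the alert classes a single CloudTrail record triggers (may be empty)."""
    hits = []
    identity = event.get("userIdentity", {})
    # Root activity: the root user acted directly, not an AWS service acting on its behalf.
    if (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        hits.append("root_activity")
    if event.get("eventName") in IAM_POLICY_EVENTS:
        hits.append("iam_change")
    if event.get("eventName") in TRAIL_EVENTS:
        hits.append("logging_change")
    return hits


def scan(records: str) -> dict:
    """Scan newline-delimited CloudTrail JSON; map each alert class to the eventIDs that trigger it."""
    findings = {"root_activity": [], "iam_change": [], "logging_change": []}
    for line in records.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for cls in classify(event):
            findings[cls].append(event["eventID"])
    return findings


# Constructed sample records (not real log data), trimmed to the fields used above.
SAMPLE_RECORDS = """\
{"eventID": "e1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"}}
{"eventID": "e2", "eventName": "PutUserPolicy", "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser"}}
{"eventID": "e3", "eventName": "StopLogging", "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}}
{"eventID": "e4", "eventName": "DescribeInstances", "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}}
{"eventID": "e5", "eventName": "CreateTrail", "eventType": "AwsServiceEvent", "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}}
"""

if __name__ == "__main__":
    for cls, ids in scan(SAMPLE_RECORDS).items():
        print(f"{cls}: {ids}")  # e3 lands in two classes: root activity that stopped logging
```

Record e5 shows the caveat the root filter needs: a service acting on the root user's behalf (invokedBy present, eventType AwsServiceEvent) is not counted as direct root activity, while its trail change is still flagged.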