Deployment Steps - Standardized Architecture for PCI DSS on the AWS Cloud

Deployment Steps

Follow the step-by-step instructions in this section to sign in to your AWS account, customize the Quick Start templates, and deploy the software into your account.

What We’ll Cover

The procedure for deploying the Quick Start architecture on AWS consists of the following steps, which we’ll cover in detail in the following sections.

Step 1. Sign in to your AWS account

  • Sign in to your AWS account, and make sure that it’s configured correctly.

Step 2. Launch the stacks

  • Launch the main AWS CloudFormation template into your AWS account.

  • Enter values for required parameters.

  • Review the other template parameters, and customize their values if necessary.

Step 3. Test your deployment

  • Use the URL provided on the Outputs tab for the main stack to test the deployment.

  • Use the IP address for the bastion host provided by the Outputs tab for the main stack, and use your private key if you want to connect to that host through SSH.

Step 1. Sign in to Your AWS Account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the appropriate privileges (see IAM Permissions earlier in this document).

  2. Make sure that your AWS account is configured correctly. See the Technical Requirements and Pre-Deployment Steps sections for information. Note that if you plan to use an AWS Region with the AWS Config capability, you must first set up the AWS Config service manually by following the instructions in the previous section.

  3. Use the Region selector in the navigation bar to choose the AWS Region where you want to deploy the PCI DSS architecture on AWS.

    Amazon EC2 locations are composed of Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. This Quick Start uses the m4.large instance type for the WordPress and NGINX portion of the deployment. The AWS Config rules service is currently available only in the AWS Regions listed on the endpoints and quotas webpage.

    Tip

    Consider choosing a Region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network. If you plan to use the optional AWS Config rules capability, you must choose one of the Regions listed on the endpoints and quotas webpage.

  4. Select the key pair that you created earlier. In the navigation pane of the Amazon EC2 console, choose Key Pairs, and then choose the key pair from the list.

Step 2. Launch the Stacks

For best results, launch the main template first, and then launch the other templates that you want, in order. Centralized logging includes two templates. Launch the primary template first, in your preferred account, and then launch the additional template from any other accounts you want to forward logs from.

Main Template

This automated AWS CloudFormation template deploys the Quick Start architecture into multiple Availability Zones in VPCs. Please review the technical requirements and pre-deployment steps before launching the stacks.

  1. Launch the main AWS CloudFormation template into your AWS account.

    
    PCI Quick Start main template launch button

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the console. You can change the Region by using the Region selector in the navigation bar.

    If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region.

    The stacks take approximately 8 minutes to create.

    Note

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service you will be using in this Quick Start or the AWS Pricing Calculator. Prices are subject to change.

    You can also download the template to use it as a starting point for your customization.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the required parameter values for the template. These are described in the following table.

    VPC configuration:

    Label | Parameter | Default | Description
    Instance tenancy | VPCTenancy | default | The tenancy attribute for the instances launched into the VPC. By default, all instances in the VPC run as shared-tenancy instances. Choose dedicated to run them as single-tenancy instances instead. If unsure, leave as default.
    First Availability Zone | AvailabilityZoneA | Requires input | The name of Availability Zone 1.
    Second Availability Zone | AvailabilityZoneB | Requires input | The name of Availability Zone 2. This must be different from the name of the first Availability Zone.

    Amazon EC2 configuration:

    Label | Parameter | Default | Description
    Existing SSH key for the bastion instance | EC2KeyPairBastion | Requires input | The SSH key pair in your account to use for the bastion host login. This is one of the keys that you created in the pre-deployment steps.
    Existing SSH key for other instances | EC2KeyPair | Requires input | The SSH key pair in your account to use for all other EC2 instance logins. This is one of the keys that you created in the pre-deployment steps.

    IAM password policy:

    Label | Parameter | Default | Description
    Maximum password age | MaxPasswordAge | 90 | Maximum age for passwords, in days.
    Minimum password length | MinPasswordLength | 7 | Minimum password length.
    Previous passwords retained | PasswordHistory | 4 | Number of previous passwords to remember, to prevent password reuse.
    Lowercase characters required | RequireLowercaseChars | True | Password requirement of at least one lowercase character.
    Uppercase character required | RequireUppercaseChars | True | Password requirement of at least one uppercase character.
    Number required | RequireNumbers | True | Password requirement of at least one number.
    Symbol required | RequireSymbols | True | Password requirement of at least one nonalphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ').

    Database configuration:

    Label | Parameter | Default | Description
    Database user name | DBUsername | admin | User name for connecting to the DB instance.
    Database password | DBPassword | Requires input | Password for connecting to the DB instance.

    AWS Quick Start configuration:

    Label | Parameter | Default | Description
    Quick Start S3 bucket name | QSS3BucketName | aws-quickstart | S3 bucket name for the Quick Start assets. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
    Quick Start S3 key prefix | QSS3KeyPrefix | quickstart-compliance-pci/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If you are unsure, do not change this value.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. You can use the tags to organize and control access to resources in the stacks. These are not required. When you’re done, choose Next.

  5. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the capability to auto-expand macros.

    

    Figure 10: Resource acknowledgement

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status is CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. You should see multiple nested stacks deployed.

Centralized Logging Template

The primary centralized logging AWS CloudFormation template deploys the logging architecture in a single account. An additional centralized logging template can be used to forward logs from other accounts to the central log account. Before launching the stacks, review the technical requirements and pre-deployment steps.

  1. Launch the primary centralized logging AWS CloudFormation template into your AWS account.

    
    PCI Quick Start centralized logging template launch button

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the console. You can change the Region by using the Region selector in the navigation bar.

    If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region.

    The primary logging stack takes approximately 20 minutes to create.

    You can also download the template to use it as a starting point for your customization.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the required parameter values for the template. These are described in the following table.

    Amazon ES configuration:

    Label | Parameter | Default | Description
    Amazon ES domain name | DOMAINNAME | pcicentralizedlogging | Name for the Amazon ES domain that this template will create. Domain names must start with a lowercase letter and must be between 3 and 28 characters. Valid characters are a-z (lowercase only) and 0-9.
    Amazon ES domain admin email address | DomainAdminEmail | esdomainadmin@example.com | Email address of the administrator for the Amazon ES domain. Alerts will be sent to this email address.
    Cluster size | ClusterSize | Small | Amazon ES cluster size. Choose Small (4 data nodes), Medium (6 data nodes), Large (8 data nodes), or xLarge (10 data nodes).
    Additional log account | ProdAccount | Optional | Additional account ID for which you want to allow centralized logging (e.g., Production).
    Additional log account | TestAccount | Optional | Additional account ID for which you want to allow centralized logging (e.g., Test).
    Additional log account | DevAccount | Optional | Additional account ID for which you want to allow centralized logging (e.g., Develop).

    Amazon Cognito configuration:

    Label | Parameter | Default | Description
    Amazon Cognito admin email address | CognitoAdminEmail | cognitoadmin@example.com | Email address of the Amazon Cognito admin.

    Central logging S3 bucket name:

    Label | Parameter | Default | Description
    S3 bucket name for CloudTrail logging | BucketName | Requires input | The name of a new S3 bucket for logging CloudTrail events. The name must be globally unique and must be in lowercase letters.

    AWS Config:

    Label | Parameter | Default | Description
    AWS Config | DeployConfigRule | No Config | Deployment of AWS Config. Choose Yes Config to deploy AWS Config. This requires that you set up a configuration recorder in the pre-deployment steps.
    Required tag key | RequiredTagKey | Optional | Tag key to use with the Amazon EC2/Amazon EBS REQUIRED_TAGS rule. (Optional; leave blank to ignore or if you are not deploying AWS Config.)

    AWS Quick Start configuration:

    Label | Parameter | Default | Description
    Quick Start S3 bucket name | QSS3BucketName | aws-quickstart | S3 bucket name for the Quick Start assets. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
    Quick Start S3 key prefix | QSS3KeyPrefix | quickstart-compliance-pci/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If you are unsure, do not change this value.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. You can use the tags to organize and control access to resources in the stacks. These are not required. When you’re done, choose Next.

  5. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the capability to auto-expand macros.

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status field displays CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks listed (for the main template and seven nested templates).

  8. If using the additional account template to forward logs from another account, follow the same steps to launch the template, filling in the following parameters.

    Amazon ES configuration:

    Label | Parameter | Default | Description
    Amazon ES endpoint | ESDomain | Requires input | Amazon ES endpoint for centralized logging (remove https://).
    Central log account ID | CentralLogAcct | Requires input | AWS account ID for the central logging account (12 digits).
    Master account role | MasterRole | Requires input | IAM role Amazon Resource Name (ARN) for cross-account log indexing. Use the value that is provided in the centralized logging template outputs.
    Cluster size | ClusterSize | Small | Amazon ES cluster size, as deployed in the primary account.

    Central logging S3 bucket:

    Label | Parameter | Default | Description
    Central S3 log bucket name | S3BucketName | Requires input | S3 bucket for central log storage, created in the primary log account.

  1. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. You can use the tags to organize and control access to resources in the stacks. These are not required. When you’re done, choose Next.

  2. On the Review page, review the settings and select the acknowledgement check box. This states that the template will create IAM resources.

  3. Choose Create to deploy the stack.

  4. Monitor the status of the stack being deployed. When the status is CREATE_COMPLETE, the cluster for this reference architecture is ready.

Database Template

This automated AWS CloudFormation template deploys the database architecture in the Production VPC. It includes the deployment of Secrets Manager and a customer master key (CMK).

Note

The database password is maintained within Secrets Manager with PCI-compliant complexity, length, and expiration and rotation.

  1. Launch the Database AWS CloudFormation template into your AWS account.

    
    PCI Quick Start database template launch button

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the console. You can change the Region by using the Region selector in the navigation bar.

    If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region.

    You can also download the template to use it as a starting point for your customization.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the seven required parameter values for the template. These are described in the following table.

    Availability Zone selection:

    Label | Parameter | Default | Description
    First Availability Zone for Aurora | RegionAZ1Name | Requires input | The name of the first Availability Zone where you will deploy the Aurora database cluster.
    Second Availability Zone for Aurora | RegionAZ2Name | Requires input | The name of the second Availability Zone where you will deploy the Aurora database cluster.

    Network configuration (existing VPC):

    Label | Parameter | Default | Description
    CIDR for Aurora database | ProductionCIDR | 10.100.0.0/16 | CIDR range to allow input into the database.
    VPC ID for Aurora database | ProductionVPC | Requires input | ID of the VPC where you will deploy the Aurora
    First private database subnet for Aurora | DBPrivateSubnetA | Requires input | The ID of the first private subnet in your Production VPC.
    Second private database subnet for Aurora | DBPrivateSubnetB | Requires input | The ID of the second private subnet in your Production VPC.

    Database configuration:

    Label | Parameter | Default | Description
    Aurora database name | DBName | Requires input | The name of the Aurora database.
    Aurora database user | DBUser | Requires input | The user name for the database administrator of the Aurora database.
    Aurora database password | DBPassword | Requires input | Password for the database instance.
    Centralized logging bucket | CentralLogBucket | Optional | The S3 bucket to send Aurora audit logs to. This can be the bucket that you created when you launched the centralized logging template.

    AWS Quick Start configuration:

    Label | Parameter | Default | Description
    Quick Start S3 bucket name | QSS3BucketName | aws-quickstart | S3 bucket name for the Quick Start assets. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
    Quick Start S3 key prefix | QSS3KeyPrefix | quickstart-compliance-pci/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If you are unsure, do not change this value.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. You can use the tags to organize and control access to resources in the stacks. These can be left alone. When you’re done, choose Next.

  5. On the Review page, review the settings and select the acknowledgement check box. This states that the template will create IAM resources.

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status field displays CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks listed (for the main template and seven nested templates).

Web Application Template

This automated AWS CloudFormation template deploys a web application architecture, including a nested AWS WAF template. Please review the technical requirements and pre-deployment steps before launching the stacks.

  1. Launch the Web Application AWS CloudFormation template into your AWS account.

    
    PCI Quick Start web application template launch button

    The template will be deployed into the AWS Region that appears in the navigation bar at the upper-right corner of the console. You can change the Region by using the Region selector in the navigation bar.

    If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region.

    The stacks take approximately 10 minutes to create.

    You can also download the template to use it as a starting point for your customization.

  2. On the Select Template page, keep the default settings for the template URL, and then choose Next.

  3. On the Specify Details page, provide the seven required parameter values for the template. These are described in the following table.

    Availability Zone selection:

    Label | Parameter | Default | Description
    First Availability Zone for deployment | AvailabilityZoneA | Requires input | The name of the first Availability Zone where you will deploy the web application architecture.
    Second Availability Zone for deployment | AvailabilityZoneB | Requires input | The name of the second Availability Zone where you will deploy the web application architecture.

    Network configuration:

    Label | Parameter | Default | Description
    Management VPC CIDR | ManagementCIDR | 10.10.0.0/16 | CIDR range or IP address to allow access to the web application servers.
    Production VPC CIDR | ProductionCIDR | 10.100.0.0/16 | VPC CIDR for the web application deployment. This can be the production VPC CIDR from the main template.
    Production VPC ID | ProductionVPC | Requires input | ID of the Production VPC, where the web application architecture will be deployed.
    First public subnet ID | DMZSubnetA | Requires input | The ID of the first public subnet where the proxy servers will be deployed in the Production VPC.
    Second public subnet ID | DMZSubnetB | Requires input | The ID of the second public subnet where the proxy servers will be deployed in the Production VPC.
    First private subnet ID | AppPrivateSubnetA | Requires input | The ID of the first private subnet where the application servers will be deployed in the Production VPC.
    Second private subnet ID | AppPrivateSubnetB | Requires input | The ID of the second private subnet where the application servers will be deployed in the Production VPC.

    Logging configuration:

    Label | Parameter | Default | Description
    Centralized logging bucket for AWS WAF logs | CentralLogBucket | Requires input | The S3 bucket to send AWS WAF logs to. This bucket should already exist and can be the same bucket from the centralized logging template.
    Log storage location | WAFlogging | Amazon S3 Only | The storage location for AWS WAF logs. Choose Amazon Elasticsearch_S3 to have AWS WAF logs streamed to Amazon ES (current Region) and your central logging bucket.

    Amazon ES configuration:

    Label | Parameter | Default | Description
    Amazon ES cluster | ESClusterARN | Optional input | (If Amazon Elasticsearch_S3 is chosen for the WAFlogging parameter) The Amazon Resource Name (ARN) of the Amazon ES domain that Kinesis Data Firehose delivers data to. The cluster must be in the same account and Region.

    Amazon EC2 configuration:

    Label | Parameter | Default | Description
    Existing SSH key | EC2KeyPair | Requires input | The SSH key pair in your account to use for all other EC2 instance logins.

    Database configuration:

    Label | Parameter | Default | Description
    Aurora database name | DBName | Requires input | The name of the Aurora database.
    Aurora database user | DBUser | Requires input | The user name for the database administrator of the Aurora database.
    Aurora database password | DBPassword | Requires input | Password for the database instance.

    AWS Quick Start Configuration:

    Label | Parameter | Default | Description
    Quick Start S3 bucket name | QSS3BucketName | aws-quickstart | S3 bucket name for the Quick Start assets. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
    Quick Start S3 key prefix | QSS3KeyPrefix | quickstart-compliance-pci/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). If you are unsure, do not change this value.

  4. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. You can use the tags to organize and control access to resources in the stacks. These can be left alone. When you’re done, choose Next.

  5. On the Review page, review the settings and select the acknowledgement check boxes. The first states that the template will create IAM resources. The second has to do with a stack template containing macros to perform custom processing on a template and requires acknowledgement that this processing will occur.

  6. Choose Create to deploy the stack.

  7. Monitor the status of the stack being deployed. When the status field displays CREATE_COMPLETE for all the stacks deployed, the cluster for this reference architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks listed (for the main template and seven nested templates).
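In practice the parameter values for these templates are usually prepared in a file and passed to the AWS CLI rather than typed into the console one launch at a time. The following added example is not part of the Quick Start; it encodes the constraints stated in the parameter tables of the main, centralized logging, database and web application templates above (distinct Availability Zones, the QSS3BucketName and QSS3KeyPrefix character rules, the DOMAINNAME naming rules, 12-digit account IDs, lowercase S3 bucket names, an ESDomain value without the https:// scheme) and emits the list shape that aws cloudformation create-stack --parameters accepts. The refusal of 0.0.0.0/0 for ManagementCIDR is this example's own check, and every value in the sample dictionary (AZ names, key pair name, VPC ID, bucket name, CIDRs) is a constructed placeholder.

```python
"""Pre-flight check of Quick Start parameter values before launching the stacks.

Added example, not part of the Quick Start. The rules encode the constraints stated in
the parameter tables; the 0.0.0.0/0 refusal for ManagementCIDR and the sample values
are this example's own additions.
"""
import ipaddress
import json
import re

# Character rules from the QSS3BucketName, QSS3KeyPrefix and DOMAINNAME descriptions.
QSS3_BUCKET_RE = re.compile(r"^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$")
QSS3_PREFIX_RE = re.compile(r"^[0-9a-zA-Z-/]*$")
ES_DOMAIN_RE = re.compile(r"^[a-z][a-z0-9]{2,27}$")  # lowercase first char, 3-28 chars total
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")

AZ_PAIRS = (("AvailabilityZoneA", "AvailabilityZoneB"), ("RegionAZ1Name", "RegionAZ2Name"))
ACCOUNT_KEYS = ("ProdAccount", "TestAccount", "DevAccount", "CentralLogAcct")
BUCKET_KEYS = ("BucketName", "S3BucketName", "CentralLogBucket")


def check_cidr(value, allow_any=False):
    """Return a problem string or None. 0.0.0.0/0 is refused unless allow_any is set."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"not a valid CIDR range or IP address: {value!r}"
    if net.prefixlen == 0 and not allow_any:
        return "0.0.0.0/0 would open the admin allow list to the whole Internet"
    return None


def validate(params):
    """Return a list of problems for a dict of ParameterKey -> ParameterValue (empty if clean)."""
    problems = []
    for a, b in AZ_PAIRS:
        if a in params and b in params and params[a] == params[b]:
            problems.append(f"{a} and {b} must name different Availability Zones")
    v = params.get("QSS3BucketName")
    if v is not None and not QSS3_BUCKET_RE.match(v):
        problems.append("QSS3BucketName: letters, digits and hyphens only; no leading or trailing hyphen")
    v = params.get("QSS3KeyPrefix")
    if v is not None and not QSS3_PREFIX_RE.match(v):
        problems.append("QSS3KeyPrefix: letters, digits, hyphens and forward slashes only")
    v = params.get("DOMAINNAME")
    if v is not None and not ES_DOMAIN_RE.match(v):
        problems.append("DOMAINNAME: start with a lowercase letter, 3-28 chars, a-z and 0-9 only")
    for key in ACCOUNT_KEYS:
        if params.get(key) and not ACCOUNT_ID_RE.match(params[key]):
            problems.append(f"{key}: AWS account IDs are 12 digits")
    v = params.get("ESDomain")
    if v is not None and v.lower().startswith("https://"):
        problems.append("ESDomain: give the endpoint without the https:// prefix")
    for key in BUCKET_KEYS:
        if params.get(key) and params[key] != params[key].lower():
            problems.append(f"{key}: S3 bucket names must be lowercase")
    if "ManagementCIDR" in params:
        err = check_cidr(params["ManagementCIDR"])
        if err:
            problems.append(f"ManagementCIDR: {err}")
    if "ProductionCIDR" in params:
        err = check_cidr(params["ProductionCIDR"], allow_any=True)
        if err:
            problems.append(f"ProductionCIDR: {err}")
    return problems


def to_cli_parameters(params):
    """Shape the dict into the list `aws cloudformation create-stack --parameters` accepts."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]


if __name__ == "__main__":
    # Constructed sample values for the web application template; AZ names, key pair name,
    # VPC ID, bucket name and CIDRs are placeholders, not values from a real deployment.
    sample = {
        "AvailabilityZoneA": "us-east-1a",
        "AvailabilityZoneB": "us-east-1b",
        "ManagementCIDR": "203.0.113.10/32",  # a single admin host, not 0.0.0.0/0
        "ProductionCIDR": "10.100.0.0/16",
        "ProductionVPC": "vpc-PLACEHOLDER",
        "CentralLogBucket": "example-central-logs",
        "WAFlogging": "Amazon S3 Only",
        "EC2KeyPair": "pci-instance-key",
        "QSS3BucketName": "aws-quickstart",
        "QSS3KeyPrefix": "quickstart-compliance-pci/",
    }
    for problem in validate(sample):
        print("PROBLEM:", problem)
    # Save this output as params.json and pass it with --parameters file://params.json.
    # Add DBPassword from a secret store at launch time rather than as a literal here.
    print(json.dumps(to_cli_parameters(sample), indent=2))
```

The validator only looks at keys that are present, so the same function serves every template's parameter set; keys it does not know about (VPC and subnet IDs, key pair names, email addresses) pass through unchecked.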

Step 3. Test Your Deployment

Main Template

After the deployment has completed, note the bastion host public IP address from the Outputs tab.


Figure 11: Bastion host IP address (shown in the Value column on the Outputs tab)

Select the nested templates, such as the Management VPC template, and view the resources that were created.


Figure 12: Management VPC resources (Resources tab for the Management VPC template)

Centralized Logging Template

After the deployment has completed, view the Outputs tab and note the Amazon ES domain endpoint, S3 bucket, and the login URL for the Kibana dashboard.


Figure 13: Centralized logging outputs (DomainEndpoint, CentralLogBucket, and KibanaLoginURL in the Value column on the Outputs tab)

To log in to the Kibana dashboard, use the temporary password that was sent to your email address.

  1. After you are signed in, in the left navigation pane, choose Management.

  2. Under Configure an index pattern, set the Index name or pattern field to cwl-* (the message box underneath should change from red to green, confirming that there are matching indices and aliases). Then choose Next step.

  3. Under Time Filter, choose @timestamp.

  4. To see a list of every field in the index, choose Create index pattern.

  5. To start viewing logs, in the left navigation pane, choose Discover.

    
    Figure 14: Kibana dashboard (Discover tab)

Database Template

After the deployment has completed, note the AWS KMS key alias, the database security group, and the database name from the Outputs tab.


Figure 15: Database template Outputs tab

To retrieve the automatically generated PCI-compliant password, on the Secrets Manager console, choose the secret that has the description This is my pci db instance secret, and choose Retrieve Secret Value.


Figure 16: Secrets Manager dashboard

Note

In the Rotation configuration section, the value is set to 89 days and not 90. This is because Secrets Manager schedules the next rotation when the previous one is complete. Secrets Manager schedules the date by adding the rotation interval (number of days) to the actual date of the last rotation. The service chooses the hour within that 24-hour date window randomly. The minute is also chosen randomly, but it is weighted towards the top of the hour and influenced by a variety of factors that help distribute load. For compliance requirements, it is recommended to set the value at 1 day less than the requirement.
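To make the 89-versus-90 reasoning concrete, here is an added example (not from the Quick Start) that computes the rotation window the note describes: the next rotation falls on the date of the last rotation plus the interval, at a random hour of that date, so the age of the secret at rotation stays strictly below interval + 1 days. The timestamp and the 90-day requirement are constructed sample inputs.

```python
"""Worst-case secret age under the rotation scheduling the note describes.

Added example, not part of the Quick Start; the dates are constructed sample inputs.
"""
from datetime import datetime, timedelta


def next_rotation_day(last_rotation_iso: str, interval_days: int) -> str:
    """Date of the next rotation: the last rotation's date plus the interval."""
    last = datetime.fromisoformat(last_rotation_iso)
    return (last.date() + timedelta(days=interval_days)).isoformat()


def worst_case_age_days(last_rotation_iso: str, interval_days: int) -> float:
    """Exclusive upper bound on the secret's age at its next rotation, in days.

    The hour within the scheduled date is chosen randomly, so the rotation may run
    any time before the end of that date.
    """
    last = datetime.fromisoformat(last_rotation_iso)
    day = last.date() + timedelta(days=interval_days)
    end_of_day = datetime.combine(day, datetime.min.time()) + timedelta(days=1)
    return (end_of_day - last) / timedelta(days=1)


def interval_meets_requirement(interval_days: int, required_max_age_days: int) -> bool:
    """True if no possible rotation time leaves the secret older than the requirement.

    The age stays below interval_days + 1, so the interval must be at least one day
    shorter than the requirement; for a 90-day requirement that is 89 days.
    """
    return interval_days + 1 <= required_max_age_days


def largest_compliant_interval(required_max_age_days: int) -> int:
    """Longest rotation interval that still satisfies the requirement."""
    return required_max_age_days - 1


if __name__ == "__main__":
    last = "2024-01-01T00:05:00"  # constructed: last rotation ran just after midnight
    for interval in (90, 89):
        print(f"interval {interval}d: next rotation on {next_rotation_day(last, interval)}, "
              f"age can reach {worst_case_age_days(last, interval):.2f} days, "
              f"meets 90-day requirement: {interval_meets_requirement(interval, 90)}")
```

With a last rotation just after midnight, a 90-day interval lets the secret reach almost 91 days old, while an 89-day interval keeps it under 90, which is the case the note is guarding against.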

Web Application Template

After the deployment has completed, on the Outputs tab, choose the LandingPageURL link.


Figure 17: Opening the landing page (LandingPageURL in the Value column on the Outputs tab)

The link should launch a new page in your browser that looks similar to Figure 18.


Figure 18: Landing page for PCI architecture on AWS (confirms a successful launch and provides next steps)

This deployment builds a working demo of a Multi-AZ WordPress site. To connect to the WordPress site, on the Outputs tab, choose the WebsiteURL link. The WebsiteURL link is also available on the Outputs tab for the main stack.

Note

WordPress is provided for testing and proof-of-concept purposes only; it is not intended for production use. You can replace it with another application of your choice.


Figure 19: Installing WordPress (welcome page with fields to fill out)

You can install and test the WordPress deployment from the page that loads. To access the admin page when AWS WAF is deployed, you must add your IP address in the AWS WAF rules. To allow your IP address, follow these steps:

  1. On the AWS WAF console, in the left navigation pane, choose WebACL.

  2. Choose the Region where you deployed the stack.

  3. Select the WebACL named standard-owasp-acl.

  4. In the left navigation pane, select IP Addresses.

  5. In the IP match conditions section, choose standard-match-admin-remote-ip.

  6. On the right side, choose Add IP addresses or ranges.

    
    Figure 20: Adding the IP address (Add IP addresses or ranges button)

  7. Add your IP address or CIDR range to the allow list, and click Add.

  8. In the left navigation pane, choose Rules.

  9. Choose standard-enforce-csrf.

  10. On the right side, choose Edit rule, and then choose Add condition.

  11. Under When a Request, choose does not, originate from an IP address in, standard-match-admin-remote-ip.

    Figure 21: Adding the IP address condition (three dropdown menus under When a request)

  12. Choose Update.

    You should now be able to access and set up WordPress.

Important

The WordPress application included in this Quick Start deployment is for demo purposes only. Application-level security, including patching, operating system updates, and addressing application vulnerabilities, is the customer’s responsibility (see the AWS Shared Responsibility Model).

For this Quick Start, we recommend that you delete the AWS CloudFormation stacks after your proof-of-concept demo or testing is complete.

Now that you have deployed and tested the PCI architecture on AWS, please take a few minutes to complete our survey for this Quick Start. Your response is anonymous and will help us improve these reference deployments.