Overview - Standardized Architecture for PCI DSS on the AWS Cloud


AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

  • AWS CloudTrail – AWS CloudTrail records AWS API calls and delivers log files that include caller identity, time, source IP address, request parameters, and response elements. The call history and details provided by CloudTrail enable security analysis, resource change tracking, and compliance auditing.

  • Amazon CloudWatch – Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications you run on AWS. You can use CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

  • AWS Config – AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config rules enable you to automatically check the configuration of AWS resources recorded by AWS Config.


    The AWS Config rules feature is currently available in the AWS Regions listed on the endpoints and quotas webpage.

  • Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes provide the consistent and low-latency performance needed to run your workloads.

  • Amazon EC2 – Amazon Elastic Compute Cloud (Amazon EC2) enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Elastic Load Balancing – Elastic Load Balancing automatically distributes traffic across multiple EC2 instances, to help achieve better fault tolerance and availability. This Quick Start uses an Application Load Balancer for load balancing.

  • Amazon S3 Glacier – Amazon S3 Glacier is a storage service for archiving and long-term backup of infrequently used data. It provides secure, durable, and extremely low-cost storage, supports data transfer over SSL, and automatically encrypts data at rest. With S3 Glacier, you can store your data for months, years, or even decades at a very low cost.

  • Amazon Kinesis Data Firehose – Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elasticsearch Service), and Splunk. With Kinesis Data Firehose, you don't need to write applications or manage resources. You configure your data producers to send data to Kinesis Data Firehose, and it automatically delivers the data to the destination that you specified. You can also configure Kinesis Data Firehose to transform your data before delivering it.

  • Amazon RDS – Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a relational database in the AWS Cloud. It also handles many database management tasks, such as database backups, software patching, automatic failure detection, and recovery, for database products such as MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora. This Quick Start includes an Amazon Aurora MySQL database by default.

  • AWS Secrets Manager – AWS Secrets Manager is a credentials management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can use Amazon S3 to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely tuned access controls to meet your specific business, organizational, and compliance requirements.

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, logically isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

  • AWS WAF – AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, structured query language (SQL) injection and cross-site scripting.

Compliance Architectures

AWS compliance solutions help streamline, automate, and implement secure baselines in AWS—from initial design to operational security readiness. They incorporate the expertise of AWS solutions architects, security and compliance personnel to help you build a secure and reliable architecture easily through automation.

This Quick Start includes AWS CloudFormation templates, which can be integrated with AWS Service Catalog, to automate building a standardized baseline architecture that follows the requirements for PCI DSS. It also includes a security controls reference, which maps security controls to architecture decisions, features, and configuration of the baseline.

Architecture for PCI DSS on AWS

Deploying this Quick Start can build a multi-tier, Linux-based infrastructure in the AWS Cloud. Figures 2-5 illustrate the architecture.

Main Architecture

Standard networking architecture for PCI DSS on AWS
        with multiple-VPC integration

Figure 2: Standard networking architecture for PCI DSS on AWS with multiple-VPC integration

The main template architecture includes the following components and features:

  • Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.

  • PCI-compliant password policy.

  • Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.

  • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.

  • A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.

  • Network access control list (network ACL) rules to filter traffic.

  • Standard security groups for EC2 instances.

Centralized Logging Architecture

Figure 3: Centralized logging design for PCI DSS on AWS

The centralized logging template architecture includes the following components and features:

  • Logging, monitoring, and alerts using CloudTrail, CloudWatch, and AWS Config rules (optional), Amazon ES cluster with a Kibana front end for CloudTrail log analysis, with Amazon Cognito for access control

  • Amazon S3 for centralized logging, utilizing lifecycle policies for archiving objects in S3 Glacier, which supports PCI-compliant retention policies.

  • A second template to forward CloudTrail logs to the main logging account from other accounts (if applicable).

Database Architecture

Figure 4: Database design, with Amazon Aurora MySQL database for PCI DSS on AWS

The database template architecture includes the following components and features:

  • Encrypted, Multi-AZ Amazon RDS Aurora MySQL database cluster.

  • Security group for the Amazon RDS database. The security group allows access only through port 3306 and only from the specified VPC.

  • AWS Key Management Service (AWS KMS) symmetric customer master key (CMK) with user-defined key alias, and with automatic rotation enabled.

  • IAM groups with usage permissions for Key Administrators and Key Users

  • User-defined database user name and password.

  • Secrets Manager set to rotate the database password every 89 days.

Web Application Architecture

Figure 5: Web application (with AWS WAF) design for PCI DSS on AWS

The web application template architecture includes the following components and features:

  • Three-tier Linux web application using Auto Scaling and an Application Load Balancer, which can be modified or bootstrapped with the your application.S3 buckets for encrypted web content, centralized logging, and AWS WAF logs.

  • AWS WAF with rules to mitigate the Open Web Application Security Project (OWASP) Top 10 web application vulnerabilities.

  • Kinesis Data Firehose for streaming AWS WAF logs to Amazon S3 and Amazon ES.

Best Practices

The architecture built by this Quick Start supports AWS best practices for high availability and security:

  • Multi-AZ architecture intended for high availability

  • Isolation of instances between private/public subnets

  • Security groups limiting access to only necessary services

  • Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security

  • A secured bastion host instance to facilitate restricted login access for system administrator actions

  • Standard IAM policies with associated groups and roles, exercising least privilege

  • Monitoring and logging; alerts and notifications for critical events

  • S3 buckets (with security features enabled) for logging, archive, and application data

  • Implementation of proper load balancing and Auto Scaling capabilities

  • HTTPS-enabled Application Load Balancers with hardened security policy

  • Amazon RDS database backup and encryption

How You Can Use This Quick Start

You can build an environment that serves as an example for learning, as a prototyping environment, or as a baseline for customization.

Since AWS provides a very mature set of configuration options (and new services are being released all the time), this Quick Start provides security templates that you can use for your own environment. These security templates (in the form of AWS CloudFormation templates) provide a comprehensive rule set that can be systematically enforced. You can use these templates as a starting point and customize them to match your specific use cases.


You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using or the AWS Pricing Calculator. Prices are subject to change.