Planning the Deployment
Prerequisites
Specialized Knowledge
This Quick Start assumes a moderate to high level of understanding of how PCI DSS control requirements are achieved and managed, and of the compliance process, in a traditional hosting environment.
Additionally, this solution is targeted at Information Technology (IT) PCI DSS assessors and security personnel, and assumes familiarity with basic security concepts in the areas of networking, operating systems, data encryption, operational controls, and cloud computing services.
This deployment guide also assumes a moderate level of understanding of AWS services and requires the following, at a minimum:
- Access to a current AWS account with IAM administrator-level permissions
- Basic understanding of AWS services, AWS service quotas, and AWS CloudFormation
- Knowledge of architecting applications on AWS
- Understanding of security and compliance requirements in the customer organization
AWS offers training and certification programs to help you develop skills to design, deploy, and operate your infrastructure and applications on the AWS Cloud. Whether you are just getting started or looking to deepen your technical expertise, AWS has a variety of resources to meet your needs. For more information, see the AWS Training and Certification website.
AWS Account
If you don’t already have an AWS account, create one at https://aws.amazon.com.
Technical Requirements
Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail. For step-by-step configuration instructions, see the Pre-Deployment Steps section.
| Requirement | Details |
| --- | --- |
| Resources | |
| Regions | The AWS services used in this Quick Start exist in all commercial Regions, but AWS Config rules, which are used for configuration enforcement, are currently available only in the Regions listed in Service Endpoints and Quotas. If you require this capability, you must deploy in one of these Regions until AWS Config rules become available more widely. Check what is available in the Region you choose before you deploy. To see the latest list of supported services per Region, see Service Endpoints and Quotas in the AWS documentation. For information about service differences in the AWS GovCloud (US-West) Region, see Supported Services in the AWS GovCloud documentation. |
| AWS Config and AWS Config rules | If you deploy this Quick Start in an AWS Region where AWS Config and AWS Config rules are available, the AWS CloudFormation template config-rules.template uses the service automatically. However, the deployment fails if AWS Config has not already been set up manually in that Region. Before you deploy the Quick Start, navigate to the AWS Config console and choose the Get Started Now button. Note that this feature is currently available only in the AWS Regions listed in Service Endpoints and Quotas. |
| Amazon S3 URLs | If you copy the templates to your own S3 bucket for deployment, make sure that you update the Resources section of the main.template file so that the nested-stack template URLs point to your bucket. Otherwise, deployment will fail. |
| IAM permissions | To deploy the Quick Start using the console, you must be logged in to the console with IAM permissions for the resources and actions the templates will deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. |
| S3 buckets | Unique S3 bucket names are automatically generated based on the account number and Region. If you delete a stack, the logging buckets are not deleted (to support security review). If you plan to re-deploy this Quick Start in the same Region, you must first manually delete the previously created S3 buckets; otherwise, the re-deployment will fail. |
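Two rows in the table above describe conditions that make the deployment fail outright: template URLs in main.template that still point at the source bucket, and AWS Config not yet set up in the target Region. Both can be checked before launching. The pre-flight script below is an added example, not part of the Quick Start or its templates: the main.template fragment, the bucket name `my-qs-bucket`, the prefix `pci/templates/`, the placeholder source bucket `original-bucket`, the template name `vpc.template` and the recorder-status JSON are all constructed sample data and are assumptions; the AWS CLI command and the response field names are the real ones returned by `aws configservice describe-configuration-recorder-status`.

```python
"""Pre-deployment checks for the Quick Start prerequisites (added example, not
part of the Quick Start). Two things the prerequisites table says will
otherwise make the deployment fail:

  1. Every nested-stack TemplateURL in the Resources section of main.template
     points at the bucket and prefix you copied the templates to.
  2. AWS Config already has a recorder that is recording in the target Region,
     so config-rules.template can use the service.

All sample data below is constructed so the script runs offline; the CLI
command and response field names are the real AWS Config ones.
"""
import json
import re
import subprocess
from urllib.parse import urlparse

# Constructed fragment of a main.template. The second URL still points at the
# source bucket (an assumed placeholder name): the stale reference the table
# warns about.
SAMPLE_MAIN_TEMPLATE = """\
Resources:
  VpcStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://my-qs-bucket.s3.amazonaws.com/pci/templates/vpc.template
  ConfigRulesStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://original-bucket.s3.amazonaws.com/pci/templates/config-rules.template
"""

# Constructed `aws configservice describe-configuration-recorder-status` output
# for a Region where AWS Config has been set up and is recording.
SAMPLE_RECORDER_STATUS = json.dumps({
    "ConfigurationRecordersStatus": [
        {"name": "default", "recording": True, "lastStatus": "SUCCESS",
         "lastStartTime": "2024-01-01T00:00:00+00:00"}
    ]
})

TEMPLATE_URL_RE = re.compile(r"^\s*TemplateURL:\s*(\S+)\s*$", re.MULTILINE)


def s3_bucket_and_key(url):
    """Split an S3 HTTPS URL into (bucket, key).

    Handles virtual-hosted style (bucket.s3[.region].amazonaws.com/key) and
    path style (s3[.region].amazonaws.com/bucket/key). Bucket names with dots
    are only recognised in path style, which is how they must be served.
    """
    parts = urlparse(url)
    host, path = parts.netloc.lower(), parts.path.lstrip("/")
    m = re.fullmatch(r"(?P<bucket>[^.]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", host)
    if m:
        return m.group("bucket"), path
    if re.fullmatch(r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", host):
        bucket, _, key = path.partition("/")
        return bucket, key
    raise ValueError(f"not an S3 URL: {url}")


def find_stale_template_urls(template_text, bucket, prefix):
    """Return every TemplateURL that does not live under s3://bucket/prefix."""
    stale = []
    for raw in TEMPLATE_URL_RE.findall(template_text):
        url = raw.strip("'\"")  # YAML may quote the value
        b, key = s3_bucket_and_key(url)
        if b != bucket or not key.startswith(prefix):
            stale.append(url)
    return stale


def config_recorder_ready(status_json):
    """Return (ready, reason) from describe-configuration-recorder-status JSON."""
    statuses = json.loads(status_json).get("ConfigurationRecordersStatus", [])
    if not statuses:
        return False, "no configuration recorder; set up AWS Config in this Region first"
    for s in statuses:
        if s.get("recording") and s.get("lastStatus") != "FAILURE":
            return True, f"recorder {s.get('name')!r} is recording"
    return False, "a recorder exists but is stopped or its last delivery failed"


def fetch_recorder_status(region):
    """Live variant: ask the AWS CLI for the recorder status in `region`."""
    out = subprocess.run(
        ["aws", "configservice", "describe-configuration-recorder-status",
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return out.stdout


def preflight(template_text, bucket, prefix, status_json):
    """Collect blocking problems; an empty list means both checks passed."""
    problems = [f"stale TemplateURL (not under s3://{bucket}/{prefix}): {u}"
                for u in find_stale_template_urls(template_text, bucket, prefix)]
    ready, reason = config_recorder_ready(status_json)
    if not ready:
        problems.append(f"AWS Config: {reason}")
    return problems


if __name__ == "__main__":
    # Offline demo on the constructed samples. Against a real account, pass
    # fetch_recorder_status("us-east-1") and the contents of main.template.
    for problem in preflight(SAMPLE_MAIN_TEMPLATE, "my-qs-bucket",
                             "pci/templates/", SAMPLE_RECORDER_STATUS):
        print("BLOCKER:", problem)
```

Run it before `aws cloudformation create-stack`; on the constructed sample it reports the one stale config-rules.template URL and finds AWS Config ready. A recorder whose last delivery status is FAILURE is treated as not ready on purpose, since config-rules.template depends on the service actually working, not merely existing.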
Deployment Methods
You can deploy the Quick Start templates by using AWS CLI commands or from the console. You can also deploy the template package as an AWS Service Catalog