Standardized Architecture for PCI DSS on the AWS Cloud

Deployment Guide

AWS Envision Engineering, AWS Professional Services, and AWS Quick Start Reference Team

May 2016 (last update: January 2020)

This Quick Start reference deployment guide discusses architectural considerations and steps for deploying security-focused baseline environments on the Amazon Web Services (AWS) Cloud. Specifically, this Quick Start deploys a standardized environment that helps organizations with workloads that fall in scope for Payment Card Industry (PCI) Data Security Standard (DSS) compliance. The templates are built around the requirements of PCI DSS version 3.2.1. The deployment guide includes links for viewing and launching the AWS CloudFormation templates that automate the deployment.

This Quick Start is part of a set of AWS compliance offerings, which provide security-focused, standardized architecture solutions to help Managed Service Providers (MSPs), cloud-provisioning teams, developers, integrators, and information security teams adhere to strict security, compliance, and risk management controls. For additional Quick Starts in this category, see the Quick Start catalog.

If you have an AWS account that already meets the technical requirements for the PCI deployment, you can launch the Quick Start to build the basic architecture shown in Figure 2. The template is launched in the US East (N. Virginia) Region by default. If you have an AWS GovCloud (US-West) account, you can launch the template in the AWS GovCloud (US-West) Region.

The main template deployment takes approximately 8 minutes. If you’re new to AWS or to PCI-compliant architectures on AWS, please read the overview and follow the detailed pre-deployment and deployment steps described in this guide.


            Launch the Main template.

In addition to the main template, which provides the basic networking infrastructure, you can deploy three more templates, either on top of the main template or individually: one for centralized logging, one for the database tier, and one for the web application tier.

If you want to take a look under the covers, you can view the main template that automates this deployment. The main template includes references to child templates, and provides default settings that you can customize by following the instructions in this guide. For descriptions of the templates and guidance for using the nested templates separately, see the Templates Used in this Quick Start section of this guide.


            View the Main template.

To see how PCI DSS controls map to Quick Start architecture decisions, components, and configuration, view the security controls reference (Microsoft Excel spreadsheet). The excerpt in Figure 1 provides a sample of the available information.


            View the security controls reference.


          Excerpt from the PCI-DSS security controls reference

Figure 1: Excerpt from the PCI DSS security controls reference

We'd like your feedback

After you deploy this Quick Start, please take a few minutes to fill out our survey. Your response is anonymous and will help us improve this and other compliance-related reference deployments.

Quick Starts are automated reference deployments for key workloads on the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.