
Standardized Architecture for PCI DSS on the AWS Cloud


Quick Start Reference Deployment

AWS Envision Engineering


AWS Professional Services
AWS Quick Start Reference Team

May 2016
(last update: January 2020)

This guide is also available in HTML format at https://docs.aws.amazon.com/quickstart/latest/compliance-pci/.
Amazon Web Services – Standardized Architecture for PCI DSS January 2020

Contents
About This Guide ................................................................................................................... 4
Quick Links ............................................................................................................................ 4
About Quick Starts ................................................................................................................. 5
Overview .................................................................................................................................... 5
AWS Services.......................................................................................................................... 5
Compliance Architectures ......................................................................................................8
Architecture for PCI DSS on AWS .........................................................................................8
Main Architecture...............................................................................................................8
Centralized Logging Architecture .................................................................................... 10
Database Architecture .......................................................................................................11
Web Application Architecture .......................................................................................... 12
Best Practices ....................................................................................................................... 13
How You Can Use This Quick Start ..................................................................................... 13
Cost ....................................................................................................................................... 13
AWS CloudFormation Templates ........................................................................................... 14
AWS CloudFormation Stacks .............................................................................................. 14
Templates Used in this Quick Start ..................................................................................... 14
Managing the Quick Start Source Files ................................................................................... 16
Uploading the Templates to Amazon S3 ............................................................................. 16
Using the Console ............................................................................................................. 16
Using the AWS CLI ........................................................................................................... 17
Updating the Amazon S3 URLs ........................................................................................... 17
Planning the Deployment ....................................................................................................... 17
Prerequisites ........................................................................................................................ 17
Specialized Knowledge ..................................................................................................... 17
AWS Account .................................................................................................................... 18
Technical Requirements................................................................................................... 18

Deployment Methods ........................................................................................................... 19


Pre-Deployment Steps............................................................................................................. 19
Review AWS Service Quotas ............................................................................................... 20
Create Amazon EC2 Key Pairs ............................................................................................ 20
Set up AWS Config ............................................................................................................... 21
Deployment Steps ...................................................................................................................23
What We’ll Cover .................................................................................................................23
Step 1. Sign in to Your AWS Account...................................................................................24
Step 2. Launch the Stacks ....................................................................................................24
Main Template ................................................................................................................. 25
Centralized Logging Template ........................................................................................ 28
Database Template ...........................................................................................................32
Web Application Template ...............................................................................................34
Step 3. Test Your Deployment ............................................................................................. 37
Main Template ................................................................................................................. 37
Centralized Logging Template ........................................................................................ 38
Database Template .......................................................................................................... 40
Web Application Template ............................................................................................... 41
Deleting the Stacks .................................................................................................................. 45
Troubleshooting ...................................................................................................................... 45
Integrating with AWS Service Catalog ....................................................................................46
Additional Resources .............................................................................................................. 47
Appendix: Enhancements in This Release ............................................................................ 48
Send Us Feedback ...................................................................................................................49
For Further Assistance ............................................................................................................49
Document Revisions................................................................................................................49

About This Guide


This Quick Start reference deployment guide discusses architectural considerations and
steps for deploying security-focused baseline environments on the Amazon Web Services
(AWS) Cloud. Specifically, this Quick Start deploys a standardized environment that helps
organizations with workloads that fall in scope for Payment Card Industry (PCI) Data
Security Standard (DSS) compliance. The template relies on the requirements of PCI DSS
version 3.2.1. The deployment guide includes links for viewing and launching AWS
CloudFormation templates that automate the deployment.

This Quick Start is part of a set of AWS compliance offerings, which provide security-
focused, standardized architecture solutions to help Managed Service Providers (MSPs),
cloud-provisioning teams, developers, integrators, and information security teams adhere
to strict security, compliance, and risk management controls. For additional Quick Starts in
this category, see the Quick Start catalog.

Quick Links
If you have an AWS account that already meets the technical requirements for the PCI deployment, you can launch the Quick Start to build the basic architecture shown in Figure 2. The template is launched in the US East (N. Virginia) Region by default. If you have an AWS GovCloud (US) account, you can launch the template in the AWS GovCloud (US) Region.

The main template deployment takes approximately 8 minutes. If you’re new to AWS or to PCI-compliant architectures on AWS, please read the overview and follow the detailed pre-deployment and deployment steps described in this guide.

In addition to the main template, which provides a basic networking infrastructure, you can deploy three more templates on top of the main template, or individually. The three templates are for centralized logging, database, and web application.

If you want to take a look under the covers, you can view each template that automates this deployment. The main template includes references to additional templates, and it provides default settings that you can customize by following the instructions in this guide. For descriptions of the templates and guidance for using the nested templates separately, see the Templates Used in this Quick Start section of this guide.

Links in this section: View main template; View centralized logging template; View database template; View web application template; View security controls reference.

To see how PCI DSS controls map to Quick Start architecture decisions, components, and
configuration, view the security controls reference (Microsoft Excel spreadsheet). The
excerpt in Figure 1 provides a sample of the available information.

Figure 1: Excerpt from PCI DSS security controls reference

We’d like your feedback: After you deploy this Quick Start, please take a few minutes to fill out our survey. Your response is anonymous and will help us improve this and other compliance-related reference deployments.

About Quick Starts


Quick Starts are automated reference deployments for key workloads on the AWS Cloud.
Each Quick Start launches, configures, and runs the AWS compute, network, storage, and
other services required to deploy a specific workload on AWS, using AWS best practices for
security and availability.

Overview
AWS Services
The core AWS components used by this Quick Start include the following AWS services. (If
you are new to AWS, see Getting Started with AWS.)
• AWS CloudTrail – AWS CloudTrail records AWS API calls and delivers log files that
include caller identity, time, source IP address, request parameters, and response
elements. The call history and details provided by CloudTrail enable security analysis,
resource change tracking, and compliance auditing.
• Amazon CloudWatch – Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.
• AWS Config – AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config rules enable you to automatically check the configuration of AWS resources recorded by AWS Config.

Note The AWS Config rules feature is currently available in the AWS Regions
listed on the endpoints and quotas webpage.

• Amazon EBS – Amazon Elastic Block Store (Amazon EBS) provides persistent block-level storage volumes for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes provide the consistent and low-latency performance needed to run your workloads.
• Amazon EC2 – Amazon Elastic Compute Cloud (Amazon EC2) enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.
• Elastic Load Balancing – Elastic Load Balancing automatically distributes traffic across multiple EC2 instances, to help achieve better fault tolerance and availability. This Quick Start uses an Application Load Balancer for load balancing.
• Amazon S3 Glacier – Amazon Simple Storage Service Glacier (Amazon S3 Glacier) is a storage service for archiving and long-term backup of infrequently used data. It provides secure, durable, and extremely low-cost storage, supports data transfer over SSL, and automatically encrypts data at rest. With Amazon S3 Glacier, you can store your data for months, years, or even decades at a very low cost.
• Kinesis Data Firehose – Amazon Kinesis Data Firehose is a fully managed service for delivering real-time streaming data to destinations such as Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elasticsearch Service (Amazon ES), and Splunk. With Kinesis Data Firehose, you don't need to write applications or manage resources. You configure your data producers to send data to Kinesis Data Firehose, and
it automatically delivers the data to the destination that you specified. You can also configure Kinesis Data Firehose to transform your data before delivering it.
• Amazon RDS – Amazon Relational Database Service (Amazon RDS) enables you to set up, operate, and scale a relational database in the AWS Cloud. It also handles many database management tasks, such as database backups, software patching, automatic failure detection, and recovery, for database products such as MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server, and Amazon Aurora. This Quick Start includes an Amazon Aurora MySQL database by default.
• AWS Secrets Manager – AWS Secrets Manager is a credentials management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Using Secrets Manager, you can secure and manage secrets used to access resources in the AWS Cloud, on third-party services, and on-premises.
• Amazon S3 – Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can use Amazon S3 to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely tuned access controls to meet your specific business, organizational, and compliance requirements.
• Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, logically isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
• AWS WAF – AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, structured query language (SQL) injection, and cross-site scripting.

Compliance Architectures
AWS compliance solutions help streamline, automate, and implement secure baselines in
AWS—from initial design to operational security readiness. They incorporate the expertise
of AWS solutions architects and of security and compliance personnel to help you build a
secure and reliable architecture easily through automation.

This Quick Start includes AWS CloudFormation templates, which can be integrated with
AWS Service Catalog, to automate building a standardized baseline architecture that
follows the requirements for PCI DSS. It also includes a security controls reference, which
maps security controls to architecture decisions, features, and configuration of the baseline.

Architecture for PCI DSS on AWS


Deploying this Quick Start can build a multi-tier, Linux-based infrastructure in the AWS
Cloud. Figures 2-5 illustrate the architecture.

Main Architecture

Figure 2: Standard networking architecture for PCI DSS on AWS with multiple-VPC
integration

The main template architecture includes the following components and features:
• Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
• PCI-compliant password policy.
• Standard, external-facing virtual private cloud (VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for the application and the database.
• Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.
• A secured bastion login host to facilitate command-line Secure Shell (SSH) access to EC2 instances for troubleshooting and systems administration activities.
• Network access control list (network ACL) rules to filter traffic.
• Standard security groups for EC2 instances.

Centralized Logging Architecture

Figure 3: Centralized logging design for PCI DSS on AWS

The centralized logging template architecture includes the following components and
features:
• Logging, monitoring, and alerts using CloudTrail, CloudWatch, and (optionally) AWS Config rules; an Amazon ES cluster with a Kibana front end for CloudTrail log analysis, with Amazon Cognito for access control.
• Amazon S3 for centralized logging, utilizing lifecycle policies for archiving objects in Amazon S3 Glacier, which supports PCI-compliant retention policies.
• A second template to forward CloudTrail logs to the main logging account from other accounts (if applicable).

Database Architecture

Figure 4: Database design, with Amazon Aurora MySQL database for PCI DSS on AWS

The database template architecture includes the following components and features:
• Encrypted, Multi-AZ Amazon RDS Aurora MySQL database cluster.
• Security group for the Amazon RDS database. The security group allows access only through port 3306 and only from the specified VPC.
• AWS Key Management Service (AWS KMS) symmetric customer master key (CMK) with user-defined key alias, and with automatic rotation enabled.
• IAM groups with usage permissions for Key Administrators and Key Users.
• User-defined database user name and password.

• Secrets Manager set to rotate the database password every 89 days.
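The database-tier controls above (port 3306 only from the VPC, a KMS CMK with rotation enabled, an encrypted Aurora cluster, and a password rotation interval inside the 90-day window of PCI DSS 3.2.1 requirement 8.2.4) are the kind of settings an assessor verifies in the template rather than trusting the description. The following audit is an added example, not part of the Quick Start and not a parser of its actual database.template; the logical IDs, the VPC CIDR and both sample templates are constructed, while the resource types and property names are the standard CloudFormation ones.

```python
"""Audit a CloudFormation template for the database-tier controls listed above.

Added example; it is not part of the Quick Start and does not parse the Quick
Start's own database.template. Logical IDs, the VPC CIDR and both sample
templates are constructed; the checks use standard CloudFormation resource
types and property names.
"""
import copy
import ipaddress

VPC_CIDR = "10.100.0.0/16"   # constructed: the only network allowed to reach port 3306
MAX_ROTATION_DAYS = 90       # PCI DSS 3.2.1 req. 8.2.4: change passwords at least every 90 days

# Constructed sample mirroring the controls described for the database template.
COMPLIANT_TEMPLATE = {
    "Resources": {
        "DbSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Aurora MySQL, reachable only from the VPC",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": VPC_CIDR}
                ],
            },
        },
        "DbKmsKey": {"Type": "AWS::KMS::Key",
                     "Properties": {"EnableKeyRotation": True, "KeyPolicy": {}}},
        "DbCluster": {"Type": "AWS::RDS::DBCluster",
                      "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True,
                                     "KmsKeyId": {"Ref": "DbKmsKey"}}},
        "DbSecretRotation": {"Type": "AWS::SecretsManager::RotationSchedule",
                             "Properties": {"SecretId": {"Ref": "DbSecret"},
                                            "RotationRules": {"AutomaticallyAfterDays": 89}}},
    }
}


def weakened_template() -> dict:
    """Constructed negative case: open ingress, no key rotation, 120-day password rotation."""
    t = copy.deepcopy(COMPLIANT_TEMPLATE)
    r = t["Resources"]
    r["DbSecurityGroup"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "0.0.0.0/0"
    r["DbKmsKey"]["Properties"]["EnableKeyRotation"] = False
    r["DbSecretRotation"]["Properties"]["RotationRules"]["AutomaticallyAfterDays"] = 120
    return t


def audit_database_template(template: dict, vpc_cidr: str = VPC_CIDR) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    by_type = {}
    for name, res in template.get("Resources", {}).items():
        by_type.setdefault(res.get("Type"), []).append((name, res.get("Properties", {})))

    # 1. Security group: only TCP/3306, and only from inside the VPC.
    for name, props in by_type.get("AWS::EC2::SecurityGroup", []):
        for rule in props.get("SecurityGroupIngress", []):
            ports = (rule.get("FromPort"), rule.get("ToPort"))
            if rule.get("IpProtocol") != "tcp" or ports != (3306, 3306):
                findings.append(f"{name}: ingress rule is not limited to TCP/3306: {rule}")
            cidr = rule.get("CidrIp")
            if cidr is not None:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.version != vpc.version or not net.subnet_of(vpc):
                    findings.append(f"{name}: ingress from {cidr} is outside the VPC {vpc_cidr}")
            elif "SourceSecurityGroupId" not in rule:
                # A security-group source is VPC-scoped, so it is accepted; anything else is not.
                findings.append(f"{name}: ingress rule has neither CidrIp nor SourceSecurityGroupId")

    # 2. KMS CMK with automatic rotation enabled.
    keys = by_type.get("AWS::KMS::Key", [])
    if not keys:
        findings.append("no AWS::KMS::Key defined for the database")
    for name, props in keys:
        if props.get("EnableKeyRotation") is not True:
            findings.append(f"{name}: EnableKeyRotation is not true")

    # 3. Encrypted Aurora cluster.
    for name, props in by_type.get("AWS::RDS::DBCluster", []):
        if props.get("StorageEncrypted") is not True:
            findings.append(f"{name}: StorageEncrypted is not true")

    # 4. Secrets Manager rotation within the PCI DSS 90-day window.
    schedules = by_type.get("AWS::SecretsManager::RotationSchedule", [])
    if not schedules:
        findings.append("no Secrets Manager rotation schedule for the database password")
    for name, props in schedules:
        days = props.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if not isinstance(days, int) or days > MAX_ROTATION_DAYS:
            findings.append(f"{name}: rotation every {days} days exceeds {MAX_ROTATION_DAYS}")
    return findings


if __name__ == "__main__":
    for label, t in (("compliant", COMPLIANT_TEMPLATE), ("weakened", weakened_template())):
        print(label, audit_database_template(t) or ["all checks passed"])
```

The check treats an ingress source of `SourceSecurityGroupId` as in-VPC because security groups are VPC-scoped, and it flags any CIDR that is not a subnet of the VPC CIDR, so a `0.0.0.0/0` rule or a rule from a peered network both surface as findings. Run it against a template loaded with `json.load` before the stack is launched, or wire it into the pipeline that publishes customized templates to your S3 bucket.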

Web Application Architecture

Figure 5: Web application (with AWS WAF) design for PCI DSS on AWS

The web application template architecture includes the following components and features:

• Three-tier Linux web application using Auto Scaling and an Application Load Balancer, which can be modified or bootstrapped with your application.
• S3 buckets for encrypted web content, centralized logging, and AWS WAF logs.
• AWS WAF with rules to mitigate the Open Web Application Security Project (OWASP) Top 10 web application vulnerabilities.

• Kinesis Data Firehose for streaming AWS WAF logs to Amazon S3 and Amazon ES.

Best Practices
The architecture built by this Quick Start supports AWS best practices for high availability
and security:
• Multi-AZ architecture intended for high availability
• Isolation of instances between private/public subnets
• Security groups limiting access to only necessary services
• Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security
• A secured bastion host instance to facilitate restricted login access for system administrator actions
• Standard IAM policies with associated groups and roles, exercising least privilege
• Monitoring and logging; alerts and notifications for critical events
• S3 buckets (with security features enabled) for logging, archive, and application data
• Implementation of proper load balancing and Auto Scaling capabilities
• HTTPS-enabled Application Load Balancers with hardened security policy
• Amazon RDS database backup and encryption

How You Can Use This Quick Start


You can build an environment that serves as an example for learning, as a prototyping
environment, or as a baseline for customization.
Since AWS provides a very mature set of configuration options (and new services are being
released all the time), this Quick Start provides security templates that you can use for your
own environment. These security templates (in the form of AWS CloudFormation
templates) provide a comprehensive rule set that can be systematically enforced. You can
use these templates as a starting point and customize them to match your specific use cases.

Cost
You are responsible for the cost of the AWS services used while running this Quick Start
reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for this Quick Start include configuration parameters
that you can customize. Some of these settings will affect the cost of deployment. For cost
estimates, see the pricing pages for each AWS service you will be using or the AWS
Pricing Calculator. Prices are subject to change.

Tip After you deploy the Quick Start, we recommend that you enable the AWS Cost
and Usage Report. This report delivers billing metrics to an S3 bucket in your account. It
provides cost estimates based on usage throughout each month and finalizes the data at
the end of the month. For more information about the report, see the AWS
documentation.

AWS CloudFormation Templates


An AWS CloudFormation template is a JSON (JavaScript Object Notation) or YAML-
formatted text file that describes the AWS infrastructure needed to run an application or
service along with any interconnections among infrastructure components. You can deploy
a template and its associated collection of resources (called a stack) by using the AWS
Management Console or the AWS CloudFormation API. AWS CloudFormation is available
at no additional charge, and you pay only for the AWS resources needed to run your
applications. Resources can consist of any AWS resource you define within the template.
For a complete list of resources that can be defined within an AWS CloudFormation
template, see the AWS Resource Types Reference in the AWS documentation.

AWS CloudFormation Stacks


When you use AWS CloudFormation, you manage related resources as a single unit called a
stack. In other words, you create, update, and delete a collection of resources by creating,
updating, and deleting stacks. All the resources in a stack are defined by the stack’s AWS
CloudFormation template.

To update resources, you first modify the stack templates and then update the stack by
submitting the modified template. You can work with stacks by using the AWS
CloudFormation console, AWS CloudFormation API, or AWS CLI.

For more information about AWS CloudFormation and stacks, see Get Started in the AWS
CloudFormation documentation.

Templates Used in this Quick Start


The Quick Start consists of a main template and six additional AWS CloudFormation
templates: IAM, production VPC, management VPC, centralized logging, (with optional
AWS Config rules), database, and web application. These templates are designed to deploy
the architecture within stacks that align with AWS best practices and the security
compliance framework. The following table describes each template and its dependencies.
To view the child templates, see the GitHub repository.

Stack and template / Description / Dependencies

Main stack (main.template; or see the GovCloud version)
  Description: Primary template file that deploys the rest of the stacks and passes parameters between nested templates automatically.
  Dependencies: None

IAM stack (iam-template)
  Description: Creates a basic IAM configuration with custom policies, groups, roles, and PCI-compliant password policy.
  Dependencies: None

Centralized logging stack (logging.template)
  Description: Sets up baseline AWS Config rules for monitoring. Enables CloudTrail, S3 buckets, and bucket policies for logging and archive data. Creates standard CloudWatch alarms for security-related CloudTrail events. Creates Amazon ES cluster with Kibana and Amazon Cognito front end.
  Dependencies: None

Production VPC stack (vpc-production.template)
  Description: Configures a secure VPC for a public-facing application that includes subnets, NAT instances or NAT gateways, route tables, and custom network ACL rules.
  Dependencies: None

Management VPC stack (vpc-management.template)
  Description: Configures a secure VPC for management functions that support the production VPC, and includes subnets, NAT, route tables, custom network ACL rules, and a restricted, public-facing bastion host to support a secured login path for administrator access.
  Dependencies: Production VPC stack

Config rules stack (config-rules.template)
  Description: (Optional) Sets up baseline AWS Config rules for monitoring.
  Dependencies: Centralized logging template

Database stack (database.template)
  Description: Sets up a subnet group from two private subnets for the Amazon Aurora cluster, encrypted DB with a symmetric CMK, IAM groups for Key Admins and Key Users (usage). Adds a security group that allows port 3306 access only from within the customer-provided (or main template) VPC. Enables Secrets Manager to rotate passwords every 89 days.
  Dependencies: None

Application stack (application.template)
  Description: Sets up EC2 instances for reverse proxy and web application, HTTPS Elastic Load Balancing, CloudWatch alarms, AWS WAF, and Auto Scaling groups.
  Dependencies: None

The AWS CloudFormation template main.template is now only a basic architecture for
customers to deploy resources on top of. Customers can choose between the various
templates to test and customize their environments without needing to deploy the entire
architecture.

The IAM user must have permissions to deploy the resources each template creates, which
includes IAM configuration for groups and roles.

You can also edit main.template to customize the subnets and architecture. This can be
useful for provisioning teams who must deploy the initial base architecture in accounts for
application owners. For more information about deployment options and use cases, see
Deployment Methods.

Managing the Quick Start Source Files


We’ve provided a GitHub repository for the tools and templates for this Quick Start so you
can modify, extend, and customize them to meet your needs. You can also use your own Git
or Apache Subversion source code repository, or use AWS CodeCommit. This is
recommended to ensure proper version control, developer collaboration, and
documentation of updates.

The GitHub repository for this Quick Start includes the following directories:

assets Security controls matrix, architecture diagrams, and landing page assets

templates AWS CloudFormation template files for deployment

submodules Scripts and sub-templates used by the Quick Start templates

Uploading the Templates to Amazon S3


The Quick Start templates are available in an Amazon S3 bucket for Quick Starts. If you’re
using your own S3 bucket, you can upload the AWS CloudFormation templates by using the
AWS Management Console or the AWS CLI, by following these instructions.

Using the Console


1. Sign in to the console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Choose a bucket to store the templates in.
3. Choose Upload and specify the local location of the file to upload.

4. Upload all template files to the same S3 bucket.
5. Find the template URLs by selecting each template file, and then choosing Properties. Make a note of the URLs.

Using the AWS CLI


Download the AWS CLI tool from http://aws.amazon.com/cli/.
Use the following AWS CLI command to upload each template file:

aws s3 cp <template file>.template s3://<s3bucketname>/

Updating the Amazon S3 URLs


The template for the main stack lists the Amazon S3 URLs for the nested stacks. If you
upload the templates to your own S3 bucket and want to deploy the templates from there,
you must modify the Resources section of the main.template file.
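Each nested stack in the main template is an AWS::CloudFormation::Stack resource whose TemplateURL names the object in S3, so "modifying the Resources section" means pointing every one of those URLs at the bucket you uploaded to in the previous step, and checking that none still refers to the original bucket before you launch. The script below is an added example, not the Quick Start's own tooling; it assumes a JSON main template in which TemplateURL is either a plain string or a {"Fn::Sub": "..."} string, and the sample template, bucket names and key prefix are constructed.

```python
"""Point a Quick Start main template's nested stacks at your own S3 bucket.

Added example, not part of the Quick Start. It assumes the main template is
JSON and that each nested stack is an AWS::CloudFormation::Stack resource whose
Properties.TemplateURL is either a plain string or a {"Fn::Sub": "..."} string.
The sample template, bucket names and key prefix below are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed sample: two nested stacks (one plain URL, one Fn::Sub) and one
# unrelated resource that must be left untouched.
SAMPLE_MAIN_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"QSS3BucketName": {"Type": "String"},
                   "QSS3KeyPrefix": {"Type": "String"}},
    "Resources": {
        "IamTemplate": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {
                "TemplateURL": "https://original-bucket.s3.amazonaws.com/quickstart/templates/iam.template"
            },
        },
        "ProductionVpcTemplate": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {
                "TemplateURL": {"Fn::Sub": "https://${QSS3BucketName}.s3.amazonaws.com/"
                                           "${QSS3KeyPrefix}templates/vpc-production.template"}
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def _relocate(url: str, new_bucket: str, prefix: str) -> str:
    """Keep only the object file name from the old URL and place it under new_bucket/prefix."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    key = f"{prefix.strip('/')}/{filename}" if prefix else filename
    # Virtual-hosted-style URL on the global S3 endpoint; a regional endpoint
    # (bucket.s3.<region>.amazonaws.com) works the same way.
    return f"https://{new_bucket}.s3.amazonaws.com/{key}"


def rewrite_template_urls(template_json: str, new_bucket: str, prefix: str = ""):
    """Return (rewritten template JSON, logical IDs of the nested stacks that were changed)."""
    doc = json.loads(template_json)
    changed = []
    for logical_id, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        props = res.setdefault("Properties", {})
        url = props.get("TemplateURL")
        if isinstance(url, str):
            props["TemplateURL"] = _relocate(url, new_bucket, prefix)
        elif isinstance(url, dict) and isinstance(url.get("Fn::Sub"), str):
            url["Fn::Sub"] = _relocate(url["Fn::Sub"], new_bucket, prefix)
        else:
            continue  # unsupported form (e.g. Fn::Join): leave it for manual review
        changed.append(logical_id)
    return json.dumps(doc, indent=2), changed


def nested_stack_urls(template_json: str) -> dict:
    """Map each nested stack's logical ID to its TemplateURL string ('' if the form is unsupported)."""
    doc = json.loads(template_json)
    urls = {}
    for logical_id, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        url = res.get("Properties", {}).get("TemplateURL", "")
        if isinstance(url, dict):
            url = url.get("Fn::Sub", "")
        urls[logical_id] = url if isinstance(url, str) else ""
    return urls


def foreign_nested_stacks(template_json: str, expected_bucket: str) -> list:
    """Logical IDs whose TemplateURL is not in expected_bucket; the guide notes deployment fails otherwise."""
    return [lid for lid, url in nested_stack_urls(template_json).items()
            if not urlparse(url).netloc.startswith(f"{expected_bucket}.")]


if __name__ == "__main__":
    new_json, changed = rewrite_template_urls(SAMPLE_MAIN_TEMPLATE, "my-pci-templates", "pci/templates")
    print("rewritten:", changed)
    print("still foreign:", foreign_nested_stacks(new_json, "my-pci-templates"))
```

Run `foreign_nested_stacks` on the main template you are about to launch, after uploading all template files to the same bucket as step 4 above requires; an empty list means every nested stack resolves to your bucket. Resources whose TemplateURL uses another intrinsic function are reported as foreign rather than silently skipped, so they get a manual edit.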

Planning the Deployment


Prerequisites
Specialized Knowledge
This Quick Start requires a moderate to high level of understanding of the process to
achieve and manage PCI DSS control requirements and compliance processes within a
traditional hosting environment.

Additionally, this solution is targeted at Information Technology (IT) PCI DSS assessors
and security personnel, and assumes familiarity with basic security concepts in the area of
networking, operating systems, data encryption, operational controls, and cloud computing
services.

This deployment guide also requires a moderate level of understanding of AWS services and
requires the following, at a minimum:

• Access to a current AWS account with IAM administrator-level permissions


• Basic understanding of AWS services, AWS service quotas, and AWS CloudFormation
• Knowledge of architecting applications on AWS
• Understanding of security and compliance requirements in the customer organization

AWS offers training and certification programs to help you develop skills to design, deploy,
and operate your infrastructure and applications on the AWS Cloud. Whether you are just
getting started or looking to deepen your technical expertise, AWS has a variety of resources
to meet your needs. For more information, see the AWS Training and Certification website,
or read the AWS Training and Certification Overview.

AWS Account
If you don’t already have an AWS account, create one at https://aws.amazon.com by
following the on-screen instructions. Part of the sign-up process involves receiving a phone
call and entering a PIN using the phone keypad.

Technical Requirements
Before you launch the Quick Start, your account must be configured as specified in the
following table. Otherwise, deployment might fail. For step-by-step configuration
instructions, see the Pre-Deployment Steps section.

Resource | Default quota | Used in this deployment (by default)
VPCs | 5 per Region | 2
Elastic IP addresses | 5 per Region | 5
IAM groups | 100 per account | 6
IAM roles | 250 per account | 5
Amazon EC2 Auto Scaling groups | 20 per Region | 2
ELB load balancers | 20 per Region | 2

Regions The AWS services used in this Quick Start exist in all commercial Regions, but AWS
Config rules, which are used for configuration enforcement, are currently available only
in the Regions listed in Service Endpoints and Quotas. If you require this capability, you
must deploy in one of these Regions until AWS Config rules become available more
widely.
It is important to be aware of what is available in the Region you choose to deploy. To
see the latest list of supported services per Region, see Service Endpoints and Quotas in
the AWS documentation. For information about service differences in the AWS
GovCloud (US) Region, see Supported Services in the AWS GovCloud documentation.

AWS Config and AWS If you deploy this Quick Start in an AWS Region where AWS Config and AWS Config
Config rules rules are available, the AWS CloudFormation template config-rules.template will
attempt to automatically use the service. However, the deployment will fail if you
have not previously manually set up AWS Config in that Region. Before you deploy the
Quick Start, navigate to the AWS Config console, and choose the Get Started Now
button. Note that this feature is currently available only in the AWS Regions listed in
Service Endpoints and Quotas.

Page 18 of 50
Amazon Web Services – Standardized Architecture for PCI DSS January 2020

Amazon S3 URLs If you’re copying the templates to your own S3 bucket for deployment, make sure that
you update the Resources section of the main.template file. Otherwise,
deployment will fail.

IAM permissions To deploy the Quick Start using the console, you must be logged in to the console with
IAM permissions for the resources and actions the templates will deploy. The
AdministratorAccess managed policy within IAM provides sufficient permissions,
although your organization may choose to use a custom policy with more restrictions.

S3 buckets Unique S3 bucket names are automatically generated based on the account number and
Region. If you delete a stack, the logging buckets are not deleted (to support
security review). If you plan to re-deploy this Quick Start in the same Region, you must
first manually delete the previously created S3 buckets; otherwise, the re-
deployment will fail.

Deployment Methods
You can deploy the Quick Start templates by using AWS CLI commands or from the
console. You can also deploy the template package as an AWS Service Catalog product.
AWS Service Catalog enables a self-service model for deploying applications and
architecture on AWS. You can create portfolios that include one or more products, which
are defined by AWS CloudFormation templates. You can grant IAM users, groups, or roles
access to specific portfolios, which they can then launch from a separate interface. We’ve
provided step-by-step instructions for the console deployment option in the following
sections.

Pre-Deployment Steps
Before you deploy the PCI DSS Quick Start templates, follow the instructions in this section
to confirm that your account is set up correctly:
• Review the service quotas and service usage of your AWS account and request increases if required, to ensure that there is available capacity to launch resources in your account.
• Ensure that your AWS account is set up with at least one SSH key pair (but preferably two separate key pairs) in the AWS Region where you plan to deploy, for use with the bastion login host and other Amazon EC2 hosts.
• Ensure that you have manually set up AWS Config in the AWS Config console, if you are deploying into an AWS Region where AWS Config is available. AWS Config is currently available only in the Regions listed on the endpoints and quotas webpage.

Review AWS Service Quotas


To review and (if necessary) increase service quotas for the resources you need for the PCI
Quick Start deployment, you use the Service Quotas console and the Amazon EC2 console.
You’ll need the resources specified in the Technical Requirements table.

Use the Service Quotas console to view the existing service quotas for Amazon VPC, IAM
groups, and IAM roles within your account, and ensure that there is availability to deploy
additional resources:
1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/home?region=us-east-1#!/.
2. In the navigation pane, choose AWS services.
3. On the AWS services page, scroll through the list of services until you find the service that you want to check, and then choose that service.
4. Scroll through the service quota names and compare the AWS default quota value column to the Applied quota value column, to ensure that you can allocate the following without exceeding the default quota in the AWS Region you will deploy this Quick Start into (US East [N. Virginia] is recommended):
   – Two (2) more VPCs
   – Six (6) more IAM groups
   – Five (5) more IAM roles
5. If an increase is needed, you can choose the quota name, and then choose Request quota increase to open the Request quota increase form.

Create Amazon EC2 Key Pairs


Make sure that at least one Amazon EC2 key pair exists within your AWS account in the Region you are planning to deploy the Quick Start in.
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Use the Region selector in the navigation bar to choose the AWS Region where you plan to deploy.
3. In the navigation pane, under Network & Security, choose Key Pairs.
4. In the key pair list, verify that at least one available key pair (but preferably two available key pairs) exists, and make note of the key pair name or names. You’ll need to provide a key pair name for the parameters pEC2KeyPairBastion (for bastion host login access) and pEC2KeyPair (for all other Amazon EC2 host login access) when you launch the Quick Start. Although you can use the same key pair for both parameters, we recommend that you use a different key pair for each.
5. If you want to create a new key pair, choose Create Key Pair. For additional information, see the Amazon EC2 documentation.

Figure 6: Creating a key pair

Note If you’re deploying the Quick Start for testing or proof of concept, we
recommend that you create a new key pair instead of specifying a key pair that’s already
being used by a production instance.

Set up AWS Config


If AWS Config has not yet been initialized in the Region where you are deploying this Quick Start, follow the steps below in that Region.
1. Open the AWS Config console at https://console.aws.amazon.com/config/.
2. Use the Region selector in the navigation bar to choose the AWS Region where you plan to deploy.
3. In the AWS Config console, choose Get Started (or Get Started Now).

Figure 7: AWS Config console

4. On the Set up AWS Config screen, you may leave all default values in place, or make modifications as you see fit, and then choose Continue.

Figure 8: AWS Config setup screen

5. On the next screen, you are prompted to select rules for AWS Config. The centralized logging template deploys rules for your environment and you can add more rules, or remove rules, as you see fit. Choose Skip to proceed.

Figure 9: Skip AWS Config rules selection

6. On the Review screen, you review settings and confirm setup of AWS Config. To finish setup, choose Confirm.
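The three pre-deployment checks above, collected into one script: an added example that is not part of the Quick Start. It encodes the default quotas and counts from the Technical Requirements table, compares them with what the account already uses, confirms the two key pairs exist and differ, and confirms an AWS Config recorder exists; the live lookups assume boto3 is installed with credentials configured, and the key pair names are placeholders.

```python
"""Pre-deployment readiness check for this Quick Start (added example).

Quotas and counts come from the Technical Requirements table. The decision
logic is pure so it runs offline; boto3 is imported only for live queries.
"""
from dataclasses import dataclass

# resource name -> (AWS default quota, count this deployment creates)
REQUIREMENTS = {
    "VPCs per Region": (5, 2),
    "Elastic IP addresses per Region": (5, 5),
    "IAM groups per account": (100, 6),
    "IAM roles per account": (250, 5),
    "EC2 Auto Scaling groups per Region": (20, 2),
    "ELB load balancers per Region": (20, 2),
}


@dataclass
class Finding:
    resource: str
    in_use: int
    needed: int
    quota: int

    @property
    def shortfall(self) -> int:
        return self.in_use + self.needed - self.quota


def quota_shortfalls(in_use: dict, applied_quotas: dict = None) -> list:
    """Finding per resource the launch would push over its quota.

    Keys match REQUIREMENTS; applied_quotas holds quotas raised above the default.
    """
    applied_quotas = applied_quotas or {}
    findings = []
    for name, (default_quota, needed) in REQUIREMENTS.items():
        quota = applied_quotas.get(name, default_quota)
        used = in_use.get(name, 0)
        if used + needed > quota:
            findings.append(Finding(name, used, needed, quota))
    return findings


def key_pair_check(existing: list, bastion: str, other: str) -> list:
    """Problems with the two key pair parameters (empty list means OK)."""
    problems = [f"key pair {k!r} does not exist in this Region"
                for k in dict.fromkeys((bastion, other)) if k not in existing]
    if bastion == other:
        problems.append("one key pair serves both the bastion host and the "
                        "other hosts; the guide recommends two separate pairs")
    return problems


def config_recorder_check(recorder_names: list, deploy_config_rules: bool) -> list:
    """config-rules.template fails unless AWS Config was set up beforehand."""
    if deploy_config_rules and not recorder_names:
        return ["no AWS Config configuration recorder in this Region; choose "
                "Get Started in the AWS Config console before deploying"]
    return []


def live_state(region: str) -> tuple:
    """Read current usage, key pair names and Config recorders from the account."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    iam = boto3.client("iam")
    asg = boto3.client("autoscaling", region_name=region)
    elb = boto3.client("elb", region_name=region)
    cfg = boto3.client("config", region_name=region)

    def count(client, op, key):  # walk every page, not only the first
        return sum(len(p[key]) for p in client.get_paginator(op).paginate())

    in_use = {
        "VPCs per Region": len(ec2.describe_vpcs()["Vpcs"]),
        "Elastic IP addresses per Region": len(ec2.describe_addresses()["Addresses"]),
        "IAM groups per account": count(iam, "list_groups", "Groups"),
        "IAM roles per account": count(iam, "list_roles", "Roles"),
        "EC2 Auto Scaling groups per Region":
            count(asg, "describe_auto_scaling_groups", "AutoScalingGroups"),
        "ELB load balancers per Region":
            count(elb, "describe_load_balancers", "LoadBalancerDescriptions"),
    }
    keys = [k["KeyName"] for k in ec2.describe_key_pairs()["KeyPairs"]]
    recorders = [r["name"] for r in
                 cfg.describe_configuration_recorders()["ConfigurationRecorders"]]
    return in_use, keys, recorders


if __name__ == "__main__":
    usage, keys, recorders = live_state("us-east-1")
    for f in quota_shortfalls(usage):
        print(f"{f.resource}: {f.in_use} in use + {f.needed} needed > quota "
              f"{f.quota}; request an increase of at least {f.shortfall}")
    # placeholder key pair names; use the names you noted in the EC2 console
    for problem in (key_pair_check(keys, "pci-bastion-key", "pci-hosts-key")
                    + config_recorder_check(recorders, True)):
        print(problem)
```

Because the deployment uses all five default Elastic IP addresses, a single pre-existing address in the Region is reported as a shortfall.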

Deployment Steps
Follow the step-by-step instructions in this section to sign in to your AWS account,
customize the Quick Start templates, and deploy the software into your account.

What We’ll Cover


The procedure for deploying the Quick Start architecture on AWS consists of the following
steps, which we’ll cover in detail in the following sections.
Step 1. Sign in to your AWS account
• Sign in to your AWS account, and make sure that it’s configured correctly.

Step 2. Launch the stacks
• Launch the main AWS CloudFormation template into your AWS account.
• Enter values for required parameters.
• Review the other template parameters, and customize their values if necessary.

Step 3. Test your deployment
• Use the URL provided on the Outputs tab for the main stack to test the deployment.
• Use the IP address for the bastion host provided by the Outputs tab for the main stack, and use your private key if you want to connect to that host through SSH.

Step 1. Sign in to Your AWS Account


1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the appropriate privileges (see IAM Permissions earlier in this document).
2. Make sure that your AWS account is configured correctly. See the Technical Requirements and Pre-Deployment Steps sections for information. Note that if you plan to use an AWS Region with the AWS Config capability, you must first set up the AWS Config service manually by following the instructions in the previous section.
3. Use the Region selector in the navigation bar to choose the AWS Region where you want to deploy the PCI DSS architecture on AWS.
   Amazon EC2 locations are composed of Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. This Quick Start uses the m4.large instance type for the WordPress and NGINX portion of the deployment. The AWS Config rules service is currently available only in the AWS Regions listed on the endpoints and quotas webpage.

   Tip Consider choosing a Region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network. If you plan to use the optional AWS Config rules capability, you must choose one of the Regions listed on the endpoints and quotas webpage.

4. Select the key pair that you created earlier. In the navigation pane of the Amazon EC2 console, choose Key Pairs, and then choose the key pair from the list.

Step 2. Launch the Stacks


For best results, launch the main template first, and then launch the other templates that you want, in order. Centralized logging includes two templates. Launch the primary template first, in your preferred account, and then launch the additional template from any other accounts you want to forward logs from.

Main Template
This automated AWS CloudFormation template deploys the Quick Start architecture into
multiple Availability Zones in VPCs. Please review the technical requirements and pre-
deployment steps before launching the stacks.

Launch the main AWS CloudFormation template into your AWS account.

The template will be deployed into the AWS Region that appears in the navigation bar at
the upper-right corner of the console. You can change the Region by using the Region
selector in the navigation bar.
If you have an AWS GovCloud (US) account, you can launch the template in the AWS
GovCloud (US) Region.
The stacks take approximately 8 minutes to create.

Note You are responsible for the cost of the AWS services used while running this
Quick Start reference deployment. There is no additional cost for using this Quick Start.
For full details, see the pricing pages for each AWS service you will be using in this
Quick Start or the AWS Simple Monthly Calculator. Prices are subject to change.

You can also download the template to use it as a starting point for your customization.
On the Select Template page, keep the default settings for the template URL, and then
choose Next.
On the Specify Details page, provide the required parameter values for the template.
These are described in the following table.
VPC configuration:
Instance tenancy (VPCTenancy)
    Default: default
    Description: The tenancy attribute for the instances launched into the VPC. By default, all instances in the VPC run as shared-tenancy instances. Choose dedicated to run them as single-tenancy instances instead. If unsure, leave as default.
First Availability Zone (AvailabilityZoneA)
    Default: Requires input
    Description: The name of Availability Zone 1.
Second Availability Zone (AvailabilityZoneB)
    Default: Requires input
    Description: The name of Availability Zone 2. This must be different from the name of the first Availability Zone.

Amazon EC2 configuration:
Existing SSH key for the bastion instance (EC2KeyPairBastion)
    Default: Requires input
    Description: The SSH key pair in your account to use for the bastion host login. This is one of the keys that you created in the pre-deployment steps.
Existing SSH key for other instances (EC2KeyPair)
    Default: Requires input
    Description: The SSH key pair in your account to use for all other EC2 instance logins. This is one of the keys that you created in the pre-deployment steps.

IAM password policy:
Maximum password age (MaxPasswordAge)
    Default: 90
    Description: Maximum age for passwords, in number of days.
Minimum password length (MinPasswordLength)
    Default: 7
    Description: Minimum password length.
Previous passwords retained (PasswordHistory)
    Default: 4
    Description: Number of previous passwords to remember, to prevent password reuse.
Lowercase characters required (RequireLowercaseChars)
    Default: True
    Description: Password requirement of at least one lowercase character.
Uppercase character required (RequireUppercaseChars)
    Default: True
    Description: Password requirement of at least one uppercase character.
Number required (RequireNumbers)
    Default: True
    Description: Password requirement of at least one number.
Symbol required (RequireSymbols)
    Default: True
    Description: Password requirement of at least one nonalphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ').

Database configuration:
Database user name (DBUsername)
    Default: admin
    Description: User name for connecting to the DB instance.
Database password (DBPassword)
    Default: Requires input
    Description: Password for connecting to the DB instance.

AWS Quick Start configuration:
Quick Start S3 bucket name (QSS3BucketName)
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
Quick Start S3 key prefix (QSS3KeyPrefix)
    Default: quickstart-compliance-pci/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). If you are unsure, do not change this value.

On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set additional options. You can use the tags to organize and control access to
resources in the stacks. These are not required. When you’re done, choose Next.
On the Review page, review and confirm the template settings. Under Capabilities,
select the two check boxes to acknowledge that the template creates IAM resources and
might require the capability to auto-expand macros.

Figure 10: Resource acknowledgement

Choose Create to deploy the stack.

Monitor the status of the stack being deployed. When the status is
CREATE_COMPLETE for all the stacks deployed, the cluster for this reference
architecture is ready. You should see multiple nested stacks deployed.
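The same launch from the AWS CLI (the Deployment Methods section mentions this path but the guide only walks through the console), as an added example that is not part of the Quick Start: it validates the main template's parameter values against the constraints in the table above, keeps the database password out of the command line by writing a parameters file, and builds the create-stack command with the two capability acknowledgements from the Review page. The template URL, key pair names and Availability Zones are placeholders.

```python
"""Build a validated 'aws cloudformation create-stack' launch (added example).

Parameter names, defaults and constraints are taken from the main template's
parameter table in the guide. The DB password goes into a parameters file
readable only by the owner, not onto the command line, so it stays out of
shell history and process listings.
"""
import json
import os
import re

# Constraints stated for the Quick Start bucket name and key prefix.
QS_BUCKET_RE = re.compile(r"^[0-9a-zA-Z]([0-9a-zA-Z-]*[0-9a-zA-Z])?$")
QS_PREFIX_RE = re.compile(r"^[0-9a-zA-Z/-]*$")

DEFAULTS = {
    "VPCTenancy": "default",
    "MaxPasswordAge": "90",
    "MinPasswordLength": "7",
    "PasswordHistory": "4",
    "RequireLowercaseChars": "True",
    "RequireUppercaseChars": "True",
    "RequireNumbers": "True",
    "RequireSymbols": "True",
    "DBUsername": "admin",
    "QSS3BucketName": "aws-quickstart",
    "QSS3KeyPrefix": "quickstart-compliance-pci/",
}
REQUIRES_INPUT = ("AvailabilityZoneA", "AvailabilityZoneB",
                  "EC2KeyPairBastion", "EC2KeyPair", "DBPassword")


def validate_parameters(params: dict) -> list:
    """Return the problems found; an empty list means the values are usable."""
    problems = [f"{n}: requires input" for n in REQUIRES_INPUT if not params.get(n)]
    if params.get("AvailabilityZoneA") == params.get("AvailabilityZoneB"):
        problems.append("AvailabilityZoneB must differ from AvailabilityZoneA")
    if params.get("VPCTenancy") not in ("default", "dedicated"):
        problems.append("VPCTenancy must be 'default' or 'dedicated'")
    if params.get("EC2KeyPairBastion") == params.get("EC2KeyPair"):
        problems.append("use separate key pairs for EC2KeyPairBastion and EC2KeyPair")
    if not QS_BUCKET_RE.match(params.get("QSS3BucketName", "")):
        problems.append("QSS3BucketName: letters, numbers and hyphens only; "
                        "no leading or trailing hyphen")
    if not QS_PREFIX_RE.match(params.get("QSS3KeyPrefix", "")):
        problems.append("QSS3KeyPrefix: letters, numbers, hyphens and slashes only")
    return problems


def build_launch(stack_name: str, template_url: str, overrides: dict,
                 params_file: str = "pci-main-params.json") -> tuple:
    """Return (argv, parameter list) for 'aws cloudformation create-stack'.

    Raises ValueError when validate_parameters() reports problems.
    """
    params = {**DEFAULTS, **overrides}
    problems = validate_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    parameters = [{"ParameterKey": k, "ParameterValue": v}
                  for k, v in sorted(params.items())]
    argv = ["aws", "cloudformation", "create-stack",
            "--stack-name", stack_name,
            "--template-url", template_url,
            "--parameters", f"file://{params_file}",
            # The same two acknowledgements as the Review page check boxes:
            # IAM resources and macro auto-expansion.
            "--capabilities", "CAPABILITY_IAM", "CAPABILITY_AUTO_EXPAND"]
    return argv, parameters


def write_parameters(parameters: list, path: str) -> None:
    """Write the parameters file with mode 0600, since it holds the DB password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(parameters, fh, indent=2)


if __name__ == "__main__":
    import shlex
    argv, parameters = build_launch(
        "pci-dss-main",
        "https://TEMPLATE-BUCKET-PLACEHOLDER/main.template",  # placeholder URL
        {"AvailabilityZoneA": "us-east-1a", "AvailabilityZoneB": "us-east-1b",
         "EC2KeyPairBastion": "pci-bastion-key", "EC2KeyPair": "pci-hosts-key",
         "DBPassword": os.environ.get("PCI_DB_PASSWORD", "")})
    write_parameters(parameters, "pci-main-params.json")
    print(shlex.join(argv))  # run this, then wait for CREATE_COMPLETE
```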

Centralized Logging Template


The primary centralized logging AWS CloudFormation template deploys the logging
architecture in a single account. An additional centralized logging template can be used to
forward logs from other accounts to the central log account. Before launching the stacks,
review the technical requirements and pre-deployment steps.

Launch the primary centralized logging AWS CloudFormation template into your AWS
account.

The template will be deployed into the AWS Region that appears in the navigation bar at
the upper-right corner of the console. You can change the Region by using the Region
selector in the navigation bar.
If you have an AWS GovCloud (US) account, you can launch the template in the AWS
GovCloud (US) Region.
The primary logging stack takes approximately 20 minutes to create.
You can also download the template to use it as a starting point for your customization.
On the Select Template page, keep the default settings for the template URL, and then
choose Next.
On the Specify Details page, provide the required parameter values for the template.
These are described in the following table.
Amazon ES configuration:
Amazon ES domain name (DOMAINNAME)
    Default: pcicentralizedlogging
    Description: Name for the Amazon ES domain that this template will create. Domain names must start with a lowercase letter and must be between 3 and 28 characters. Valid characters are a-z (lowercase only), 0-9.
Amazon ES domain admin email address (DomainAdminEmail)
    Default: esdomainadmin@example.com
    Description: Email address of the administrator for the Amazon ES domain. Alerts will be sent to this email address.
Cluster size (ClusterSize)
    Default: Small
    Description: Amazon ES cluster size. Choose Small (4 data nodes), Medium (6 data nodes), Large (8 data nodes), xLarge (10 data nodes).
Additional log account (ProdAccount)
    Default: Optional
    Description: Additional account ID for which you want to allow centralized logging (e.g., Production).
Additional log account (TestAccount)
    Default: Optional
    Description: Additional account ID for which you want to allow centralized logging (e.g., Test).
Additional log account (DevAccount)
    Default: Optional
    Description: Additional account ID for which you want to allow centralized logging (e.g., Develop).

Amazon Cognito configuration:
Amazon Cognito admin email address (CognitoAdminEmail)
    Default: cognitoadmin@example.com
    Description: Email address of the Amazon Cognito admin.

Central logging S3 bucket name:
S3 bucket name for CloudTrail logging (BucketName)
    Default: Requires input
    Description: The name of a new S3 bucket for logging CloudTrail events. The name must be a globally unique value and must be in lowercase letters.

AWS Config:
AWS Config (DeployConfigRule)
    Default: No Config
    Description: Deployment of AWS Config. Choose Yes Config to deploy AWS Config. This requires that you set up a configuration recorder in the pre-deployment steps.
Required tag key (RequiredTagKey)
    Default: Optional
    Description: Tag key to use with the Amazon EC2/Amazon EBS REQUIRED_TAGS rule. (Optional; leave blank to ignore or if you are not deploying AWS Config.)

AWS Quick Start configuration:
Quick Start S3 bucket name (QSS3BucketName)
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
Quick Start S3 key prefix (QSS3KeyPrefix)
    Default: quickstart-compliance-pci/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). If you are unsure, do not change this value.

On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set additional options. You can use the tags to organize and control access to
resources in the stacks. These are not required. When you’re done, choose Next.
On the Review page, review and confirm the template settings. Under Capabilities,
select the two check boxes to acknowledge that the template creates IAM resources and
might require the capability to auto-expand macros.

Choose Create to deploy the stack.


Monitor the status of the stack being deployed. When the status field displays
CREATE_COMPLETE for all the stacks deployed, the cluster for this reference
architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks
listed (for the main template and seven nested templates).
If using the additional account template to forward logs from another account, follow
the same steps to launch the template, filling in the following parameters.
Amazon ES configuration:
Amazon ES endpoint (ESDomain)
    Default: Requires input
    Description: Amazon ES domain endpoint for centralized logging (remove https://).
Central log account ID (CentralLogAcct)
    Default: Requires input
    Description: AWS account ID for the central logging account (12 digits).
Master account role (MasterRole)
    Default: Requires input
    Description: IAM Role Amazon Resource Name (ARN) for cross-account log indexing. Use the value that is provided in the centralized logging template outputs.
Cluster size (ClusterSize)
    Default: Small
    Description: Amazon ES cluster size, as deployed in the primary account.

Central logging S3 bucket:
Central S3 log bucket name (S3BucketName)
    Default: Requires input
    Description: S3 bucket for central log storage, created in the primary log account.

On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set additional options. You can use the tags to organize and control access to
resources in the stacks. These are not required. When you’re done, choose Next.
On the Review page, review the settings and select the acknowledgement check box.
This simply states that the template will create IAM resources.
Choose Create to deploy the stack.
Monitor the status of the stack being deployed. When the status is
CREATE_COMPLETE, the cluster for this reference architecture is ready.

Database Template
This automated AWS CloudFormation template deploys the database architecture in the
Production VPC. It includes the deployment of Secrets Manager and a customer master key
(CMK).

Note The database password is maintained within Secrets Manager with PCI-
compliant complexity, length, and expiration and rotation.

Launch the Database AWS CloudFormation template into your AWS account.

The template will be deployed into the AWS Region that appears in the navigation bar at
the upper-right corner of the console. You can change the Region by using the Region
selector in the navigation bar.
If you have an AWS GovCloud (US) account, you can launch the template in the AWS
GovCloud (US) Region.
The stacks take approximately 10 minutes to create.
You can also download the template to use it as a starting point for your customization.
On the Select Template page, keep the default settings for the template URL, and then
choose Next.
On the Specify Details page, provide the seven required parameter values for the
template. These are described in the following table.

Availability Zone selection:
First Availability Zone for Aurora (RegionAZ1Name)
    Default: Requires input
    Description: The name of the first Availability Zone where you will deploy the Aurora database cluster.
Second Availability Zone for Aurora (RegionAZ2Name)
    Default: Requires input
    Description: The name of the second Availability Zone where you will deploy the Aurora database cluster.

Network configuration (existing VPC):
CIDR for Aurora database (ProductionCIDR)
    Default: 10.100.0.0/16
    Description: CIDR range from which connections to the database are allowed.
VPC ID for Aurora database (ProductionVPC)
    Default: Requires input
    Description: ID of the VPC where you will deploy the Aurora database cluster.
First private database subnet for Aurora (DBPrivateSubnetA)
    Default: Requires input
    Description: The ID of the first private subnet in your Production VPC.
Second private database subnet for Aurora (DBPrivateSubnetB)
    Default: Requires input
    Description: The ID of the second private subnet in your Production VPC.

Database configuration:
Aurora database name (DBName)
    Default: Requires input
    Description: The name of the Aurora database.
Aurora database user (DBUser)
    Default: Requires input
    Description: The user name for the database administrator of the Aurora database.
Aurora database password (DBPassword)
    Default: Requires input
    Description: Password for the database instance.
Centralized logging bucket (CentralLogBucket)
    Default: Optional
    Description: The S3 bucket to send Aurora audit logs to. This can be the bucket that you created when you launched the centralized logging template.

AWS Quick Start configuration:
Quick Start S3 bucket name (QSS3BucketName)
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
Quick Start S3 key prefix (QSS3KeyPrefix)
    Default: quickstart-compliance-pci/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). If you are unsure, do not change this value.

On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set additional options. You can use the tags to organize and control access to
resources in the stacks. These can be left alone. When you’re done, choose Next.
On the Review page, review the settings and select the acknowledgement check box.
This states that the template will create IAM resources.
Choose Create to deploy the stack.
Monitor the status of the stack being deployed. When the status field displays
CREATE_COMPLETE for all the stacks deployed, the cluster for this reference
architecture is ready. Since you’re deploying the full architecture, you’ll see eight stacks
listed (for the main template and seven nested templates).

Web Application Template


This automated AWS CloudFormation template deploys a web application architecture,
including a nested AWS WAF template. Please review the technical requirements and pre-
deployment steps before launching the stacks.

Launch the Web Application AWS CloudFormation template into your AWS account.

The template will be deployed into the AWS Region that appears in the navigation bar at
the upper-right corner of the console. You can change the Region by using the Region
selector in the navigation bar.
If you have an AWS GovCloud (US) account, you can launch the template in the AWS
GovCloud (US) Region.
The stacks take approximately 10 minutes to create.
You can also download the template to use it as a starting point for your customization.
On the Select Template page, keep the default settings for the template URL, and then
choose Next.
On the Specify Details page, provide the seven required parameter values for the
template. These are described in the following table.
Availability Zone selection:
First Availability Zone for deployment (AvailabilityZoneA)
    Default: Requires input
    Description: The name of the first Availability Zone where you will deploy the web application architecture.
Second Availability Zone for deployment (AvailabilityZoneB)
    Default: Requires input
    Description: The name of the second Availability Zone where you will deploy the web application architecture.

Network configuration:
Management VPC CIDR (ManagementCIDR)
    Default: 10.10.0.0/16
    Description: CIDR range or IP address to allow access to the web application servers.
Production VPC CIDR (ProductionCIDR)
    Default: 10.100.0.0/16
    Description: VPC CIDR for web application deployment. Can be the production VPC CIDR from the main template.
Production VPC ID (ProductionVPC)
    Default: Requires input
    Description: ID of the Production VPC, where the web application architecture will be deployed.
First public subnet ID (DMZSubnetA)
    Default: Requires input
    Description: The ID of the first public subnet where the proxy servers will be deployed in the Production VPC.
Second public subnet ID (DMZSubnetB)
    Default: Requires input
    Description: The ID of the second public subnet where the proxy servers will be deployed in the Production VPC.
First private subnet ID (AppPrivateSubnetA)
    Default: Requires input
    Description: The ID of the first private subnet where the application servers will be deployed in the Production VPC.
Second private subnet ID (AppPrivateSubnetB)
    Default: Requires input
    Description: The ID of the second private subnet where the application servers will be deployed in the Production VPC.

Logging configuration:
Centralized logging bucket for AWS WAF logs (CentralLogBucket)
    Default: Requires input
    Description: The S3 bucket to send AWS WAF logs to. This bucket should already exist and can be the same bucket from the centralized logging template.
Log storage location (WAFlogging)
    Default: Amazon S3 Only
    Description: The storage location for AWS WAF logs. Choose Amazon Elasticsearch_S3 to have AWS WAF logs streamed to Amazon ES (current Region) and your central logging bucket.

Amazon ES configuration:
Amazon ES cluster (ESClusterARN)
    Default: Optional input
    Description: (If Amazon Elasticsearch_S3 is chosen for the WAFlogging parameter) The Amazon Resource Name (ARN) of the Amazon ES domain that Kinesis Data Firehose delivers data to. The cluster must be in the same account and Region.

Amazon EC2 configuration:
Existing SSH key (EC2KeyPair)
    Default: Requires input
    Description: The SSH key pair in your account to use for all other EC2 instance logins.

Database configuration:
Aurora database name (DBName)
    Default: Requires input
    Description: The name of the Aurora database.
Aurora database user (DBUser)
    Default: Requires input
    Description: The user name for the database administrator of the Aurora database.
Aurora database password (DBPassword)
    Default: Requires input
    Description: Password for the database instance.

AWS Quick Start configuration:
Quick Start S3 bucket name (QSS3BucketName)
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). If you are unsure, do not change this value.
Quick Start S3 key prefix (QSS3KeyPrefix)
    Default: quickstart-compliance-pci/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). If you are unsure, do not change this value.

On the Options page, you can specify tags (key-value pairs) for resources in your stack
and set additional options. You can use the tags to organize and control access to
resources in the stacks; the defaults can be left alone. When you’re done, choose Next.
On the Review page, review the settings and select the acknowledgement check boxes.
The first acknowledges that the template will create IAM resources. The second
acknowledges that the template uses macros to perform custom processing on the
template, and that you allow this processing to occur (when you deploy from the CLI
instead, the equivalents are the CAPABILITY_IAM or CAPABILITY_NAMED_IAM and
CAPABILITY_AUTO_EXPAND capabilities).
Choose Create to deploy the stack.
Monitor the status of the stack being deployed. When the status field displays
CREATE_COMPLETE for all the stacks deployed, the reference architecture is ready. Since
you’re deploying the full architecture, you’ll see eight stacks listed (the main template
and seven nested templates).

Step 3. Test Your Deployment


Main Template
After the deployment has completed, note the bastion host public IP address from the
Outputs tab.


Figure 11: Bastion host IP address

Select the nested templates, such as the Management VPC template, and view the resources
that were created.

Figure 12: Management VPC resources

Centralized Logging Template


After the deployment has completed, view the Outputs tab and note the Amazon ES
domain endpoint, S3 bucket, and the login URL for the Kibana dashboard.


Figure 13: Centralized logging outputs

To log in to the Kibana dashboard, use the temporary password that was sent to your email
address.

After you are signed in, configure an index pattern so that Kibana can read the log indices:

1. In the left navigation pane, choose Management.
2. Under Configure an index pattern, set the Index name or pattern field to cwl-*
   (the message box underneath should change from red to green, confirming that there
   are matching indices and aliases). Then choose Next step.
3. Under Time Filter, choose @timestamp.
4. Choose Create index pattern. Kibana then lists every field in the index.
5. To start viewing logs, in the left navigation pane, choose Discover.


Figure 14: Kibana dashboard

Database Template
After the deployment has completed, note the AWS KMS key alias, the database security
group, and the database name from the Outputs tab.

Figure 15: Database template Outputs tab

To retrieve the automatically generated PCI-compliant password, on the Secrets Manager
console, choose the secret that has the description This is my pci db instance secret,
and choose Retrieve Secret Value.


Figure 16: Secrets Manager dashboard

Note In the Rotation configuration section, the interval is set to 89 days rather than
90. Secrets Manager schedules the next rotation only when the previous one is complete,
by adding the rotation interval (number of days) to the actual date of the last rotation.
The hour within that 24-hour window is chosen randomly; the minute is also chosen
randomly, weighted towards the top of the hour and influenced by a variety of factors
that help distribute load. A 90-day interval can therefore leave slightly more than 90
days between two rotations. For a compliance requirement such as a 90-day maximum
password age, set the value to 1 day less than the requirement.
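The scheduling behaviour described in the note above is easy to get wrong in an audit script that only compares AutomaticallyAfterDays with 90. The following Python is an added example, not code from the Quick Start: it models the worst-case gap between two rotations, derives the largest interval that stays within a maximum password age, and checks secret records for rotation being disabled, an interval that is too long, or a secret that is already overdue. It assumes the field names Secrets Manager returns from DescribeSecret and ListSecrets (RotationEnabled, RotationRules with AutomaticallyAfterDays, LastRotatedDate as a timezone-aware datetime); the sample records are constructed, and audit_account, which takes a boto3 Secrets Manager client that you create, is the only part that talks to AWS.

```python
"""Audit Secrets Manager rotation settings against a maximum password age.

Added example (not part of the Quick Start). Record shapes follow the
DescribeSecret / ListSecrets responses: RotationEnabled, RotationRules with
AutomaticallyAfterDays, and LastRotatedDate as a tz-aware datetime.
"""
from datetime import datetime, timedelta, timezone


def worst_case_gap(interval_days):
    """Longest possible time between two rotations for a given interval.

    Secrets Manager adds the interval to the date of the last rotation and
    then picks a random hour and minute inside that 24-hour window, so one
    rotation may run at 00:00 and the next as late as 23:59 on the
    scheduled day.
    """
    return timedelta(days=interval_days, hours=23, minutes=59)


def largest_compliant_interval(max_age_days):
    """Largest AutomaticallyAfterDays whose worst case still stays within
    max_age_days (90 for the password-change requirement the note refers to)."""
    limit = timedelta(days=max_age_days)
    for days in range(max_age_days, 0, -1):
        if worst_case_gap(days) <= limit:
            return days
    raise ValueError("no rotation interval satisfies %d days" % max_age_days)


def check_secret(secret, max_age_days=90, now=None):
    """Return a list of findings (empty when compliant) for one secret record."""
    findings = []
    limit = timedelta(days=max_age_days)
    name = secret.get("Name", "<unnamed>")

    if not secret.get("RotationEnabled"):
        findings.append("%s: automatic rotation is not enabled" % name)
        return findings

    interval = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    if interval is None:
        findings.append("%s: rotation is enabled but no interval is set" % name)
    elif worst_case_gap(interval) > limit:
        findings.append(
            "%s: interval of %d days can exceed the %d-day limit; use %d"
            % (name, interval, max_age_days, largest_compliant_interval(max_age_days)))

    last = secret.get("LastRotatedDate")
    if last is not None:
        now = now or datetime.now(timezone.utc)
        age = now - last
        if age > limit:
            findings.append("%s: last rotated %d days ago, over the %d-day limit"
                            % (name, age.days, max_age_days))
    return findings


def audit_account(client, max_age_days=90):
    """Run check_secret over every secret in the account.

    client is a boto3 Secrets Manager client created by the caller; this is
    the only AWS call in the file. ListSecrets entries carry the same
    rotation fields as DescribeSecret.
    """
    findings = []
    for page in client.get_paginator("list_secrets").paginate():
        for secret in page["SecretList"]:
            findings.extend(check_secret(secret, max_age_days))
    return findings


# Constructed sample records standing in for ListSecrets output.
NOW = datetime(2020, 1, 31, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "pci-db-secret", "Description": "This is my pci db instance secret",
     "RotationEnabled": True, "RotationRules": {"AutomaticallyAfterDays": 89},
     "LastRotatedDate": datetime(2020, 1, 10, tzinfo=timezone.utc)},
    {"Name": "example-90-day", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 90},
     "LastRotatedDate": datetime(2020, 1, 10, tzinfo=timezone.utc)},
    {"Name": "example-stale", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 89},
     "LastRotatedDate": datetime(2019, 10, 1, tzinfo=timezone.utc)},
    {"Name": "example-manual", "RotationEnabled": False},
]


def audit_samples():
    """Findings for the constructed records above; three of the four fail."""
    return [f for s in SAMPLE_SECRETS for f in check_secret(s, now=NOW)]


if __name__ == "__main__":
    for finding in audit_samples():
        print(finding)
```

Only the first sample record passes: the 90-day interval is flagged because its worst case is 90 days, 23 hours and 59 minutes, the stale record is flagged on age even though its interval is fine, and the manual one has no rotation at all. The same check_secret function can be fed the output of describe_secret for the Quick Start's own secret.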

Web Application Template


After the deployment has completed, on the Outputs tab, choose the LandingPageURL
link.


Figure 17: Opening the landing page

The link should launch a new page in your browser that looks similar to Figure 18.

Figure 18: Landing page for PCI architecture on AWS


This deployment builds a working demo of a Multi-AZ WordPress site. To connect to the
WordPress site, on the Outputs tab, choose the WebsiteURL link. The WebsiteURL
link is also available on the Outputs tab for the main stack.

Note WordPress is provided for testing and proof-of-concept purposes only; it is
not intended for production use. You can replace it with another application of your
choice.

Figure 19: Installing WordPress

You can install and test the WordPress deployment from the page that loads. To access the
admin page when AWS WAF is deployed, you must first add your IP address to the AWS WAF
rules. To allow your IP address, follow these steps:

1. On the AWS WAF console, in the left navigation pane, choose WebACL.
2. Choose the Region where you deployed the stack.
3. Select the WebACL named standard-owasp-acl.
4. In the left navigation pane, select IP Addresses.
5. In the IP match conditions section, choose standard-match-admin-remote-ip.
6. On the right side, choose Add IP addresses or ranges.


Figure 20: Adding the IP address

7. Add your IP address or CIDR range to the allow list, and choose Add.
8. In the left navigation pane, choose Rules.
9. Choose standard-enforce-csrf.
10. On the right side, choose Edit rule, then Add condition.
11. Under When a request, choose does not, originate from an IP address in,
    standard-match-admin-remote-ip.

Figure 21: Adding the IP Address condition

12. Choose Update.

You should now be able to access and set up WordPress. Keep the allow list to the
smallest set of addresses that need the admin page, and remove entries when they are no
longer needed.
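The console procedure above can also be scripted so that the allow list is applied the same way on every deployment. The following Python is an added example, not code from the Quick Start: it validates the source addresses, builds the Updates payloads for the WAF Classic UpdateIPSet and UpdateRule calls (the same conditions-and-rules model the console steps use), and calls AWS only inside apply_allowlist, which takes a boto3 client for the regional WAF endpoint that you create (this deployment fronts an Application Load Balancer). The IP set and rule names are the ones from the steps above; the /24 width limit, the IPv4-only handling, and the sample addresses are this example's own choices.

```python
"""Allowlist admin source addresses in the Quick Start's AWS WAF (Classic)
configuration from a script instead of the console.

Added example (not part of the Quick Start). Builds the Updates payloads for
UpdateIPSet and UpdateRule; only apply_allowlist() calls AWS, through a boto3
'waf-regional' client supplied by the caller.
"""
import ipaddress

IP_SET_NAME = "standard-match-admin-remote-ip"   # names from the console steps
RULE_NAME = "standard-enforce-csrf"
# WAF Classic accepts only these IPv4 prefix lengths in an IP set.
WAF_IPV4_PREFIXES = (8, 16, 24, 32)


def normalize_cidr(value, widest=24):
    """Return an IPv4 CIDR string that WAF Classic will accept.

    A bare address becomes a /32. A prefix with host bits set (for example
    203.0.113.5/24) and prefix lengths WAF does not support are rejected
    rather than silently widened. Anything broader than /`widest` is also
    refused by default, because this set gates the WordPress admin page.
    """
    net = ipaddress.ip_network(value)          # strict: host bits must be zero
    if net.version != 4:
        raise ValueError("%s: this example handles IPv4 only" % value)
    if net.prefixlen not in WAF_IPV4_PREFIXES:
        raise ValueError("%s: WAF Classic IPv4 sets accept only /8, /16, /24, /32" % value)
    if net.prefixlen < widest:
        raise ValueError("%s: wider than /%d; pass widest= explicitly to allow it"
                         % (value, widest))
    return str(net)


def is_acceptable(value, widest=24):
    """True if normalize_cidr() accepts the value."""
    try:
        normalize_cidr(value, widest)
        return True
    except ValueError:
        return False


def ip_set_updates(addresses, action="INSERT"):
    """Updates list for waf:UpdateIPSet (action INSERT or DELETE)."""
    return [{"Action": action,
             "IPSetDescriptor": {"Type": "IPV4", "Value": normalize_cidr(a)}}
            for a in addresses]


def negated_ip_match_updates(ip_set_id, action="INSERT"):
    """Updates list for waf:UpdateRule that adds the predicate
    'does NOT originate from an IP address in <ip set>' to a rule."""
    return [{"Action": action,
             "Predicate": {"Negated": True, "Type": "IPMatch", "DataId": ip_set_id}}]


def find_id(entries, name, id_key):
    """Pick the ID of the entry with the given Name from a List* response."""
    for entry in entries:
        if entry["Name"] == name:
            return entry[id_key]
    raise LookupError("no entry named %s" % name)


def apply_allowlist(client, addresses):
    """Apply both console edits with a boto3 'waf-regional' client (use 'waf'
    only for a CloudFront distribution). Every mutating call needs a fresh
    change token. The List* calls read the first page only, which is enough
    for this deployment; paginate with NextMarker in a large account.
    """
    ip_set_id = find_id(client.list_ip_sets()["IPSets"], IP_SET_NAME, "IPSetId")
    rule_id = find_id(client.list_rules()["Rules"], RULE_NAME, "RuleId")

    token = client.get_change_token()["ChangeToken"]
    client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token,
                         Updates=ip_set_updates(addresses))

    token = client.get_change_token()["ChangeToken"]
    client.update_rule(RuleId=rule_id, ChangeToken=token,
                       Updates=negated_ip_match_updates(ip_set_id))


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real clients.
    print(ip_set_updates(["203.0.113.5", "198.51.100.0/24"]))
```

The rule change (steps 8 to 12 above) is needed once per deployment; later additions of admin addresses only need update_ip_set with the output of ip_set_updates. The widest=24 default refuses anything broader than a /24 unless you opt in, since this set is what stands between the internet and the WordPress admin page.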

Important The WordPress application included in this Quick Start deployment is
for demo purposes only. Application-level security, including patching, operating
system updates, and addressing application vulnerabilities, is the customer’s
responsibility (see the AWS Shared Responsibility Model).


For this Quick Start, we recommend that you delete the AWS CloudFormation
stacks after your proof-of-concept demo or testing is complete.

Now that you have deployed and tested the PCI architecture on AWS, please take a few
minutes to complete our survey for this Quick Start. Your response is anonymous and will
help us improve these reference deployments.

Deleting the Stacks


When you’ve finished using the baseline environment, you can delete the stacks. Deleting a
stack, through the AWS CLI, the AWS CloudFormation API, or the AWS CloudFormation console,
removes all the resources created by the template for that stack. The only exceptions are
the S3 buckets for logging and backup: their deletion policy is set to Retain by default,
so the buckets and the data in them are kept, and you have to delete them manually if you
no longer need them.

Important This Quick Start deployment uses nested AWS CloudFormation templates
for some deployments, so deleting the main stack from each deployment will remove the
nested stacks and all associated resources.

Troubleshooting
If you encounter a CREATE_FAILED error when you deploy the Quick Start, refer to the
following table for known issues and solutions.

Error message: The following resource(s) failed to create: [rConfigRuleForRequiredTags,
rConfigRuleForUnrestrictedPorts, rConfigRuleForSSH, rConfigRulesLambdaRole]
  Possible cause: The Support Config parameter was set to Yes, but AWS Config isn’t
  available in the Region you selected, or AWS Config has not been initialized.
  What to do: Set the Support Config parameter to No, or select another Region. Also make
  sure that AWS Config is set up properly, as described in the pre-deployment steps.

Error message: Maximum VPCs limit reached
  Possible cause: You’ve exceeded the number of VPCs allowed in your account.
  What to do: Delete VPCs and/or request a quota increase. Try to create the stack again.
  For more information, see technical requirements.

Error message: Maximum EIPs limit reached
  Possible cause: You’ve exceeded the quota of Elastic IP addresses in your account.
  What to do: Disassociate Elastic IP addresses or request an Elastic IP address quota
  increase, and try to create the stack again. For more information, see technical
  requirements.

Error message: Other limits exceeded
  Possible cause: You’ve exceeded the use of resources in your AWS account.
  What to do: See technical requirements, and request service quota increases as
  necessary.

If the problem you encounter isn’t covered in this table, we recommend that you re-launch
the template with Rollback on failure set to No (this setting is under Advanced in the
AWS CloudFormation console, Options page) and open a support case in the AWS
Support Center for further troubleshooting. When rollback is disabled, the stack’s state will
be retained and the instance will be left running, so the support team can help troubleshoot
the issue.

Important When you set Rollback on failure to No, you’ll continue to incur AWS
charges for this stack. Please make sure to delete the stack when you’ve finished
troubleshooting.

Integrating with AWS Service Catalog


You can add the AWS CloudFormation templates for this Quick Start to AWS Service
Catalog as portfolios or products to manage them from a central location. This helps
support consistent governance, security, and compliance requirements. It also lets users
quickly deploy only the approved IT services they need.

For complete information about using AWS Service Catalog, see the AWS documentation.
The following table provides links for specific tasks.

To: Create a new portfolio
  See: Creating and Deleting Portfolios

To: Create a new product
  See: Adding and Removing Products

To: Give users access
  See: Granting Access to Users

To: Assign IAM roles for deploying stacks
  See: Applying Launch Constraints. Make sure that the IAM role has a policy and trust
  relationship defined.

To: Assign tags to portfolios to track resource ownership, access, and cost allocations
  See: Tagging Portfolios

To: Perform other administrative tasks
  See: AWS Service Catalog Administrator Guide

To: Launch products from AWS Service Catalog
  See: AWS Service Catalog User Guide


Additional Resources
AWS services
- AWS CloudFormation
  https://docs.aws.amazon.com/cloudformation/
- Amazon EC2 User Guide for Linux
  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
- Amazon VPC
  https://docs.aws.amazon.com/vpc/
- AWS CloudTrail
  https://docs.aws.amazon.com/cloudtrail/
- AWS Config
  https://docs.aws.amazon.com/config/
- Amazon CloudWatch
  https://docs.aws.amazon.com/cloudwatch/
- AWS IAM
  https://docs.aws.amazon.com/iam/
- Amazon RDS
  https://docs.aws.amazon.com/rds/
- AWS CLI
  https://docs.aws.amazon.com/cli/
- AWS Service Catalog
  https://docs.aws.amazon.com/servicecatalog/

PCI DSS
- PCI Data Security Standard
  https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
- Technical Workbook for PCI Compliance in the AWS Cloud
  http://d0.awsstatic.com/whitepapers/compliance/AWS_Anitian_Wookbook_PCI_Cloud_Compliance.pdf

Quick Start Reference Deployments
- AWS Quick Start home page
  https://aws.amazon.com/quickstart/

Appendix: Enhancements in This Release


This is part of a set of compliance Quick Starts. AWS is constantly working to improve the
design, ease of use, and security features of these solutions. This latest compliance Quick
Start for PCI DSS includes the following security and compliance enhancements:
- HTTPS load balancers with a custom security policy using TLS, and auto-generation of a
  self-signed certificate for testing purposes
- Network ACL rules for filtering inbound/outbound traffic as an additional layer of
  network security
- Security groups to limit both inbound and outbound traffic to only available ports and
  protocols
- AWS Config rules automatically deployed for monitoring specific resources most
  relevant to compliance
- Secure Amazon S3 policies for logging and application buckets, including custom
  lifecycle policies for archiving objects in Amazon S3 Glacier and use of versioning
- Custom CloudWatch alarms and notifications for specific security-related events in
  CloudTrail logging of root activity, IAM changes, and changes to logging policies
- Simplified AWS CloudFormation templates that decouple components, including VPCs,
  to allow for easier modification and reuse
- Reduced set of AWS CloudFormation parameter groups and labels to simplify console
  use during the deployment process
- Elastic Load Balancing (using an Application Load Balancer, which also enables
  integration with AWS WAF) and Amazon S3 access logging enabled for the application
  layer
- Deployment of a secured login bastion host for SSH access to EC2 instances within the
  architecture
- PCI-compliant IAM password policy
- Deployment of AWS WAF with OWASP Top 10 filtering rules
- Kinesis Data Firehose to stream AWS WAF logs to Amazon S3 and Amazon ES and to
  stream Aurora MySQL audit logs to Amazon S3
- Secrets Manager to store and rotate the Aurora credentials
- Creation of an AWS KMS symmetric CMK with automatic rotation enabled
- IAM groups for split knowledge and dual control of the CMK
- Features divided into separate child templates that do not rely on each other to be
  deployed

Send Us Feedback
You can visit our GitHub repository to download the templates and scripts for this Quick
Start, and to share your customizations with others.

If you haven’t filled out our survey yet, please take a few minutes to do so. Your response is
anonymous and will help us improve the quality of this PCI DSS Quick Start and other AWS
reference deployments.

For Further Assistance


If you need assistance with an enterprise implementation of the capabilities introduced
through this Quick Start, AWS Professional Services can guide and assist with the related
training, customization, and implementation of deployment and maintenance processes.
Please contact your AWS Account Manager for further information, or send an inquiry to
[email protected].

Document Revisions
January 2020
  Change: Major updates to template structure and guidance. Added new features and
  services, and split templates into individual AWS CloudFormation templates for
  customer customization.
  In sections: Template updates and changes throughout guide

July 2019
  Change: Updated PCI DSS link
  In sections: Additional Resources

December 2016
  Change: Reconfigured templates to improve modularity
  In sections: Template updates

June 2016
  Change: Support for the new Asia Pacific (Mumbai) Region
  In sections: Template updates

May 2016
  Change: Major updates based on user feedback to align with changes to AWS
  CloudFormation templates and to reduce customization requirements
  In sections: Template updates and changes throughout guide

April 2016
  Change: Pre-release
  In sections: —

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
