Is using VPC required for PCI on a platform level? Or can PCI be achieved by security groups alone?
I'm only asking this because I've gotten mixed responses from Amazon on this question: the sales reps state VPC is required to be PCI compliant; however, several engineers have asserted VPC isn't required and standard security groups are enough.
I broke down some of the PCI-DSS requirements and I hope we can hash this out as a community.
Questionable Things:
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. - I should be able to do this at the software level, since standard security groups don't allow for it.
Things that should be fine:
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. - Both allow for this.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. - I can easily create a security group for application servers and databases, then only allow applications to access the database group.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. - I can disallow all public access with security groups.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. - I'll utilize a load balancer for this task.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. - The load balancer will be the only publicly accessible server.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) - Standard security groups perform stateful inspection.
Based on that list, I don't think there is anything stopping me from achieving PCI compliance with security groups alone. Please let me know if you agree/disagree.
**Also, I'm not storing any PANs; it's a clean pass-through.
I appreciate the feedback.
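The requirement-to-rule mapping in the question can be checked mechanically. The following is an added example (not the asker's code, and not an AWS-provided tool) that audits security-group records in the shape boto3's `describe_security_groups()` returns for the 1.2, 1.3/1.3.2 and 1.3.5 mappings above; the group IDs (`sg-dmz`, `sg-app`, `sg-db`) and rules are constructed sample data, and the tier assignment passed to `audit()` is assumed rather than discovered.

```python
# Audit of the PCI-DSS mapping in the question (1.2, 1.3/1.3.2, 1.3.5) against
# security-group records shaped like boto3's describe_security_groups() output.
# Group IDs and rules below are constructed for this example, not from a real account.
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _is_public(perm):  # rule matches the whole Internet (v4 or v6)
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def _peer_groups(perm):  # security groups referenced by the rule
    return {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}

def audit(groups, dmz_id, app_id, db_id):
    """Return (requirement, detail) findings; an empty list means all checks passed."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    for gid, g in by_id.items():
        for perm in g.get("IpPermissions", []):
            # 1.3 / 1.3.2: only the DMZ (load balancer) group may accept Internet ingress
            if _is_public(perm) and gid != dmz_id:
                findings.append(("1.3.2", f"{gid} accepts inbound traffic from the Internet"))
        for perm in g.get("IpPermissionsEgress", []):
            # 1.3.5: nothing in the cardholder data environment may send anywhere on the Internet
            if _is_public(perm):
                findings.append(("1.3.5", f"{gid} allows unrestricted outbound traffic"))
    # 1.2: the database group is reachable only through a reference to the application group
    for perm in by_id[db_id].get("IpPermissions", []):
        if perm.get("IpRanges") or perm.get("Ipv6Ranges") or _peer_groups(perm) - {app_id}:
            findings.append(("1.2", f"{db_id} reachable from a source other than {app_id}"))
    return findings

SAMPLE_GROUPS = [  # constructed: load balancer in the DMZ, application tier, database tier
    {"GroupId": "sg-dmz",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                              "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                        "UserIdGroupPairs": [{"GroupId": "sg-dmz"}]}],
     # the default allow-all egress rule: the 1.3.5 gap the question raises
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-app"}]}],
     "IpPermissionsEgress": []},
]
```

Running `audit(SAMPLE_GROUPS, "sg-dmz", "sg-app", "sg-db")` on the sample flags only the application tier's allow-all egress under 1.3.5; replacing that rule with one that references `sg-db` clears the finding.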