Question

Is using VPC required for PCI on a platform level? Or can PCI be achieved by security groups alone?

I'm only asking this because I've gotten mixed responses from Amazon on this question: the sales reps state VPC is required to be PCI compliant, however several engineers have asserted VPC isn't required and standard security groups are enough.

I broke down some of the PCI-DSS requirements and I hope we can hash this out as a community.

Questionable Things:

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. - I should be able to do this at the software level, since standard security groups don't allow for it.

Things that should be fine:

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. - Both allow for this.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. - I can easily create a security group for application servers and databases, then only allow applications to access the database group.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. - I can disallow all public access with security groups.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. - I'll utilize a loadbalancer for this task.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. - The loadbalancer will be the only publicly accessible server.

1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) - Standard security groups perform stateful inspection.

Based on that list, I don't think there is anything stopping me from achieving PCI compliance with security groups alone. Please let me know if you agree/disagree.

Also, I'm not storing any PANs; it's a clean pass-through.

I appreciate the feedback.


Solution

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. - I should be able to do this at the software level, since standard security groups don't allow for it.

Filtering egress traffic is only possible using VPC security groups. You do not want to rely upon your application to do this; it must be done at the network level (what happens when an attacker compromises your app or simply installs another app to steal your data?). Using VPC, you can also use network ACLs to implement a multilayered approach and filter egress traffic there as well: "security in depth is security done right."

Really, this criterion alone is enough for a VPC to be the obvious choice. Why the reluctance? VPC doesn't cost anything more, greatly increases security, and offers some additional functionality not found with EC2 (Elastic Network Interfaces, multiple IPs per instance, IPSec VPN, etc).
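The answer's point is that 1.3.5 needs a network-level egress control and that only VPC security groups carry egress rules at all. The following audit script is an added example, not part of the original answer or of any AWS tooling: it takes the JSON shape returned by `aws ec2 describe-security-groups` (or boto3's `describe_security_groups()`) and flags every group that either allows egress to the whole Internet or is an EC2-Classic group (no `VpcId`), which cannot filter egress. The group IDs, VPC ID and CIDRs in the embedded sample are constructed for the example.

```python
"""Audit security groups for egress rules that would violate PCI DSS 1.3.5.

Added example, not code from the original post. Input shape follows the
'SecurityGroups' list of `aws ec2 describe-security-groups --output json`.
Run with that JSON on stdin, or with no input to evaluate the sample below.
"""
import ipaddress
import json
import sys

# Constructed sample data, not from a real account. One VPC group left with the
# default allow-all egress, one VPC group restricted to a payment gateway and an
# internal database group, and one EC2-Classic group (no VpcId), which has no
# egress rules at all because EC2-Classic security groups cannot filter egress.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "app-default-egress", "VpcId": "vpc-0aaa",
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-locked-egress", "VpcId": "vpc-0aaa",
     "IpPermissions": [],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "203.0.113.10/32",
                        "Description": "payment gateway (example address)"}]},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "classic-web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]


def _is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. 'anywhere on the Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _describe(perm):
    """Human-readable protocol/port summary of one IpPermission entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all protocols and ports"
    if "FromPort" in perm:
        return "%s %s-%s" % (proto, perm["FromPort"], perm.get("ToPort", perm["FromPort"]))
    return proto


def egress_findings(groups):
    """Return (group_id, reason) tuples for every egress problem found.

    A group without a VpcId is an EC2-Classic group: it carries no egress
    rules, so the requirement cannot be met by that group at all. A VPC group
    is flagged once per egress rule whose CIDR is the whole IPv4 or IPv6 space.
    """
    findings = []
    for group in groups:
        gid = group["GroupId"]
        if "VpcId" not in group:
            findings.append((gid, "EC2-Classic group: egress cannot be filtered here"))
            continue
        for perm in group.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if _is_unrestricted(cidr):
                    findings.append((gid, "egress to %s allowed for %s" % (cidr, _describe(perm))))
    return findings


def non_compliant_groups(groups):
    """Sorted list of group IDs that have at least one finding."""
    return sorted({gid for gid, _ in egress_findings(groups)})


if __name__ == "__main__":
    # Real use: aws ec2 describe-security-groups --output json | python audit_egress.py
    if sys.stdin.isatty():
        groups = SAMPLE_GROUPS
    else:
        groups = json.load(sys.stdin)["SecurityGroups"]
    for gid, reason in egress_findings(groups):
        print("%s: %s" % (gid, reason))
    print("non-compliant groups:", ", ".join(non_compliant_groups(groups)) or "none")
```

Against the sample, the default-egress VPC group is reported twice (once for 0.0.0.0/0, once for ::/0), the locked-down group produces nothing, and the EC2-Classic group is reported as unable to filter egress at all, which is the distinction the answer draws. The check only covers the security-group layer; a network ACL review would be a second pass over `describe-network-acls` output.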

Licensed under: CC-BY-SA with attribution