AWS Functions to Restrict Database Access
Security Best Practices for Amazon RDS
PCI Requirement 8.7 is all about restricting access to your database. In an AWS environment, this means protecting Amazon RDS. There are three ways to restrict access to databases containing CHD:
- All user access to, user queries of, and user actions on databases is completed through programmatic methods.
- Only database administrators have the ability to directly access or query the database.
- Application IDs for database applications can only be used by the applications.
You can implement these restrictions in RDS, plus add an additional layer of security by controlling access to DB instances through security groups and following AWS’s recommended security best practices for Amazon RDS.
When you look at PCI Requirement 8.7, it’s talking about database access. You shouldn’t allow individuals to have access to a database in order to perform queries unless they are truly database administrators within your organization. Access to databases and the ability to run those queries should only be allowed by applications that should have access to your RDS database. You can set up parameters within your security groups in order to limit certain accounts to be used only by the applications that are intended to be utilized. You can ensure that individuals cannot use those accounts to directly query the database. Then, secondarily, within your IAM roles, people who do have access to the database should certainly be database administrators. When we go through a PCI audit with our clients running within an AWS environment, these are the types of questions we ask and the types of settings that we look at to ensure that databases are only accessed in these compliant manners.