Defining Roles and Responsibilities in AWS
Supporting PCI Requirement 12.4 in AWS
Do your personnel know how to secure cardholder data in AWS on a daily basis? PCI Requirement 12.4 establishes the requirement to ensure that the information security policy and procedures clearly define responsibilities for all personnel. Anyone with access to cardholder data in AWS has some level of security responsibility, and they must be aware of it. The PCI DSS guidance explains that without clearly defined security roles and responsibilities, security practices are likely to be inconsistent, which leads to the implementation or use of insecure or outdated technologies.
So you have a CDE, or systems in the CDE, and you have people working on them. Do those individuals know what they need to do on a daily or weekly basis? I am not really asking whether they know how to configure the equipment they run or perform their daily operations on, but whether their responsibilities are formalized and written down somewhere. PCI Requirement 12.4 says we have to ensure that the policies and procedures define these information security roles. If you have an admin who is responsible for the entire AWS cloud infrastructure, is he using the root account? He should not be. If you have a database admin working on your RDS, do they have access to the VPC or to Elasticsearch? Should they? This is what PCI Requirement 12.4 is getting at. We need to formalize it and document it.
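Once roles are documented, you can check that actual AWS activity matches them. The following is an added example, not part of the original post: it compares CloudTrail records against a documented role scope table, flagging root account usage and actions a role performs outside its documented services. The role scopes, account id and event records are all constructed for illustration.

```python
"""Audit CloudTrail events against documented role scopes (added example)."""
from typing import Dict, List, Set, Tuple

# Hypothetical documented responsibilities: role name -> AWS services the role
# is allowed to touch, expressed as the prefix of the CloudTrail eventSource
# (for example "rds.amazonaws.com" -> "rds").
ROLE_SCOPES: Dict[str, Set[str]] = {
    "DatabaseAdmin": {"rds", "logs"},   # works on RDS only, no VPC/Elasticsearch
    "NetworkAdmin": {"ec2", "logs"},    # VPC/security groups live under ec2
}

# Constructed CloudTrail records (trimmed to the fields the check uses).
SAMPLE_EVENTS: List[dict] = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DatabaseAdmin/alice"}},
    {"eventSource": "es.amazonaws.com", "eventName": "DescribeElasticsearchDomain",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DatabaseAdmin/alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Contractor/bob"}},
]

Finding = Tuple[str, str, str, str]  # (code, identity, action, service)


def role_name(arn: str) -> str:
    """Extract RoleName from arn:aws:sts::<acct>:assumed-role/<RoleName>/<session>."""
    parts = arn.split("/")
    return parts[1] if len(parts) >= 2 else ""


def audit_events(events: List[dict],
                 scopes: Dict[str, Set[str]] = ROLE_SCOPES) -> List[Finding]:
    """Return findings for root usage, undocumented roles and out-of-scope actions."""
    findings: List[Finding] = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        service = ev.get("eventSource", "").split(".")[0]
        action = ev.get("eventName", "?")
        if ident.get("type") == "Root":
            findings.append(("ROOT_USED", "root", action, service))
        elif ident.get("type") == "AssumedRole":
            role = role_name(ident.get("arn", ""))
            if role not in scopes:
                findings.append(("UNDOCUMENTED_ROLE", role, action, service))
            elif service not in scopes[role]:
                findings.append(("OUT_OF_SCOPE", role, action, service))
    return findings
```

Feeding real CloudTrail JSON into `audit_events` only requires the `userIdentity`, `eventSource` and `eventName` fields, which every record carries.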