Encrypting Traffic In and Out of AWS
Protect CHD Across Open Networks
PCI Requirement 4 states, “Encrypt transmission of cardholder data across open, public networks.” In AWS environments, there are several ways to meet this encryption requirement. AWS recommends controls such as:
- CloudFront, API Gateway, and Elastic Load Balancing, which support transport encryption at TLS 1.1 or higher
- Security groups and network ACLs that block the use of insecure protocols
- CloudFront’s field-level encryption, used in conjunction with HTTPS
- Customer gateways, virtual private gateways, transit gateways, and VPN connections, which set up encrypted VPN tunnels into an Amazon VPC
Whichever AWS capability you use, you must ensure that strong encryption is in place and that your policies support it.
Requirement 4 of the PCI Data Security Standard says that you must encrypt cardholder data across open, public networks. This means you cannot allow unencrypted traffic into your AWS instances, and you also cannot allow it to leave your environment across the open, public Internet. You achieve this by applying security policies in your environment, using the services AWS provides, to enforce strong encryption. For example, you can enforce TLS 1.2 by configuring the relevant security policies on CloudFront, API Gateway, and Elastic Load Balancing. You can use security groups and network access control lists to block insecure protocols from entering your environment.
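As an added example (not from the original page or from AWS), the following Python performs an offline check of the three settings discussed above, evaluated over resource descriptions in the shape boto3 returns for a CloudFront distribution config, ELBv2 listeners and an EC2 security group. The TLS 1.2 policy allowlists and the cleartext-port set are assumptions to extend for your own account, and the sample inputs are constructed.

```python
# CloudFront ViewerCertificate.MinimumProtocolVersion values that require TLS 1.2+.
CLOUDFRONT_TLS12 = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}
# ELB predefined SSL policies pinned to TLS 1.2+ (allowlist, non-exhaustive; the
# older default "ELBSecurityPolicy-2016-08" still negotiates TLS 1.0 and 1.1).
ELB_TLS12 = {"ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
             "ELBSecurityPolicy-FS-1-2-Res-2020-10", "ELBSecurityPolicy-TLS13-1-2-2021-06"}
# Cleartext ports a security group should not expose publicly (assumed set for the example).
CLEARTEXT_PORTS = {21, 23, 80}

def check_cloudfront(dist_id: str, config: dict) -> list:
    """Flag a distribution whose minimum viewer TLS version is below 1.2."""
    version = config.get("ViewerCertificate", {}).get("MinimumProtocolVersion", "")
    if version not in CLOUDFRONT_TLS12:
        return [f"cloudfront {dist_id}: MinimumProtocolVersion={version!r} allows TLS < 1.2"]
    return []

def check_elb_listeners(listeners: list) -> list:
    """Flag plaintext HTTP listeners and HTTPS listeners not pinned to TLS 1.2+."""
    findings = []
    for lst in listeners:
        arn, proto, policy = lst["ListenerArn"], lst["Protocol"], lst.get("SslPolicy")
        if proto == "HTTP":
            findings.append(f"elb {arn}: plaintext HTTP listener on port {lst['Port']}")
        elif proto == "HTTPS" and policy not in ELB_TLS12:
            findings.append(f"elb {arn}: SslPolicy={policy!r} is not pinned to TLS 1.2+")
    return findings

def check_security_group(sg: dict) -> list:
    """Flag inbound rules that expose cleartext ports (or all traffic) to 0.0.0.0/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue
        lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
        exposed = sorted(p for p in CLEARTEXT_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"sg {sg['GroupId']}: cleartext ports {exposed} open to 0.0.0.0/0")
    return findings

# Constructed sample input (not from a real account), in the shape boto3 returns.
SAMPLE_CF = {"ViewerCertificate": {"MinimumProtocolVersion": "TLSv1"}}
SAMPLE_LISTENERS = [{"ListenerArn": "lst-http", "Protocol": "HTTP", "Port": 80},
                    {"ListenerArn": "lst-https", "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"}]
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

def run_samples() -> list:
    """Run all three checks over the constructed samples and return the findings."""
    return check_cloudfront("EXAMPLE", SAMPLE_CF) + check_elb_listeners(SAMPLE_LISTENERS) + check_security_group(SAMPLE_SG)
```

Feed the same functions the output of `get_distribution_config`, `describe_listeners` and `describe_security_groups` to audit a live account.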