Understanding the "Deny All" Function
Creating an Access Control System
To comply with PCI Requirement 7.2, you are tasked with establishing an access control system that restricts access based on business need to know. This access control system must include “deny all” functionality. By starting out with “deny all” access for users rather than broad access, you are following best practices and the least privilege principle.
In AWS, an access control system is established through the IAM service. AWS IAM is how you manage access to AWS services and resources, and how you grant permissions to users and groups. IAM's policy evaluation logic also denies every request by default (an implicit deny) unless a policy explicitly allows it, which satisfies PCI Requirement 7.2.3. To learn more, see the policy evaluation logic section of the IAM User Guide.
When it comes to complying with PCI Requirement 7.2, you will need to demonstrate that you have implemented an access control system. In an AWS environment, that is IAM (Identity and Access Management). That is the system that governs which users and groups have access, and with what permissions, to the various resources within your AWS environment. IAM's default behavior is “deny all,” and that default is what you need to confirm is in effect. This is the principle of least privilege: you start with “deny all” rather than with access to everything. Access to everything is turned off, which is the “deny all,” and you then explicitly allow access only to the things that individuals and groups need to perform their job duties. When we select various roles and groups to evaluate their permissions, we will be looking to see that the way you have configured IAM matches your policies that state which users require which permissions.
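As an added illustration (not code from the original page or from AWS), the following Python is a simplified model of the IAM policy evaluation logic described above: a request is implicitly denied unless some statement explicitly allows it, and an explicit Deny always wins. It assumes a constructed least-privilege policy for an S3 read-only role and models identity-based policies only (no resource policies, permission boundaries, SCPs or condition keys).

```python
# Added example: simplified model of IAM's "deny all by default" evaluation.
# Assumption: only identity-based policy statements are evaluated, in the
# order explicit Deny > explicit Allow > implicit deny.
import fnmatch
import json

# Constructed sample policy: read-only access to one bucket, with an
# explicit Deny carving out the cardholder-data prefix.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/cardholder/*"}
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    """Wildcard match; IAM action names are case-insensitive, ARNs are not."""
    if fold:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold else p)
               for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    decision = "implicitDeny"  # the "deny all" starting point
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(stmt["Action"], action, fold=True)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny overrides any Allow
        decision = "allow"  # keep scanning: a later Deny can still win
    return decision
```

Any action or resource the policy never mentions, such as an EC2 call from this role, falls through to the implicit deny, which is the behavior an assessor checking Requirement 7.2.3 expects to see.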