I noticed recently that Amazon got API Gateway and Lambda PCI-DSS certified. I would be interested to know what that implies regarding the isolated network consideration, specifically:

  • Is Amazon Lambda execution considered to be an isolated network, protected by a firewall?
  • Is Amazon Lambda fulfilling the server IP masking property?

In essence, I would:

  • Open an API allowing credit card processing over HTTPS with API Gateway
  • Encrypt this data inside a Lambda function, using the Key Management Service
  • Store the encrypted cards at rest in DynamoDB

Could this architecture be considered PCI-DSS compliant?

Pierre

1 Answer

I think using managed services is a great idea; it's more secure by default and lets you focus on providing the functionality.

Lambda functions can be isolated in a VPC, so the firewall requirements are taken care of. Req 1.3 asks for a DMZ, where there is no direct connection into the private CDE. This is generally done with a NAT and public and private subnets (reference here). Using the API Gateway may allow you to avoid that direct connection, but presumably you still need to call a payment processing gateway from your Lambda function; in that case you still need the NAT anyway, according to the AWS documentation:

When you add VPC configuration to a Lambda function, it can only access resources in that VPC. If a Lambda function needs to access both VPC resources and the public Internet, the VPC needs to have a Network Address Translation (NAT) instance inside the VPC.

I would also check that logging and code deployment are handled in a PCI compliant manner.

I'd also point out that the architecture, while important, is basically only 1/12th of becoming PCI compliant, so is not going to necessarily make a big difference in the scheme of things.

Richard
    This slideshare popped up a few days ago, not many details but at least provides some support to the idea of using serverless for PCI compliance: https://www.slideshare.net/AmazonWebServices/how-to-handle-pci-and-hipaa-compliance-with-serverless-architecture-srv214 – Richard Dec 20 '17 at 08:18
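The layout the answer describes (Lambda attached to a private subnet, outbound traffic to the payment processor only via a NAT gateway, no inbound path from the Internet) as an added Terraform example; it is not from the post or from AWS. The VPC, the public subnet holding the internet gateway route, the NAT's Elastic IP and the execution role are assumed to exist and are referenced by hypothetical names.

```hcl
# Added example, not from the post. Assumed to exist elsewhere: aws_vpc.cde,
# aws_subnet.public (has the internet gateway route), aws_eip.nat, aws_iam_role.lambda.

# Private subnet for the card-handling function: its route table has no
# internet gateway, so nothing on the Internet can reach the function's ENI.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.cde.id
  cidr_block = "10.0.2.0/24"
}

# NAT gateway in the public subnet: the only path from the private subnet to
# the payment processor, so outbound calls carry the NAT's address, not the function's.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.cde.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
# No ingress rules at all (API Gateway invokes Lambda through the service API,
# not over the VPC network); egress limited to HTTPS.
resource "aws_security_group" "lambda" {
  vpc_id = aws_vpc.cde.id
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_lambda_function" "card_intake" {
  function_name = "card-intake"
  role          = aws_iam_role.lambda.arn # must allow ENI creation (AWSLambdaVPCAccessExecutionRole)
  handler       = "handler.main"
  runtime       = "python3.12"
  filename      = "handler.zip"
  vpc_config {
    subnet_ids         = [aws_subnet.private.id]
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

A function configured this way has no public IP and no inbound route, which is what the question's "isolated network" and "server IP masking" points come down to; logging of the function and of the NAT (VPC Flow Logs) still has to be handled separately, as the answer notes.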