
Requirement 8.1.1 of PCI DSS states:

Assign all users a unique ID before allowing them to access system components or cardholder data.

Using Amazon IAM I can set up individual accounts for users so they do not need to log into the Amazon AWS console as the root account.

However, I don't believe IAM can be used to manage Linux and Windows credentials on the instances within our AWS account.

Does having root and administrator accounts running on our instances mean that we cannot meet this requirement using IAM? If need be we could put a policy in place stating that users do not log onto live instances and that the root and administrator accounts on these boxes are only used in order to alter the images (AMIs) that the instances are created from.

However, since the AMIs share the credentials with any instances created from them we cannot keep these private.

Installing an Active Directory server seems overkill in this situation and possibly unreliable due to the transitory nature of EC2 instances.

Mark
SilverlightFox

2 Answers


However, I don't believe IAM can be used to manage Linux and Windows credentials on the instances within our AWS account.

You can pretty much do this via OpsWorks for Linux instances. OpsWorks lets you register IAM users with a stack and then orchestrate creating their account and managing their public SSH key. You also have the option to let them manage their public SSH key if you want and control whether they have sudo privileges.

Does having root and administrator accounts running on our instances mean that we cannot meet this requirement using IAM?

There's an option in OpsWorks to launch instances without a default SSH key which I believe means the only way to log in is via one of the IAM users. This can make debugging a little bit difficult if any issues occur before the OpsWorks agent has started though.

I'm not an expert in PCI DSS though, so I'm not sure if there are any aspects of how OpsWorks manages instances which would prevent compliance.

thexacre
    A default SSH key doesn't necessarily violate PCI DSS as long as the key is assigned to a specific user and only that user has the corresponding private key. – freb Jan 06 '15 at 23:10

I asked whether you were using a VPC because I don't really think of that as very transitory. Certainly if you're aiming to be PCI certified you will want a central directory services system whether it's AD or LDAP. You can spin instances up or down rapidly, but you're creating subnets and assigning systems to those subnets. As an aside, it's more or less required in PCI to have the network segmentation.

To answer your specific question, shared logins are not acceptable as per 8.1.1. This is for accounts of any kind on systems or applications within your PCI scope. As it further expounds in the document you linked, this is for audit purposes. If users aren't uniquely identified, how can you determine who performed what action at a specific time?

theterribletrivium
  • Thanks. We have segmentation into subnets, and our system is also comprised of several VPCs. Some of the VPCs are created dynamically via code (these contain transitory instances). We wondered if there was another way of achieving this requirement - if we could use the logon to AWS as evidence that it was a certain user that logged onto a box during that time frame (I know some 3rd parties you can use with AWS offer something similar, like [GhostPorts](http://www.cloudpassage.com/press-releases/2012-06-12-Halo-Ghostports-SMS.html)). – SilverlightFox Jan 06 '15 at 09:03
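The audit problem the answer raises (who did what, when, if accounts are shared) can be checked on an instance directly. The following is an added example, not code from either answer or from AWS: it scans a constructed /etc/passwd for accounts that share a UID (a second UID-0 account is the classic shared-root case) and constructed sshd log lines for logins to accounts that identify no individual, plus accounts used from several source addresses, which hints that one credential is being passed around.

```python
import re
from collections import defaultdict

# Constructed sample /etc/passwd content (not taken from the page).
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""

# Constructed sshd log lines in the usual syslog format.
AUTH_LOG = """Jan  6 09:03:11 web1 sshd[2034]: Accepted publickey for root from 10.0.1.5 port 51234 ssh2
Jan  6 09:04:02 web1 sshd[2050]: Accepted publickey for alice from 10.0.1.7 port 51240 ssh2
Jan  6 09:05:40 web1 sshd[2071]: Accepted password for deploy from 10.0.1.9 port 51250 ssh2
Jan  6 09:06:13 web1 sshd[2082]: Accepted publickey for deploy from 10.0.1.11 port 51260 ssh2
"""

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def shared_uids(passwd_text):
    """Return {uid: [names]} for every UID that more than one account shares."""
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        by_uid[int(fields[2])].append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def shared_account_logins(log_text, shared_accounts=("root",)):
    """Return (user, source, method) for successful logins to accounts that identify no individual."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(2) in shared_accounts:
            hits.append((m.group(2), m.group(3), m.group(1)))
    return hits

def multi_source_logins(log_text):
    """Accounts logged into from more than one source address: a hint that the credential is shared."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sources[m.group(2)].add(m.group(3))
    return {user: sorted(addrs) for user, addrs in sources.items() if len(addrs) > 1}
```

On a real instance, feed it the contents of /etc/passwd and /var/log/auth.log (or /var/log/secure); the multi-source check is only a hint, since one person may legitimately connect from several addresses.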