Hi Tim,
As you rightly said, S3 is not executable, and the applicable requirements for S3 should be requirements 3.1, 3.4, & 3.6, and other storage-related requirements.
However, 5.1 can still be achieved with multiple AWS services like Amazon Inspector, CloudWatch, and CloudTrail, and many other services.
------------------------------
Teju Oyewole
Indigo Books & Musics
------------------------------
Original Message:
Sent: Jun 30, 2020 08:58:35 AM
From: Tim Albrecht
Subject: Amazon S3 and PCI-DSS Requirement 5
Does PCI-DSS Requirement 5 include object storage scanning? It is possible to upload malware from unknown third parties in many use cases. I am looking to put a position paper together around the necessity to scan objects and files as they are written to S3.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Although Amazon S3 is not executable, I would think the requirement would include object storage like S3 and Azure Blobs. Can someone help provide clarity?
What are your thoughts?
------------------------------
Tim Albrecht
GM Cloud Practice
------------------------------