The Inner Circle

  • 1.  Amazon S3 and PCI-DSS Requirement 5

    Posted Jun 30, 2020 08:59:00 AM
    Does PCI-DSS Requirement 5 include object storage scanning? It is possible to upload malware from unknown third parties in many use cases. I am looking to put a position paper together around the necessity to scan objects and files as they are written to S3.

    5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

    Although Amazon S3 is not executable, I would think the requirement would include object storage like S3 and Azure Blobs. Can someone help provide clarity?

    What are your thoughts?

    ------------------------------
    Tim Albrecht
    GM Cloud Practice
    ------------------------------


  • 2.  RE: Amazon S3 and PCI-DSS Requirement 5

    Posted Jul 01, 2020 08:29:00 AM
    Hi Tim,
    As you rightly said, S3 is not executable, and the applicable requirements for S3 should be Requirements 3.1, 3.4, and 3.6, and other storage-related requirements.
    However, 5.1 can still be achieved with multiple AWS services like Amazon Inspector, CloudWatch, and CloudTrail, and many other services.

    ------------------------------
    Teju Oyewole
    Indigo Books & Musics
    ------------------------------



  • 3.  RE: Amazon S3 and PCI-DSS Requirement 5

    Posted Jul 06, 2020 05:21:00 AM
    Hi Teju,

    I don't think I understand your response. Requirement 5 is specific to antivirus. None of the AWS services referenced include antimalware or antivirus scanning, and hence the Requirement is not being addressed.

    Please explain.

    Tim

    ------------------------------
    Tim Albrecht
    GM Cloud Practice
    Cloud Storage Security
    ------------------------------



  • 4.  RE: Amazon S3 and PCI-DSS Requirement 5

    Posted Jul 07, 2020 08:59:00 AM
    Hi Tim,
    PCI DSS is very explicit in its requirements. Requirement 5 addresses anti-virus, but that does not mean all the PCI components are commonly affected by malicious software. However, a merchant can perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. In this case, S3 is a storage bucket; it does not require a running anti-virus, but it can be monitored for any zero-day vulnerabilities, and that is the purpose of AWS services like Amazon Inspector, CloudWatch, and CloudTrail, and many other services.
    For more information about the anti-virus requirement, please read further on Requirement 5.1.2.
    Furthermore, please understand the statement in 5.1 as well: "Deploy anti-virus software on all systems COMMONLY affected by malicious software (particularly personal computers and servers)."
    You can see the bolded and upper-case word.

    Amazon Web Services is responsible for the deployment and management of antivirus and antimalware solutions on AWS managed services such as Amazon RDS, Amazon ECS, and AWS Fargate. Customers inherit the security and compliance provided by the AWS PCI DSS assessment for AWS managed operating systems. Customers are responsible for configuring and running appropriate antivirus software on any applicable EC2 instance to which they have access and for which they are responsible for the underlying operating system. The AWS Marketplace offers numerous products for customer consumption.

    EC2 is a compute service while S3 is storage.
    I hope I'm explicit enough.

    Thanks


    ------------------------------
    Teju Oyewole
    Indigo Books & Musics
    ------------------------------

