AWS CloudFront | PCI Compliance | Steps for Auditing

Steps for Auditing PCI Compliance with AWS CloudFront

Q: Your company currently has a web distribution hosted using the AWS CloudFront service.The IT Security department has confirmed that the application using this web distribution now falls under the scope of PCI (Payment Card Industry) compliance.What are the necessary steps to be followed before auditing? (SELECT TWO)

Enable CloudFront access logs.Capture requests that are sent to the CloudFront API.

Prev Question Next Question

Question

Your company currently has a web distribution hosted using the AWS CloudFront service.

The IT Security department has confirmed that the application using this web distribution now falls under the scope of PCI (Payment Card Industry) compliance.

What are the necessary steps to be followed before auditing? (SELECT TWO)

Answers

A. Enable CloudFront access logs.

B. Enable Cache in CloudFront.

C. Capture requests that are sent to the CloudFront API.

D. Enable VPC Flow Logs.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - A and C.

AWS Documentation mentions the following:

If you run PCI or HIPAA-compliant workloads based on the AWS Shared Responsibility Model, we recommend that you log your CloudFront usage data for the last 365 days for future auditing purposes.

Third-party auditors assess the security and compliance of Amazon CloudFront as part of multiple AWS compliance programs.

Option B is incorrect.

It helps to reduce latency.

Option D is incorrect.

VPC flow logs capture information about the IP traffic going to and from network interfaces in a VPC but not for CloudFront.

For more information on compliance with CloudFront, please visit the following URLs:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html https://aws.amazon.com/blogs/aws/pci-compliance-for-amazon-cloudfront/ https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SERVICENAME-compliance.html

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. If an application falls under the scope of PCI compliance, there are certain steps that need to be followed to ensure that the environment is secure. In this case, since the company is using AWS CloudFront for hosting its web distribution, the following two steps need to be taken:

Enable CloudFront access logs: Enabling access logs in CloudFront allows you to track all requests made to your distribution, including information about the source IP address, the user agent, and the response status. This is an important step in ensuring that you can monitor and audit all activity on your web distribution, which is necessary for PCI compliance.
Enable VPC Flow Logs: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. This feature can be used to monitor and audit traffic to and from your web distribution, which is necessary for PCI compliance.

Option B, enabling cache in CloudFront, is not related to PCI compliance. Option C, capturing requests that are sent to the CloudFront API, is also not necessary for PCI compliance as the API is not relevant to the web distribution being hosted. Therefore, the correct answers are A and D.

Prev Question Next Question