In a recent question to the PCI DSS Guru, Chris asked:

“I am building an e-commerce application that must be PCI DSS compliant.  Our company has chosen to use Amazon Web Services (AWS) for our hosting.  Does using security groups in AWS meet the stateful inspection requirements of PCI DSS?”

That’s a great question, Chris.  As you probably already know, Amazon Web Services is a validated PCI DSS service provider.  Of course, this does not mean that you are automatically PCI DSS compliant because you are using AWS.  It does mean, however, that you may use AWS as one of the building blocks of your PCI DSS compliance program.  You are able to rely upon those AWS services that are part of the certification scope as components of your infrastructure.  These include, for example, EC2, S3, Glacier, RDS and VPC, some of the major services you are likely to use.  For a full list, read the AWS PCI DSS FAQ.  (BTW, if you understood all of those TLAs strung together, you qualify for a master’s degree in acronyms!)

Your specific question revolved around the firewall requirements of PCI DSS and, in particular, the provisions of PCI DSS requirement 1.3.6, which states that you must

“Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)”

If you are using security groups and VPCs, the good news is that, yes, AWS security groups do perform stateful inspection and, when properly configured to meet your business and security requirements, can be used to fulfill requirement 1.3.6.  For background on this, see the Amazon VPC Documentation, which contains a list of the basic characteristics of VPC security groups.  One of those reads:

“Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (security groups are therefore stateful).”

So it looks like you’re covered for this requirement.
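To make that characteristic concrete, here is an added illustration (not AWS code and not from the original post) that models how a security group tracks connections, using constructed addresses, ports and rules: the first packet of a flow must match a rule in its own direction, after which the reply direction is admitted from the flow table without any rule of its own, while an unsolicited packet on the same ports is dropped.

```python
# Toy model of AWS security-group connection tracking (added illustration, not AWS
# code). Rules are consulted only for the first packet of a flow; the reply direction
# is then allowed from the flow table regardless of rules in that direction, which is
# the "only established connections are allowed in" behaviour of PCI DSS 1.3.6.
from ipaddress import ip_address, ip_network

# A packet is (src_ip, src_port, dst_ip, dst_port); TCP is assumed throughout.
# A rule is (port, cidr): allow traffic to `port` where the remote side is in `cidr`.

class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()            # 4-tuples of flows already admitted by a rule

    def allow(self, direction, pkt):
        src, sport, dst, dport = pkt
        if (dst, dport, src, sport) in self.flows:
            return True               # reply to an established flow: no rule lookup
        remote = src if direction == "in" else dst
        rules = self.inbound if direction == "in" else self.outbound
        if any(dport == port and ip_address(remote) in ip_network(cidr)
               for port, cidr in rules):
            self.flows.add(pkt)       # first packet admitted: remember the flow
            return True
        return False

def demo():
    # Constructed addresses: web instance 10.0.2.10, load balancer 10.0.1.5, DB 10.0.3.20.
    web, lb, db = "10.0.2.10", "10.0.1.5", "10.0.3.20"
    sg = SecurityGroup(inbound=[(443, "10.0.1.0/24")],     # HTTPS only from the LB subnet
                       outbound=[(5432, "10.0.3.0/24")])   # PostgreSQL only to the DB subnet
    return {
        "https_in":          sg.allow("in",  (lb, 50000, web, 443)),   # True: matches rule
        "https_reply_out":   sg.allow("out", (web, 443, lb, 50000)),   # True: reply, no egress rule needed
        "unsolicited_db_in": sg.allow("in",  (db, 5432, web, 40000)),  # False: not established
        "db_out":            sg.allow("out", (web, 40000, db, 5432)),  # True: matches rule
        "db_reply_in":       sg.allow("in",  (db, 5432, web, 40000)),  # True: now established
        "internet_in":       sg.allow("in",  ("203.0.113.9", 1234, web, 443)),  # False: outside CIDR
    }
```

This models security groups only; VPC network ACLs are stateless and need explicit rules for return traffic, so they cannot on their own be pointed to for 1.3.6.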

I do strongly suggest that you obtain more information from Amazon about their PCI DSS compliance status.  Amazon has a PCI DSS Compliance Package available that was prepared by their Qualified Security Assessor (QSA) and contains all of the details you need to know to implement your PCI DSS activities within AWS in a compliant manner.  The package is not available on the web, but may be obtained directly from an AWS sales representative.