Trend Micro Cloud One™

Check for non-compliant PCI DSS AWS services and resources

Cloud Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 500 automated best practice checks.

Last updated: 21 July 2019

Ensure that all AWS services and resources used by the e-commerce applications running within your AWS account are PCI DSS compliant, in order to maintain a secure environment for storing, processing and transmitting credit card information. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, an organization originally formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. with the goal of managing the ongoing evolution of the standard. PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers and service providers. The PCI DSS is authorized by the card brands and administered by the Payment Card Industry Security Standards Council.

As a customer who uses AWS products and services to store, process or transmit cardholder data, you can rely on the AWS cloud infrastructure as you manage your own PCI DSS compliance certification. Amazon Web Services does not directly store, transmit or process any customer cardholder data (CHD), but you can create your own cardholder data environment (CDE) that stores, transmits or processes cardholder data using AWS products. Since security and compliance are a shared responsibility between AWS and its customers, customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their application environment, and applicable laws and regulations. Therefore, you can obtain PCI DSS compliance for your e-commerce websites and applications using only PCI DSS-eligible AWS services and resources, such as those in the following list.

Amazon API Gateway
Amazon Athena
Amazon Cloud Directory
Amazon CloudFront
Amazon CloudWatch Logs
Amazon Cognito
Amazon Comprehend
Amazon Connect
Amazon DocumentDB (with MongoDB compatibility)
Amazon DynamoDB
Amazon ElastiCache for Redis
Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Service (ECS) - including both Fargate and EC2 launch types
Amazon Elastic Container Service for Kubernetes (EKS)
Amazon Elastic Block Store (EBS)
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic MapReduce
Amazon Elastic File System (EFS)
Amazon Elasticsearch Service
Amazon FreeRTOS
Amazon FSx
Amazon Glacier
Amazon GuardDuty
Amazon Inspector
Amazon Kinesis Data Analytics
Amazon Kinesis Data Streams
Amazon Kinesis Data Firehose
Amazon Kinesis Video Streams
Amazon Macie
Amazon MQ
Amazon Neptune
Amazon Polly
Amazon Quicksight
Amazon Redshift
Amazon Rekognition
Amazon Relational Database Service (RDS) - including Amazon Aurora
Amazon Route 53
Amazon S3 Transfer Acceleration
Amazon SageMaker
Amazon SimpleDB
Amazon Simple Queue Service (SQS)
Amazon Simple Storage Service (S3)
Amazon Simple Notification Service (SNS)
Amazon Simple Workflow Service (SWF)
Amazon Transcribe
Amazon Translate
Amazon Virtual Private Cloud (VPC)
Amazon WorkDocs
Amazon WorkSpaces
Amazon Auto Scaling
Amazon AppSync
Amazon Backup
Amazon Batch
Amazon Certificate Manager (ACM)
Amazon CodeBuild
Amazon CodeCommit
Amazon CloudFormation
Amazon CloudHSM
Amazon CloudTrail
Amazon Config
Amazon Database Migration Service
Amazon DataSync
Amazon Direct Connect
Amazon Directory Service for Microsoft and AD Connector
Amazon Elastic Beanstalk
Amazon Elemental MediaConnect
Amazon Firewall Manager
Amazon Global Accelerator
Amazon Glue
Amazon IoT Greengrass
Amazon Identity & Access Management (IAM)
Amazon IoT Core - including Device Management
Amazon Key Management Service
Amazon Lambda
Amazon Lambda@Edge
Amazon Managed Services
Amazon OpsWorks CM - including Chef Automate and Puppet Enterprise
Amazon OpsWorks Stacks
Amazon RoboMaker
Amazon Secrets Manager
Amazon Serverless Application Repository
Amazon Server Migration Service (SMS)
Amazon Service Catalog
Amazon Shield
Amazon Snowball
Amazon Snowball Edge
Amazon Snowmobile
Amazon Step Functions
Amazon Storage Gateway
Amazon Systems Manager
Amazon Transfer for SFTP
Amazon WAF
Amazon X-Ray
Amazon Elastic Load Balancing
Amazon VM Import/Export

Verify the updated list of AWS services and resources that support PCI DSS requirements before you design, create, modify or upgrade your PCI-compliant application environment inside your AWS account. An example of a non-compliant service is Amazon CloudSearch, a fully managed service that makes it easy to set up, manage and scale a search solution for your website or application: Amazon CloudSearch resources are not PCI DSS compliant at this moment. Because these types of AWS resources are not yet eligible, your cloud application will fail to achieve PCI DSS compliance as long as it is processing or transmitting cardholder data (CHD) using Amazon CloudSearch resources. Therefore, Cloud Conformity strongly recommends terminating any non-compliant resources (e.g. Amazon CloudSearch search domains) in order to obtain PCI DSS compliance within your AWS account. To help your organization maintain PCI DSS compliance, Cloud Conformity monitors your Amazon Web Services account in real time and sends notification alerts as soon as an AWS resource is created outside the PCI data security standard.
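As an added illustration of the real-time check described above (example code written for this page, not Cloud Conformity's own implementation): a Python function that scans CloudTrail records and flags every resource creation performed by a service absent from the eligible list, such as an Amazon CloudSearch domain. The eventSource-to-service mapping, the creation-prefix heuristic and the sample records are assumptions constructed for the example.

```python
import json

# Subset of the page's PCI DSS-eligible service list, keyed by the CloudTrail
# eventSource each service writes; the mapping is this example's assumption.
PCI_ELIGIBLE_EVENT_SOURCES = {
    "ec2.amazonaws.com": "Amazon EC2",
    "s3.amazonaws.com": "Amazon S3",
    "rds.amazonaws.com": "Amazon RDS",
    "dynamodb.amazonaws.com": "Amazon DynamoDB",
}
# Creation-style API names; read-only calls (Describe*, List*) create nothing.
CREATE_PREFIXES = ("Create", "Run", "Put", "Launch")

def is_resource_creation(record: dict) -> bool:
    """True for a CloudTrail record that creates a resource."""
    if record.get("readOnly", False):
        return False
    return record.get("eventName", "").startswith(CREATE_PREFIXES)

def find_non_eligible_creations(trail_json: str) -> list:
    """One finding per resource created by a service that is not on the
    eligible list, e.g. an Amazon CloudSearch domain."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        source = rec.get("eventSource", "")
        if not is_resource_creation(rec) or source in PCI_ELIGIBLE_EVENT_SOURCES:
            continue
        findings.append({"service": source.split(".")[0], "event": rec.get("eventName"),
                         "region": rec.get("awsRegion"), "time": rec.get("eventTime"),
                         "params": rec.get("requestParameters", {})})
    return findings

# Constructed CloudTrail log file (not captured from a real account).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-07-21T10:00:00Z", "eventSource": "cloudsearch.amazonaws.com",
     "eventName": "CreateDomain", "awsRegion": "us-east-1", "readOnly": False,
     "requestParameters": {"domainName": "cde-search"}},
    {"eventTime": "2019-07-21T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "readOnly": False,
     "requestParameters": {"instanceType": "t3.micro"}},
    {"eventTime": "2019-07-21T10:02:00Z", "eventSource": "cloudsearch.amazonaws.com",
     "eventName": "DescribeDomains", "awsRegion": "us-east-1", "readOnly": True},
]})

if __name__ == "__main__":
    for f in find_non_eligible_creations(SAMPLE_TRAIL):
        print(f"ALERT: {f['service']} {f['event']} in {f['region']}: {f['params']}")
```

Only the CloudSearch CreateDomain call is reported: the EC2 launch is from an eligible service and the DescribeDomains call is read-only, so neither creates an out-of-scope resource.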


Amazon Web Services is certified as a PCI DSS 3.2 Level 1 Service Provider. The PCI DSS Attestation of Compliance (AOC) and Responsibility Summary are available to customers through Amazon Artifact, a self-service portal for on-demand access to AWS compliance reports such as Payment Card Industry (PCI) and Service Organization Control (SOC) reports. In other words, AWS provides the protections needed to satisfy the PCI DSS security requirements, so that you can use PCI-compliant cloud services and resources to build e-commerce websites and applications that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD). However, not all AWS components are PCI DSS-eligible, and using services and resources that fail to comply with the Payment Card Industry (PCI) Data Security Standard (DSS) can lead to damaging financial and reputational effects, legal action, or even fines of between $5,000 and $100,000 per month for violating PCI DSS security rules.


Publication date Feb 4, 2019
