Overview
A client operating in a regulated industry needed a cloud infrastructure that could pass PCI DSS compliance audits while maintaining high availability and secure connectivity between their on-premises data center and AWS. The solution had to enforce strict network segmentation, encrypt all sensitive data, and provide a complete, auditable trail of every action taken within the environment.
The Challenge
PCI DSS compliance on AWS is not simply a matter of enabling the right services. It requires a defensible architecture that satisfies multiple requirement domains — from network segmentation and access control to logging, monitoring, and cryptographic key management. The architecture had to support both internet-facing users and a secure Site-to-Site VPN connection from the client’s on-premises data center.
Architecture
The solution is deployed in AWS us-east-1 with a VPC segmented into public and private subnets, connected to the client’s on-premises environment via a Site-to-Site VPN through a VPN Gateway and Customer Gateway.
Network Layer
- AWS Network Firewall in the public subnet as the primary traffic inspection point
- Application Load Balancer (ALB) and AWS WAF in the private subnet for application-layer protection and web traffic filtering
- NAT Gateway for controlled outbound internet access from private resources
- Internet Gateway for public-facing traffic
- Site-to-Site VPN for encrypted connectivity to the customer data center
Compute
- EC2 instances in the private subnet, isolated from direct internet exposure and accessible only through the ALB/WAF layer
Security & Compliance
- AWS KMS for encryption key management across all data at rest
- AWS Certificate Manager (ACM) and Private Certificate Authority for TLS certificate management
- AWS Secrets Manager for secure credential storage
- AWS CloudWatch for real-time monitoring and alerting
- AWS CloudTrail for a complete, tamper-evident audit log of all API activity
- AWS Config for continuous compliance rule evaluation and configuration drift detection
Outcome
The architecture passed PCI DSS compliance evaluation with zero critical findings. The layered security model — combining network-level firewall inspection, application-layer WAF filtering, encryption at rest and in transit, and continuous compliance monitoring — gave the client both a strong security posture and the audit evidence required to demonstrate it.