Automating PCI Compliance on AWS using Puppet

The Challenge

A customer who brought in a large pre-existing AWS environment had an upcoming PCI audit and requested that our Security team advise and assist in preparing for the audit. Because the Datapipe Security team had been active participants in developing our PCI compliance Puppet modules, they knew immediately we could deploy them and quickly prepare the instances for the audit. (More work would be required to audit Security Groups and IAM roles, and so on.) Our PCI compliance Puppet modules run every 30 minutes, automatically checking about 1,000 data points to ensure that the Linux server is secure and hardened against attack. Should anything be found to be insecurely configured, the Puppet agent will change that setting back to a hardened secure state immediately. For a human being to achieve this level of security on 1,000 servers, he or she would need to monitor 1,000 servers, each with 1,000 data points – a total of 1,000,000 data points every 30 minutes.
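To illustrate the enforcement loop described above, here is a minimal, hypothetical Puppet class added for this write-up; it is not Datapipe's PCI module and shows only a handful of the data points such a module would cover. It assumes the puppetlabs-stdlib module (for the file_line type) and an agent configured with runinterval = 30m in puppet.conf; the specific settings and file modes are representative hardening values, not taken from the page.

```puppet
# Added illustration of the drift-remediation pattern: every agent run
# re-checks each resource and corrects it if it has drifted.
# Hypothetical class; assumes puppetlabs-stdlib for file_line.
class pci_hardening_example {

  # Credential files must stay root-owned and unreadable by anyone else.
  # If an operator loosens the mode, the next run (30 minutes later) resets it.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0000',   # assumed hardened value (CIS-style on RHEL)
  }

  file { '/etc/gshadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0000',
  }

  # Enforce individual sshd settings without owning the whole file.
  # Each entry is one "data point": the line must exist with this value.
  $sshd_settings = {
    'PermitRootLogin'        => 'no',
    'PasswordAuthentication' => 'no',
    'X11Forwarding'          => 'no',
    'MaxAuthTries'           => '4',
  }

  $sshd_settings.each |String $key, String $value| {
    file_line { "sshd_config ${key}":
      path   => '/etc/ssh/sshd_config',
      line   => "${key} ${value}",
      # Replace an existing (possibly commented-out) directive in place.
      match  => "^#?${key}\\s",
      notify => Service['sshd'],
    }
  }

  # Keep sshd running and enabled; it restarts only when a setting
  # above was actually corrected, so a compliant host is left untouched.
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Running the agent with --noop against a drifted host reports each correction Puppet would make, which is a convenient way to see the "data points" a module checks before letting it enforce them.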

Deploying the Solution

The customer already had a pre-existing Puppet installation that was not managed by Datapipe. We jumped on a screen share with our automation counterparts at the customer offices and worked as a team to integrate our compliance modules with their pre-existing modules. This process took two days and was very successful. In addition, we worked with our software vendors to develop Puppet modules to ensure that third-party IDS, antivirus and patching agents were up to date and properly configured. After testing two exemplar instances, we handed off the test environment to quality assurance for a complete round of tests. We were now ready for the audit.

The Takeaway

While Datapipe's Security team is well versed in preparing Linux servers for PCI compliance, preparing over a thousand instances for a PCI audit is not a fast process. Each server needs to be scanned and reported on, the reports need to be read and analyzed and the problems need to be remediated one by one. That's why we quickly decided to deploy our already-written Puppet module. At this scale, it makes a great deal of sense to automate hardening the servers.

This customer certainly had the skill set to develop PCI compliance modules on its own, but its developers' bandwidth was taken up by other tasks. Lucky for them, they had already partnered with Datapipe, who had the modules ready to go! A bit of integration and testing here and there, and we have over a thousand AWS instances fully in compliance for PCI DSS in the space of a 5-minute Puppet run. What's even better, Puppet will continue to run every 30 minutes, ensuring that the server stays in compliance and does not require manual remediation in the future.