AWS Cloud-Based Segmentation Testing
PCI DSS Requirement 11.4.5 requires segmentation testing to confirm that controls isolate the CDE from other network segments. In on-premises environments, this is commonly validated through physical network paths and access points. In cloud environments, segmentation testing relies on configuration review, logical network paths, and controlled access to cloud services.
In AWS environments, segmentation testing is often conducted alongside internal penetration testing, allowing both activities to be performed within the same access scope and testing window.
Prerequisites for AWS Segmentation Testing
1. Dedicated IAM Test User
Segmentation testing requires a dedicated IAM user created specifically for testing. This user should be:
- Non-administrative: Permissions must be limited to prevent configuration changes while still allowing identification of insecure configurations
- Scope-restricted: Access limited to systems and services included in the test scope
- Temporary: Credentials should be valid only for the duration of testing
This allows testers to review AWS configurations and access paths without introducing risk to production workloads.
2. Bastion Host or Container
A bastion host is required to provide controlled network access to in-scope systems within AWS.
Network placement:
- Deployed in a public subnet to allow tester access
- Configured with network access to private subnet resources included in scope
- Able to reach all CDE components subject to testing
Technical requirements:
- Linux-based operating system
- Sufficient CPU, memory, and disk space for penetration testing tools
- Clean system image to avoid conflicts with installed software
Access controls:
- SSH key-based authentication (public key supplied by the testing team)
- IP whitelisting limited to approved tester addresses
- Root or sudo access to install and configure testing tools
3. VPC Reachability Analyzer Access
AWS VPC Reachability Analyzer is required to validate network segmentation paths. It allows verification of whether traffic can flow between defined source and destination resources based on AWS network configuration.
This includes analysis of:
- Security groups
- Network ACLs
- Route tables
- Gateway and firewall paths
The IAM test user must have permission to run reachability analysis queries via API or console. Outputs from this tool are commonly used as evidence during PCI DSS assessments and are accepted by QSAs as part of segmentation validation.
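The controls listed above can be modelled offline to understand what a reachability verdict actually depends on. The following is an added example, not the AWS service's logic and not Tenendo's code: it evaluates a constructed two-subnet VPC (subnet addresses, hosts, rules and the ephemeral port range are all assumptions) in the order a path check has to, route table first, then the stateful security groups and the stateless NACLs in both directions.

```python
"""Offline model of the path checks the page attributes to Reachability Analyzer.

Added example: not the AWS service and not Tenendo's code. The VPC is
constructed (corporate subnet 10.0.1.0/24, CDE subnet 10.0.2.0/24). A trace
walks route table, source SG egress, NACL egress/ingress and destination SG
ingress, then the reply path, because NACLs are stateless.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed client port range for reply traffic

@dataclass
class Rule:
    proto: str             # "tcp" or "-1" (all protocols)
    ports: tuple           # (from, to); ignored when proto == "-1"
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; SG rules are always allow
    number: int = 0        # NACL rule number (evaluation order); unused for SGs

@dataclass
class Subnet:
    routes: dict           # destination CIDR -> target ("local", "igw-...", "blackhole")
    nacl_in: list
    nacl_out: list

@dataclass
class Host:
    name: str
    ip: str
    subnet: Subnet
    sg_in: list
    sg_out: list

def _matches(rule, proto, port, ip):
    proto_ok = rule.proto in ("-1", proto)
    port_ok = rule.proto == "-1" or rule.ports[0] <= port <= rule.ports[1]
    return proto_ok and port_ok and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)

def _sg_allows(rules, proto, port, ip):
    return any(_matches(r, proto, port, ip) for r in rules)  # stateful: any match permits

def _nacl_allows(rules, proto, port, ip):
    """NACLs are evaluated by rule number; the first match wins; default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, ip):
            return r.action == "allow"
    return False

def _nacl_allows_range(rules, proto, lo, hi, ip):
    """The verdict only changes at rule port boundaries, so probing them covers the range."""
    probes = {lo, hi}
    for r in rules:
        probes.update(p for p in (r.ports[0] - 1, r.ports[0], r.ports[1], r.ports[1] + 1)
                      if lo <= p <= hi)
    return all(_nacl_allows(rules, proto, p, ip) for p in probes)

def _route_target(subnet, ip):
    """Longest-prefix match over the subnet's route table."""
    addr, best = ipaddress.ip_address(ip), None
    for cidr, target in subnet.routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(src, dst, proto="tcp", port=443):
    """Return (reachable, stage); stage names the first control that blocks."""
    if _route_target(src.subnet, dst.ip) in (None, "blackhole"):
        return False, "route-table"
    if not _sg_allows(src.sg_out, proto, port, dst.ip):
        return False, "source-sg-egress"
    if not _nacl_allows(src.subnet.nacl_out, proto, port, dst.ip):
        return False, "source-nacl-egress"
    if not _nacl_allows(dst.subnet.nacl_in, proto, port, src.ip):
        return False, "destination-nacl-ingress"
    if not _sg_allows(dst.sg_in, proto, port, src.ip):
        return False, "destination-sg-ingress"
    if not _nacl_allows_range(dst.subnet.nacl_out, proto, *EPHEMERAL, src.ip):
        return False, "destination-nacl-egress(reply)"
    if not _nacl_allows_range(src.subnet.nacl_in, proto, *EPHEMERAL, dst.ip):
        return False, "source-nacl-ingress(reply)"
    return True, "reachable"

# Constructed topology: the CDE NACL admits 443 and 5432 from corporate, so the DB security group isolates the DB.
ANY = Rule("-1", (0, 65535), "0.0.0.0/0")
ANY_NACL = Rule("-1", (0, 65535), "0.0.0.0/0", number=100)
CORP = Subnet({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-corp"}, [ANY_NACL], [ANY_NACL])
CDE = Subnet({"10.0.0.0/16": "local"},
             nacl_in=[Rule("tcp", (443, 443), "10.0.1.0/24", number=100),
                      Rule("tcp", (5432, 5432), "10.0.1.0/24", number=110),
                      Rule("-1", (0, 65535), "10.0.2.0/24", number=120)],
             nacl_out=[Rule("tcp", EPHEMERAL, "10.0.1.0/24", number=100),
                       Rule("-1", (0, 65535), "10.0.2.0/24", number=110)])
BASTION = Host("bastion", "10.0.1.20", CORP, [Rule("tcp", (22, 22), "203.0.113.10/32")], [ANY])
WEB = Host("cde-web", "10.0.2.5", CDE, [Rule("tcp", (443, 443), "10.0.1.0/24")], [ANY])
DB = Host("cde-db", "10.0.2.10", CDE, [Rule("tcp", (5432, 5432), "10.0.2.0/24")], [ANY])

if __name__ == "__main__":
    for s, d, p in ((BASTION, WEB, 443), (BASTION, DB, 5432), (BASTION, WEB, 22), (WEB, DB, 5432)):
        ok, stage = trace(s, d, "tcp", p)
        print(f"{s.name} -> {d.name}:{p} {'reachable' if ok else 'BLOCKED'} ({stage})")
```

The stage name is the useful output for a segmentation report: it tells the assessor which control is doing the isolating (here the database security group, not the NACL), and the reply-path check catches the case where a NACL admits the request but not the ephemeral-port reply.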
4. Read-Only AWS Console Access
Read-only access to the AWS Management Console is required for configuration review and use of assessment tools. This enables:
- Execution of configuration review tools (e.g., ScoutSuite)
- Review of service configurations across AWS accounts
- Validation of IAM policies and role assignments
- Review of logging and monitoring settings
Read-only permissions are sufficient for these activities and reduce the risk of unintended changes. These credentials can also be used for tools that rely on AWS APIs.
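Sections 1, 3 and 4 together describe a single IAM principal: read-only, able to run Reachability Analyzer, and bounded in time and source address. The following is an added example of such a policy, not Tenendo's code and not an AWS-published policy. The user name, tester CIDR and test window are assumptions; the action names, condition keys and managed-policy ARN are real IAM identifiers.

```python
"""Least-privilege IAM policy for a temporary PCI segmentation-test user.

Added example, not Tenendo's code and not an AWS-published policy. The user
name, tester CIDR and test window are assumptions; the action names,
condition keys and managed-policy ARN are real IAM identifiers.
"""
import json

# AWS managed policy that supplies the broad Describe/Get/List access.
READ_ONLY_MANAGED_POLICY = "arn:aws:iam::aws:policy/ReadOnlyAccess"

# Reachability Analyzer needs a few non-read actions on its own path/analysis
# objects; tiros:* are the actions the console invokes for the same feature.
REACHABILITY_ACTIONS = [
    "ec2:CreateNetworkInsightsPath", "ec2:StartNetworkInsightsAnalysis",
    "ec2:DescribeNetworkInsightsPaths", "ec2:DescribeNetworkInsightsAnalyses",
    "ec2:DeleteNetworkInsightsPath", "ec2:DeleteNetworkInsightsAnalysis",
    "tiros:CreateQuery", "tiros:GetQueryAnswer", "tiros:GetQueryExplanation",
]

# Data-plane reads a configuration review never needs. ReadOnlyAccess grants
# some of them (s3:Get* for instance), so they are denied explicitly.
# Illustrative list (assumption): extend it to the account's own data stores.
DATA_READ_ACTIONS = [
    "s3:GetObject", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters",
]

READ_PREFIXES = ("Describe", "Get", "List")


def _deny(sid, actions="*", condition=None):
    stmt = {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


def build_inline_policy(tester_cidrs, window_start, window_end):
    """Return the inline policy (dict) to attach alongside ReadOnlyAccess.

    window_start/window_end are ISO-8601 UTC strings ("2025-01-10T08:00:00Z").
    An explicit Deny wins over every Allow, including the managed policy, so
    the user is inert outside the window or from an unapproved address. If API
    tools run on the bastion, its public (NAT) address must be in tester_cidrs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReachabilityAnalyzerInWindow",
                "Effect": "Allow",
                "Action": REACHABILITY_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {"aws:CurrentTime": window_start},
                    "DateLessThan": {"aws:CurrentTime": window_end},
                    "IpAddress": {"aws:SourceIp": tester_cidrs},
                },
            },
            _deny("DenyBeforeWindow", condition={"DateLessThan": {"aws:CurrentTime": window_start}}),
            _deny("DenyAfterWindow", condition={"DateGreaterThan": {"aws:CurrentTime": window_end}}),
            _deny("DenyUnapprovedSourceIp", condition={"NotIpAddress": {"aws:SourceIp": tester_cidrs}}),
            _deny("DenyCardholderDataReads", actions=DATA_READ_ACTIONS),
        ],
    }


def non_read_allows(policy):
    """Every allowed action that is not a Describe/Get/List call.

    Review this before attaching the policy: it is the complete set of
    write-capable actions the tester will hold, and each one needs a reason.
    """
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        for action in [actions] if isinstance(actions, str) else actions:
            if not action.split(":", 1)[-1].startswith(READ_PREFIXES):
                found.append(action)
    return found


if __name__ == "__main__":
    policy = build_inline_policy(["203.0.113.10/32"],
                                 "2025-01-10T08:00:00Z", "2025-01-12T18:00:00Z")
    print(json.dumps(policy, indent=2))
    print("non-read actions to justify:", non_read_allows(policy))
    # Applying it with the AWS CLI (hypothetical user name):
    #   aws iam create-user --user-name pci-segtest
    #   aws iam attach-user-policy --user-name pci-segtest \
    #       --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
    #   aws iam put-user-policy --user-name pci-segtest \
    #       --policy-name SegTestBounds --policy-document file://policy.json
```

The point of `non_read_allows` is that "read-only plus Reachability Analyzer" is not literally read-only: the analyser creates and deletes its own path and analysis objects, and that short list is exactly what the change-control record for the test user should name.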
Setup Process
A typical setup includes:
- Creating an IAM test user with permissions for read-only access and VPC Reachability Analyzer
- Deploying a bastion host in a public subnet with access to in-scope private resources
- Exchanging SSH public keys with the testing team
- Restricting bastion host access by IP address
- Providing AWS access keys for console and API-based testing tools
Security Controls During Testing
Testing access should be controlled and monitored:
- Time limits: Enable access only for the approved testing period
- Logging: Ensure CloudTrail is enabled for all test user activity
- Segregation: Prevent access to production data and write permissions
- Credential handling: Share credentials using secure channels only
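The time-limit, logging and segregation controls above can be verified against CloudTrail during and after the engagement. The following is an added example, not Tenendo's code: the records are constructed in CloudTrail's event shape, and the user name, test window, approved addresses and the set of expected write calls are assumptions.

```python
"""Review CloudTrail records for a segmentation-test user against the agreed
controls: the test window, the approved source addresses, and no write calls
beyond the ones its policy grants.

Added example, not Tenendo's code. The records below are constructed in the
CloudTrail event shape (eventTime, eventName, sourceIPAddress, userIdentity,
readOnly, errorCode); user name, window and CIDRs are assumptions.
"""
import ipaddress
from datetime import datetime, timezone

READ_PREFIXES = ("Describe", "Get", "List")

# Writes the test user's policy deliberately permits (Reachability Analyzer).
EXPECTED_WRITES = {
    "CreateNetworkInsightsPath", "StartNetworkInsightsAnalysis",
    "DeleteNetworkInsightsPath", "DeleteNetworkInsightsAnalysis",
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _is_write(event):
    """CloudTrail sets readOnly for most services; fall back to the name prefix."""
    if "readOnly" in event:
        return not event["readOnly"]
    return not event["eventName"].startswith(READ_PREFIXES)


def review(events, user_name, window_start, window_end, tester_cidrs,
           expected_writes=EXPECTED_WRITES):
    """Return (eventID, reason) findings for the named IAM user's events."""
    start, end = _parse(window_start), _parse(window_end)
    nets = [ipaddress.ip_network(c) for c in tester_cidrs]
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") != user_name:
            continue
        if not start <= _parse(ev["eventTime"]) <= end:
            findings.append((ev["eventID"], "outside approved window"))
        try:
            src_ok = any(ipaddress.ip_address(ev["sourceIPAddress"]) in n for n in nets)
        except ValueError:  # e.g. "AWS Internal" or a service principal string
            src_ok = False
        if not src_ok:
            findings.append((ev["eventID"], "unapproved source address"))
        name = ev["eventName"]
        if _is_write(ev) and name not in expected_writes:
            if ev.get("errorCode") == "AccessDenied":
                findings.append((ev["eventID"], f"denied write attempt: {name}"))
            else:
                findings.append((ev["eventID"], f"unexpected write: {name}"))
    return findings


def _ev(i, time, name, src, read_only, user="pci-segtest", error=None):
    """Build a constructed CloudTrail-shaped record (sample data, not real logs)."""
    ev = {"eventID": f"ev-{i}", "eventTime": time, "eventName": name,
          "sourceIPAddress": src, "readOnly": read_only,
          "userIdentity": {"type": "IAMUser", "userName": user}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    _ev(1, "2025-01-10T09:12:33Z", "DescribeSecurityGroups", "203.0.113.10", True),
    _ev(2, "2025-01-10T09:15:02Z", "StartNetworkInsightsAnalysis", "203.0.113.10", False),
    _ev(3, "2025-01-10T10:01:40Z", "AuthorizeSecurityGroupIngress", "203.0.113.10", False,
        error="AccessDenied"),
    _ev(4, "2025-01-11T14:20:11Z", "DescribeInstances", "198.51.100.7", True),
    _ev(5, "2025-01-13T07:45:00Z", "ListBuckets", "203.0.113.10", True),
    _ev(6, "2025-01-11T16:02:58Z", "CreateSecurityGroup", "203.0.113.10", False),
    _ev(7, "2025-01-11T11:00:00Z", "CreateUser", "203.0.113.10", False, user="platform-admin"),
]

if __name__ == "__main__":
    for event_id, reason in review(SAMPLE_EVENTS, "pci-segtest",
                                   "2025-01-10T08:00:00Z", "2025-01-12T18:00:00Z",
                                   ["203.0.113.10/32"]):
        print(event_id, reason)
    # Live data for the same review (real AWS CLI command, 90-day retention):
    #   aws cloudtrail lookup-events \
    #       --lookup-attributes AttributeKey=Username,AttributeValue=pci-segtest
```

A denied write attempt is reported separately from a successful one: the former shows the policy boundary held and is normal for a tester probing permissions, while the latter means the policy was wider than agreed and the change needs to be reviewed.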
For organizations requiring assistance with PCI DSS segmentation testing in cloud environments, Tenendo’s penetration testing team has experience conducting assessments across AWS, Azure, and GCP infrastructures.