I. Introduction.

Many of my customers, who have extensive experience with traditional on-premise segmentation testing, often ask me:

“Why do you need read-only access to our AWS environment? We never had to provide this for on-premise segmentation testing.”

It’s a valid question. In the old days, segmentation testing was relatively straightforward—you had physical firewalls, VLANs, and isolated subnets that could be tested externally with simple network scans and controlled penetration testing. If a firewall blocked access, segmentation was proven.

However, cloud environments like AWS work differently. Segmentation isn’t just about firewalls anymore—it’s about IAM policies, VPC configurations, security groups, cross-account roles, Lambda execution permissions, S3 bucket policies, Kubernetes namespaces, and more. These controls aren’t visible from the outside, and testing them requires internal verification.

This article outlines 10 common segmentation violations that illustrate why AWS read-only access is necessary for accurate segmentation testing. These are real-world scenarios that could put PCI compliance at risk if not properly assessed.

II. Common Segmentation Violations in AWS.

1. Shared VLANs and Subnets

  • AWS VPCs with insufficient segmentation between PCI in-scope and out-of-scope environments.
  • Overlapping CIDR ranges allowing unintended access.
  • Insufficient security group policies allowing broad access.

2. Misconfigured AWS IAM Roles and Policies

  • Overly permissive IAM policies allowing cross-account access.
  • Shared IAM roles with excessive privileges, leading to lateral movement risks.
  • Lack of IAM boundary enforcement between PCI-scoped and non-PCI environments.

3. Unsegmented AWS Accounts in an Organization

  • AWS Organizations with accounts that should be segmented but are not.
  • Shared IAM users across multiple accounts with unnecessary permissions.
  • Improper SCP (Service Control Policy) configurations allowing unwanted access.

4. Overly Permissive S3 Bucket Policies

  • S3 buckets with open access or broad IAM policies allowing external access.
  • Lack of bucket policy restrictions to ensure the least privilege for PCI data.
  • Insecure cross-account sharing of PCI-relevant data.

5. Cross-Account AWS Resource Sharing

  • VPC peering between PCI and non-PCI AWS accounts without proper segmentation.
  • Misconfigured AWS PrivateLink allowing unauthorized access to PCI data.
  • Uncontrolled AWS Transit Gateway usage creating unintended connections.

6. Poorly Configured AWS Security Groups and NACLs

  • Security Groups allowing unrestricted inbound/outbound access from non-PCI systems.
  • Inconsistent use of Network ACLs (NACLs) for VPC segmentation.
  • Overuse of 0.0.0.0/0 rules, increasing exposure to attacks.

7. Lack of Segmentation in AWS Lambda and Serverless Services

  • AWS Lambda functions having unrestricted access to PCI-scoped services.
  • Inadequate IAM role segregation between Lambda functions and EC2 instances.
  • Misconfigured API Gateway allowing open access to PCI data.

8. Overly Permissive AWS ECS/EKS/Kubernetes Configurations

  • Shared Kubernetes namespaces between PCI and non-PCI workloads.
  • Inadequate pod security policies allowing unrestricted cross-pod communication.
  • Lack of proper network policies for PCI segmentation in AWS EKS.

9. Unrestricted Database Connectivity

  • RDS instances allowing unrestricted inbound traffic from non-PCI segments.
  • No VPC Endpoint or PrivateLink restrictions for database access.
  • Improper AWS Secrets Manager use leading to data leakage.

10. Misconfigured AWS VPC Peering and Transit Gateway

  • Direct peering between PCI and non-PCI VPCs without strict controls.
  • No proper routing table segmentation enforcing PCI DSS boundaries.
  • Use of AWS Transit Gateway for broad interconnectivity without clear isolation.

III. AWS CLI/Console Access Justification

To perform segmentation testing effectively, read-only AWS CLI/Console access would be required to:

  • Review AWS IAM policies (aws iam list-policies, aws iam get-policy).
  • Audit security groups and NACLs (aws ec2 describe-security-groups, aws ec2 describe-network-acls).
  • Inspect VPC Peering and Transit Gateway configs (aws ec2 describe-vpc-peering-connections, aws ec2 describe-transit-gateway-attachments).
  • Check bucket policies (aws s3api get-bucket-policy).
  • Verify database security settings (aws rds describe-db-instances).
  • Analyze Kubernetes namespace segregation in AWS EKS (kubectl get namespaces, kubectl describe networkpolicy).
  • Assess Lambda execution permissions (aws lambda get-policy).

IV. Sample checklists and basic AWS CLI commands

1. Shared VLANs and Subnets (VPC Segmentation)

Checklist:

  • Ensure separate VPCs for PCI and non-PCI workloads.
  • Verify route table rules to prevent unintended connections.
  • Confirm no overlapping CIDR ranges between PCI and non-PCI environments.
  • Validate Network ACLs (NACLs) blocking unnecessary traffic.

Commands:

# List all VPCs and check CIDR blocks
aws ec2 describe-vpcs --query "Vpcs[*].{VPC_ID:VpcId,CIDR:CidrBlock}" --output table
# Show each route table with its VPC so routes between PCI and non-PCI VPCs can be attributed
aws ec2 describe-route-tables --query "RouteTables[*].{VpcId:VpcId,Routes:Routes[*].[DestinationCidrBlock,GatewayId,VpcPeeringConnectionId,TransitGatewayId]}"
# Verify NACL rules for segmentation, including which subnets each NACL is associated with
aws ec2 describe-network-acls --query "NetworkAcls[*].{VpcId:VpcId,Subnets:Associations[*].SubnetId,Entries:Entries}"
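The two findings the commands above are meant to surface (overlapping CIDR ranges and routes that cross the PCI boundary) can be checked mechanically once the JSON is saved. The script below is an added example, not code from the article; it embeds constructed `describe-vpcs` and `describe-route-tables` output and assumes a `Scope` tag marks each VPC as `pci` or `non-pci`, which is a hypothetical tagging convention.

```python
"""Added example: scan describe-vpcs / describe-route-tables output for
overlapping CIDR blocks and for routes that cross the PCI boundary."""
import ipaddress
import json

# Constructed sample output (not from a real account). The "Scope" tag is an
# assumed convention; substitute whatever marks PCI scope in your estate.
VPCS_JSON = """
{"Vpcs": [
  {"VpcId": "vpc-pci0001", "CidrBlock": "10.10.0.0/16", "Tags": [{"Key": "Scope", "Value": "pci"}]},
  {"VpcId": "vpc-corp001", "CidrBlock": "10.20.0.0/16", "Tags": [{"Key": "Scope", "Value": "non-pci"}]},
  {"VpcId": "vpc-dev0001", "CidrBlock": "10.10.128.0/17", "Tags": [{"Key": "Scope", "Value": "non-pci"}]}
]}
"""
ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-corp001", "VpcId": "vpc-corp001", "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.10.0.0/16", "VpcPeeringConnectionId": "pcx-0001"}
  ]},
  {"RouteTableId": "rtb-pci0001", "VpcId": "vpc-pci0001", "Routes": [
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}
  ]}
]}
"""


def tag(resource, key):
    """Value of an EC2 tag, or None when the tag is absent."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def load_vpcs(vpcs_json):
    """Return {VpcId: (ip_network, scope)} from describe-vpcs output."""
    return {v["VpcId"]: (ipaddress.ip_network(v["CidrBlock"]), tag(v, "Scope") or "unknown")
            for v in json.loads(vpcs_json)["Vpcs"]}


def overlapping_cidrs(vpcs):
    """Pairs of VPC IDs whose CIDR blocks overlap (sorted for stable output)."""
    ids = sorted(vpcs)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if vpcs[a][0].overlaps(vpcs[b][0])]


def cross_scope_routes(vpcs, route_tables_json):
    """Routes in a non-PCI VPC whose destination lies inside a PCI CIDR, plus
    default routes leaving a PCI VPC. Returns (route table id, destination, why)."""
    findings = []
    pci_nets = [net for net, scope in vpcs.values() if scope == "pci"]
    for rt in json.loads(route_tables_json)["RouteTables"]:
        src_scope = vpcs.get(rt["VpcId"], (None, "unknown"))[1]
        for route in rt["Routes"]:
            dest = route.get("DestinationCidrBlock")
            if not dest or route.get("GatewayId") == "local":
                continue  # local routes and non-IPv4 entries are not boundary crossings
            dest_net = ipaddress.ip_network(dest)
            if src_scope != "pci" and any(dest_net.overlaps(p) for p in pci_nets):
                findings.append((rt["RouteTableId"], dest, "non-PCI VPC routes into PCI CIDR"))
            if src_scope == "pci" and dest_net.prefixlen == 0:
                findings.append((rt["RouteTableId"], dest, "default route out of PCI VPC"))
    return findings


if __name__ == "__main__":
    vpcs = load_vpcs(VPCS_JSON)
    for pair in overlapping_cidrs(vpcs):
        print("CIDR overlap:", pair)
    for finding in cross_scope_routes(vpcs, ROUTE_TABLES_JSON):
        print("Route finding:", finding)
```

A route into a PCI CIDR is only a finding when the route table belongs to a VPC outside scope, so the VPC-to-scope mapping is what makes the route-table listing meaningful; that is why the `describe-route-tables` query above keeps `VpcId` beside the routes.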

2. Misconfigured AWS IAM Roles and Policies

Checklist:

  • Ensure IAM roles for PCI resources follow least privilege.
  • Check for wildcard permissions (*) in IAM policies.
  • Confirm no cross-account roles unless explicitly required.

Commands:

# List IAM roles
aws iam list-roles --query "Roles[*].RoleName"
# List managed policies so each one can be pulled with get-policy-version and reviewed
aws iam list-policies --query "Policies[*].{Policy:PolicyName,ARN:Arn,Scope:Scope}"
# Find inline user policies whose Allow statements grant every action (*)
# (Action may be a string or a list, so both forms are matched)
for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do
  for policy in $(aws iam list-user-policies --user-name "$user" --query 'PolicyNames' --output text); do
    aws iam get-user-policy --user-name "$user" --policy-name "$policy" \
      --query "PolicyDocument.Statement[?Effect=='Allow' && (Action=='*' || contains(to_array(Action), '*'))]"
  done
done
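The shell loop only catches a bare `*` in inline user policies. The script below is an added example, not code from the article, showing the fuller check a reviewer applies to any policy document pulled with `get-user-policy`, `get-role-policy` or `get-policy-version`: service-wide wildcards such as `s3:*`, `NotAction` grants, and `Resource: "*"` on a PCI role. The policy documents and their labels are constructed.

```python
"""Added example: find wildcard grants in IAM identity policy documents."""
import json

# Constructed policy documents keyed by an assumed "principal:policy" label.
POLICIES = {
    "role/pci-app:app-inline": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::pci-card-data/*"}]}""",
    "role/shared-ops:ops-inline": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}""",
    "user/dev-tools:dev-inline": """{"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}""",
    "role/reader:deny-inline": """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}""",
}


def as_list(value):
    """IAM accepts a string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(label, policy_json):
    """(label, statement index, reason) for every Allow statement that grants
    all actions, a service-wide wildcard, a NotAction grant, or Resource *."""
    findings = []
    for idx, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((label, idx, "Action * (full admin)"))
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append((label, idx, f"service-wide wildcard {action}"))
        if "NotAction" in stmt:
            findings.append((label, idx, "NotAction grants everything not listed"))
        if "*" in resources:
            findings.append((label, idx, "Resource * (not scoped to PCI resources)"))
    return findings


def scan(policies):
    """Run wildcard_findings over every document, in label order."""
    return [f for label, doc in sorted(policies.items()) for f in wildcard_findings(label, doc)]


if __name__ == "__main__":
    for finding in scan(POLICIES):
        print(finding)
```

The `Deny *` statement in the last document is deliberately ignored: a deny never widens access, and flagging it would bury the `NotAction` grant that follows it, which is the actual over-permission.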

3. Unsegmented AWS Accounts in an Organization

Checklist:

  • Check for non-PCI accounts accessing PCI resources.
  • Validate AWS Organizations SCP policies restricting access.
  • Confirm no shared IAM users across accounts.

Commands:

# List all AWS accounts under the organization
aws organizations list-accounts --query "Accounts[*].{ID:Id,Name:Name}"
# Check IAM trust relationships between accounts (which principals may assume each role)
aws iam list-roles --query "Roles[*].{Role:RoleName,Trust:AssumeRolePolicyDocument.Statement[*].Principal}"

4. Overly Permissive S3 Bucket Policies

Checklist:

  • Ensure PCI-related S3 buckets are not publicly accessible.
  • Verify no overly permissive bucket policies ("Principal": "*").
  • Check if S3 encryption and access logging are enabled.

Commands:

# List all S3 buckets
aws s3api list-buckets --query "Buckets[*].Name"
# Check the bucket policy (look for "Principal": "*" or "AWS": "*" without a restricting Condition)
aws s3api get-bucket-policy --bucket <bucket-name>
# Verify S3 encryption
aws s3api get-bucket-encryption --bucket <bucket-name>
# Check if S3 logging is enabled
aws s3api get-bucket-logging --bucket <bucket-name>

5. Cross-Account AWS Resource Sharing

Checklist:

  • Ensure PCI VPCs are not peered with non-PCI VPCs.
  • Confirm AWS PrivateLink services are used securely.
  • Check AWS Transit Gateway settings.

Commands:

# List VPC Peering connections
aws ec2 describe-vpc-peering-connections --query "VpcPeeringConnections[*].{Requester:RequesterVpcInfo.VpcId, Accepter:AccepterVpcInfo.VpcId, Status:Status.Code}"
# List Transit Gateway attachments
aws ec2 describe-transit-gateway-attachments --query "TransitGatewayAttachments[*].{ID:TransitGatewayAttachmentId, State:State, Type:ResourceType}"

6. Poorly Configured AWS Security Groups and NACLs

Checklist:

  • Ensure PCI security groups do not allow 0.0.0.0/0 inbound access.
  • Validate only necessary ports are open.
  • Check PCI systems are isolated via NACLs.

Commands:

# List all security groups
aws ec2 describe-security-groups --query "SecurityGroups[*].{Group:GroupName,ID:GroupId}"
# Security groups with an inbound rule open to 0.0.0.0/0, with the protocol and ports that rule opens
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]].{GroupId:GroupId,Name:GroupName,OpenPorts:IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']].[IpProtocol,FromPort,ToPort]}"
# Verify NACLs restricting access
aws ec2 describe-network-acls --query "NetworkAcls[*].Entries"

7. Lack of Segmentation in AWS Lambda and Serverless Services

Checklist:

  • Ensure Lambda functions have the least privilege IAM policies.
  • Confirm PCI-sensitive Lambda functions do not run in shared VPCs.
  • Check Lambda execution roles.

Commands:

# List all Lambda functions
aws lambda list-functions --query "Functions[*].FunctionName"
# Resource-based policy: who may invoke the function (the execution role itself is the Role field of get-function-configuration)
aws lambda get-policy --function-name <lambda-function-name>
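Sections 3, 4 and 7 all come down to the same question: which principals does a policy admit, and are any of them anonymous or from an account outside PCI scope? Role trust policies, S3 bucket policies and Lambda resource policies share one document format, so one reviewer applies to all three. The script below is an added example, not code from the article; the policy documents are constructed and the set of in-scope account IDs is an assumed input you would fill from `aws organizations list-accounts`.

```python
"""Added example: review trust policies, S3 bucket policies and Lambda
resource policies for anonymous or out-of-scope principals."""
import json
import re

# Assumed: account IDs that are PCI in scope (constructed values).
PCI_ACCOUNTS = {"111111111111"}

# Constructed policy documents as the CLI commands above would return them
# (after decoding the JSON string in the "Policy" field where applicable).
DOCS = {
    "role/pci-app (trust)": """{"Statement": [{"Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""",
    "role/pci-admin (trust)": """{"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"}]}""",
    "s3://pci-card-data": """{"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::pci-card-data/*"}]}""",
    "s3://pci-logs": """{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::pci-logs/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]}""",
    "lambda:pci-tokenizer": """{"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/pci-api"},
        "Action": "lambda:InvokeFunction"}]}""",
}

# Account ID from an IAM/STS ARN or from a bare 12-digit account principal.
ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):|^(\d{12})$")


def principals(stmt):
    """Flatten the Principal element into (kind, value) pairs."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for kind, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            pairs.append((kind, value))
    return pairs


def account_of(principal):
    """Account ID named by an AWS principal, or None if it has no account."""
    match = ACCOUNT_RE.match(principal)
    return (match.group(1) or match.group(2)) if match else None


def principal_findings(label, doc_json, pci_accounts):
    """(label, reason) for each Allow statement with a risky principal."""
    findings = []
    statements = json.loads(doc_json)["Statement"]
    for stmt in (statements if isinstance(statements, list) else [statements]):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, value in principals(stmt):
            if value == "*" and "Condition" not in stmt:
                findings.append((label, "anonymous principal without Condition"))
            elif value == "*":
                findings.append((label, "wildcard principal restricted only by Condition; review it"))
            elif kind == "AWS":
                account = account_of(value)
                if account and account not in pci_accounts:
                    findings.append((label, f"cross-account access from {account} (outside PCI scope)"))
    return findings


def scan(docs, pci_accounts=PCI_ACCOUNTS):
    """Review every document in label order."""
    return [f for label, doc in sorted(docs.items())
            for f in principal_findings(label, doc, pci_accounts)]


if __name__ == "__main__":
    for finding in scan(DOCS):
        print(finding)
```

Two practical notes: `get-bucket-policy` and `lambda get-policy` return the document as a JSON string inside the `Policy` field, so it needs a second `json.loads` before it matches the documents above; and a bucket policy is only one of the paths to public access, since ACL grants and the bucket's public access block settings (`aws s3api get-public-access-block`) also decide exposure and are not covered by this check.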

8. Overly Permissive AWS ECS/EKS/Kubernetes Configurations

Checklist:

  • Ensure PCI-related Kubernetes pods are in isolated namespaces.
  • Validate Kubernetes network policies enforce segmentation.
  • Check no unauthorized cross-namespace communication.

Commands:

# List all namespaces in EKS (for EKS Kubernetes Cluster via kubectl)
kubectl get namespaces
# Check network policies
kubectl get networkpolicy --all-namespaces
# Verify pod-to-pod communication restrictions
kubectl describe networkpolicy -n <namespace>
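Reading `kubectl describe networkpolicy` output by eye does not scale past a handful of namespaces. The script below is an added example, not code from the article; it parses constructed `kubectl get namespaces -o json` and `kubectl get networkpolicy -A -o json` output and reports PCI namespaces with no default-deny ingress policy, or with a policy that admits traffic from outside PCI scope. It assumes a `scope=pci` namespace label, which is a hypothetical convention.

```python
"""Added example: check PCI namespaces for a default-deny ingress policy and
for policies that admit traffic from non-PCI namespaces."""
import json

# Constructed kubectl output; the scope label is an assumed convention.
NAMESPACES_JSON = """{"items": [
  {"metadata": {"name": "payments", "labels": {"scope": "pci"}}},
  {"metadata": {"name": "reporting", "labels": {"scope": "pci"}}},
  {"metadata": {"name": "marketing", "labels": {"scope": "non-pci"}}}
]}"""

NETPOLS_JSON = """{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "allow-api", "namespace": "payments"},
   "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"scope": "pci"}}}]}]}},
  {"metadata": {"name": "allow-all", "namespace": "reporting"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}}
]}"""


def namespace_scopes(ns_json):
    """{namespace: scope label} from `kubectl get namespaces -o json`."""
    return {n["metadata"]["name"]: n["metadata"].get("labels", {}).get("scope", "unknown")
            for n in json.loads(ns_json)["items"]}


def is_default_deny_ingress(spec):
    """An empty podSelector with Ingress in policyTypes and no ingress rules
    selects every pod in the namespace and allows nothing in."""
    return (spec.get("podSelector", {}) == {}
            and "Ingress" in spec.get("policyTypes", [])
            and not spec.get("ingress"))


def ingress_from_outside_scope(spec, scope="pci"):
    """True if any ingress rule admits sources not limited to PCI namespaces."""
    for rule in spec.get("ingress") or []:
        peers = rule.get("from")
        if not peers:
            return True  # a rule with no 'from' admits all sources
        for peer in peers:
            ns_selector = peer.get("namespaceSelector")
            if ns_selector is None:
                continue  # podSelector-only peers stay in-namespace; ipBlock peers need a separate review
            if ns_selector.get("matchLabels", {}).get("scope") != scope:
                return True  # includes the empty selector, which matches every namespace
    return False


def netpol_findings(ns_json, netpols_json):
    """(namespace, reason) for each gap in a PCI namespace."""
    scopes = namespace_scopes(ns_json)
    policies = json.loads(netpols_json)["items"]
    findings = []
    for ns, scope in sorted(scopes.items()):
        if scope != "pci":
            continue
        mine = [p for p in policies if p["metadata"]["namespace"] == ns]
        if not any(is_default_deny_ingress(p["spec"]) for p in mine):
            findings.append((ns, "no default-deny ingress NetworkPolicy"))
        for policy in mine:
            if ingress_from_outside_scope(policy["spec"]):
                findings.append((ns, f"policy {policy['metadata']['name']} admits traffic from outside PCI scope"))
    return findings


if __name__ == "__main__":
    for finding in netpol_findings(NAMESPACES_JSON, NETPOLS_JSON):
        print(finding)
```

A namespace with no NetworkPolicy at all is the worst case, since Kubernetes then allows all ingress by default; the check reports it as missing default-deny because there is nothing in the list for that namespace.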

9. Unrestricted Database Connectivity

Checklist:

  • Ensure PCI RDS databases are not accessible from non-PCI segments.
  • Confirm no public RDS instances.
  • Validate RDS security groups.

Commands:

# List all RDS instances with their public flag, subnet group and attached security groups
aws rds describe-db-instances --query "DBInstances[*].{DBInstance:DBInstanceIdentifier,Public:PubliclyAccessible,SubnetGroup:DBSubnetGroup.DBSubnetGroupName,SGs:VpcSecurityGroups[*].VpcSecurityGroupId}"
# Inspect the security groups attached to a PCI RDS instance (ids from the SGs field above)
aws ec2 describe-security-groups --group-ids <sg-id-from-VpcSecurityGroups> --query "SecurityGroups[*].{GroupId:GroupId,OpenToWorld:IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']].[IpProtocol,FromPort,ToPort],FromGroups:IpPermissions[*].UserIdGroupPairs[*].GroupId}"
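The JMESPath filters in sections 6 and 9 catch `0.0.0.0/0`, but a PCI database is just as exposed when its security group admits a security group that belongs to a non-PCI workload, and that reference-based rule is awkward to express in a one-line query. The script below is an added example, not code from the article; it joins constructed `describe-db-instances` and `describe-security-groups` output, flags public instances, world-open rules (IPv4 and IPv6), and rules that reference a group outside an assumed set of PCI security group IDs.

```python
"""Added example: evaluate the security groups attached to PCI RDS instances
for world-open rules and references to non-PCI security groups."""
import json

# Assumed: security group IDs that belong to PCI-scoped workloads (constructed).
PCI_SG_IDS = {"sg-pci-db", "sg-pci-app"}

# Constructed describe-security-groups output.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
  {"GroupId": "sg-pci-db", "GroupName": "pci-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-pci-app"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-corp-jump"}]}]},
  {"GroupId": "sg-legacy-db", "GroupName": "legacy-db", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}"""

# Constructed describe-db-instances output (fields trimmed to those used here).
RDS_JSON = """{"DBInstances": [
  {"DBInstanceIdentifier": "pci-cardholder-db", "PubliclyAccessible": false,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-pci-db", "Status": "active"}]},
  {"DBInstanceIdentifier": "pci-legacy-db", "PubliclyAccessible": true,
   "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-legacy-db", "Status": "active"}]}
]}"""


def rule_findings(sg, pci_sg_ids):
    """(group id, reason) for each risky inbound rule in one security group."""
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        # IpProtocol "-1" means all protocols and carries no port range
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}/{proto}"
        world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
        for cidr in world:
            findings.append((sg["GroupId"], f"open to {cidr} on {ports}"))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in pci_sg_ids:
                findings.append((sg["GroupId"], f"allows non-PCI group {pair['GroupId']} on {ports}"))
    return findings


def rds_findings(rds_json, sg_json, pci_sg_ids=PCI_SG_IDS):
    """(instance id, reason) for each exposure of an RDS instance."""
    groups = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    findings = []
    for db in json.loads(rds_json)["DBInstances"]:
        name = db["DBInstanceIdentifier"]
        if db["PubliclyAccessible"]:
            findings.append((name, "PubliclyAccessible is true"))
        for ref in db["VpcSecurityGroups"]:
            sg = groups.get(ref["VpcSecurityGroupId"])
            if sg is None:
                findings.append((name, f"security group {ref['VpcSecurityGroupId']} not in describe output"))
                continue
            findings.extend((name, f"{gid}: {why}") for gid, why in rule_findings(sg, pci_sg_ids))
    return findings


if __name__ == "__main__":
    for finding in rds_findings(RDS_JSON, SECURITY_GROUPS_JSON):
        print(finding)
```

`PubliclyAccessible` alone does not make an instance reachable from the Internet (the subnet must also route to an internet gateway), but for a PCI database it is a finding regardless, because it removes one of the layers the segmentation relies on.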

10. Misconfigured AWS VPC Peering and Transit Gateway

Checklist:

  • Ensure PCI VPCs are not peered with non-PCI VPCs.
  • Validate Transit Gateway routes do not allow unintended connections.
  • Check firewall rules in peered VPCs.

Commands:

# List VPC Peering Connections
aws ec2 describe-vpc-peering-connections --query "VpcPeeringConnections[*].{RequesterVpcId:RequesterVpcInfo.VpcId, AccepterVpcId:AccepterVpcInfo.VpcId, Status:Status.Code}"
# Check Transit Gateway routes: take each route table id from describe-transit-gateway-route-tables,
# then list its active routes and the attachments they point at
aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <tgw-rtb-id> --filters Name=state,Values=active --query "Routes[*].{Dest:DestinationCidrBlock,Type:Type,Targets:TransitGatewayAttachments[*].ResourceId}"
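Sections 5 and 10 both ask whether a PCI VPC is reachable from a non-PCI VPC through peering or a Transit Gateway. The script below is an added example, not code from the article; it classifies constructed `describe-vpc-peering-connections` output and constructed `search-transit-gateway-routes` output against a VPC-to-scope map (assumed to come from VPC tags) and an attachment-to-VPC map (assumed to come from `describe-transit-gateway-attachments`). The list of attachments associated with the route table is also an assumed input, since a TGW route is only reachable from the attachments that consult that table.

```python
"""Added example: classify VPC peering connections and Transit Gateway routes
against a PCI scope map."""
import json

# Constructed scope map (would come from VPC tags) and attachment map
# (would come from describe-transit-gateway-attachments).
VPC_SCOPE = {"vpc-pci0001": "pci", "vpc-pci0002": "pci", "vpc-corp001": "non-pci"}
ATTACHMENTS = {"tgw-attach-pci": "vpc-pci0001", "tgw-attach-corp": "vpc-corp001"}
# Attachments associated with (i.e. routing via) the route table below; assumed
# to come from describe-transit-gateway-route-table-associations.
ASSOCIATED_ATTACHMENTS = ["tgw-attach-corp"]

PEERINGS_JSON = """{"VpcPeeringConnections": [
  {"VpcPeeringConnectionId": "pcx-0001", "Status": {"Code": "active"},
   "RequesterVpcInfo": {"VpcId": "vpc-corp001"}, "AccepterVpcInfo": {"VpcId": "vpc-pci0001"}},
  {"VpcPeeringConnectionId": "pcx-0002", "Status": {"Code": "active"},
   "RequesterVpcInfo": {"VpcId": "vpc-pci0001"}, "AccepterVpcInfo": {"VpcId": "vpc-pci0002"}},
  {"VpcPeeringConnectionId": "pcx-0003", "Status": {"Code": "deleted"},
   "RequesterVpcInfo": {"VpcId": "vpc-corp001"}, "AccepterVpcInfo": {"VpcId": "vpc-pci0002"}}
]}"""

# Shape of search-transit-gateway-routes output for one route table.
TGW_ROUTES_JSON = """{"Routes": [
  {"DestinationCidrBlock": "10.10.0.0/16", "State": "active", "Type": "propagated",
   "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-pci", "ResourceId": "vpc-pci0001"}]},
  {"DestinationCidrBlock": "10.20.0.0/16", "State": "active", "Type": "propagated",
   "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-corp", "ResourceId": "vpc-corp001"}]},
  {"DestinationCidrBlock": "0.0.0.0/0", "State": "blackhole", "Type": "static",
   "TransitGatewayAttachments": []}
]}"""


def cross_scope_peerings(peerings_json, scope):
    """Active peering connections that join a PCI VPC to a VPC outside scope."""
    findings = []
    for pcx in json.loads(peerings_json)["VpcPeeringConnections"]:
        if pcx["Status"]["Code"] != "active":
            continue  # deleted/rejected peerings carry no traffic
        a, b = pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]
        scopes = {scope.get(a, "unknown"), scope.get(b, "unknown")}
        if "pci" in scopes and len(scopes) > 1:
            findings.append((pcx["VpcPeeringConnectionId"], a, b))
    return findings


def tgw_routes_into_pci(routes_json, attachments, scope, associated):
    """(source VPC, destination CIDR, target VPC) for every active route in the
    table that a non-PCI associated attachment can use to reach a PCI VPC."""
    findings = []
    sources = [attachments[att] for att in associated]
    for route in json.loads(routes_json)["Routes"]:
        if route["State"] != "active":
            continue  # blackhole routes drop traffic
        for att in route["TransitGatewayAttachments"]:
            target_vpc = attachments.get(att["TransitGatewayAttachmentId"])
            if scope.get(target_vpc) != "pci":
                continue
            for src in sources:
                if scope.get(src) != "pci":
                    findings.append((src, route["DestinationCidrBlock"], target_vpc))
    return findings


if __name__ == "__main__":
    for finding in cross_scope_peerings(PEERINGS_JSON, VPC_SCOPE):
        print("Peering finding:", finding)
    for finding in tgw_routes_into_pci(TGW_ROUTES_JSON, ATTACHMENTS, VPC_SCOPE, ASSOCIATED_ATTACHMENTS):
        print("TGW finding:", finding)
```

Keying the Transit Gateway check on route table associations is what makes isolation provable: a hub-and-spoke design that puts PCI and non-PCI attachments on separate route tables produces no finding, while a single shared table with propagated routes produces one for every PCI CIDR.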

Of course, these checklists are not exhaustive, but you may use them as a baseline when conducting a self-assessment prior to your PCI DSS assessment.