AWS payment-cryptography documentation change
Summary
Reorganized HSM security documentation sections, added PCI compliance details, expanded key management processes, and enhanced communication security descriptions
Security assessment
Changes focus on improving documentation of security controls (PCI compliance validation, third-party assessments, key management processes) but do not indicate remediation of a specific vulnerability. Enhanced descriptions of HSM protection mechanisms and customer key segregation demonstrate security feature documentation improvements.
Diff
diff --git a/payment-cryptography/latest/userguide/cryptographic-details-internalops.md b/payment-cryptography/latest/userguide/cryptographic-details-internalops.md index 24161ad2d..f42deef21 100644 --- a//payment-cryptography/latest/userguide/cryptographic-details-internalops.md +++ b//payment-cryptography/latest/userguide/cryptographic-details-internalops.md @@ -5 +5 @@ -HSM specifications and lifecycleHSM device physical security HSM initialization HSM service and repair HSM decommissioning HSM firmware update Operator access Key management +HSM protectionGeneral key management Management of customer keysCommunication security Logging and monitoring @@ -13 +13 @@ This topic describes internal requirements implemented by the service to secure - * HSM specifications and lifecycle + * HSM protection @@ -15 +15 @@ This topic describes internal requirements implemented by the service to secure - * HSM device physical security + * General key management @@ -17,3 +17 @@ This topic describes internal requirements implemented by the service to secure - * HSM initialization - - * HSM service and repair + * Management of customer keys @@ -21 +19 @@ This topic describes internal requirements implemented by the service to secure - * HSM decommissioning + * Communication security @@ -23 +21 @@ This topic describes internal requirements implemented by the service to secure - * HSM firmware update + * Logging and monitoring @@ -25 +22,0 @@ This topic describes internal requirements implemented by the service to secure - * Operator access @@ -27 +23,0 @@ This topic describes internal requirements implemented by the service to secure - * Key management @@ -29,0 +26 @@ This topic describes internal requirements implemented by the service to secure +## HSM protection @@ -30,0 +28 @@ This topic describes internal requirements implemented by the service to secure +### HSM specifications and lifecycle @@ -32 +30 @@ This topic describes internal requirements implemented by the service to secure -## HSM specifications and lifecycle +AWS Payment Cryptography uses a fleet of commercially available HSMs. The HSMs are FIPS 140-2 Level 3 validated and also use firmware versions and the security policy listed on the PCI Security Standards Council [approved PCI PTS Devices list](https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices) as PCI HSM v3 complaint. The PCI PTS HSM standard includes additional requirements for the manufacturing, shipment, deployment, management, and destruction of HSM hardware which are important for payment security and compliance but not addressed by FIPS 140. @@ -34 +32 @@ This topic describes internal requirements implemented by the service to secure -AWS Payment Cryptography uses a fleet of commercially available HSM. The HSMs are FIPS 140-2 Level 3 validated and also use firmware versions and the security policy listed on the PCI Security Standards Council [approved PCI PTS Devices list](https://listings.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices) as PCI HSM v3 complaint. The PCI PTS HSM standard includes additional requirements for the manufacturing, shipment, deployment, management, and destruction of HSM hardware which are important for payment security and compliance but not addressed by FIPS 140. +Third party assessors verify HSM make model, firmware, configuration, lifecycle physical management, change control, operator access controls, main key management, and all PCI PIN and P2PE requirements related to HSMs and HSM operations. @@ -38 +36 @@ All HSMs are operated in PCI Mode and configured with the PCI PTS HSM security p -## HSM device physical security +### HSM device physical security @@ -40 +38 @@ All HSMs are operated in PCI Mode and configured with the PCI PTS HSM security p -Only HSMs that have device keys signed by an AWS Payment Cryptography certificate authority (CA) by the manufacturer prior to delivery can be used by the service. The AWS Payment Cryptography is a sub-CA of the manufacturer’s CA that is the root of trust for HSM manufacturer and device certificates. The manufacturer’s CA implements ANSI TR 34 and has attested compliance with PCI PIN Security Annex A and PCI P2PE Annex A. The manufacturer verifies that all HSM with device keys signed by the AWS Payment Cryptography CA are shipped to AWS’ designated receiver. +Only HSMs that have device keys signed by an AWS Payment Cryptography certificate authority (CA) by the manufacturer prior to delivery can be used by the service. The AWS Payment Cryptography is a sub-CA of the manufacturer’s CA that is the root of trust for HSM manufacturer and device certificates. The manufacturer’s CA has attested compliance with PCI PIN Security Annex A and PCI P2PE Annex A. The manufacturer verifies that all HSM with device keys signed by the AWS Payment Cryptography CA are shipped to AWS’ designated receiver. @@ -63 +61 @@ A complete chain-of-custody, with individual accountability, is maintained and m -## HSM initialization +### HSM initialization @@ -67 +65 @@ An HSM is only initialized as part of the AWS Payment Cryptography fleet after i -## HSM service and repair +### HSM service and repair @@ -71 +69 @@ HSM have serviceable components that do not require violation of the device’s -## HSM decommissioning +### HSM decommissioning @@ -75 +73 @@ Decommissioning occurs due to end-of-life or failure of an HSM. HSM are logicall -## HSM firmware update +### HSM firmware update @@ -79 +77 @@ HSM firmware updates are applied when required to maintain alignment with PCI PT -## Operator access +### Operator access @@ -102 +100 @@ All non-console access records are reviewed for process compliance and potential -## Key management +## General key management @@ -108,25 +105,0 @@ All main keys are generated by an HSM and distributed to by symmetric key distri -###### Topics - - * Generation - - * Region main key synchronization - - * Region main key rotation - - * Profile main key synchronization - - * Profile main key rotation - - * Protection - - * Durability - - * Communication security - - * Management of customer keys - - * Logging and monitoring - - - - @@ -145 +118 @@ HSM region main keys are synchronized by the service across the regional fleet w - * Identification and key protection for the distributed symmetric keys consistent with ANSI X9 TR-34 and PCI PIN Annex A1, except for asymmetric algorithms and key strengths appropriate for protecting AES 256 bit keys. + * Identification and key protection for the distributed symmetric keys is consistent with ANSI X9 TR-34 and PCI PIN Annex A1, except for asymmetric algorithms and key strengths appropriate for protecting AES 256 bit keys. @@ -253 +226 @@ HSM authentication and main key tokens are saved and may be used to restore a ma -### Communication security +### Operator access to HSM main keys @@ -255 +228 @@ HSM authentication and main key tokens are saved and may be used to restore a ma -#### External +Main keys exist only in HSM managed by the service and secured in secure AWS facilities. Main keys cannot be exported from any HSM or synchronized to an HSM that is not initialized by the manufacturer for use in the service. AWS operators cannot obtain main keys in any form that could be loaded into an HSM not managed by the service. @@ -257 +230 @@ HSM authentication and main key tokens are saved and may be used to restore a ma -AWS Payment Cryptography API endpoints meet AWS security standards including TLS at or above 1.2 and Signature Version 4 for authentication and integrity of requests. +## Management of customer keys @@ -259 +232 @@ AWS Payment Cryptography API endpoints meet AWS security standards including TLS -Incoming TLS connections are terminated on network load balancers and forwarded to API handlers over internal TLS connections. +At AWS, customer trust is our top priority. You maintain full control of your keys that you import to or create in the service under your AWS account. You retain responsibility for configuring access to keys. @@ -261 +234 @@ Incoming TLS connections are terminated on network load balancers and forwarded -#### Internal +AWS Payment Cryptography is a service provider that uses HSMs and manages keys on behalf of customers, similar to long-standing payment service providers. The service has complete responsibility for HSM physical and logical security. Key management responsibility is shared between the service and customers because the customer must provide accurate information about keys created by or imported to the service, which the service uses to enforce correct key use and management. AWS data segregation protections are used to ensure that compromise of keys belonging one AWS account cannot compromise keys belonging to another. @@ -263 +236 @@ Incoming TLS connections are terminated on network load balancers and forwarded -Internal communications between service components and between service components and other AWS service are protected by TLS using strong cryptography. +AWS Payment Cryptography has full responsibility for the HSM physical compliance and key management for keys managed by the service. This requires ownership and management of HSM main keys and protection of customer keys managed by the AWS Payment Cryptography. @@ -265 +238 @@ Internal communications between service components and between service component -HSM are on a private, non-virtual network that is only reachable from service components. All connections between HSM and service components are secured with mutual TLS (mTLS), at or above TLS 1.2. Internal certificates for TLS and mTLS are managed by Amazon Certificate Manager using an AWS Private Certificate Authority. Internal VPCs and the HSM network are monitored for unexpected activities and configuration changes. +### Customer key space separation @@ -267 +240 @@ HSM are on a private, non-virtual network that is only reachable from service co -### Management of customer keys +AWS Payment Cryptography enforces key policies for all key use, including limiting principals to the account owning the key, unless a key is explicitly shared with another account. @@ -269 +242 @@ HSM are on a private, non-virtual network that is only reachable from service co -At AWS, customer trust is our top priority. You maintain full control of your keys that you upload or create in the service under your AWS account and responsibility for configuring access to keys. +AWS accounts provide complete environment segregation between customers or applications analogous to non-cloud implementations in different data centers. Each account provides isolated access control, networking, compute resources, data storage, cryptographic keys for data protection and payment transactions, and all AWS resources. AWS services like Organizations and Control Tower enable enterprise management of separate application accounts, analogous to cages or rooms within an enterprise data center. @@ -271 +244 @@ At AWS, customer trust is our top priority. You maintain full control of your ke -AWS Payment Cryptography has full responsibility for the HSM physical compliance and key management for keys managed by the service. This requires ownership and management of HSM main keys and storage of protected customer keys within the AWS Payment Cryptography key database. +### Operator access to customer keys @@ -273 +246 @@ AWS Payment Cryptography has full responsibility for the HSM physical compliance -#### Customer key space separation +Customer keys managed by the service are stored protected by partition main keys and can only be used by the owning customer account or account the owner has specifically configured for key sharing. AWS operators cannot export or perform key management or cryptographic operations with customer keys using manual access to the service, which is managed by AWS manual operator access mechanisms. @@ -275 +248 @@ AWS Payment Cryptography has full responsibility for the HSM physical compliance -AWS Payment Cryptography enforces key policies for all key use, including limiting principals to the account owning the key, unless a key is explicitly shared with another account. +Service code that implements customer key management and use is subject to AWS secure code practices as assessed per the AWS PCI DSS assessment. @@ -277 +250 @@ AWS Payment Cryptography enforces key policies for all key use, including limiti -#### Backup and recovery +### Backup and recovery @@ -279 +252 @@ AWS Payment Cryptography enforces key policies for all key use, including limiti -Keys and key information for a region is backed up to encrypted archives by AWS. Archives require dual control by AWS to restore. +Keys and key information stored internally by the service for a region is backed up to encrypted archives by AWS. Archives require dual control by AWS to restore. @@ -281 +254 @@ Keys and key information for a region is backed up to encrypted archives by AWS. -#### Key blocks +### Key blocks @@ -283 +256 @@ Keys and key information for a region is backed up to encrypted archives by AWS. -All keys are stored in ANSI X9 TR-31 format key blocks. +All keys are stored and processed in ANSI X9.143 format key blocks. @@ -287 +260 @@ Keys may be imported into the service from cryptograms or other key block format -#### Key use +### Key use @@ -291 +264 @@ Key use is restricted to the configured KeyUsage by the service. The service wil -#### Key exchange relationships +### Key exchange relationships @@ -293 +266 @@ Key use is restricted to the configured KeyUsage by the service. The service wil -PCI PIN Security and PCI P2PE require that organizations that share keys that encrypt PINs, including the KEK used to share those keys, not share those keys with any other organizations. It is a best practice that symmetric keys are shared between only 2 parties, including within the same organization. This minimizes the impact of suspected key compromises that force replacing impacted keys. +PCI PIN Security and PCI P2PE require that organizations that share keys that encrypt PINs or carddata, including the key exchange keys (KEK) used to share those keys, not share the same keys with any other organizations. It is a best practice that symmetric keys are shared between only 2 parties for a single purpose, including within the same organization. This minimizes the impact of suspected key compromises that force replacing impacted keys. @@ -301 +274 @@ For example, KEK and BDK for different key injection facilities can by identifie -#### Key deletion +### Key deletion @@ -309 +282,15 @@ Keys belonging to closed AWS accounts are marked for deletion. If the account is -### Logging and monitoring +## Communication security + +### External + +AWS Payment Cryptography API endpoints meet AWS security standards including TLS at or above 1.2 and Signature Version 4 for authentication and integrity of requests. + +Incoming TLS connections are terminated on network load balancers and forwarded to API handlers over internal TLS connections. + +### Internal + +Internal communications between service components and between service components and other AWS service are protected by TLS using strong cryptography. + +HSM are on a private, non-virtual network that is only reachable from service components. All connections between HSM and service components are secured with mutual TLS (mTLS), at or above TLS 1.2. Internal certificates for TLS and mTLS are managed by Amazon Certificate Manager using an AWS Private Certificate Authority. Internal VPCs and the HSM network are monitored for unexpected activities and configuration changes. + +## Logging and monitoring