Building PCI DSS-Compliant Architectures on Amazon EKS
Containers Blog
This article provides comprehensive guidance for building PCI DSS-compliant architectures on Amazon EKS, addressing whether shared tenancy infrastructure can meet compliance requirements.
- AWS supports PCI DSS compliance on EC2 shared tenancy; dedicated hosts not required by PCI DSS
- Node provisioning choice (Karpenter, Cluster Autoscaler, EKS Auto Mode, manual) doesn't affect compliance requirements
- Implement Kubernetes namespace isolation with RBAC and policy enforcement for workload segmentation
- Enforce Pod Security Standards (Restricted level for CDE workloads) with security contexts and host resource restrictions
- Configure multi-tenant scheduling using taints, tolerations, labels, and dedicated node groups per tenant
- Deploy network policies with default-deny rules and Admin Network Policies for centralized traffic control
- Implement per-tenant encrypted storage with KMS and fine-grained IAM isolation using IRSA or Pod Identity
- Enable comprehensive logging via CloudTrail, CloudWatch, VPC Flow Logs, and Kubernetes audit logs
- Deploy vulnerability scanning, Bottlerocket OS, runtime monitoring (Falco, GuardDuty), and patch management
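The following manifest is an added example, not code from the original post or from AWS, showing how several of the controls listed above fit together for one CDE namespace: a namespace labeled to enforce the Restricted Pod Security Standard, a default-deny NetworkPolicy with a narrow DNS egress exception, and a workload pinned to a dedicated node group via a label and taint/toleration with a Restricted-compliant security context. The namespace name `payments-cde`, the node-group label and taint `tenant=payments-cde`, the image reference, and the `k8s-app: kube-dns` selector for CoreDNS are assumptions for illustration.

```yaml
# Added example (not from the original post): namespace-level controls for a
# CDE workload. Names such as "payments-cde" and the node-group label/taint
# values are illustrative assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments-cde
  labels:
    # Pod Security Standards: enforce (and audit/warn) at the Restricted level
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Default-deny: no ingress or egress for any pod in the namespace unless a
# more specific NetworkPolicy allows it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments-cde
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Narrow exception: allow DNS egress to CoreDNS in kube-system only
# (assumes CoreDNS pods carry the label k8s-app=kube-dns)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments-cde
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# Workload pinned to a dedicated node group (label + taint/toleration) with a
# securityContext that satisfies the Restricted profile
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-api
  namespace: payments-cde
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payment-api
  template:
    metadata:
      labels:
        app: payment-api
    spec:
      # Service account expected to be mapped to an IAM role via IRSA or
      # Pod Identity; the IAM side is not shown here
      serviceAccountName: payment-api
      nodeSelector:
        tenant: payments-cde            # assumed node-group label
      tolerations:
      - key: tenant
        operator: Equal
        value: payments-cde
        effect: NoSchedule              # assumed taint on the dedicated node group
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: api
        image: example.com/payment-api:1.0.0   # placeholder image reference
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        ports:
        - containerPort: 8080
```

Apply with `kubectl apply -f` against a cluster whose CNI enforces NetworkPolicy; the default-deny policy is the control to verify first, since a CNI that does not implement NetworkPolicy will accept the object and silently allow all traffic. Any additional allowed paths (ingress from an ingress controller, egress to a database) should be added as separate narrowly scoped policies rather than by loosening `default-deny-all`.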
Defense-in-depth security controls at workload and cluster levels enable PCI DSS compliance on EKS regardless of infrastructure choices or node provisioning approach.