Security policies for an AKS regulated cluster for PCI DSS 4.0.1

This article describes security policy considerations for an Azure Kubernetes Service (AKS) cluster that's configured in accordance with the Payment Card Industry Data Security Standard (PCI DSS 4.0.1).

This article is part of a series. Read the introduction.

Maintain an information security policy

Requirement 12: Maintain an information security policy for all personnel

Microsoft completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). This assessment covers all aspects of infrastructure, development, operations, management, support, and in-scope services. For more information, see Payment Card Industry (PCI) Data Security Standard (DSS).

PCI DSS 4.0.1 requires organizations to establish, maintain, and regularly review a comprehensive information security policy. This policy must address roles, responsibilities, acceptable usage, and security objectives for all personnel, including third parties and cloud providers handling cardholder data. The policy should be reviewed at least annually and updated as risks evolve.

Cloud and container considerations:

  • Define shared responsibility for security between your organization and the cloud/container provider in your policy.
  • Ensure policies enforce inventory tracking of assets and services, including ephemeral resources like containers and cloud services.
  • Communicate the policy to all personnel and relevant stakeholders, including those managing cloud and container environments.

Here are some general suggestions:

  • Maintain thorough and updated documentation about processes and policies. Consider using Microsoft Purview Compliance Manager to assess your risk.
  • In the annual review of the security policy, incorporate new guidance delivered by Microsoft, Kubernetes, and the other third-party solutions that are part of your cardholder data environment (CDE). Use resources such as Microsoft Defender for Cloud, Azure Advisor, Azure Well-Architected Review, AKS Azure Security Baseline, and CIS Azure Kubernetes Service Benchmark.
  • When establishing your risk assessment process, align with a published standard where practical, for example NIST SP 800-53. Map publications from your vendor's published security list, such as the Microsoft Security Response Center guide, to your risk assessment process.
  • Keep up-to-date information about device inventory and personnel access documentation. Use device discovery capabilities, such as Microsoft Defender for Endpoint, and cloud-native inventory tools. For tracking access, use Microsoft Entra logs and cloud IAM logs.
  • As part of your inventory management, maintain a list of approved solutions deployed as part of the PCI infrastructure and workload, including VM images, databases, and third-party solutions. Automate this process with a service catalog for self-service deployment using approved solutions in a specific configuration. For more information, see Establish a service catalog.
  • Make sure that a security contact receives Azure incident notifications from Microsoft. These notifications indicate that your resource might be compromised and enable your security operations team to rapidly respond to potential security risks. Ensure that the administrator contact information in the Azure enrollment portal reaches security operations directly, or rapidly through an internal process. For details, see Security operations model.
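The inventory control in the list above (an approved list of solutions and images, checked against what is actually deployed) can be automated as a reconciliation check. The following Python script is an added illustration, not code from this Microsoft article or from AKS; it assumes the catalog is a mapping of image repository to approved build digests, reads the shape produced by `kubectl get pods -A -o json`, and uses a constructed sample pod list with a placeholder registry name (`contoso.azurecr.io`) and placeholder digests. It flags containers whose repository is not in the catalog, whose running digest is not an approved build, or whose pod spec pulls by a mutable tag instead of a pinned digest.

```python
"""Added example (not from the Microsoft article): reconcile the container images
running in a cluster against an approved-solution catalog, as a PCI DSS
Requirement 12 inventory control. Input shape follows `kubectl get pods -A -o json`.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder digests (64 hex chars each) used by the sample data.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DIGEST_C = "sha256:" + "c" * 64
DIGEST_D = "sha256:" + "d" * 64

# Constructed approved-solution catalog: repository -> approved build digests.
# In practice this is generated from the service catalog or registry, not hand-typed.
APPROVED_CATALOG: Dict[str, Set[str]] = {
    "contoso.azurecr.io/payments/api": {DIGEST_A},
    "contoso.azurecr.io/platform/nginx-ingress": {DIGEST_B},
}


def split_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'repo[:tag][@digest]' into (repo, tag, digest).

    The text after the last ':' is a tag only when that ':' comes after the
    last '/'; otherwise it is a registry port (for example localhost:5000/repo).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        tag = ref[colon + 1:]
        ref = ref[:colon]
    return ref, tag, digest


def resolved_digest(image_id: str) -> Optional[str]:
    """Extract the digest the kubelet actually ran from containerStatuses[].imageID.

    Handles 'repo@sha256:...', 'docker-pullable://repo@sha256:...' and a bare
    'sha256:...' (locally built image that was never pulled from a registry).
    """
    for prefix in ("docker-pullable://", "docker://"):
        if image_id.startswith(prefix):
            image_id = image_id[len(prefix):]
    if "@" in image_id:
        return image_id.split("@", 1)[1]
    return image_id if image_id.startswith("sha256:") else None


def reconcile(pod_list_json: str, catalog: Dict[str, Set[str]] = APPROVED_CATALOG) -> List[dict]:
    """Return one finding per running container that deviates from the catalog."""
    findings = []
    for item in json.loads(pod_list_json).get("items", []):
        meta = item["metadata"]
        for cs in item.get("status", {}).get("containerStatuses", []):
            repo, tag, spec_digest = split_image_ref(cs["image"])
            digest = resolved_digest(cs.get("imageID", ""))
            reasons = []
            approved = catalog.get(repo)
            if approved is None:
                reasons.append("repository not in approved catalog")
            elif digest not in approved:
                reasons.append("running digest is not an approved build")
            if spec_digest is None:
                # Mutable tags defeat "approved solution in a specific configuration".
                reasons.append("pod spec references a mutable tag (%s), not a digest" % (tag or "latest"))
            if reasons:
                findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                                 "container": cs["name"], "repo": repo,
                                 "digest": digest, "reasons": reasons})
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json` (three pods).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7c9d"},
     "status": {"containerStatuses": [{"name": "api",
        "image": "contoso.azurecr.io/payments/api@" + DIGEST_A,
        "imageID": "contoso.azurecr.io/payments/api@" + DIGEST_A}]}},
    {"metadata": {"namespace": "ingress", "name": "nginx-ingress-5f1a"},
     "status": {"containerStatuses": [{"name": "controller",
        "image": "contoso.azurecr.io/platform/nginx-ingress:1.9.0",
        "imageID": "contoso.azurecr.io/platform/nginx-ingress@" + DIGEST_C}]}},
    {"metadata": {"namespace": "default", "name": "debug"},
     "status": {"containerStatuses": [{"name": "shell",
        "image": "docker.io/library/busybox:latest",
        "imageID": "docker-pullable://docker.io/library/busybox@" + DIGEST_D}]}},
]})

if __name__ == "__main__":
    for f in reconcile(SAMPLE_POD_LIST):
        print(f"{f['namespace']}/{f['pod']} [{f['container']}] {f['repo']}: " + "; ".join(f["reasons"]))
```

Run against a real cluster by piping `kubectl get pods -A -o json` into `reconcile`; the first sample pod produces no finding because it is pinned by digest and matches the catalog, while the ingress pod (approved repository, unapproved digest, tag-based pull) and the ad-hoc busybox pod (repository not in the catalog) each produce one finding. Comparing the digest from `imageID` rather than the tag in the pod spec is what makes the check meaningful, since a tag can be re-pointed at a different build without any change to the manifest.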

For more information about planning for operational compliance, see the following resources:

Next steps

Implement targeted risk analysis procedures for custom approaches and security assessments.