Hacker News
by tryeng 5569 days ago
I don't think your PCI guy is overly strict. It's pretty clear that the intentions of the requirements are what you described. What might have worked, though, is to have virtual machines inside the EC2 instances in your VPC, and use this to filter traffic through a separate virtual machine.

Still, it's unnecessarily complicated and as you say, a resolved issue now. :) The new features announced fit PCI needs quite well. I haven't looked into the IDS issue you mentioned in your first post yet, but I hope it's possible to resolve somehow or get around with compensating controls.

(Disclaimer: I'm no PCI DSS expert, just an unlucky engineer trying to make a compliant system.)