by abrookewood 531 days ago
So we recently had to do something like this for PCI DSS certification. The database is encrypted at rest (AWS RDS), but the data is presented as clear text to any DBA. The solution we came up with was to add field-level encryption to certain Card Holder Data (CHD) fields like Account etc. To do this, we use AWS KMS to encrypt/decrypt the data and then we only grant the rights to use this key to an IAM Role that the database holds and explicitly prevent any Admin accounts from accessing it. End result is that Admins can manage the database, but can't see all of it in the clear.
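The arrangement the comment describes, as an added example (not the commenter's code or configuration): a KMS key policy that lets admin roles manage the key but not use it, grants Encrypt/Decrypt only to the role the database assumes, and adds an explicit Deny for the admin roles so that an IAM identity policy cannot quietly grant them back. The account ID, role names and key ID are hypothetical placeholders; the policy evaluator is a deliberately simplified model of IAM's "explicit deny wins" rule, and the two field helpers take an already-constructed boto3 KMS client.

```python
"""Field-level encryption of card-holder data with a KMS key restricted to the
database's IAM role. Added example; all ARNs and the key ID are hypothetical."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # hypothetical account ID
DB_ROLE = f"arn:aws:iam::{ACCOUNT}:role/rds-chd-field-encryption"  # role the DB assumes
SECURITY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/SecurityKeyAdmin"   # owns the key policy
ADMIN_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/DBAdmin",
               f"arn:aws:iam::{ACCOUNT}:role/PlatformAdmin"]

DATA_PLANE = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]

# Key policy. Note what is deliberately absent: no "arn:aws:iam::ACCOUNT:root"
# statement with "kms:*", so IAM identity policies in the account do not get to
# grant key use, and the admin roles never receive kms:PutKeyPolicy, because
# whoever can rewrite the policy can simply delete the Deny below.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # only the security role may change or delete the key
            "Sid": "SecurityRoleAdministersKey",
            "Effect": "Allow",
            "Principal": {"AWS": SECURITY_ROLE},
            "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                       "kms:EnableKeyRotation", "kms:Describe*", "kms:Get*", "kms:List*"],
            "Resource": "*",
        },
        {   # DB/platform admins can see and tag the key, nothing more
            "Sid": "AdminsManageButDoNotUseKey",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLES},
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*",
                       "kms:TagResource", "kms:UntagResource"],
            "Resource": "*",
        },
        {   # the database role is the only principal that can encrypt/decrypt CHD
            "Sid": "DatabaseRoleUsesKey",
            "Effect": "Allow",
            "Principal": {"AWS": DB_ROLE},
            "Action": DATA_PLANE,
            "Resource": "*",
        },
        {   # explicit Deny: beats any later Allow someone adds for an admin
            "Sid": "AdminsExplicitlyDeniedDataPlane",
            "Effect": "Deny",
            "Principal": {"AWS": ADMIN_ROLES},
            "Action": DATA_PLANE,
            "Resource": "*",
        },
    ],
}


def _principals(stmt):
    p = stmt["Principal"]["AWS"]
    return [p] if isinstance(p, str) else list(p)


def is_allowed(policy, principal_arn, action):
    """Simplified key-policy evaluation: an explicit Deny on a matching
    statement wins outright; otherwise some Allow must match; else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if principal_arn not in _principals(stmt):
            continue
        if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def add_allow(policy, principal_arn, actions):
    """Return a copy of the policy with an extra Allow appended, to show that
    the explicit Deny still holds when someone later grants an admin key use."""
    extra = {"Sid": "LaterGrant", "Effect": "Allow",
             "Principal": {"AWS": principal_arn}, "Action": list(actions), "Resource": "*"}
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [extra]}


def _context(table, column, row_id):
    # Encryption context binds the ciphertext to its cell, so a blob copied
    # into another row, or decrypted outside this column, fails at KMS.
    return {"table": table, "column": column, "row_id": str(row_id)}


def encrypt_field(kms, key_id, table, column, row_id, plaintext):
    """Encrypt one CHD value directly with KMS (a PAN is far below the 4 KiB
    limit, so no envelope data key is needed). `kms` is boto3.client("kms")."""
    return kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode("utf-8"),
                       EncryptionContext=_context(table, column, row_id))["CiphertextBlob"]


def decrypt_field(kms, table, column, row_id, blob):
    """Decrypt a stored blob; the same context must be supplied or KMS refuses."""
    out = kms.decrypt(CiphertextBlob=blob, EncryptionContext=_context(table, column, row_id))
    return out["Plaintext"].decode("utf-8")


if __name__ == "__main__":
    for who in [DB_ROLE, ADMIN_ROLES[0], SECURITY_ROLE]:
        print(who.rsplit("/", 1)[1], "kms:Decrypt ->", is_allowed(KEY_POLICY, who, "kms:Decrypt"))
```

Two caveats the policy alone does not cover: the row identifier used in the encryption context must be immutable (renumbering rows makes every blob undecryptable), and the database role's credentials are now the thing to protect, since anyone who can run code as that role (for example through an RDS feature that assumes it) can decrypt CHD regardless of what the key policy says about admins.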