Has anyone achieved Level 1 PCI compliance on AWS?

Solution 1:

I'd suggest not trying to solve AWS's problem yourself.

Ask your auditor if he will accept a SAS 70 Type 2 audit report of AWS regarding PCI compliance: this means that an external auditor audits AWS for PCI security concerning AWS clients and issues a report. Your auditor then basically rubber-stamps it. If the auditor isn't willing to accept this report, ask his management why he isn't and whether they abide by AICPA rules (see Gotchas below, though).

If AWS is not willing to undergo such a standard audit process, they basically undermine their entire market position regarding PCI compliance => credit card processing, so I can't imagine they wouldn't cooperate. See e.g. one of the big five... eeh, four accountant firms providing SAS 70 audits, and Wikipedia on SAS 70.

Gotchas: SAS 70 Type 2 does not specify what exactly to audit, so you have to make sure your auditor agrees with the scope of the audit in advance; the 2 issues the auditor has are a case in point. Note: SAS 70 Type 2 is a US auditing standard that has been around for a while; there might be updated versions/standards for this. If you're in another country, there might be other requirements, but SAS 70 Type 2 is very widely used internationally.

However, it might be that your auditor actually has a SAS 70 Type 2 report on AWS and thinks the scope is not extensive enough, or the audit was badly done, or the resulting findings/conclusion were negative.