All the FAQs, documents and statements published by AWS aside, did any Level 1 merchant actually achieve PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS hadn't been cooperative when their other clients were trying to achieve compliance and they had to go to Rackspace instead. The issues they ran into were:
- AWS isn't providing an itemized list of the controls assessed in AWS' own PCI audit, making it impossible for the auditor to mark which items are covered off by AWS and which are the responsibility of the client
- AWS isn't clarifying how the hypervisor was assessed and which tests were performed to ensure tenant isolation
Update: This question was originally asked on StackExchange, but was voted down as not appropriate for that site https://stackoverflow.com/questions/6851259/has-anyone-achieved-level-1-pci-compliance-on-aws
I'd suggest not trying to solve AWS's problem yourself.
Ask your auditor if he will accept a SAS 70 Type 2 audit report of AWS regarding PCI compliance: this means that an external auditor audits AWS for PCI security concerning AWS clients and issues a report. Your auditor then basically rubberstamps it. If the auditor isn't willing to accept this report, ask his management why he isn't and whether they abide by AICPA rules (see Gotchas below though).
If AWS is not willing to undergo such a standard audit process, they basically undermine their entire market position regarding PCI compliance (and therefore credit card processing), so I can't imagine they wouldn't cooperate. See e.g. one of the big five... eeh, four accounting firms providing SAS 70 audits and Wikipedia on SAS 70.
Gotchas: SAS 70 Type 2 does not specify what exactly to audit, so you have to make sure your auditor agrees with the scope of the audit in advance; the 2 issues the auditor has are a case in point. Note: SAS 70 Type 2 is a US auditing standard that has been around for a while; there might be updated versions/standards for this. If you're in another country, there might be other requirements, but SAS 70 Type 2 is very widely used internationally.
However, it might be that your auditor actually has a SAS 70 Type 2 report on AWS and thinks the scope is not extensive enough, or the audit was badly done, or the resulting findings/conclusion were negative.