January 29, 2022

VMware Site Recovery for VMware Cloud on AWS is now PCI DSS Certified

The VMware Site Recovery for VMware Cloud on Amazon Web Services (AWS) DRaaS offering now supports PCI-DSS compliance.VMware Site Recovery recently received the highest level of PCI certification (PCI DSS Level 1 provider status).

By being certified as PCI DSS compliant level 1 service provider, VMware Site Recovery service operates in compliance with PCI DSS compliant security measures and controls, thereby potentially addressing the needs of a broad range of customers and workloads that need to store, process, or transmit cardholder or sensitive authentication data. PCI compliance will be enabled in the AWS regions that support VMware Cloud on AWS where SDDCs are configured for compliance hardening for PCI.

VMware Site Recovery implements a shared responsibility model that defines distinct roles and responsibilities of the three parties involved in the offering: Customer, VMware, and Amazon

Customer Responsibility

On-premises Security - The customer is responsible for installation, configuration, and continuous operations of all the on-premises software components and hardware in compliance with PCI-DSS requirements. This includes the network connection over which communication between on-premises and cloud components occurs. This could include but is not limited to using encryption where applicable, having processes for regular software security patching, credential rotations, auditing, and user access controls.

Security in the Cloud – Customers are responsible for the configuration of the DR protection of their sites, via the Service UI and API interfaces. This includes but is not limited to the configuration of network firewall rules, VPNs, Site pairing, replications, protection groups, inventory mappings, and recovery plans.

VMware Responsibility

Security of the Cloud – VMware is responsible for protecting the software and systems that make up the VMware Site Recovery and VMware Cloud on AWS

AWS Responsibility

Security of the Infrastructure – AWS is responsible for the physical facilities, physical security, infrastructure, and hardware underlying the entire service.

Shared Responsibility Matrix

Details on the shared responsibility model employed by VMware Site Recovery can be found in the table below.

Much of the low-level operational infrastructure is handled by the VMware Site Recovery and VMware Cloud on AWS Engineering and Operations teams, allowing the customer to focus on managing their workloads.


Responsibility / Activity


  • Deploying Software-Defined Data Centers (SDDCs) – Recovery Site
    • Host Type & Count / Cluster Config
    • Connected AWS Account (Cloud)
    • Management Network Range
  • Configuring SDDC Network & Security
    • Network Segments
    • Public IP addresses
    • NAT
    • Firewalls
    • Access Control
  • Protected Site(s)
    • Firewalls
    • Network Segments
    • Role-Based Access Control
  • VMware Site Recovery
    • Protection Groups
    • Protected Site vCenter Configuration
    • Recovery Plans
    • Role-based access control / Authentication
  • SRM & VR Lifecycle (On-premises)
    • Software deployment, updates, and upgrades
  • Physical Infrastructure (On-premises)
    • Compute / Network / Storage
    • Network Connection to AWS Cloud


  • SRM & VR Lifecycle (Cloud)
    • Software updates and upgrades
  • VMC on AWS SDDC Lifecycle
    • vSphere
    • vSAN
    • NSX
  • Monitoring & Operations of SRM & VR (Cloud)

AWS – Amazon Web Services

  • Physical Infrastructure
    • AWS Regions
    • AWS Availability Zones
    • Physical security of AWS facilities
  • Compute / Network / Storage
    • Rack and Power Bare Metal Hosts (i.e. i3.metal and i3en.metal)
    • Rack and Power Network Equipment

This is great news for customers looking for DRaaS that supports PCI certification. For more detail see the VMware Site Recovery Shared Responsibility Model whitepaper.

@Cato Grace

Filter Tags