The AWS Lambda service is approved for PCI compliant workloads. Users may use the IOpipe libraries within PCI compliant workloads as well. Our libraries are designed to collect metadata about serverless applications, and designed to NOT collect sensitive data such as customer or billing information by default.
Three features may potentially send sensitive information to the IOpipe service:
- Logging plugin - if a developer writes to STDOUT or STDERR, the logging plugin may capture that output and store it on the IOpipe service. Developers of PCI Compliant workloads should not log sensitive customer information (cardholder data such as the PAN, expiry or CVV), or should redact it before it reaches STDOUT/STDERR. The logging plugin is optional and may be disabled.
- Heap profiler - if a developer enables the heap profiling feature, memory segments of the application will be captured, and these may contain sensitive customer information that was held in memory at the time. We advise not using the heap profiler with PCI Compliant applications. The CPU profiler records call stacks and timings rather than memory contents, so it is not affected in the same way and may be used for PCI Compliant workloads. The heap profiler feature is optional and is disabled by default.
- Event-information - the IOpipe libraries automatically capture information about an invoked function's incoming event (its arguments) when the incoming event originates from a recognized AWS event source. For requests originating from API Gateway, the IOpipe service will, by default, capture the request URL, including its path and query string; developers of PCI Compliant workloads are therefore advised not to design APIs in which sensitive customer information is passed via the URL (for example a card number as a path parameter or query-string value) rather than in the request body. The event-info feature is optional and may be disabled.
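The two caveats above (don't let cardholder data reach STDOUT/STDERR, and don't carry it in URLs that the event-info feature records) can be enforced in the function itself rather than by convention. The following is an added example, not IOpipe code and not part of the original page: a `logging.Filter` that masks Luhn-valid card numbers before a record is emitted, and a small checker that flags query-string keys and path segments in a URL that carry a PAN. The sample log message and URLs are constructed for illustration; the logger name `pci-demo` and the list of sensitive key names are assumptions.

```python
import io
import logging
import re
from urllib.parse import parse_qsl, urlsplit

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits. Luhn validation below weeds out order ids etc.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (ISO/IEC 7812) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number in text, keeping only the last four digits."""
    def _mask(m: "re.Match") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. an order id; not cardholder data, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Scrubs PANs from a record before any handler writes it to STDOUT/STDERR."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Format once (msg % args), redact, and drop args so handlers do not re-format.
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def log_and_capture(message: str, *args) -> str:
    """Log through the redacting filter into an in-memory stream and return what a
    STDOUT handler would have emitted (constructed harness; assumed logger name)."""
    stream = io.StringIO()
    logger = logging.getLogger("pci-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(PanRedactingFilter())
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue().rstrip("\n")


def _is_pan(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def url_sensitive_fields(url: str, sensitive_keys=("pan", "card", "cvv", "ssn")) -> list:
    """Return the parts of a URL that would expose cardholder data if the URL were
    recorded: query keys that are named sensitively or whose value is a PAN, and
    path segments that are PANs (reported by their last four digits only)."""
    parts = urlsplit(url)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in sensitive_keys or _is_pan(value):
            hits.append(key)
    for segment in parts.path.split("/"):
        if _is_pan(segment):
            hits.append("path:" + segment[-4:])
    return hits


if __name__ == "__main__":
    # Constructed sample: a log line that would otherwise leak a PAN via the logging plugin.
    print(log_and_capture("charge %s succeeded for order 1234567890123", "4111 1111 1111 1111"))
    # Constructed sample URLs of the kind the event-info feature would record from API Gateway.
    print(url_sensitive_fields("https://api.example.com/v1/charge?card=4111111111111111&amount=10"))
    print(url_sensitive_fields("https://api.example.com/v1/charge/4111111111111111"))
```

Attach the filter to the root logger (or to every logger that writes to STDOUT/STDERR) at cold start, before IOpipe's logging plugin can observe output. Run `url_sensitive_fields` over your API routes in a test suite rather than at runtime; a non-empty result means the route should move that field into the request body.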