I wonder how to meet the requirements of PCI DSS (11.3) to test the segmentation controls through penetration tests in the AWS serverless architecture.
We are using components such as AWS Lambda, AWS API Gateway, AWS CloudFront, etc., which do not have a server, so there is no operating system to which we can connect and from which we can initiate penetration tests.
I was trying to read the AWS documentation on PCI responsibilities and there is no mention of segmentation controls. Also, in the PCI guide with respect to cloud computing, it is written that it is the client's responsibility to perform segmentation tests.
Is there any idea of how to accomplish this in the AWS serverless architecture?