
would just running iptables on the instance suffice?


That could be what they had in mind. Our PCI guy tends to frown on that, though, because the purpose of restricting outbound access is so that, if the machine does get compromised, the bad guy can't ship off credit card information. If the outbound restriction is implemented on the machine, the bad guy might simply be able to turn it off.

It's possible that we've got an overly strict PCI guy.

Anyway, this particular issue appears dead now, as these new EC2 features add outbound filtering.
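An added example to make the point above concrete; it is not code from this thread or from AWS, and it assumes the new outbound filtering referred to is VPC security-group egress rules, which are evaluated by the VPC network layer rather than by anything a root attacker on the instance can flush. The group id, the "payment gateway" range 203.0.113.0/24 and the resolver address 10.0.0.2 are constructed, and the rule dictionaries are built inline in the shape boto3's describe_security_groups returns (IpPermissionsEgress), so the audit runs offline; the boto3 call arguments are built but not sent.

```python
"""Audit EC2 security-group egress rules for PCI-style outbound restriction.

Added example, not from the thread. Security-group rules are allow-only
(there is no deny); a group restricts egress only if nothing in it reaches
0.0.0.0/0. IPv4 CIDR rules only; Ipv6Ranges/PrefixListIds are not evaluated.
"""
import ipaddress

# Constructed sample: a VPC group still carrying the default allow-all egress
# rule that every new security group starts with. Group id is hypothetical.
OPEN_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# The same group after revoking the default rule and allowing only what a
# card-handling tier needs: HTTPS to a (hypothetical) payment gateway range
# and DNS to the VPC resolver (hypothetical address).
RESTRICTED_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
    ],
}


def rule_allows(rule, dst_ip, proto, port):
    """True if one egress rule permits proto/port to dst_ip.

    IpProtocol "-1" means every protocol and every port; the API then omits
    FromPort/ToPort, so the port check is skipped in that case.
    """
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def egress_allowed(group, dst_ip, proto, port):
    """True if any rule in the group lets proto/port out to dst_ip."""
    return any(rule_allows(r, dst_ip, proto, port)
               for r in group["IpPermissionsEgress"])


def wide_open_rules(group):
    """Rules that reach the whole IPv4 internet (a /0 range), i.e. the
    finding a PCI reviewer would raise against an egress policy."""
    return [r for r in group["IpPermissionsEgress"]
            if any(ipaddress.ip_network(x["CidrIp"]).prefixlen == 0
                   for x in r.get("IpRanges", []))]


def restriction_calls(group, allowed_rules):
    """Build the boto3 ec2 client call arguments that turn an open group into
    a restricted one: revoke every /0 rule, then authorize only allowed_rules.
    Returned as (method name, kwargs) pairs; nothing is sent here."""
    calls = []
    for r in wide_open_rules(group):
        calls.append(("revoke_security_group_egress",
                      {"GroupId": group["GroupId"], "IpPermissions": [r]}))
    calls.append(("authorize_security_group_egress",
                  {"GroupId": group["GroupId"], "IpPermissions": allowed_rules}))
    return calls


if __name__ == "__main__":
    # A compromised box behind OPEN_GROUP can push card data anywhere;
    # behind RESTRICTED_GROUP the same connection is dropped by the VPC.
    print("exfil to 198.51.100.7:4444 open  :", egress_allowed(OPEN_GROUP, "198.51.100.7", "tcp", 4444))
    print("exfil to 198.51.100.7:4444 strict:", egress_allowed(RESTRICTED_GROUP, "198.51.100.7", "tcp", 4444))
    for method, kwargs in restriction_calls(OPEN_GROUP, RESTRICTED_GROUP["IpPermissionsEgress"]):
        print(method, kwargs)
```

The check worth keeping from this is wide_open_rules: run it over every group attached to in-scope instances and treat any hit as a finding, since the default egress rule is exactly what lets a compromised host reach an arbitrary drop point. Note that this says nothing about the IDS question raised elsewhere in the thread; it only verifies the outbound policy.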


I don't think your PCI guy is overly strict. It's pretty clear that the intentions of the requirements are what you described. What might have worked, though, is to have virtual machines inside the EC2 instances in your VPC, and use this to filter traffic through a separate virtual machine.

Still, it's unnecessarily complicated and, as you say, a resolved issue now. :) The new features announced fit PCI needs quite well. I haven't looked into the IDS issue you mentioned in your first post yet, but I hope it's possible to resolve somehow or get around with compensating controls.

(Disclaimer: I'm no PCI DSS expert, just an unlucky engineer trying to make a compliant system.)



