AWS Partner Network (APN) Blog

Enhancing Governance, Risk, and Compliance Programs with AWS Audit Manager and MetricStream CyberGRC

By Neha Singh Rajpurohit, Sr. Technical Product Manager – AWS
By Larry Im, Sr. Solutions Architect – AWS
By Joy Bhowmick, Head of Product Development and Engineering – MetricStream
By Raghu Srinivas, Sr. Vice President, Product Management – MetricStream


Governance, risk, and compliance (GRC) programs often require extensive custom controls that address a range of compliance standards and internal governance objectives. Many organizations want a centralized dashboard to view compliance evidence collection from their on-premises or multi-cloud environments.

AWS Audit Manager helps to continuously audit Amazon Web Services (AWS) usage to simplify risk assessment and compliance with regulation and industry standards. It automates evidence collection in AWS to make it easier to assess that controls are operating effectively. For a complete GRC perspective from on-premises and multi-cloud environments, a GRC application is needed.

AWS has collaborated with MetricStream, an AWS Partner and AWS Marketplace Seller with capabilities in GRC, to facilitate the hand-off of controls and evidence collection between AWS Audit Manager and MetricStream CyberGRC. This integration lets you keep control definitions and access controls in a centralized GRC environment, without switching between multiple tools or re-establishing the same context in each one.

In this post, we will demonstrate how to configure GRC evidence collection between MetricStream CyberGRC and AWS Audit Manager.

Solution Overview and Architecture

MetricStream CyberGRC is a complete solution to proactively manage, measure, and mitigate cyber risks across the enterprise. CyberGRC helps you gain visibility into cyber risks and reduce security incidents so that you remain in compliance with standards like NIST-CSF, ISO27001, HIPAA, and PCI. Built-in controls, frameworks, and autonomous control testing reduce risk and keep the cost of audits under control.

Using Amazon Cognito User Pools, you’re onboarded into MetricStream’s multi-tenant instance. Cognito User Pools store the machine users, and authenticating as one of them yields a JSON Web Token (JWT) containing your information. A JWT is obtained by authenticating with Cognito using the machine user’s client ID and client secret. This authentication is handled by CyberGRC on your behalf.

Figure 1 – CyberGRC on AWS deployment architecture.

Once authenticated, requests are routed through Amazon API Gateway, which verifies and decodes the JWT using an API Gateway Lambda Authorizer. Your context is then passed to the requested service, which uses AWS Security Token Service (STS) to obtain temporary credentials for the Audit Manager delegated administrator account. Those credentials are used to access Audit Manager and perform the requested actions.

Collecting Evidence with MetricStream CyberGRC

To collect GRC evidence from AWS Audit Manager, you’ll need to define your control mappings and assessment scope, and then review the collected evidence. In this section, you’ll learn how to do this within CyberGRC.

Step 1: Define and Review Control Mapping

Begin by establishing the relationships between GRC controls and AWS controls.

Figure 2 – Establish control mappings in CyberGRC.

After establishing the control mappings, you can define the GRC controls assessments and CyberGRC will manage the assessments in AWS on your behalf.

Figure 3 – Define controls assessment.

Step 2: Define Assessment Scope

Using the Assessment Creation form, you can scope the AWS accounts and the GRC controls for assessment and continuous monitoring.

Figure 4 – Manage controls and assets assessments from AWS Audit Manager.

You can review all of your assessments and the detailed scope by accessing the Assessments Overview report.

Figure 5 – Review assessments from controls.

Step 3: Review Evidence and Results

Once the assessment has been successfully submitted in CyberGRC, a corresponding assessment will be created in AWS, and evidence collection begins by executing the related controls automatically. The control execution results are automatically imported into CyberGRC and aggregated against the mapped GRC controls.

You can then view these results from the Assessments Management dashboard or as a report.

Figure 6 – Review assessments from a centralized dashboard.

Set Up Evidence Collection

For this post, here are the prerequisites:

  • Complete the prerequisites for setting up AWS Audit Manager.
  • Access to a CyberGRC account, which can be acquired from MetricStream by visiting AWS Marketplace.

To get started with collecting evidence from AWS Audit Manager, these are the steps you’ll need to follow:

  1. Create or choose an existing AWS Organization with at least one member account you can use as a delegated administrator. Enable the “all features” setting in Organizations. Use the same delegated administrator for AWS Config, AWS Security Hub, and AWS Audit Manager. You cannot use an organization management account as a delegated administrator.
  2. From the organization management account, enable Audit Manager for every AWS region where assessments will be run. Use the same delegated administrator in each AWS region. If using an AWS Key Management Service Customer Managed Key in Audit Manager, the delegated administrator must have access to that key.
  3. From your chosen delegated administrator account, enable Evidence Finder in every AWS region where assessments will be run.
  4. Enable AWS Config in every AWS account and region where assessments will be run. In each account and region, enable recording for all the resource types for which you want to collect evidence.
  5. From the organization’s management account, enable trusted access for AWS Config and register the same delegated administrator used for Audit Manager. Optionally, enable AWS Security Hub from the organization’s management account and in every account and region where you plan to run assessments. When prompted, select the same delegated administrator you used for Audit Manager and AWS Config. When enabling Security Hub, disable consolidated findings and enable all security standards.
  6. Create an AWS CloudFormation stack in your chosen delegated administrator account using the cybergrc-auditmanager-integration.json template provided by MetricStream. This stack creates an AWS Identity and Access Management (IAM) role in the delegated administrator account with least-privilege permissions that enable CyberGRC to connect to Audit Manager and related services using STS.
  7. In CyberGRC, go to “Continuous Control Monitoring” and enable the integration by providing your chosen delegated administrator account ID and the AWS region in which you deployed the CloudFormation Stack.
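The following is an added, illustrative CloudFormation template of the kind step 6 describes: a cross-account IAM role in the delegated administrator account that a GRC platform assumes via STS. It is not MetricStream’s cybergrc-auditmanager-integration.json; the role name, parameter names, the ExternalId condition and the specific Audit Manager actions are assumptions chosen to show a least-privilege trust relationship.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Illustrative example only: cross-account role for a GRC platform to reach AWS Audit Manager via STS. Not the MetricStream template.",
  "Parameters": {
    "GrcPlatformAccountId": {
      "Type": "String",
      "AllowedPattern": "^[0-9]{12}$",
      "Description": "Placeholder: AWS account ID of the GRC platform that will call sts:AssumeRole"
    },
    "ExternalId": {
      "Type": "String",
      "NoEcho": true,
      "MinLength": 16,
      "Description": "Placeholder: secret external ID the GRC platform must present; guards against the confused-deputy problem"
    }
  },
  "Resources": {
    "GrcAuditManagerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "GrcAuditManagerIntegrationRole",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${GrcPlatformAccountId}:root"}},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}}
          }]
        },
        "Policies": [{
          "PolicyName": "AuditManagerAssessmentAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {"Sid": "ReadControlsAndEvidence", "Effect": "Allow", "Resource": "*",
               "Action": ["auditmanager:ListControls", "auditmanager:GetControl",
                          "auditmanager:ListAssessments", "auditmanager:GetAssessment",
                          "auditmanager:GetEvidenceFoldersByAssessment",
                          "auditmanager:GetEvidenceByEvidenceFolder", "auditmanager:GetEvidence"]},
              {"Sid": "CreateAssessmentsOnly", "Effect": "Allow", "Resource": "*",
               "Action": ["auditmanager:CreateAssessment"]}
            ]
          }
        }]
      }
    }
  },
  "Outputs": {
    "RoleArn": {"Value": {"Fn::GetAtt": ["GrcAuditManagerRole", "Arn"]}}
  }
}
```

The trust policy is scoped to a single external account and requires the ExternalId on every AssumeRole call, and the permissions cover only reading controls and evidence plus creating assessments, so reviewers can check a deployed role against these two properties even when the real template differs in detail.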

Conclusion

Integrating AWS Audit Manager and MetricStream CyberGRC simplifies compliance management for governance, risk, and compliance (GRC) customers by providing a centralized platform for managing compliance requirements and controls across on-premises and multi-cloud environments.

In this post, we demonstrated how you can integrate AWS Audit Manager and MetricStream CyberGRC. You can learn more about MetricStream in AWS Marketplace.



MetricStream – AWS Partner Spotlight

MetricStream is an AWS Partner and leader in enterprise and cloud applications for governance, risk, compliance (GRC) solutions.
