Enhancing the AWS Well-Architected Tool to Provide Continuous Compliance with Trend Micro Cloud One – Conformity
By Paul Hortop, Head of Security at Trend Micro Conformity
Increasingly, Amazon Web Services (AWS) customers are seeing the benefits of adopting the AWS Well-Architected Framework. It helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads.
In this post, I will explore how to enrich the AWS Well-Architected Tool’s workload report by adding the results of definitive best practice checks. I’ll also associate the workload with specific AWS resources through the use of tags.
Once the workload is tagged, you can use Trend Micro’s Cloud One – Conformity, which allows you to create a 360-degree workload review. This provides continuous assurance that your resources are complying with the AWS Well-Architected Framework.
I will also show you in this post how to set up the AWS Well-Architected Tool, tag your workload, and produce a report. I’ll summarize how to quickly deploy Conformity, and you can then associate the best practice checks with your workload and provide a statement you can combine with the report from AWS.
Before we get into the technical detail, I want to share how one of Trend Micro’s customers, 1898 & Co., a Burns and McDonnell company, is already leveraging this integration.
“We leverage Cloud One – Conformity to assess for action, automatically and continuously checking for compliance to the best practices outlined in the Well-Architected Framework,” says Jason Cradit, Principal Cloud Architect at 1898 & Co.
“With the automatic workload data collection from the new AWS Well-Architected Tool API integration,” Cradit adds, “the visibility and actionable intelligence streamlines and eliminates weeks of work from the previous review process. This allows us to continue to rapidly innovate while still building efficient cloud architectures.”
Trend Micro’s dedication to continuous innovation in cloud security on AWS played a role in the buying decision.
“Trend Micro and AWS continue to innovate together to bring new features and integrations to customers,” says Cradit. “We know our customers want the latest and greatest from AWS, and Trend Micro helps us to help them hold up their end of the shared responsibility model.”
With insights provided by Conformity, Cradit showed his executive team a list of threats and misconfigurations that he was able to address immediately. “We saved a ton of money in the first month. Even better, those cost savings will continue every month. Our bill was reduced by 15 percent,” he says.
Meanwhile, Conformity provides Cradit with confidence in his cloud environment, supports customer security and compliance, and increases cloud maturity within his internal IT team.
Working with the AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
By answering a set of foundational questions, you can learn how well your architecture aligns with cloud best practices and receive guidance for making improvements.
The five pillars of AWS Well-Architected are:
- Operational excellence
- Security
- Reliability
- Performance efficiency
- Cost optimization
AWS substantially updated the Well-Architected Framework in July 2020. This update was the first major update since the framework was introduced and added new questions and support for more services. If you have workloads already in the tool, you have the option to update to the newest version and benefit from the latest best practices.
At Trend Micro Conformity, we’re seeing increasing numbers of AWS users adopting the Well-Architected Framework. This increase is primarily driven by:
- Local AWS account teams using the framework for customer reviews.
- Reviews conducted by AWS Consulting Partners who are members of the AWS Well-Architected Partner Program.
- AWS customers using the framework as their baseline.
- Financial regulation authorities.
- AWS Technical Baseline Review requirements for customer-deployed workloads. These are workloads deployed by a customer but designed by a third-party company.
- AWS Technical Baseline Review requirements for partner-hosted as a service. These are solutions hosted by a third-party company that have cross-account access to your account.
Increasingly, AWS looks to independent software vendors (ISVs) to build their workloads and architect their solutions according to the Well-Architected Framework. Building your solution to be compliant from day one, and being able to demonstrate that compliance, will result in better architecture and faster time to market.
I find it interesting that several financial regulators now expect to see workloads adhere to the AWS Well-Architected Framework. This adoption of the framework makes sense as it’s a simple way to ensure a financial system of record is secure, resilient, and cost-effective. While the cost would not have been a factor in a traditional security review, it’s an essential dimension for critical workloads.
Conformity has customers who will not launch a product unless it hits a 90 percent Well-Architected score in Conformity. This simple benchmark ensures infrastructure that goes into production takes full advantage of all that AWS has on offer.
For example, a production Microsoft SQL database that’s being run on Amazon Relational Database Service (Amazon RDS) will benefit from being encrypted at rest, configured to use multiple AWS Availability Zones, and have Auto Minor Upgrades enabled.
Just fixing one of these after go-live could take a significant amount of time, testing, and effort to complete.
Using the Well-Architected Tool in Your AWS Account
The AWS Well-Architected Tool leads you through the process of thinking about your workload and how it’s architected. The tool asks you to define your workload and then answer questions that span the framework’s five pillars.
You can complete this tool alone or, more typically, an AWS Solutions Architect or technical expert from a validated AWS Partner will lead you through the questions, capturing your answers.
Once complete, the tool highlights your medium and high risks, and encourages you to remediate any shortcomings. You can track your progress using milestones and export a report.
Figure 1 – How to use the AWS Well-Architected Tool.
You can access the Well-Architected Tool by signing into the AWS Management Console. After accessing the tool, you can define your workload and answer questions across each of the five pillars. This is your Well-Architected Review.
The dashboard view of your workload will look like this:
Figure 2 – Workload dashboard in the AWS Well-Architected Tool.
Once you have answered the questions, you can tag your infrastructure so you can trace it in Conformity in the next stage.
To demonstrate how your tagging might look, I have chosen a key of ‘Workload’ and value of ‘WAF-1’. You could just as easily use your existing keys for resource naming, as long as they define your workload.
Figure 3 – Tagging a workload.
You’ll need to create an account with Conformity. Once you have added your AWS account and your first scan is complete, select the Browse all checks button, and then select the tab for View by Standard or Framework.
The view defaults to the AWS Well-Architected Framework, and you will see something like this:
Figure 4 – AWS Well-Architected Framework reporting in Conformity.
This is Conformity’s report for the AWS Well-Architected Framework. For each question in the Well-Architected Tool, we have identified which checks from our knowledge base are applicable. Conformity tests the resources, and provides the detailed results.
Figure 5 – SEC 8 Reporting in Conformity.
These are some of the checks Conformity uses for SEC 8 from the framework. Here is SEC 8 from the AWS Well-Architected Tool:
Figure 6 – SEC 8 Reporting in the AWS Well-Architected Tool.
You can now see how the two tools work together. We have the AWS Well-Architected Tool asking you if you have configured service and application logging. You answer yes, and Conformity checks to see if you have enabled AWS CloudTrail, Amazon CloudWatch, AWS Config, and Amazon GuardDuty.
This enhances the value of the Well-Architected Tool, as you can combine subjective answers with empirical data. You may think you have enabled these native AWS security services, but Conformity could highlight they are not all enabled or not enabled in every region.
Conformity has 18 individual checks for SEC 4 across 11 AWS services.
You can focus on your specific workload by using the tags you created earlier. In Conformity, click on the + button next to Filter Checks, and then enter your tag in the Search Tags box.
Figure 7 – Filtering Conformity results based on AWS tags.
You can then filter your results to show how your workload complies with the Conformity Well-Architected checks.
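The tag filter and the three Amazon RDS best practices discussed above can be reproduced outside the console. The following Python is an added example, not Conformity’s or AWS’s code: it evaluates a constructed inventory shaped like the `DBInstances` list returned by boto3’s `rds.describe_db_instances()` (the rule identifiers and the `erp-prod`/`reports-prod`/`sandbox-db` instances are assumptions), keeps only resources tagged `Workload=WAF-1`, and reports a pass rate in the style of the Conformity summary.

```python
# Added example: Conformity-style RDS checks scoped to a workload tag.
WORKLOAD_TAG = {"Key": "Workload", "Value": "WAF-1"}

# Constructed sample data in the shape of boto3 rds.describe_db_instances()["DBInstances"].
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "erp-prod", "Engine": "sqlserver-se",
     "StorageEncrypted": True, "MultiAZ": True, "AutoMinorVersionUpgrade": True,
     "TagList": [WORKLOAD_TAG]},
    {"DBInstanceIdentifier": "reports-prod", "Engine": "sqlserver-se",
     "StorageEncrypted": False, "MultiAZ": True, "AutoMinorVersionUpgrade": False,
     "TagList": [WORKLOAD_TAG, {"Key": "Owner", "Value": "finance"}]},
    {"DBInstanceIdentifier": "sandbox-db", "Engine": "postgres",   # different workload, excluded
     "StorageEncrypted": False, "MultiAZ": False, "AutoMinorVersionUpgrade": False,
     "TagList": [{"Key": "Workload", "Value": "Sandbox"}]},
]

# Hypothetical rule ids; each maps one best practice from the post to a predicate.
RDS_RULES = [
    ("RDS-EncryptionAtRest", lambda db: db.get("StorageEncrypted", False)),
    ("RDS-MultiAZ", lambda db: db.get("MultiAZ", False)),
    ("RDS-AutoMinorUpgrade", lambda db: db.get("AutoMinorVersionUpgrade", False)),
]

def has_tag(db, tag):
    """True when the instance carries exactly the workload key/value pair."""
    return any(t.get("Key") == tag["Key"] and t.get("Value") == tag["Value"]
               for t in db.get("TagList", []))

def evaluate_workload(instances, tag):
    """Run every rule on every tagged instance; return findings and a rounded pass rate."""
    findings = []
    for db in instances:
        if not has_tag(db, tag):
            continue
        for rule_id, predicate in RDS_RULES:
            findings.append({"resource": db["DBInstanceIdentifier"], "rule": rule_id,
                             "status": "PASS" if predicate(db) else "FAIL"})
    passed = sum(f["status"] == "PASS" for f in findings)
    pass_rate = round(100 * passed / len(findings)) if findings else 0
    return findings, pass_rate

def failures(findings):
    """(resource, rule) pairs that need remediation before go-live."""
    return [(f["resource"], f["rule"]) for f in findings if f["status"] == "FAIL"]

if __name__ == "__main__":
    results, rate = evaluate_workload(SAMPLE_INSTANCES, WORKLOAD_TAG)
    for resource, rule in failures(results):
        print(f"FAIL {resource}: {rule}")
    print(f"Workload {WORKLOAD_TAG['Value']} pass rate: {rate}%")
```

Against real accounts you would feed the function the output of a paginated `describe_db_instances` call per region, since a resource missing from one region's scan is exactly the kind of gap the post describes.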
Combining the Reports and Other Benefits
Now that you have completed your workload review in both the AWS Well-Architected Tool and Conformity, you can combine them into one document. Another option is to add the summary from Conformity into the free text field of the lens in the Well-Architected Tool.
Figure 8 – Adding data from Conformity into your report using the console.
Your Conformity results will appear in your report, which you generate in the Well-Architected Tool. This enables you to combine the subjective results of the Well-Architected Review where you answered questions with the empirical data from Conformity.
For example, you may have answered ‘SEC 8 – How do you protect your data at rest?’ by saying you use encryption at rest. Conformity checks that you have enabled encryption at rest in some 49 different places.
Some of these are fairly esoteric, and it’s unlikely you would know that you had turned on encryption for AWS Comprehend Analysis Job Results, for example, or that your AWS Glue Data Catalog is encrypted at rest.
Figure 9 – Conformity data added to the AWS Well-Architected Tool report.
In Figure 9 above, you can see that I have added the results from Conformity to the output of the Well-Architected Tool. You can compare and contrast your answers with those of Conformity, which in this case shows a 75 percent pass rate for Well-Architected.
Additionally, you can use Conformity to monitor the status of your workload and send alerts via:
- Amazon Simple Notification Service (SNS)
- Microsoft Teams
With this reporting in place, you’ll be alerted the moment your infrastructure becomes non-compliant. This gives you the maximum opportunity for remediation.
Figure 10 – Enabling email notification in Conformity for a workload tagged in an AWS account.
In this post, I have shared how to define and review a workload in the AWS Well-Architected Tool, and how to identify that workload using AWS tags.
I’ve shown you how to use Trend Micro Cloud One – Conformity to review that same workload against the AWS Well-Architected Framework using empirical checks across all relevant AWS services and infrastructure.
Finally, I described how to combine the output from the Well-Architected Tool with the reporting of Conformity to provide a 360-degree view of your workload.
You can also visit these resources to learn more:
- AWS Well-Architected Tool
- Cloudy knowledge base on AWS Well-Architected best practices
- Trend Micro Cloud One – Conformity free trial
- Learn more about Cloud One – Conformity
The content and opinions in this blog are those of the third-party author and AWS is not responsible for the content or accuracy of this post.
Trend Micro – AWS Partner Spotlight
Trend Micro is an AWS Competency Partner that helps you build secure, ship fast, and run anywhere with security-as-code, continuous automation, and tools designed to secure applications across your evolving hybrid environment.