Automate the sending of AWS Audit Manager assessment reports
Implementing compliance at scale is not an easy endeavor for customers as they move their workloads to the AWS cloud. Due to the challenges that are posed by cloud environments such as the more ephemeral nature of resources or the dynamic landscape of the cloud, automation is paramount to success. At an enterprise scale the need for automation in order to establish a continuous compliance solution is even more necessary.
A continuous compliance solution is one that has the ability to monitor resources for a configuration change, evaluate and report on the change, remediate if needed, record evidence of this full transaction and finally re-evaluate to update the status. Customers can simplify implementation of a continuous compliance solution on AWS by leveraging the Three Lines Model developed by the Institute of Internal Auditors (IIA). The Three Lines Model helps simplify compliance on AWS as it aligns AWS services to the areas in which they can be properly leveraged in order to establish a compliance solution on AWS.
AWS Audit Manager helps customers automate the process of evidence gathering which aligns to the second line of defense independent assurance. Audit Manager will continually collect evidence from multiple data sources in your environment and allows you to create an assessment report based on the evidence you are collecting. This assessment can be based on one of the several supported frameworks such as NIST Cybersecurity 1.1, SOC 2, or HIPAA and can also be based on a custom framework tailored to your organization.
This assessment report will be delivered to an Amazon S3 bucket of your choosing once it is created and you can then send the report to the appropriate party such as the security or compliance personas. One of the few remaining manual processes that are required when using Audit Manager is the procedure of retrieving the assessment report and getting it to the appropriate parties. In this blog post we will share a solution that will automate the process of sending a completed report to the desired parties once it has been delivered to the S3 bucket.
You must first complete the following pre-requisites to operationalize configuration for the reports:
- AWS Audit Manager needs to be deployed – Getting started with AWS Audit Manager
- Amazon S3 bucket should be set to receive the assessment report summary
- Provide email addresses of upto 3 recipients who will be emailed this assessment report. You must provide atleast 1 recipient’s email address. In this blog, we are assuming that your Amazon Simple Email Service (SES) is in a sandbox mode. Once the solution is deployed, you need to make sure to go to your email inbox and click on the validation link sent by SES
As you can see below in Figure 1, the solution outlined in this blog post demonstrates an automation of how an assessment summary report generate by AWS Audit Manager can be sent to stakeholder’s email inbox as an attachment.
The architecture workflow is described as follow:
- An assessment report summarizes your assessment and providers links to the evidences. Compliance Specialist is the persona using with AWS Audit Manager to simplify capturing evidences for be compliant with a specific framework
- For generate the assessment report refer to this documentation and it will be uploaded in the Amazon S3 bucket of your choice
- Using Event Notification on that S3 bucket, an AWS Lambda function will be trigger
- The AWS Lambda function will capture the assessment report uploaded, and sent using Amazon SES to the recipients assigned
- The email addresses used as parameters will receive the assessment report as an attachment through email
Go to AWS Cloudformation console, select With new resources (standard), select Upload a template file , upload the auditmanager-ses-notification.yaml file from our GitHub repository and follow steps in the console to launch the template The template takes the following parameters:
- Source Email Address: The sender email address that appears in the From address where the email will be sent
- Register Source Email Address: Default is true. The source email address will be registered in Amazon SES that email address will be register in Amazon SES
- Email Address 1: Email address of the 1st recipient
- Register Email Address 1: Choose true to register the email address of the 1st recipient in Amazon SES
- Email Address 2: Email address of the 2nd recipient
- Register Email Address 2: Choose true to register the email address of the 2nd recipient in Amazon SES
- Email Address 3: Email address of the 3rd recipient
- Register Email Address 3: Choose true to register the email address of the 3rd recipient in Amazon SES;
- Report S3 Bucket Name: S3 bucket name to store the assessment
Perform the actions below to test the solution:
- Navigate to the AWS Audit Manager console and select an existing assessment. Follow these steps to add evidence to an assessment report and then generate an assessment report
- Wait for the solution to capture the assessment report and in a few seconds the recipients will receive an email as shown below in Figure 4
- The email contains the assessment summary report as an attachment
To clean up your account and avoid recurring charges perform the following:
Delete the deployed AWS CloudFormation stack used to implement this solution from the AWS console.
In this blog post, we shared a solution that provides a custom automation to simplify your second line of defense. This removes some of the undifferentiated heavy lifting involved in implementing a compliance solution on AWS and can help you get your compliance reports into the hands of relevant stakeholders efficiently. If you would like to know more about AWS services and how to integrate them across the Three Lines of Defense you can read this blog post “Integrate across the Three Lines Model (Part 1): Build a custom automation of AWS Audit Manager with AWS Security Hub” to get started.
About the authors: