AWS Cloud Operations Blog

Automated Evidence Collection for Life Sciences continuous compliance solutions using AWS Audit Manager

In the first post of this two-part series, we highlighted how Life Sciences customers can implement a controlled change management process using AWS Systems Manager Change Manager and AWS Config. The solution in our first post, highlighted how a you can follow your Standard Operating Procedures (SOP’s) by implementing approval steps in order to make resource changes. This is a common requirement for organization’s that need to maintain compliance with FDA 21 CFR Part 11. In this second post of the series, we will show you how to complete the continuous compliance cycle by detailing how to automate evidence collection for the FDA 21 CFR Part 11 framework which many Life Sciences customers are operating under. Throughout this blog post, we will refer to Good Laboratory Practices (GLP), Good Clinical Practices (GCP), Good Manufacturing Practices (GMP) as GxP.

Implementing a continuous compliance solution that is highly automated is one of the most effective ways customers can achieve compliance at scale in the cloud. To accomplish this, you need to (1) continuously monitor and evaluate resource configurations, (2) flag and remediate any non-compliant resources automatically, (3) log the changes and evidence before you then re-evaluate. In our first post, we show you how to accomplish the first two steps in the continuous compliance cycle by using AWS Systems Manager Change Manager and AWS Config to implement a change control process for non-compliant resources. In that post, if a resource is found to be non-compliant by AWS Config the remediation action will be taken by Change Manager. Change Manager will invoke an approval process before the remediation action on the resource takes place. This is done to ensure the remediation action does not have an adverse effect which will degrade operations downstream.

We will now explore the third step where we will use AWS Audit Manager to automatically collect evidence of the compliance state of our resources. AWS Audit Manager is a fully managed service that enables customers to continuously audit and evaluate their compliance with common industry standards. In this blog post, we will focus on Life Sciences and the GxP framework, the same steps will apply for other standards such as PCI-DSS, FedRAMP (Moderate), or NIST-CSF for example. You can find a list of available prebuilt frameworks in the Audit Manager Framework Library.

Overview of solution

This solution utilizes AWS Config to continuously evaluate the configurations of your resources and sends evidence of the result to AWS Audit Manager. If Config evaluates a resource that is non-compliant with your desired configuration state, it will leverage AWS Systems Manager Change Manager for remediation. Change Manager will send an email to an approver to review the change request before the remediation takes place. Once the change request is approved, the automation in the defined change template will then remediate the resource. After Change Manager has remediated the non-compliant resource, the compliance state of that resource is then updated and the evidence is automatically sent to Audit Manager for reporting.

Example architecture for implementing continuous compliance for GxP
Figure 1 – Example architecture of a continuous compliance solution that utilizes change control and AWS Audit Manager as evidence collection

Walkthrough

We will now go over the high level steps needed to implement evidence collection for the GxP framework, completing the continuous compliance cycle.

  • Create an assessment for the GxP framework to start collecting evidence.
  • Generate an assessment report.

Prerequisites

The following prerequisites need to be completed to deploy this solution:

Step 1: Create an assessment for the GxP framework

  1. Navigate to the AWS Audit Manager consoleand Select Create assessment.
  2. In the Assessment details section, enter a name for your assessment. We will use GxP 21 CFR Part 11 for this blog post.
  3. Provide a description for the assessment, we will simply add that this assessment is for GxP 21 CFR Part 11.
  4. In the Assessment report destination section, select an existing (or create new) Amazon S3 bucket where you intend to save your assessment reports. Following the steps above, you should have the following selections in your console.

    Assessment details for the GxP framework
    Figure 2 – Assessment details for GxP 21 CFR Part 11

  5. In the Frameworks search bar, search for the GxP 21 CFR Part 11 framework.
  6. If you would like to add a tag to associate with your assessment, choose Add new tag. When your done choose Next.

    7. Select the GxP framework from the search bar
    Figure 3 – GxP 21 CFR Part 11 framework selection

  7. Select the accounts you want to include in the scope of your assessment.

    You can specify multiple AWS accounts to be in the scope of an assessment. AWS Audit Manager supports multiple accounts through integration with AWS Organizations. This means that Audit Manager assessments can be run over multiple accounts, with the evidence that’s collected consolidated into a delegated administrator account.

    Select which accounts are in scope for this assessment
    Figure 4 – Accounts in scope for GxP assessment

  8. Review the AWS services in scope and choose Next

    9. Prebuilt frameworks will already have the AWS services in scope selected for you. If you create a custom framework you can define the services that will be in scope for your assessment.

    Select which Services are in scope for your assessment
    Figure 5 – Services in scope for GxP assessment

  9. Specify the audit owners for your assessment. Audit owners are the individuals in your workplace—usually from GRC, SecOps, or DevOps teams—who are responsible for managing the Audit Manager assessment.
  10. Choose Create assessment.

    11. Specify audit owners for your assessment
    Figure 6 – Selecting audit owners for the GxP assessment

Step 2: Create an assessment report for the GxP framework

It may take some time for Audit Manager to gather evidence for your assessment. If you are not seeing evidence in your controls, allow some time for the evidence to be collected and then proceed to the next steps.

  1. From the AWS Audit Manager console, select Assessments from the left panel menu. Then select the GxP framework assessment that we created.

    2. Select the GxP assessment to create an assessment report from
    Figure 7 – Selecting the GxP Framework assessment to review

  2. The Controls tab displays a summary of the controls in the assessment, along with a full list of those controls. Each assessment can contain multiple control sets, and each control set contains multiple controls.
  3. Choose the “+” to expand the list for the first control set (Controls for closed systems).

    4. Controls tab showing the controls status summary
    Figure 8 – Review the controls tab

  4. Select the first control which should be 11.10.

    5. We will add the evidence collected for this control to our assessment report. The Evidence folders tab lists the evidence that is automatically collected for this control. It’s organized into folders on a daily basis.

    Control 11.10, controls for closed systems
    Figure 9 – Expand Controls for closed systems to view control 11.10

  5. Select the latest evidence folder and choose add to assessment report.
  6. Repeat steps 3-5 with any other controls you want to add to your assessment report.

    7. Add evidence to the assessment report
    Figure 10 – Select evidence folders to add to your assessment report

    Now that we have selected the evidence to be added to our assessment report, we will now generate and download the report.

  7. Choose View evidence in assessment report from the top banner displayed.

    8. View assessment report selection
    Figure 11 – View evidence in assessment report after making selections

  8. In the Assessment report selection tab in the bottom panel select Generate assessment report.


    9. Figure 12 – View evidence in assessment report after making selections

  9. Provide the report with a name and description, we will give ours the name GxP_controls.
  10. Select Generate assessment report.
  11. From the Audit Manager console choose Download center, which you can find in the left panel menu.
  12. You can now select and download the assessment report.

Cleaning up

To avoid incurring future charges, delete the resources.

Conclusion

In this blog post, we detailed the steps to start automating evidence collection for GxP CFR 21 part 11. Leveraging AWS Audit Manager to automate evidence collection not only streamlines the compliance process but also help organizations demonstrate their adherence to regulatory standards. By using Audit Manager you can quickly get started on gathering evidence for the controls in your selected framework. Automated evidence collection is an essential piece of a continuous compliance solution when operating in the cloud. In highly regulated environments organizations must make changes using approvals in order to ensure resource changes do not introduce unintended issues to their applications. Our first post of this series outlined how Life Sciences customers can adhere to their SOP’s by implementing a defined change control process. By combining this post with the previous of this series we created a solution for continuous compliance and highlighted the art of the possible for Life Sciences customers.

About the authors

Craig Edwards author photo

Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS based out of Boston Massachusetts. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. Craig is a United States Air Force Veteran and when he is not building cloud solutions, he enjoys being a Father and electric vehicles.

Nereida Woo author photo

Nereida Woo

Nereida is a Cloud Operations Specialist Solutions Architect focusing on Centralized Operations Management on AWS. When she isn’t working, she enjoys attending music concerts and traveling.

Randy Woo author photo

Randy Woo

Randy Woo is a United States Air Force veteran and is now a Solutions Architect simultaneously solving challenges in the Windy City…