AWS Cloud Operations & Migrations Blog

Harness the power of control automation to reduce operational risk and improve compliance

As Financial Service Industry (FSI) customers plan their migration to AWS, a common question is whether there is an easy approach for automating common technology controls to support nearly continuous compliance monitoring. The good news is that AWS provides a number of flexible and powerful capabilities to not only address compliance automation, but to also reduce operational risk for our customers.

About this blog post
time to read 6 minutes
Learning level Intermediate (300)

In fact, an often-overlooked benefit of cloud migration is the increased level of transparency into usage activity and changes in the environment. With that transparency, customer risk and control teams are empowered with additional capabilities to automatically enforce controls during development and production operations.

Application development teams are often familiar with the automation potential in the cloud. However, for the majority of risk and control teams, the capabilities and breadth of available detective controls is still fairly new. As we have learned from our engagements with customers, there is a significant opportunity to benefit from these new capabilities. When implemented, control automation can provide our customers with the confidence that their cloud environment can be effectively governed.

Complimentary workshops to review and implement cloud controls

To support our customers in expanding their automated control environment, the AWS Management and Governance business development team conducts a complimentary Management and Governance Industry Compliance (MAGIC) workshop. Recognizing that effective governance encompasses both implemented cloud control solutions and insights into control assessment and identification, MAGIC workshops combine control process reviews alongside AWS services guidance. The control process review is designed to help customers identify industry and regulatory expectations. It also helps define the suite of preventative, detective, and corrective controls customers use to satisfy internal and external requirements.

That control process review is followed by a deep dive into AWS Management and Governance service capabilities, including:

In the suite of AWS Management and Governance services, one key enabler for achieving technology control automation is AWS Config. Powerful capabilities of AWS Config include a selection of AWS Config managed rules, which are predefined, customizable rules. You can use AWS Config managed rules to detect changes in your AWS environment, and with that detection, identify areas of potential non-compliance. AWS Config conformance packs extends that capability by allowing AWS Config managed rules and remediation actions to be grouped into a single pack that can be easily deployed across multiple AWS accounts. You also have the option to use AWS Systems Manager to automate common and repetitive operational and management tasks within your AWS environment.

MAGIC workshops are designed to apply across all industries. Customers in public sector, financial services, and other industries with higher levels of regulation find it extremely valuable. The workshops are conducted by a cross-functional AWS team that includes governance expertise from FSI Business Development, a seasoned Solutions Architect, and a Business Development Manager from the AWS Management and Governance team, working closely with the customer account team. The primary objective of the workshop is on raising awareness with customer representatives from security operations, production management, and technology risk teams on the control automation potential of AWS Management and Governance services. Additionally, as part of MAGIC, you are offered technical guidance from the AWS Management and Governance team to implement a complimentary proof of concept to implement an AWS Config conformance pack for an identified compliance or control use cases. The most effective workshops have been those where key customer stakeholders, including engineers, cloud operations, security, and internal audit stakeholder all attend. The power of this interactive workshop approach is that it provides a venue for customer teams to collaborate and align on how to use automation to address specific compliance concerns, and how to strengthen their AWS control environment.

New and improved AWS Config and AWS Config conformance packs

AWS Config is a key service that can be used to establish a long-term foundation for increased control automation. AWS Config conformance packs provide a simple mechanism to group managed rules. If necessary, you can associate automated remediation actions into packaged sets of related checks that can be used to validate best practices for specific AWS services, such as Amazon S3, or broad control categories that encompass multiple AWS Services, for example, NIST CSF. These nearly continuous automated checks and remediation actions establish the foundation of compliance-as-code workflow, giving customers confidence in their ability to evidence ongoing compliance in the cloud.

As an example, one conformance pack we recommend to our customers is the Operational Best Practices for AWS Identity and Access Management, given its broad applicability. This conformance pack checks a selection of access management best practices checks, including password complexity, MFA enablement, and unused credential checks to give transparency into foundational controls and usage.

AWS Config conformance packs can be a key element in a compliance-as-code framework. Following is a sample architecture diagram for how this might be achieved:


Contact us to learn how Management and Governance Services can support your control automation efforts

MAGIC workshop modules have been designed to work backward from your needs, with the objective of helping you design and implement a set of controls to automate control monitoring and remediation.

As an incentive for being an early participant in a MAGIC workshop, you are provided with AWS credits to support a complimentary proof of concept to address compliance use cases. Along with these AWS credits, you will also receive control expertise and direct technical support from AWS to introduce you to a selection of AWS Config managed rules and the implementation of an AWS Config conformance pack.

The MAGIC team looks forward to working with you and exploring how we can help to streamline and automate even the most challenging controls. Contact for more information or to schedule an information session.

About the authors:

Mike ( is a Global Business Development Manager for AWS. Mike helps AWS customers implement controls for continuous compliance to internal, regulatory, and industry frameworks using the powerful capabilities of AWS Config and other AWS Management and Governance services. Mike is passionate about working backwards with early adopter customers, and supporting product teams in taking new service offerings from concept to market. Mike enjoys traveling globally and making new friends.

Mike’s LinkedIn Profile

Jen ( is a principal technical program manager with AWS. In her role, she supports financial services organizations in understanding how to streamline control processes and leverage automation to govern their most sensitive workloads. She lives in New York City with her husband and daughter, and is looking forward to when we can once again safely travel and explore the world.

Jen’s LinkedIn Profile


Andres ( is a Principal Specialist Solutions Architect with the Management Tools team at AWS. He has been working with AWS technology for more than 9 years. Andres works closely with the AWS Service teams to design solutions at scale that help customers implement and support complex cloud infrastructures. When he is not building cloud automation, he enjoys skateboarding with his 2 kids.

Andres’ LinkedInProfile