AWS Cloud Operations & Migrations Blog

Integrate across the Three Lines Model (Part 1): Build a custom automation of AWS Audit Manager with AWS Security Hub

The Three Lines Model developed by the Institute of Internal Auditors (IIA) helps organizations identify
structures and processes to facilitate strong governance and risk management. In that model, the first-line function manages risk, the second-line function oversees risk and the third-line function provides objective and independent assurance of risk management. According to a Deloitte analysis titled ‘Modernizing the three lines of defense model‘, internal audit (IA) functions can have the strongest impact in their organizations by automating assurance tasks and by providing real time integrations and insight into emerging risks. Internal Audit can then use the monitoring of results, perform agile testing of controls and provide relevant assurance and advice to achieve strong impact for the organization.

AWS Audit Manager provides continuous and automated gathering of evidence related to your AWS resource usage. It helps simplify risk assessment and compliance with regulations and open standards and helps you maintain a continuous, audit-ready posture to provide a faster, less disruptive preparation process. When you apply the three lines model to AWS services, AWS Audit Manager provides the third-line function by enabling objective and independent assurance of risk management.

AWS Security Hub is designed to give you a comprehensive view of your security posture across your AWS accounts. With Security Hub, you now have a single service that aggregates, organizes, and prioritizes your security alerts or findings from multiple AWS services. When you apply the three lines model to AWS services, AWS Security Hub provides the second-line function of overseeing risk.

In this post, the first in a two-part series, I provide an implementation of a real-time automation and integration across the three lines model in AWS. I integrate the function that provides independent assurance (third-line function) with a function that oversees risk (second-line function).

In the second post of this series, I will provide a mechanism for building a custom real-time automation and integration across the three lines model in AWS by integrating the independent assurance function (third-line function) with the function that manages risk (first-line function).

Solution architecture

The solution creates a custom AWS Audit Manager framework that includes custom AWS Audit Manager control sets. Custom frameworks in AWS Audit Manager help you organize controls into control sets that suit your unique needs.

AWS Security Hub provides an out of the box integration with AWS Audit Manager where Security Hub findings based on Security Hub security standards are sent to Audit Manager. If compliance checks from Security Hub security standards are the only data source for an Audit Manager control then the out of the box Audit Manager control set (as well as the Audit Manager framework and assessment) correspond to one of the three supported AWS Security Hub security standards – Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) or Payment Card Industry (PCI).

In our solution we use compliance checks for security findings from Security Hub as the only data source for Audit Manager controls. However, the custom control set in our solution contains AWS Audit Manager controls related to AWS Security Hub findings that span across the FSBP, CIS and PCI standards.  The Audit Manager control set is not specific to the Security Hub security standard but it is specific to a security-related domain (for example, identity management or network monitoring). The Audit Manager control set includes controls from all three Security Hub security standards (FSBP, CIS or PCI) as they relate to that specific domain. This is a common use case where customers want to delegate audit assurance responsibilities to security administrators based on their subject matter expertise.

Figure 1 shows the request flow:

In step 1, Security Hub sends compliance checks to AWS Audit Manager. enecIccbibeeuihnlvbgjkbfil iljditnddjsvtunheertktep 2, the solution creates custom control sets. In step 3, the solution creates a custom framework. In step 4, the solution provisions a custom assessment from the framework

Figure 1: Building a custom integration of AWS Security Hub and AWS Audit Manager

  1. The out-of-box integration of AWS Security Hub and AWS Audit Manager sends compliance checks for security findings from Security Hub to Audit Manager.
  2. The solution creates custom control sets in Audit Manager that span AWS Security Hub CIS, FSBP, and PCI checks. These custom control sets are based on IAM-related and monitoring-related checks from AWS Security Hub.
  3. The solution creates a custom Audit Manager framework that includes the custom IAM control set and the custom monitoring control set. The Audit Manager framework ID is stored in the AWS Systems Manager Parameter Store.
  4. Finally, the solution provisions a custom Audit Manager assessment from the custom framework created in the previous step. The Audit Manager assessment retrieves the Audit Manager framework ID from the AWS Systems Manager Parameter Store.

Solution components

The solution consists of the following components:

AWS CloudFormation templates:

AWS Lambda function, CustomAuditManagerFramework_Lambda.py, that does the following:

  1. Selects several AWS Security Hub checks as a data source.
  2. Creates custom Audit Manager control sets for IAM, API, and network monitoring based on Security Hub checks across PCI, CIS, and FSBP frameworks.
  3. Creates an AWS Audit Manager custom framework with the control set that uses Security Hub as a data source.
  4. Creates an AWS Audit Manager assessment based on the custom framework.

For more information, see the readme on GitHub.

Prerequisites

Before you begin, complete the steps required to set up and deploy the solution.

  1. Follow the steps to enable AWS Security Hub in your AWS account.
  2. Follow the steps to set up AWS Audit Manager.
  3. Navigate to the AWS Audit Manager console to configure your AWS Audit Manager settings.
  4. Create an Amazon Simple Storage Service (Amazon S3) bucket with the following name: s3-customauditmanagerframework-<AccountId>-<Region> where <AccountId> is your AWS account ID and <Region> is the AWS Region where you plan to deploy the CloudFormation templates in the setup. In this bucket, create a folder named CustomAuditManagerFramework_Lambda. Follow the steps to create a directory and then upload the CustomAuditManagerFramework_Lambda.zip file there.
  5. Audit Manager works with the Boto3 1.7 libraries. AWS Lambda doesn’t ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a Lambda layer. Upload the auditmanagerlayer.zip to the top directory of the S3 bucket you created in step 4.
  6. Create an IAM user with Audit owner permissions. You can use the AWSAuditManagerAdministratorAccess policy as a starting point but please remember to scope down these permissions as needed to fit your requirements.
  7. If you have already configured an assessment reports destination in your Audit Manager settings then you can skip this step. Otherwise for our solution you can simply reuse the S3 bucket from step 4. To generate assessment reports successfully, your Amazon S3 bucket must be in the same AWS Region as your assessment. In the bucket from step 4, create another folder for e.g. evidences. Follow the steps to create a directory and your assessment reports destination will be the S3 URI for e.g. s3://s3-customauditmanagerframework-<AccountId>-<Region>/evidences/ in this case where <AccountId> is your AWS account ID and <Region> is the AWS Region where you plan to deploy the CloudFormation templates in the setup. AWS Audit Manager will save your assessment reports to this bucket.

Solution setup

The solution automates the setup and deployment in two steps:

Step 1: In the AWS CloudFormation console, create a stack to launch the aws-auditmanager-securityhub.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameter:

  • SourceBucket: The name of the S3 bucket that contains the AWS Lambda source code. This is the bucket you created in step 4 of the prerequisites. Replace <AccountID> and <Region> with the AWS account ID and Region where you are deploying this template.

Step 2: In the AWS CloudFormation console, create a stack to launch the aws-auditmanager-customassessment.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:

  • AssessmentDestination: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the S3 URI from step 7 of the prerequisites. Replace <AccountID> and <Region> with the AWS account ID and Region where you are deploying this template.
  • AuditOwnerArn: The ARN for the IAM user you created in step 6 of the prerequisites.

Review your findings

For AWS Security Hub, the frequency of evidence collection follows the schedule of your AWS Security Hub checks. To start evidence collection, AWS Audit Manager assesses an in-scope resource from a data source (in this case, a related Security Hub compliance check result). It converts the obtained data into an auditor-friendly format to make it easier to understand. The converted data and metadata are then saved as Audit Manager evidence and attached to each control of the control set in the assessment. Now that your deployment is complete, you can review the evidence collected from your custom assessment.

Cleanup

To avoid incurring additional charges in your account or to be able to redeploy the solution, perform the following steps:

  1. Follow the steps outlined here to delete CloudFormation stacks  for the templates that you deployed. Delete the stacks in the sequence below for the two templates :
    1. aws-auditmanager-customassessment.yml
    2. aws-auditmanager-securityhub.yml
  2. Follow the steps to  delete the custom framework  as well as to delete the custom controls that were created in Audit Manager.
  3. From the AWS Systems Manager console, choose Parameter Store from the left panel and from the My Parameters tab, delete the Audit Manager framework ID.

Conclusion

In this blog post, I shared a solution that provides an implementation of a custom real-time automation and integration across the three lines model in AWS.  When you apply the three lines model to AWS services, AWS Security Hub is one of the services that provides the second-line function of overseeing risk. AWS Audit Manager provides the third-line function by enabling objective and independent assurance of risk management.

The custom Audit Manager assessment in this solution provides continuous and automated gathering of evidence where Security Hub compliance checks are the only source for the evidence gathered in Audit Manager. However the custom Audit Manager assessment is not specific to a Security Hub security standard but is specific to a security-related domain (for example, identity management or network monitoring) and spans across controls from all three Security Hub security standards (FSBP, CIS or PCI) as they relate to that specific domain.

About the author

A picture of Kanishk Mahajan

Kanishk Mahajan

Kanishk Mahajan has been leading AWS cloud transformation, solution architecture and delivery teams for customers for several years. Currently at AWS, Kanishk specializes in the domains of management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member at AWS in each of those domains.