AWS Cloud Operations Blog
Introducing AWS Audit Manager Common Controls Library
AWS Audit Manager introduced the AWS common controls library to help Governance, Risk and Compliance (GRC) teams efficiently map their enterprise controls into Audit Manager for evidence collection. The common controls library gives customers a simpler way to collect evidence that supports overlapping controls across multiple compliance standards, streamlining the evidence collection process and reducing the work and time enterprise customers need to onboard to Audit Manager and start collecting evidence across their portfolio of compliance needs.
AWS Audit Manager enables customers to efficiently manage compliance assessments and audits. The service automates evidence collection, reducing manual effort often required during audits. Prebuilt frameworks map AWS resources to compliance requirements, streamlining audit preparation. This simplifies gathering evidence, generating reports, and managing assessments. With today’s global digital economy, customers frequently have multiple compliance needs based on industry, geography, and other factors. Since various frameworks share common controls, customers can create enterprise controls to eliminate duplicative work across frameworks. Overall, AWS Audit Manager scales audit capabilities as business grows in the cloud.
Previously, customers were unable to review AWS Audit Manager evidence in the context of their enterprise controls that span multiple compliance frameworks. In this blog post, we will learn about Audit Manager’s common controls library, which comprises resource-specific controls (e.g., Data encryption at rest) that provide a collection of out-of-the-box AWS data sources for evidence collection, developed by compliance experts within AWS Security Assurance Services, LLC (AWS SAS). Customers can easily understand the rationale for using various data sources and identify commonality across their compliance requirements for evidence collection.
Addressing challenges in reviewing evidence across diverse enterprise common controls
Compliance professionals in established organizations are constantly developing and maintaining enterprise controls to consolidate requirements that may be present in multiple compliance, risk, and governance standards. Until now, compliance professionals were unable to easily review their cloud-based audit evidence in the context of these enterprise common controls. Customers had to either review evidence on a framework-by-framework basis or manually map their custom controls to individual data sources to view their evidence in the context of their enterprise common controls. The previous process required manual audit and compliance tracking along with multiple evidence collection processes.
The AWS common controls library enables customers to efficiently map enterprise controls to relevant AWS data sources for streamlined evidence gathering. By mapping controls to logical groupings of data sources (e.g., Config rule “ec2-ebs-encryption-by-default”) using industry standard compliance terminology, customers can retrieve evidence on-demand to demonstrate compliance across multiple audit requirements. For example, a financial institution could map internal controls to AWS data sources just once, then leverage that mapping to readily supply evidence for SOC 2, CIS Benchmarks, PCI DSS, and other audits as needed. This consolidated approach reduces audit fatigue by eliminating redundant, manual data source mapping.
When mapping controls in Audit Manager, customers can view a hierarchical list of AWS common controls grouped into standardized domains that they can leverage to identify the available AWS data sources for their enterprise control.
Customer benefits
Customers will experience the following benefits with the introduction of Audit Manager common controls library:
• Easier custom control creation: Customers can now create custom controls that use AWS common controls for evidence collection, instead of individually identifying data sources (e.g., Config rules, API calls) to use for evidence collection.
• Removal of manual work: Customers can now map enterprise controls to AWS data sources using pre-defined data source mappings, instead of manually identifying these data sources.
• Automatic updates: Data sources for common controls will continuously update as Audit Manager’s common controls library improves and as cloud compliance requirements change, so that compliance professionals don’t have to worry about manually editing their controls with each change.
How it works
The AWS common controls library is developed by compliance experts within AWS SAS. These compliance experts are developing a proprietary set of AWS common controls to de-duplicate requirements across commonly used audit frameworks, and to identify data sources across AWS services that will demonstrate compliance with these controls.
A common control is a guideline that’s not specific to any framework or AWS resource. Instead, it’s designed to collect evidence for various control sources within a domain (e.g., Data Protection). Although common controls are not specific to a framework, they are mapped to frameworks such as NIST 800-53, the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). As a result, you can use these controls to collect evidence for multiple frameworks across your portfolio of compliance needs.
Each common control comprises one or more underlying core controls. A core control is a type of AWS managed evidence source (e.g., a specific AWS Config rule). For example, the common control Encrypt data at rest comprises core controls such as Enable encryption on CloudWatch log group and Enable encryption for AWS CloudTrail trails.
With the launch of common controls, customers can create custom controls in Audit Manager using common controls as a data source. This makes it easy even for non-technical users to create controls. If needed, customers can also specify additional data sources, such as AWS managed core controls or customer managed data sources (API calls, CloudTrail events, custom Config rules, and so on). For example, you can combine the common controls Encrypt data at rest and Encrypt data in transit into a single custom control for data encryption. Often, customers with several compliance obligations already have a custom framework in place or would like to create one. Building custom controls from common controls lets customers reproduce a pre-existing custom framework or create a new one. When creating custom controls, customers can use common controls, core controls, and customer managed sources.
Exploring common controls
1. Open the Audit Manager console and select Control library from the left navigation pane.
Figure 1: Audit Manager Console
2. Under the common tab, type encrypt in the search bar. Select Encrypt data at rest.
3. The Overview section provides a description of the control. The Evidence sources tab lists the core controls that the Encrypt data at rest common control comprises, with the data source type listed next to each core control. The Related requirements tab shows the common control’s mapping to different frameworks.
Figure 2: Common Controls mapping
Creating a custom control
For this example, suppose you have an enterprise control for data encryption. The enterprise control includes encryption in transit and encryption at rest. You’d like to create the same enterprise control in AWS.
1. From the left navigation pane, select Control library.
2. Select Create custom control and give the control a name, for example, Data Encryption. Populate the remaining fields with the description, testing information, and tags, as appropriate, and select Next.
Figure 3: Create Custom Controls
3. Under AWS managed sources, there will be two check boxes. The first check box for common controls will be checked by default. Open the dropdown for common controls and type encrypt, then select Encrypt data at rest and Encrypt data in transit.
4. Select the second check box for usage of core control and open the dropdown. Type TLS and select Configure custom TLS policies for listeners on AWS Elastic Load Balancers, then select Next.
Figure 4: Configure evidence sources for custom control
5. If applicable, type in the action plan to remediate findings. Select Next, then select Create custom control.
When you create a custom control in Audit Manager, you also have the option to use a customer managed source to collect automated evidence from a business-specific resource, such as a custom AWS Config rule. You would mainly use this option if you want to add manual evidence to your custom control.
To use the custom control, you’ll need to add it to a custom framework and create an assessment from the framework.
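As an added illustration (not Audit Manager's or AWS's own code) of the hierarchy the post describes, custom control → common controls → core controls → data sources, the Python model below resolves the walkthrough's Data Encryption control to a de-duplicated list of evidence sources and reports which frameworks each common control's evidence supports. The Config rule names backing each core control, the membership of the ELB core control in Encrypt data in transit, and the customer managed rule name are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CoreControl:          # an AWS managed evidence source
    name: str
    source_type: str        # e.g. "AWS Config rule"
    source_key: str         # the rule or API name that yields the evidence
@dataclass(frozen=True)
class CommonControl:        # framework-agnostic; groups core controls
    name: str
    core_controls: tuple
    frameworks: frozenset   # frameworks the common control is mapped to

# Core controls named in the post; which managed Config rule backs each one is an assumption.
CW_LOGS = CoreControl("Enable encryption on CloudWatch log group",
                      "AWS Config rule", "cloudwatch-log-group-encrypted")
CLOUDTRAIL = CoreControl("Enable encryption for AWS CloudTrail trails",
                         "AWS Config rule", "cloud-trail-encryption-enabled")
ELB_TLS = CoreControl("Configure custom TLS policies for listeners on AWS Elastic Load Balancers",
                      "AWS Config rule", "elb-tls-https-listeners-only")
FRAMEWORKS = frozenset({"NIST 800-53", "PCI DSS", "HIPAA"})
ENCRYPT_AT_REST = CommonControl("Encrypt data at rest", (CW_LOGS, CLOUDTRAIL), FRAMEWORKS)
ENCRYPT_IN_TRANSIT = CommonControl("Encrypt data in transit", (ELB_TLS,), FRAMEWORKS)  # assumed

@dataclass
class CustomControl:        # an enterprise control built in Audit Manager
    name: str
    common_controls: list
    extra_core_controls: list = field(default_factory=list)
    customer_sources: list = field(default_factory=list)  # (type, key) pairs

    def evidence_sources(self):
        """Flatten common -> core -> data source, dropping duplicates but keeping order."""
        cores = [c for cc in self.common_controls for c in cc.core_controls] + self.extra_core_controls
        out = []
        for key in [(c.source_type, c.source_key) for c in cores] + self.customer_sources:
            if key not in out:
                out.append(key)
        return out

    def framework_coverage(self):
        """Map each framework to the common controls whose evidence supports it."""
        cov = {}
        for cc in self.common_controls:
            for fw in sorted(cc.frameworks):
                cov.setdefault(fw, []).append(cc.name)
        return cov

# The walkthrough's control: both common controls, the ELB core control selected explicitly
# (a duplicate that resolution removes) and one constructed customer managed Config rule.
DATA_ENCRYPTION = CustomControl("Data Encryption", [ENCRYPT_AT_REST, ENCRYPT_IN_TRANSIT],
                                [ELB_TLS], [("Custom Config rule", "org-kms-key-rotation-check")])
```

Resolving the control yields three managed Config rules plus the customer rule, with the explicitly selected ELB rule counted once; the coverage map shows the same evidence serving NIST 800-53, PCI DSS and HIPAA.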
Conclusion
In this blog post, we’ve demonstrated how you can leverage common controls to build a custom framework for mapping your enterprise controls with Audit Manager. The ability to create custom controls is now available in all AWS Regions supporting Audit Manager. To get started, visit the common control library in the AWS Audit Manager console.