AWS Cloud Operations & Migrations Blog

Prepare for an Audit in AWS Part 1 – AWS Audit Manager, AWS Config, and AWS Artifact

AWS customers represent a range of different verticals, locations, and sizes. Given today’s digital, global economy, customers have various governance needs based upon their geographies. Regardless of the regulations or standards, AWS provides services and resources that help our customers prepare to meet those requirements. In this post, I demonstrate how you can use AWS services to help you automate the collection of evidence used in audits (AWS Audit Manager), monitor your environment through a compliance lens (AWS Config), and gain access to AWS’ security and compliance reports (AWS Artifact). Let’s dive into these services and see how they can help.

Example

Applicable laws and regulations can vary based on several factors, such as location and number of employees. For example, AWS customers may fall under the EU’s General Data Protection Regulation (GDPR) when working with data from European Union citizens. Additional compliance needs may arise while working with PCI-DSS if processing credit cards. Other customers may want to demonstrate their operational readiness with a SOC 2 certification, regardless of legal regulations.

For illustration purposes, let’s take a healthcare technology company that aligns with the Health Insurance Portability and Accountability Act (HIPAA). This company has a platform that hosts and processes Protected Health Information (PHI). Therefore, they must have technical controls in place to ensure the protection and privacy of that data. The company must also demonstrate its compliance posture and provide adequate evidence during audits. This post will walk through the details of one particular compliance control, 164.312(a)(2)(iv). HIPAA CFR 164.312(a)(2)(iv) states “Implement a mechanism to encrypt and decrypt electronic protected health information”, and we’ll be focusing on encryption at rest controls to align with this CFR.

This example will use a single AWS account for illustrative purposes, but all of the services in this post integrate well with AWS Organizations. AWS Audit Manager allows you to gather evidence from multiple AWS accounts. AWS Config collects data from multiple regions and multiple accounts through the use of an aggregator. AWS Artifact allows for agreements to be accepted on behalf of member accounts within an organization, even as new reports or accounts are added. For more information on enabling these services with AWS Organizations, see below:

Let’s look at how AWS can help this healthcare technology company prepare for any upcoming audits.

AWS Services

AWS Config

When preparing for an audit, it’s essential to know what resources fall under the scope of an audit and the state of those resources. AWS Config is a service that lets you track the resources running in your AWS environment and evaluate them against a set of defined rules. Using AWS Config rules, you can build a collection of rules to monitor the compliance state of your resources against your specific compliance requirements. This enables you to detect when a resource may be out of compliance. AWS Config rules also allow for automated remediation, such as an AWS Lambda function, that can be run when a resource is evaluated to be non-compliant against a rule.

This helps you prepare for your audit by automatically building and maintaining a list of resources within your AWS environment, and allowing you to continuously evaluate your compliance posture against the technical controls that matter to you. AWS Config also serves as a data source for Audit Manager, reporting the results of compliance checks directly from AWS Config.

Furthermore, AWS Config supports conformance packs, a collection of AWS Config rules and remediation actions expressed as a template. To help our customers evaluate their environments, AWS has provided sample conformance packs that map controls to dozens of common compliance frameworks and standards. In addition to the sample rules, each conformance pack contains a table that maps a Config rule to a specific control within the compliance framework.

Figure 1: Sample Config rule from the Operational Best Practices HIPAA conformance pack

The Config conformance pack sample templates can be viewed here, and installation is available through the AWS Config console. Note that the sample templates, including those related to compliance standards and industry benchmarks, aren’t designed to ensure your compliance with a specific governance standard. They can neither replace your internal efforts nor guarantee that you’ll pass a compliance assessment.

Our example healthcare technology company is using AWS Config to monitor the state of its resources. They installed the Operational Best Practices for HIPAA Security conformance pack, which includes Config rules that verify that encryption is enabled on multiple AWS services, and is mapped to the 164.312(a)(2)(iv) CFR. As you can see above, one of the rules evaluates all Amazon Elastic Block Store (Amazon EBS) volumes and checks if they have enabled encryption. The rule will mark a resource as non-compliant if the encryption setting isn’t enabled and can be configured to alert the operations team if a resource is marked as non-compliant. This helps our healthcare organization prepare for their audits by proactively alerting them to any potential issues with resources within the environment. It is also an important step in our audit journey, because rules contained in the conformance pack will send their results to the next service we’ll discuss, Audit Manager.
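To make the rule evaluation concrete, the following added example (not AWS code, and not from the conformance pack itself) models offline how the ENCRYPTED_VOLUMES check decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE for an EBS volume configuration item, and groups the non-compliant volumes under the HIPAA control a conformance pack maps the rule to. The configuration items, volume IDs and the rule-to-control mapping are constructed for illustration.

```python
import json

# Constructed mapping in the spirit of a conformance pack's rule-to-control table
# (an assumption for this example, not the real table): both rules support
# HIPAA 164.312(a)(2)(iv), encryption at rest.
RULE_TO_CONTROL = {
    "ENCRYPTED_VOLUMES": "164.312(a)(2)(iv)",
    "RDS_STORAGE_ENCRYPTED": "164.312(a)(2)(iv)",
}

# Constructed AWS Config configuration items for three EBS volumes (IDs are made up).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa111example",
     "configurationItemStatus": "OK", "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb222example",
     "configurationItemStatus": "OK", "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0ccc333example",
     "configurationItemStatus": "ResourceDeleted", "configuration": None},
]

def evaluate_encrypted_volumes(item):
    """Reproduce the decision ENCRYPTED_VOLUMES makes for one configuration item.
    Deleted or non-volume resources are NOT_APPLICABLE, so they never become findings."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        compliance = "NOT_APPLICABLE"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance = "NOT_APPLICABLE"
    elif (item.get("configuration") or {}).get("encrypted") is True:
        compliance = "COMPLIANT"
    else:
        compliance = "NON_COMPLIANT"
    return {"ComplianceResourceType": "AWS::EC2::Volume",
            "ComplianceResourceId": item.get("resourceId"),
            "ComplianceType": compliance}

def handler(event, context=None):
    """Entry point shaped like a custom Config rule Lambda: the configuration item
    arrives as a JSON string in event['invokingEvent']."""
    invoking = json.loads(event["invokingEvent"])
    return evaluate_encrypted_volumes(invoking["configurationItem"])

def findings_by_control(items, rule="ENCRYPTED_VOLUMES"):
    """Group NON_COMPLIANT volume IDs under the HIPAA control the rule maps to,
    which is the list an operations team would hand to the audit owner."""
    control = RULE_TO_CONTROL[rule]
    bad = [r["ComplianceResourceId"] for r in map(evaluate_encrypted_volumes, items)
           if r["ComplianceType"] == "NON_COMPLIANT"]
    return {control: {rule: bad}}

if __name__ == "__main__":
    print(json.dumps(findings_by_control(SAMPLE_ITEMS), indent=2))
```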

For more information, refer to Getting Started with AWS Config.

Audit Manager

One requirement, independent of the audit type, is the process of gathering evidence. For example, screenshots of a resource, the account password policy, documentation showing the change management process and associated procedures, or anything in between. Tracking down and collecting this evidence is often a manual process, and sometimes it can create a “fire drill” when evidence may be due to the auditor, but no one knew what was required until the last minute. Audit Manager can help reduce this burden.

Audit Manager helps you continuously audit your AWS usage and simplify how you assess risk and compliance with regulations and industry standards by automating the collection of required evidence. For example, Audit Manager can automatically collect evidence specific to a particular regulatory framework or a custom framework, and then provide a location for evidence to be uploaded manually.

Walkthrough

Continuing with our example, we’ll walk through setting up an assessment in Audit Manager using HIPAA as the framework.

Prerequisites

For this walkthrough, you should have the following prerequisites:

• An AWS account
• An AWS Identity and Access Management (IAM) user or role with access to Audit Manager, AWS Config, AWS Security Hub, and Amazon Simple Storage Service (Amazon S3).
• An S3 bucket where the evidence can be gathered. It’s recommended that this bucket be created in the same region where you’ll create the Audit Manager assessment.

Step 1: Set up Audit Manager

The first time that you access the Audit Manager service, you must perform the setup procedure. If you’ve previously set up Audit Manager, then you can skip to Step 2.

  1. Log in to the AWS Management Console and select the AWS Region where you would like to create an assessment.
  2. Select the Set up AWS Audit Manager button.
  3. Follow the prompts to complete the setup. This includes enabling AWS Config and AWS Security Hub.
  4. Select the Complete Setup button.

Step 2: Review the framework library

Once Audit Manager has completed the setup, you can browse the available frameworks.

  1. Select the menu on the left and select Framework library.
  2. Select any framework to see more details. For our example company, we’ll review the HIPAA framework. Select HIPAA from the Standard frameworks list.

Figure 2: HIPAA framework details

The framework details include the number of controls, as well as how many are automated or manual for evidence collection, and a list of controls. The controls listed in the HIPAA framework align with the HIPAA Code of Federal Regulations (CFRs) contained within the HIPAA standard. Selecting the CFR will bring up details regarding that CFR. We’ll visit these controls in detail later, but feel free to browse the controls.

Step 3: Create an assessment

Once a framework is selected, an assessment can be created, and evidence collection can begin. Let’s create an assessment based on the HIPAA framework.

  1. While on the HIPAA framework page, select Create assessment at the top of the page.
  2. Enter an assessment name and description (optional). Select the S3 bucket created in the Prerequisites section for the evidence, and select Next.
  3. Select all appropriate AWS accounts to include in this assessment, and select Next. For this example, we’ll be focusing on one AWS account, but Audit Manager supports integration with AWS Organizations to run assessments on multiple accounts. See AWS Audit Manager and AWS Organizations for details.
  4. Note that all of the services are selected on the Specify AWS services in scope page because this assessment was created from a standard framework. Select Next.
  5. Select an IAM principal as the audit owner, and select Next. This principal will be granted access to own the assessment.
  6. Review your settings, and select Create assessment when ready.

Once you create the assessment, the automated evidence collection begins. Not all of the assessment data is available immediately, so it’s recommended to wait 24 hours to review the evidence. Get a good night’s sleep, and let’s check back on the assessment tomorrow.

Step 4: Review the evidence

After 24 hours, Audit Manager will present evidence that has been gathered from the accounts in scope.

Figure 3: Assessment details showing the total evidence gathered

Now we’ll review the evidence and begin to add it to an assessment report. We’ll start with one control, 164.312(c)(1). This control requires you to “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” Let’s review the control and the evidence, and then create an assessment report.

  1. In the Audit Manager console, select the menu, select Assessments and the assessment you created above.
  2. Under Control sets, expand 164.312 Technical Safeguards and select 164.312(c)(1).
  3. On the control details page, you can see the control name and description, and details of the testing information used by the Audit Manager. As you can see in the following image, Audit Manager uses data gathered directly from a service (e.g., Display Amazon CloudFront TLS settings) as well as AWS Config rules (e.g., ENCRYPTED_VOLUMES).

Figure 4: HIPAA Control 164.312(a)(2)(iv) details

  4. Scroll down to the evidence folders and select the most recent folder.
  5. Select one piece of evidence within the folder to review.

Figure 5: Evidence detail

This detail shows that one resource was included, and the evidence was gathered from a rule in AWS Config that checked if an Amazon EBS volume is encrypted. The check also informs us that this resource is marked as “Compliant,” which means that the resource included does have encryption enabled.

  6. Select View JSON to see the details of the resource. This contains the raw evidence gathered by Audit Manager.
  7. Once you’ve reviewed the evidence, select Add to assessment report at the top of the page. Select Add to assessment report again when prompted to add this evidence to a new assessment report. Repeat this process for any other evidence that you’d like to add to the assessment report.

Step 5: Generate the assessment report

Now that you reviewed the evidence and selected the appropriate evidence to add to a report, let’s generate the assessment report. An assessment report is a collection of evidence that can be submitted to the auditor as an artifact.

  1. Select the assessment name at the top of the page from the evidence details page to go back to the assessment details.
  2. Select the Assessment report selection in the tab selection.

Figure 6: Assessment report selection

  3. Review the selected evidence in the list, and when ready, select the Generate assessment report button. Enter a name and description for the report and select Generate assessment report again.
  4. You’ll be taken to the Assessment reports page, and your new report will be displayed in the list.

Figure 7: Assessment report list

  5. Select the radio button for your report and select Download. The report will be downloaded in a zip archive containing a report summary file and folders for all of the evidence that you added to the assessment. The report summary page includes details about the assessment, including the framework, scope, and controls. The table of contents contains links that will open the evidence from the included folders, so keeping the folder structure intact is essential.
  6. Submit the assessment report to your auditors.

Our example healthcare company has now successfully generated automated evidence showing that they have implemented the necessary controls for HIPAA, completed an assessment collecting the evidence generated, and created an assessment report that contains all of the evidence that has been submitted to their auditor.

Refer to Getting Started with AWS Audit Manager and the post AWS Audit Manager Simplifies Audit Preparation for more information.

AWS Artifact

AWS Artifact is a resource available in the AWS Management Console that provides on-demand access to AWS’ security and compliance reports. Reports available for customers to download and view include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals. These reports validate the implementation and operating effectiveness of AWS security controls.

These reports will help you prepare for an audit when you must produce evidence for specific controls for which AWS is responsible, such as data center physical security. You can also use the responsibility guidance provided by some of the AWS audit artifacts to design your cloud architecture. This guidance helps determine the additional security controls that you should implement to support your system’s specific use cases.

For more information, refer to Getting Started with AWS Artifact.

Conclusion

Audit can be a scary word. Organizations hear that their audit renewal is about to occur, that the auditor will be here next week, or that they are against a deadline to submit evidence tomorrow, and countless other scenarios generate an “all hands on deck” effort. This doesn’t need to be the case. In this post, I showed you how to prepare for your audit using AWS services such as AWS Config, Audit Manager, and AWS Artifact, which can help make audit a less scary word. In Part 2 of this series, I will share some general best practices that you can use to build a strong compliance foundation that will support your compliance journey now and in the future.

About the author:

Conor Colgan

Conor Colgan is a Sr. Solutions Architect on the AWS Healthcare and Life Sciences (HCLS) Startup team. He focuses on helping startups adopt AWS to help meet their business objectives and accelerate their velocity. Prior to AWS, Conor built automated compliance solutions for healthcare customers in the cloud ranging from startups to enterprise, helping them build and demonstrate a culture of compliance.