AWS Cloud Operations Blog

Prepare for an Audit in AWS Part 2 – General Best Practices

In Part 1 of this blog series, I discussed how you can use purpose-built services, such as AWS Audit Manager, AWS Config, and AWS Artifact, to help with almost any audit that you may be preparing for, with features geared specifically to what is required by an audit. But the story shouldn’t start there. Instead, it’s critical to build a cloud environment with a foundation that aligns with best practices across disciplines, including security and compliance. You can build that strong foundation using modern operational practices, such as automation and infrastructure-as-code (IaC). AWS has guidance and content for our customers to help with their cloud journey and make sure that they’re building that well-architected foundation. In this post I’ll share some of that guidance.

Shared responsibility

Security and compliance are a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer, down to the physical security of the facilities in which the service operates. As shown in the following chart, this differentiation of responsibility is commonly referred to as security “of” the cloud versus security “in” the cloud.

Figure 1: Shared Responsibility Model

Figure 1: Shared Responsibility Model

The services that we discussed in part 1 of this blog series help in both the security of, and in, the cloud. AWS Artifact contains reports that document the security of the cloud, while AWS Config and Audit Manager help understand the security and compliance in the cloud. Learn more about the AWS Shared Responsibility Model here.

Security of the Cloud

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS Cloud services. AWS can also help relieve the customer burden of operational controls by managing those controls when using AWS-managed services, such as patch management within the infrastructure and services.

Security in the Cloud

The customer assumes the responsibility and management of the guest operating system (including updates and security patches), associated application software, and the AWS-provided security group firewall configuration. Customers should carefully consider the services that they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and the applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.

The Introduction to AWS Security whitepaper is a valuable resource for customers with any level of AWS experience. This whitepaper introduces AWS’s approach to security and how customers can utilize the products and features available to help meet their security obligations.

AWS also provides an extensive content catalog dedicated to cloud security, including security and compliance offerings, data protection guides, training, security bulletins, and posts focused on security. I recommend bookmarking the AWS Cloud Security landing page to make sure that you’re up to date with all of the security content available from AWS.

Compliance resources and FAQ

I often hear the following from customers: “I don’t know what I don’t know.” To help our customers overcome this challenge, AWS has published FAQs and guides covering many compliance frameworks. I recommend starting with the AWS Compliance FAQs, which often answer customers’ questions when getting started.

Another guide that customers find helpful is the Configuration, compliance, and auditing page. This page contains links to related AWS services, customer compliance stories, and related compliance content. Additionally, there is a link to download an eBook that outlines automating compliance, risk, and audit evidence. These stories and guides are beneficial when you’re preparing for audits, as they help you build a foundation that reduces the operational burden when it’s time for the audit.

IaC

AWS provides services and architecture designs that allow customers to architect workloads that meet their compliance needs. It’s often easier to build for compliance in the cloud than in traditional on-premises environments. Through tools like IaC and event-driven architecture, customers can use robust services and automation to architect workloads with a strong compliance foundation and maintain continuous compliance.

Our example healthcare company understands that when aligning with HIPAA, a critical practice is demonstrating your compliance posture. The same services that can help architect the compliance foundation can be used to gather the necessary evidence to prove your compliance posture. For example, using IaC coupled with a software development lifecycle can demonstrate a mature change management process, and a vital compliance control. Another example is using automation to enforce encryption across various storage mediums. Customers can make sure that the entire infrastructure is deployed in a compliant configuration by implementing guardrails at the Organization or account level and within the IaC templates. Furthermore, tools such as Audit Manager and AWS Artifact turn that evidence into artifacts which you can provide to your stakeholders.

Continuing with our healthcare technology example from part 1, the healthcare platform hosts their protected health information (PHI) in both Amazon S3 as objects and Amazon Relational Database Service (Amazon RDS) in a database. Our example healthcare platform utilized the AWS Compliance FAQs and properly architected the platform to use the native encryption at rest features built into Amazon S3 and Amazon RDS. Furthermore, they used the AWS Cloud Development Kit (AWS CDK) and managed the platform with IaC. With only a single line of code, an S3 bucket was created with encryption at rest enabled:

bucket = s3.Bucket(self, "MaskCWLogsOutputBucket",
    encryption = s3.BucketEncryption.KMS_MANAGED
)

Using the AWS CDK and declaring the encryption setting will make sure that the bucket is deployed with that setting enabled, rather than relying on a setting to be selected when manually deploying a bucket. This is an example of how IaC can be used to create Controls-as-Code to help the compliance posture of an environment and help an organization prepare for an audit.

Automation

Automation allows for a continuous cycle of improvement that will help to reduce risk. You have access to APIs for every AWS service, and every API action is logged in AWS CloudTrail. Logging API activity is an essential step in audit preparation. It’s recommended to log the activity and use event-driven automation to alert if there are any potential security concerns proactively. CloudTrail Insights is a feature of CloudTrail that can help identify potentially unusual activity in your account. This detection is done automatically, and CloudTrail Insights can deliver events to the console and Amazon S3. This lets you generate an alert to the appropriate team. These automatically generated alerts and documented response procedures will be a welcome artifact when it’s time for an audit.

CloudTrail Insights is an example of using automated, event-driven architecture to improve your compliance posture and audit preparation. Another example is Amazon GuardDuty, an automated intelligent threat detection service. GuardDuty can help protect against compromised credentials, API calls from malicious IPs, and unusual data access into Amazon S3. Like CloudTrail Insights, GuardDuty also proactively alerts you when an issue is detected. This lets you respond per your documented process. The goal of all of this is to create a stronger foundation that allows for a more well-architected environment to serve your customers and better prepare you when you must prove your compliance posture during an audit.

AWS Well-Architected Framework

The AWS Well-Architected Framework (AWS WAF) is a collection of best practices grouped into specific areas, called pillars. These pillars include Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. AWS WAF helps you learn the strategies and best practices for architecting in the cloud. By aligning with the AWS WAF, you can create a more robust foundational architecture and design for continuous improvement. Anyone who has worked in a regulated industry or has gone through an audit knows that there’s always something listed in the audit findings as a risk. A Well-Architected workload can help reduce risk, but it can also put you in a position to respond to any findings and reduce your risk profile quickly.

AWS provides the AWS Well-Architected Tool. This lets you measure your architecture against the best practices within the AWS WAF. Using the Well-Architected Tool, you can improve architectures by addressing any high-risk issues identified using improvement plans, Well-Architected Labs, etc.

Conclusion

As I said in Part 1, audit can be a scary word but it doesn’t have to be.  By following the guidance in this post, as well as utilizing the services outlined in Part 1, you can build a foundational compliance program that will not only support your compliance journey, but can also help enable a strong culture of compliance in your organization.  Audits may sound scary, but you can use the power of the cloud and AWS to help make them routine.

About the author:

Conor Colgan

Conor Colgan is a Sr. Solutions Architect on the AWS Healthcare and Life Sciences (HCLS) Startup team. He focuses on helping startups adopt AWS to help meet their business objectives and accelerate their velocity. Prior to AWS, Conor built automated compliance solutions for healthcare customers in the cloud ranging from startups to enterprise, helping them build and demonstrate a culture of compliance.