AWS Public Sector Blog

Episode 5: Preparing For A Compliance Audit

Created in conjunction with a five-part Twitch mini-series (March 28 – April 25), these weekly blog posts provide resources and guidance to support the live, 60-minute broadcasts. To sign up and learn more about the series, click here.

As we wrap up our five-part blog series on building secure applications, we conclude with one of the most critical steps before your application is available for use: the compliance audit.

Many organizations inside and outside the public sector must obtain approval for compliance certifications, so it is important to know how to plan and prepare for one. From FedRAMP to HIPAA, and everything in between, these compliance certifications help applications meet the standards relevant to the data they store and collect.

This blog post walks through resources to prepare for an audit and to equip an application to protect its customers (and your data) from external threats:

1. Understanding Security and Compliance at AWS

A properly secured environment results in a compliant environment. Amazon Web Services (AWS) has many compliance-enabling features for managing regulated workloads in the AWS Cloud. These features allow a higher level of security at scale. Cloud-based compliance offers a lower cost of entry, easier operations, and improved agility, by providing more oversight, security control, and central automation. It is important that development teams have a firm understanding of the AWS shared responsibility model.

Assurance Programs

The AWS environment is continuously audited, with infrastructure and services that are approved to operate under several compliance standards and industry certifications across geographies and industries, including those shown below. These certifications help validate the implementation and effectiveness of AWS security controls. As programs are continuously added, the most current list can be found on the AWS Compliance Programs website.

AWS Artifact: Review and download reports and details about more than 2,500 security controls by using AWS Artifact, an automated compliance reporting tool available in the AWS Management Console. AWS Artifact provides on-demand access to security and compliance documents, also known as audit artifacts. Artifacts demonstrate the security and compliance of AWS infrastructure and services to auditors or regulators. Examples of audit artifacts include System and Organization Controls and Payment Card Industry reports, as well as certifications from accreditation bodies across regions and compliance verticals. These entities validate the implementation and operational effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum and the Non-disclosure Agreement.

2. Building Your Compliance Framework

Users can incorporate AWS-provided risk and compliance information into their compliance frameworks. AWS uses thousands of security controls to monitor our own compliance with global standards and best practices. Services such as AWS Config then monitor the security and compliance of a user’s environment.

The following AWS services are some of the tools available to help with these activities:

AWS Config: AWS Config is a fully-managed service that offers an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance. Discover existing and deleted AWS resources, determine overall compliance against rules, and dive into configuration details of a resource at any point in time. AWS Config enables compliance auditing, security analysis, resource change tracking, and troubleshooting.

AWS Service Catalog: AWS Service Catalog makes it possible to create and manage catalogs of IT services that are approved for use on AWS, including virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog enables central management of commonly deployed IT services, and helps achieve consistent governance in a way that meets compliance requirements, while enabling users to quickly deploy the approved IT services they need.

Amazon GuardDuty: Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help protect AWS accounts and workloads. The service monitors for activity that could indicate a possible account compromise, potentially compromised instances, and reconnaissance by attackers. It also continuously monitors data access activity for potential threats.
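To make "determine overall compliance against rules" concrete, here is an added example (not code from the blog post or from AWS) of the evaluation logic behind a custom AWS Config rule that checks whether an S3 bucket has default server-side encryption enabled. The event layout (`invokingEvent`, `configurationItem`, `supplementaryConfiguration.ServerSideEncryptionConfiguration`) and the `lambda_handler` name are assumptions about the custom-rule interface, and the sample configuration items are constructed.

```python
import json

# Assumed layout of the configuration item AWS Config hands to a custom rule:
# the bucket's default-encryption settings live under supplementaryConfiguration.
APPROVED_ALGORITHMS = {"AES256", "aws:kms"}


def evaluate_bucket_encryption(item: dict) -> dict:
    """Return one AWS Config evaluation for an S3 bucket configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    else:
        sse = (item.get("supplementaryConfiguration") or {}).get(
            "ServerSideEncryptionConfiguration") or {}
        algorithms = {
            r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
            for r in sse.get("rules", [])
        }
        if algorithms & APPROVED_ALGORITHMS:
            compliance, note = "COMPLIANT", "default encryption enabled"
        else:
            compliance, note = "NON_COMPLIANT", "no default encryption rule"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def lambda_handler(event, context):
    """Custom-rule entry point (assumed shape): evaluate, then report to Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate_bucket_encryption(item)
    import boto3  # imported here so the pure evaluation logic runs without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items (not real resources) to exercise the evaluation.
ENCRYPTED_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "audit-evidence",
    "configurationItemCaptureTime": "2019-04-01T10:00:00.000Z",
    "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {
        "rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}},
}
PLAIN_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "scratch",
                "configurationItemCaptureTime": "2019-04-01T10:00:00.000Z"}
```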

3. Securing Your Content

AWS is vigilant about privacy. Users always own their content, including the ability to encrypt it, move it, and manage retention. AWS provides tools that facilitate data encryption – in transit and at rest – to make certain that only authorized users can access it.

AWS also provides the control a user needs to comply with regional and local data privacy laws and regulations. The AWS Cloud global infrastructure empowers users to retain complete control over the locations in which their data is physically stored, helping them meet data residency requirements.

To reduce risk and enable growth, AWS offers an activity monitoring service that can help detect configuration changes and security events across a system. It integrates with a user’s existing solutions to simplify operations and compliance reporting.

These AWS services can help with securing content:

AWS CloudHSM: AWS CloudHSM arms users with the ability to protect their encryption keys within hardware security modules (HSMs) designed and validated against government standards for secure key management. Securely generate, store, and manage cryptographic keys such that they are accessible only by you.

Server-Side Encryption: Amazon S3 Server Side Encryption (SSE) is an option in which Amazon S3 manages the encryption process for the user. Data is encrypted with a key generated by AWS, or with a key supplied by the user, depending on their requirements. With Amazon S3 SSE, users can encrypt data and upload it by adding an additional request header when writing the object. Decryption happens automatically when data is retrieved.

AWS Identity and Access Management: Identity and Access Management (IAM) enables securely managed access to AWS services and resources. Using IAM, administrators can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. Federation allows identities from central directory services to be mapped to IAM roles and their permissions.

Amazon Macie: Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data. Macie recognizes sensitive data, such as personally identifiable information or intellectual property, and continuously monitors data access activity for anomalies that might signal unauthorized access or inadvertent data leaks.

AWS CloudTrail: AWS CloudTrail records AWS API calls and delivers log files that include caller identity, time, source IP address, request parameters, and response elements. The call history CloudTrail provides enables security analysis, resource change tracking, and compliance auditing.

Amazon Inspector: Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
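As an added example of the security analysis the CloudTrail call history enables (this is not code from the blog post or from AWS), the following script parses CloudTrail's JSON log-file format and raises audit findings for root-credential use, API calls that weaken logging or encryption controls, and bursts of AccessDenied errors from one caller. The record fields used are those the post names; the sample records, account ID, and the list of control-weakening actions are constructed for the example.

```python
import json
from collections import Counter

# API calls that weaken audit evidence or the encryption posture (constructed list).
CONTROL_WEAKENING = {"StopLogging", "DeleteTrail", "UpdateTrail",
                     "DeleteBucketEncryption", "DeleteBucketPolicy"}

# Constructed CloudTrail log file in delivery format: {"Records": [...]}.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2019-04-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "audit-evidence"}, "responseElements": None},
    {"eventTime": "2019-04-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "org-trail"}, "responseElements": None},
    {"eventTime": "2019-04-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "audit-evidence"}, "responseElements": None},
    {"eventTime": "2019-04-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def load_records(log_file_text: str) -> list:
    """Parse one CloudTrail log file (already gunzipped) into its event records."""
    return json.loads(log_file_text).get("Records", [])


def audit_events(events: list, denied_threshold: int = 3) -> list:
    """Return a list of findings; each carries actor, source IP and the triggering call."""
    findings, denied = [], Counter()
    for e in events:
        who = e.get("userIdentity", {})
        base = {"time": e.get("eventTime"), "actor": who.get("arn", "unknown"),
                "sourceIP": e.get("sourceIPAddress"), "event": e.get("eventName")}
        if who.get("type") == "Root":  # root use is itself an audit finding
            findings.append({**base, "finding": "root-credential-use"})
        if e.get("eventName") in CONTROL_WEAKENING:
            findings.append({**base, "finding": "control-weakening",
                             "params": e.get("requestParameters")})
        if e.get("errorCode") == "AccessDenied":
            denied[base["actor"]] += 1
    for actor, count in denied.items():  # repeated denials suggest permission probing
        if count >= denied_threshold:
            findings.append({"actor": actor, "finding": "access-denied-burst", "count": count})
    return findings
```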

4. Security Through Automation

Automating security tasks on AWS enables greater security by reducing human configuration errors and by giving teams more time to focus on other work that is critical to the business. Security teams can use security automation and API integration to become more responsive and agile, making it easier to work closely with developer and operations teams to create and deploy code faster and more securely.

By automating infrastructure and application security checks whenever new code is deployed, a user can continually enforce security and compliance controls to uphold confidentiality, integrity, and availability at all times. Users can choose to automate in a hybrid environment with AWS information management and security tools, and integrate seamlessly as a secure extension of on-premises and legacy environments.

5. Prepare Your Security Documentation

As you begin to prepare your documentation, consider several AWS resources that can help guide this process:

  • AWS Compliance Solutions Guide: a repository of frequently used resources and processes needed to complete compliance responsibilities.
  • AWS Auditor Learning Path: pathways designed for those in auditor, compliance, and legal roles who want to learn how their internal operations can demonstrate compliance using AWS.
  • AWS Guides and Workbooks: resources organized by compliance needs and regions to provide support for specific compliance requirements.

For more tips and techniques on automating DevSecOps practices, read on about DevSecOps and AWS Quick Starts.

And for reference deployment, check out the AWS NIST Quick Start, which sets up a standardized AWS Cloud environment to help support: NIST SP 800-53 (Rev. 4), NIST SP 800-122, NIST SP 800-171, FedRAMP TIC Overlay (pilot), and DoD Cloud Computing SRG.