AWS Public Sector Blog

How to Achieve AWS Cloud Compliance with AWS, Allgress, and CloudCheckr

Assessing and measuring compliance requirements can be a full-time job. To mitigate risks, organizations must plan for cloud-based risk treatments, reporting and alerts, and automated responses to maintain security and compliance, as well as modernize their governance at scale.

AWS and its Amazon Partner Network (APN) security partners are developing security and compliance tools to enable customer security capabilities and architecture approaches for meeting and implementing advanced security competencies on AWS.  For example, Allgress and CloudCheckr are working together to solve security and compliance challenges and provide greater transparency of what tool, service, and partner solutions should be used to manage security, continuously treat risk, and automate cloud services.

The Regulatory Product Mapping Tool (RPM) was developed to reduce complexities, increase speed, and shorten the timeframe to develop compliant architectures on AWS. The RPM tool interactively maps FedRAMP (NIST 800-53) controls to AWS services and APN solutions. Below is an interactive visual representation of all the FedRAMP R4 Moderate controls. The inner ring displays the domains and the outer ring displays the sub-domains. By clicking on the slices within the interactive RPM tool, customers can review the AWS inherited, shared, and the associated Technology and Consulting Partner controls. Try it using the guest login here.

You can also map and align AWS Technology Partner solutions to controls and provide detailed control treatments. This can be used to document, configure, and help automate security and compliance management. Additionally, partner solutions are directly linked to the AWS Marketplace.

AC-3 Access Enforcement – Control Treatments: CloudCheckr allows you to tag AWS accounts and create groups of AWS accounts. These groups are known in CloudCheckr as Multi-Account Views. You can also create a Multi- Account View for all AWS accounts in a single view. Follow the steps here to get your Multi-Account Views up and running. Once that is completed, best practice checks will be pulled from all of the tagged AWS accounts into a single best practices report.

AU-5 Response to Audit Processing Failures – Control Treatment: AWS CloudTrail provides activity monitoring capability for the AWS management plane. CloudTrail records every call into the AWS API. Any activity in AWS is recorded into the CloudTrail logs. CloudTrail logs are written into an S3 bucket as JSON files. A separate file is written every five minutes. Additionally, a different file is created for each AWS account and each region. The CloudTrail UI provides basic functionality to look up events for up to seven days. One of the easiest ways to keep track of your CloudTrail configuration is by using the CloudCheckr best practice checks.

View the recorded webinar with AWS, Allgress, and CloudCheckr to learn how to achieve and demonstrate compliance in the cloud to satisfy the auditors, streamline reporting of technical and non-technical controls, and improve workflow across your key stakeholders.

AWS Public Sector Blog Team

AWS Public Sector Blog Team

The Amazon Web Services (AWS) Public Sector Blog team writes for the government, education, and nonprofit sector around the globe. Learn more about AWS for the public sector by visiting our website (, or following us on Twitter (@AWS_gov, @AWS_edu, and @AWS_Nonprofits).