Category: Compliance


Tracking Federated User Access to Amazon S3 and Best Practices for Protecting Log Data

Auditing by using logs is an important capability of any cloud platform. Several third-party solution providers offer auditing and analysis using AWS logs. Last November AWS announced its own logging and analysis service, AWS CloudTrail. While logging is important, understanding how to interpret logs and alerts is crucial. In this blog post, Aaron Wilson, an AWS Professional Services Consultant, explains in detail how to interpret S3 logs within a federated access control context.

Introduction

Amazon S3 provides an optional feature named Server Access Logging, which records information about requests to your objects and includes details such as the requester, bucket name, request action, response status, and more. Access logs are useful when troubleshooting applications and also complement the logs provided by AWS CloudTrail. (more…)

Analyzing OS-Related Security Events on EC2 with SplunkStorm

An important objective of analyzing OS-generated data is to detect, correlate, and report on potential security events. Several partner solutions available in AWS Marketplace provide this functionality, including Splunk. Splunk is also used for many other use cases relevant to AWS, including DevOps, where developers and operations teams use Splunk to analyze logs for better performance and availability within AWS environments. Splunk has been a long-time AWS partner and has recently developed a CloudFormation template to make it easier to deploy Splunk Storm on AWS. Bill Shinn, an AWS Security Solutions Architect, describes how to deploy Splunk using AWS CloudFormation and then use it to analyze user activity on EC2 instances.

Introduction

One reason that customers review security and audit logs is to detect and analyze security risks—specifically, to look for evidence of unauthorized access and actions. In fact, the entire security information and event management (SIEM) market is based on log management. Collecting, correlating, and diagnosing logs based on rules prescribed by IT and security is the core function of these systems. (more…)

New Whitepaper: AWS Cloud Security Best Practices

We have just published an updated version of our AWS Security Best Practices whitepaper. You asked us for a holistic and familiar approach to managing your organization's overall information security posture, based on periodic risk assessments, when you deploy applications and assets on AWS. Specifically, you asked for:
  • How security responsibilities are shared between AWS and you, the customer
  • How to define and categorize your assets
  • How to manage user access to your data using privileged accounts and groups
  • Best practices for securing your data, operating systems, and network
  • How monitoring and alerting can help you achieve your security objectives

(more…)

Introducing the AWS Compliance Forum


We’re happy to announce the launch of the AWS Compliance Forum – a unique community designed for AWS customers interested in achieving compliance while using AWS services.

The AWS Compliance Forum was developed based on discussions with customers who wanted a community to connect with fellow AWS customers, interact with AWS compliance specialists, and access specialized industry enablers and education. This forum can support you in your efforts to achieve and maintain security assurance and compliance with your industry and regulatory standards while using AWS.

There is no additional charge for being a member of the AWS Compliance Forum – the only requirement is to take a brief entrance survey so that forum content and discussions can be catered to your industry, geography, and interests.

Take the survey and join the forum now: AWS Compliance Forum Entrance Survey

– Chad

2013 PCI Compliance Package Available Now

We’re happy to announce the availability of the 2013 PCI Compliance Package. Along with the AWS PCI Attestation of Compliance, this package includes our independent assessor’s revised and expanded PCI Customer Responsibility Matrix, which describes the customer and AWS shared responsibility for each of the 200+ PCI Data Security Standard controls. This document helps not only those who need to manage a PCI cardholder environment on AWS; it can help any customer better understand their responsibility for operating controls, so that you can develop and operate a highly secure environment on AWS and prepare your organization for various audits. The PCI Data Security Standard is a globally accepted security standard that customers use to support a wide range of sensitive workloads, including, of course, processing and storing sensitive payment card data.

What are customers saying about becoming PCI compliant with AWS?

“The underlying AWS infrastructure was PCI compliant out of the box and our QSA was happy with the AWS PCI Package and Responsibility Matrix. This freed us to think about our system and software architecture as opposed to capital expenditure costs normally involved in finding a suitable hosting facility, equipment, sundries, not to mention building, assessing and running the infrastructure.” (more…)

Auditing Security Checklist for AWS Now Available

Based on feedback from our customers, AWS has published an Auditing Security Checklist to help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. The checklist builds off the recently revised Operational Checklists for AWS, which helps you evaluate your applications against a list of best practices before deployment.


The Auditing Security Checklist for AWS can help you:

  • Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
  • Assess your existing organizational use of AWS and ensure it meets security best practices
  • Develop AWS usage policies or validate that existing policies are being followed

(more…)

AWS Achieves First FedRAMP(SM) Agency ATOs


I’m very excited to share that AWS is now a FedRAMP-compliant cloud service provider. See the Amazon press release. This is game-changing news for our U.S. government customers, for systems integrators, and for other companies that provide products and services to the U.S. government, because:

  1. It provides agencies a standardized approach to security assessment, authorization, and continuous monitoring for AWS products and services. Prior to the FedRAMP process, government security assessments of cloud providers were not standardized; each varied greatly in scope and depth and was an inefficient use of time and resources. Through FedRAMP, agencies now have a mechanism to obtain comprehensive AWS security assessment documentation and to perform an evaluation of our environment. Agencies can immediately request access to the AWS FedRAMP package by submitting a FedRAMP Package Access Request Form and begin moving through the process to evaluate our platform and authorize AWS for sensitive government workloads.
  2. It demonstrates the AWS environment meets the high bar of the FedRAMP security and control requirements. This means U.S. government customers can immediately start leveraging the Authority to Operate (ATO) provided by the Department of Health and Human Services (HHS) to use the AWS cloud. Kevin Charest, HHS Chief Information Security Officer, shared that by using AWS, all of the HHS Operating Divisions can now “reduce duplicative efforts, inconsistencies, and cost inefficiencies associated with current security authorization processes.”
  3. It provides agencies with the immediate ability to comply with the Office of Management and Budget’s (OMB) mandate to “use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services” (FedRAMP Policy Memo, OMB).

(more…)

Two Big Announcements from AWS Compliance: SOC 3 Report Now Available and All SOC Reports Include New Services and New Region in Scope


AWS is pleased to announce the immediate availability of the AWS Service Organization Control (SOC) 3 report, which you can freely distribute. This report on AWS security practices enables you and your stakeholders to validate that AWS has obtained independent auditor assurance, which attests to our alignment with the American Institute of Certified Public Accountants (AICPA) Security Trust Principles.

Moreover, we’re happy to announce the following are now in scope for all our SOC reports:

The expanding list of services and regions incorporated into our compliance program allows our customers to use a wider range of AWS services for sensitive and/or regulated workloads. (more…)