This Guidance shows how you can evaluate your credit union for Federal Financial Institutions Examination Council (FFIEC) compliance. The FFIEC prescribes uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions. For example, your credit union must take the appropriate steps to mitigate cybersecurity risks. The National Credit Union Association will follow the FFIEC’s National Institute of Standards and Technology–based cybersecurity assessment approach to evaluate your compliance, but you may choose a desirable framework for individual assessments. Using this Guidance, you can evaluate the FFIEC compliance of your workloads on AWS.
Architecture Diagram
Step 1
Use an AWS Site-to-Site VPN connection for secure communication between the on-premises corporate data center and AWS.
Step 2
AWS IAM Access Analyzer, AWS Audit Manager, AWS Security Hub, and AWS Config are applied to the AWS cloud environment. These services evaluate compliance standards for applications running on services hosted on AWS like Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS).
IAM Access Analyzer helps identify external access to AWS resources and validates permission policies. Audit Manager automates evidence collection by running framework assessments against AWS resources. Security Hub and AWS Config help assess whether resources adhere to compliance best practices.
Step 3
To evaluate on-premises environments, install an AWS Systems Manager agent on the on-premises servers to collect logs, which are stored in Amazon CloudWatch.
Step 4
Security Hub integrates with third-party products and aggregates security findings for centralized viewing.
Step 5
AWS CloudFormation registers the on-premises servers as custom resources in AWS. AWS Config rules and conformance packs can then be applied.
Step 6
Amazon EventBridge invokes a custom action to manage the configuration of on-premises servers and remediate any security risks that Security Hub and AWS Config find.
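Step 6 in code: the EventBridge target below takes a Security Hub custom-action event, keeps only active findings whose control check failed, maps them to a Systems Manager Run Command document, and targets the affected server (hybrid-activated on-premises servers carry "mi-" instance IDs, EC2 instances "i-"). This is an added example, not code from the Guidance; the generator IDs, document names and the sample event are constructed placeholders, and the Systems Manager client is injected so the logic runs offline.

```python
import re

# Hypothetical mapping: Security Hub GeneratorId -> SSM document that fixes it (placeholder names).
REMEDIATION_DOCS = {
    "example/ssh-password-auth": "Example-DisableSshPasswordAuth",
    "example/ntp-unconfigured": "Example-ConfigureNtp",
}
# On-prem servers are "mi-", EC2 "i-"; ASFF resource Ids may be bare IDs or ARNs ending "/<id>".
INSTANCE_ID_RE = re.compile(r"(?:^|/)((?:mi|i)-[0-9a-f]{8,17})$")

def instance_id_from_resource(resource):
    m = INSTANCE_ID_RE.search(resource.get("Id", ""))
    return m.group(1) if m else None

def plan_remediations(event):
    """Return [(finding_id, instance_id, document)] for actionable findings."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return []
    plans = []
    for f in event.get("detail", {}).get("findings", []):
        # Act only on ACTIVE findings whose control check FAILED.
        if (f.get("RecordState") != "ACTIVE"
                or f.get("Compliance", {}).get("Status") != "FAILED"):
            continue
        doc = REMEDIATION_DOCS.get(f.get("GeneratorId"))
        if doc is None:
            continue  # no automated fix known; leave it for a human
        for res in f.get("Resources", []):
            iid = instance_id_from_resource(res)
            if iid:
                plans.append((f["Id"], iid, doc))
    return plans

def handler(event, ssm):
    """Lambda-style entry point; ssm is an injected client exposing send_command()."""
    out = []
    for fid, iid, doc in plan_remediations(event):
        r = ssm.send_command(InstanceIds=[iid], DocumentName=doc,
                             Comment=f"Security Hub finding {fid}")
        out.append({"finding": fid, "instance": iid,
                    "command_id": r["Command"]["CommandId"]})
    return out

# Constructed sample event: a FAILED finding on an on-prem server (mi-) and a
# finding that already PASSED on an EC2 instance, which must be skipped.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "RemediateOnPrem", "findings": [
        {"Id": "f-1", "GeneratorId": "example/ssh-password-auth", "RecordState": "ACTIVE",
         "Compliance": {"Status": "FAILED"}, "Resources": [{"Type": "Other", "Id": "mi-0123456789abcdef0"}]},
        {"Id": "f-2", "GeneratorId": "example/ntp-unconfigured", "RecordState": "ACTIVE",
         "Compliance": {"Status": "PASSED"}, "Resources": [{"Type": "AwsEc2Instance",
         "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1234def567890"}]}]}}
```

In a deployment, `ssm` would be a real `boto3.client("ssm")`, and the Lambda role needs only `ssm:SendCommand` on the mapped documents and managed instances.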
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
Operational Excellence
This Guidance uses EventBridge and its integrations with other native AWS services to automatically respond to security events through custom actions. This alleviates the need for human intervention in response to every security finding. Systems Manager automatically collects logs and system-level metrics from your on-premises servers and stores them in CloudWatch for viewing, providing you with insights into server activity and performance.
Security
This Guidance uses Site-to-Site VPN to provide a strong, secure connection between your on-premises data center and your AWS resources over an Internet Protocol Security (IPsec) tunnel. Site-to-Site VPN works with CloudWatch to give you further visibility and insights into local and remote network health and help you monitor the reliability and performance of your VPN connections. AWS Identity and Access Management (IAM) lets you use fine-grained access policies and understand the accessibility of your resources. IAM Access Analyzer validates your policies against best practices, identifies resources shared externally, and generates policies based on historical AWS CloudTrail logs. AWS Config and Security Hub perform automated security checks for your AWS-hosted and on-premises workloads to verify that security and compliance controls are in place.
Reliability
This Guidance increases the reliability of on-premises servers by installing Systems Manager, storing server logs in CloudWatch, and reducing the time to detect and resolve operational issues. It layers overlapping security and compliance checks from other native AWS security services, such as Security Hub, Audit Manager, and AWS Config, so that as many vulnerabilities as possible are caught, reducing downtime. The use of AWS managed services alleviates manual effort.
Performance Efficiency
This Guidance closely guards access and permissions to reduce negative impacts on performance. It uses IAM Access Analyzer to reduce the number of incidents of undesirable behavior, such as accidental deletions and unnecessary resource creation. CloudFormation works with CloudWatch to monitor on-premises and AWS resource performance and provide insights. Security Hub aggregates third-party security findings into a centralized repository, giving you a simple, organization-wide monitoring solution.
Cost Optimization
This Guidance uses Security Hub, AWS Config, and Audit Manager in tandem to help you secure your environment and maintain FFIEC compliance. This helps you boost reliability and reduce downtime, ultimately reducing the cost of outages and helping prevent the additional costs of incident management and response. Additionally, these services perform automatic security checks and audit evidence collection, reducing manual costs.
Sustainability
This Guidance uses predefined AWS Config conformance packs, helping your developers and engineers minimize unnecessary resource provisioning and redirect their attention to more critical areas, boosting organizational efficiency and reducing waste. AWS Config and Systems Manager scale to meet requirements, minimizing the wasted consumption of electricity and other resources.
Implementation Resources
A detailed guide is provided for you to experiment with and use within your AWS account. It walks through each stage of building the Guidance, including deployment, usage, and cleanup, so that you can prepare it for deployment.
The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.
Related Content
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.