Overview
This solution provides a mechanism to centrally store evidence issued by cloud security controls governing AWS workloads, as enduring evidence records that are safeguarded against tampering. Stored controls evidence can subsequently be utilized in compliance evaluation mechanisms, deployment decisions, or audit processes.
An evidence record is a system- or human-generated digital record of a historical fact, related to one or more target entities, and issued by an evidence provider.
Note: AWS does not provide compliance or regulatory advice. You should independently evaluate the suitability of Verifiable Controls Evidence Store for your use case, including for the purposes of meeting any audit, compliance, and regulatory requirements that you may have.
What's new
Added a new (optional) S3 evidence collector that monitors a set of S3 buckets and creates evidence records when new objects are put into any of these buckets.
To find out more, refer to the Revisions page.
Benefits
Store and retrieve evidence in near real-time. Query evidence records to determine if software releases meet compliance requirements to help with deployment decisions, or access evidence retrospectively to assist in ad hoc audits or investigations.
Onboard AWS, third-party providers, as well as custom, system, or human evidence providers, with different data formats. Custom schemas allow support for various evidence types. Correlate historical evidence related to target entities defined for your environment, such as application releases or deployment environments.
Interact via a web application and/or APIs to manage evidence and onboard evidence providers. All actions and tasks are supported by both interfaces.
Verify the data integrity of evidence records that have been stored. The solution uses Amazon Quantum Ledger Database (QLDB) to ensure immutability and allow cryptographic verification of evidence.
Technical details
You can automatically deploy this architecture using the implementation guide.
Step 1
The AWS Cloud Development Kit (CDK) code deploys an Amazon CloudFront distribution to serve the optional UI. CloudFront delivers low latency, high performance, and secure static web hosting. An Amazon Simple Storage Service (Amazon S3) web UI bucket hosts the static web application artifacts.
Step 2
An Amazon Cognito user pool to provide customers with a quick and convenient authentication mechanism to explore the solution’s functionalities without extensive configuration.
Step 3
Amazon API Gateway to expose a set of RESTful APIs. API Gateway processes HTTP requests issued by the Evidence Store consumers. It orchestrates the authentication and authorization workflows by validating the request’s credentials (signature and API key) against AWS Identity and Access Management (IAM) and its API usage plan.
Step 4
An evidence store AWS Lambda function to process the validated requests from API Gateway. This Lambda function encapsulates the solution's business logic: it receives REST requests from users via API Gateway, validates them, and stores and retrieves data in the various databases.
Step 5
Amazon Quantum Ledger Database (Amazon QLDB) to track and store evidence records. Amazon QLDB ensures that evidence records are immutable and cryptographically verifiable. The content of each evidence record is stored in Amazon S3, with its hash value kept in Amazon QLDB.
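A minimal illustration of the storage pattern in Step 5, written as an added example rather than code from the solution: evidence content goes to an object store, only its SHA-256 digest is anchored in an append-only ledger, and verification recomputes the digest and compares it with the ledger entry. The in-memory LEDGER and OBJECT_STORE containers and the record field names are assumptions standing in for Amazon QLDB and Amazon S3.

```python
import hashlib
import hmac
import json
import uuid

# Constructed in-memory stand-ins (assumption): an append-only ledger holding
# only hashes (QLDB's role) and an object store holding the content (S3's role).
LEDGER: list = []
OBJECT_STORE: dict = {}


def canonicalize(content: dict) -> bytes:
    """Serialize evidence content deterministically so equal content always hashes equal."""
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode("utf-8")


def store_evidence(provider_id: str, target_id: str, content: dict) -> str:
    """Write the content to the object store and anchor its SHA-256 digest in the ledger."""
    evidence_id = str(uuid.uuid4())
    body = canonicalize(content)
    OBJECT_STORE[evidence_id] = body
    LEDGER.append({
        "evidenceId": evidence_id,
        "providerId": provider_id,
        "targetId": target_id,
        "contentHash": hashlib.sha256(body).hexdigest(),
    })
    return evidence_id


def verify_evidence(evidence_id: str) -> bool:
    """Recompute the digest of the stored content and compare it with the ledger entry."""
    entry = next((e for e in LEDGER if e["evidenceId"] == evidence_id), None)
    body = OBJECT_STORE.get(evidence_id)
    if entry is None or body is None:
        return False
    actual = hashlib.sha256(body).hexdigest()
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return hmac.compare_digest(actual, entry["contentHash"])


if __name__ == "__main__":
    # Constructed sample finding; the provider and target ids are placeholders.
    eid = store_evidence("security-hub", "release-1.2.3", {"control": "S3.1", "status": "PASSED"})
    print("intact:", verify_evidence(eid))            # True
    # Simulate modification of the stored content behind the ledger's back.
    OBJECT_STORE[eid] = canonicalize({"control": "S3.1", "status": "FAILED"})
    print("after tampering:", verify_evidence(eid))   # False
```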
Step 6
Amazon DynamoDB to store evidence providers and their respective evidence content schemas. The request processing Lambda function relies on this data to validate evidence content before committing to its Amazon QLDB ledger.
Step 7
A stream processing Lambda function to replicate evidence records to Amazon OpenSearch Service, which offers advanced query capabilities (full text search) across the entire evidence record data structure.
Step 8
Amazon Kinesis Data Streams to replicate records to OpenSearch Service to offer consumers a better query experience. Amazon Kinesis provides the channels for the solution to replicate and archive evidence records in near real-time.
Step 9
Amazon Kinesis Data Firehose to archive evidence records to an S3 bucket.
Step 10
Amazon CloudWatch and AWS X-Ray for logging and monitoring.
Step 11
AWS Config and AWS Security Hub to publish findings to Amazon EventBridge.
Step 12
Amazon Simple Queue Service (Amazon SQS) to provide rate-limiting capabilities to AWS Config and the Security Hub Evidence Collector.
Step 13
Evidence collector Lambda functions to invoke the Create Evidence API to record the finding. These include the Security Hub evidence collector and the S3 evidence collector.