How to Achieve and Maintain AWS Compliance

For many organizations, the transition to the cloud for data storage is inevitable. 

Whether you’re shifting operations entirely to a cloud environment, or modernizing your systems using cloud-based applications, it’s important that you choose the best cloud computing platform with the best cloud security for your compliance program.

While you won’t need to manage physical servers or storage devices on the cloud, you will need to use software-based security tools to monitor and protect the flow of information both into and out of your cloud resources. 

And cloud computing is no less vulnerable to security risks than an on-premises data center. For this reason, it is important that you use a cloud service provider (CSP) that provides the best security to fit your needs.

A cloud service provider acquires and manages the infrastructure required for providing cloud services, runs the cloud software that provides the services, and delivers the cloud services through network access. 

Learn more about cloud computing security challenges and considerations here. 

Amazon Web Services (AWS)

Amazon Web Services (AWS) is one of the more secure CSPs, helping organizations protect their data, AWS accounts, applications, and infrastructure from unauthorized access. 

AWS services are constantly changing, and include identity and access management (IAM), logging and monitoring, encryption and key management, network segmentation, and standard DDoS protection. 

One advantage of the AWS Cloud is that it allows you to scale up and innovate while maintaining a secure environment and paying only for the services you need. 

AWS security also offers a number of benefits including visibility and control over services, easy integration, regular monitoring, data encryption services, and a large ecosystem of security partners. 

AWS provides a number of compliance-enabling features, allowing organizations to achieve a higher level of security at the scale they need. For CISOs, that’s appealing: cloud-based compliance offers a lower cost of entry and easier operations by providing more oversight, security control, and central automation. 

Using AWS means you get the benefit of the many security controls that it operates, which reduces the number of security controls that your organization needs to maintain. 

Ultimately, a properly secured cloud environment results in a compliant environment. 

AWS Compliance

To help customers verify cloud compliance with industry and government requirements, AWS engages with external certifying bodies and independent auditors to provide detailed information regarding the policies, processes, and controls it establishes and operates. 

AWS is certified compliant with global standard-setting bodies including CSA, ISO, PCI DSS, and SOC; as well as specific U.S. regulations including FedRAMP, FISMA, HIPAA, NIST, and more. 

This does not necessarily mean, however, that the way data is stored within AWS is compliant. Moving your IT infrastructure to an AWS cloud environment means that you must share responsibility for securing your data and information with the CSP.

The shared responsibility model reduces the burden on your organization because AWS operates, manages, and controls IT components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. 

At the same time, AWS customers must comply with regulations that apply to how they use services, consume applications, and store data in the cloud. 

Essentially, AWS is responsible for the security of the cloud. Its customers (meaning you) are responsible for security in the cloud. 

AWS customers are responsible for managing the guest operating system, including installing updates and security patches. They are also responsible for managing associated application software, as well as the configuration of the AWS-provided security group firewall. In other words, AWS provides security tools, but your enterprise must activate and configure them.

Responsibilities vary depending on the AWS services your organization chooses, how you integrate those services into your IT environment, and applicable laws and regulations. 

To securely manage your AWS resources, you need to do the following:

• Asset inventory: Know what resources you are using. 
• Secure configuration settings, patching, and anti-malware: Securely configure the guest OS and applications on your resources. 
• Change management: Control changes to the resources. 

AWS Assurance Programs are grouped into three categories:

1. 1. Certifications and attestations. Certifications and attestations are performed by a third-party independent auditor, and certifications, audit reports, or attestations of compliance are based on the result of the auditor’s work. 

• Laws, regulations, and privacy. These are specific to your industry or function. 

1. Alignment and frameworks. AWS provides security features and documents such as compliance playbooks, mapping documents, and whitepapers. 

In addition, AWS provides tools to help its customers stay compliant. For example, PCI cloud compliance requirements and tools include:

• PCI DSS Requirement 8 asks application owners to “identify and authenticate access to system components.” AWS Cognito is an authentication service that allows configuration of authentication and authorization for users and other AWS services, and is commonly used to comply with this requirement. 

• PCI DSS Requirement 11 discusses the tracking and monitoring of all access to network resources and cardholder data. AWS CloudWatch and AWS CloudTrail are monitoring tools that can be used to achieve this requirement. 

AWS environments are continually audited, and the infrastructure and services are approved to operate under several regulatory compliance standards and industry certifications throughout geographies and industries. 

These certifications can be used to validate the implementation and effectiveness of security controls. AWS continually adds programs. 

AWS and SOC

AWS System and Organization Controls (SOC) reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. 

These reports help you and your auditors understand the AWS controls established to support operations and compliance. 

There are three types of AWS SOC reports: 

• SOC 1 provides information about AWS’ control environment that may be relevant to internal controls over financial reporting (ICFR), as well as information for assessment of the effectiveness of your ICFR. 
• SOC 2 provides an independent assessment of AWS’ control environment relevant to system security, availability, and confidentiality. 
• SOC 3 provides an independent assessment of AWS’ control environment and provides information about system security, availability, and confidentiality; without disclosing AWS internal information. (That is, a SOC 3 report is similar to a SOC 2, but can be widely shared.)

AWS gives your organization the control it needs to comply with regional and local data privacy laws and regulations, no matter where in the world your information is stored. 

Maintaining AWS Compliance

Typically an organization manages compliance in an IT infrastructure by taking inventory of its IT resources, reviewing the resources containing data bound by regulations, and mapping existing controls to corresponding regulatory requirements to prove compliance. 

With AWS, developers have the power to deploy new resources and make rapid changes to the infrastructure — changes that often go overlooked by security and compliance teams. 

Proving compliance one day doesn’t necessarily mean your business remains compliant the next. For this reason, the cloud makes “point in time” compliance almost irrelevant. 

Because of the transient, real-time capabilities the cloud provides, DevOps teams have coined the terms “continuous delivery” and “continuous innovation.” 

For AWS security and compliance, however, organizations also need “continuous security” and “continuous compliance.” 

AWS Config and continuous compliance

Unlike compliance management in traditional data centers, AWS infrastructure provides a method for addressing security and compliance programmatically and automatically, and the cloud provider APIs available today make possible a new era of security automation. 

AWS Config lets you use AWS application programming interfaces (APIs) to access metadata about its infrastructure in addition to continuously monitoring and measuring whether new changes introduce compliance issues. 

Here are the two ways to use AWS Config for continuous compliance:

• Simple Notification Service (SNS) for manual remediation: When something in the cloud environment changes and no longer complies with the organization’s rules, SNS will trigger an alert. This means that a problem can be manually remediated as soon as it occurs. 
• AWS Lambda to automate remediation: When something in the cloud environment changes and no longer complies with the organization’s rules, Config will automatically remediate the problem. 

With customizable, predefined rules to administer through APIs, AWS Config also allows administrators to write organization-specific config rules to build out more comprehensive compliance reporting. 

AWS and GRC

As your organization’s cloud environment grows, it will encounter more compliance challenges and need more oversight. If this is the case, you may need more detailed AWS compliance reporting. 

This is where governance, risk, and compliance tools can help. 

ZenGRC from Reciprocity helps you easily generate compliance reports as well as demonstrate your compliance posture to auditors, customers, and stakeholders with a single click. 

ZenGRC is designed to allow you to continuously monitor cloud configurations for real-time changes, enabling you to map these configurations to pre-built compliance templates for regulations including ISO, SOC 2, HIPAA, PCI DSS, NIST, and GDPR. 

If your organization does need to document multiple compliance attestations as part of your AWS cloud compliance, ZenGRC can help you store all necessary documentation in a “single source of truth” repository. 

ZenGRC also tracks compliance with all your frameworks at once, helping you to avoid duplicating tasks. 

Using color-coded dashboards to show you where your cloud security is compliant and where you fall short, ZenGRC also helps you track your workflows so you always know the status of each compliance task. 

ZenGRC also conducts unlimited, one-click self-audits so you can assess your cloud security efforts. 

Using our ZenConnect plugin, ZenGRC integrates with all your workplace applications to collect audit evidence for easy retrieval. 

Worry-free AWS cloud security compliance is the Zen way. Contact us today for a free demo and consultation.