AWS Public Sector Blog
Securing and automating compliance in the public sector with AWS
Compliance is essential, but ensuring compliance in the cloud with various regulations and standards can be challenging, especially for public sector organizations. The requirements are highly dynamic, constantly evolving, and they vary across countries. Amazon Web Services (AWS) has a number of resources to help customers meet compliance requirements, reduce their time and effort, and focus on core business objectives.
This post explains how you can use AWS tools and services to secure and automate compliance in your environment. Topics include AWS Audit Manager, AWS Config, AWS Systems Manager, and AWS Security Hub. The post also shows how these automation measures can be applied across accounts with AWS Organizations and AWS Control Tower.
Why automate security and compliance
There are several reasons to automate security and compliance. Doing so allows your organization to:
- Consistently implement security and compliance across different environments, Regions, and accounts, and reduce the risk of human error.
- Provision the necessary infrastructure faster and in standard format. You can reuse templates and implementations across different projects and teams.
- Keep track of changes made over time. This makes it easier to audit your infrastructure and meet regulatory requirements.
Automating the collection of compliance information
Compliance is a shared responsibility. AWS takes care of one part by performing third-party audits and making the compliance reports available through AWS Artifact. You also need to adhere to your specific regulations’ requirements. AWS provides you with the necessary tools to achieve this. You can use Audit Manager to continuously audit your AWS usage to simplify risk and compliance assessment. With a pre-built or custom framework, it maps your compliance requirements to AWS usage data.
Take the example of the General Data Protection Regulation (GDPR): you select that framework, define the scope of the assessment, and Audit Manager automatically assesses resources in your AWS accounts and services based on the controls defined in the framework. Next, it collects the relevant evidence, converts it into an auditor-friendly format, and then attaches it to the controls in your assessment.
Audit Manager collects evidence from multiple data sources as an ongoing process once you create your assessment. It takes compliance checks from Security Hub and AWS Config, user activity from AWS CloudTrail, and configuration data from AWS API calls. You can also manually upload evidence such as documentation or other sources.
Common pre-built assessment frameworks include CIS, PCI DSS, GDPR, HIPAA, FedRAMP, and others. You can create your own framework as well and benefit from AWS operational best practices for Amazon Simple Storage Service (Amazon S3), AWS Identity and Access Management (IAM), and Amazon DynamoDB.
Creating automated security and compliance checks
As mentioned earlier, Audit Manager can take input from multiple services like Security Hub and AWS Config. In this section, we will explain how you can automatically assess security and compliance using these services.
Assessing compliance with AWS Config
AWS Config is a continuous monitoring and assessment service that provides an inventory of AWS resources and captures configuration changes. You can put rules in place to run continuous assessment checks on your resources to verify that they comply with your security policies, industry best practices, and compliance standards. AWS Config performs compliance checks based on these rules, and Audit Manager reports the results as compliance check evidence. When you create or edit a custom control, you can specify one or more AWS Config rules as a data source mapping for evidence collection. Audit Manager then captures AWS Config evaluations as evidence for audits.
AWS provides managed, pre-built rules that require minimal to no configuration. Audit Manager currently supports 326 rules managed by AWS Config. Before you start evidence collection, review your current AWS Config rule parameters. Then, validate those parameters against the requirements of your chosen framework. You can update a rule’s parameters in AWS Config so that it aligns with the framework requirements. This will help ensure that your assessment collects the right compliance check evidence for that framework.
For example, suppose you are creating an assessment for CIS v1.2.0. The framework has a control named [IAM.15] – Ensure IAM password policy requires a minimum length of 14 or greater. In AWS Config, the iam-password-policy rule has a MinimumPasswordLength parameter that checks password length. The default value for this parameter is 14 characters. As a result, it aligns with the control requirements. If you are not using the default parameter value, ensure that the value is equal to or greater than the 14-character requirement from CIS v1.2.0.
You can also write a custom AWS Config rule to codify your own corporate security policies. Custom rules are associated with an AWS Lambda function that you create and maintain.
Assessing vulnerabilities with AWS Security Hub
AWS offers multiple monitoring and threat detection services, such as Amazon Inspector for detecting vulnerabilities at the OS level, Amazon GuardDuty for monitoring your AWS accounts and workloads for malicious activity, Amazon Macie for identifying sensitive data in Amazon S3, and many more. Security Hub sits on top of all these tools and performs security best practices checks, aggregates alerts, and enables automated remediation.
Security Hub runs automated compliance checks against industry standards and best practices, such as CIS AWS Foundations Benchmark and PCI DSS. You can use the service to view your compliance status and prioritize remediation efforts based on severity. You can define your own custom compliance checks using AWS Config and integrate them. It provides a centralized view of compliance across accounts and Regions and provides remediation guidance.
AWS Security Hub takes underlying monitoring tools such as Amazon Macie, AWS Identity and Access Management Access Analyzer, Amazon Inspector, Amazon GuardDuty, AWS Config, AWS Health, AWS IoT Device Defender, AWS Systems Manager Patch Manager, and AWS Firewall Manager, and aggregates and prioritizes the alerts arriving in the AWS environment. It consolidates the alerts across accounts, services, and even third-party products to make them accessible from a single point. It collects findings based on your security and compliance needs, to help you deal with the most pressing security issues first. It generates pre-built dashboards with summaries of key security and compliance status and trends, simplifying the process of monitoring and visualizing security issues.
While Security Hub is mainly used by DevOps engineers to continuously monitor and improve the security posture of their AWS resources, Audit Manager allows audit and compliance professionals to continuously assess AWS usage against regulations and industry standards. Both services can be used together. Audit Manager automatically collects the findings generated by Security Hub checks as a form of evidence and combines them with other sources, such as CloudTrail logs.
Automating the remediation of security and compliance issues
Once security and compliance issues have been detected, the next step is automating the response to them. You can use different services and features for this, as described in the following sections.
AWS Systems Manager Automation documents
Systems Manager allows you to automate complex and repetitive tasks like patching, software installation, and configuration tasks. You can run them concurrently across fleets to reduce the time to push these changes separately and ensure consistency in the process. You can also maintain software compliance by defining and enforcing policies consistently across the fleet. You can define patch baselines, maintain up-to-date antivirus definitions, and enforce firewall policies.
Automation, a capability of Systems Manager, simplifies common maintenance, deployment, and remediation tasks for AWS services like Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon S3, and many more. To help you get started with automation, AWS develops and maintains predefined runbooks. You can use them to perform a variety of tasks or create your own custom runbooks.
When a vulnerability is detected, you can set automation as a target for remediation. You can use Amazon Inspector to perform continuous vulnerability scans on EC2 instances and container images stored in Amazon Elastic Container Registry (Amazon ECR). These scans assess software vulnerabilities and unintended network exposure. The new Amazon Inspector uses the Systems Manager Agent (SSM Agent) to collect software application inventory of the Amazon EC2 instances.
You can remediate Amazon Inspector software vulnerability findings on-demand using a Systems Manager Automation runbook. An Automation runbook defines Systems Manager’s actions on your managed instances and other AWS resources when an automation runs. It contains one or more steps that run sequentially or branches based on preceding steps.
AWS Config rules
AWS Config allows you to remediate noncompliant resources that are evaluated by AWS Config rules. AWS Config applies remediation using Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config rules.
AWS Config provides a set of managed Automation documents with remediation actions. You can also create and associate custom Automation documents with AWS Config rules. To apply remediation on noncompliant resources, you can either choose a remediation action from a pre-populated list or create your own custom remediation actions using SSM documents. AWS Config provides a recommended list of remediation actions in the AWS Management Console. With all remediation actions, you can choose either manual or automatic remediation.
Figure 1 describes the workflow of AWS Config rules and remediation actions. In the example, there is an AWS Config rule that checks whether security groups that are in use disallow unrestricted incoming SSH traffic. If the AWS Config rule detects a security group that allows unrestricted incoming SSH traffic, the rule will show as non-compliant. AWS Config will also automatically evaluate any changes to the configuration to keep the compliant status up to date. When the status becomes noncompliant, a remediation action can be triggered, such as sending a notification to the CISO or executing a function that makes the rule compliant again. In this case, you could use the Systems Manager Automation runbook AWS-DisablePublicAccessForSecurityGroup, which disables default SSH and RDP ports that are opened to all IP addresses.
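As an added example (not code from the post or from AWS), this is the check performed by the rule in Figure 1, written as the Lambda function behind a custom AWS Config rule of the kind described earlier. The watched ports and annotation strings are my choices; the configuration item fields used (`ipPermissions`, `ipRanges`, `ipv4Ranges`, `ipv6Ranges`, `configurationItemStatus`) are assumed to have the shapes noted in the comments.

```python
import json

# Ports the post's example rule watches: SSH and RDP.
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def _covers_port(perm, port):
    # ipProtocol "-1" means every protocol on every port.
    if perm.get("ipProtocol") == "-1":
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    return (perm.get("fromPort") or 0) <= port <= (perm.get("toPort") or 65535)

def _open_to_world(perm):
    # Configuration items carry CIDRs as plain strings (ipRanges) and/or as
    # objects (ipv4Ranges / ipv6Ranges); accept either shape.
    cidrs = list(perm.get("ipRanges", []))
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs

def evaluate_security_group(configuration):
    """Map one security group's 'configuration' block from an AWS Config
    configuration item to (ComplianceType, Annotation)."""
    exposed = sorted({
        name for port, name in WATCHED_PORTS.items()
        for perm in configuration.get("ipPermissions", [])
        if _covers_port(perm, port) and _open_to_world(perm)
    })
    if exposed:
        return "NON_COMPLIANT", "Unrestricted ingress for: " + ", ".join(exposed)
    return "COMPLIANT", "No unrestricted SSH/RDP ingress"

def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic above runs offline
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    if ci["configurationItemStatus"] == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    else:
        compliance, note = evaluate_security_group(ci["configuration"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
```

The NON_COMPLIANT evaluation is what AWS Config hands to the remediation action, so the same function doubles as a unit-testable gate before you wire AWS-DisablePublicAccessForSecurityGroup to it.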
Remediation of findings in AWS Security Hub
You can use Security Hub in conjunction with other services to automate your response to system events such as application availability issues or resource changes. Events from AWS services are delivered to Amazon EventBridge in near real time and on a guaranteed basis. You can write simple rules to indicate which events you are interested in and what automated actions to take when an event matches a rule. Security Hub automatically sends all new findings and all updates to existing findings to EventBridge as EventBridge events. You can also create custom actions to send selected findings and insight results to EventBridge. Figure 2 shows an example of this workflow.
A set of templates for cross-account automated response and remediation is available in AWS Solutions. The templates use EventBridge event rules and Lambda functions. You deploy the solution using AWS CloudFormation and Systems Manager. The solution can create fully automated response and remediation actions. It can also use Security Hub custom actions to create user-triggered response and remediation actions.
For example, take two affected packages, curl and libcurl, for CVE-2017-8816. When the user invokes the custom action for this finding, AWS Systems Manager Patch Manager updates both packages on the target managed instance. Amazon Inspector will automatically close all of the findings associated with these affected packages after the vulnerability is patched. The Security Hub delegated administrator account can trigger the Automation runbook and target EC2 instances in member accounts in a multi-account, multi-Region scenario.
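The custom-action workflow above, as an added example that is not the AWS Solutions templates or any code from the post: an EventBridge event pattern for the custom action plus the Lambda triage that turns the finding into a Patch Manager target. The action name, severity threshold and sample event are constructed; the handler assumes the EC2 instances are Systems Manager managed instances and that the function's role may call ssm:SendCommand.

```python
# EventBridge event pattern for the post's custom-action flow; the action
# name "PatchVulnerablePackages" is a placeholder you choose in Security Hub.
CUSTOM_ACTION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "detail": {"actionName": ["PatchVulnerablePackages"]},
}
ACTIONABLE_SEVERITIES = {"HIGH", "CRITICAL"}

def _instance_id(resource):
    # ASFF resource Ids for EC2 instances are ARNs ending in "instance/i-...".
    if resource.get("Type") != "AwsEc2Instance":
        return None
    return resource["Id"].rsplit("/", 1)[-1]

def instances_to_patch(event):
    """Map active, unresolved HIGH/CRITICAL findings to {instance_id: [CVEs]}."""
    targets = {}
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("RecordState") != "ACTIVE":
            continue  # archived, e.g. Inspector closed it after patching
        if finding.get("Workflow", {}).get("Status") == "RESOLVED":
            continue
        if finding.get("Severity", {}).get("Label") not in ACTIONABLE_SEVERITIES:
            continue
        cves = [v["Id"] for v in finding.get("Vulnerabilities", [])]
        for resource in finding.get("Resources", []):
            iid = _instance_id(resource)
            if iid:
                targets.setdefault(iid, []).extend(cves)
    return targets

def lambda_handler(event, context):
    import boto3  # imported here so the triage logic above runs offline
    targets = instances_to_patch(event)
    if targets:  # AWS-RunPatchBaseline (Install) applies the patch baseline
        boto3.client("ssm").send_command(
            InstanceIds=sorted(targets), DocumentName="AWS-RunPatchBaseline",
            Parameters={"Operation": ["Install"]})
    return {"patched": sorted(targets)}

# Constructed sample: one active Inspector finding for the CVE from the post.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail": {
    "actionName": "PatchVulnerablePackages", "findings": [{
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        "Severity": {"Label": "HIGH"},
        "Vulnerabilities": [{"Id": "CVE-2017-8816",
            "VulnerablePackages": [{"Name": "curl"}, {"Name": "libcurl"}]}],
        "Resources": [{"Type": "AwsEc2Instance",
            "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456"}]}]}}
```

Filtering on RecordState and Workflow.Status is what keeps the action idempotent: once Inspector closes the finding after patching, a re-invocation returns no targets.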
Securing and automating compliance in a multi-account strategy
Customers often work with a multi-account strategy on AWS. The benefits of working with multiple accounts go beyond automating compliance. You can group resources for categorization and discovery, improve your security posture with a logical boundary, limit the damage in case of unauthorized access, and easily manage user access to different environments. If one of your accounts gets compromised, the resources in your other accounts remain safe. These customers often work with AWS Organizations and AWS Control Tower.
Audit Manager integrates with AWS Organizations to allow running an assessment over multiple accounts and consolidating evidence into a delegated administrator account. Audit Manager provides an AWS Control Tower guardrails framework to assist you with your audit preparation, imports guardrails logs from AWS Control Tower, and performs additional analysis.
You can implement your own compliance checks and rules at scale with AWS Config conformance packs. Conformance packs allow you to package and deploy a collection of rules and remediation actions, both managed and custom. This feature is especially interesting for AWS Organizations, where you can build one set of checks for all accounts in your organization. When using AWS Config custom rules in a multi-account environment, be aware that they depend on the AWS account you used for Audit Manager.
If you want to assess vulnerabilities with Security Hub in an organization, the master account can designate the Security Hub administrator account. The Security Hub administrator account has access to all of the accounts in the organization and determines which organization accounts to enable as member accounts. See Managing accounts with AWS Organizations to learn more. These member accounts cannot disassociate themselves from the administrator account.
Lastly, you can run Systems Manager automations across multiple AWS Regions and AWS accounts or AWS Organizations organizational units (OUs) from a central account.
All of the preceding guidance on how to automate security and compliance can also be applied in a multi-account structure, allowing you to automate reporting, collection, detection, and remediation.
Conclusion
In this post we explained how you can use AWS tools and services to secure and automate compliance in your environment. We discussed how Audit Manager helps you with the collection of compliance information, how AWS Config and Security Hub can help you assess security and compliance, and how you can automate remediation of security and compliance issues using AWS Config remediation rules and Systems Manager Automation documents. Lastly, we discussed how this setup scales to a multi-account environment.