Amazon Web Services (AWS) is an ever-evolving cloud services platform that continues on its path to remaining the market leader in cloud infrastructure. If you use AWS services, you have an idea of what we’re talking about. However, are you sure you’re using all the AWS tools possible for SOC 2 compliance? Do you know all the tools AWS offers? What AWS tools can help you prepare for a SOC 2 audit?
Our firm continually strives to simplify SOC 2 compliance in the AWS environment, and native AWS tools are a great way to do this. We touched on the best practice controls for monitoring performance in AWS, and want to take a closer look at which AWS security tools are available and how effective they are in supporting a SOC 2 compliance program.
How Does AWS Security Work?
AWS offers clients a cloud computing services platform committed to protecting your system’s confidentiality, integrity, and availability through application of the AWS Well-Architected Framework. AWS enables organizations to run a wide range of applications while simplifying much of the security and availability controls. On top of that, the AWS infrastructure was designed as one of the most flexible and secure cloud computing environments available for clients at all enterprise levels today.
What Security Does AWS Provide?
The security “of” the cloud lies within the AWS infrastructure, which uses layered controls, continuous validation and testing, and an intricate array of automated processes to monitor and protect your systems and data 24/7. Further, these practices extend to every data center or service, allowing all customers to benefit from a design built for the most security-sensitive clients of AWS.
Who is Responsible for Security in AWS?
AWS provides security for your system and data, considering that security its highest priority. Within the network architecture, AWS leadership ensures the cloud platform remains compliant with SOC 2 requirements, behaving much like the security measures used in your on-premises data centers. The best part is that you don’t have to maintain infrastructure and incur on-site operating costs. You have access to some of the best software-based security tools available, enabling you to monitor and secure a steady flow of information into and out of your system.
Ultimately, the AWS framework is considered a shared responsibility model, meaning that AWS protects the cloud environment, and you remain responsible for your security while working within the cloud.
All this means that you must remain vigilant and dutiful in protecting your content, applications, networks, systems, and platform the same as you always have. While AWS must remain SOC 2 compliant, you must also.
Is AWS SOC 2 and ISO Certified?
AWS maintains certification for compliance with several standards within the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) to ensure AWS SOC 2 compliance and much more. AWS relies on AWS audit tools such as AWS Audit Manager to maintain compliance and shares audit reports through AWS Artifact.
How Do I Secure My AWS Environment?
When you place your customer, employee, and intellectual data in the cloud, it makes sense to ask whether that data can be hacked. The answer is that any system can be breached, but you can protect your data with the right tools. AWS provides secure infrastructure, but you must do your part in managing OS patches, firewalls, and controls through regular SOC 2 audits.
With the right strategy and AWS security products, you can do your part to secure your AWS environment. Before leveraging any of the tools described in this article, it is suggested you lock down your AWS environment with a few specific controls:
- Create strong passwords to access your AWS resources.
- Enable multi-factor authentication.
- Devise an alias for your group emails associated with your AWS account.
- Set up AWS Identity and Access Management (IAM) users, roles, and groups for secure daily account access in each capacity, then delete your account’s access keys using the IAM root panel.
- Enable CloudTrail to support governance, compliance, risk, and operational auditing for your AWS account.
- In more complex environments, consider using AWS Control Tower to properly configure multi-account environments.
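One way to check the first items on this list, as an added example that is not part of the original article: the function below grades the JSON printed by `aws iam get-account-summary`, `aws iam get-account-password-policy`, `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`. The 14-character minimum, the multi-region check and the sample data are assumptions made for illustration.

```python
# Added example: grade the lock-down checklist from saved AWS CLI JSON output.
MIN_PASSWORD_LENGTH = 14  # assumed threshold; use your own policy value
CHARSET_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols")

def check_baseline(summary, password_policy, trails, trail_status):
    """Return findings as strings; an empty list means every check passed.

    summary         -> aws iam get-account-summary
    password_policy -> aws iam get-account-password-policy (None if unset)
    trails          -> aws cloudtrail describe-trails
    trail_status    -> {trail name: aws cloudtrail get-trail-status output}
    """
    findings = []
    counts = summary.get("SummaryMap", {})
    if counts.get("AccountMFAEnabled") != 1:
        findings.append("root user has no MFA device")
    if counts.get("AccountAccessKeysPresent", 1) != 0:
        findings.append("root user access keys still exist")

    policy = (password_policy or {}).get("PasswordPolicy")
    if policy is None:
        findings.append("no IAM password policy is set")
    else:
        if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
            findings.append("password minimum length is below threshold")
        missing = [f for f in CHARSET_FLAGS if not policy.get(f)]
        if missing:
            findings.append("password policy lacks: " + ", ".join(missing))

    # A trail that exists but is stopped records nothing, so check IsLogging.
    active = [t for t in trails.get("trailList", [])
              if trail_status.get(t.get("Name"), {}).get("IsLogging")]
    if not active:
        findings.append("no CloudTrail trail is currently logging")
    elif not any(t.get("IsMultiRegionTrail") for t in active):
        findings.append("no logging trail covers all regions")
    return findings

# Constructed sample: root keys still present, trail defined but stopped.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}}
SAMPLE_POLICY = {"PasswordPolicy": {"MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "RequireNumbers": True, "RequireSymbols": False}}
SAMPLE_TRAILS = {"trailList": [{"Name": "example-trail", "IsMultiRegionTrail": True}]}
SAMPLE_STATUS = {"example-trail": {"IsLogging": False}}

if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_SUMMARY, SAMPLE_POLICY,
                                  SAMPLE_TRAILS, SAMPLE_STATUS):
        print("FAIL:", finding)
```

The root-user MFA flag covers only the account root; MFA on individual IAM users has to be checked separately.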
Can AWS See Your Data?
AWS data security ensures that you have ownership and control over your data, using tools that allow you to determine and designate where to store your content while in transit and at rest. AWS works on a philosophy of “keeping humans away from data,” relying primarily on automation. In the few instances where human intervention from AWS is needed, AWS compliance tools come into play, tapping into robust governance controls, such as:
- Employees who have administrative access to your data must undergo advanced levels of screening.
- Employees accessing your data must use a VPN, device certificates, multi-factor authentication, and detailed logging procedures.
Each instance of administrative access to your data must undergo an evaluation to develop or improve advanced automation to prevent similar issues and the need to rely on employee access in the future.
What Are The Tools Used In AWS?
Enabling its users to implement effective security is a top priority for AWS, and with that, the cloud services giant offers various security tools and features to help its partners meet security objectives.
While there are many industry solutions for organizations to leverage when it comes to SOC 2 preparation, monitoring, and assessment in AWS environments, many organizations wish to simplify their security programs by avoiding SaaS sprawl, shunning complexity, and adopting cloud-native solutions from AWS and other cloud hosting providers. AWS has led the way by providing a robust set of tools to allow organizations to implement, monitor, and assess compliance with a variety of frameworks.
The best part is that AWS security tools mirror the SOC 2 controls deployed to monitor your business’s on-premises environments. Here are a few of the tools and features used in AWS security controls that you might want to consider while building a SOC 2-compliant environment in AWS.
1 – Logging and Monitoring in AWS
Logging and monitoring in AWS is more a group of tools than a single tool. AWS understands the importance of monitoring your system and data when in use within another environment, and provides tools such as AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty to give you the insights you need to catch issues before they become problems that could negatively impact your business.
Organizations must make sure relevant logs are collected and analyzed for anomalous events or other indicators of compromise. Ensuring all of the appropriate logs are being collected and retained can be its own challenge! Here is an excellent guide for best practices behind logging and monitoring of various AWS services.
2 – AWS Trusted Advisor
AWS Trusted Advisor offers real-time guidance to help you provision your resources following best practices. By using Trusted Advisor, you can optimize your AWS infrastructure to enhance performance and security. Trusted Advisor covers the most basic security configuration checks for users with Basic or Developer Support. For users with Business or Enterprise Support, a broad spectrum of configuration checks is available. To learn more about Trusted Advisor, take a look at the best practices for Trusted Advisor.
From an auditing standpoint, much of what Trusted Advisor addresses is considered baseline in terms of information security controls, and the minimum an organization should have in place as an organization stands up a new environment within AWS.
3 – Amazon Inspector
Amazon Inspector is a tool that provides automated security and compliance assessments for AWS-deployed applications. Using Amazon Inspector, you can schedule assessments that focus on Common Vulnerabilities and Exposures, CIS Benchmarks, and other security considerations including network reachability and more. Amazon Inspector can also be integrated into AWS Security Hub.
Inspector builds upon the basics evaluated by Trusted Advisor and is beneficial in that it allows an organization to assess itself against specific vulnerabilities and benchmarks.
4 – AWS Security Hub
AWS Security Hub gives you insights into your security with a comprehensive view of your security alerts and position across all your AWS accounts. One of the main benefits of AWS Security Hub is that it integrates with numerous other AWS services to provide an aggregated view of the security posture of an AWS environment. Once an organization has stood up the most basic security capabilities of AWS, Security Hub is an ideal way to monitor security and compliance.
Security Hub is certainly a more advanced tool and requires a greater level of configuration and expertise to fully leverage its power. For example, using Security Hub and CloudWatch, it is possible to implement automated response and remediation functions.
5 – AWS Audit Manager
The AWS Audit Manager tool helps you audit and manage your AWS usage to detect and assess risks while ensuring regulatory compliance with industry standards including SOC 2, PCI DSS, HIPAA, HITRUST, FedRAMP, GDPR, and others. Audit Manager excels at helping organizations navigate the challenges associated with demonstrating compliance with specific framework controls in the AWS ecosystem. To implement Audit Manager, the organization first must select an existing framework (e.g., SOC 2) or develop a custom framework.
Once a framework has been selected, the organization will define the scope for the assessment to include relevant systems, services, and resources. Lastly, the organization activates the assessment, which begins the data collection process. Once data has been collected, the organization can conduct reviews, delegate responsibility for control monitoring, and generate audit-ready reports. If you’ve already implemented basic security controls in AWS, you may be ready to start automating the audit process with Audit Manager.
These tools and others from AWS help you monitor your organization’s presence within the AWS platform, equipping you with the means and power to protect your interests while working confidently with AWS. Even better, these tools help you when it comes to preparing for SOC 2 audits.
Where Is AWS Data Stored?
Cloud environment storage is one of the many services AWS offers, allowing you to store, access, process, govern, transfer, analyze, and delete your data with increased security and agility while reducing costs and enjoying peak innovation as it becomes available.
With cloud storage in AWS, you have many choices for storing your data securely in the cloud. Amazon Simple Storage Service, or S3, offers storage that scales with your needs to ensure data collection, backup, and analytics.
We understand that, for many clients, placing data in the cloud still seems like an enormous risk and leap of faith. Our Linford & Company service auditors will work with you to understand what falls under the AWS umbrella of security responsibility and what you must do to keep your data safe while housed and used in the AWS cloud platform.
We are available to help ensure that your controls meet the SOC 2 requirements that remain your responsibility. Please contact us at Linford & Company to learn more about SOC 2 compliance, audits, and more.
Richard Rieben is a Partner and HITRUST practice lead at Linford & Co., where he leads audits and assessments covering various frameworks including HITRUST, SOC, CMMC, and NIST. With over 20 years of experience in IT and cybersecurity and various certifications including PMP, CISSP, GSNA, and CASP+, Richard is skilled in helping growing organizations achieve their information security and compliance goals. He holds a Bachelor of Science in Business Management and an MBA from Western Governors University.