AWS Continuous Compliance
Last updated on November 17th, 2023 at 9:39am
Organizations around the world continue to adopt the cloud at breakneck speeds. The cloud provides accessibility, but it also creates open, decentralized networks with the potential for increased vulnerability if not managed correctly.
Compliance frameworks are one of the core ways that organizations can attest to meeting or exceeding levels of security for their environments. Adapting these frameworks to new technology platforms has created a new discipline: cloud compliance. Trend Micro defines cloud compliance as:
“Cloud compliance is the art and science of complying with regulatory standards of cloud usage in accordance with industry guidelines and local, national, and international laws.”
In this guide, we will explore the process of adopting, satisfying, and attesting compliance with requirements for different frameworks in a cloud environment, specifically, Amazon Web Services (AWS), the largest public cloud provider in the world.
What Is a Compliance Standard?
For the sake of this guide, we’ll use Oracle’s definition of a compliance standard: “A collection of compliance requirements that perform a collection of checks following broadly accepted best practices to ensure that IT infrastructure, applications, business services, and processes are organized, configured, managed, and monitored correctly.”
Examples of common compliance standards include HIPAA, GDPR, ISO 27001, CSA Revision 1.4 on AWS, and others.
In summary, compliance standards are a collection of requirements mapped to controls that demonstrate that laws, rules, and regulations are being followed within the cloud environment.
How Do You Satisfy Compliance Standards and Their Requirements?
Many businesses need to comply with new standards as their business changes and grows. Perhaps you expand to have customers in the European Union and need to become GDPR compliant. Another common situation is that companies will achieve compliance with a given standard to gain new customers, like with SOC2.
To ensure compliance in the cloud, many organizations adopt a cloud governance framework that incorporates the requirements from applicable compliance standards so that compliance requirements are satisfied as the cloud environment evolves.
Whether you’re remediating non-compliance with an existing standard or adopting a new one, the process to become and stay compliant is the same:
1. Understand your compliance scope
2. Identify what is and is not compliant
3. Triage non-compliant areas
4. Remediate non-compliance
5. Validate and prove remediations were successful
6. Satisfy attestation and audit requirements
7. Monitor drift and remediate as necessary
While these steps are simple to list, they are complicated in their execution. We’ll look at different ways you can use native cloud tools and third-party tools, like Kion, to simplify and expedite your compliance process.
Using AWS Native Tools to Help Satisfy Compliance Standards
The Shared Responsibility Model and Your Compliance Scope
The first step to satisfying compliance standards is to understand your compliance scope. When operating on AWS, security and compliance are a shared responsibility between AWS and the customer. AWS delineates its responsibilities and the customers’ through the Shared Responsibility Model. AWS helps define the responsibilities by saying AWS has the responsibility for the “security of the cloud” and the customer is responsible for “security in the cloud”. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, while the customer responsibility will be determined by the AWS Cloud services that a customer selects.
AWS recommends the following exercises to determine how to apply the Shared Responsibility Model to your specific use case:
- Determine external and internal security and related compliance requirements and objectives, and consider industry frameworks like the NIST Cybersecurity Framework (CSF) and ISO.
- Consider employing the AWS Cloud Adoption Framework (CAF) and Well-Architected best practices to plan and execute your digital transformation at scale.
- Review the security functionality and configuration options of individual AWS services within the security chapters of AWS service documentation.
- Evaluate the AWS Security, Identity, and Compliance services to understand how they can be used to help meet your security and compliance objectives.
- Review third-party audit attestation documents to determine inherited controls and what required controls may be remaining for you to implement in your environment.
- Provide your internal and external audit teams with cloud-specific learning opportunities by leveraging the Cloud Audit Academy training programs.
- Perform a Well-Architected Review of your AWS workloads to evaluate the implementation of best practices for security, reliability, and performance.
- Explore solutions available in the AWS Marketplace digital catalog with thousands of software listings from independent software vendors that enable you to find, test, buy, and deploy software that runs on AWS.
- Explore AWS Security Competency Partners – like Kion, offering expertise and proven customer success securing every stage of cloud adoption, from initial migration through ongoing day-to-day management.
AWS Security Hub for Compliance
To help with steps 2-5 of the compliance process, you can use AWS Security Hub to give you some visibility into your compliance posture. AWS Security Hub is a security findings dashboard you can enable in your AWS account on a per-region basis that runs checks, aggregates alerts, and supports automated remediation. You can enable one of the 224 pre-defined checks that AWS supplies across one of three standards:
- AWS Best Practices
- PCI DSS
- CIS.AWS Foundational Security Best Practices v1.0.0
AWS Security Hub is also an aggregator for many AWS services and can help you view all the findings in one place.
Beyond compliance, AWS Security Hub is a versatile tool with multiple use cases including Cloud Security Posture Management (CSPM), Security Orchestration, Automation, and Response (SOAR) workflows, and more.
AWS provides a lot of great tools inside AWS to support the compliance process; however, more organizations desire to shift security and compliance “to the left,” meaning that security and compliance are incorporated into the architecture and as a part of the development process to minimize the compliance gap once in production. To accomplish this shift left, organizations require proactive tools.
Shifting Compliance to the Left, Using Kion’s Proactive Compliance Engine
Due to the rise in cloud adoption, many AWS environments will be subject to multiple compliance standards; however, not every part of the AWS environment will be required to comply. There will be multiple permutations. Management and remediation of these requirements and findings are a large obstacle to moving compliance to the left and being more proactive. These manual efforts mean that security teams are often in react mode, addressing compliance issues only when it is time to prepare for an audit.
Creating a unified platform where you can see all of the checks, findings, and cloud accounts that are in scope is essential to becoming proactive.
Easily Apply Compliance Permutations with Kion’s Organizational Chart
Kion’s organizational chart is more than a beautifully presented, visual representation of your AWS environment. It is also a powerful compliance tool. The organizational chart supports hierarchical inheritance, meaning if you place a cloud account in a subordinate project or organizational unit (OU), it will inherit the compliance controls and permissions of the parent(s). This is useful for applying compliance baselines across your entire environment quickly to set a standard for the organization. But what about when some projects or OUs need to adhere to a different standard that doesn’t apply to other parts of the cloud environment? The organizational chart makes that easy as well.
For example, many research institutions have projects that require HIPAA compliance, but their corporate applications may not. In this case, you can use the organizational chart to create an OU for biomedical research that contains the child accounts that require HIPAA compliance, and Kion’s automation will apply the HIPAA compliance standard to the child projects. In contrast, other OUs and projects will not have that standard applied.
Being able to structure your cloud environment to reflect your corporate organization can greatly assist in ensuring the entire organization is compliant with all of the required standards by applying compliance standards visually to exactly where you need them.
Select Applicable Compliance Standards and Jumpstarts
Every organization has a unique security posture and compliance requirements. To support organizations of all sizes in the compliance process in AWS, Kion has over 8,000 checks mapped to over 30 compliance standards to assist in satisfying compliance requirements.
Kion offers compliance “jumpstarts” that contain IAM policies, CloudFormation templates, compliance checks, and other resources mapped to a given compliance standard to save you enormous amounts of manual work in achieving compliance in AWS. These jumpstarts serve as an excellent place to start to satisfy your compliance requirements; however, in many cases, additional processes or documentation will be needed outside of what the jumpstarts can provide to satisfy every requirement.
Using a jumpstart in Kion is easy. Select the corresponding jumpstart for the compliance standard you wish to satisfy – HIPAA, SOC2, CIS 1.2.0 for AWS, etc., and select “load managed resources”.
These managed resources include preventative controls for configuring a new account to comply with the chosen standard(s) – networking, flow logs, preventative IAM policies, and more.
This also loads a compliance standard into Kion’s compliance engine. These checks are mapped to applicable requirements and become the basis for compliance scans to generate findings of noncompliance and opportunities for automatic remediation with Kion’s Continuous Compliance features.
Build Custom Checks and Jumpstarts with YAML
In addition to popular compliance standards, organizations frequently have internal requirements unique to operating their business. Kion addresses these by letting you create custom checks for requirements that are outside the scope of the included jumpstarts, using an open-source rules engine to write and run YAML policies against your AWS resources, such as EC2 instances, VPCs, and root users. These policies are deployed through our compliance checks, which run the policy on a cloud resource to see if it matches an undesirable configuration. Here’s an example of a custom check written to stop all EC2 instances that are tagged “test”.
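A check of the kind described above, as an added example that is not taken from Kion's product or documentation. It assumes the open-source rules engine is Cloud Custodian (named later on this page) and that "tagged test" means either a tag key `test` or an `Environment` tag with the value `test`; the policy name is a placeholder.

```yaml
# Added example in Cloud Custodian policy syntax (assumed engine).
policies:
  - name: ec2-stop-test-tagged          # placeholder name
    resource: aws.ec2
    description: Stop running EC2 instances that are tagged "test".
    filters:
      # Only instances that are currently running are candidates.
      - type: value
        key: State.Name
        value: running
      # Assumption: match a tag key "test" or an Environment tag set to "test".
      - or:
          - "tag:test": present
          - "tag:Environment": test
    actions:
      # Stops the instance; the instance and its EBS volumes are kept.
      - stop
```

The filters define the undesirable configuration and the action is the remediation; removing the `actions` block turns the same policy into a report-only check.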
Understand Your Baseline with an Initial Compliance Scan
Your first compliance scan helps you determine what you have to do to become compliant with your compliance standard of choice. After importing one of our compliance jumpstarts, select where and when you would like to run the scan, then create and assign a cloud rule to perform the scan on your resources.
Review Compliance Scan Findings
Once you have completed your first scan, you can begin to triage the findings by severity to plan how you will be able to remediate these findings and bring your AWS environment into compliance. These findings are how you can perform step 3 of triaging your compliance findings, but also help in steps 6 and 7 where you can demonstrate your compliance and monitor drift with regular scans throughout the entire compliance lifecycle.
Configure Automatic Remediations to Accelerate Compliance and Prevent Drift
One of the most powerful features of Kion is its ability to bring your environment into compliance by automatically remediating compliance findings. Many of the cloud rules in our jumpstarts already have remediation actions configured, and we allow you to configure your own auto-remediations in a similar way to building compliance checks.
After deploying a cloud rule with a remediation action, you can check to see if the remediation action is working by looking at your compliance findings. For example, if you deploy the NIST 800-53 cloud rule (which already has a remediation action configured) into an AWS account, AWS GuardDuty is enabled. As a result, you should no longer have compliance findings for the nist-800-53-account-with-guardduty-disabled check.
With automatic remediations enabled, you can rest easy knowing that Kion will automatically prevent drift by stopping these findings from occurring again and maintaining your compliance posture.
Kion Enhances Other Tools in Your Security Stack
Kion integrates with tools in your stack to enrich data found on other platforms and to give more context to your complete security posture. As an AWS Security Competency designee and Security Hub Partner (under our former name, cloudtamer.io), Kion offers unique capabilities in securing an AWS environment.
AWS Security Hub Integration
There are four different ways Kion can integrate with AWS Security Hub:
- Post and update findings on any resource type to AWS Security Hub (action: post-finding). This will send a new finding to both Kion and AWS Security Hub when it's detected, so if you're using AWS Security Hub, you won't have to do double work by adding detection both there and in Kion.
- Query with filtering of resources based on findings. This policy will query findings from AWS Security Hub instead of the resources themselves and then perform an action (filter: finding). This is useful if you are sending findings into AWS Security Hub from multiple tools and want to set up easy, automated remediations using Kion on select items.
- Create a Lambda function (Lambda execution mode) that triggers on ingestion of AWS Security Hub findings (mode: hub-finding). This sets up a listener so you can trigger remediations as soon as a finding is added to AWS Security Hub from any ingestion source including Kion. This is the quickest way to remediate findings.
- Create a Lambda function (Lambda execution mode) that can be triggered manually in the AWS Security Hub UI. These custom actions, which you define, work with both findings and insights (mode: hub-action). This lets you build a customized action you would like to take whenever a user triggers it on a finding or insight within AWS Security Hub.
The native integration within Kion allows you to automatically send and receive findings and trigger remediation actions via Security Hub. This integration simplifies the threat-monitoring process by allowing Kion to interact with Security Hub and provide a “single-pane-of-glass” view of up-to-the-minute compliance without duplicating efforts.
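The four integration points listed above, written as one policy each (an added example, not Kion's own code). It assumes the rules engine is Cloud Custodian, whose `post-finding`, `finding`, `hub-finding` and `hub-action` keywords match the list; the policy names, the role ARN and the finding type string are placeholders.

```yaml
# Added example in Cloud Custodian policy syntax (assumed engine).
policies:
  # 1. action: post-finding. Publish matching resources as findings.
  - name: ec2-missing-owner-finding
    resource: aws.ec2
    filters:
      - "tag:Owner": absent
    actions:
      - type: post-finding
        severity_normalized: 30
        types:
          - "Software and Configuration Checks/Example Internal Standard"

  # 2. filter: finding. Select resources by findings already in Security
  #    Hub, whichever tool reported them, then act on that subset.
  - name: ec2-critical-finding-tag
    resource: aws.ec2
    filters:
      - type: finding
        query:
          RecordState:
            - Comparison: EQUALS
              Value: ACTIVE
          SeverityLabel:
            - Comparison: EQUALS
              Value: CRITICAL
    actions:
      - type: tag
        key: security-review
        value: required

  # 3. mode: hub-finding. Lambda function invoked as findings are ingested.
  - name: ec2-stop-test-on-finding
    resource: aws.ec2
    mode:
      type: hub-finding
      role: arn:aws:iam::123456789012:role/EXAMPLE-remediation-role
    filters:
      - "tag:test": present   # scope the remediation to test instances
    actions:
      - stop

  # 4. mode: hub-action. Custom action an analyst triggers in the console.
  - name: ec2-snapshot-and-stop-on-demand
    resource: aws.ec2
    mode:
      type: hub-action
      role: arn:aws:iam::123456789012:role/EXAMPLE-remediation-role
    actions:
      - snapshot
      - stop
```

The two Lambda modes need an execution role that can read Security Hub findings and perform the listed actions; keeping that role limited to those actions bounds what an automated remediation can change.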
Tenable.sc
The Tenable.sc integration can be used to keep track of your Tenable.sc vulnerabilities in Kion. This allows you to pull all your compliance information into one place. It enhances your Tenable.sc findings with the additional context that Kion holds about your AWS accounts and organizational chart arrangements, helping you identify what needs to be remediated and where it exists in your AWS environment.
Splunk
Splunk lets you search, monitor, and analyze big data for easy visualization. You can use Splunk’s integration with AWS CloudWatch to analyze your Kion data. You can also leverage a Cloud Custodian utility to send compliance notifications from Kion to Splunk.
We integrate with Splunk using a Cloud Custodian utility that lets you send Kion compliance notifications through Splunk. This helps us support your continuous compliance goals without disrupting your established workflows. Pairing Splunk with Kion makes it easy to visualize, manage, and remediate compliance concerns.
Manage the Full Compliance Lifecycle on AWS
As you can see, Kion can enhance, expedite, and automate tasks across every stage of the compliance lifecycle. If you would like to see a step-by-step case study of what this looks like in a large, complicated enterprise AWS environment, you can see how a Federal Government agency used Kion to become compliant with a new standard and receive an ATO here: Golden Ticket to an ATO on AWS
Kion is the best way to establish and scale a well-governed, multi-account AWS environment and can assist you with much more than compliance. As a cloud enablement platform, we want to help you go farther, faster in AWS by helping you to accomplish meaningful work across every facet of developing and managing your AWS platform.
Automation & Orchestration tools make configuring financial, security, and compliance guardrails across multiple accounts easy and reduce what usually takes weeks of manual configuration to hours.
Financial Management features help you visualize your AWS spend and understand where and why money is being spent. Also, you can receive recommendations for rightsizing resources and identifying zombie instances to stop wasting your cloud spend.