Organizations in regulated markets such as US Federal, Department of Defense, Public Sector, Healthcare or Financial Services need to meet specific regulatory and compliance standards. These standards include SOC 2, HIPAA, FFIEC, GLBA, 800-171, FISMA, FedRAMP and PCI-DSS, amongst others. stackArmor has been supporting organizations in diverse industries in meeting their compliance and security requirements and has developed an implementation methodology called Security by Design. Key elements of Security by Design are described below.
1. Select eligible services
Being compliant means limiting your selection to services that fall within the scope of the compliance framework. The AWS Services in Scope page is a useful resource for finding eligible services: https://aws.amazon.com/compliance/services-in-scope/
2. Architect for compliance
Most regulatory and compliance frameworks, such as FedRAMP, FISMA, 800-171, HIPAA, FFIEC, GLBA and PCI-DSS, require the ability to meet specific controls and control families. AWS provides a broad set of ready-made services that can be used to satisfy these requirements. The table below gives a quick overview of common control families and the corresponding AWS cloud-native services that can be used to address them.
| Control Family | AWS Cloud-Native Services |
| --- | --- |
| Access Control | IAM |
| Awareness and Training | AWS Training Courses on Security, Operations |
| Audit and Accountability | CloudWatch, CloudTrail |
| Configuration Management | Config, Service Catalog, Marketplace |
| Identification and Authentication | Cognito, Directory Service |
| Incident Response | Lambda, SNS, CloudWatch Logs & Metrics |
| Maintenance | Systems Manager, Inspector |
| Media Protection | EBS, S3 Encryption, KMS, Macie |
| Personnel Security | GovCloud: ITAR compliant service by US Persons |
| Physical Protection | AWS FedRAMP ATO |
| Risk Assessment | Trusted Advisor, Artifact |
| Security Assessment | ELK, SplunkCloud |
| System & Communication Protection | WAF, VPC, Security Groups, Subnets |
| System & Information Integrity | Multi-Region, Multi-VPC, Multi-AZ, ASG, ELB |
Selecting and deploying cloud-native services reduces the maintenance burden and yields a more cost-effective solution without the need for third-party "bolt-ons". The selection of AWS cloud-native services must be performed in the context of the applicable regulatory framework, since not every service is eligible under every framework.
3. Document to demonstrate compliance
Many organizations do not adequately capture or create "evidentiary" documentation that clearly communicates the compliance and security architecture to auditors, third-party stakeholders or partners. The most common documentation requirements include a System Security Plan, an Incident Response Plan and a Plan of Action & Milestones that captures the backlog of open security work items. Depending on the specific requirements of the compliance regulation, additional documentation and an independent third-party audit and assessment may also be required.