Stackarmour

Achieving Compliance and Security on AWS cloud

Organizations in regulated markets such as US Federal, Department of Defense, Public Sector, Healthcare or Financial Services have a need to meet specific regulatory and compliance standards. These standards include SOC 2, HIPAA, FFIEC, GLBA, 800-171, FISMA, FedRAMP, or PCI-DSS amongst others. stackArmor has been supporting organizations in meeting their compliance and security requirements in diverse industries and have developed an implementation methodology called Security by Design. Key elements of the Security by Design are described below.

1. Select eligible services

Being compliant means limiting your selection to specific services within the scope of the compliance framework. The services in scope site on AWS is a great resource to assist with finding eligible services. The link to the resource is https://aws.amazon.com/compliance/services-in-scope/

2. Architect for compliance

Most regulatory and compliance frameworks such as FedRAMP, FISMA, 800-171, HIPAA, FFIEC, GLBA, PCI-DSS or such require the ability to meet specific controls and control families. AWS provides a great set of ready resources to meet specific compliance requirements to meet various security requirements. The table below provides a quick overview of very common control families and corresponding AWS cloud-native services to meet those requirements.

Control Family AWS Cloud-Native Services
Access Control IAM
Awareness and Training AWS Training Courses on Security, Operations
Audit and Accountability CloudWatch, CloudTrail
Configuration Management Config, Service Catalog, Marketplace
Identification and Authentication Cognito, Directory Service
Incident Response Lambda, SNS, CloudWatch Logs & Metrics
Maintenance Systems Manager, Inspector
Media Protection EBS, S3 Encryption, KMS, Macie
Personnel Security GovCloud: ITAR compliant service by US Persons
Physical Protection AWS FedRAMP ATO
Risk Assessment Trusted Advisor, Artifact
Security Assessment ELK, SplunkCloud
System & Communication Protection WAF, VPC, Security Groups, Sub-nets,
System & Information Integrity Multi-Region, Multi-VPC, Multi-AZ, ASG, ELB

Selecting and deploying cloud-native services reduces the maintenance burden and ensures a more cost-effective solution without the need for third-party “bolt-on’s”. The selection of AWS cloud-native services needs to be performed in the context of the regulatory framework and not every service might be eligible.

3. Document to demonstrate compliance

Many organizations do not adequately capture or create “evidentiary” documentation that adequately communicates the compliance and security architecture to auditors, third-party stakeholders or partners. Most common documentation requirements include the creation of a System Security Plan, Incident Response Plan and a Plan of Action & Milestones to capture the backlog of security work items.  Depending on the specific requirements of the compliance regulation, other documentation and an independent third-party audit and assessment might be required.