AWS Security Compliance Programs
How does Amazon measure its success when it comes to compliance with security best practices and regulations? Through the success of its many customers! Customers drive AWS efforts in these categories (to name just a few):
Compliance reports
Attestations
Certifications
Compliance programs and your adherence to them will help you implement excellent security at scale in AWS. This should also help you realize cost savings overall when it comes to your security implementation.
Amazon, especially once you are a customer, will communicate its security responsibilities, successes, failures, and overall efforts using the following means:
Obtaining industry certifications
Obtaining independent, third-party attestations
Publishing security information white papers and web content
Providing certificates, reports, and other documents to customers, sometimes under a nondisclosure agreement (NDA)
Amazon also provides the following to customers:
Functionality through security features
Compliance playbooks
Mapping documents
AWS also offers a robust risk and compliance program that helps with the following:
Risk management
Control environments
Information security
Amazon regularly scans all public-facing points for vulnerabilities. It even uses independent, third-party firms to perform threat assessments against its technologies and infrastructure. If you (as a customer) are interested in performing penetration (pen) testing against your resources, you may do so, but you must be careful to pen test only your resources. You are not permitted to perform penetration tests against other customers or AWS. So, for example, you can freely pen test one of your own EC2 servers, but you cannot penetration test the EC2 service itself.
Remember, as a customer of AWS, you must do the following:
Engage in a robust security lifecycle approach that includes a review phase, a design phase, and phases of identification and verification. The identification phase should include external controls that are required to secure the customer resources.
Understand the required compliance objectives.
Establish a control environment.
Understand the validation based on risk tolerances.
Consistently verify the effectiveness of the security measures deployed.
A product to help you with compliance in AWS is AWS Artifact. This service offers on-demand access to AWS compliance reports and other documentation. AWS Artifact makes it easier for customers to understand the security and compliance posture of the AWS services they use, as well as to meet their own compliance requirements.
Fortunately, there are many other services to assist with governance and compliance in your AWS solutions, including the following:
CloudWatch: This monitoring and observability service allows you to collect, analyze, and visualize data from various AWS resources and applications in real time. With features like customizable dashboards, alarms, and logs, CloudWatch enables you to gain insights into the performance, health, and operational efficiency of your AWS infrastructure, facilitating proactive management and optimization of resources.
CloudTrail: This logging service records and monitors all API calls made on the AWS platform, offering a comprehensive audit trail of activities across an AWS account. By capturing information such as the identity of the caller, the time of the call, and the parameters used, CloudTrail aids in security analysis, resource change tracking, and compliance management by providing a detailed history of account activity and resource modifications.
AWS Audit Manager: This compliance management service automates the process of assessing and managing the compliance of AWS resources against industry standards and regulations. It enables users to streamline audit preparations, conduct risk assessments, and generate comprehensive reports, helping an organization maintain a secure and compliant environment by providing a centralized tool for tracking and managing compliance controls. Figure 8-3 shows AWS Audit Manager in the AWS Management Console.
Figure 8-3 The AWS Audit Manager
AWS Config: This service allows you to assess, audit, and evaluate the configurations of your AWS resources over time. By providing a detailed inventory of resource configurations and recording configuration changes, AWS Config enables you to maintain compliance, troubleshoot issues, and gain insights into resource relationships and dependencies in your AWS environment.
For more information regarding AWS and security compliance, you can visit the AWS Compliance page at https://aws.amazon.com/compliance, which provides links to a wealth of valuable resources.
Exam Preparation Tasks
As mentioned in the section “How to Use This Book” in the Introduction, you have a few choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 8-2 lists these key topics and the page number on which each is found.