What is Continuous Compliance?
Continuous compliance is the continuous monitoring of IT assets to ensure compliance with regulatory security benchmarks. It continuously scans networks to detect risks in a non-stop approach.
Continuous compliance entails creating a culture and strategy within your organisation that constantly evaluates your compliance position to ensure you are meeting industry and regulatory requirements while maintaining secure systems.
In short, continuous compliance aims to shift IT teams away from reactively responding to audit requests and attacks and toward being proactive in their preparation for future threats and data reporting requirements.
Why AWS Continuous Compliance and what are AWS Native Compliance Tools
AWS Continuous Compliance helps customers understand the robust controls in place at AWS to ensure data security and privacy in the AWS Cloud. AWS and customers share compliance responsibilities when systems are built in the AWS Cloud.
AWS computing environments are constantly audited and certified by accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001/ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. i.
AWS also has assurance programmes that provide templates and control mappings to assist customers in establishing the compliance of their AWS-hosted environments.
AWS Native Compliance Tools
- AWS CloudTrail
- AWS Config & Config rules
- AWS Systems Manger
AWS CloudTrail
AWS CloudTrail is a service provided by AWS that allows you to enable governance, compliance, operational and risk auditing of your AWS account. Events in CloudTrail are actions taken by a user, role, or AWS service. Events include AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs actions.
AWS Config
AWS Config is a fully managed service that gives you an AWS resource inventory, configuration history, and configuration change notifications to help with security and governance. Existing AWS resources can be discovered, exported as an inventory of AWS resources with all configuration details, and used to determine how a resource was configured at any point in time using AWS Config.
AWS Config rules
A Config Rule represents desired configurations for a resource and is compared to configuration changes recorded by AWS Config on the relevant resources. A dashboard displays the results of comparing a rule to the configuration of a resource. Config Rules can be used to assess overall compliance and risk status from a configuration standpoint, view compliance trends over time, and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
AWS Systems Manger
AWS Systems Manager (formerly SSM) is an AWS service that allows you to view and control AWS infrastructure. The Systems Manager console allows you to view operational data from multiple AWS services and automate operational tasks across AWS resources. The Systems Manager contributes to security and compliance by scanning managed nodes and reporting (or correcting) any policy violations discovered.
Use Case Scenario
Considering a use case scenario of a particular IAM user where the user changes the configuration of the S3 Bucket to allow all access to the public. AWS Native Compliance Tools such as AWS CloudTrail, AWS Config & Config Rules assist in automatically remediating the S3 Bucket and bringing the resources into compliance.
- A user changes the configuration of an S3 bucket which allows all public access & these changes are tracked via AWS CloudTrail
- The configuration change across S3 Buckets is recorded and tracked in the AWS Config resource timeline.
- Using the S3-bucket-level-public-access-prohibited AWS Config rule, AWS Config will auto-remediate the blocking of S3 public access.
- By the implementation of the AWS Config rule, S3 public access is blocked, and the resources come under the complaint state.
AWS Compliance solutions using Systems Manager
- Using Systems Manager, for instance, software or agents can be upgraded, and the output of the version can be seen as mentioned below
If you have any questions or suggestions, please reach out to us at contactus@1cloudhub.com
Written by : Sriram Narayanan and Umashankar N