AWS Security Audit Framework
As customers migrate to the cloud, it is very important to audit the security foundation and framework before migration. This blog gives an approach that helps with security audits in AWS projects.
There are many phases of a project in which security has to be audited. Below is the recommended approach for each phase.
Cloud Foundation phase:
1. Review the existing cloud foundation architecture.
2. Identify gaps in security and compliance.
3. Recommend a landing zone and multi-account strategy.
4. Recommend improvements in the foundation architecture.
5. Support the creation of the target cloud foundation architecture.
6. Support sign-off from the various stakeholders: client, EBA, regulators, vendors etc.
7. Support the implementation of the cloud foundations.
8. Recommend a foundation architecture for the target cloud in the cloud exit plan.
Cloud Migration Phase:
1. Review the migration approach.
2. Review the migration architecture, tools and processes.
3. Conduct a gap analysis for security and compliance.
4. Support the creation of the recommended migration approach, architecture, tools and processes.
5. Review the data transfer strategy and approach.
6. Support the creation of the migration plan.
Network Security:
1. Create a network policy that meets client, EBA and country laws and the AWS Well-Architected Framework.
2. Work with the client team, SaaS vendors and regulators to create the overall network architecture between the client, AWS, EBA and SaaS vendors.
3. Review the network architecture for security and compliance.
4. Get sign-off from the various stakeholders.
5. Review the implementation at various stages.
6. Use VPC endpoints to keep traffic private.
7. Use resource policies to allow access only through the VPC endpoint.
8. Monitor network traffic.
9. Monitor instance traffic.
10. Monitor VPC Flow Logs.
11. Use VPC Traffic Mirroring.
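As an added example (not code from the original post), the triage below reads VPC Flow Log records in the default format and reports accepted flows that leave the private address space, which is what items 6 and 10 are meant to keep visible: traffic sent through interface VPC endpoints stays on private addresses, so AWS API calls showing up here are taking the public path. It assumes the VPC uses RFC 1918 space; the log lines, interface id and addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# Assumption: the VPC uses RFC 1918 space, so anything else is "outside".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: intra-VPC HTTPS, HTTPS to an outside address,
# a rejected inbound SSH attempt, and a NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.77 49152 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 49153 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)

def parse_flow_log(text):
    """Parse default-format lines into dicts, dropping NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[-1] == "OK":
            records.append(dict(zip(FIELDS, parts)))
    return records

def public_egress(records):
    """Accepted flows from a private source to a destination outside the VPC.
    Traffic through interface endpoints (item 6) never appears here."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"]))
            for r in records
            if r["action"] == "ACCEPT"
            and is_private(r["srcaddr"]) and not is_private(r["dstaddr"])]

def rejected_by_port(records):
    """Count REJECT records per destination port; a spread of ports hints at scanning."""
    return Counter(int(r["dstport"]) for r in records if r["action"] == "REJECT")

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("egress leaving private space:", public_egress(recs))
    print("rejects by destination port:", dict(rejected_by_port(recs)))
```

The same parser works on lines pulled from the CloudWatch Logs group or the S3 delivery of a real flow log, as long as the log uses the default field order.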
SaaS Security:
1. Work with the SaaS team to review the product architecture.
2. Review the network architecture.
3. Review the data architecture.
4. Review the integration points.
5. Review the security architecture.
6. Review backup and monitoring.
7. Review encryption.
8. Identify gaps in security and compliance.
9. Recommend the target state architecture.
IAM Security:
1. Review IAM policies and create a gap analysis.
2. Recommend IAM policies that meet compliance standards, industry best practices and the AWS Well-Architected Framework.
3. Apply the principle of least privilege.
4. Mitigate privilege escalation.
5. Use service control policies.
6. Build segregation of duties into the IAM role design.
7. Set up alerts for IAM configuration changes and perform audits.
8. Enable MFA.
9. Detective controls with AWS Config.
10. Detective controls for IAM user credential usage.
11. Use IAM roles and federation for third-party access.
12. Protect the integrity and security of logs.
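As an added example (not code from the original post), a small linter for the policy gap analysis in items 1, 3 and 4: it flags Allow statements that break least privilege or leave permission-management actions unscoped. The sensitive-action list and the finding codes are our own choices, and the sample policy is constructed.

```python
# Permission-management actions that should not be allowed on Resource "*"
# without a condition (item 4: mitigate privilege escalation). Our own list.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}

def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, code, detail) findings for each risky Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"stmt{i}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unconditional = "Condition" not in stmt
        if "NotAction" in stmt:
            findings.append((sid, "NOT_ACTION", "Allow with NotAction grants everything else"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "FULL_ADMIN", "Action * on Resource *"))
        for action in actions:
            if action.endswith(":*"):
                findings.append((sid, "SERVICE_WILDCARD", action))
            if action in SENSITIVE_ACTIONS and "*" in resources and unconditional:
                findings.append((sid, "UNSCOPED_SENSITIVE", action))
    return findings

# Constructed sample: a developer policy that drifted towards admin rights.
SAMPLE_POLICY = {
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBuckets", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
    {"Sid": "RequireMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

The `RequireMfa` Deny is left alone on purpose: it is the shape of the MFA guard from item 8, and Deny statements never widen access.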
Data Security:
1. Create a data policy that meets client, compliance and country laws.
2. Review the data classification guidelines.
3. Review the existing cloud data architecture for any gaps in security and compliance.
4. Recommend the target state data architecture.
5. Review data encryption at rest and in transit in every architecture.
6. Create a data sovereignty policy.
7. Recommend preventive and detective controls for data security and for EBA, GDPR and PII compliance.
8. Recommend automation for data compliance, data security and data encryption.
9. Review tagging guidelines based on data classification.
10. Restrict access to data based on data classification.
11. Automate detection of confidential data and PII.
Security by Design:
1. Recommend and guide all teams to follow security-by-design practices.
2. Apply security at all layers.
3. Segregate account environments.
4. Strong identity foundation.
5. Enable traceability.
6. Automated security best practices.
7. Encrypt data (in transit and at rest).
8. Preventive and detective controls.
9. Least-privilege access.
10. Threat intelligence.
11. Anomaly detection.
12. Automated response to non-compliance.
13. Encrypted backups and snapshots.
14. Templated security framework (CloudFormation, Terraform etc.).
15. Enable continuous and real-time auditing.
16. Monitor configuration changes for compliance.
17. Automate remediation of common vulnerabilities and exposures.
18. Conduct regular penetration tests.
19. Enable and analyse logs.
20. Incident detection and response.
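As an added example (not code from the original post), detection rules over CloudTrail records covering the IAM Security items on alerting for IAM configuration changes, credential usage and log integrity (items 7, 8, 10 and 12) and the Security by Design items on traceability and log analysis (items 5, 16 and 19). The field names are the real CloudTrail ones; the alert names and prefix list are our own, and the account id, ARNs and timestamps in the sample batch are constructed.

```python
IAM_CHANGE_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach",
                       "Update", "Add", "Remove", "Deactivate")
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def classify(event):
    """Return the alert names raised by one CloudTrail record (empty if benign)."""
    alerts = []
    source, name = event["eventSource"], event["eventName"]
    identity = event.get("userIdentity", {})
    if source == "iam.amazonaws.com" and name.startswith(IAM_CHANGE_PREFIXES):
        alerts.append("iam-config-change")  # IAM item 7: alert on IAM changes
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") == "No":
        alerts.append("console-login-without-mfa")  # IAM items 8 and 10
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append("cloudtrail-tampering")  # IAM item 12: log integrity
    if identity.get("type") == "Root":
        alerts.append("root-activity")  # root is not for day-to-day use
    return alerts

def detect(events):
    """Run classify() over a batch and keep only the records that raised alerts."""
    hits = []
    for event in events:
        alerts = classify(event)
        if alerts:
            hits.append((event["eventName"], event["userIdentity"]["arn"], alerts))
    return hits

# Constructed sample batch: real CloudTrail field names, made-up account/ARNs/times.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"}},
    {"eventTime": "2024-01-10T09:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2024-01-10T09:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In practice the same `classify()` runs inside a Lambda function fed by CloudWatch Events (listed under Incident response below), with the alert names mapped to notification targets.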
Compliance:
1. PII detection and protection
2. GDPR compliance matrix
3. Business continuity plans
4. Data protection at rest and in transit
5. Applicable security standards
6. CSP health dashboard
7. Traceability and logs
8. Concentration risk scorecard
9. Cloud score — data protection risk, data location risk, security risk and concentration risk
10. Cloud compliance matrix for regulatory and national laws
11. Exit plan at group level
12. Legal and regulatory compliance matrix
13. Risk management framework
14. Data processing as per regulation
15. Whether the service provider is authorised by a competent authority
16. Client's definition of "critical and important function" for outsourcing
17. Get the client's risk profile or internal control framework and map it to functions. Identify critical and important functions and do not outsource them; where they are outsourced, ensure proper monitoring and controls are in place.
18. Risk assessment and risk monitoring of outsourcing to the service provider
19. Risk scorecard, risk monitoring, risk management and risk mitigation for outsourcing
20. Client's control matrix for outsourcing on risk, quality and performance
21. Client governance matrix and guidelines for outsourcing (critical and non-critical functions)
22. Client internal control framework
23. Data protection and data management
24. Client recovery and resolution planning
25. Continuity of critical functions
26. Audit and access rights for competent authorities
Well-Architected Review:
1. Define the cloud operating model
2. Automated infrastructure and application deployment
3. Automated governance — account management, security and compliance
4. Data masking or tokenization for PII
5. Data catalog with fine-grained access control
6. Data encryption at rest and in transit
7. Define risk and compliance roles
8. Operational risk assessment
9. Enterprise cloud risk plan
10. Assess workloads against compliance and regulatory needs
11. Prevent configuration drift
12. Enhanced monitoring
With the above approach, one can ensure, and provide assurance to the customer, that the team is meeting security requirements.
Below are the various AWS security tools, grouped by function:
Detective controls:
1. AWS Security Hub
2. Amazon GuardDuty
3. AWS Config
4. Amazon Inspector
5. AWS CloudTrail
6. Amazon CloudWatch
7. VPC Flow Logs
Identity and Access Management:
1. AWS Identity and Access Management
2. AWS Single Sign-On
3. AWS Directory Service
4. AWS Organizations
5. AWS Secrets Manager
6. AWS Resource Access Manager
Infrastructure Protection:
1. AWS Shield
2. AWS WAF
3. AWS Systems Manager
4. AWS Firewall Manager
5. Amazon Inspector
6. Amazon Virtual Private Cloud (VPC)
Data Protection:
1. AWS KMS (Key Management Service)
2. AWS CloudHSM
3. Amazon Macie
4. AWS Certificate Manager
5. Server-side encryption
6. AWS Secrets Manager
Incident response:
1. AWS Config rules
2. AWS Lambda
3. AWS Systems Manager
4. Amazon CloudWatch Events
5. Amazon Detective
Governance, Risk and Compliance:
1. Amazon Inspector
2. AWS License Manager
3. AWS Config rules
4. AWS Systems Manager