AWS Cloud Governance Part 3: Compliance, security, & cost management
Nidhin Sam
Organisational compliance, security, and cost management are complex challenges that companies have already solved for on-premises solutions. As companies continue to consume cloud services on their cloud adoption journeys, these challenges do not suddenly disappear or become irrelevant; rather, organisations must understand how cloud services can fit into or potentially re-define their overall enterprise cloud strategy.
To aid in this process, companies such as AWS have made significant investments in tools to help organisations utilise cloud services in a way that aligns with their governance strategy and fuels cloud adoption.
In part one of this series, we discussed several key foundational elements that help companies map out an overall AWS governance strategy. In part two, we covered how AWS helps companies centrally manage accounts and implement organisational controls using tools like AWS Organizations and AWS Control Tower.
In this post, we're discussing a variety of AWS services that help organisations maintain compliance, support the overall cloud security posture of their AWS accounts, and manage cloud spending.
Read next: AWS Cloud Governance Part 4: Monitoring and observability
One of the major mistakes many cloud customers make is assuming cloud security and compliance is the sole responsibility of the cloud provider. However, this is a shared responsibility between the cloud provider and the customer themselves.
AWS has developed a shared responsibility model that helps customers understand what AWS is responsible for versus what the customer is responsible for. In short, AWS is responsible for the physical environment (hardware, datacentres, power, etc.) and for the infrastructure and software that run its services (compute, storage, database, and networking). The customer is responsible for everything they put into and configure within those services: data, security configuration, guest operating systems, network and firewall configuration, IAM, and so on. Exactly where the line falls depends on the service: with EC2 the customer patches the operating system, whereas with a managed service such as RDS or Lambda AWS does, but the customer still owns the data, the access policies, and the encryption settings.
As customers begin to consume cloud services, it’s important to understand what compliance regulations they must adhere to and ensure these regulations are kept in mind as services are deployed. Luckily, AWS provides us with tools to build these guardrails.
Introducing AWS Config & AWS Audit Manager
As companies begin to leverage cloud services, it is important to deploy and configure services in a way that meets organisational compliance requirements. But how? Introducing AWS Config, a tool to track the configuration of a majority of AWS resources and provide a detailed view of the current state, as well as a historical view of resource configuration. Config helps security and operations teams exercise AWS data governance over resources as it provides the visibility needed to know when something is misconfigured.
Additionally, AWS has partnered with industry security professionals to develop Config conformance packs: templates that bundle a set of Config rules (and optionally remediation actions) aligned to the best practices of a particular compliance framework, such as FedRAMP, HIPAA, NIST, PCI DSS, etc. Config rules evaluate resources when their configuration changes and/or on a periodic schedule, and mark each resource compliant or non-compliant. Although passing a set of Config rules cannot guarantee compliance with a framework, since many controls are procedural or concern things Config cannot observe, conformance packs provide a great starting point for organisations to introduce compliance guardrails for AWS resources.
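As an added example (not Credera's or AWS's code), here is what the rule logic behind a Config check looks like when the managed rules do not fit. It is a custom rule in the shape a Lambda-backed Config rule takes: it flags an S3 bucket as non-compliant unless all four public access block settings are on and default encryption is configured. The bucket names and timestamps are constructed, the supplementaryConfiguration layout follows what Config records for AWS::S3::Bucket, and the put_evaluations call is the only part that needs AWS access.

```python
"""Custom AWS Config rule for S3 buckets, in the shape a Lambda-backed rule uses.

The pure evaluation logic runs offline; lambda_handler is what Config would
invoke, and it reports the verdict back with put_evaluations.
"""
import json

REQUIRED_PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                      "blockPublicPolicy", "restrictPublicBuckets")
ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def evaluate_s3_bucket(item: dict) -> tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item.

    The supplementaryConfiguration layout mirrors what Config records for
    AWS::S3::Bucket; the items fed in below are constructed samples.
    """
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus") in ("ResourceDeleted",
                                               "ResourceDeletedNotRecorded"):
        # A deleted bucket must not linger on the non-compliant list
        return "NOT_APPLICABLE", "resource was deleted"

    supp = item.get("supplementaryConfiguration") or {}
    problems = []

    pab = supp.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in REQUIRED_PAB_FLAGS if pab.get(f) is not True]
    if missing:
        problems.append("public access block incomplete: " + ",".join(missing))

    rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules") or []
    algorithms = {(r.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm")
                  for r in rules}
    if not algorithms & ACCEPTED_SSE:
        problems.append("no default server-side encryption")

    if problems:
        # Config limits annotations to 256 characters
        return "NON_COMPLIANT", "; ".join(problems)[:256]
    return "COMPLIANT", "public access blocked and default encryption set"


def build_evaluation(item: dict) -> dict:
    """Wrap the verdict in the structure PutEvaluations expects."""
    compliance, annotation = evaluate_s3_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes; invokingEvent arrives as a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        # Periodic (ScheduledNotification) triggers carry no item; a real rule
        # would enumerate buckets itself here, which is out of scope for this example.
        return None
    evaluation = build_evaluation(item)
    import boto3  # imported lazily so the evaluation logic runs without AWS access
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items (not captured from a real account)
GOOD_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-logs-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {f: True for f in REQUIRED_PAB_FLAGS},
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                   "kmsMasterKeyID": "alias/example-logs"}}]},
    },
}
BAD_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-public-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-15T10:05:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "blockPublicPolicy": False, "restrictPublicBuckets": False},
    },
}

if __name__ == "__main__":
    for bucket in (GOOD_BUCKET, BAD_BUCKET):
        print(json.dumps(build_evaluation(bucket), indent=2))
```

Two details matter in practice: a deleted resource must be reported as NOT_APPLICABLE or it stays on the dashboard as non-compliant forever, and a periodic trigger carries no configuration item, so a rule that supports both trigger types has to handle the scheduled case separately.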
In addition to the need to track and manage resource configurations, organisations also need a way to audit usage, manage overall risk, and ensure compliance with pertinent regulations and standards. Introducing AWS Audit Manager, a tool that helps organisations extend their existing audit requirements to AWS services.
Like Config, Audit Manager also has a variety of pre-built compliance frameworks, such as FedRAMP, GDPR, HIPAA, HITRUST, NIST, PCI DSS, SOC, etc. Each of these frameworks contains a set of controls that either automatically collect evidence from AWS resources (via AWS Config, CloudTrail, Security Hub, and API calls) or require manual evidence to be uploaded to prove compliance. Once evidence is collected, the audit owner reviews the control evidence with the appropriate stakeholders and, once complete, generates the final assessment report.
Like compliance, AWS advises that AWS cloud security is also a shared responsibility between AWS and the customer. In short, AWS manages the “security of the cloud,” while customers are tasked with managing “security in the cloud.” This means AWS ensures the physical environment and services themselves are architected with security in mind, but as customers, we must consume these services in a manner that follows best cybersecurity practices.
For example, customers should limit public access to services, encrypt data at rest and in transit, enforce TLS 1.2 or later where possible, follow least-privilege access, use MFA, etc. Maintaining good cyber hygiene can be difficult, but AWS has developed a plethora of tools to aid customers in securing services. We will discuss some of these services within the identity and access management, detection, and data protection categories.
Identity & Access Management - AWS IAM
As companies begin their cloud journeys, there needs to be a central way to manage identities and their access to cloud services. Introducing AWS IAM, the service that controls access to AWS resources. Customers use it to create users and groups, define roles that workloads and federated identities assume, and write fine-grained policies that allow or deny specific actions on specific resources. Because an explicit deny always overrides an allow, and anything not explicitly allowed is denied by default, policies should grant only the actions a principal actually needs.
AWS IAM also lets customers enforce MFA for users, integrates with an organisation's corporate directory (such as Active Directory, via SAML federation or AWS IAM Identity Center) to grant federated, short-lived access instead of long-lived access keys, and includes built-in tools such as IAM Access Analyzer to find resources shared outside the account and permissions that are granted but never used.
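To make the evaluation logic concrete, the following added example (not from the original post) is a small Python model of IAM policy evaluation run against a constructed least-privilege policy: statements are matched on action, resource and condition, an explicit Deny wins over any Allow, and anything not allowed is implicitly denied. The bucket name and condition keys are assumptions for illustration. It also shows why a Deny keyed on aws:MultiFactorAuthPresent should use BoolIfExists: the key is absent for requests signed with long-term access keys, a plain Bool test on a missing key is simply false, and so the Deny would never fire for exactly the requests it is meant to catch.

```python
"""Simplified IAM policy evaluation: explicit Deny beats Allow, and anything
not allowed is implicitly denied. Enough of the condition language is
implemented to show the aws:MultiFactorAuthPresent pitfall.
"""
import fnmatch
import json
from typing import Optional

# Constructed least-privilege policy; the bucket name is an assumption.
EXAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppData", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "DeleteNeedsMfa", "Effect": "Allow",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-app-data/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    # IAM supports * and ? wildcards; action names compare case-insensitively
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold; the values listed for one key are OR-ed."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            if key not in context:
                # A missing key makes Bool/String tests false, unless the ...IfExists form is used
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            if base == "Bool":
                ok = actual.lower() in [e.lower() for e in expected]
            elif base == "StringEquals":
                ok = actual in expected
            elif base == "StringNotEquals":
                ok = actual not in expected
            elif base == "StringLike":
                ok = any(_match(e, actual) for e in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # nothing later in the policy can override this
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-data/report.csv"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, "->", evaluate(EXAMPLE_POLICY, "s3:DeleteObject", obj, ctx))
```

Try changing the Deny statement's operator from BoolIfExists to Bool and re-running with an empty context: the Deny stops matching, and a request made with a long-lived access key is no longer explicitly denied. In this policy it still falls through to an implicit deny, but in a real account with broader allows elsewhere that is exactly the gap an attacker with stolen keys would use.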
Detection – AWS CloudTrail, GuardDuty, and Security Hub
In addition to identity and access management, AWS has invested in services that help customers detect abnormal activity within their AWS environments, from both a security and a compliance standpoint. AWS CloudTrail is the foundation: it records user activity and API calls made across AWS services, and its logs can be queried to spot unusual API activity for deeper analysis (CloudTrail Insights can flag unusual call volumes and error rates automatically). From an audit perspective, CloudTrail also provides the activity trail that many regulatory frameworks require, so it should be enabled in every region and its logs protected from tampering, for example by delivering them to a bucket in a separate log-archive account.
Another key service for AWS cloud security detection is Amazon GuardDuty, a managed threat detection service that continuously monitors an AWS account and its deployed services for malicious activity and generates findings. GuardDuty ingests CloudTrail management events, VPC Flow Logs, and DNS logs (and optionally S3 data events, EKS audit logs, and other sources) and applies threat intelligence and anomaly detection to identify threats to IAM credentials, EC2 instances, S3 buckets, and other resources. It is highly recommended to enable this service in every region, including regions where no resources are expected, and to manage it centrally through a delegated administrator account when using AWS Organizations.
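As an added example, not from the original post, the following Python runs a handful of high-signal detections over CloudTrail records of the kind a SIEM query or EventBridge rule would carry: root account activity, console sign-in without MFA, CloudTrail tampering, and bursts of authorisation failures from one principal. These are the sort of signals GuardDuty produces as managed findings from the same log sources. The records are constructed samples using CloudTrail's field names; the account ID, names and thresholds are assumptions.

```python
"""Detection rules run over CloudTrail records.

The rules are the kind a SIEM query or EventBridge rule would carry; the
records below are constructed samples that use CloudTrail's field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ACCOUNT = "123456789012"  # assumed account ID for the samples
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal(rec: dict) -> str:
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def single_event_findings(rec: dict) -> list:
    """Rules that fire on a single record."""
    rules = []
    ident = rec.get("userIdentity") or {}
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        rules.append("ROOT_ACTIVITY")  # root should never be used day to day
    login = (rec.get("responseElements") or {}).get("ConsoleLogin")
    mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
    if rec.get("eventName") == "ConsoleLogin" and login == "Success" and mfa != "Yes":
        rules.append("CONSOLE_LOGIN_WITHOUT_MFA")
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and rec.get("eventName") in TAMPER_EVENTS:
        rules.append("CLOUDTRAIL_TAMPERING")  # attackers switch off the audit trail first
    return [(rule, principal(rec), rec["eventTime"]) for rule in rules]


def burst_findings(records, predicate, rule, threshold, window):
    """Fire once per principal when >= threshold matching events fall within a sliding window."""
    recent = defaultdict(deque)
    fired = set()
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not predicate(rec):
            continue
        who, t = principal(rec), parse_time(rec["eventTime"])
        q = recent[who]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and who not in fired:
            fired.add(who)
            yield (rule, who, rec["eventTime"])


def detect(records: list) -> list:
    """Return (rule, principal, eventTime) tuples for every rule that fires."""
    findings = []
    for rec in records:
        findings.extend(single_event_findings(rec))
    findings.extend(burst_findings(
        records,
        lambda r: r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"),
        "ACCESS_DENIED_BURST", threshold=5, window=timedelta(minutes=10)))
    findings.extend(burst_findings(
        records,
        lambda r: r.get("eventName") == "ConsoleLogin"
        and (r.get("responseElements") or {}).get("ConsoleLogin") == "Failure",
        "CONSOLE_LOGIN_FAILURES", threshold=3, window=timedelta(minutes=5)))
    return findings


def _rec(time, name, source, ident_type, arn, **extra):
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": {"type": ident_type, "arn": arn},
           "sourceIPAddress": "198.51.100.7"}
    rec.update(extra)
    return rec


# Constructed samples: root signs in without MFA and disables the trail, a user
# signs in properly, then a CI role racks up six authorisation failures.
SAMPLE_RECORDS = [
    _rec("2024-01-15T08:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "Root",
         f"arn:aws:iam::{ACCOUNT}:root",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-01-15T08:02:10Z", "StopLogging", "cloudtrail.amazonaws.com", "Root",
         f"arn:aws:iam::{ACCOUNT}:root", requestParameters={"name": "org-trail"}),
    _rec("2024-01-15T09:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
         f"arn:aws:iam::{ACCOUNT}:user/alice",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
] + [
    _rec(f"2024-01-15T09:1{i}:00Z", "DescribeInstances", "ec2.amazonaws.com", "AssumedRole",
         f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42",
         errorCode="Client.UnauthorizedOperation")
    for i in range(6)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding)
```

The single-event rules are cheap and can run as EventBridge pattern rules; the burst rules need state across events, which is why they usually live in a SIEM or a scheduled query over the CloudTrail bucket rather than in a per-event trigger.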
Finally, as AWS has continued to develop a variety of distributed security services, they invested in a centralised tool that enables customers to view the overall security state of their AWS accounts. Introducing AWS Security Hub - a cloud security posture management service that helps customers see alerts from a variety of sources, as well as deviations from best practices, all in a single place.
Security Hub displays data from a variety of native solutions, including GuardDuty, Amazon Inspector, and Amazon Macie, and also integrates with third-party solutions in the AWS ecosystem. Furthermore, Security Hub ships with pre-built security standards (such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark) whose controls automatically assess AWS resources and roll up into a high-level security score, the percentage of enabled controls that pass, for the account.
Data protection – Amazon Macie & AWS KMS
As more cloud applications are developed, naturally these workloads will continue to generate or ingest large amounts of data. As a result, data protection in the cloud should be a key concern to customers, and luckily AWS provides us with a variety of services to help.
Amazon Macie is a data security and privacy service that discovers sensitive data stored in S3. Macie provides managed data identifiers for common data types (credentials, financial and personal data) as well as custom data identifiers, which combine a regular expression with optional keywords, a maximum match distance and ignore words, and runs them as discovery jobs against selected S3 buckets. If the data lives in a database service (RDS, Redshift, etc.), customers can export a snapshot to S3 first and run the Macie job against that bucket; that export is itself a copy of sensitive data, so it should be encrypted, access-restricted, and deleted once the assessment is done. Macie is a powerful way to find out where regulated data actually sits, which is the first step towards meeting the compliance obligations that apply to it.
In addition to Macie, AWS also provides a tool to manage cryptographic keys for a variety of use cases, including encrypting and decrypting data, signing messages, etc. Introducing AWS Key Management Service (KMS), a fully managed service that customers can use to create and centrally manage keys. Key material is held in hardware security modules validated under FIPS 140-2 and never leaves them in plaintext; access is controlled through key policies, IAM policies, and grants, so permissions can be set per key; and every use of a key is recorded in CloudTrail, so customers can audit who used which key for what.
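The following added example (not Macie's code or Credera's) reproduces locally what a Macie custom data identifier does with its regex, keywords, maximum match distance and ignore words, so the effect of each setting can be seen, and adds a Luhn check on top, which a regex alone cannot express, to discard digit strings that merely look like card numbers. The sample object content is constructed; the card numbers are widely published test numbers.

```python
"""A local stand-in for an Amazon Macie custom data identifier: a regex,
optional keywords that must appear within a maximum match distance before the
match, ignore words, and a Luhn validator to cut false positives.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits in `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CustomDataIdentifier:
    name: str
    regex: str
    keywords: list = field(default_factory=list)
    maximum_match_distance: int = 50   # Macie allows 1-300; 50 is its default
    ignore_words: list = field(default_factory=list)
    validator: Optional[Callable[[str], bool]] = None


def scan(text: str, ident: CustomDataIdentifier) -> list:
    """Return findings as dicts; the matched value is masked to its last 4 characters."""
    findings = []
    lowered = text.lower()
    for m in re.finditer(ident.regex, text):
        raw = m.group(0)
        if any(w.lower() in raw.lower() for w in ident.ignore_words):
            continue
        if ident.validator and not ident.validator(raw):
            continue
        if ident.keywords:
            # Macie looks for a keyword in the characters *before* the match
            start = max(0, m.start() - ident.maximum_match_distance)
            if not any(k.lower() in lowered[start:m.start()] for k in ident.keywords):
                continue
        line = text.count("\n", 0, m.start()) + 1
        findings.append({"identifier": ident.name, "line": line, "offset": m.start(),
                         "masked": "*" * (len(raw) - 4) + raw[-4:]})
    return findings


CARD_NUMBER = CustomDataIdentifier(
    name="PaymentCardNumber",
    regex=r"\b(?:\d[ -]?){12,18}\d\b",   # 13-19 digits, optional space/hyphen separators
    keywords=["card", "credit", "visa", "mastercard", "pan"],
    maximum_match_distance=50,
    ignore_words=["0000 0000 0000 0000"],  # a Luhn-valid placeholder we never want flagged
    validator=luhn_valid,
)

# Constructed sample object: one real-looking card, one Luhn-invalid number,
# and one Luhn-valid number with no payment keyword within 50 characters.
SAMPLE_OBJECT = (
    "customer_export.csv (constructed sample, not real data)\n"
    "name,card number,expiry\n"
    "Ann Example,4111 1111 1111 1111,12/29\n"
    "Bob Example (card on file),4111111111111112,01/30\n"
    "support ticket 20240115 mentions invoice total 1337 and nothing else of note\n"
    "5500000000000004 appears here as a bare number with no payment keyword nearby\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_OBJECT, CARD_NUMBER):
        print(finding)
```

Only Ann's row is reported: Bob's number fails the Luhn check, and the bare number on the last line has no keyword within the match distance. Tightening the distance or removing the keywords changes the result, which is the trade-off to tune when a custom identifier produces too much noise.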
Historically, organisations have needed to make significant budget decisions related to the capital expenses (CapEx) behind strategic technology investments. As companies shift to the cloud, these financial decisions shift from a CapEx model to an operating expenses (OpEx) model, as technology costs become part of the day-to-day expenses of running the business. This shift provides significant flexibility to organisations but can be dangerous if cloud costs are not managed appropriately. To support customers, AWS has developed a variety of cloud financial management tools that help customers maximise their return on investment (ROI).
Cost allocation tags
One of the easiest ways to track costs is to develop a tagging taxonomy: a list of key/value pairs that capture the metadata an organisation wants to track (i.e. application, environment, cost centre, etc.). In addition to user-defined tags, AWS generates cost allocation tags (such as aws:createdBy) that are automatically applied to supported AWS resources.
Once an overall tagging taxonomy is developed, these tags must be activated as cost allocation tags in the Billing console and applied consistently to AWS resources. A tag only appears in billing data from the point at which it was activated and applied, it can take up to 24 hours to show up, and tag keys and values are case-sensitive, so "prod" and "Prod" become two separate cost lines. With tags in place, administrators can filter resources by them and create cost allocation reports that break down spend by tag. Cost allocation tags are a great way to segment costs according to organisational requirements, whether to show or charge back costs to the appropriate business units.
AWS Budgets
AWS provides customers with another tool to manage costs called AWS Budgets. This service can be used to track AWS cost and/or usage and to take specific actions when limits are approached. For example, customers can set monthly cost budgets, receive alerts when actual or forecasted spend crosses a percentage threshold of the budget, and even attach budget actions, such as applying a restrictive IAM policy or SCP, when necessary. This is a very powerful tool for cloud administrators to help govern consumption, especially when multiple business units are all consuming AWS services.
AWS Cost Explorer
One of the most powerful tools AWS provides to customers is AWS Cost Explorer. It lets customers explore month-to-date and historical costs (the data is refreshed at least once a day, so it is not real-time) and see forecasts of predicted costs for up to the next 12 months.
Cost Explorer gives users the ability to see month-to-date costs, as well as see forecasted costs for the entire month. Furthermore, Cost Explorer allows users to filter costs based on a variety of values, including region, availability zone, service, tag, etc. By doing so, cost administrators can quickly see which services are consumed the most, which regions are predominantly utilised, etc. If a tagging taxonomy that includes cost tags has been developed and implemented, cost data can be filtered and displayed leveraging these tags as well.
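To tie the tagging taxonomy, Budgets and Cost Explorer sections together, here is an added Python example (not from the original post) that validates line items against a tag policy, allocates cost per cost centre with untagged spend made visible, extrapolates month-to-date spend into a simple forecast, and raises the kind of actual and forecasted threshold alerts AWS Budgets generates. The line items, tag keys, allowed values and budget figures are constructed assumptions.

```python
"""Chargeback and budget checks over cost-and-usage line items, using a tag
taxonomy of the kind the post describes. Rows are constructed samples; tag
keys, allowed values and budget figures are assumptions for the example.
"""
from collections import defaultdict

# Tagging taxonomy: required keys and the values each may take
TAG_POLICY = {
    "CostCentre": {"CC100", "CC200", "CC300"},
    "Environment": {"prod", "staging", "dev"},
}

# Constructed line items (cost in USD), shaped loosely like Cost and Usage Report rows
LINE_ITEMS = [
    {"resource": "i-0a1example", "service": "AmazonEC2", "cost": 40.0,
     "tags": {"CostCentre": "CC100", "Environment": "prod"}},
    {"resource": "i-0b2example", "service": "AmazonEC2", "cost": 25.0,
     "tags": {"CostCentre": "CC200", "Environment": "dev"}},
    {"resource": "vol-0c3example", "service": "AmazonEC2", "cost": 10.0, "tags": {}},
    {"resource": "example-app-data", "service": "AmazonS3", "cost": 5.0,
     "tags": {"CostCentre": "CC100", "Environment": "Prod"}},   # wrong case, see below
]


def tag_violations(item: dict) -> list:
    """Missing required keys or values outside the taxonomy (case-sensitive, like AWS tags)."""
    problems = []
    for key, allowed in TAG_POLICY.items():
        value = item["tags"].get(key)
        if value is None:
            problems.append(f"{item['resource']}: missing tag {key}")
        elif value not in allowed:
            problems.append(f"{item['resource']}: {key}={value!r} not in {sorted(allowed)}")
    return problems


def allocate(items: list, key: str = "CostCentre") -> dict:
    """Sum cost per tag value; spend without the tag lands in 'untagged' so it stays visible."""
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(key, "untagged")] += item["cost"]
    return dict(totals)


def forecast_month(month_to_date: float, day_of_month: int, days_in_month: int) -> float:
    """Straight-line forecast from month-to-date spend (Cost Explorer uses a richer model)."""
    return month_to_date / day_of_month * days_in_month


def budget_alerts(actual: float, forecast: float, budget: float,
                  thresholds=(80, 100)) -> list:
    """Mirror AWS Budgets' actual and forecasted alerts at percentage thresholds."""
    alerts = []
    for pct in thresholds:
        limit = budget * pct / 100
        if actual >= limit:
            alerts.append(("ACTUAL", pct))
        elif forecast >= limit:
            alerts.append(("FORECASTED", pct))
    return alerts


if __name__ == "__main__":
    for item in LINE_ITEMS:
        for problem in tag_violations(item):
            print("tag policy:", problem)
    by_cc = allocate(LINE_ITEMS)
    print("chargeback by cost centre:", by_cc)
    spent = sum(by_cc.values())
    forecast = forecast_month(spent, day_of_month=10, days_in_month=30)
    print("month-to-date", spent, "forecast", forecast)
    print("alerts:", budget_alerts(spent, forecast, budget=200.0))
```

Note how the S3 bucket tagged "Prod" rather than "prod" is caught by the policy check but still lands under its own cost line when allocating by Environment, which is exactly how it would appear in Cost Explorer; the tag policy check exists to catch that before the bill does.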
Moving forward: Cloud security, compliance, & cost management
As companies undertake their respective cloud adoption journeys, there can often be a lot more unknowns than knowns. Although there may be a clear business need to leverage cloud services, how can this be done in a way that adheres to compliance regulations? How can organisations make sure these services are implemented in a way that aligns with organisational cloud security standards? While using cloud services may require the organisation to transition from a CapEx to OpEx model, how can the organisation still ensure costs are managed appropriately?
AWS has thought through these questions (and many more!) already. As seen throughout this blog post, AWS has made significant investments in services that help customers achieve their cloud security, compliance, and cost goals.
How we can help
Credera is passionate about helping organisations foster cloud enablement that drives successful cloud adoption and valuable business outcomes. Our unique expertise in corporate strategy, innovation, and application development enables us to bring a holistic approach to your cloud adoption journey. To learn more, please get in touch with a member of our team.
AWS Cloud Governance Part 1: Three keys to starting your AWS governance journey
AWS Cloud Governance Part 2: Centralised account management and organisation controls