Saturday, July 27, 2024

Introducing the AWS Audit Manager Common Control Library

What is AWS Audit Manager?

AWS Audit Manager is a service offered by Amazon Web Services (AWS) that simplifies managing risk and compliance with regulations and industry standards for your AWS usage. It does this by automating the process of collecting evidence to see if your security controls are working effectively.

Audit your AWS usage frequently to streamline the risk and compliance assessment process.


How it functions

AWS Audit Manager maps your compliance requirements to AWS usage data using prebuilt and custom frameworks together with automated evidence collection.

Image: AWS Audit Manager (credit: AWS)

Use cases

Shift evidence collection from manual to automated

Automated evidence collection removes the need to gather, review and manage evidence by hand.

Audit continuously to evaluate compliance

Collect evidence automatically, monitor your compliance posture, and adjust your controls proactively to reduce risk.

Run internal risk assessments

Customize an existing framework, then launch an assessment to collect evidence automatically.

With AWS Audit Manager you can continuously audit your AWS usage as part of your risk and compliance assessment by mapping your compliance requirements to AWS usage data. Audit Manager is now introducing a common control library that offers common controls with predefined and pre-mapped AWS data sources.

The common control library is based on extensive mapping and reviews carried out by AWS certified auditors, which verify that the appropriate data sources are identified for evidence collection. Governance, Risk, and Compliance (GRC) teams can use the common control library to map enterprise controls into AWS Audit Manager more quickly, reducing their reliance on information technology (IT) teams.

Using the common control library, you can view the requirements of several compliance frameworks (such as PCI or HIPAA) that map to the same common control in one place, which makes it easier to understand your audit readiness across multiple frameworks at once. You no longer need to implement each standard's requirements one at a time and then re-analyse the resulting evidence separately for each compliance regime.

Furthermore, when you use controls from this library you automatically inherit improvements as AWS Audit Manager updates or adds data sources, such as additional AWS CloudTrail events, AWS API calls or AWS Config rules, or maps additional compliance frameworks to common controls. This makes it easier to benefit from new compliance frameworks that AWS Audit Manager adds to its library and reduces the work that GRC and IT teams must do to maintain and update evidence sources.

Let’s look at an example to understand how this works in practice.

Using the common control library of AWS Audit Manager

An airline might have a policy requiring that all customer payments, including those for in-flight food and internet access, be made by credit card. To implement this policy, the airline defines an enterprise control for IT operations stating that “customer transactions data is always available”. How can the business monitor whether its AWS applications comply with this new requirement?

Acting as the airline’s compliance officer, Danilo Poccia opens the AWS Audit Manager console and selects Control library from the navigation pane. The control library now includes a new Common category. Each common control maps to a set of core controls that collect evidence from AWS managed data sources and help demonstrate compliance with multiple overlapping standards and regulations. He searches the common control library for the word “availability” and sees how the airline’s requirement relates to the common control named High Availability Architecture.

He expands the High Availability Architecture common control to show its core controls. There he sees that this control does not fully cover the business’s needs, because Amazon DynamoDB is not on the list. Even though DynamoDB is a fully managed database, it is heavily used in the airline’s application architecture, and they want their DynamoDB tables to remain available as the workload changes. That might not be the case if a table is configured with fixed provisioned throughput.

He searches the common control library again, this time for “redundancy”, and expands the Fault Tolerance and Redundancy common control to see how it maps to core controls. There he finds the core control Enable Auto Scaling for Amazon DynamoDB tables. This core control is relevant to the airline’s architecture, but they do not need the whole common control.

In addition, two of the core controls in the High Availability Architecture common control depend on an AWS Config rule that verifies that Multi-AZ replication is enabled on Amazon Relational Database Service (RDS). Since the airline does not use AWS Config, this rule does not apply to this particular use case. One of these two core controls also uses a CloudTrail event, but that event is not applicable in this situation either.

As compliance officer, he still wants to collect the actual resource configuration. After a quick conversation with an IT colleague about how to obtain this evidence, he creates a custom control with a customer-managed source. To minimize costs, he selects the api-rds_describedbinstances API call and sets a weekly collection frequency.

The compliance team can implement the custom control with little help from the IT team. If they want to reduce their dependency on IT even further, they can apply the whole second common control (Fault Tolerance and Redundancy) instead of picking only the DynamoDB core control. Although that may collect more evidence than their architecture requires, the time and effort saved by both the IT and compliance teams, and the faster pace of work, often outweigh the benefit of fine-tuning the selected controls.

He now creates a custom framework containing these controls by selecting Framework library in the navigation pane. Next, he creates an assessment using the custom framework by selecting Assessments in the navigation pane. As soon as the assessment is created, AWS Audit Manager begins collecting evidence from the selected AWS accounts and their AWS usage.

By following these steps, a compliance team can report precisely on the enterprise control “customer transactions data is always available”, with an implementation that matches their system design and the AWS services they actually use.
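The same three console steps (custom control with a customer-managed API-call source collected weekly, a custom framework wrapping it, and an assessment scoped to the target accounts) can be scripted with boto3. The code below is an added example written for this page, not code from the original post or from AWS. It assumes that Audit Manager names API-call data sources as service_Operation, so the page’s “api-rds_describedbinstances” is taken to mean the keyword rds_DescribeDBInstances; confirm the exact string against the API-call list in the console before deploying. The control, framework and assessment names, the account id, the S3 bucket and the IAM role ARN are placeholders, and the _OfflineAuditManager class is a stand-in so the flow can be exercised without AWS credentials.

```python
"""Create an Audit Manager custom control, framework and assessment with boto3.

Added example for this page; not code from the original post or from AWS.
"""
from __future__ import annotations

from typing import Any

try:
    import boto3  # only needed when running against a real AWS account
except ImportError:  # payload builders and the offline stand-in still work
    boto3 = None

VALID_FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}

# Assumption: Audit Manager's API-call keyword for the page's
# "api-rds_describedbinstances" source has the form service_Operation.
RDS_DESCRIBE_DB_INSTANCES = "rds_DescribeDBInstances"


def build_rds_availability_control(frequency: str = "WEEKLY",
                                   api_keyword: str = RDS_DESCRIBE_DB_INSTANCES) -> dict[str, Any]:
    """Payload for CreateControl with one automated AWS_API_Call source.

    Weekly collection keeps evidence volume and cost down; the description ties
    the control back to the enterprise control so an auditor can trace it.
    """
    if frequency not in VALID_FREQUENCIES:
        raise ValueError(f"frequency must be one of {sorted(VALID_FREQUENCIES)}")
    return {
        "name": "RDS instance configuration is collected",  # placeholder name
        "description": "Supports enterprise control: customer transactions data is always available",
        "testingInformation": "Confirm MultiAZ is true for production instances in the collected output",
        "controlMappingSources": [{
            "sourceName": "rds-describe-db-instances",
            "sourceDescription": "Snapshot of RDS instance configuration",
            "sourceSetUpOption": "System_Controls_Mapping",  # automated, not manual evidence
            "sourceType": "AWS_API_Call",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": api_keyword},
            "sourceFrequency": frequency,
        }],
    }


def build_framework(control_ids: list[str]) -> dict[str, Any]:
    """Payload for CreateAssessmentFramework with the controls in one control set."""
    if not control_ids:
        raise ValueError("a framework needs at least one control")
    return {
        "name": "Customer transactions availability",  # placeholder name
        "description": "Custom framework for the transaction data availability enterprise control",
        "complianceType": "Internal",
        "controlSets": [{"name": "Availability", "controls": [{"id": cid} for cid in control_ids]}],
    }


def build_assessment(framework_id: str, account_ids: list[str], report_bucket: str,
                     owner_role_arn: str) -> dict[str, Any]:
    """Payload for CreateAssessment: account scope, report destination, owner role."""
    return {
        "name": "Transactions availability - current quarter",  # placeholder name
        "frameworkId": framework_id,
        "scope": {"awsAccounts": [{"id": acct} for acct in account_ids]},
        "assessmentReportsDestination": {"destinationType": "S3",
                                         "destination": f"s3://{report_bucket}"},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": owner_role_arn}],
    }


def deploy(client, account_ids: list[str], report_bucket: str, owner_role_arn: str) -> dict[str, str]:
    """Create control, framework and assessment in dependency order; return their ids."""
    control = client.create_control(**build_rds_availability_control())["control"]
    framework = client.create_assessment_framework(**build_framework([control["id"]]))["framework"]
    assessment = client.create_assessment(
        **build_assessment(framework["id"], account_ids, report_bucket, owner_role_arn))["assessment"]
    # Evidence collection starts as soon as CreateAssessment succeeds.
    return {"control_id": control["id"], "framework_id": framework["id"],
            "assessment_id": assessment["metadata"]["id"]}


class _OfflineAuditManager:
    """Stand-in for boto3's auditmanager client; records calls, returns fixed ids."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def _record(self, op: str, kwargs: dict, body: dict) -> dict:
        self.calls.append((op, kwargs))
        return body

    def create_control(self, **kw):
        return self._record("CreateControl", kw, {"control": {"id": "ctl-1"}})

    def create_assessment_framework(self, **kw):
        return self._record("CreateAssessmentFramework", kw, {"framework": {"id": "fw-1"}})

    def create_assessment(self, **kw):
        return self._record("CreateAssessment", kw, {"assessment": {"metadata": {"id": "asm-1"}}})


if __name__ == "__main__":
    # Placeholder account id, bucket and role; swap in real values to run against AWS.
    client = boto3.client("auditmanager") if boto3 else _OfflineAuditManager()
    print(deploy(client, ["111122223333"], "audit-reports-bucket",
                 "arn:aws:iam::111122223333:role/AuditManagerOwner"))
```

The payload builders are kept separate from the API calls so the generated requests can be reviewed (or diffed against a previous run) before anything is created, and so the frequency and control-set checks fail fast rather than after a partial deployment.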

AWS Audit Manager Pricing

The common control library is available today in all AWS Regions where AWS Audit Manager is offered. There is no additional charge for using the common control library. See AWS Audit Manager pricing for further details.

Thota Nithya
Thota Nithya has been writing cloud computing articles for govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.