
Michael Wahl for AWS Community Builders


Cloud Compliance and Assurance Within Reach

For many organizations and teams today, governance, risk, and compliance (GRC) challenges sit at the top of already long lists.

Governance, controls, and compliance requirements are often specific to a regulation or standard, such as the ones below, to name a few.

  • HIPAA
  • PCI-DSS
  • GDPR
  • SOC 2

I will walk you through some native AWS security services that, when bundled together, can help you achieve compliance.

Before we go deeper into each AWS Security service, it may be helpful to first map the AWS services to lines of defense.

The first line of defense is managing our risks. Below are the AWS services we can leverage for it.

As an example, you may have S3 buckets, existing or newly created, and you want to ensure none of them have public access enabled. You can use an AWS Config managed rule, which is created to evaluate whether each S3 bucket is compliant or not. If an S3 bucket goes out of compliance, the finding is logged and an alert can also be configured.

  • AWS Config
  • AWS CloudTrail
  • AWS Systems Manager
  • AWS Control Tower
  • AWS License Manager

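To make the S3 example concrete, here is the same check written as the evaluation logic of an AWS Config custom rule (a Lambda handler). This is an added example, not code from the original post or from AWS; the managed rule mentioned above performs this evaluation for you, and the point here is to show what "compliant" means for a bucket: all four bucket-level public access block settings are on. The `invokingEvent` payload is a constructed, trimmed-down sample, and the key names under `supplementaryConfiguration` are assumed to match what Config records for `AWS::S3::Bucket` resources. The call that would report the result back to Config (`put_evaluations`) is described in a comment so the function runs offline.

```python
import json

# Constructed sample of the "invokingEvent" an AWS Config custom rule receives.
# Real payloads carry more fields; only the ones the rule reads are included.
# Note that blockPublicPolicy is False, so this bucket should be NON_COMPLIANT.
SAMPLE_INVOKING_EVENT = json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-reports-bucket",          # constructed name
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {          # assumed key layout
                "blockPublicAcls": True,
                "ignorePublicAcls": True,
                "blockPublicPolicy": False,
                "restrictPublicBuckets": True,
            }
        },
    },
})

# All four settings must be enabled for the bucket to be considered compliant.
REQUIRED_SETTINGS = (
    "blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets",
)


def evaluate_bucket(configuration_item):
    """Return (compliance_type, annotation) for one S3 bucket configuration item."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Bucket has been deleted"
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    block = supplementary.get("PublicAccessBlockConfiguration")
    if not block:
        return "NON_COMPLIANT", "No bucket-level public access block configured"
    disabled = [name for name in REQUIRED_SETTINGS if not block.get(name)]
    if disabled:
        return "NON_COMPLIANT", "Public access block disabled for: " + ", ".join(disabled)
    return "COMPLIANT", "All four public access block settings are enabled"


def lambda_handler(event, context):
    """Entry point in the shape Config invokes; returns the evaluations it would report."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance_type, annotation = evaluate_bucket(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In a deployed rule this list is sent to Config with
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                          ResultToken=event["resultToken"])
    # and Config records the compliance change (which can then trigger an alert).
    # The call is left out here so the example runs without AWS credentials.
    return [evaluation]


if __name__ == "__main__":
    result = lambda_handler({"invokingEvent": SAMPLE_INVOKING_EVENT, "resultToken": "constructed"}, None)
    print(json.dumps(result, indent=2))
```

Running the script reports the sample bucket as NON_COMPLIANT with the annotation naming `blockPublicPolicy` as the disabled setting; the annotation is what shows up in the Config console and in any notification you wire to compliance changes, so it is worth making it say exactly which setting drifted.
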
The second line of defense is overseeing our risks. Below are the AWS services we can leverage for it.

By enabling security standards (AWS, CIS, or PCI DSS), you can quickly view the security score and the specific results for your environments when they are evaluated against the standard(s) you have enabled.

  • AWS Security Hub
  • Amazon CloudWatch

The third line of defense, and maybe the most important for audits, is being able to prove, when asked, that you are in fact doing what you need to for compliance and regulation. For example, this means collecting the evidence needed to support an audit, including your controls, policies, and procedures.

Some organizations may need to select the NIST, ISO, or SOC 2 framework, for example. A framework library lets you easily search for and select the framework you need for an audit.

  • AWS Audit Manager
