AWS Cloud Operations Blog
Integrate across the Three Lines Model (Part 2): Transform AWS Config conformance packs into AWS Audit Manager assessments
The Three Lines Model developed by the Institute of Internal Auditors (IIA) helps organizations identify structures and processes to facilitate strong governance and risk management. In that model, the first-line function manages risk. The second-line function oversees risk. The third-line function provides objective and independent assurance of risk management. According to the Deloitte analysis Modernizing the three lines of defense model, Internal Audit (IA) functions can have the strongest impact in their organizations by automating assurance tasks and providing real-time integrations and insight into emerging risks. Internal Audit can then use the monitoring results, perform agile testing of controls, and provide relevant assurance and advice to the organization.
AWS Audit Manager provides continuous and automated gathering of evidence related to your AWS resource usage. It helps simplify risk assessment and compliance with regulations and open standards and helps you maintain a continuous, audit-ready posture to provide a faster, less disruptive preparation process. When you apply the three lines model to AWS services, AWS Audit Manager provides the third-line function by enabling objective and independent assurance of risk management.
AWS Config conformance packs provide a general-purpose compliance framework to help you create security, operational, or cost-optimization governance checks using managed or custom AWS Config rules and AWS Config remediation actions. When you apply the Three Lines Model to AWS services, AWS Config conformance packs provide the first-line function of managing risk.
In the first post of this two-part series, I provided an automation that integrated the function that provides independent assurance (third-line function) with a function that oversees risk (second-line function). In this second post of the series, I provide a mechanism for building a custom real-time automation and integration across the Three Lines Model in AWS by integrating the independent assurance function (third-line function) with the function that manages risk (first-line function).
This solution enables AWS administrators to use any of the out-of-the-box supported compliance standards in AWS Config conformance packs and create an AWS Audit Manager assessment and an AWS Audit Manager framework for that compliance standard. AWS Config conformance packs support several frequently assessed compliance standards across several verticals and geographies, such as NERC-CIP-BCSI, FDA 21 CFR Part 11, FFIEC, K-ISMS (Korea), PCI-DSS, FedRAMP (Moderate), NIST-CSF, and RBI MD-ITF (India).
Solution benefits
The solution outlined in this blog post is available for download with a detailed README. It provides three key benefits:
- Empowers you with automated assurance of evidence for compliance frameworks that might not yet be supported in AWS Audit Manager but for which AWS already offers support for compliance checks with conformance packs. In this blog post I use the NERC-CIP-BCSI compliance standard that applies to AWS customers who are North American utility owners and operators as an example of such a compliance standard.
- AWS Config conformance pack checks are already mapped by AWS to the controls of the specific compliance standard. This solution uses those existing conformance pack-based mappings to provide you with a continuous, audit-ready posture for assurance of risk management.
- AWS Config conformance packs that map to specific compliance standards are often customized with automated remediations. This enables continuous compliance with the standard. As an example, I had previously published such a repository with remediation runbooks for the entire set of PCI-DSS violations in AWS. They use custom AWS Systems Manager Automation documents, are reusable across both AWS Config findings and AWS Security Hub compliance checks, and offer a one-click deployment for continuous compliance with PCI-DSS. If you have already deployed a conformance pack with remediations, then this solution simply uses the results of that deployment in AWS Audit Manager to provide automated assurance for continuous compliance with that standard.
Solution overview
A key feature of AWS Config conformance packs is that they provide a sample mapping between a supported compliance standard and AWS Config Managed Rules. Each AWS Config Managed Rule applies to a specific AWS resource and maps to one or more controls in the supported compliance or regulatory standard. A specific control in the supported compliance or regulatory standard can map to multiple AWS Config rules.
Here’s an example of a NERC-CIP-BCSI control mapped to an AWS Config Managed rule in the conformance pack for NERC-CIP-BCSI:
Control ID: CIP-004-7-R6-Part 6.1
Control description: Each Responsible Entity shall implement one or more documented access management program(s) to authorize, verify, and revoke provisioned access to BCSI pertaining to the “Applicable Systems” identified in CIP-004-7 Table R6 – Access Management for BES Cyber System Information that collectively include each of the applicable requirement parts in CIP-004-7 Table R6 – Access Management for BES Cyber System Information. To be considered access to BCSI in the context of this requirement, an individual has both the ability to obtain and use BCSI. Provisioned access is to be considered the result of the specific actions taken to provide an individual(s) the means to access BCSI (e.g., may include physical keys or access cards, user accounts and associated rights and privileges, encryption keys). Part 6.1: Prior to provisioning, authorize (unless already authorized according to Part 4.1.) based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumstances: 6.1.1. Provisioned electronic access to electronic BCSI
AWS Config rule: iam-group-has-users-check
Guidance: AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user. Placing IAM users in groups based on their associated permissions or job function is one way to incorporate least privilege.
For a complete list of controls mapped to AWS Config rules, see Operational Best Practices for NERC CIP-BCSI in the AWS Config Developer Guide.
NERC-CIP-BCSI is supported by compliance checks in AWS with an AWS Config conformance pack, but it is not currently available for audit assurance in AWS as an out-of-the-box AWS Audit Manager framework.
Solution architecture
The solution creates a custom AWS Audit Manager framework that includes custom AWS Audit Manager control sets. Custom frameworks in AWS Audit Manager help you organize controls into control sets that suit your needs.
AWS Config provides an out-of-the-box integration with AWS Audit Manager where findings based on evaluations from AWS Config managed rules are sent to AWS Audit Manager. The solution requires a CSV control mapping file for the specific compliance standard. Each row of this mapping file contains a unique control ID for the compliance standard along with all the AWS Config Managed rules that map to it.
Figure 1 shows the format of the CSV mapping file for the NERC-CIP-BCSI standard. The sample mapping file for NERC-CIP-BCSI is available in the GitHub repo for this solution.
Figure 1: CSV maps control ID to AWS Config managed rules
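The mapping file layout described above, as an added example that is not part of the original post or its GitHub repository: a parser for the CSV (first column control ID, any number of AWS Config rule columns) that tolerates trailing blank cells, collapses duplicate rules within a row, reports rows that would produce a control with no evidence source or a repeated control ID, and builds the reverse rule-to-controls index, since one managed rule can back several controls. The sample rows are constructed for this example; only the first row is the NERC-CIP-BCSI mapping quoted in the post, the EXAMPLE-CONTROL-* IDs and their rules are made up.

```python
import csv
import io

# Constructed sample of the control mapping CSV (not the repository's file):
# column 1 is the control ID, the remaining columns are AWS Config rules, and
# rows deliberately vary in width. Only the first row comes from the post.
SAMPLE_MAPPING_CSV = """\
CIP-004-7-R6-Part 6.1,iam-group-has-users-check
EXAMPLE-CONTROL-A,iam-user-group-membership-check,iam-no-inline-policy-check,
EXAMPLE-CONTROL-B,iam-user-group-membership-check,ebs-encrypted-volumes,ebs-encrypted-volumes
EXAMPLE-CONTROL-C
EXAMPLE-CONTROL-A,iam-no-inline-policy-check
"""


def parse_control_mapping(text):
    """Return ({control_id: [rule, ...]}, [problem, ...]) for mapping-file text.

    Blank cells (for example from a trailing comma) are dropped, duplicate rules
    within a row are collapsed, and rows with no rules or with a control ID seen
    earlier are reported rather than silently turned into an empty control.
    """
    mapping = {}
    problems = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [cell.strip() for cell in row]
        if not cells or not cells[0]:
            continue  # empty line or missing control ID
        control_id, rules = cells[0], []
        for rule in cells[1:]:
            if rule and rule not in rules:
                rules.append(rule)
        if control_id in mapping:
            problems.append(f"line {line_no}: duplicate control ID {control_id!r}")
            continue
        if not rules:
            problems.append(f"line {line_no}: control {control_id!r} maps to no AWS Config rule")
            continue
        mapping[control_id] = rules
    return mapping, problems


def rules_to_controls(mapping):
    """Invert the mapping: a single Config rule can provide evidence for several controls."""
    index = {}
    for control_id, rules in mapping.items():
        for rule in rules:
            index.setdefault(rule, []).append(control_id)
    return index


if __name__ == "__main__":
    mapping, problems = parse_control_mapping(SAMPLE_MAPPING_CSV)
    for control_id, rules in mapping.items():
        print(f"{control_id}: {', '.join(rules)}")
    for problem in problems:
        print("WARNING:", problem)
    print(rules_to_controls(mapping))
```

Rejecting a row that maps to no rule matters because the solution later creates one Audit Manager control per row; a control with no AWS Config evidence source would sit in the assessment collecting nothing and look like a coverage gap at audit time.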
Figure 2 shows the request flow of the solution:
Figure 2: Transform a conformance pack to an AWS Audit Manager assessment
- The out-of-box integration of AWS Config and AWS Audit Manager sends findings from AWS Config to AWS Audit Manager.
- The solution creates custom control sets in AWS Audit Manager that correspond to the controls for the compliance framework in the AWS Config conformance pack. The controls are read as a data stream from Amazon Simple Storage Service (Amazon S3) based on the control mapping file that was uploaded there. The controls in AWS Audit Manager are sourced from the mapped AWS Config Managed rules as per the conformance pack. The solution then builds custom control sets that are 1:1 mapped to the control IDs for the compliance standard (in this example, NERC-CIP-BCSI). This is how you can provide audit-ready assurance based on conformance pack rules.
- The solution creates a custom AWS Audit Manager framework that contains the custom control set from step 2. The AWS Audit Manager framework ID is stored in the AWS Systems Manager Parameter Store.
- Finally, the solution provisions a custom AWS Audit Manager assessment from the custom framework created in step 3. The assessment retrieves the framework ID from the AWS Systems Manager Parameter Store.
Solution components
The solution consists of the following components:
AWS CloudFormation templates:
- aws-auditmanager-confpack.yml: Provisions an AWS Lambda function that creates a custom AWS Audit Manager control set and custom AWS Audit Manager framework based on AWS Config managed rules mapped to the compliance standard’s control IDs from the control mapping file uploaded to Amazon S3.
- aws-auditmanager-customassessment.yml: Retrieves the framework ID from the AWS Systems Manager Parameter Store. Provisions a custom Audit Manager assessment from the framework created by the aws-auditmanager-confpack.yml template.
The AWS Lambda function, CustomAuditManagerFramework_Lambda.py:
- Reads the control mapping file for the conformance pack’s compliance standard.
- Creates custom AWS Audit Manager control sets that are sourced from the mapped AWS Config managed rules as per the conformance pack.
- Creates an AWS Audit Manager custom framework with the control set that uses AWS Config managed rules from the conformance pack as a data source.
- Creates an AWS Audit Manager assessment based on the custom framework.
For more information, check the readme on GitHub.
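The request flow and the Lambda's responsibilities described above, as an added example that is not the repository's CustomAuditManagerFramework_Lambda.py: steps 2 to 4 written as boto3 auditmanager and ssm calls with the clients passed in, so the same code runs here against offline stub clients and can be handed boto3.client("auditmanager") and boto3.client("ssm") inside a Lambda. Parameter and response key names follow the boto3 CreateControl, CreateAssessmentFramework, CreateAssessment and PutParameter/GetParameter APIs; using the Config rule name from the mapping file as the keywordValue of the AWS_Config evidence source, the Parameter Store name /auditmanager/framework-id, the stub response IDs and the SAMPLE_MAPPING contents beyond the post's NERC-CIP-BCSI row are assumptions made for this example.

```python
# Added example, not the repository's Lambda. Clients are injected so the flow
# can be run offline; swap in boto3.client("auditmanager") / boto3.client("ssm").
PARAMETER_NAME = "/auditmanager/framework-id"  # ASSUMPTION: name chosen for this example


def build_config_sources(rules):
    """One AWS_Config evidence source per mapped rule, as in the conformance pack mapping."""
    return [
        {
            "sourceName": f"AWS Config rule {rule}",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_Config",
            # ASSUMPTION: the rule name from the mapping file is used as the keyword value.
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": rule},
        }
        for rule in rules
    ]


def create_controls(auditmanager, mapping):
    """Step 2: one custom control per control ID; returns {control_id: audit_manager_id}."""
    control_ids = {}
    for control_id, rules in mapping.items():
        resp = auditmanager.create_control(
            name=control_id,
            description="Evidence from AWS Config rules: " + ", ".join(rules),
            controlMappingSources=build_config_sources(rules),
        )
        control_ids[control_id] = resp["control"]["id"]
    return control_ids


def create_framework(auditmanager, ssm, framework_name, control_ids):
    """Step 3: custom framework with one control set per control; store its ID in Parameter Store."""
    control_sets = [{"name": cid, "controls": [{"id": am_id}]} for cid, am_id in control_ids.items()]
    resp = auditmanager.create_assessment_framework(
        name=framework_name,
        description="Generated from the AWS Config conformance pack control mapping",
        controlSets=control_sets,
    )
    framework_id = resp["framework"]["id"]
    ssm.put_parameter(Name=PARAMETER_NAME, Value=framework_id, Type="String", Overwrite=True)
    return framework_id


def create_assessment(auditmanager, ssm, name, account_id, reports_destination, audit_owner_arn):
    """Step 4: read the framework ID back from Parameter Store and provision the assessment."""
    framework_id = ssm.get_parameter(Name=PARAMETER_NAME)["Parameter"]["Value"]
    resp = auditmanager.create_assessment(
        name=name,
        assessmentReportsDestination={"destinationType": "S3", "destination": reports_destination},
        scope={"awsAccounts": [{"id": account_id}]},
        roles=[{"roleType": "PROCESS_OWNER", "roleArn": audit_owner_arn}],
        frameworkId=framework_id,
    )
    return resp["assessment"]["metadata"]["id"]


def provision(mapping, auditmanager, ssm, framework_name, account_id, reports_destination, owner_arn):
    """Run steps 2-4 in order and return the IDs created at each step."""
    control_ids = create_controls(auditmanager, mapping)
    framework_id = create_framework(auditmanager, ssm, framework_name, control_ids)
    assessment_id = create_assessment(auditmanager, ssm, framework_name + " assessment",
                                      account_id, reports_destination, owner_arn)
    return {"controls": control_ids, "framework": framework_id, "assessment": assessment_id}


class StubAuditManager:
    """Offline stand-in for boto3.client('auditmanager'): records calls, returns fake IDs."""
    def __init__(self):
        self.calls = []
    def create_control(self, **kw):
        self.calls.append(("create_control", kw))
        return {"control": {"id": f"control-{len(self.calls)}"}}
    def create_assessment_framework(self, **kw):
        self.calls.append(("create_assessment_framework", kw))
        return {"framework": {"id": "framework-0001"}}
    def create_assessment(self, **kw):
        self.calls.append(("create_assessment", kw))
        return {"assessment": {"metadata": {"id": "assessment-0001"}}}


class StubSsm:
    """Offline stand-in for boto3.client('ssm') backed by a dict."""
    def __init__(self):
        self.params = {}
    def put_parameter(self, Name, Value, **kw):
        self.params[Name] = Value
    def get_parameter(self, Name):
        return {"Parameter": {"Value": self.params[Name]}}


# Constructed mapping: the first entry is the post's NERC-CIP-BCSI example, the second is made up.
SAMPLE_MAPPING = {
    "CIP-004-7-R6-Part 6.1": ["iam-group-has-users-check"],
    "EXAMPLE-CONTROL-A": ["iam-user-group-membership-check", "iam-no-inline-policy-check"],
}

if __name__ == "__main__":
    print(provision(SAMPLE_MAPPING, StubAuditManager(), StubSsm(), "NERC-CIP-BCSI custom framework",
                    "123456789012", "s3://s3-customauditmanagerframework-123456789012-us-east-1/evidences/",
                    "arn:aws:iam::123456789012:user/audit-owner"))
```

Keeping the framework ID in Parameter Store between steps 3 and 4 is what lets the two CloudFormation stacks stay independent: the assessment stack only needs the parameter, not the outputs of the framework stack, which is also why cleanup has to delete that parameter explicitly.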
Prerequisites
Before you begin, complete the steps required to set up and deploy the solution.
- Enable AWS Config in your AWS account.
- Set up AWS Audit Manager.
- In the AWS Audit Manager console, configure your AWS Audit Manager settings.
- Create a control mapping file. This is a CSV file where each row contains a control ID for the compliance standard as the first column. The remaining columns of that row each contain one AWS Config rule that maps to the control ID. A row can have any number of columns. You can use the sample mapping file for NERC-CIP-BCSI here directly or create your own for any of the supported compliance standards. The mapping of these rules to the control ID of the compliance standard is created manually by the user from the compliance standard’s conformance pack documentation.
- Create an Amazon S3 bucket named s3-customauditmanagerframework-<AccountId>-<Region>, where <AccountId> is your AWS account ID and <Region> is the AWS Region where you plan to deploy the CloudFormation templates. In this bucket, create a folder named CustomAuditManagerFramework_Lambda and upload the CustomAuditManagerFramework_Lambda.zip file to that folder.
- Upload the control mapping file to the top directory of the S3 bucket.
- Audit Manager works with the Boto3 1.7 libraries. AWS Lambda doesn’t ship with Boto3 1.7 by default. This implementation provides that version of Boto3 as a Lambda layer. Upload the auditmanagerlayer.zip to the top directory of the s3-customauditmanagerframework-<AccountId>-<Region> bucket you created earlier.
- Create an IAM user with Audit owner permissions. You can use the AWSAuditManagerAdministratorAccess policy as a starting point, but scope down these permissions as appropriate for your requirements.
- If you have already configured an assessment reports destination in your AWS Audit Manager settings, you can skip this step. Otherwise, you can simply reuse the s3-customauditmanagerframework-<AccountId>-<Region> bucket you created earlier. The bucket must be in the same AWS Region as your assessment. Create a folder in the bucket for the evidence (for example, evidences). Your assessment reports destination will be the Amazon S3 URI of that folder (for example, s3://s3-customauditmanagerframework-<AccountId>-<Region>/evidences/). AWS Audit Manager will save your assessment reports to this bucket.
Solution setup
The solution automates the setup and deployment in two steps:
Step 1: In the AWS CloudFormation console, create a stack to launch the aws-auditmanager-confpack.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
- SourceBucket: The name of the Amazon S3 bucket that contains the AWS Lambda source code. This is the bucket you created in step 5 of the prerequisites. Replace <AccountID> and <Region> with the AWS account ID and Region where you are deploying this template.
- ConfPackControlsMappingFile: The full name of the control mapping file, including the .csv extension (for example, nerc-cip-bcsimappingfile.csv), created in step 4 of the prerequisites and uploaded to S3 in step 6 of the prerequisites.
Step 2: In the AWS CloudFormation console, create a stack to launch the aws-auditmanager-customassessment.yml template. In Parameters, enter the values for the parameters based on their descriptions in the template. The template takes the following parameters:
- AssessmentDestination: The S3 URI in which AWS Audit Manager will save your assessment reports. This is the S3 URI from step 9 of the prerequisites. Replace <AccountID> and <Region> with the AWS account ID and Region where you are deploying this template.
- AuditOwnerArn: The ARN for the IAM user that you created in step 8 of the prerequisites.
Review your findings
The AWS Audit Manager assessment is based on the conformance pack for the compliance standard and uses the AWS Config managed rules from the conformance pack as a data source for AWS Audit Manager. The frequency of evidence collection in AWS Audit Manager follows the trigger type (periodic or configuration change) for each of the mapped managed rules. To start evidence collection, AWS Audit Manager assesses an in-scope resource from a data source (in this case, a related AWS Config rule finding). It converts the obtained data into an auditor-friendly format to make it easier to understand. The converted data and metadata are then saved as evidence and attached to each control of the control set in the assessment. Now that your deployment is complete, you can review the evidence collected from your custom assessment.
Cleanup
To avoid incurring additional charges in your account or to be able to redeploy the solution:
- Delete the CloudFormation stacks for the templates you deployed. Delete the stack for aws-auditmanager-customassessment.yml first, and then delete the stack for aws-auditmanager-confpack.yml.
- Delete the custom framework and then delete the custom controls that were created in Audit Manager.
- From the AWS Systems Manager console, choose Parameter Store. On the My Parameters tab, delete the AWS Audit Manager framework ID.
Conclusion
In this blog post, I shared a solution that provides an implementation of a custom real-time automation and integration across the Three Lines Model in AWS. When you apply the model to AWS services, AWS Config conformance packs provide the first-line function of managing risk. AWS Audit Manager provides the third-line function by enabling objective and independent assurance of risk management.
The solution enables AWS administrators to use any of the supported compliance standards in AWS Config conformance packs and create an AWS Audit Manager assessment and framework for that compliance standard.
The solution provides you several benefits. It empowers you with automated assurance of evidence for compliance frameworks that might not yet be supported in AWS Audit Manager. It uses the existing conformance pack-based mappings to the compliance standard, so it provides you with a continuous, audit-ready posture for assurance of risk management. For deployed AWS Config conformance packs that are customized with automated remediations, the solution provides you automated assurance of continuous compliance.