AWS Cloud Operations Blog

Automate the sending of AWS Audit Manager assessment reports

Implementing compliance at scale is not an easy endeavor for customers as they move their workloads to the AWS cloud. Because of the challenges posed by cloud environments, such as the ephemeral nature of resources and the constantly changing landscape, automation is paramount to success. At enterprise scale, automation is even more necessary in order to establish a continuous compliance solution.

A continuous compliance solution is one that can monitor resources for a configuration change, evaluate and report on the change, remediate if needed, record evidence of the full transaction, and finally re-evaluate to update the status. Customers can simplify implementation of a continuous compliance solution on AWS by applying the Three Lines Model developed by the Institute of Internal Auditors (IIA). The model helps simplify compliance on AWS because it maps AWS services to the areas in which they can be properly leveraged to establish a compliance solution.

AWS Audit Manager helps customers automate evidence gathering, which aligns to the second line of the model. Audit Manager continually collects evidence from multiple data sources in your environment and lets you create an assessment report based on the evidence collected. An assessment can be based on one of the several supported frameworks, such as the NIST Cybersecurity Framework v1.1, SOC 2, or HIPAA, or on a custom framework tailored to your organization.

Once generated, the assessment report is delivered to an Amazon S3 bucket of your choosing, and you can then send it to the appropriate party, such as the security or compliance personas. Retrieving the assessment report and getting it to those parties is one of the few remaining manual steps when using Audit Manager. In this blog post we share a solution that automates sending a completed report to the desired parties once it has been delivered to the S3 bucket.

Prerequisites

You must first complete the following prerequisites before deploying the solution:

  • AWS Audit Manager must be deployed – see Getting started with AWS Audit Manager
  • An Amazon S3 bucket must exist to receive the assessment report
  • Email addresses of up to 3 recipients who will receive the assessment report; at least 1 recipient's email address is required. In this blog, we assume that your Amazon Simple Email Service (SES) account is in sandbox mode, where SES only delivers mail between verified addresses. Once the solution is deployed, the sender and each recipient must open their inbox and click the verification link sent by SES before any report can be delivered

Architecture

As shown in Figure 1, the solution in this blog post automates how an assessment summary report generated by AWS Audit Manager is sent to stakeholders' email inboxes as an attachment.

Figure 1. Solution architecture to automate assessment report generation by AWS Audit Manager

The architecture workflow is as follows:

  1. An assessment report summarizes your assessment and provides links to the evidence. The Compliance Specialist is the persona who uses AWS Audit Manager to simplify capturing evidence of compliance with a specific framework
  2. To generate the assessment report, refer to this documentation; the report is uploaded to the Amazon S3 bucket of your choice
  3. An Event Notification on that S3 bucket triggers an AWS Lambda function
  4. The Lambda function retrieves the uploaded assessment report and sends it through Amazon SES to the assigned recipients
  5. The email addresses provided as parameters receive the assessment report as an email attachment
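The following is an added example of what the Lambda function in steps 3 to 5 does; it is illustrative code written for this post, not the function from the linked GitHub repository. It assumes three hypothetical environment variables set by the stack (SOURCE_EMAIL, RECIPIENT_EMAILS as a comma-separated list, and REPORT_BUCKET) and uses only the standard library plus the public boto3 S3 and SES clients. Two practitioner details are built in: S3 event keys arrive URL-encoded and must be decoded before the object is fetched, and records for any bucket other than the configured report bucket are ignored, so the function never mails an object from somewhere it was not pointed at, whatever event it is invoked with. The sample event at the bottom is constructed for the offline run.

```python
"""Lambda handler: S3 event notification -> fetch report -> email via SES.

Illustrative example for this post (not the GitHub repository's code).
Assumed environment variables (hypothetical names):
  SOURCE_EMAIL      verified SES sender
  RECIPIENT_EMAILS  comma-separated list of up to three recipients
  REPORT_BUCKET     the bucket Audit Manager delivers reports to
"""
import os
import urllib.parse
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
from typing import List, Tuple

# SES SendRawEmail rejects raw messages over 10 MB after MIME encoding.
# Base64 inflates the attachment by about a third, so cap the raw file at
# 7 MB and fail early instead of half-way through the send.
MAX_ATTACHMENT_BYTES = 7 * 1024 * 1024


def parse_s3_event(event: dict, expected_bucket: str) -> List[Tuple[str, str]]:
    """Return (bucket, key) pairs for S3 records that belong to expected_bucket.

    Object keys in S3 notifications are URL-encoded (a space arrives as '+'),
    so they are decoded here; a GetObject with the encoded key would 404.
    """
    objects = []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            continue
        bucket = record["s3"]["bucket"]["name"]
        if bucket != expected_bucket:
            continue  # only the configured report bucket is trusted
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        objects.append((bucket, key))
    return objects


def build_report_email(sender: str, recipients: List[str], filename: str,
                       report_bytes: bytes) -> EmailMessage:
    """Build the MIME message with the report attached (not yet sent)."""
    if len(report_bytes) > MAX_ATTACHMENT_BYTES:
        raise ValueError(f"{filename}: {len(report_bytes)} bytes exceeds the SES limit")
    msg = EmailMessage()
    msg["Subject"] = f"AWS Audit Manager assessment report: {filename}"
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid()
    msg.set_content("Attached is the assessment report generated by AWS Audit Manager.\n")
    # Generic binary type: the report file type is whatever Audit Manager wrote.
    msg.add_attachment(report_bytes, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def handler(event, context):
    """Lambda entry point: fetch each new report object and send it via SES."""
    import boto3  # imported lazily so the module also loads outside Lambda

    sender = os.environ["SOURCE_EMAIL"]
    recipients = [a.strip() for a in os.environ["RECIPIENT_EMAILS"].split(",") if a.strip()]
    report_bucket = os.environ["REPORT_BUCKET"]
    s3 = boto3.client("s3")
    ses = boto3.client("ses")
    sent = []
    for bucket, key in parse_s3_event(event, report_bucket):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        filename = key.rsplit("/", 1)[-1]
        msg = build_report_email(sender, recipients, filename, body)
        ses.send_raw_email(Source=sender, Destinations=recipients,
                           RawMessage={"Data": msg.as_bytes()})
        sent.append(key)
    return {"sent": sent}


if __name__ == "__main__":
    # Constructed sample event: one record from the report bucket, one from
    # another bucket that must be ignored.
    sample_event = {"Records": [
        {"eventSource": "aws:s3", "s3": {"bucket": {"name": "my-audit-reports"},
                                         "object": {"key": "reports/assessment+report.zip"}}},
        {"eventSource": "aws:s3", "s3": {"bucket": {"name": "someone-elses-bucket"},
                                         "object": {"key": "payload.zip"}}},
    ]}
    print(parse_s3_event(sample_event, "my-audit-reports"))
```

The function's execution role should be scoped accordingly: s3:GetObject on the report bucket only and ses:SendRawEmail, nothing broader. While SES is in sandbox mode, send_raw_email fails with a MessageRejected error for any recipient who has not clicked the verification link, which is why the prerequisites above insist on it.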

Walkthrough:

Go to the AWS CloudFormation console, select Create stack, With new resources (standard), then Upload a template file; upload the auditmanager-ses-notification.yaml file from our GitHub repository and follow the steps in the console to launch the template. The template takes the following parameters:

  • Source Email Address: The sender email address that appears in the From field of the email
  • Register Source Email Address: Default is true. The source email address will be registered as a verified identity in Amazon SES
  • Email Address 1: Email address of the 1st recipient
  • Register Email Address 1: Choose true to register the 1st recipient's email address in Amazon SES (required while SES is in sandbox mode)
  • Email Address 2: Email address of the 2nd recipient
  • Register Email Address 2: Choose true to register the 2nd recipient's email address in Amazon SES
  • Email Address 3: Email address of the 3rd recipient
  • Register Email Address 3: Choose true to register the 3rd recipient's email address in Amazon SES
  • Report S3 Bucket Name: Name of the existing S3 bucket where Audit Manager delivers the assessment report; the Lambda function is triggered by this bucket's event notifications
Figure 2. Parameters provided to our CloudFormation stack deployment

Sample output

To test the solution, generate an assessment report from AWS Audit Manager as described in step 2 of the architecture. Once the report is delivered to the S3 bucket, each configured recipient receives an email with the report attached, as shown in Figure 3:

Figure 3. Email containing assessment report generated by AWS Audit Manager

Clean-up:

To clean up your account and avoid recurring charges, delete the AWS CloudFormation stack deployed for this solution from the AWS console.

The S3 bucket that receives the assessment reports is a prerequisite rather than a stack resource, so it and any reports stored in it remain until you remove them yourself.

Conclusion:

In this blog post, we shared a solution that provides a custom automation to simplify your second line of defense. This removes some of the undifferentiated heavy lifting involved in implementing a compliance solution on AWS and can help you get your compliance reports into the hands of the relevant stakeholders efficiently. If you would like to know more about AWS services and how to integrate them across the Three Lines Model, read the blog post "Integrate across the Three Lines Model (Part 1): Build a custom automation of AWS Audit Manager with AWS Security Hub" to get started.


About the authors:

Matheus Arrais

Matheus Arrais is a Partner Solutions Architect. His focus is on multi-account strategy and management and governance services. He works closely with partners helping them to walk a successful journey within the AWS partnership and deliver the best solution for their customers. Outside work, Matheus has a passion for reading, drumming, and traveling.

Craig Edwards

Craig Edwards is a Cloud Operations Specialist Solutions Architect with the Cloud Foundations team at AWS. He specializes in AWS Config, AWS CloudTrail, AWS Audit Manager and AWS Systems Manager. When he is not building cloud solutions, he enjoys being a father and electric vehicles.

John Chao

John is a Sr. Solutions Architect in Amazon Web Services (AWS) Public Sector and is based in Charlotte, NC. His primary focus is on helping Independent Software Vendor (ISV) partners learn and apply best practices on their cloud journey, especially management and governance, and governance, risk, and compliance (GRC) of cloud environments at scale. At AWS, he has helped global ISVs achieve FedRAMP ATO on AWS. Prior to joining AWS, he led global enterprise IT operations and infrastructure teams.