- Enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud
- AWS compliance enablers build on traditional programs, helping you to establish and operate in an AWS security control environment.
Overview of Compliance in AWS
- When customers move their production workloads to the AWS cloud, the IT environment is managed by both the parties.
- The environment can be set by the customers in a secure and controlled manner.
- An adequate governance can be maintained by the customers over their entire IT control environment.
Strong Compliance Governance
- Regardless of how their IT is deployed, it is still the responsibility of the customer to maintain adequate governance over the entire IT control environment.
- The customers can apply different types of controls and various verification methods by deploying to the AWS Cloud.
Evaluating and Integrating AWS Controls
- A wide range of information regarding its IT control environment is provided by AWS via white papers, reports, certifications, and other third-party attestations.
- Internal and/or external auditors validate the design and operating effectiveness of controls and control objectives.
- A strategic business plan has developed by AWS that includes risk identification and the implementation of controls to mitigate or manage risks.
- An information security framework and policies have been established by the AWS compliance and security teams based on the Control Objectives for Information and Related Technology (COBIT) framework.
- Any public-facing endpoint IP addresses are regularly scanned by the AWS security team for vulnerabilities, and these scans do not include customer instances.
- Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership.
- Customers can request permission to conduct their own vulnerability scans on their own environments.
- A comprehensive control environment, consists of policies, processes, and control activities, for the secure delivery of AWS service offerings, has been managed by AWS.
- To establish and maintain an environment that supports the operating effectiveness of AWS control framework, the collective control environment includes people, processes, and technology.
- To protect the confidentiality, integrity, and availability of customer’s systems and data, a formal information security program is used by AWS.
- Several security white papers has been published by AWS that are available on the main AWS website.
- These white papers are recommended for reading befor you should take the AWS Solutions Architect Associate exam.
- A hardware security module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
- It helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.
AWS Key Management Service
- AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
- It is integrated with other AWS services to make it simple to encrypt your data with encryption keys that you manage.
- It is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your auditing, regulatory and compliance needs.
- The following management actions can be performed on master keys by using AWS KMS:
○Create, describe, and list master keys
○Enable and disable master keys
○Set and retrieve master key usage policies (access control)
○Create, delete, list, and update aliases, which are friendly names that point to your master keys
○Delete master keys to complete the key lifecycle
- The following cryptographic functions can be performed using master keys:
○Encrypt, decrypt, and re-encrypt data
○Generate data encryption keys that you can export from the service in plaintext or encrypted under a master key that doesn’t leave the service
○Generate random numbers suitable for cryptographic applications
- AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
- AWS Organizations includes all the functionality of Consolidated Billing.
- You can use your organization to create accounts and invite existing accounts to join your organization.
○Centralized management of all of your AWS accounts
○Consolidated billing for all member accounts
○Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
○Control over the AWS services and actions that each account can access
○Integration and support for AWS Identity and Access Management (IAM)
○Data replication that is “eventually consistent”