AWS Audit Manager allows you to map compliance requirements to AWS usage data and continuously audit AWS usage as part of your risk and compliance assessments. Today, Audit Manager introduces the common control library, which provides common controls with predefined and pre-mapped AWS data sources.
The Common Controls Library is based on extensive mapping and reviews performed by AWS-certified auditors to ensure that appropriate data sources are identified for evidence collection. Governance, Risk, and Compliance (GRC) teams can use a common controls library to save time and reduce dependency on information technology (IT) teams when mapping corporate controls to Audit Manager for evidence gathering.
The Common Controls Library allows you to view compliance requirements for multiple frameworks (such as PCI or HIPAA) related to the same common controls in one place, making it easier to understand audit readiness for multiple frameworks simultaneously. This way, you avoid having to implement different compliance standard requirements separately and then review the resulting data multiple times for different compliance regimes.
Controls in this library also allow Audit Manager to inherit improvements automatically when you update or add new data sources, such as additional AWS CloudTrail events, AWS API calls, or AWS Config rules, or when additional compliance frameworks are mapped to common controls. This removes the effort GRC and IT teams would otherwise spend continually updating and managing evidence sources, and makes it easier for them to benefit from the additional compliance frameworks that Audit Manager adds to its library.
Let’s see how this works in practice through an example.
Using the AWS Audit Manager Common Control Library
A common scenario for an airline is to implement a policy so that customer payments, including in-flight meals and internet access, can only be made by credit card. To implement this policy, the airline develops enterprise controls for IT operations that ensure “customer transaction data is available at all times.” How can I monitor whether my applications on AWS meet these new controls?
As the compliance officer for the company, I open the Audit Manager console and choose Control library in the navigation pane. The Control library now includes a new Common category. Each common control is mapped to a group of core controls that collect evidence from AWS managed data sources, making it easier to demonstrate compliance with a variety of overlapping regulations and standards. I look at the common control library and search for “availability”. Here I find that the airline’s requirements map to the High availability architecture common control in the library.
I choose the High availability architecture common control to view the underlying core controls. Here I see that this control does not fully meet our company’s needs, because Amazon DynamoDB is not on the list. DynamoDB is a fully managed database, but since we use DynamoDB extensively in our application architecture, we want DynamoDB tables to scale as our workload grows or shrinks. That is not the case if a DynamoDB table has been configured with fixed throughput.
I look at the common control library again and search for “redundancy”. I choose the Fault tolerance and redundancy common control to see how it maps to core controls. There, I select the Enable Auto Scaling for Amazon DynamoDB Tables core control. This core control is relevant to the architecture implemented by the airline, but I do not need the whole common control.
In addition, although the High availability architecture common control already includes some core controls that check that Multi-AZ replication is enabled for Amazon Relational Database Service (RDS), those core controls rely on an AWS Config rule. That rule does not work for this use case because the airline does not use AWS Config. Both of these core controls also use CloudTrail events, but those events do not cover all scenarios.
As a compliance officer, I want to collect the actual resource configurations. To gather this evidence, I briefly consult with my IT partner and create a custom control with a custom data source. I use the api-rds_describedbinstances API call as the evidence source and set the collection frequency to weekly to optimize costs.
Implementing custom controls can be handled by the compliance team with minimal interaction with the IT team. If your compliance team needs to reduce its reliance on IT, consider using the whole second common control (Fault tolerance and redundancy) instead of selecting only the core control related to DynamoDB. Depending on your architecture, this may be more than you need, but moving faster and saving time and effort for both the compliance and IT teams is often a bigger benefit than fine-tuning the set of controls.
Now I choose Framework library in the navigation pane and create a custom framework that contains these controls. Then I choose Assessments in the navigation pane and create an assessment that uses the custom framework. When the assessment is created, Audit Manager starts collecting evidence for the selected AWS accounts and their AWS usage.
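The same custom control can be created through the API rather than the console. This is an added example, not code from the AWS post: it builds the request body for the Audit Manager create_control call (parameter names assumed to match the boto3 auditmanager client) and shows the check an auditor applies to the DescribeDBInstances evidence that control collects. The DescribeDBInstances output is constructed, and the API-call keyword is taken from the post as written.

```python
# Added example (not from the AWS post). Assumptions: request keys match the
# boto3 auditmanager create_control parameters; the evidence sample is constructed.
from typing import Any

# Keyword as written on the page; it must match an entry in Audit Manager's
# list of supported API calls exactly (check the console's data source list).
RDS_DESCRIBE_KEYWORD = "api-rds_describedbinstances"


def build_custom_control_request(name: str, keyword: str = RDS_DESCRIBE_KEYWORD,
                                 frequency: str = "WEEKLY") -> dict[str, Any]:
    """Request body for boto3.client('auditmanager').create_control(**request).

    Source type AWS_API_Call snapshots the real resource configuration, which is
    what the post uses instead of an AWS Config rule. Weekly collection keeps
    evidence volume (and therefore cost) down.
    """
    if frequency not in ("DAILY", "WEEKLY", "MONTHLY"):
        raise ValueError(f"unsupported sourceFrequency: {frequency}")
    return {
        "name": name,
        "description": "Evidence that RDS instances run with Multi-AZ enabled",
        "controlMappingSources": [{
            "sourceName": "RDS instance configuration",
            "sourceSetUpOption": "System_Controls_Mapping",
            "sourceType": "AWS_API_Call",
            "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                              "keywordValue": keyword},
            "sourceFrequency": frequency,
        }],
    }


def find_single_az_instances(describe_output: dict[str, Any]) -> list[str]:
    """Return identifiers of RDS instances that are NOT Multi-AZ.

    This is the review an auditor performs on DescribeDBInstances evidence:
    the MultiAZ flag shows whether standby replication is on. A missing flag
    is treated as non-compliant rather than silently passing.
    """
    return sorted(db["DBInstanceIdentifier"]
                  for db in describe_output.get("DBInstances", [])
                  if not db.get("MultiAZ", False))


# Constructed sample of a DescribeDBInstances response (not real evidence).
SAMPLE_EVIDENCE = {"DBInstances": [
    {"DBInstanceIdentifier": "payments-prod", "Engine": "postgres", "MultiAZ": True},
    {"DBInstanceIdentifier": "meals-catalog", "Engine": "mysql", "MultiAZ": False},
    {"DBInstanceIdentifier": "wifi-sessions", "Engine": "mysql"},  # flag absent
]}

if __name__ == "__main__":
    req = build_custom_control_request("RDS Multi-AZ enabled (custom)")
    print(req["controlMappingSources"][0]["sourceFrequency"])  # WEEKLY
    print(find_single_az_instances(SAMPLE_EVIDENCE))  # ['meals-catalog', 'wifi-sessions']
```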
By following these steps, your compliance team can accurately report on enterprise controls that ensure “customer transaction data is always available” using system design and implementation based on existing AWS services.
What you need to know
The Common Control Library is available in all AWS Regions where AWS Audit Manager is currently available. There is no additional cost for using the common control library. For more information, see AWS Audit Manager Pricing.
This new feature streamlines compliance and risk assessment processes, reducing the workload on your GRC team and simplifying how enterprise controls are mapped into Audit Manager for evidence collection. For more information, see the AWS Audit Manager User Guide.
— Danilo