Continuous Compliance withAWS Config Rules

Achieving and maintaining compliance is a continuous process rather than a stand-alone project. With the auto-scalable and elastic nature of the cloud, monitoring the security controls and compliance becomes almost impossible to manage as your resources continuously scale up or down based on your needs and your environment evolves. For this very reason, it is worth investing in time and effort to understand the concepts of Shared Responsibility Model and Security by Design to ensure security of your entire environment and achieve compliance in the cloud. You can check our previous blog post for the brief explanation of cloud compliance concepts and basics:

Based on these concepts, how can you improve your both internal and external compliance processes? The distinct capabilities of the cloud help you automate and integrate security and compliance standards into your entire development process and embrace continuous compliance. Let’s start with DevSecOps, the principles of integrating security and compliance into the entire development cycles and then continue with ensuring infrastructure and resource compliance through AWS Config.

Continuous Compliance at Infrastructure Level

Security is no more at the final stage of development. There is no need to manually check and validate the security and compliance of each release at the end and pause the delivery lifecycle for reviews and reworks. Instead, all priorities of development, operations and security teams are defined and automatically reflected upon the product continuously. To speed up your release cycles, security should be a part of the entire cycle with clear definitions and prioritizations from all relevant stakeholders.

Once security becomes an integral part of your processes, usual compliance processes such as internal audits, documentation and monitoring also becomes much more easier and automated for greater efficiency. Without the risk of compromising security or being non-compliant, businesses can accelerate their development lifecycles and achieve more efficient releases with all standards and priorities from distinct departments defined.

AWS Config for Resource Management

AWS Config is a powerful resource configuration monitoring tool that helps you assess, audit and evaluate your resource inventory. AWS Config continuously monitors and records your AWS resource configurations and helps you automate configuration settings with your desired configuration standards. By this way, the service helps you analyse, manage the changes and troubleshoot the causes of security events when necessary.

From the compliance perspective, you can leverage the power of AWS Config to continuously monitor your resources and operational changes to ensure both organization-wide security and compliance controls are continuously followed. Additionally, the resource configuration records and aggregated data simplifies your compliance audit processes through documentation with programmatic logs of your whole resource configuration history.

AWS Config Rules for Continuous Infrastructure Compliance

AWS Config provides predefined, AWS managed rules for you to easily implement across your resource configuration standards. These rules simply help you to evaluate whether your newly created or updated resources comply with the common AWS best practices. These rules cover a wide range of main areas of cloud environment, namely compute, database, management tools, security, identity & compliance and storage.

Although you can customize these rules such as changing the rule’s scope based on your compliance requirements, you can also create your own custom rules within AWS Config with the help of Lambda functions as well.

Once you set up your chosen configuration rules, AWS Config performs an initial evaluation of your current resources against these defined rules. From the AWS Config dashboard, you can see how many of your resources comply with these rules. Following the initial evaluation, AWS Config continuously monitors your resources and flags the non-compliant resources for your consideration. These resource evaluation triggers can be performed on a configuration change basis or a preferred frequency.

What is more, AWS Config enables you to manually or automatically remediate the flagged non-compliant resources to automate and simplify your compliance workings even more with AWS System Manager Automation documents. It allows you to define the specific actions to be taken when your resources are non-compliant with your specified rules. For more information about how to set up remediation actions, check AWS documents here.

Let’s continue with very basic cases for your compliance processes before we come to the end. Consider the following requirement of PCI DSS v3.2.1:¹

Requirement 7: Restrict access to cardholder data by business need-to-know

A super simple example for this might be enforcing encryption for your EBS volume snapshots and backups to prevent unintended access to the data across your organization or from external threats. From the list of managed AWS Config rules:

ec2-ebs-encryption-by-default

You can ensure that EBS encryption is enabled across all your volumes being added or maintained as you operate. For the full list of AWS Config Managed Rules, check the AWS documentation to find and implement the most suitable ones for your business requirements here.

Last but not least, let us highlight this again: achieving compliance is a continuous process. There is always more to do and enhance your compliance processes with the help of cloud capabilities and automation.

1. https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf

   ---