1.1 Governance
Understand what AWS services and resources are being used and ensure your security or risk management program has taken into account the use of the public cloud environment.
Governance provides assurance that customer direction and intent are reflected in the security posture of the customer. This is achieved by utilizing a structured approach to implementing an information security program. For the purposes of this audit plan, it means understanding which AWS services have been purchased, what kinds of systems and information you plan to use with the AWS service, and what policies, procedures, and plans apply to these services.
As part of this audit, determine who within your organization is an AWS account and resource owner, as well as the AWS services and resources they are using. Verify that policies, plans, and procedures include cloud concepts, and that cloud is included in the scope of the customer’s audit program.
Approaches might include:
➖ Polling or interviewing your IT and development teams.
➖ Performing network scans, or a more in-depth penetration test.
➖ Reviewing expense reports and/or purchase order (PO) payments related to Amazon.com or AWS to understand what services are being used. Credit card charges appear as “AMAZON WEB SERVICES AWS.AMAZON.CO WA” or similar.
Note: Some individuals within your organization may have signed up for an AWS account under their personal accounts; consider asking whether this is the case when polling or interviewing your IT and development teams.
1.2 Governance: Identify Assets
Each AWS account has a contact email address associated with it, which can be used to identify account owners. It is important to understand that this e-mail address may be from a public e-mail service provider, depending on what the user specified when registering.
A formal meeting can be conducted with each AWS account or asset owner to understand what is being deployed on AWS, how it is managed, and how it has been integrated with your organization’s security policies, procedures, and standards.
Note: The AWS account owner may be someone in the finance or procurement department, but the individual who implements the organization’s use of the AWS resources may reside in the IT department. You may need to interview both.
1.3 Governance: Define your AWS boundaries for review
The review should have a defined scope. Understand your organization’s core business processes and their alignment with IT, in its non-cloud form as well as current or future cloud implementations.
➖ Obtain a description of the AWS services being used and/or being considered for use.
➖ After identifying the types of AWS services in use or under consideration, determine the services and business solutions to be included in the review.
➖ Obtain and review any previous audit reports with remediation plans.
➖ Identify open issues in previous audit reports and assess updates to the documents with respect to these issues.
1.4 Governance: Assess Policies
Assess and review your organization’s security, privacy, and data classification policies to determine which policies apply to the AWS service environment.
➖ Verify whether a formal policy and/or process exists around the acquisition of AWS services, to determine how the purchase of AWS services is authorized.
➖ Verify whether your organization’s change management processes and policies include consideration of AWS services.
1.5 Governance: Identify Risks
Determine whether a risk assessment for the applicable assets has been performed.
1.6 Governance: Review Risks
Obtain a copy of any risk assessment reports and determine if they reflect the current environment and accurately describe the residual risk environment.
1.7 Governance: Review risks documentation
After each element of your review, review risk treatment plans and timelines/milestones against your risk management policies and procedures.
1.8 Governance: Documentation and Inventory
Verify your AWS network is fully documented and all AWS critical systems are included in your inventory documentation, and that access to this documentation is restricted.
➖ Review AWS Config for the AWS resource inventory and the configuration history of resources.
➖ Ensure that resources are appropriately tagged and associated with application data.
➖ Review the application architecture to identify data flows, planned connectivity between application components, and resources that contain data.
➖ Review all connectivity between your network and the AWS platform by reviewing the following:
◾ VPN connections, where the customer’s on-premises public IPs are mapped to customer gateways in any VPCs owned by the customer.
◾ Direct Connect private connections, which may be mapped to one or more VPCs owned by the customer.
1.9 Governance: Evaluate Risks
Evaluate the significance of the AWS-deployed data to the organization’s overall risk profile and risk tolerance. Ensure that these AWS assets are integrated into the organization’s formal risk assessment program.
AWS assets should be identified and have protection objectives associated with them, depending on their risk profiles.
1.10 Governance: Incorporate use of AWS into risk assessment
Conduct and/or incorporate AWS service elements into your organizational risk assessment processes.
➖ Identify the business risk associated with your use of AWS and identify business owners and key stakeholders.
➖ Verify that the business risks are aligned, rated, or classified within your use of AWS services and your organizational security criteria for protecting confidentiality, integrity, and availability.
➖ Review previous audits related to AWS services (SOC, PCI, NIST 800-53 related audits, etc.).
➖ Determine if the risks identified previously have been appropriately addressed.
➖ Evaluate the overall risk factor for performing your AWS review.
➖ Based on the risk assessment, identify changes to your audit scope.
➖ Discuss the risks with IT management, and adjust the risk assessment.
1.11 Governance: IT Security Program and Policy
Verify that the customer includes AWS services in its security policies and procedures, including AWS account level best practices as highlighted within the AWS Trusted Advisor service, which provides best practice and guidance across 4 topics: Security, Cost, Performance and Fault Tolerance.
➖ Review your information security policies and ensure that they include AWS services.
➖ Confirm you have assigned one or more employees as the authority for the use and security of AWS services, and that there are defined roles for those key positions, including a Chief Information Security Officer.
➖ Ensure you maintain documentation to support the audits conducted for AWS services, including your review of AWS third-party certifications.
➖ Verify internal training records include AWS security, such as Amazon IAM usage, Amazon EC2 Security Groups, and remote access to Amazon EC2 instances.
➖ Confirm a cybersecurity response policy and training for AWS services is maintained.
1.12 Governance: Service Provider Oversight
Verify the contract with AWS includes a requirement to implement and maintain privacy and security safeguards for cybersecurity requirements.
2.1 Network Configuration and Management
Missing or inappropriately configured security controls related to external access/network security could result in a security exposure.
Network management in AWS is very similar to network management on-premises, except that network components such as firewalls and routers are virtual. Customers must ensure their network architecture follows the security requirements of their organization, including the use of DMZs to separate public and private (untrusted and trusted) resources, the segregation of resources using subnets and routing tables, the secure configuration of DNS, whether additional transmission protection is needed in the form of a VPN, and whether to limit inbound and outbound traffic. Customers who must perform monitoring of their network can do so using host-based intrusion detection and monitoring systems.
Understand the network architecture of the AWS resources, and how the resources are configured to allow external access from the public Internet and the customer’s private networks.
2.2 Network Configuration and Management: Network Controls
Identify how network segmentation is applied within the AWS environment.
➖ Review the AWS Security Group implementation and the AWS Direct Connect and Amazon VPN configuration for proper implementation of network segmentation, and the ACL and firewall settings for AWS services.
➖ Verify you have a procedure for granting remote, Internet or VPN access to employees for AWS Console access and remote access to Amazon EC2 networks and systems.
➖ Review the following to confirm that the environment used for testing and development of software and applications is kept separate from the business environment:
◾ VPC isolation is in place between the business environment and the environments used for test and development: review VPC peering connectivity between VPCs to ensure network isolation is in place between them.
◾ Subnet isolation is in place between the business environment and the environments used for test and development: review the NACLs associated with the subnets in which the business and test/development environments are located to ensure network isolation is in place.
◾ Amazon EC2 instance isolation is in place between the business environment and the environments used for test and development: review the Security Groups associated with the instances belonging to the business, test or development environments to ensure network isolation is in place between Amazon EC2 instances.
➖ Review any layered DDoS defense solution operating directly on AWS, reviewing the components leveraged as part of it, such as:
◾ Amazon CloudFront configuration
◾ Amazon S3 configuration
◾ Amazon Route 53
◾ ELB configuration
◾ Usage of Amazon EC2 for proxy or WAF
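The Security Group part of the segmentation review above can be scripted against the output of `aws ec2 describe-security-groups`. The following is an added example, not part of the checklist: it assumes groups carry an `Environment` tag (business/test/dev) and that only ports 80 and 443 may be reachable from the Internet; the groups it checks are constructed sample data in the same JSON shape the CLI returns.

```python
"""Segmentation review over the JSON returned by `aws ec2 describe-security-groups`.
The groups below are constructed sample data, not from a real account."""
import json

SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0000000000000001", "GroupName": "business-web",
  "Tags": [{"Key": "Environment", "Value": "business"}],
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0000000000000002"}]}]},
 {"GroupId": "sg-0000000000000002", "GroupName": "test-app",
  "Tags": [{"Key": "Environment", "Value": "test"}],
  "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
]}""")

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: only web ports may be world-reachable


def env_of(group):
    """Environment tag value (business/test/...), or None if untagged."""
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == "Environment"), None)


def ports_of(rule):
    """Readable port span; IpProtocol -1 means all protocols and ports."""
    return "all" if rule["IpProtocol"] == "-1" else f"{rule['FromPort']}-{rule['ToPort']}"


def public_exposures(groups):
    """Inbound rules open to the whole Internet on anything but the allowed ports."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not cidrs & PUBLIC_CIDRS:
                continue
            single_allowed = (rule["IpProtocol"] == "tcp" and rule["FromPort"] == rule["ToPort"]
                              and rule["FromPort"] in ALLOWED_PUBLIC_PORTS)
            if not single_allowed:
                findings.append((g["GroupId"], ports_of(rule)))
    return findings


def cross_environment_refs(groups):
    """Inbound rules that reference a group tagged with a different environment,
    i.e. a path from test/dev into business (or the reverse) through the SGs."""
    env_by_id = {g["GroupId"]: env_of(g) for g in groups}
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            for pair in rule.get("UserIdGroupPairs", []):
                src_env = env_by_id.get(pair.get("GroupId"))
                if src_env and src_env != env_of(g):
                    findings.append((g["GroupId"], pair["GroupId"], ports_of(rule)))
    return findings


if __name__ == "__main__":
    for f in public_exposures(SAMPLE["SecurityGroups"]):
        print("world-reachable:", f)
    for f in cross_environment_refs(SAMPLE["SecurityGroups"]):
        print("cross-environment reference:", f)
```

Run against a real export by replacing `SAMPLE` with the parsed CLI output; groups referenced by ID but absent from the export are ignored rather than reported.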
2.3 Network Configuration and Management: Malicious Code Controls
Assess the implementation and management of anti-malware for Amazon EC2 instances in a similar manner as with physical systems.
3.1 Asset Configuration and Management
Manage operating system and application security vulnerabilities to protect the security, stability, and integrity of the asset.
AWS customers are responsible for maintaining the security of anything installed on AWS resources or connected to AWS resources. Secure management of the customer’s AWS resources means knowing what resources you are using (asset inventory), securely configuring the guest OS and applications on your resources (secure configuration settings, patching, and anti-malware), and controlling changes to the resources (change management).
Validate that the OS and applications are designed, configured, patched and hardened in accordance with your policies, procedures, and standards. All OS and application management practices can be common between on-premises and AWS systems and services.
3.2 Asset Configuration and Management: Assess configuration management
Verify the use of your configuration management practices for all AWS system components and validate that these standards meet baseline configurations.
➖ Review the procedure for conducting a specialized wipe prior to deleting a volume, for compliance with established requirements.
➖ Review your Identity and Access Management system (which may be used to allow authenticated access to the applications hosted on top of AWS services).
➖ Confirm penetration testing has been completed.
3.3 Asset Configuration and Management: Change Management Controls
Ensure use of AWS services follows the same change control processes as internal services.
➖ Verify AWS services are included within an internal patch management process. Review the documented process for configuration and patching of Amazon EC2 instances:
◾ Amazon Machine Images (AMIs)
◾ Operating systems
◾ Applications
➖ Review API calls for in-scope services for delete calls to ensure IT assets have been properly disposed of.
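The delete-call review in the last step can be done over AWS CloudTrail log files, which record every API call with its caller and request parameters. The script below is an added example, not part of the checklist: the records are constructed samples in the CloudTrail log-file layout, and the approved-change list stands in for whatever your change management system exports (an assumption about your process, not an AWS feature).

```python
"""List resource-disposal API calls (Delete*/Terminate*/Deregister*) from a
CloudTrail log file and flag those without an approved change record.
Records and the approved-change list are constructed sample data."""
import json

DISPOSAL_PREFIXES = ("Delete", "Terminate", "Deregister")
IN_SCOPE_SERVICES = {"ec2.amazonaws.com", "s3.amazonaws.com", "rds.amazonaws.com"}

LOG = json.loads("""{"Records": [
 {"eventTime": "2021-02-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0aaaaaaaaaaaaaaa1"}]}}},
 {"eventTime": "2021-02-11T11:30:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"bucketName": "example-finance-exports"}},
 {"eventTime": "2021-02-11T12:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": null},
 {"eventTime": "2021-02-12T09:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVolume", "awsRegion": "eu-west-1",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Ops/ci"},
  "requestParameters": {"volumeId": "vol-0bbbbbbbbbbbbbbb2"}}
]}""")

# Constructed change-management export: (API call, resource) pairs with an approved ticket.
APPROVED_CHANGES = {("TerminateInstances", "i-0aaaaaaaaaaaaaaa1")}


def resource_ids(params):
    """Pull resource identifiers out of requestParameters: flat *Id/*Name keys
    plus the nested {"items": [...]} layout EC2 uses for instance lists."""
    ids = []
    for key, value in params.items():
        if isinstance(value, dict) and "items" in value:
            for item in value["items"]:
                ids.extend(resource_ids(item))
        elif isinstance(value, str) and (key.endswith("Id") or key.endswith("Name")):
            ids.append(value)
    return ids


def actor(record):
    """IAM user name, or the ARN for role sessions and other identity types."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn", ident.get("type"))


def disposal_events(records):
    """(eventTime, actor, eventName, resource) for each in-scope delete-type call."""
    out = []
    for r in records:
        if r["eventSource"] in IN_SCOPE_SERVICES and r["eventName"].startswith(DISPOSAL_PREFIXES):
            # requestParameters is null for some calls, hence the `or {}`
            for res in resource_ids(r.get("requestParameters") or {}):
                out.append((r["eventTime"], actor(r), r["eventName"], res))
    return out


def unapproved(records, approved=APPROVED_CHANGES):
    """Disposal calls with no matching (eventName, resource) change record."""
    return [e for e in disposal_events(records) if (e[2], e[3]) not in approved]


if __name__ == "__main__":
    for event in unapproved(LOG["Records"]):
        print("no change record:", event)
```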
4.1 Logical Access Control
Identify how users and permissions are set up for the services in AWS. It is also important to ensure you are securely managing the credentials associated with all AWS accounts.
Logical access controls determine not only who or what can have access to a specific system resource, but also the type of actions that can be performed on the resource (read, write, etc.). As part of controlling access to AWS resources, users and processes must present credentials to confirm that they are authorized to perform specific functions or have access to specific resources. The credentials required by AWS vary depending on the type of service and the access method, and include passwords, cryptographic keys, and certificates. Access to AWS resources can be enabled through the AWS account, individual AWS Identity and Access Management (IAM) user accounts created under the AWS account, or identity federation with the customer’s corporate directory (single sign-on). AWS Identity and Access Management (IAM) enables users to securely control access to AWS services and resources. Using IAM you can create and manage AWS users and groups and use permissions to allow and deny access to AWS resources.
Validate that permissions for AWS assets are being managed in accordance with organizational policies, procedures, and processes.
4.2 Logical Access Control: Access Management, Authentication and Authorization
Ensure there are internal policies and procedures for managing access to AWS services and Amazon EC2 instances.
➖ Ensure documentation of the use and configuration of AWS access controls; examples and options are outlined below:
◾ Description of how Amazon IAM is used for access management.
◾ List of controls that Amazon IAM is used to manage: resource management, Security Groups, VPN, object permissions, etc.
◾ Use of native AWS access controls, or, if access is managed through federated authentication, which leverages the open standard Security Assertion Markup Language (SAML) 2.0.
◾ List of AWS accounts, roles, groups and users, policies, and policy attachments to users, groups, and roles.
◾ A description of Amazon IAM accounts and roles, and monitoring methods.
◾ A description and configuration of systems within EC2.
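For the user list called for above, the IAM credential report (the CSV from `aws iam get-credential-report`, after base64 decoding) is the usual evidence. The script below is an added example, not part of the checklist: the three report rows are constructed, the 90-day key-rotation limit is an assumed organisational policy, and "today" is pinned so the results are reproducible.

```python
"""Review checks over an IAM credential report. The column names follow the
real report; the rows themselves are constructed sample data."""
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2021-02-01T09:00:00+00:00,not_supported,not_supported,true,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-06-01T00:00:00+00:00,true,2021-02-20T08:00:00+00:00,2020-12-01T00:00:00+00:00,2021-03-01T00:00:00+00:00,true,true,2021-01-10T00:00:00+00:00,2021-02-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-06-01T00:00:00+00:00,true,no_information,2020-06-01T00:00:00+00:00,N/A,false,true,2020-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)   # pinned "today" for reproducible output
MAX_KEY_AGE = timedelta(days=90)                  # assumption: your rotation policy


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review(report_csv, now=NOW):
    """Return (user, finding) tuples an auditor would follow up on."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access should always be paired with MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # The root account should not hold long-lived access keys at all.
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has an active access key"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{k}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {k} not rotated for {(now - rotated).days} days"))
            if parse_ts(row[f"access_key_{k}_last_used_date"]) is None:
                findings.append((user, f"access key {k} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in review(REPORT):
        print(f"{user}: {finding}")
```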
4.3 Logical Access Control: Remote Access
Ensure there is an approval process, logging process, or controls to prevent unauthorized remote access. Note: All access to AWS and Amazon EC2 instances is “remote access” by definition unless Direct Connect has been configured.
➖ Review the process for preventing unauthorized access, which may include:
◾ AWS CloudTrail for logging of service-level API calls.
◾ Amazon CloudWatch Logs to meet logging objectives.
◾ IAM policies, S3 bucket policies, and Security Groups as controls to prevent unauthorized access.
➖ Review connectivity between the firm network and AWS:
◾ VPN connection between the VPC and the firm’s network.
◾ Direct Connect (cross connect and private interfaces) between the firm and AWS.
◾ Defined Security Groups, Network Access Control Lists and routing tables in order to control access between AWS and the network.
4.4 Logical Access Control: Personnel Control
Ensure users are restricted to those AWS services strictly required for their business function.
➖ Review the type of access control in place as it relates to AWS services:
◾ AWS access control at the AWS level: using IAM with tagging to control management of Amazon EC2 instances (start/stop/terminate) within networks.
◾ Customer access control: using IAM (LDAP solution) to manage access to resources which exist in networks at the operating system / application layers.
◾ Network access control: using AWS Security Groups (SGs), Network Access Control Lists (NACLs), routing tables, VPN connections, and VPC peering to control network access to resources within customer-owned VPCs.
5.1 Data Encryption
Data at rest should be encrypted in the same way as on-premises data is protected. Also, many security policies consider the Internet an insecure communications medium and would require the encryption of data in transit. Improper protection of data could create a security exposure.
Data stored in AWS is secure by default; only AWS owners have access to the AWS resources they create. However, customers who have sensitive data may require additional protection by encrypting the data when it is stored on AWS. Only the Amazon S3 service currently provides an automated, server-side encryption function in addition to allowing customers to encrypt on the customer side before the data is stored. For other AWS data storage options, the customer must perform encryption of the data.
Understand where the data resides, and validate the methods used to protect the data at rest and in transit (also referred to as “data in flight”).
5.2 Data Encryption: Encryption Controls
Ensure there are appropriate controls in place to protect confidential information in transport while using AWS services.
➖ Review the methods used for connecting to the AWS Console, management API, S3, RDS and Amazon EC2 VPN for enforcement of encryption.
➖ Review internal policies and procedures for key management, including AWS services and Amazon EC2 instances.
➖ Review the encryption methods used, if any, to protect PINs at rest. AWS offers a number of key management services such as KMS, CloudHSM and server-side encryption for S3 which could be used to assist with data-at-rest encryption.
6.1 Security Logging and Monitoring
Systems must be logged and monitored, just as they are for on-premises systems. If AWS systems are not included in the overall company security plan, critical systems may be omitted from the scope of monitoring efforts.
Audit logs record a variety of events occurring within your information systems and networks. Audit logs are used to identify activity that may impact the security of those systems, whether in real time or after the fact, so the proper configuration and protection of the logs is important.
Validate that audit logging is being performed on the guest OS and critical applications installed on Amazon EC2 instances and that the implementation is in alignment with your policies and procedures, especially as it relates to the storage, protection, and analysis of the logs.
6.2 Security Logging and Monitoring: Logging Assessment Trails and Monitoring
Review logging and monitoring policies and procedures for adequacy, retention, defined thresholds and secure maintenance, specifically for detecting unauthorized activity for AWS services.
➖ Review logging and monitoring policies and procedures and ensure the inclusion of AWS services, including Amazon EC2 instances, for security-related events.
➖ Verify that logging mechanisms are configured to send logs to a centralized server, and ensure that for Amazon EC2 instances the proper type and format of logs are retained in a similar manner as with physical systems.
➖ For customers using Amazon CloudWatch, review the process and record of the use of network monitoring.
➖ Ensure analytics of events are utilized to improve defensive measures and policies.
➖ Review the AWS IAM credential report for unauthorized users, and AWS Config and resource tagging for unauthorized devices.
➖ Confirm aggregation and correlation of event data from multiple sources using AWS services such as:
◾ VPC Flow Logs to identify accepted/rejected network packets entering the VPC.
◾ AWS CloudTrail to identify authenticated and unauthenticated API calls to AWS services.
◾ ELB logging: load balancer logging.
◾ Amazon CloudFront logging: logging of CDN distributions.
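VPC Flow Logs in the default (version 2) format are plain space-separated records, so the accepted/rejected review above can be checked with a short parser. The script below is an added example, not part of the checklist: it assumes the reviewed VPC is 10.0.0.0/16 and that SSH/RDP are the admin ports of interest; the records are constructed samples.

```python
"""Parse VPC Flow Log records (default v2 format) and pull out two things an
auditor looks for: accepted admin-port traffic from outside the VPC, and the
sources generating the most rejects. Records are constructed sample data."""
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumption: the reviewed VPC's range
ADMIN_PORTS = {22, 3389}                          # SSH and RDP

SAMPLE = """\
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.12 10.0.1.15 49152 22 6 8 640 1612951200 1612951260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.15 51000 3389 6 3 180 1612951200 1612951260 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.15 51001 3389 6 3 180 1612951200 1612951260 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60002 10.0.2.20 10.0.1.15 40000 443 6 20 4000 1612951200 1612951260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 10.0.1.15 10.0.2.20 443 40000 6 18 9000 1612951200 1612951260 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60002 - - - - - - - 1612951200 1612951260 - NODATA
"""


def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA records carry no flow."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or non-default format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec


def external_admin_accepts(text):
    """ACCEPTed TCP flows to SSH/RDP whose source address lies outside the VPC."""
    hits = []
    for rec in parse(text):
        src = ipaddress.ip_address(rec["srcaddr"])
        if (rec["action"] == "ACCEPT" and rec["protocol"] == 6
                and rec["dstport"] in ADMIN_PORTS and src not in VPC_CIDR):
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


def reject_sources(text, top=5):
    """Most frequent source addresses among REJECTed flows (scan/probe candidates)."""
    return Counter(r["srcaddr"] for r in parse(text) if r["action"] == "REJECT").most_common(top)


if __name__ == "__main__":
    print("external admin-port accepts:", external_admin_accepts(SAMPLE))
    print("top rejected sources:", reject_sources(SAMPLE))
```

A flow record is a per-interface aggregate, so one ACCEPT line may stand for many packets; correlate the hit with CloudTrail and the instance's own logs before treating it as a confirmed login.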
6.3 Security Logging and Monitoring: Intrusion Detection and Response
Review host-based IDS on Amazon EC2 instances in a similar manner as with physical systems.
Review AWS-provided evidence on where information on intrusion detection processes can be reviewed.
7.1 Security Incident Response
Security events should be monitored regardless of where the assets reside. The auditor can assess the consistency of deploying incident management controls across all environments, and validate full coverage through testing.
Under the Shared Responsibility Model, security events may be monitored by the interaction of both AWS and the AWS customer. AWS detects and responds to events impacting the hypervisor and the underlying infrastructure. Customers manage events from the guest operating system up through the application. You should understand incident response responsibilities and adapt existing security monitoring/alerting/audit tools and processes for your AWS resources.
Assess the existence and operational effectiveness of the incident management controls for systems in the AWS environment.
7.2 Security Incident Response: Incident Reporting
Ensure the incident response plan and policy for cybersecurity incidents includes AWS services and addresses controls that mitigate cybersecurity incidents and aid recovery.
➖ Ensure existing incident monitoring tools, as well as the tools AWS makes available, are leveraged to monitor the use of AWS services.
➖ Verify that the Incident Response Plan undergoes a periodic review and that changes related to AWS are made as needed.
➖ Note whether the Incident Response Plan has notification procedures and how the customer addresses responsibility for losses associated with attacks or intrusions.
8.1 Disaster Recovery
An unidentified single point of failure and/or inadequate planning to address disaster recovery scenarios could result in a significant impact. While AWS provides service level agreements (SLAs) at the individual instance/service level, these should not be confused with a customer’s business continuity (BC) and disaster recovery (DR) objectives, such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The BC/DR parameters are associated with solution design. A more resilient design often utilizes multiple components in different AWS Availability Zones and involves data replication.
AWS provides a highly available infrastructure that allows customers to architect resilient applications and quickly respond to major incidents or disaster scenarios. However, customers must ensure that they configure systems that require high availability or quick recovery times to take advantage of the multiple Regions and Availability Zones that AWS offers.
Understand the DR approach and determine the fault-tolerant architecture employed for critical assets.
8.2 Disaster Recovery: Business Continuity Plan (BCP)
Ensure there is a comprehensive BCP, for the AWS services utilized, that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident.
Within the plan, ensure that AWS is included in the emergency preparedness and crisis management elements, senior manager oversight responsibilities, and the testing plan.
8.3 Disaster Recovery: Backup and Storage Controls
Review the customer’s periodic test of their backup system for AWS services.
Review the inventory of data backed up to AWS services as off-site backup.