Compliance
Leveraging AWS Trusted Advisor for Security and Compliance
This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free. Please see the latest on this topic here.
The benefits of undergoing mandatory or voluntary cybersecurity compliance assessments are well known throughout the cybersecurity industry. These benefits include improving the security posture of the organization, enabling sales to move faster through the sales lifecycle, addressing regulatory compliance requirements, and many more. Despite the benefits, compliance assessments can be labor-intensive and painful.
This pain is often due to the complexities associated with understanding the security posture of the environment being assessed, as well as collecting this information in a timely and efficient manner. Amazon Web Services (AWS) offers a number of services that provide flexibility, scalability, and reliability in the cloud. AWS also offers services to assist cybersecurity professionals with understanding their security environment and demonstrating compliance to auditors to ease the pain of cybersecurity assessments.
One of those services is AWS Trusted Advisor, which provides real-time best practice guidance to help provision, monitor, and maintain AWS resources. These best practice recommendations span five categories: cost optimization, performance, security, fault tolerance, and service limits.
In this article, we’ll provide a snapshot of how AWS Trusted Advisor works and how your organization can utilize the tool to reduce compliance pain points.
Each category of the service as shown in the image above provides relevant checks comparing the organization’s infrastructure to AWS best practices. Once the checks are performed, the console displays an overview of the check, which includes the status and the action recommendation. The action recommended area provides hyperlinks to the services in the AWS Management Console, where administrators can take remedial action on the recommendations. The Trusted Advisor homepage also provides a detailed dashboard highlighting the overall status of each category (see Figure 2).
Figure 2: AWS Trusted Advisor Example Dashboard Overview
While each category has a relevant impact on the organization, the security checks can specifically help strengthen an organization’s security and compliance program. Every AWS customer has access to seven core Trusted Advisor checks and recommendations to assist with monitoring the security and performance of their AWS environment. These seven checks are:
- S3 Bucket Permissions
- Security Groups – Specific Ports Unrestricted
- IAM Use
- MFA on Root Account
- EBS Public Snapshots
- RDS Public Snapshots
- Service Limits
Beyond the seven checks above, there are additional checks (over 60 total) under each category available to AWS Business or Enterprise support customers. Cloud administrators are encouraged to explore what level of support they have to determine how many Trusted Advisor checks are available to their organization.
Organizations can monitor the status of Trusted Advisor checks through the use of Trusted Advisor notifications. Administrators have the ability to enable recurring weekly email notifications of the status of the Trusted Advisor checks, create alerts, and automate remedial actions using Amazon CloudWatch. These notifications can be enabled directly in the AWS Trusted Advisor Console; see Figure 3.
Figure 3: Notification Setup
For organizations hosted on AWS, Trusted Advisor is a service that can be considered an integral component of any security and compliance program. There are several security checks, including core checks and additional checks available under the business or enterprise support plans, which should be monitored on a recurring basis, as they provide insight into key security best practices. Below is an overview of the recommended security checks, as well as example controls related to each check that can be included in an organization’s SSAE 18 attestation reports or other attestation reports. Each control is mapped to relevant AICPA SOC 2 Trust Service Criteria (TSC) and NIST Special Publication 800-53 controls.
Three Core Trusted Advisor Security Checks to Monitor and Add to Your Compliance Program
Trusted Advisor Check: Security Groups – Specific Ports Unrestricted
AWS Description: This check will monitor for and notify organizations of permissive access to Elastic Compute Cloud (EC2) instances.Specifically, this check will monitor security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, and loss of data).
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
AWS security groups are used and configured to prevent unauthorized access.
CC6.6
SC-7, AC-3
Trusted Advisor Check: S3 Bucket Permissions
AWS Description: This check searches for buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions. Bucket permissions that grant list access to everyone can result in higher-than-expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access to everyone create potential security vulnerabilities by allowing anyone (potentially unauthorized users) to add, modify, or remove items in a bucket. This check examines explicit bucket permissions and associated bucket policies that may override the bucket permissions.
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
The company restricts upload, modify and delete access to production S3 buckets to administrators with a legitimate business need.
CC6.1, CC6.7
AC-2, AC-6
Trusted Advisor Check: MFA on Root Account
AWS Description: This check scans the root account and warns if multifactor authentication (MFA) is not enabled. For increased security, AWS recommends that accounts are protected using MFA, which requires a user to enter a unique authentication code from their MFA hardware or virtual device when interacting with the AWS Management Console and associated websites.
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
The company enforces multifactor authentication on the root AWS account to protect the root account from unauthorized access.
CC6.1
AC-6, AC-17, IA-2
Three Business/Enterprise Support Plan Trusted Advisor Checks to Monitor and Add to Your Compliance Program
Trusted Advisor Check: Amazon RDS Multi-Availability Zone (AZ)
AWS Description: This check monitors for database (DB) instances that are deployed in a single AZ. Multi-AZ deployments enhance DB availability by synchronously replicating to a standby instance in a different AZ. During planned DB maintenance or the failure of a DB instance or AZ, Amazon RDS automatically fails over to standby so that DB operations can resume quickly without administrative intervention.
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
Amazon RDS DB instances are deployed in a multi-availability zone configuration to permit the automatic resumption of operations in the event of a DB failure.
A1.2
CP-6, CP-9, CP-10
Trusted Advisor Check: Exposed Access Keys
AWS Description: This check searches popular code repositories for access keys that have been exposed to the public and for irregular Amazon EC2 usage that could be the result of a compromised access key. An access key consists of an access key ID and the corresponding secret access key. Exposed access keys pose a security risk to multiple accounts, which could lead to potential data breaches as well as excessive charges from unauthorized activity or abuse and violate the AWS Customer Agreement.
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
The company monitors popular code repositories and checks for irregular EC2 usage to verify that access keys have not been compromised.
CC6.6
SC-7
Trusted Advisor Check: AWS CloudTrail Logging
AWS Description: This check monitors the use of AWS CloudTrail. CloudTrail provides increased visibility into activity in an AWS account by recording information about AWS API calls made on the account. These logs can be used to determine, for example, what actions a particular user has taken during a specified time period or which users have taken actions on a particular resource during a specified time period. Because CloudTrail delivers log files to an Amazon S3 bucket, CloudTrail must have write permissions for the bucket.
Example Control
Relevant SOC 2 TSC
NIST SP 800-53 Control ID
AWS CloudTrail is enabled to log user activity in the production AWS account that may have a potential impact on the company's ability to achieve its system security objectives.
CC2.1, CC6.1
AU-3, AU-4, AU-6, AU-11, AU 12
Conclusion
AWS offers a number of services that can enhance an organization’s security and compliance program. These services were built specifically for organizations on AWS to improve the security of their AWS resources. Trusted Advisor is a great example of one of these services, specifically for its security checks. Each security check is built on AWS best practices for organizations to identify and remediate security configuration flaws. While this article focused on security checks, cloud administrators are encouraged to explore all five categories. Coalfire has a team of assessors that can assist organizations in leveraging Trusted Advisor as an integral part of their compliance program.