AWS Trusted Advisor
AWS Trusted Advisor is a service that knows the cloud security industry's best practices and tells you what you can do to run more efficiently, securely, and cost-effectively.
For each category, Trusted Advisor gives you a list of recommended actions and additional resources on best practices:
- Cost optimisation
- Fault tolerance
- Service limits
Some checks are free and are included in your AWS account, and others are available depending on the level of your support plan.
Some examples of checks are:
- Whether you have multi-factor authentication turned on for your root user
- Whether you have underused EC2 instances that you can turn off to save money
- Whether you have EBS volumes that haven't been backed up in some time
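As an added example (not part of the original notes and not Trusted Advisor's own code), the three checks above can be written as plain functions over account inventory. The data below is constructed to mirror the shape of the IAM, EC2 and CloudWatch responses such checks would read, and the thresholds (10% CPU on 4 of 14 days, snapshots older than 7 days) are assumptions for the example, not AWS's published ones.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like the API responses such checks read
# (iam.get_account_summary, ec2.describe_volumes / describe_snapshots and
# daily CloudWatch CPUUtilization). Thresholds are assumptions for this example.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
ACCOUNT_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0}}   # root MFA is off
CPU_14D = {  # instance id -> average CPU % for each of the last 14 days
    "i-0aaa": [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 4, 3, 2, 1],
    "i-0bbb": [55, 60, 70, 65, 80, 75, 60, 58, 62, 70, 66, 71, 68, 64],
}
VOLUMES = [{"VolumeId": "vol-0001"}, {"VolumeId": "vol-0002"}, {"VolumeId": "vol-0003"}]
SNAPSHOTS = [
    {"VolumeId": "vol-0001", "StartTime": NOW - timedelta(days=2)},
    {"VolumeId": "vol-0002", "StartTime": NOW - timedelta(days=30)},
]

def root_mfa_check(summary):
    """Is MFA enabled on the root user? IAM reports 1 when it is."""
    enabled = summary["SummaryMap"].get("AccountMFAEnabled", 0) == 1
    return {"status": "ok" if enabled else "error", "root_mfa": enabled}

def underused_ec2_check(cpu_by_instance, cpu_threshold=10.0, min_days=4):
    """Flag instances whose daily CPU was at or under cpu_threshold on at
    least min_days of the 14-day window (assumed rule of thumb)."""
    flagged = [iid for iid, daily in cpu_by_instance.items()
               if sum(1 for d in daily if d <= cpu_threshold) >= min_days]
    return {"status": "warning" if flagged else "ok", "instances": sorted(flagged)}

def stale_ebs_backup_check(volumes, snapshots, now=NOW, max_age_days=7):
    """Flag volumes with no snapshot at all, or whose newest snapshot is
    older than max_age_days."""
    latest = {}  # volume id -> newest snapshot time
    for snap in snapshots:
        vid = snap["VolumeId"]
        if vid not in latest or snap["StartTime"] > latest[vid]:
            latest[vid] = snap["StartTime"]
    stale = [v["VolumeId"] for v in volumes
             if v["VolumeId"] not in latest
             or now - latest[v["VolumeId"]] > timedelta(days=max_age_days)]
    return {"status": "warning" if stale else "ok", "volumes": sorted(stale)}

if __name__ == "__main__":
    for name, result in [("root MFA", root_mfa_check(ACCOUNT_SUMMARY)),
                         ("underused EC2", underused_ec2_check(CPU_14D)),
                         ("EBS backups", stale_ebs_backup_check(VOLUMES, SNAPSHOTS))]:
        print(f"{name}: {result}")
```

In a real account you would feed these functions the corresponding boto3 responses instead of the constructed dictionaries.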
Note that AWS Compliance is not a standalone AWS service! It's more like a set of resources and best practice tips to help you with compliance.
For every industry, there are specific standards that need to be followed, and you will be audited or inspected to make sure you meet those standards.
- At restaurants, health inspectors visit to check that everything is up to code and sanitary. Similarly, a business could be audited for taxes to check that it has run its back office correctly and followed the law.
- You rely on documentation, records and inspections to pass audits and compliance checks as they come along.
This is the same in the world of computing:
- Software that deals with consumer data in the EU needs to be compliant with GDPR, a data protection regulation.
- Healthcare applications in the US need to meet the regulations under HIPAA, a health insurance regulation.
AWS and its users (that's us) follow a shared responsibility.
- AWS has built out very secure data centres and networking infrastructure that meets best practices.
- This means the underlying platform is secure. AWS even gives us evidence on what types of compliance requirements they meet, which you can read through AWS Artifact (you'll learn about Artifact below).
- But, beyond that, what you build on AWS is up to you. You control the architecture of your applications and the solutions you build, so it's your responsibility that they're compliant and secure too.
To help you with your compliance responsibilities, AWS gives you a whole range of resources. We'll focus on the two main ones:
1. Compliance documentation - guides and whitepapers* that detail the requirements for different compliance standards and how AWS services can be used to meet them. You can find all of these in the AWS Compliance Center.
*Whitepapers are helpful guides written by AWS that provide clear explanations and solutions for complex topics, making them easier for people to grasp. There are whitepapers for all the services in AWS!
2. The Shared Responsibility Model - this model clearly defines what AWS is responsible for vs the customer. We'll be diving deep into this later in the course!
Compliance tips from AWS
- The AWS Region you choose might help you meet compliance regulations!
- If you can only legally store data in the country that the data is from, you can choose a Region that makes sense for you and tell AWS not to replicate that data to other Regions.
- You have complete control over the data that you store in AWS.
- You can use different encryption tools to keep your data safe; the tools available vary from service to service.
- So, if you need specific standards for data storage, you can build tools yourself on top of AWS or simply use built-in data protection features.
AWS Compliance Center
The AWS Compliance Center has resources to help you learn more about AWS compliance.
- You can read customer compliance stories to learn how companies in regulated industries solve all kinds of compliance, governance, and audit challenges.
- You can access resources on topics like:
- AWS' answers to key compliance questions
- An overview of AWS risk and compliance
- An auditing security checklist
- You can also study an auditor learning path. This helps people in auditing, compliance, and legal jobs to learn how their companies can demonstrate compliance using the AWS Cloud.
AWS Artifact is the place to find important AWS security and compliance documents. So, if you need to follow certain rules and pass an audit, AWS Artifact can help you find the agreements and reports you need.
AWS Artifact has two main sections: AWS Artifact Agreements and AWS Artifact Reports.
- In AWS Artifact Agreements, you can check out and handle different types of agreements related to AWS services. This is helpful if your company must comply with specific regulations like the GDPR or HIPAA.
- In AWS Artifact Reports, you can access compliance reports that verify AWS meets all kinds of security standards and regulations.
- These standards and regulations can be global, regional or industry-specific.
- The reports are made by third-party auditors, meaning AWS didn't make this up themselves!
- These reports are great evidence to show your auditors or regulators that AWS has compliant security controls in place.
AWS Audit Manager
AWS Audit Manager helps you continuously audit your AWS usage. This makes risk management and compliance much simpler!
The AWS Audit Manager:
- Automates the collection of evidence for audits.
- Provides pre-built frameworks for common standards.
- Allows customisation for specific requirements.
- Generates audit reports to track compliance.
AWS Config
- AWS Config is your configuration tracker. It takes stock of the current configuration of every resource in your AWS account and records any changes to it over time.
- It helps you understand resource relationships (e.g. which security groups are attached to which EC2 instances) and checks that your configurations are compliant with any rules you've set up.
A handy heads up
There are two more services, AWS CloudTrail and Amazon CloudWatch, that are also part of AWS' family of governance and compliance services. But we're saving them for later: they are the star monitoring services in AWS, and we'll cover them in depth later in the course. Here's a quick summary of what they do:
- CloudWatch gives you a near real-time understanding of how your system is behaving, including alerting you to anything unusual that requires your attention.
- CloudTrail lets you know exactly who did what, when, and from where. It answers all of your AWS auditing questions, except why a user performed an action.
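As an added example (not part of the original notes and not AWS's own tooling), here is how the "who, what, when, from where" summary that CloudTrail provides can be pulled out of a CloudTrail log file. The log below is constructed, using the real top-level field names of CloudTrail records (`Records`, `eventTime`, `eventName`, `eventSource`, `sourceIPAddress`, `userIdentity`); the account id and IP addresses are placeholder values.

```python
import json
from collections import Counter

# Constructed CloudTrail-style log: a JSON object with a "Records" list.
# Only the fields the summary below reads are filled in.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:16:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T23:05:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

def who_what_when_where(trail_json):
    """Reduce each CloudTrail record to the four questions CloudTrail answers:
    who (identity), what (API call), when (time) and from where (IP, Region)."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        rows.append({
            "who": ident.get("userName") or ident.get("arn", "unknown"),
            "type": ident.get("type"),
            "what": f'{rec["eventSource"]}:{rec["eventName"]}',
            "when": rec["eventTime"],
            "where": f'{rec.get("sourceIPAddress", "?")} ({rec.get("awsRegion", "?")})',
        })
    return rows

def root_activity(rows):
    """Root-user actions deserve review: day-to-day work should not use root."""
    return [r for r in rows if r["type"] == "Root"]

def actions_per_identity(rows):
    """How many recorded API calls each identity made."""
    return Counter(r["who"] for r in rows)

if __name__ == "__main__":
    for row in who_what_when_where(SAMPLE_TRAIL):
        print(f'{row["when"]}  {row["who"]:<40} {row["what"]:<50} {row["where"]}')
```

Note that, as the text says, nothing in a record explains why the action was taken; that still comes from the people involved.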