Auditing AWS Resources used in your Organisation
One of the requirements of an Information Security Management System (ISMS) is to maintain a register of assets.
The purpose of this audit is to assess the security of the AWS assets in use (or not in use) and also to consider budget aspects.
1. Define which AWS assets are being used
   - Data stores
   - Checklists:
     1. Basic operational checklist
     2. [Enterprise Operations Checklist](https://d0.awsstatic.com/whitepapers/aws-security-at-scale-governance-in-aws.pdf)
     3. [Auditing Security Checklist](https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf)
   - Poll/interview IT/development teams
2. Review AWS expense reports
3. Understand what services are being used
   - This will help define the scope and focus of the audit
4. Define audit objectives to align with the Audit Program, Annual Plan and Charter
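The steps above (inventory the assets, cross-check against the expense report, derive the services in scope, and identify business owners) can be turned into a first-pass asset register. The script below is an added example, not part of the original page; it runs offline on constructed sample data shaped like the AWS Resource Groups Tagging API `GetResources` output and a Cost Explorer cost-by-service result, and it flags resources with no owner tag and services that are billed but absent from the inventory. The `Owner` tag name, the ARN-to-billing-name mapping and all ARNs, account ids and costs are assumptions for the sample.

```python
"""Build a first-pass AWS asset register from a tagged-resource inventory and a
cost-by-service report.

Added example, not part of the original page. The two inputs are constructed
here with the shapes of the AWS APIs they stand in for:
  - RESOURCES mimics resourcegroupstaggingapi GetResources (ResourceARN, Tags)
  - COST_BY_SERVICE mimics a Cost Explorer GetCostAndUsage result grouped by
    SERVICE (billing service name -> cost for the audited period)
All ARNs, account ids, tag values and costs are made-up sample data.
"""

OWNER_TAG = "Owner"   # assumed tagging convention; adapt to your own policy

# Constructed sample inventory (GetResources-style records).
RESOURCES = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111111111111:instance/i-0aaa111",
     "Tags": [{"Key": "Owner", "Value": "payments"}, {"Key": "Env", "Value": "prod"}]},
    {"ResourceARN": "arn:aws:ec2:eu-west-1:111111111111:instance/i-0bbb222",
     "Tags": []},
    {"ResourceARN": "arn:aws:s3:::example-data-lake",
     "Tags": [{"Key": "Owner", "Value": "analytics"}]},
    {"ResourceARN": "arn:aws:rds:us-east-1:111111111111:db:orders-db",
     "Tags": [{"Key": "Env", "Value": "staging"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:111111111111:function:nightly-report",
     "Tags": [{"Key": "Owner", "Value": "analytics"}]},
]

# Constructed cost-by-service figures (USD) for the audited period.
COST_BY_SERVICE = {
    "Amazon Elastic Compute Cloud - Compute": 812.40,
    "Amazon Simple Storage Service": 95.10,
    "Amazon Relational Database Service": 310.00,
    "AWS Lambda": 4.20,
    "Amazon Redshift": 640.00,   # billed but absent from the inventory
}

# Map the service prefix found in an ARN to the billing service name.
# Assumed mapping covering only the sample data; not a complete table.
ARN_SERVICE_TO_BILLING = {
    "ec2": "Amazon Elastic Compute Cloud - Compute",
    "s3": "Amazon Simple Storage Service",
    "rds": "Amazon Relational Database Service",
    "lambda": "AWS Lambda",
}


def parse_arn(arn):
    """Return (service, region, resource) from an ARN.
    S3 ARNs carry no region or account; an empty region is reported as 'global'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, _, service, region, _, resource = parts
    return service, region or "global", resource


def tag_value(record, key):
    """Value of the named tag on a GetResources record, or None if absent."""
    for tag in record.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def build_register(resources):
    """One row per resource: service, region, identifier and owner (or None)."""
    register = []
    for rec in resources:
        service, region, resource = parse_arn(rec["ResourceARN"])
        register.append({"arn": rec["ResourceARN"], "service": service,
                         "region": region, "resource": resource,
                         "owner": tag_value(rec, OWNER_TAG)})
    return register


def unowned(register):
    """Resources with no business owner recorded: an ISMS gap to chase."""
    return [row["arn"] for row in register if row["owner"] is None]


def services_in_scope(register, cost_by_service, mapping):
    """Services the audit must cover: everything in the inventory plus
    everything that appears on the bill."""
    seen = {mapping.get(row["service"], row["service"]) for row in register}
    billed = {svc for svc, cost in cost_by_service.items() if cost > 0}
    return sorted(seen | billed)


def billed_but_not_inventoried(register, cost_by_service, mapping):
    """Services on the bill with no resource in the inventory: either the
    inventory is incomplete or something is running that nobody declared."""
    seen = {mapping.get(row["service"], row["service"]) for row in register}
    return sorted(svc for svc, cost in cost_by_service.items()
                  if cost > 0 and svc not in seen)


def regions_in_use(register):
    """Regions that hold at least one inventoried resource."""
    return sorted({row["region"] for row in register})


if __name__ == "__main__":
    reg = build_register(RESOURCES)
    print("Regions in use:", regions_in_use(reg))
    print("Services in scope:", services_in_scope(reg, COST_BY_SERVICE, ARN_SERVICE_TO_BILLING))
    print("Billed but not inventoried:", billed_but_not_inventoried(reg, COST_BY_SERVICE, ARN_SERVICE_TO_BILLING))
    print("No owner tag:", unowned(reg))
```

In practice the two inputs would be fetched per region (tagging API) and per billing period (Cost Explorer); the cross-check between them is what catches resources that the tag-based inventory misses, so disagreement between the lists is the finding to follow up, not an error in the script.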
Define Boundaries of Audit
- Understand core business processes and their alignment with IT
- Description of AWS services being used
- Determine which services will be reviewed
- Obtain previous audit reports and remediation plans for review
Pre-audit Risk Assessment
- Identify Risks – has risk assessment been done for assets?
- Review Risks – review previous risk assessment reports
- Assess whether these reports reflect current environment and adequately describe residual risks
Review Risk Documentation
Assessment plans and reviews should be reviewed against Risk Management Policies and Procedures
- Include – identification of risks associated with AWS
- Identification of business owners and stakeholders
- Review of previous audits of AWS services
- Evaluation of overall risk factor in performing AWS services review
Auditing AWS Environment
Framing of Questions to be Asked
- Governance: what AWS services are in use? Are these services included in Risk Management Plan?
- Assess Configuration Management: what is the management process used to manage operational integrity of assets?
- Logical Access Control: Do you know how users and permissions are set up for AWS?
- Data Encryption: Where is data and how is it protected?
- Network Configuration and Management: Does the business understand the network architecture of its AWS services?
- Security Logging and Monitoring: Are systems logged and monitored?
- Security Incident Response: Is the AWS environment part of the Incident Response Management Plan and Procedures?
- Disaster Recovery: Does the DR Plan include AWS systems?
Much of the hard work can be taken care of by [AWS Config](https://aws.amazon.com/config/), a managed service that records resource configurations, maintains a register of assets and evaluates them against rules. Don't forget to audit your team's use of AWS Config itself, though, especially for completeness and timeliness!
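Checking AWS Config for completeness and timeliness means asking, for every region in use, whether a recorder exists, whether it records all supported resource types, whether it is running and reporting success recently, and whether a delivery channel stores the history. The script below is an added example, not part of the original page or of AWS Config; it runs offline on constructed per-region snapshots shaped like the responses of the AWS Config API calls `DescribeConfigurationRecorders`, `DescribeConfigurationRecorderStatus` and `DescribeDeliveryChannels`. The 24-hour freshness tolerance, the fixed "now", the region names and the bucket name are assumptions for the sample.

```python
"""Audit AWS Config coverage for completeness and timeliness across regions.

Added example, not part of the original page. REGION_SNAPSHOTS is constructed
sample data mimicking the shapes of DescribeConfigurationRecorders,
DescribeConfigurationRecorderStatus and DescribeDeliveryChannels; in practice
these would be fetched per enabled region (e.g. with boto3), which this offline
example does not do.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
MAX_AGE = timedelta(hours=24)  # assumed tolerance for the recorder's last status change

REGION_SNAPSHOTS = {
    "eu-west-1": {  # fully configured region
        "recorders": [{"name": "default",
                       "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True}}],
        "status": [{"name": "default", "recording": True, "lastStatus": "SUCCESS",
                    "lastStatusChangeTime": NOW - timedelta(hours=2)}],
        "channels": [{"name": "default", "s3BucketName": "config-logs-example"}],
    },
    "us-east-1": {  # only a hand-picked list of types is recorded, and status is stale
        "recorders": [{"name": "default",
                       "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                                          "resourceTypes": ["AWS::EC2::Instance"]}}],
        "status": [{"name": "default", "recording": True, "lastStatus": "SUCCESS",
                    "lastStatusChangeTime": NOW - timedelta(days=3)}],
        "channels": [{"name": "default", "s3BucketName": "config-logs-example"}],
    },
    "ap-southeast-2": {  # region in use (per the asset register) but Config never set up
        "recorders": [], "status": [], "channels": [],
    },
    "eu-central-1": {  # recorder stopped and no delivery channel
        "recorders": [{"name": "default",
                       "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}],
        "status": [{"name": "default", "recording": False, "lastStatus": "FAILURE",
                    "lastStatusChangeTime": NOW - timedelta(hours=1)}],
        "channels": [],
    },
}


def audit_region(region, snap, now=NOW, max_age=MAX_AGE):
    """Return a list of findings (strings) for one region; empty means OK."""
    findings = []
    if not snap["recorders"]:
        findings.append(f"{region}: no configuration recorder")
        return findings
    status_by_name = {s["name"]: s for s in snap["status"]}
    for rec in snap["recorders"]:
        group = rec.get("recordingGroup", {})
        if not group.get("allSupported"):
            findings.append(f"{region}: recorder {rec['name']} does not record all supported types")
        st = status_by_name.get(rec["name"])
        if st is None or not st.get("recording"):
            findings.append(f"{region}: recorder {rec['name']} is not recording")
            continue
        # The API documents Pending/Success/Failure; compare case-insensitively.
        if str(st.get("lastStatus", "")).upper() != "SUCCESS":
            findings.append(f"{region}: recorder {rec['name']} last status {st.get('lastStatus')}")
        changed = st.get("lastStatusChangeTime")
        if changed is None or now - changed > max_age:
            findings.append(f"{region}: recorder {rec['name']} last status older than {max_age}")
    if not snap["channels"]:
        findings.append(f"{region}: no delivery channel, configuration history is not being stored")
    return findings


def audit_all(snapshots, now=NOW, max_age=MAX_AGE):
    """Per-region findings plus account-level findings about global resource
    types (IAM etc.), which should be recorded in exactly one region."""
    per_region = {r: audit_region(r, s, now, max_age) for r, s in snapshots.items()}
    global_regions = [r for r, s in snapshots.items() for rec in s["recorders"]
                      if rec.get("recordingGroup", {}).get("includeGlobalResourceTypes")]
    account = []
    if not global_regions:
        account.append("no region records global resource types")
    elif len(global_regions) > 1:
        account.append(f"global resource types recorded in several regions: {global_regions}")
    return per_region, account


if __name__ == "__main__":
    per_region, account = audit_all(REGION_SNAPSHOTS)
    for region, findings in per_region.items():
        print(region, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    for finding in account:
        print("account:", finding)
```

The region list fed to this check should come from the asset register rather than from Config itself, so that a region with resources but no recorder shows up as a gap instead of being silently skipped.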
References for Security Audit Preparation
Sybex CISA Certified Information Systems Auditor Study Guide