Preparing to Audit your AWS Resources

Auditing AWS Resources used in your Organisation

One of the requirements of an Information Security Management System (ISMS) is to maintain a register of assets.

The purpose of the audit is to assess the security of the AWS assets in use (and of assets that are provisioned but not in use, which still cost money and still carry risk), and to consider the budget implications.

Define which AWS assets are being used

Identify assets:

  • Instances
  • Data stores
  • Applications
  • Data

Operational Checklists

1. Basic operational checklist
2. [Enterprise Operations Checklist](https://d0.awsstatic.com/whitepapers/aws-security-at-scale-governance-in-aws.pdf)
3. [Auditing Security Checklist](https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf)

Auditing Security

Pre-audit tasks

1. Poll/interview the IT and development teams
2. Review AWS expense reports
3. Understand what services are being used
   • This will help define the scope and focus of the audit
4. Define audit objectives that align with the Audit Program, Annual Plan and Charter
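Steps 2 and 3 above can be partly mechanised: the bill is the one inventory nobody can opt out of, so a service that appears on it but not in the asset register is the first scoping question to raise with the teams. The following is an added Python example, not code from the original post; it works on the response shape of Cost Explorer's GetCostAndUsage grouped by the SERVICE dimension. The sample response and the declared-services set are constructed stand-ins for the live call and for the organisation's asset register.

```python
"""Derive the list of AWS services actually in use from the bill.

Added example (not from the original post). The input is the response
shape of boto3.client("ce").get_cost_and_usage(...) grouped by the
SERVICE dimension; the sample below is constructed, not real billing data.
"""
from decimal import Decimal

# Constructed sample in the shape Cost Explorer returns for
# GroupBy=[{"Type": "DIMENSION", "Key": "SERVICE"}], Granularity="MONTHLY".
SAMPLE_COST_EXPLORER_RESPONSE = {
    "ResultsByTime": [
        {
            "TimePeriod": {"Start": "2024-01-01", "End": "2024-02-01"},
            "Groups": [
                {"Keys": ["Amazon Elastic Compute Cloud - Compute"],
                 "Metrics": {"UnblendedCost": {"Amount": "412.50", "Unit": "USD"}}},
                {"Keys": ["Amazon Simple Storage Service"],
                 "Metrics": {"UnblendedCost": {"Amount": "38.20", "Unit": "USD"}}},
                {"Keys": ["Amazon Relational Database Service"],
                 "Metrics": {"UnblendedCost": {"Amount": "210.00", "Unit": "USD"}}},
                {"Keys": ["AWS Lambda"],
                 "Metrics": {"UnblendedCost": {"Amount": "0.00", "Unit": "USD"}}},
                {"Keys": ["Amazon SageMaker"],
                 "Metrics": {"UnblendedCost": {"Amount": "1.75", "Unit": "USD"}}},
            ],
            "Estimated": False,
        }
    ]
}

# Hypothetical asset register: the services the teams said they use.
DECLARED_SERVICES = {
    "Amazon Elastic Compute Cloud - Compute",
    "Amazon Simple Storage Service",
    "Amazon Relational Database Service",
}


def services_from_bill(response, metric="UnblendedCost"):
    """Return {service_name: total_cost} summed across all billing periods.

    Zero-charge services are kept on purpose: a Lambda function inside the
    free tier is still code running in the account, so it is in scope.
    """
    totals = {}
    for period in response["ResultsByTime"]:
        for group in period["Groups"]:
            name = group["Keys"][0]
            amount = Decimal(group["Metrics"][metric]["Amount"])
            totals[name] = totals.get(name, Decimal("0")) + amount
    return totals


def undeclared_services(response, declared):
    """Services on the bill but absent from the asset register, most
    expensive first. Each one is a scoping question for the interviews."""
    totals = services_from_bill(response)
    missing = {name: cost for name, cost in totals.items() if name not in declared}
    return sorted(missing.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Live use replaces the sample with the real call, for example:
    # boto3.client("ce").get_cost_and_usage(
    #     TimePeriod={"Start": "2024-01-01", "End": "2024-02-01"},
    #     Granularity="MONTHLY", Metrics=["UnblendedCost"],
    #     GroupBy=[{"Type": "DIMENSION", "Key": "SERVICE"}])
    for name, cost in undeclared_services(SAMPLE_COST_EXPLORER_RESPONSE, DECLARED_SERVICES):
        print(f"not in asset register: {name} ({cost} USD)")
```

Cost Explorer reports per linked account, so in an AWS Organizations setup run this from the management (payer) account, or add a second GroupBy on LINKED_ACCOUNT to see which business unit owns the undeclared service.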

Define Boundaries of Audit

  • Understand core business processes and their alignment with IT
  • Description of AWS services being used
  • Determine which services will be reviewed
  • Obtain previous audit reports and remediation plans for review

Pre-audit Risk Assessment

  • Identify Risks – has a risk assessment been done for the assets?
  • Review Risks – review previous risk assessment reports
  • Assess whether these reports reflect the current environment and adequately describe the residual risks

Review Risk Documentation

Assessment plans and reviews should be reviewed against Risk Management Policies and Procedures

  • Include – identification of risks associated with AWS
  • Identification of business owners and stakeholders
  • Review of previous audits of AWS services
  • Evaluation of overall risk factor in performing AWS services review

Auditing AWS Environment

Framing of Questions to be Asked

  • Governance: what AWS services are in use? Are these services included in the Risk Management Plan?
  • Configuration Management: what management process maintains the operational integrity of the assets?
  • Logical Access Control: do you know how users and permissions are set up for AWS?
  • Data Encryption: where is the data, and how is it protected at rest and in transit?
  • Network Configuration and Management: does the business understand the network architecture of its AWS services?
  • Security Logging and Monitoring: are systems logged and monitored?
  • Security Incident Response: is the AWS environment part of the Incident Response Management Plan and Procedures?
  • Disaster Recovery: does the DR Plan include AWS systems?

Of course, much of the hard work can be taken care of by [AWS Config](https://aws.amazon.com/config/), a managed service that records resource configurations, maintains a register of assets and evaluates them against rules. Don't forget to audit your team's use of AWS Config too, especially for completeness (is it recording every resource type, in every region, including global resources such as IAM?) and timeliness (is it still running and delivering?).
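An added Python example (not from the original post, and not AWS Config's own tooling) of what auditing your use of AWS Config looks like in practice. It evaluates, for one region, the responses of DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus and DescribeDeliveryChannelStatus, and returns findings for the completeness and timeliness gaps named above. The sample responses, the account ID in the role ARN and the 24-hour freshness tolerance are constructed assumptions.

```python
"""Check one region's AWS Config recorder for completeness and timeliness.

Added example (not from the original post). Inputs are the response shapes
of boto3.client("config").describe_configuration_recorders(),
describe_configuration_recorder_status() and describe_delivery_channel_status();
the samples below are constructed, and MAX_AGE is an assumed tolerance.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_AGE = timedelta(hours=24)                            # assumed freshness tolerance

# Constructed sample: a recorder that only covers two resource types.
RECORDERS = {"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/aws-config-role",  # hypothetical
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"],
    },
}]}

# Constructed sample: running, but the last delivery failed.
RECORDER_STATUS = {"ConfigurationRecordersStatus": [{
    "name": "default",
    "recording": True,
    "lastStatus": "FAILURE",
    "lastErrorCode": "InsufficientDeliveryPolicyException",
}]}

# Constructed sample: the last successful history delivery is three days old.
CHANNEL_STATUS = {"DeliveryChannelsStatus": [{
    "name": "default",
    "configHistoryDeliveryInfo": {
        "lastStatus": "FAILURE",
        "lastSuccessfulTime": NOW - timedelta(days=3),
    },
}]}


def audit_config_recorder(recorders, recorder_status, channel_status,
                          now=NOW, max_age=MAX_AGE):
    """Return a list of findings; an empty list means the region passes.

    Completeness: a recorder must exist, record all supported resource
    types, and include global types (IAM is global and is recorded by at
    most one region's recorder, so a regional-only recorder sees no users
    or roles). Timeliness: it must be running, its last status must be
    SUCCESS, and configuration history must have been delivered recently.
    """
    findings = []
    recs = recorders.get("ConfigurationRecorders", [])
    if not recs:
        return ["no configuration recorder in this region"]
    group = recs[0].get("recordingGroup", {})
    if not group.get("allSupported"):
        findings.append("recorder does not record all supported resource types: "
                        f"only {sorted(group.get('resourceTypes', []))}")
    if not group.get("includeGlobalResourceTypes"):
        findings.append("recorder excludes global resource types (IAM not recorded)")

    statuses = recorder_status.get("ConfigurationRecordersStatus", [])
    st = statuses[0] if statuses else {}
    if not st.get("recording"):
        findings.append("recorder is stopped")
    if st.get("lastStatus") != "SUCCESS":
        findings.append(f"recorder last status {st.get('lastStatus')}: "
                        f"{st.get('lastErrorCode')}")

    channels = channel_status.get("DeliveryChannelsStatus", [])
    history = channels[0].get("configHistoryDeliveryInfo", {}) if channels else {}
    last_ok = history.get("lastSuccessfulTime")
    if last_ok is None or now - last_ok > max_age:
        findings.append("no successful configuration history delivery within "
                        f"{max_age}; the asset register may have gaps")
    return findings


if __name__ == "__main__":
    for finding in audit_config_recorder(RECORDERS, RECORDER_STATUS, CHANNEL_STATUS):
        print("FINDING:", finding)
```

Run it once per enabled region; a region with no recorder at all is the most common completeness gap, and it is exactly the region where an unregistered resource goes unnoticed.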

References for Security Audit Preparation

AWS, [AWS Auditing Security Checklist](https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf)

Sybex, CISA Certified Information Systems Auditor Study Guide
