AWS Security Audit Work Plan - IT Audit and Governance Blog

AWS IT Security Audit Work Plan

Determine if a Cloud Adoption Office (CAO) has been established.
A CAO is an essential mechanism for successful cloud adoption.

An auditor should review:

CAO has been established,
Cloud activities within the company are managed through the CAO,
Stakeholders include infrastructure, security, compliance, finance, and HR, and.
Frameworks, policies, standards, and procedures have been defined for the cloud.

Determine if the Cloud Adoption Framework (CAF) has been developed.
CAF includes best practices and approaches to cloud computing throughout the organization.
Proper sign-offs on CAF from senior management.

The multi-account strategy is well documented and leverages tools such as AWS Organizations and AWS Control Tower to manage the multi-accounts (if applicable).
Clearly define an AWS account-creation process. Understanding who in the company is creating AWS accounts and what each account will be used for is an essential part of an AWS account. Many companies have a centralized process for creating AWS accounts; however, centralization is not required as long as the process is well-defined and allows a business to maintain an account inventory.
Define a company-wide AWS usage policy. Implement well-defined AWS usage policies and vet them with company stakeholders to align business and security requirements. This empowers CSCs to leverage AWS without internal confusion about what is or is not within policy guidelines. An AWS usage policy should include a company’s minimal security baseline requirements for how they will use AWS, such as which services are approved for use or what security or encryption features must be enabled.
Create a security account structure for managing multiple accounts. Creating a security relationship between accounts makes it even easier for companies to assess the security of AWS-based deployments, centralize security monitoring and management, manage identity and access, and provide audit and compliance monitoring services.
Leverage AWS API operations and scripts. Many CSCs leverage the AWS API operations and custom-developed scripts to automatically and consistently apply baseline configurations across multiple AWS accounts. CSCs should consider leveraging compliance-monitoring scripts to provide insight into how well a company’s accounts comply with its defined policies and standards for AWS usage.

Determine if management or an internal function performs a periodic assessment of cloud control effectiveness at a frequency consistent with the policy (for example, annually).
Inspect the risk and control assessment results to determine if the assessment included design and operating effectiveness testing of controls.
Inspected that results were communicated to those charged with governance.
Inspect that, when applicable, remediation processes took place and were followed through to resolution.

Identity and Access Management

Inquire and understand user access life cycle policies and procedures followed by management.
Inspect access provisioning and de-provisioning procedures to determine appropriate individuals authorized to grant and approve access.
Obtain and inspect a list of new user provision access during the period. Use AWS services to obtain the user list as follows:
For AWS IAM users –
Obtain user profile details from AWS Console >> IAM Service >> Credential report >> download the report.

Further, apply a filter on column “User_creation_time” in the file downloaded to obtain a specific list of users provisioned in the audit period. (This is a point in time)

Obtain and inspect CloudTrail logs to assess events related to user provisioning activity during the audit period.
For Federated users, it is based on the implemented AWS architecture.
Determine if management uses AWS Directory Service, and then obtain AD event logs from CloudWatch logs.
Determine if management uses AWS single sign-on service, then obtain the targeted logs from CloudTrail using Amazon Athena or possibly CloudWatch logs if forwarded.

iii. Determine if management manages the on-premise AD, then obtain logs from on-premises AD.

If management uses on-premise AD, Amazon Kinesis Agent for Microsoft Windows or CloudWatch agent can feed data into CloudWatch.
Perform testing over the user list to determine the completeness and accuracy of the list generated (for example, review query language to determine that no users have been inappropriately excluded).
Select a sample of individuals Based on the number of access additions/changes over the period. For the sample selected:
Inspect evidence that approval was obtained before access was granted.
Inspect evidence that the appropriate personnel approved.

Obtain and inspect the list of terminated or departmental transfer users from the Human Resource management department. Determine if the termination or transfer date from one department to another is available and accurate in the listing. Use AWS services to obtain the list as follows:
AWS users – Analyze AWS CouldTrail logs for IAM user deletion event to determine the

de-provisioned user.

Federated users – Based on implemented AWS architecture.
Determine if management uses AWS Directory Service, then obtain AD event logs from CloudWatch.
Determine if management uses AWS single sign-on service, then obtain logs from CloudWatch.

iii. Determine if management manages the AD without using AWS services, then obtain logs from on-premises AD. If management manages AD without an AWS service, Kinesis Agent for Windows (KAW) can feed data into CloudWatch.

Perform testing over the user list to determine the completeness and accuracy of the list generated (for example, review query language to determine that no users have been inappropriately excluded).
Select a sample of individuals based on the number of terminations/transfers over the period. Inspect CloudTrail logs to assess IAM user deletion events and related details such as time stamps, user IDs, etc. For the sample selected:
Determine system credentials are removed when user access is no longer authorized on a

timely basis (refer to the user list mentioned in step #2.

Obtain evidence of the periodic user access review retained by management.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the review.
For example, if a query generates a list of users for review, regular expression, etc.
Inspect the review artifacts to:
Determine that it was performed by the appropriate personnel (for example, someone with sufficient understanding of the system listing and associated access types) and at the right level of precision (for example, is there enough information in the review to determine what access each user has? Is there enough information to determine who has access to generic accounts?).
Determine if the reviewer(s) requested any modifications. If so, inspect evidence that appropriate action (removal, modification) was performed.
Inspect the review artifacts to determine that the review was performed promptly, including any access modifications requested by the reviewer. Inspect the review artifacts to determine that there were no cases of self-review (that is, the reviewer is not responsible for signing off on their access). Note: The reviewer is blocked from approving their access.
Inspect the review artifacts for evidence of approval.

Inspect AWS configurations and validate the system is configured to enforce multi-factor authentication for user and root accounts. Specifically:
Click on Services >> Click IAM >> Under the Access Reports, click the Credential report >> Click the Download Report button
For root and any other user, if “password enabled” = true, ensure “mfa_active” is also true
For federated Roles, include a check-in trust policy for MFA. Use eduPersonAssurance SAML Attribute. Determine rules set up in AWS Config service to monitor changes to MFA policies. If there is a change in AWS Config monitoring rules for MFA configuration, then:
Determine the applicability of the AWS SSO service. If applicable, then determine the MFA settings by accessing AWS console >> open SSO console >> choose Settings >> choose Configure. Further, verify that “Always On” or “Context Aware” fields are selected to enforce MFA.
For AWS-managed MFA, Config is set to alarm via CloudWatch if MFA is not configured.
For AWS-managed AD, CloudTrail and CloudWatch (for alarming) can be set to alarm to monitor MFA changes.

Obtain evidence of the periodic role permissions review.
Evidence could be of the review being performed in a spreadsheet, via email, and so on.
Ensure the review of policies regarding roles in the AWS console (or via API).
Obtain an understanding of how management gains assurance over the completeness and accuracy of the review (for example, does management review parameters used to generate the access listing?).

The auditor should compare change approvals with logs – Config or CloudTrail and CloudWatch (alarms) logging.

Use AWS Policy Simulator (API or console) to test the level of access granted by the policy or use IAM Access Analyzer or Advisor

Verify that role assignment follows the principle of least privilege. At least annually, definitions of role permissions are extracted and reviewed to ensure that each role is defined per this principle.

Obtain evidence of the periodic role permissions review.
Evidence could be of the review being performed in a spreadsheet, via email, and so on.
Ensure review of policies over roles in the AWS console (or via API).
Obtain an understanding of how management gains assurance over the completeness and accuracy of the review (for example, does management review parameters used to generate the access listing?).

The auditor should compare change approvals with logs – Config or CloudTrail and CloudWatch (alarms) logging.

Use AWS Policy Simulator (API or console) to test the level of access granted by the policy or use IAM Access Analyzer or Advisor.
Inspect the review artifacts to determine:
Review was performed by the appropriate personnel (for example, someone with sufficient understanding of the system listing and associated access types) and at the right level of precision (for example, is there enough information in the review to determine what access each role has?).
If the reviewer(s) requested any modifications, inspect evidence that appropriate action (removal, modification) was performed.
The review was performed promptly, including any access modifications requested by the reviewer.
Evidence of approval (for example, signature).

Inquire with management to understand preventative or detective guardrails implemented to restrict and monitor usage of root account activity.
Inspect whether guardrails are implemented per management’s expectation. If implemented, assess their status of compliance. Preventive guardrails can be either enabled or not enforced; detective guardrails can be either explicit, in violation, or not enabled.
AWS provides standard rules to enable and protect root user accounts, such as the “Guardrails rule preventing the creation of access keys for the root user.” The Auditor should look for custom guardrail rules that management has implemented.
Obtain evidence of the user access review.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the review (for example, does management review parameters used to generate the access listing?).
Inspect the review artifacts to determine:
that it was performed by the appropriate personnel (for example, someone with sufficient understanding of the system listing and associated access types) and at the right level of precision (for example, is there enough information in the review to determine what access each user has? is there enough information to determine who has access to generic accounts? etc.).
If the reviewer(s) requested any modifications, inspect evidence that appropriate action (removal, modification) was performed.
that the review was performed promptly, including any access modifications requested by the reviewer.
that there were no cases of self-review (that is, the reviewer is not responsible for signing off on their access).
evidence of approval (for example, signature).
Review systems configurations to determine that the root user account is secured and has not been used over the period. Specifically, click on services >> IAM >> Credentials report >> download the report. Check if there is a last login date for the root account.

Data Security and Privacy

Understand management’s approach to data governance and how data classification is performed.
Ensure that there is an awareness and documentation of where exactly sensitive data is stored and how it is transmitted across applications, databases, servers, and network infrastructure.
Verify alignment with defined retention periods and end-of-life disposal requirements.
Data protection controls are in place to guard against unauthorized use, access, loss, destruction, and falsification.
Obtain and inspect data governance/classification policies and procedures.
Review to determine if the relevant topics identified through inquiry are covered at an adequate level of detail to allow for a practical data classification assessment.
Based on the frequency with which data classification assessments are performed, select a sample of data classification assessments performed by management. Inspect the review artifacts to determine the following:
that the sample data classification assessment(s) were performed promptly and by the appropriate personnel (based on frequency and ownership established by policy)
that the data classification assessment is for evidence that an inventory of where sensitive data is stored and transmitted was included and reviewed, and any necessary updates were documented promptly.
that data was classified per company policy.
Management reviewed the alignment with the retention period and disposal/deletion, and the items that did not align were tracked to resolution.

Inquire with responsible and accountable individuals to verify the following:
Mechanisms used to facilitate the connection from the on-premises environment to the AWS environment, including:
Access to the AWS environment via the network
Access to the AWS environment via remote connection (if applicable)

iii. Policies and procedures govern the administration of the technology identified to support connections to the AWS environment.

Obtain a list of:
Setups for infrastructure services approved by management.
Encryption implementation and changes for the period.
Obtain assurance over the completeness and accuracy of the list of encryption implementation/changes for the period (for example, no inappropriate filters, parameters, or exclusions).
For the sample selected:
Inspect that implementation and changes were designed, reviewed, approved, and tested per company policy.
Observe that there’s evidence that encryption technology is used to connect to the AWS environment both remotely and via the network.
Inspect the encryption technology configurations for evidence that the technology is configured per policies.

Inquire with management to obtain an understanding of the existing policies and standards in place for encryption key management, including the frequency with which the specification and standards document is reviewed and who is responsible for performing that review
Obtain essential management specification standards and policy documents and inspect whether key topics are incorporated and formally documented. Some of the key issues may include:
Encryption key management requirements,
Cryptographic practices,
Crypto-periods and key rotation,
Key storage and protection mechanisms for cryptographic information at rest and in transit,
Key distribution and access,
Key accountability and audit,
Key archive, backup, and recovery,
Key compromise and recovery,
Key revocation and destruction, and
Authentication mechanisms are configured and in place to ensure critical material confidentiality.
Inspect to determine whether a periodic review and updates have been performed and signed off at least annually by the authorized reviewer.

Inquire with management to obtain an understanding of the periodic review process in place, including:
Various security roles and permissions configured within AWS.

KMS that allows users to define usage policies, manage keys, and administer AWS KMS

How does management determine that the individual(s) responsible for review are sufficiently competent to understand and interpret access to key management, and how does management address the risk of self-review?
Obtain a complete population inventory of relevant KMS key policies, explicitly reviewing the last modification date. This includes identity and access management (IAM) policies where AWS KMS permissions are granted. Select a sample of AWS KMS key policies modified during the audit review period.
If the key policy was modified during the audit period, request evidence that the modification was reviewed/approved by the authorized policy owner.
For all selections, inspect the configuration to determine that it is aligned with management expectations. Some of the key considerations may include:
Are IAM policies enabled to enforce the principle of least privilege? If so, are these IAM policies configured to be consistent with management expectations? What users, groups, and roles have been attached to the customer master keys (CMK)?
Is the key policy attached to the CMK defined to limit the use and management of the key consistent with management expectations?

iii. Is the key limited to only specific AWS services?

Is access to update/change the key policy limited to authorized individuals?
Are CMK grants being used? Do these follow management policies?
Is CMK auditing enabled in CloudTrail to allow for management monitoring?

vii. Are CMK key tags being applied to enable visibility/monitoring of appropriate usage?

For any AWS KMS key policies that do not meet with management policies, obtain evidence (for example, documented risk acceptance, compensating controls, or approval) that an exception to management requirements was made.

Inquire with management to understand crypto-periods defined per specific key types and processes.
Obtain and inspect a sample of periodic reviews completed by management to determine the following:
A system-generated and complete listing of in-scope key types is included for review, including evidence of key rotation validated by management.
An authorized reviewer performs the review promptly.
The review incorporates existing key types and whether they are rotated per the defined crypto-period and rotation intervals established.
The selection of datasets is included in the review to validate that they are encrypted according to the policy.
Discrepancies identified are tracked to resolution.
Inquire with management to obtain an understanding of relevant production deployment templates for the environment.
Include inquiry to determine how management identifies relevant privacy requirements to assign the appropriate region, apply relevant encryption configurations, and manage access permissions consistent with these requirements.
Obtain company policies regarding approved configurations for the given regions.
For each relevant production deployment template type (for example, all Amazon RDS deployments, all Amazon DynamoDB deployments, and so on), select a sample (for example, CloudFormation/Terraform) for inspection.
For each sample selected, determine that the deployment templates have been set up in permissible locations, consistent with policies, to verify alignment with regulatory and legal requirements (AMI, Region, instance size, encryption models, and so on).

Obtain an understanding of management’s review (for example, level of precision, who performs, how frequently, relevant legal/regulatory requirements, and so on)
Based on the frequency of review performed by management, request a sample of reviews
Inspect the sample for the following:
Evidence that all relevant systems/services have been reviewed within the assessment period.
Evidence that the reviewer inspected the relevant configuration setups to determine their appropriateness based on legal and privacy requirements.
For misaligned instances, obtain evidence that the misalignment was researched and resolved promptly.
Evidence of sign-off by an appropriate approver

Network Management

Obtain evidence of the business requirements and network design documentation.
Obtain an understanding of how management gains assurance over the completeness and accuracy of documentation.
Inspect the review artifacts to determine:
That documentation review was performed over all relevant configurations, as defined by the company policy and by the appropriate personnel (for example, someone with sufficient understanding of the configurations subject to review), at the right level of precision and promptly.
If the reviewers requested any modifications, inspect evidence that appropriate action (configuration update) was performed.
Evidence of approval.

Obtain a list of permitted data flows to verify the AWS services are used according to the principle of least privilege. Obtain review evidence from the following cloud services that control data flow and network connectivity:
Amazon VPC,
Amazon CloudFront,
AWS WAF,
Amazon Route 53, and
Elastic Load Balancing.
Examine relevant AWS infrastructure service configurations. Obtain an inventory of deployed network configurations (VPCs, Subnets, security groups, NACLs, PrivateLinks, S3 access control lists, WAF, and so on) and inspect for compliance with stated company policies for network access. For example:
If AWS Firewall Manager is deployed, use that to help gather firewall configuration information.
Determine the current VPC configuration (Classless inter-domain routing [CIDR]) range, subnets, route tables, and gateways to external networks (Internet/NAT/PrivateLink/VPC Peering/AWS GlobalAccelerator).
Determine if there is an AWS Transit Gateway. If so, what other networks does it allow routing access to?
Examine other AWS services attached to the VPC as an Elastic Network Interface. These must also be in scope and have a VPC security group configuration.
EC2 instances – what is the routing configuration for their subnet? What security groups are attached to them?
Load balancers – what ingress rules do they have? What ports on the EC2 instances can they forward to?
Inspect management’s risk assessment and mitigation plan for policy deviations.

Obtain evidence of the annual configuration review.
Obtain an understanding of how management.
Gain assurance over the completeness and accuracy of the review (for example, inventory of AWS networking infrastructure, including VPCs and components like route tables, NACLS, security groups, and so on, as well as the associated configurations).
Determine the configuration requirements (for example, company security policy and the latest list of configuration setting standards) to be used in the review.
Inspect the review artifacts to determine:
That review was performed over all relevant configurations, as defined by company policy (for example, VPCs route tables, security groups, NACLS, PrivateLink endpoints, monitoring services), by the appropriate personnel (for example, someone with sufficient understanding of the configurations subject to review), at the right level of precision, and promptly, including any configuration modifications requested by the reviewer.
If the reviewers requested any modifications, inspect evidence that appropriate action (configuration update) was performed.
Evidence of approval.
Evidence of completeness – Each network security-related change recorded by AWS Config should have a corresponding configuration change review.

Obtain evidence of the quarterly AWS Config logs review.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the review (for example, is AWS Config logs integrity configured? Are logs appropriately protected from change?).
Inspect the review artifacts to determine:
That the review was performed by the appropriate personnel, for example, someone with sufficient understanding of the logs and associated configurations; and at the right level of precision, for example, is there enough information in the review to determine each configuration change, and who made the change; and promptly, including investigation of unauthorized changes identified by the reviewer.
If the reviewers identified any changes made by an unauthorized user or process, inspect evidence that appropriate action (investigation, impact analysis, configuration modification, and so on) was performed.
Evidence of approval
If the reviewers identified any changes by unauthorized users or processes, inspect evidence that appropriate action (investigation, impact analysis, configuration modification, and so on) was performed.
Evidence of approval.

Verify relevant AWS services are enabled and appropriately configured.
For relevant services that are enabled, inspect a sample of activity to make sure that alerts and logs are being captured.

Obtain management’s procedure for monitoring, detecting, investigating, and resolving network incidents (Incident Response Process).
Request and inspect logs and events in Amazon CloudWatch and Amazon GuardDuty to identify whether any relevant network incidents occurred during the period. This includes AWS Flow Logs and other relevant AWS log sources, such as WAF logs.
If incidents occurred, request evidence (for example, ticket, email, and so on) of management investigation and resolution, including review and approval by an authorized owner and evidence that follow-up activities were actioned.

Obtain network architecture and understand DDoS protection and resiliency controls.
A resilient and secure DNS such as Route 53 should be used to resolve domains related to the solution. AWS Shield Advanced should be enabled for Internet-facing resources requiring DDoS protection. This includes:
Amazon CloudFront distributions,
Internet-facing Elastic Load Balancers (ELBs), and
Elastic IP addresses.
The VPC architecture should follow AWS best practices for resiliency, for example, those detailed in the Amazon VPC best practices documentation.
Multiple AWS Availability Zones (AZs) are used for high availability.
Elastic Load Balancers distribute traffic among EC2 instances across multiple Availability Zones and EC2 instances behind ELBs, configured in an auto-scaling group set to increase EC2 capacity when required.
Database components are designed to withstand network attacks, for example, by increasing capacity if there is an increased load. This can include a design that can accommodate adding read replicas, enabling multi-AZ failover, or using database caching technology to lessen database load during an attack.

Configuration Management

Obtain the most recent configuration management policies and procedures from management.
Inspect the policy documentation to determine the following:

Determine if the documentation contains the configuration requirements for all systems, services, or platforms. For example,

Assess whether AWS CloudFormation templates and stacks are used to manage and automate configuration requirements and whether there are resource tagging requirements for AWS CloudFormation.

Assess whether AWS OpsWorks is used to manage and automate configuration requirements.

You want to make sure that the CSC manages its configurations using an automated and repeatable toolset with appropriate change controls (potentially a Git workflow) for updates and inclusion of tagging requirements.

Determine if configuration ownership is included in the documentation. Ownership may be indicated through tagging or account structures.
Determine if configuration access and change management requirements are included in the documentation. Who can update configurations (who has access), and how is that managed? How are configurations updated (for example, is there a Git workflow, formal approvals, or other processes)?

For more detailed standards and procedures, determine if standards and procedures are defined for specific AWS services that your company uses, such as AWS IAM, AWS Key Management Service (AWS KMS), Amazon Simple Storage Service (Amazon S3), Amazon EC2, and Amazon EBS. The following are examples of some of the areas you can assess.

For Amazon EC2, determine whether there are instance-sizing requirements and definitions (t2.micro, t2.medium, c4.xlarge) and whether there are auto-scaling configuration requirements.
For the Amazon S3 standard, determine whether there are requirements for allowed storage class and encryption methods (for example, encryption is required using AWS KMS). Also, determine whether requirements are defined for public access restrictions and access control list requirements.
For Amazon EBS, determine whether Amazon EBS types are allowed (magnetic, throughput optimized, GP2) and whether there are encryption requirements (for example, encryption is required using AWS KMS).
For AWS Config, determine whether there are managed rules, custom rules, and cross-account sharing requirements.

Understand relevant configuration rules management sets to automate or enforce continuous monitoring. Ensure the AWS Config service has been enabled for the services/resources in scope for the audit.
Obtain a copy of management’s policy for configuration monitoring (for example, who is responsible for review/resolution of non-compliance, what configuration thresholds/settings are required, and so on) (instructions for reviewing AWS Config reports), (procedures to be performed for all relevant rules in scope for the assessment).
Review the AWS Config reports for all relevant rules.
In the AWS Management Console, navigate to AWS Config.
In the left navigation pane, select Rules.
On the Rule page, choose the rule’s name evaluating your relevant resources.
Select the resources from the Resources evaluated table on the Rule details page.
Compare a sample of non-compliant events with the notifications received.
From the Resource actions menu, select Compliance timeline.
In the compliance timeline, evaluate the compliance of the selected rules over the observation period.
Compare non-compliant events with notifications received.
Select a sample of the non-compliance notifications and inspect evidence that instances of non-compliance were reviewed and actioned by management.

Obtain evidence of management’s change review performed before deployment based on the policy requirements.
Ensure you understand how management ensures the review’s completeness and accuracy. For example, how does management ensure that all changes are performed per their change management process?
Inspect the evidence you’ve gathered to determine the following:

The review was performed by the appropriate personnel, for example, someone with a sufficient understanding of the systems and associated configurations.
The review was performed at the right level of precision; for example, there is enough information to determine each configuration change, appropriate backout or rollback procedures, and transparent information about who made the change.
The review was performed promptly, and the unauthorized changes identified by the reviewer were investigated promptly.
Whether one or more reviewers identified any changes by unauthorized users or processes. If such changes were identified, you should inspect the evidence that the appropriate action (investigation, impact analysis, configuration modification, and so on) was performed.
Is there evidence that the review received the approval of management?

Open the AWS Management Console and navigate to AWS Config.
On the left navigation pane, select the Aggregated Rules (or select Rules if they are not aggregating AWS Config to another account).
Select the rule’s name on the Aggregated Rules or Rules page and evaluate your relevant resources.
On the Rule details page, select the Required-Tags rule.
On the Resource actions menu, select Compliance Timeline. The compliance timeline is displayed.
Obtain a population of the non-compliance events for selected rules over the audit period.
Select a sample of non-compliant events and inspect that evidence to determine that management has taken corrective action (such as tagging respective resources).

Obtain an understanding of how management has designed the tagging requirements for AWS resources, including what information is required, what types of tags are used, who is responsible for tagging, who reviews the tagging classification, what the approval process is, how policies and procedures for setup are documented, and so on.
Based on the frequency of review performance, select a sample and obtain evidence that the CSC’s management did the following:

Obtained a complete and accurate list of relevant resources for review (consider the parameters used to generate system lists, the process for adding to manual lists, and so on).
Inspected that the list is consistent with policies to determine that each resource is tagged per the resource structure and requirements.
We ensured that evidence of research and resolution existed for any non-compliance instances (instances where no tags or the wrong tag is assigned).
Evidence of authorized approval within the review period.

Vulnerability Management

Obtain an understanding of how management evaluates patches released by AWS to determine whether they are relevant and required for the environment (i.e., perform a periodic assessment).
Obtain evidence of management’s periodic assessment to identify and obtain a population of relevant security patches and updates.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the population (e.g., inventory of AWS resources and the associated required patches).
Inspect evidence to determine that the assessment and application of patches were performed promptly.
Select a sample of patches applied during the period and obtain evidence demonstrating that implemented patches were appropriately tested and approved before migration to production.

Inspect the CloudWatch notification configuration to determine that:
CloudWatch is configured to generate automated notifications to management in case of non-compliant VMs.
Notification groups are appropriately configured to notify responsible personnel.
Based on the number of alerts, select a sample and inspect the evidence that management investigated and resolved them.

Understand how the intrusion prevention system, vulnerability detection application/software, and data loss prevention application/software have been configured to identify potential security issues in existing systems, services, or platforms.
Inspect the intrusion detection system, vulnerability detection application/software, or data loss prevention application/software configurations to determine whether they are configured to detect activity from potentially malicious code within cloud systems, services, or platforms and generate automated alerts for detected issues.
Determine whether the automated alerts are configured to notify appropriate personnel (as defined per the company’s policy) for timely investigation and resolution.

Obtain an understanding of how management evaluates patches released by AWS to determine whether they are relevant and required for the environment (i.e., perform a periodic assessment).
Inspect evidence to determine whether the population is complete and accurate (e.g., inspect the parameters used to generate the population).
Select a sample of identified events and inspect the evidence to determine that management investigated and followed up to the resolution, as applicable, in line with the Company’s policy.

Understand the vulnerability detection application/software and the configuration or rule sets to identify security issues in code changes before deployment to production.
Inspect the configuration to determine that the software requires all code to be evaluated for security issues before deployment to production and that the vulnerability detection configuration aligns with management’s requirements.
Obtain a population of all relevant security issues identified by the vulnerability application/software during the audit period.
Inspect evidence to determine whether the population is complete and accurate (e.g., inspect the parameters used to generate the population).
Select a sample of identified security issues and inspect the evidence demonstrating that management has investigated and followed up to resolve the issue.

Obtain evidence of the periodic penetration test review.
Understand how management gains assurance over the completeness and accuracy of the test (e.g., inventory of AWS infrastructure).
Inspect the penetration test review to determine whether the results review was performed overall and relevant to the customer’s AWS infrastructure.
Inspect the penetration test results, and if any security issues were noted, request evidence demonstrating that a remediation plan was implemented and assigned to an owner responsible for following it to resolution.
Inspect the penetration test results to determine whether they have been completed promptly and approved (e.g., by signature, ticket, or email) by authorized stakeholder(s).

User Device Management

Inspect AWS configurations and validate the system is configured to enforce multi-factor authentication for remote users to access the corporate network.
Click on Services >> Click IAM >> Under the Access Reports, click the Credential report >> Click the Download Report button.
For root and any other user if “password_enabled” = true, ensure “mfa_active” is also true.
Another way to check is in the AWS Management Console, open

SSO console >> choose Settings >> choose Configure >> verify Always On or Context Aware is selected.

Also use AWS Config to monitor the MFA settings.
To check the MFA status of a root user:
Sign in to the AWS Management Console with your root user credentials and open the IAM console at https://console.aws.amazon.com/iam/.
Check under Security Status to see whether MFA is enabled or disabled.

iii. If MFA has not been activated, your root user displays an alert symbol next to Activate MFA.

To check the MFA status of IAM users:
Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Users.

iii. If necessary, add the MFA column to the user’s table by completing the following steps:

Choose the settings icon above the table on the far right.
In Manage Columns, select MFA.
Choose Close to return to the list of users.
The MFA column tells you about the enabled MFA device.
If no MFA device is active for the user, the console displays Not enabled.
If the user has an MFA device enabled, the MFA column shows the type of device enabled with a value of Virtual, U2F Security Key, Hardware, or SMS.
Observe unsuccessful login attempts (each iteration of a failed attempt as determined by predefined lockout thresholds, for example, one failed attempt vs. multiple) and confirm that user lockout occurs based on the defined configuration.

Use AWS Config to obtain a population of all role modifications/creations during the coverage period.
Select a sample based on the number of role additions/changes over the period. For the sample selected:
Inspect evidence that approval was obtained before role creation or modification.
Inspect evidence that the appropriate personnel approved.

Obtain management’s procedure for monitoring, detecting, investigating, and resolving network incidents (Network Incident Management Process).
Request and inspect logs and events in Amazon CloudWatch and Amazon GuardDuty to identify whether any relevant network events occurred during the period. This includes Amazon CloudWatch Logs and other relevant AWS log sources, such as AWS WAF logs.
If incidents occurred, request evidence (for example, ticket, email, etc.) of management investigation and resolution, including review and approval by an authorized owner and evidence that follow-up activities were actioned.
Obtain an understanding of device issuance and user assignment process.
Obtain a list of devices issued to users from the device inventory system and confirm that all active devices are maintained within the inventory system with unique device IDs, issue dates, and individual user IDs.
Inspect the device issue log to determine that each device is assigned to an active user ID only by reconciling to the active user listing (if any discrepancies are noted, determine if there is a valid business rationale).
Select a sample of devices from the log and obtain associated service tickets. Inspect the tickets for evidence of device ID, issue date, and user ID, and compare them to the system log.
Obtain an understanding of the device registration process. Observe a new device registration and validate that network access is denied without registration of the user’s network credentials.
Obtain an understanding of how management evaluates patches released by AWS to determine whether they are relevant and required for the environment (that is, perform a periodic assessment).
Obtain evidence of management’s periodic assessment to identify and obtain a population of relevant security patches and updates.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the population (for example, inventory of AWS resources and the associated required patches).
Inspect evidence to determine that the assessment and application of patches were performed promptly.
Select a sample of patches applied during the period and obtain evidence demonstrating that implemented patches were appropriately tested and approved before migration to production.
Obtain an understanding of how management evaluates patches released by AWS to determine whether they are relevant and required for the environment (that is, perform a periodic assessment).
Obtain evidence of management’s periodic assessment to identify and obtain a population of relevant security patches and updates.
Obtain an understanding of how management gains assurance over the completeness and accuracy of the population (for example, inventory of AWS resources and the associated required patches).
Inspect evidence to determine that the assessment and application of patches were performed promptly.
Select a sample of patches applied during the assessment period and obtain evidence demonstrating that implemented patches were appropriately tested and approved before migration to production.
Obtain the CSC’s most recent user device security configuration management policies and procedures.
Inspect the policies’ documentation to determine whether they include:
Security configuration requirements for devices used,
Security configuration ownership, and
Security configuration access and change management requirements.
Inspect if the policies are reviewed/approved within one year (i.e., current policy).
Inspect the policies to determine if the reviewer was appropriate to perform the review (i.e., sufficiently competent).
Obtain an understanding of relevant rules set by management to automate/enforce scans and periodic monitoring of issued devices.
Obtain a copy of management’s policy for compliance monitoring (for example, who is responsible for reviewing/resolving non-compliance, what configuration thresholds/settings are required, etc.).
Inspect AWS IoT Device Defender to check all relevant automated configurations and determine that computerized alerts are sent to AWS IoT Console, Amazon CloudWatch, and Amazon SNS.
Obtain a complete list of all alerts for the period and select a sample. For a sample of notifications, inspect evidence that management reviewed and actioned instances of non-compliance according to the policy’s defined criteria.
Obtain an understanding of relevant rules set by management and inspect configuration to determine how alerts have been set up for each instance of non-compliance of the user devices (i.e., at a device level).
Obtain the security management policy and review the predefined thresholds/time frames in place (for example, the priority level dependent on instances of non-compliance).
Obtain a population of alert notification logs for the period. Select a sample of the non-compliance notifications and inspect evidence that management reviewed and promptly took action on non-compliance as per the security management policy in place.
For any long-standing alerts noted, confirm understanding of why resolution has not occurred and inspect evidence that management is doing follow-up.

Logging and Monitoring

Obtain management’s policies and procedures over logging and monitoring.
Inspect the policy documentation to determine whether it includes:
logging and resolution requirements for different systems/services/platforms used,
logging and monitoring ownership, and
logging and monitoring configuration access and change management requirements.
Inspect if the policy:
It is reviewed/approved at the company’s required frequency.
Is reviewed by the appropriate reviewer.
Understand how management determines the required configuration.
Obtain the policy and procedure documentation and the build document that outlines the expected configuration definition.
Inspect logging configuration is set in CloudTrail and VPC Flow Logs to monitor events.
Request and inspect the Amazon S3 bucket:
configuration to determine if it is configured to store log files.
retention policy to determine that S3 is configured per the policy and procedure requirements.
Evaluate logging of systems/services/platforms that are appropriately set as outlined in the company’s policy.
Obtain evidence of a periodic configuration review related to the collection and retention of logs.
Understand how management:
gains assurance over the completeness and accuracy of the review.
determined the configuration requirements to be used in the review.
Inspect the review artifacts to determine that the review was performed:
over all relevant configurations
as defined by the company policy,
by the appropriate personnel
at the right level of precision
in a timely manner
And has evidence of approval
Understand how the management configures log and monitoring data to forward to a central location.
Request and inspect the data store to determine that logs and monitoring data are collected in compliance with company policy.
Understand how management defines events that require logging and analysis. If a formal policy or build document has been created to outline the expected logging and alerting definition, obtain a copy for comparison.
Inspect the logging and alerting configurations within AWS Config, CloudWatch, and GuardDuty to determine that they are consistent with inquiries/policies.
Inspect the threshold configurations to determine that appropriate thresholds/triggers are established in line with company policy.
Based on the number of threshold scenarios, select a sample and inspect that management was notified of events and management performed remediation actions such as clean-up or analysis without exceptions.
Obtain management’s procedure for investigation and resolution of incidents.
Request and inspect Amazon CloudWatch, AWS Config, or GuardDuty logs to identify whether any relevant events or incidents occurred during the period.
If events requiring corrective action occurred, based on the number of the incidents, select a sample and inspect that management performed investigation and resolution, including review and approval by an authorized owner.

Incident Response

Obtain the Incident Management policy.
Inspect the policy for evidence of approval and distribution to all employees consistent with management requirements.
For example, if the policy supports a Sarbanes-Oxley (SOX) control, the auditor would expect it to be reviewed/distributed at least annually. This may be more or less frequent if the policy supports a compliance requirement.
Validate AWS configurations
If AWS service configurations are not already validated with another control, ensure that the monitoring tool and service configurations mentioned in the policy are correctly configured. For example, logging should be enabled on monitored services, and alerts and notifications should be set up correctly.
Obtain evidence of the periodic (for example, quarterly) incidents review.
Obtain an understanding of how Management gains assurance over the completeness and accuracy of the review (for example, does the reviewer inspect parameters used to generate the Incidents log from GuardDuty, CloudTrail, etc., to determine if no relevant data is excluded?).
Inspect the review artifacts to determine
That the review was performed by the appropriate personnel (for example, someone with sufficient understanding of the incident response procedures) and at the right level of precision (i.e., is there enough information in the review to determine which attributes were evaluated by the reviewer: root-cause analysis, response, and resolution in line with the AnyCompany Restaurant’s policy?).
Was the review performed in a timely manner, including investigating and resolving deviations from the incident?

The reviewer identified the response policy.

Whether approval was evident.
Understand how management determines required configuration (for example, triggering events and remediation responses). Obtain a policy and build document (should management maintain standalone build documents) that outlines the expected configuration definition.
Inspect the configuration of auto-remediation setup (i.e., AWS Config rules definitions) within AWS Config to determine that they are consistent with inquiries/policies.
Inspect the threshold configurations (for example, in Amazon CloudWatch) to ensure that appropriate thresholds/triggers are established by policy.
Based on the number of threshold scenarios, select a sample and inspect that auto-remediation (for example, through AWS Lambda) is triggered as configured without exceptions.
Based on the frequency of the reviews, select a sample and obtain evidence of management’s configuration reviews.
Obtain an understanding of how management
Gains assurance over completeness and accuracy of the review (types of incidents configured, thresholds, etc.).
Determined the configuration requirements to be used in the review.
Inspect the review artifacts to determine
That review was performed over all relevant configurations, as defined by policy, by the appropriate personnel (for example, someone with sufficient understanding of the configurations subject to review), at the right level of precision, and promptly, including any configuration modifications requested by the reviewer.
If any modifications were requested by the reviewer(s). If such requests were made, inspect evidence that appropriate action (configuration update) was performed.
Whether approval was evident.

Business Continuity and Contingency Planning

Understand how the BIA process is carried out, including but not limited to:
Frequency of performance/refresh
Who is involved in performing the assessment
Who are the key stakeholders (for example, RACI)
Who is responsible for final approval
What essential requirements are captured as part of the BIA?
Obtain a complete listing of business units in scope for the BIA.
Select a sample of relevant business units to determine
Whether BIAs are completed and requirements are appropriately captured within the template.
Whether it defines and prioritizes business processes based on the impact of downtime, including requirements surrounding critical facilities, key personnel, key technology and technology services, and critical vendors.
How were the impact thresholds determined, and did they align with overall enterprise risk management thresholds (for example, financial, regulatory, contractual, reputational, and so on)?
Whether RTOs and RPOs are documented, correlated to the BIA, and agreed upon by IT, the business, and senior management.
Whether BIAs have been formally approved and signed off by key business and IT management stakeholders.
First, obtain the BIA list and maintenance criteria, including the established frequency.
Obtain a complete listing of BIAs in place and the corresponding refresh schedule, including the frequency.
Select some refreshed BIAs to
Inspect the evidence of review and updates made to the existing BIAs, including evidence of agreement on any significant changes with the business and IT stakeholders.
Obtain approval evidence showing that the corresponding business continuity plan was appropriately updated and approved to reflect any significant updates from the BIA refresh.
Document findings
Obtain an in-scope list of AWS services.
Review the scope of AWS service level agreements (SLAs) to understand the service dependencies, availability, and design goals to align with the business requirements.
Review the architecture design, including DR architecture, and calculate SLA to validate that the application architecture meets the RTO and RPO defined by the BIA process.
Inquire with management to understand:
The formal process and framework (for example, template) in place for completing the DR plan.
The process periodically reviews existing DR plans so that critical changes to IT infrastructure, architecture, and dependent systems are tracked and updated in the respective DR plans.
Assess the plan development process to determine how stakeholders are involved, including reviewing plans for completeness (e.g., including assumptions, timelines, contacts, and so on).
Obtain a population of relevant systems/platforms/infrastructure, select a sample, and inspect DR plans to determine whether one is in place and formally documented.
If the plans were updated during (for example, annually). For changes requested as a result of the review, inspect the plans to determine whether changes were made according to the updates from the business and IT stakeholders and ensure that final sign-off and approvals on agreement of the changes are documented.
For a selection of DR plans, inspect to determine:
It adequately defines the procedures and requirements to activate, run, and support the recovery of dependent systems and IT assets.
Whether appropriate stakeholders’ input was captured and final approval and sign-off are documented for each DRP document.
Whether DR plans include failback procedures.
Identify all stakeholders who need to be updated during disruption. In addition to stakeholders involved in the recovery (such as engineers, technical support, and executives), CSCs should also pinpoint members of their public relations and marketing teams, vendors, third-party suppliers, and even key customers.
Inquire with management to understand the testing plan, strategy, and method (for example, tabletop, simulation, parallel testing) adopted by management to periodically test and validate business continuity plans such as disaster recovery, business continuity, pandemic, and crisis management.
Obtain a test schedule maintained by management
Select a sample of documented test results during the period to assess whether recovery tests were performed as planned, including completeness of scenarios, complexity, depth, and scope as per management requirements.
Obtain the test results document to determine whether a review of the testing was carried out and whether final sign-off from authorized stakeholders is documented.
Inquire management about the post-mortem process in place and the activities carried out by management after each testing exercise.
Obtain a test schedule maintained by management and select a sample of post-mortem reports completed during the period.
Obtain and inspect after-action reports to identify gaps and remediation actions tracked by management.
For a selection of remediation actions identified, inspect evidence to determine:
If remediation has been carried out per the agreed-upon plan and gaps have been appropriately closed.
If the testing exercise resulted in BCP and testing program updates, validate whether management has updated and approved subsequent changes.

Return to TOC