Overview: AWS Compliance
The AWS Marketplace offers a large variety of commercial and open source products that augment compliance within the AWS ecosystem. Sumo Logic's AWS Marketscape looks at the pros and cons of the most common compliance tools and solutions available through the AWS Marketplace.
Businesses in every industry confront a regulatory environment that is much more stringent and complex than at any time in the past. These circumstances don’t have a single root cause: instead, they’re the logical outcome of a diverse collection of unrelated events. These include the financial crisis, major security breaches, and a general growing desire to shield information from external entities.
The resulting directives are driven by internal corporate policies along with numerous externally defined requirements from standards bodies and government agencies, including PCI DSS, FISMA, SOX, HIPAA, and the NIST frameworks, to name just a few. By mandating extensive, ongoing audits, today's rigorous regulations go far beyond mere recordkeeping. Responding to investigatory requests is a distracting, time-consuming, and error-prone chore, but the cost of non-compliance or oversights is significant and can range from civil to even criminal penalties.
Simultaneously, enterprises are continuing their relentless migration toward cloud computing. Unfortunately, the flexibility, ease of use, and speed that make cloud-based software development and delivery so attractive also expose these organizations to much greater risk.
For example, a developer may upload sensitive information as part of a routine software testing process, or an administrator may provision and populate a new storage bucket in a region whose data-residency rules are stricter than those the organization has assessed. Both of these mistakes are inadvertent, yet both breach regulations, and neither is visible unless every API call and configuration change is being recorded.
Maintaining continuous compliance in a cloud environment like AWS requires a thorough understanding of compliance requirements and the tools available to you.
AWS Compliance Solutions and Tools
Before turning to the Marketplace, AWS itself provides two native services that help customers keep track of their cloud resources and streamline compliance efforts: AWS CloudTrail and AWS Config.
AWS CloudTrail records AWS API calls (including those made to compute, database, and storage services, whether from the console, the CLI, or SDKs) and delivers them as log files to an S3 bucket, encrypted at rest; a trail can be scoped to one region or configured to cover all regions. It integrates with Amazon CloudWatch Logs for near-real-time alerting and can be configured to issue an SNS notification each time a log file is delivered.
AWS Config supplies a detailed view of the configuration of AWS resources, how they relate to one another, and how each was configured in the past. Administrators can also define Config rules that evaluate every recorded change and flag resources that drift from the desired configuration, which is often the first sign of an incipient regulation violation.
Under the AWS shared responsibility model, Amazon is responsible for security of the cloud (the physical hardware, network, and hypervisor), while the customer is responsible for security in the cloud (what is deployed on it and how it is configured). CloudTrail and Config are the customer-side instruments for proving the latter to an auditor.
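A practitioner rarely reads CloudTrail log files by hand; the value of the trail comes from running checks over the delivered records. The script below is an added example written for this page (not Sumo Logic's or AWS's own code) that scans one delivered CloudTrail log object for the kind of event the preceding paragraphs describe: a storage bucket created outside an approved region (the scenario from the introduction), a console sign-in without MFA, root-account activity, and attempts to turn the trail itself off. The records, account ID, ARNs, addresses, bucket and trail names are constructed for the example; the allowed-region set is an assumed policy, and the CloudTrail field names (eventName, awsRegion, userIdentity, additionalEventData.MFAUsed) are the real ones.

```python
"""Scan a CloudTrail log file for events a compliance review would want flagged.

Example code written for this page, not Sumo Logic's or AWS's own code. The
records below are constructed to imitate the JSON CloudTrail delivers to S3
(a gzip-compressed object of the form {"Records": [...]}); the account ID,
ARNs, addresses, bucket and trail names are made up.
"""
import gzip
import json

# Assumption for this example: policy permits resources only in these regions.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# API calls that create or populate a resource in the region they are issued in.
RESOURCE_CREATION_EVENTS = {"CreateBucket", "RunInstances", "CreateDBInstance"}

# Calls that weaken the audit trail itself.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

SAMPLE_LOG_FILE = {"Records": [
    {   # compliant: a bucket in an allowed region, created by an IAM user
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:00:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "example-build-artifacts"},
    },
    {   # the scenario from the text: storage provisioned in an unapproved region
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:05:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"bucketName": "example-customer-exports"},
    },
    {   # console sign-in without MFA
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:07:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # root account switching the audit trail off
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:09:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::123456789012:root"},
        "requestParameters": {"name": "management-trail"},
    },
]}


def sample_log_bytes() -> bytes:
    """Simulate the object fetched from the trail's S3 bucket (gzip-compressed JSON)."""
    return gzip.compress(json.dumps(SAMPLE_LOG_FILE).encode())


def load_records(data: bytes) -> list:
    """Decode a delivered log object; CloudTrail gzips files, so accept both forms."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data)["Records"]


def actor(record: dict) -> str:
    """Human-readable identity: IAM user name, or the ARN for roles and root."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def evaluate(record: dict) -> list:
    """Return the names of the rules this single record violates (empty if none)."""
    hits = []
    name = record.get("eventName", "")
    region = record.get("awsRegion", "")
    if name in RESOURCE_CREATION_EVENTS and region not in ALLOWED_REGIONS:
        hits.append("resource-outside-approved-region")
    # Treat a missing MFAUsed field the same as "No": absence is not evidence of MFA.
    if name == "ConsoleLogin":
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append("console-login-without-mfa")
    if name in TRAIL_TAMPERING_EVENTS:
        hits.append("cloudtrail-tampering")
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-account-activity")
    return hits


def scan_log_file(data: bytes) -> list:
    """Evaluate every record in one delivered log object; one finding per rule hit."""
    findings = []
    for record in load_records(data):
        for rule in evaluate(record):
            findings.append({
                "rule": rule,
                "eventTime": record.get("eventTime"),
                "eventName": record.get("eventName"),
                "region": record.get("awsRegion"),
                "actor": actor(record),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log_file(sample_log_bytes()):
        print(f"{f['eventTime']} {f['rule']:34} {f['eventName']} "
              f"by {f['actor']} in {f['region']}")
```

In production the same evaluate() function would run from a Lambda triggered by the SNS delivery notification mentioned above, reading each new object from the trail's bucket; the point of the example is that the region, MFA and tampering checks are simple once every API call is landing in one place. Note that the MFA check treats a missing MFAUsed field as a failure rather than a pass, and that StopLogging by the root account yields two findings, since both facts matter independently to an auditor.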
AWS Compliance Pricing
Amazon offers a free tier for AWS CloudTrail that enables customers to define one trail per region at no cost. For higher volumes or broader geographical reach, pricing is set at $2 per 100,000 recorded events.
AWS Config charges are determined by the number of resources with recorded configurations, along with the number of defined active rules. Each recorded configuration item is charged at a fraction of a cent per month; each active rule incurs a $2 per month fee. In addition, Amazon supplies 20,000 free evaluations per active rule each month, with additional evaluations costing 10 cents per thousand.
AWS Compliance Limitations
While AWS tools furnish some of the raw data necessary to assess compliance deviations, they still place a heavy burden on administrative staff. For example, most organizations operate a hybrid environment, with some systems running on AWS and many others deployed on-premises or on other cloud platforms. CloudTrail and Config only see the AWS side, so gaining insight into overall regulatory exposure requires labor-intensive, manual correlation across all IT assets. This major shortcoming has opened the door for specialized third party solutions.
Third Party Solutions for AWS Compliance
Providers of these cloud-hosted systems—which serve IT staff, compliance analysts, and auditors—take a much more holistic view of identifying and correcting potential problems. They consume foundational data (like what AWS logs produce), but they also go much further and offer a collection of audit-ready, pre-built dashboards, reports, and other resources that incorporate an extensive, up-to-date knowledge base.
Enterprises that deploy these applications are able to focus on core business operations while being much better prepared to avoid regulatory infringements.
Third Party Compliance Features
End-to-end compliance visibility across all technologies
Monitor user and process activities in real time
Able to consume all AWS logs
Demonstrate continuous compliance
Automated compliance violation notifications
Built-in analytics and reporting knowledge base
Third Party Compliance Software and Apps
Antivium: Real-time change monitoring of cloud infrastructure combined with powerful configuration management analytics.
CloudCheckr: CloudCheckr complements the existing AWS services to enable deploying a comprehensive security architecture and a more seamless experience across cloud and on-premises environments.
Evident.io: The Evident Security Platform streamlines and optimizes vulnerability and risk management. It continuously monitors the AWS cloud, automatically identifies security misconfigurations, and enables rapid mitigation of risk through guided remediation.
Splunk: A single platform to automate compliance for a wide range of government and industry regulations, governance frameworks, and internal requirements.
Sumo Logic: Sumo Logic makes it easy to address regulations and frameworks that require centralized collection and logging, continuous monitoring (such as PCI DSS Requirement 10), and immutable retention of security events across the entire infrastructure. Quickly search through massive amounts of security log data to accelerate incident investigations or satisfy ad hoc requests from auditors.