Auditing Security Checklist for AWS

Our friends over at Amazon Web Services have just released their Auditing Security Checklist for Use of AWS. This important document builds on the previously released Operational Checklists for AWS. AWS deserves kudos for putting this document front and center, as almost everything in it falls into the category of customer responsibility. Amazon has gone the extra mile to help auditors and governance professionals understand how using AWS changes the way organizations go about security, audit, and governance. (Spoiler: it shouldn’t change much.)

Security remains one of the primary objections to the adoption of the public cloud, but as the real-world data in Alert Logic’s own Cloud Security Report shows, this fear is unfounded. For most use cases, knowledgeable use of public clouds is more secure – but this doesn’t mean you can shortcut your security responsibilities. In the case of AWS, you need to understand and thoughtfully deploy IAM (the user directory) and EC2 Security Groups (the equivalent of a host-based firewall), along with a network architecture (VPC configuration) that was designed with your security and compliance requirements in mind.

AWS has a history and reputation of being a “do it yourself” environment, but this reality is changing. AWS now has a large and growing enterprise sales force, complete with the expected technical resources (Solution Architects and Professional Services) to help you design an architecture that both meets your organization’s requirements and maximizes the benefits of AWS capabilities.

While Amazon does an admirable job of calling out the controls that you need to address, remember that your auditor will expect more than just the presence of those controls; they will also want to validate the effectiveness of those controls.

I have been involved in a number of large enterprise opportunities where AWS personnel added an immense amount of benefit to the architecture process. I have also seen them identify significant cost savings and performance benefits during the process. We’ve all been conditioned to be wary of the enterprise technology salesperson, but it’s important to realize that a key tenet of Amazon’s strategy is to continually cut prices (31 times in the last 7 years) and reduce the margin on these services in order to be more competitive. They have created a model where everyone’s interests are aligned: if they make it better, faster, and cheaper, you’ll use more.

Amazon’s new document goes on to offer a host of control categories that you need to address (just as you would on premises or with another service provider), along with AWS-specific considerations. At 21 pages, it’s a quick, meaty read. I suspect you will find yourself saying “I probably need to look at that in my legacy environment too…”.
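As an added illustration of the difference between the presence of a control and its effectiveness (this is example code written for this post, not part of the AWS checklist or the Alert Logic report), the following check reads EC2 Security Groups in the shape the DescribeSecurityGroups API returns and reports inbound rules that expose administrative ports, or all traffic, to any Internet address; the group data, port list and function names are constructed for the example.

```python
# Added example, not from the AWS checklist: an effectiveness check for EC2
# Security Groups. Input has the shape of the EC2 DescribeSecurityGroups response
# (boto3: ec2.describe_security_groups()["SecurityGroups"]); SAMPLE_GROUPS is constructed.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # ports that should never face the Internet
WORLD = {"0.0.0.0/0", "::/0"}           # "anywhere" sources, IPv4 and IPv6

def _world_sources(rule):
    """Source CIDRs of one inbound rule that mean 'anywhere'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def _ports_covered(rule):
    """Ports a rule covers; None means every port (protocol -1 carries no ports)."""
    if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)

def audit_security_groups(groups):
    """Return (GroupId, finding) pairs for inbound rules open to the Internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            sources = _world_sources(rule)
            if not sources:
                continue  # source is restricted; not a finding for this check
            ports = _ports_covered(rule)
            if ports is None:
                findings.append((sg["GroupId"], "all traffic open to " + ", ".join(sources)))
                continue
            for port, name in ADMIN_PORTS.items():
                if port in ports:
                    findings.append((sg["GroupId"],
                                     f"{name} ({port}/{rule['IpProtocol']}) open to " + ", ".join(sources)))
    return findings

SAMPLE_GROUPS = [  # constructed sample, not real account data
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for group_id, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {finding}")
```

Running it against a real account means swapping SAMPLE_GROUPS for the API response; the output is the kind of rule-level evidence an auditor can compare against your documented firewall policy.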