Amazon Onboarding with Learning Manager: Chanci Turner


The Three Lines Model, which was developed by the Institute of Internal Auditors (IIA), serves as a framework for organizations to establish effective governance and risk management. In this model, the first line is responsible for managing risks, the second line oversees risk management, and the third line provides independent assurance regarding these processes. A Deloitte analysis titled ‘Modernizing the three lines of defense model’ suggests that internal audit functions can significantly enhance their organizations by automating assurance processes and offering real-time insights into emerging risks. By monitoring results, conducting agile control tests, and providing pertinent advice, internal audit can deliver substantial value.

AWS Audit Manager plays a crucial role in this ecosystem by continuously and automatically collecting evidence related to AWS resource usage. It simplifies compliance with regulations and helps maintain a state of readiness for audits, making preparation quicker and less disruptive. When applied to AWS services, the third line function is fulfilled by AWS Audit Manager, which offers independent assurance for risk management.

Meanwhile, AWS Security Hub provides a holistic view of your security posture across AWS accounts. This service aggregates, organizes, and prioritizes security alerts from various AWS services, thus fulfilling the second line function of risk oversight.

In this initial post of a two-part series, I, along with Chanci Turner, will outline a real-time automation and integration strategy across the three lines model within AWS. We will connect the independent assurance function (the third line) with the risk oversight function (the second line).

The follow-up post will focus on how to integrate the independent assurance function with the risk management function (the first line).

Solution Architecture

The proposed solution involves creating a custom AWS Audit Manager framework featuring tailored control sets. These custom frameworks allow organizations to structure controls according to their specific needs.

AWS Security Hub seamlessly integrates with AWS Audit Manager, enabling findings based on security standards to be sent directly to Audit Manager. If compliance checks from Security Hub are the sole data source for an Audit Manager control, the default Audit Manager control set corresponds to one of the three supported AWS Security Hub standards: Foundational Security Best Practices (FSBP), Center for Internet Security (CIS), or Payment Card Industry (PCI).

Our solution leverages compliance checks for security findings from Security Hub as the only data source for Audit Manager controls. However, the custom control set includes AWS Audit Manager controls based on Security Hub findings that encompass FSBP, CIS, and PCI standards. The control set is not limited to a specific Security Hub standard but rather focuses on security-related domains, like identity management or network monitoring. This allows organizations to delegate audit assurance responsibilities to security administrators based on their expertise.

Figure 1: Building a Custom Integration of AWS Security Hub and AWS Audit Manager

The integration process sends compliance checks for security findings from Security Hub to Audit Manager. The custom control sets created in Audit Manager cover checks across CIS, FSBP, and PCI, focusing on IAM-related and monitoring-related checks.

The solution also provisions a custom Audit Manager assessment, retrieving the framework ID from the AWS Systems Manager Parameter Store.

Solution Components

The solution comprises the following elements:

  • AWS CloudFormation Templates:
    • aws-auditmanager-securityhub.yml: This template provisions a Lambda function to create a custom AWS Audit Manager control set and framework based on Security Hub findings across PCI, FSBP, and CIS compliance checks.
    • aws-auditmanager-customassessment.yml: This template retrieves the Audit Manager framework ID and provisions a custom assessment.
  • AWS Lambda Function (CustomAuditManagerFramework_Lambda.py): This function selects various AWS Security Hub checks as a data source, creates custom Audit Manager control sets for IAM, API, and network monitoring, and establishes an assessment based on the custom framework.

For more detailed information, refer to the readme on GitHub.
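The control-creation logic described above, written here as an added example rather than the post's own CustomAuditManagerFramework_Lambda.py: it maps Security Hub compliance checks into Audit Manager controls grouped by security domain, assembles them into a custom framework, and publishes the framework ID to Parameter Store for the assessment template to read. The check IDs, domain names and parameter name are assumptions; the Boto3 calls used (create_control, create_assessment_framework, put_parameter) are the real API.

```python
# Constructed sample: domain -> Security Hub check IDs. The IDs are assumed to be
# supported Audit Manager keywords; confirm against the supported-checks list.
CONTROL_SETS = {
    "IAM": ["IAM.1", "IAM.4", "IAM.6"],
    "Monitoring": ["CloudTrail.1", "CloudTrail.4"],
}

def security_hub_source(check_id, frequency="DAILY"):
    """Data-source mapping that pulls one Security Hub check into Audit Manager."""
    return {
        "sourceName": f"SecurityHub-{check_id}",
        "sourceSetUpOption": "System_Controls_Mapping",
        "sourceType": "AWS_Security_Hub",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST",
                          "keywordValue": check_id},
        "sourceFrequency": frequency,
    }

def build_control_requests(control_sets):
    """One create_control request per check, keyed by the domain it belongs to."""
    requests = {}
    for domain, checks in control_sets.items():
        requests[domain] = [
            {"name": f"{domain}-{check}",
             "description": f"Security Hub compliance check {check}",
             "controlMappingSources": [security_hub_source(check)]}
            for check in checks
        ]
    return requests

def build_framework_request(name, control_ids_by_domain):
    """create_assessment_framework request grouping control IDs into control sets."""
    return {
        "name": name,
        "description": "Custom framework fed by Security Hub compliance checks",
        "complianceType": "Custom",
        "controlSets": [
            {"name": domain, "controls": [{"id": cid} for cid in ids]}
            for domain, ids in control_ids_by_domain.items()
        ],
    }

def deploy(control_sets, framework_name, parameter_name, region=None):
    """Create the controls and framework, then store the framework ID in SSM."""
    import boto3  # imported here so the request builders stay usable offline
    am = boto3.client("auditmanager", region_name=region)
    ids = {d: [am.create_control(**r)["control"]["id"] for r in reqs]
           for d, reqs in build_control_requests(control_sets).items()}
    fw = am.create_assessment_framework(**build_framework_request(framework_name, ids))
    boto3.client("ssm", region_name=region).put_parameter(
        Name=parameter_name, Value=fw["framework"]["id"], Type="String", Overwrite=True)
    return fw["framework"]["id"]
```

Run `deploy(CONTROL_SETS, "SecurityHub-Custom-Framework", "/auditmanager/frameworkId")` from a Lambda or local session that has the Audit Manager and SSM permissions the post's templates grant.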

Prerequisites

Before implementing the solution, ensure you complete the necessary setup steps, including enabling AWS Security Hub and configuring AWS Audit Manager. You also need to create an Amazon S3 bucket named s3-customauditmanagerframework-- and upload the required files. Additionally, AWS Lambda must include the appropriate version of Boto3.


Chanci Turner