How to start with compliance on AWS

By Steffan Norberhuis | 10 Dec 2024

Learn how to achieve compliance on AWS with a clear and defined path to your first audit. This guide shows Rocketleap’s learnings of supporting other companies in achieving continuous and automatic monitoring of AWS resources for compliance.

Starting to do compliance on AWS is not only about tooling. You will need business alignment and cultural integration of compliance into your business. We have identified 9 phases a company typically goes through when starting to do compliance on AWS. Being aware of these phases lets you move through each one deliberately and smoothly.

Preparing the scope of governance

1. Identify workloads in all AWS Accounts.

Start by cataloging all workloads in your AWS environment to build a comprehensive overview.

Accounts and workloads can be mapped onto each other in any of the following patterns, or a combination of them:

  • Multiple workloads in a single AWS root account
  • Multiple workloads in one AWS account per development environment
  • A single workload in a single AWS account for all environments
  • A single workload in a single AWS account per environment

This phase uncovers workloads that your company is not actively managing. These unidentified workloads are often not maintained and cause serious risks.

2. Assign ownership of all workloads.

The second phase is to assign the responsibility of maintaining each workload. Assigning ownership ensures that later on, it is clear who is responsible for fixing non-compliant resources. It has the additional benefit of making responsibility for availability, security, and cost optimization clear. A team can take ownership if it has decision-making power and maintenance capacity for the workload.

This phase reveals workloads no one feels responsible for and starts discussions in a company. These discussions are what make this phase so important. When no one feels responsible for a service, it is often poorly maintained, resulting in serious risk. The risks range from security threats to threats of having to rebuild complete services due to neglect.

Governance seeks to prevent these risks. Having these responsibilities clear avoids serious problems in a later audit.

A major challenge is workloads with an unclear business case and little company priority that are nevertheless crucial for small groups or even single individuals to perform their work. The effort of fixing these workloads may outweigh the benefit gained, yet they are too painful to turn off, so they keep violating the compliance controls.

3. Limit the scope of AWS resource types

A governance system should cover all AWS resources used in your environment to ensure you govern every resource appropriately. However, there are over 400 resource types in AWS, while developers typically use only a fraction. Governing only the resource types actually in use reduces the scope significantly. Additionally, limiting the approved resource types ensures developers do not adopt new resource types without governance.

4. Create compliance controls for every AWS Resource Type

Internal policies should align with clear compliance controls for every AWS resource type. These clear controls are easy to automate and check continuously.

An example is data protection policies requiring encryption at rest. So, for every approved data storage resource type, e.g., RDS Database and S3, a compliance control should require data to be encrypted at rest.
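The two ideas above, an approved set of resource types and one encryption-at-rest control per approved storage type, as an added illustration that is not code from the article. The resource type names and the config keys (ServerSideEncryptionConfiguration, StorageEncrypted) are assumptions modelled on AWS Config configuration items; the inventory is constructed and no AWS API is called.

```python
# Added illustration, not code from the article. Resource type names and the
# config keys are assumptions modelled on AWS Config configuration items.
# Phase 3: only resource types the company has approved are in scope.
APPROVED_TYPES = {"AWS::S3::Bucket", "AWS::RDS::DBInstance"}

# Phase 4: one control per approved storage type, each derived from the
# "encryption at rest" data-protection policy.
def s3_encrypted_at_rest(cfg):
    return bool(cfg.get("ServerSideEncryptionConfiguration"))

def rds_encrypted_at_rest(cfg):
    return cfg.get("StorageEncrypted") is True

CONTROLS = {
    "AWS::S3::Bucket": [("s3-encryption-at-rest", s3_encrypted_at_rest)],
    "AWS::RDS::DBInstance": [("rds-encryption-at-rest", rds_encrypted_at_rest)],
}

def evaluate(inventory):
    """Return (resource_id, owner, status, control) for every resource.
    Each resource is a dict with keys type, id, owner (phase 2) and config."""
    findings = []
    for r in inventory:
        if r["type"] not in APPROVED_TYPES:
            # An unapproved type is itself a finding: nothing governs it yet.
            findings.append((r["id"], r["owner"], "UNAPPROVED_TYPE", None))
            continue
        for name, check in CONTROLS[r["type"]]:
            status = "COMPLIANT" if check(r["config"]) else "NON_COMPLIANT"
            findings.append((r["id"], r["owner"], status, name))
    return findings

def open_findings_by_owner(findings):
    """Group what still needs work by owning team, ready for prioritisation."""
    out = {}
    for rid, owner, status, control in findings:
        if status != "COMPLIANT":
            out.setdefault(owner, []).append((rid, status, control))
    return out

# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    {"type": "AWS::S3::Bucket", "id": "example-logs", "owner": "team-platform",
     "config": {"ServerSideEncryptionConfiguration": {"Rules": [{"SSEAlgorithm": "aws:kms"}]}}},
    {"type": "AWS::S3::Bucket", "id": "example-uploads", "owner": "team-web", "config": {}},
    {"type": "AWS::RDS::DBInstance", "id": "example-db", "owner": "team-web",
     "config": {"StorageEncrypted": False}},
    {"type": "AWS::DynamoDB::Table", "id": "example-table", "owner": "team-data", "config": {}},
]
```

Running `evaluate` over a real inventory export and grouping by owner gives each team its own list of open findings, which is the input to the prioritisation discussed in the later phases.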

Preparing the Compliance Controls

5. Ensure acceptance of compliance controls

Acceptance of the compliance controls is vital to ensuring developers implement the controls. Incorrect controls will hugely damage acceptance. Discussions of resources that are not compliant will drift to discussions about incorrect controls. So, any controls should be verified to work correctly, and known exceptions should be removed.

The compliance controls should be realistic and describe an achievable level of quality. If the compliance controls are too far from the current state, a company will not accept the controls. The compliance controls should provide a path to the next step in quality. However, controls should always prevent unacceptable risks.

6. Align on the importance of all compliance controls

Creating new quality standards often causes discussions inside a company about importance and priority.

Governance is there to prevent quality issues in the product and process. So, new standards cause friction with the development of new infrastructure. They set the quality bar that infrastructure needs to pass before being acceptable. It is therefore beneficial to agree that developers are no longer allowed to deploy new infrastructure with compliance issues to production environments. This agreement can cause immediate problems with current projects, but it prevents business owners from forcing projects to be done quick and dirty.

Additionally, there should be clarity on the priority of fixing non-compliant resources. The first question is whether delaying is acceptable for a particular control or if the team should drop current work and fix the problem. The second question to answer is how long it is acceptable for a team to delay a fix.

Completing this phase requires solid commitment and agreement to the business priority of achieving compliance. You need agreement on the new level of quality set by the compliance controls for new and existing infrastructure. This results in work that can impact the current roadmap, so an update is often necessary.

7. Share compliance controls with developers

Developers and business owners often require a little help in adopting the compliance controls and priority. The best way to do this is to give demos of the infrastructure they are responsible for. The demo should cover the current state, how they can see what is non-compliant, and how to resolve these issues. Ultimately, explaining priority and when developers should resolve issues gives clarity to your organization.

Continuous Compliance

8. Fix problems based on priority

Developers start to fix issues in their infrastructure and make sure it is compliant. Getting to a baseline where most compliance controls are fixed is essential. Having a good baseline helps start a journey of continuously improving and reacting quickly to deviations in compliance.

9. Continually improve compliance controls

Compliance staff and developers now add further controls to the existing set. If new AWS resource types are necessary, new controls are written to govern each new resource type.

Preferably, the developers actively regulate and add new controls themselves. It should feel like a tool in their toolbox, and compliance is there for them to improve quality. Developers should use the controls to help them create the time necessary to develop quality software in a feature-rich environment. The compliance controls are an agreed-upon standard.

Conclusion

Getting compliant on AWS seems like a daunting task. You should invest heavily in automation, otherwise you will drown in manual work, but tooling only solves part of the problem. Company alignment is just as important.

Rocketleap helps you achieve compliance on AWS. We provide all the compliance tooling you need with the Rocketleap Landing Zone. Our compliance tooling has helped customers automate their compliance work and pass audits.

We help you pass your first audit and get certified. Contact us to start the conversation.

Author

Steffan Norberhuis

Founder

Steffan founded Rocketleap to help companies to unlock the full potential of AWS and DevOps, so they can build innovative software. He is passionate about simplifying AWS so that more companies can grow their business.