Free AWS service tackles the tedium of compliance reporting

  • Liam Tung (CSO Online)
  • 08 December, 2016 09:59

Compiling a compliance report for auditors might not be the most thrilling task in security, but it’s still necessary to show that security controls meet key standards, such as ISO 27001, payment card industry (PCI) requirements, and Service Organization Control (SOC).

To make the job a little easier, Amazon Web Services (AWS) has launched a free service called AWS Artifact to give customers immediate access to automatically generated AWS compliance reports.

“The release of AWS Artifact sets the stage for AWS to transform the auditing industry, moving auditing from being time-intensive and manual to highly automated and continuous in the cloud,” said AWS director of risk and compliance, Chad Woolf.

AWS customers can generate the reports once signed in to the AWS Management Console. These reports can be shared with auditors, regulators or customers, or customers can give each individual third party direct access to the reports relevant to the standard under assessment. This can be done via AWS identity and access management permissions.

Another way AWS thinks Artifact can take the cost and hassle out of compliance reporting is by ensuring the integrity of the documents used in the reports.

Customers who use Artifact documents may need to agree to Amazon’s confidentiality terms in a legally binding non-disclosure agreement. After this, they are given access to review the documents, each of which carries a unique and traceable watermark.

One reason to give third parties direct access to the reports follows from AWS’s so-called shared responsibility model: AWS is responsible for the security of documents stored on its servers, but once a document is downloaded, the customer is responsible for it. AWS encourages customers to use its own document sharing service, WorkDocs, or another secure document sharing service, but not email.

Customers also remain responsible for having their own systems audited, as the Artifact service can only be used to demonstrate the security and compliance of the AWS infrastructure and services they use. However, as AWS notes, customers can also use the documents as a guideline when assessing their own internal controls. The documents contain, for example, information on additional security controls that support how customers use their systems.

Under AWS’s shared responsibility model, AWS is responsible for infrastructure such as compute instances, storage, databases and networking, as well as its regions, availability zones and edge locations. Customers are responsible for everything “in” AWS’s cloud, ranging from the platform to firewall and OS configuration, and encryption.