Streamline Your Compliance Audits with AWS Backup Audit Manager


on 09 NOV 2021

in AWS Backup, Intermediate (200), Security, Identity, & Compliance, Technical How-to

Have you ever faced the challenge of demonstrating to an auditor that your data protection measures align with regulatory and organizational standards? The auditing process can often be resource-intensive. When it comes to compliance, the onus is on you to provide evidence that adequate controls are in place to safeguard and retain your data.

On August 24, 2021, AWS Backup introduced a new compliance auditing feature known as AWS Backup Audit Manager. This tool enables you to assess and report on the compliance of your designated data protection policies, ensuring they meet your business and regulatory needs. With AWS Backup, you can centralize and automate the protection of data across AWS services — including compute, storage, and databases — ensuring adherence to established best practices and regulatory requirements. AWS Backup Audit Manager assists you in maintaining and demonstrating compliance with your data protection strategies.

In this blog post, we will guide you through the process of creating AWS Backup frameworks with governance controls and generating reports on your backup and compliance status. These reports can serve as tangible evidence of your compliance efforts or help identify any backup activities and resources that may not be in compliance.

Backup Risk Management Framework

This discussion will focus on a specific subset of controls used by the Risk Management Framework (RMF) defined by the National Institute of Standards and Technology (NIST). The RMF (SP 800-37) draws its security controls from the SP 800-53 control catalogue, which is a common foundation for many organizations' own control sets. The Contingency Planning (CP) family of controls addresses policies, procedures, and technical guidelines for operational continuity. CP-9 (System Backup) defines data backup broadly so that it can be tailored to an organization's specific needs, including:

  • Components to be backed up (both user-level and system-level data)
  • Backup frequency and retention, aligned with Recovery Point Objectives (RPOs)

We will examine three of the CP-9 control enhancements from the current revision of Special Publication 800-53 that bear directly on backups:

  • CP-9(1) | TESTING FOR RELIABILITY AND INTEGRITY
  • CP-9(4) | PROTECTION FROM UNAUTHORIZED MODIFICATION
  • CP-9(8) | CRYPTOGRAPHIC PROTECTION

Note that SP 800-53 Rev. 4 and later list CP-9(4) as withdrawn and incorporate its requirement (protecting backup information from unauthorized modification) into the CP-9 base control; the intent is unchanged, only the numbering.

Note: This blog is not intended to provide a comprehensive approach to fulfilling NIST or any other cybersecurity framework but instead to showcase tools available for auditing backup procedures.

The compliance-related features discussed here are applicable across multiple industry standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOCs). Ensure your security personnel are aware of the specific regulatory requirements that your organization must meet, as explained further in this resource.

Walkthrough

In this section, we will demonstrate how to utilize the AWS Backup Audit Manager to confirm that resources are backed up according to the specified frequency and retention and that backups are encrypted. We will also show how to employ controls to prevent the manual deletion of recovery points.

Prerequisites

  • Access to AWS Backup, Amazon Simple Storage Service (Amazon S3), and AWS Config services.
  • At least one AWS Backup plan linked to a backup vault. In this blog, we created a backup plan named “MyOrg-Critical-BackupEC2” and a Backup Vault named “MyOrg-Production-CriticalBackups.”
  • An S3 bucket designated for audit report storage. For this blog, we established a bucket named “myorg-auditcompliance-bucket.”
  • Enable AWS Config recording for backup plans (AWS::Backup::BackupPlan), backup selections (AWS::Backup::BackupSelection), vaults (AWS::Backup::BackupVault), recovery points (AWS::Backup::RecoveryPoint), and AWS Config resource compliance (AWS::Config::ResourceCompliance).

Please note that there are costs associated with AWS Config recording and storing reports in Amazon S3.

In this blog, we use an Amazon Elastic Compute Cloud (Amazon EC2) instance tagged with a key of ‘environment’ and a value of ‘production.’ For more details on setting up AWS Backup, please check this excellent resource.

Frameworks

AWS Backup Audit Manager is designed to audit the compliance of your AWS Backup policies against defined controls. A control is a procedure aimed at auditing compliance with backup requirements, such as frequency and retention periods. The AWS Backup Audit Manager framework is a collection of these controls that can be managed collectively. If you need to comply with various internal or regulatory standards, like NIST, HIPAA, or SOC, you can create multiple frameworks to track compliance separately across different standards.

To get started, navigate to the AWS Backup dashboard and select “Get started with frameworks.” Check that AWS Config recording is enabled by verifying the Resource tracking status on the Framework page, and then select “Create framework” to begin.

First, assign a name to your new framework and choose the framework type. At the time of writing, the AWS Backup framework type includes all five Audit Manager controls with their default scopes; a custom framework lets you pick the controls and set their scope and parameters. For this example, we will create a custom framework to validate that our critical EC2 instances are backed up in accordance with our organizational policy.

The Backup resources protected by backup plan control evaluates whether the resources in its scope are covered by at least one backup plan. By default every supported resource is in scope; you can narrow the scope by resource type or by tag. For this example, set the control scope to the EC2 resource type and the tag key environment with value production, matching the instance from the prerequisites. Our policy requires these instances to be backed up daily and retained for at least 30 days, so configure the Backup plan minimum frequency and minimum retention control with a required frequency of 1 day and a required retention of 30 days; its scope can be limited to the backup plans you want evaluated. This control checks what the plan is configured to do (its schedule and lifecycle), while the resources-protected control catches instances that no plan covers at all.

Next, the Backup prevent recovery point manual deletion control evaluates whether the selected backup vaults block manual deletion of recovery points. It inspects each vault's resource-based access policy and passes only when that policy carries a Deny statement covering backup:DeleteRecoveryPoint, backup:UpdateRecoveryPointLifecycle, and backup:PutBackupVaultAccessPolicy for everyone except the principals you exempt. You may list up to five IAM ARNs (for example a break-glass role) that remain allowed to delete recovery points; keep that list short and monitor its use, because any principal on it can undo your retention guarantee.

Lastly, the Backup recovery point encrypted control evaluates whether recovery points are encrypted at rest. By default its scope is every recovery point; you can narrow it to recovery points carrying specific tags. The control reports whether a recovery point is encrypted, not which key protects it.
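The same framework can be created without the console. The following Python script is an added example, not code from the original post or from AWS: it assembles the four controls with the scopes and parameters described in this walkthrough, builds the vault access policy that satisfies the manual-deletion control, and, only when run directly, applies both with boto3. The control names and parameter names are those of AWS Backup Audit Manager; the account ID, backup plan ID, vault name, break-glass role name, framework name, and the exact ControlScope shapes are assumptions to replace with your own and to check against the CreateFramework API reference.

```python
"""Define an AWS Backup Audit Manager framework plus a matching vault policy.

Added example (not from the original post). All identifiers below are
placeholders; the control and parameter names are the Audit Manager ones.
"""
import json

ACCOUNT_ID = "111122223333"                                   # placeholder
BACKUP_PLAN_ID = "00000000-0000-0000-0000-000000000000"       # placeholder ID of MyOrg-Critical-BackupEC2
VAULT_NAME = "MyOrg-Production-CriticalBackups"
BREAK_GLASS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BackupBreakGlass"  # assumed role name


def _control(name, params=None, scope=None):
    """Build one FrameworkControls entry in the shape CreateFramework expects."""
    control = {"ControlName": name}
    if params:
        control["ControlInputParameters"] = [
            {"ParameterName": k, "ParameterValue": str(v)} for k, v in params.items()
        ]
    if scope:
        control["ControlScope"] = scope
    return control


def build_framework_controls(plan_id, vault_name, allowed_deleters):
    """Return the four controls from the walkthrough, in order."""
    return [
        # Every EC2 instance tagged environment=production must be in a backup plan.
        _control(
            "BACKUP_RESOURCES_PROTECTED_BY_BACKUP_PLAN",
            scope={"ComplianceResourceTypes": ["AWS::EC2::Instance"],
                   "Tags": {"environment": "production"}},
        ),
        # The selected plan must run at least daily and retain copies >= 30 days.
        _control(
            "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK",
            params={"requiredFrequencyUnit": "days",
                    "requiredFrequencyValue": 1,
                    "requiredRetentionDays": 30},
            scope={"ComplianceResourceTypes": ["AWS::Backup::BackupPlan"],
                   "ComplianceResourceIds": [plan_id]},   # scope shape assumed
        ),
        # The vault policy must deny manual deletion except for listed principals.
        _control(
            "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED",
            params={"principalArnList": ",".join(allowed_deleters)},  # comma-separated ARNs
            scope={"ComplianceResourceTypes": ["AWS::Backup::BackupVault"],
                   "ComplianceResourceIds": [vault_name]},  # scope shape assumed
        ),
        # Every recovery point (default scope) must be encrypted.
        _control("BACKUP_RECOVERY_POINT_ENCRYPTED"),
    ]


def build_vault_policy(allowed_deleters):
    """Vault access policy with the Deny statement the manual-deletion control
    looks for: nobody except the exempted principals may delete recovery points,
    shorten their lifecycle, or rewrite this policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyManualRecoveryPointDeletion",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "backup:DeleteRecoveryPoint",
                "backup:UpdateRecoveryPointLifecycle",
                "backup:PutBackupVaultAccessPolicy",
            ],
            "Resource": "*",
            # ArnNotEquals with a list: denied unless the caller is one of them.
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": allowed_deleters}},
        }],
    }


def main():
    import boto3  # imported here so the module stays importable without AWS access
    allowed = [BREAK_GLASS_ROLE_ARN]
    backup = boto3.client("backup")
    backup.put_backup_vault_access_policy(
        BackupVaultName=VAULT_NAME,
        Policy=json.dumps(build_vault_policy(allowed)),
    )
    resp = backup.create_framework(
        FrameworkName="MyOrg_NIST_CP9_Backups",               # assumed name
        FrameworkDescription="CP-9 backup controls for production EC2",
        FrameworkControls=build_framework_controls(BACKUP_PLAN_ID, VAULT_NAME, allowed),
    )
    print(resp["FrameworkArn"])


if __name__ == "__main__":
    main()
```

Run it with credentials that hold backup:PutBackupVaultAccessPolicy and backup:CreateFramework. Apply the vault policy first: the framework evaluates on a schedule, and a vault whose policy lacks the Deny statement will show as non-compliant until the next evaluation after you fix it.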

In conclusion, utilizing AWS Backup Audit Manager simplifies the auditing process of your data protection policies, allowing you to efficiently demonstrate compliance with regulatory standards and organizational requirements.

