
How to use AWS to meet compliance standards' requirements

Looking to make compliance an easier task? Expert Steven Weil explains how to use AWS to help meet compliance standards' requirements.

As organizations increasingly move toward the cloud, they face the challenge of ensuring cloud-based systems and data comply with various compliance standards, such as HIPAA, PCI DSS and FISMA.

This tip looks at easy-to-implement ways to use Amazon Web Services (AWS) to meet four core requirements found in multiple compliance standards.

Who can access services?

Most compliance standards require limited, role-based access control to cloud-based systems and data.

AWS' Identity and Access Management (IAM) offers a robust way to manage user access. Instead of using the AWS root account, which allows unrestricted access to AWS systems and services, security professionals should use IAM to create specific users and groups, and then assign granular roles and permissions to the users.

Security professionals should also use IAM to require multifactor authentication for user access to the AWS Management Console.

Once every four hours, with the click of one button, an IAM credential report can be generated and downloaded that lists all of an organization's AWS users and the status of their credentials, including passwords and access keys.
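As an added example (not from the article or from AWS), the following Python script parses an IAM credential report in the CSV column layout of the console download and flags the conditions the article's access-control advice implies: console users without MFA, active access keys that have not been rotated in 90 days, and any access key or missing MFA on the root account. The report rows, the account id and the 90-day threshold are constructed assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report
# (account id and users are made up; dates are chosen to exercise each check).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-01-05T10:00:00+00:00,not_supported,2015-01-10T09:12:00+00:00,not_supported,not_supported,false,true,2014-01-05T10:00:00+00:00,2015-01-09T11:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2014-03-02T08:00:00+00:00,true,2015-01-12T14:30:00+00:00,2014-12-01T08:00:00+00:00,2015-03-01T08:00:00+00:00,true,true,2014-12-01T08:05:00+00:00,2015-01-12T14:35:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-03-02T08:10:00+00:00,true,2015-01-11T10:00:00+00:00,2014-03-02T08:10:00+00:00,N/A,false,true,2014-03-02T08:15:00+00:00,2014-06-30T12:00:00+00:00,us-west-2,ec2,true,2014-03-02T08:16:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2014-07-15T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2014-12-20T12:00:00+00:00,2015-01-12T03:00:00+00:00,us-east-1,cloudformation,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
AS_OF = datetime(2015, 1, 15, tzinfo=timezone.utc)  # constructed "now" for the sample

def _parse_ts(value):
    """Parse an ISO-8601 timestamp from the report; N/A, no_information etc. give None."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None

def find_findings(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples for console users without MFA, active access
    keys older than max_key_age_days, and any access key or missing MFA on root."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA device"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent key: nothing to rotate
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in find_findings(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {finding}")
```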

Two other useful IAM tools are the IAM policy simulator, which allows security professionals to test the effects of IAM policies before they go into production, and the AWS Policy Generator tool, which enables the creation of policies that control access to AWS services and systems.

AWS' Directory Service can also be used to manage access to AWS services and systems. It enables organizations to connect their existing on-premises Microsoft Active Directory to AWS, or to set up and manage a new directory in AWS. Directory users and groups can be given access to the AWS Management Console and AWS services using their existing credentials.

Logging users

Logging user actions is a key requirement of multiple compliance standards.

AWS CloudTrail is an application programming interface (API) monitoring service that can be used to log user activity. CloudTrail generates log files containing detailed information -- such as the API name, the identity of the caller, the date and time, what was requested and how AWS responded to the request -- and saves these files every five minutes into an Amazon Simple Storage Service (S3) bucket. By default, CloudTrail log files are encrypted, and access to them can be controlled via IAM or S3 bucket policies. Additionally, security professionals can configure Amazon's Simple Notification Service (SNS), a push-messaging service, to notify them when new log files have been created.
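An added example, not part of the article: a Python review pass over a CloudTrail log file in the `{"Records": [...]}` layout CloudTrail delivers to S3, flagging root-account API use, console logins without MFA, denied calls, and successful calls on a watch list of security-sensitive API names. The log records, the account id and the watch list are constructed assumptions for the demonstration.

```python
import json

# Constructed CloudTrail log file in the {"Records": [...]} layout written to S3,
# trimmed to the fields these checks read; identities and addresses are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-01-12T14:30:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2015-01-12T15:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-01-12T16:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"eventTime": "2015-01-12T17:10:33Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "errorCode": "AccessDenied"},
]})

# Assumed watch list: mutating calls a change-control reviewer wants to see.
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                  "CreateUser", "DeleteUser", "AttachUserPolicy", "PutUserPolicy",
                  "DeleteTrail", "StopLogging"}

def actor(record):
    """Human-readable identity: the IAM user name, or the ARN for root and roles."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def review_trail(log_text):
    """Return (eventTime, actor, reason) triples for records that merit attention."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        who, name = actor(rec), rec.get("eventName")
        if rec.get("userIdentity", {}).get("type") == "Root":
            alerts.append((rec["eventTime"], who, f"root account used for {name}"))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append((rec["eventTime"], who, "console login without MFA"))
        if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            alerts.append((rec["eventTime"], who, f"{name} denied: {rec['errorCode']}"))
        if name in WATCHED_EVENTS and "errorCode" not in rec:  # only successful changes
            alerts.append((rec["eventTime"], who, f"watched change {name} succeeded"))
    return alerts
```

Calling `review_trail(SAMPLE_LOG)` on the sample returns four alerts: the MFA-less login, two for the root-account security-group change, and the denied `CreateUser`.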

Currently in beta, AWS' Server Access Logging can be used to track requests for access to S3 buckets. The logs provide key details, such as the requester name, request time, and request action and response. By default, such logging is disabled, so be sure to enable it.

Change control

Change control is another key requirement of many compliance standards.

AWS' Config service can automatically create an inventory of an organization's AWS systems and then continuously record configuration changes to them, such as creation, updates or deletion. Combined with AWS' SNS service, Config gives security professionals both a constantly updated and a historical view of AWS system configurations, which helps enforce strong change control and configuration management.

As Config has moved from preview to a full production service, it may get even more features; it's definitely an AWS service worth keeping an eye on.

How are virtual systems segmented from each other?

Many compliance standards require systems processing, transmitting or storing sensitive data to be segmented from systems that do not.

For Amazon Elastic Compute Cloud (EC2) servers, AWS provides easy-to-configure security groups that enable security professionals to define what traffic is allowed to and from one or more servers. Security group rules can be modified at any time, and new rules are automatically applied to all servers associated with the security group. The default security group applied when an EC2 server is first created allows all outbound traffic from the server, so it's important to create custom security groups that limit outbound traffic.
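An added example (not the article's own): a Python check over security-group definitions in the shape returned by `aws ec2 describe-security-groups`, which flags the allow-all outbound rule the article warns about and any inbound rule open to the whole Internet on a port other than the assumed web ports 80 and 443. The group ids, names and rules are constructed sample data.

```python
import json

# Constructed output in the shape of `aws ec2 describe-security-groups`,
# trimmed to the fields this check reads; group ids and names are made up.
SAMPLE_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}], "IpRanges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-1b2c3d4e", "GroupName": "cardholder-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "UserIdGroupPairs": [{"GroupId": "sg-2c3d4e5f"}], "IpRanges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-2c3d4e5f", "GroupName": "web-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]})

ANYWHERE = {"0.0.0.0/0", "::/0"}  # CIDRs meaning "the whole Internet"

def _open_to_world(perm):
    """True if a rule's IPv4 or IPv6 ranges include an any-address CIDR."""
    ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in ranges)

def _describe(perm):
    """Short label for a rule: 'all traffic' or protocol/port range."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"

def audit_security_groups(groups_json, allowed_ingress_ports=(80, 443)):
    """Return (group_id, group_name, finding) triples for groups with allow-all
    egress to the world or ingress from the world on a non-web port."""
    findings = []
    for sg in json.loads(groups_json)["SecurityGroups"]:
        gid, name = sg["GroupId"], sg["GroupName"]
        for perm in sg.get("IpPermissionsEgress", []):
            if perm["IpProtocol"] == "-1" and _open_to_world(perm):
                findings.append((gid, name, "egress allows all traffic to 0.0.0.0/0 (the default)"))
        for perm in sg.get("IpPermissions", []):
            web_port = (perm["IpProtocol"] == "tcp" and perm.get("FromPort") == perm.get("ToPort")
                        and perm.get("FromPort") in allowed_ingress_ports)
            if _open_to_world(perm) and not web_port:
                findings.append((gid, name, f"ingress from anywhere on {_describe(perm)}"))
    return findings
```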


AWS continues to make steady progress in providing its customers with services and tools that can be used to meet a variety of compliance standards. Security professionals can use the above tips to quickly and easily meet core compliance requirements for cloud-based systems and data.

About the author:
Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.


How do you battle compliance with industry regulations in the cloud?
Cloud computing inherently makes it difficult to remain in compliance. We've had our own problems in the past and learned our lessons:
  • Don't rely 100% on the vendor – we are not a big company but we've learned that you can't assume the cloud vendor's standards and conditions will suffice.
  • Keep an eye on new standards – today, we only look at ISO 27001 and SAS 70 Type II as guidelines, not benchmarks for compliance.
Is EC2 now available in UK or EU jurisdictions? A number of Financial Institutions still want this. Definitely don't like US locations. Patriot Act adds to the concern.
The biggest issue I have with regulations is that no one reads them. Instead we have this whole magical thinking industry, where we do what we always did and insist on folklore. Once you read the regs for your industry (HIPAA, FDA, etc.) and build a strategy around that, many of the concerns about cloud sort of "go away."
Maintain installed Firewall to prevent cardholder data access. Do not use vendor-supplied defaults for system passwords. This will restrict access to cardholder’s data.