pressmaster - Fotolia


How to use AWS to meet compliance standards' requirements

Looking to make compliance an easier task? Expert Steven Weil explains how to use AWS to help meet compliance standards' requirements.

As organizations increasingly move toward the cloud, they face the challenge of ensuring cloud-based systems and data comply with various compliance standards, such as HIPAA, PCI DSS and FISMA.

This tip looks at easy-to-implement ways to use Amazon Web Services (AWS) to meet four core requirements found in multiple compliance standards.

Who can access services?

Most compliance standards require limited, role-based access control to cloud-based systems and data.

AWS' Identity and Access Management (IAM) offers a robust way to manage user access. Instead of using the AWS root account, which allows unrestricted access to AWS systems and services, security professionals should use IAM to create specific users and groups, and then assign granular roles and permissions to the users.

As Config moves from preview to a full production service, it may get even more features; it's definitely an AWS service worth keeping an eye on.

Security professionals should also use IAM to require multifactor authentication for user access to the AWS Management Console.

Once every four hours, with the click of one button, an IAM credential report can be generated and downloaded that lists all of an organization's AWS users and the status of their credentials, including passwords and access keys.

Two other useful IAM tools are the IAM policy simulator, which allows security professionals to test the effects of IAM policies before they go into production, and the AWS Policy Generator tool, which enables the creation of policies that control access to AWS services and systems.

AWS' Directory Service can also be used to manage access to AWS services and systems. It enables organizations to connect their existing on-premises Microsoft Active Directory to AWS, or to set up and manage a new directory in AWS. Directory users and groups can be given access to the AWS Management Console and AWS services using their existing credentials.

Logging users

Logging user actions is a key requirement of multiple compliance standards.

AWS CloudTrail is an application program interface (API) monitoring service that can be used to log user activity. CloudTrail generates log files containing detailed information -- such as API name, user identity, date and time, what was requested and how AWS responded to the request -- and saves these files every five minutes into an Amazon Simple Storage Service (S3) bucket. By default, CloudTrail log files are encrypted and access to the log files can be controlled via IAM or S3 bucket policies. Additionally, security professionals can configure Amazon's Simple Notification Service (SNS), a push-messaging service, to notify them when new log files have been created.

Currently in beta, AWS' Server Access Logging can be used to track requests for access to S3 buckets. The logs provide key details, such as the requester name, request time, and request action and response. By default, such logging is disabled, so be sure to enable it.

Change control

Change control is another key requirement of many compliance standards.

AWS' Config service can automatically create an inventory of an organization's AWS systems and then continuously record any configuration changes, like creation, updates or deletion, to such systems. Combined with AWS' SNS service, Config can be used to provide security professionals with a constantly updated and historical view of AWS system configurations and helps enforce strong change control and configuration management.

As Config has moved from preview to a full production service, it may get even more features; it's definitely an AWS service worth keeping an eye on.

How are virtual systems segmented from each other?

Many compliance standards require systems processing, transmitting or storing sensitive data to be segmented from systems that do not.

For Amazon Elastic Compute Cloud (EC2) servers, AWS provides easy-to-configure Security Groups that enable security professionals to define what traffic is allowed to and from one or more servers. Security group rules can be modified at any time; new rules are automatically applied to all servers that are associated with a security group. The default security group that is applied when an EC2 server is first created allows all outbound traffic from the server so it's important to create custom security groups to limit outbound traffic.


AWS continues to make steady progress in providing its customers with services and tools that can be used to meet a variety of compliance standards. Security professionals can use the above tips to quickly and easily meet core compliance requirements for cloud-based systems and data.

About the author:
Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.

Next Steps

Understanding the basics of AWS and Amazon EC2 security.

Dave Shackleford looks at the security capabilities of AWS and Microsoft Azure.

Dig Deeper on Cloud Compliance: Federal Regulations and Industry Regulations