5 Security Tips for your AWS Account

By AJ Yawn, CISSP


Amazon Web Services (AWS) is the industry-leading cloud service provider by any metric a quick Google search turns up. The shared responsibility model is generally understood by individuals managing production workloads hosted on AWS, and *most* auditors understand how it impacts a SOC 2 or other compliance assessment (if your auditor asks you about the physical security of an AWS data center, close your laptop, leave the conference room and run away really fast!). AWS has developed several services and features to help manage the security of an organization's AWS account and resources. These services, when used effectively, can reduce evidence requirements, reduce or eliminate the risk of auditor findings, and most importantly secure your AWS account. These basic security configurations should be implemented by every organization hosted on AWS regardless of organizational maturity, industry or type. Following the recommendations below will also reduce the evidence and documentation requirements for your SOC 2 audit: auditors can leverage the reports, configuration screenshots, IAM policies, etc. to satisfy several controls, reducing the operational disruption to your organization and the time it takes to achieve compliance. The recommendations below will result in a more secure AWS account and resources, reduce the time (and hopefully cost) of your SOC 2 examination, and allow you to include some unique security controls in your SOC 2 report to differentiate yourself from your competitors.


The Basics

Secure your root account.


The root account on your AWS account has unlimited access to perform unlimited functions within your AWS account. There are very few functions th ..
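Because root can do anything, the first thing to verify is that it is locked down. The following is an added example (not code from the original post) that reads the SummaryMap returned by the real IAM GetAccountSummary API and flags a root account with no MFA, with access keys, or with signing certificates; the sample summary is constructed so the check runs offline, and the live fetch helper assumes boto3 and AWS credentials are available.

```python
"""Check root-account hardening posture from an IAM account summary.

Added example, not from the original post. root_account_findings() consumes
the SummaryMap of the IAM GetAccountSummary API (keys AccountMFAEnabled,
AccountAccessKeysPresent, AccountSigningCertificatesPresent). The sample
summary below is constructed so the check runs offline; fetch_summary() is
the optional live path and assumes boto3 plus AWS credentials.
"""
from typing import Dict, List

# Constructed sample: what a neglected root account might look like.
SAMPLE_SUMMARY: Dict[str, int] = {
    "AccountMFAEnabled": 0,
    "AccountAccessKeysPresent": 1,
    "AccountSigningCertificatesPresent": 0,
    "Users": 7,
}


def root_account_findings(summary: Dict[str, int]) -> List[str]:
    """Return findings about the root account; an empty list means clean."""
    findings: List[str] = []
    # Root must have a hardware or virtual MFA device registered.
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root: MFA is not enabled")
    # Long-lived root access keys should not exist at all.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root: access keys are present; delete them")
    # Root X.509 signing certificates are rarely needed and should be absent.
    if summary.get("AccountSigningCertificatesPresent", 0) != 0:
        findings.append("root: signing certificates are present; remove them")
    return findings


def fetch_summary() -> Dict[str, int]:
    """Optional live path (assumes boto3 and credentials are configured)."""
    import boto3  # imported lazily so the offline check does not need it
    return boto3.client("iam").get_account_summary()["SummaryMap"]


if __name__ == "__main__":
    for line in root_account_findings(SAMPLE_SUMMARY) or ["root: no findings"]:
        print(line)
```

Swap `SAMPLE_SUMMARY` for `fetch_summary()` to run it against a real account; the same keys are what a SOC 2 auditor will ask you to evidence for the root user.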
