Description

Amazon Web Services (AWS) is a cloud computing platform that provides access to technology services, such as infrastructure as a service and emerging technology services, on an as-needed basis. AWS comprises over 175 different services including compute, database, storage, machine learning, data lakes, analytics, and more.

Benefits

Up-to-date asset inventory
Once you integrate your AWS accounts with Comply, Comply will display the AWS resources, such as IAM users, IAM groups, EC2 instances, S3 buckets, and RDS instances owned by that AWS account. Comply gives you visibility into your AWS resources and simplifies the process of identifying your asset inventory by automatically updating and tagging "Service Accounts", "Groups", "Compute", and "Storage" asset groups in Comply.

Automated asset-based procedures
Comply makes it easy to stay on top of your governance and compliance processes through automated asset-based procedures. You can configure procedures in Comply to automatically trigger tickets whenever it detects a new or an inactive asset. For example, Comply can automatically trigger a ticket with your data deletion procedure to ensure data is deleted from backups and snapshots within 60 days when it detects that an RDS instance has been deactivated in your AWS account.

Automatic evidence collection
Comply will scan your services such as IAM, EC2, S3, and RDS to ensure that a wide range of security measures are correctly implemented (see the Automations table below for the full scope of what evidence is automatically collected).

Automated issue detection
When a Comply scan identifies something that's against common security practices, the Automation will create an issue. These issues can be automatically tracked and have reminders to help expedite remediation.

Security

Comply's AWS integration relies on a cross-account IAM role that you create in your own AWS account (see Setup below); no IAM user or long-lived access key is created for Comply. The role only needs read-only access to AWS services, and you control which services Comply can read through the IAM policy you attach to the role. Comply uses a narrow set of read-only API calls and does not write anything back into your AWS environment.

Automations

Each entry below lists the automation, the AWS service it scans, a description of the check, what Comply returns, and the framework mappings (ISO 27001 Annex A, SOC 2, HIPAA, PCI DSS).

Password Policy

IAM

Checks the account password policy for IAM users to see if it meets the following requirements:

  • Contains upper case, lower case, number, and symbol
  • Password length of minimum 14
  • Defined password age & defined reuse prevention values

Comply creates an issue if the account password policy does not meet the requirements.

ISO: A.9.2.4, A.9.4.2, A.9.4.3,
SOC 2: CC6.1,
HIPAA: 164.308(a)(5)(ii)(D), 164.312(d)

MFA Policy

IAM

Checks whether Multi-Factor Authentication is enabled for IAM users with access to the AWS console.

Comply creates an issue if MFA is not enabled for an IAM user.

ISO: A.9.3.1, A.9.4.2,
SOC 2: CC6.1
HIPAA: 164.312(d)

Database Backups

RDS

Checks whether database backups are enabled on RDS instances.

Comply creates an issue if backups are not enabled on RDS instances.

ISO: A.12.3.1
SOC 2: A1.2
HIPAA: 164.308(a)(7)(ii)(A), 164.310(d)(2)(iv)

Database Storage Encryption

RDS

Checks whether data encryption is enabled on RDS database instances.

Comply creates an issue if encryption is not enabled on RDS instances.

ISO: A.10.1.1
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

Database Key Status

RDS

Checks whether

  1. a Customer Master Key (CMK) exists in AWS KMS for the RDS instance and
  2. the key is enabled, if it is a customer managed CMK (AWS managed CMKs are permanently enabled).

Comply creates an issue if the RDS instance does not have an associated KMS key or if the key is disabled.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

Database Key Rotation

RDS

Checks whether automatic key rotation is enabled for the RDS key in KMS (automatic key rotation is disabled by default in KMS for customer managed CMKs; AWS managed CMKs are permanently set to rotate every 3 years).

Comply creates an issue if the key does not have automatic key rotation enabled.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv)

Database Key Age

RDS

Checks whether the RDS key age in KMS is less than 3 years old.

Comply creates an issue if the key is 3 years old or older.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv)

Database Replica

RDS

Checks whether the RDS instance has a read replica associated with it.

Comply creates an issue if a read replica has not been created for the RDS instance.

Database In Transit Encryption

RDS

Checks whether the RDS instance has a valid SSL/TLS certificate associated with it.

Comply creates an issue if an SSL/TLS certificate is missing, invalid, or expired.

ISO: A.10.1.1
SOC 2: CC6.7
HIPAA: 164.312(e)(2)(i)

Network Hardware Isolation

EC2

Checks whether the EC2 instance is running on single-tenant (dedicated) hardware.

Comply creates an issue if an EC2 instance was launched on shared hardware (default VPC tenancy attribute).

ISO: A.13.1.1, A.13.1.2, A.13.1.3

Ingress Rules

EC2

Checks whether ingress access to the EC2 instance is limited through security group rules to specified source security groups or IP address ranges.

Comply creates an issue if any security group rule attached to the EC2 instance allows inbound traffic from anywhere (0.0.0.0/0 for IPv4 or ::/0 for IPv6).

ISO: A.13.1.2
SOC 2: CC6.6, CC7.1

Data In Transit Encryption

EC2

Checks whether a SSL/TLS server certificate is attached to the EC2’s Elastic Load Balancer (ELB) in AWS Certificate Manager (ACM).

Comply creates an issue if an SSL/TLS certificate is not attached to an EC2’s ELB.

ISO: A.10.1.1
SOC 2: CC6.7
HIPAA: 164.312(e)(2)(i)

Signed by Certificate Authority

EC2

Checks whether the SSL/TLS server certificate attached to the EC2’s ELB is issued by a certificate authority (CA).

Comply creates an issue if the SSL/TLS certificate attached to the EC2’s ELB is self-signed.

ISO: A.10.1.1
SOC 2: CC6.7
HIPAA: 164.312(e)(2)(i)

SSH Ports

EC2

Checks whether a security group attached to the EC2 instance allows inbound SSH on the default port, TCP 22.

Comply creates an issue if inbound traffic to port 22 is allowed.

ISO: A.13.1.2
SOC 2: CC6.6, CC7.1

MFA Delete Policy

S3

Checks whether the S3 bucket has MFA Delete enabled (requires MFA to permanently delete an object version or to change the bucket's versioning state; MFA Delete can only be enabled on a bucket with versioning enabled).

Comply creates an issue if MFA Delete is disabled on the S3 bucket.

ISO: A.9.3.1, A.9.4.2
SOC 2: CC6.1
HIPAA: 164.312(d)

Public Data Access

S3

Checks whether the S3 bucket allows public read or write access.

Comply creates an issue if the S3 bucket allows public read or write access.

ISO: A.14.1.2, A.13.1.1
SOC 2: CC6.6, CC6.7

Storage Encryption

S3

Checks whether server-side encryption is enabled on S3 buckets (includes replicas).

Comply creates an issue if server-side encryption is not enabled on an S3 bucket.

ISO: A.10.1.1
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

Storage Key Status

S3

Checks whether 1) an S3-managed encryption key exists or if a Customer Master Key (CMK) exists in AWS KMS for the S3 bucket and 2) whether the CMK is enabled if using customer managed CMKs (AWS managed CMKs are permanently enabled).

Comply creates an issue if the S3 bucket does not have an associated encryption key or if the key is disabled.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

Storage Key Rotation

S3

Checks whether automatic key rotation is enabled for the S3 key in KMS (automatic key rotation is disabled by default in KMS for customer managed CMKs; AWS managed CMKs are permanently set to rotate every 3 years).

Comply creates an issue if the key does not have automatic key rotation enabled.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv)

Storage Key Age

S3

Checks whether the S3 key age in KMS is less than 3 years old.

Comply creates an issue if the key is 3 years old or older.

ISO: A.10.1.2
SOC 2: CC6.1
HIPAA: 164.312(a)(2)(iv)

Data Replication

S3

Checks whether replication is configured on the S3 bucket.

Comply creates an issue if replication is not configured on the S3 bucket.

Audit Logging

S3

Checks whether access logging is enabled on the S3 bucket.

Comply creates an issue if access logging is not enabled on the S3 bucket.

ISO: A.12.4.1
SOC 2: CC7.2
HIPAA: 164.308(a)(1)(ii)(D)
164.308(a)(5)(ii)(C)
164.312(b)
164.312(c)(2)
164.312(e)(2)(i)
PCI: 3.1
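The checks in several of the entries above (Password Policy; Ingress Rules and SSH Ports; the Key Status, Key Rotation and Key Age entries for RDS and S3) can be reproduced locally from the raw API responses. The following is an added example written for this page, not Comply's code: it takes dicts in the shape boto3 returns from iam.get_account_password_policy(), ec2.describe_security_groups(), kms.describe_key() and kms.get_key_rotation_status(), applies the thresholds stated in the table (minimum length 14, 0.0.0.0/0 and ::/0, TCP port 22, three years) and returns the issues a scan would raise. All sample values are constructed and nothing in it calls AWS.

```python
"""Offline re-implementation of several Automations entries above. Added example,
not Comply's code: the input dicts mirror the shapes boto3 returns from
iam.get_account_password_policy(), ec2.describe_security_groups() and
kms.describe_key() / kms.get_key_rotation_status(); all sample values below are
constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SSH_PORT = 22
MAX_KEY_AGE = timedelta(days=3 * 365)   # "less than 3 years old" (Key Age entries)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}     # "allows all inbound traffic" (Ingress Rules)


def password_policy_issues(policy: Dict) -> List[str]:
    """Password Policy entry: return each requirement that `policy` fails.
    `policy` is the 'PasswordPolicy' member of the GetAccountPasswordPolicy response."""
    issues = []
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not policy.get(flag, False):
            issues.append(f"{flag} is off")
    if policy.get("MinimumPasswordLength", 0) < 14:
        issues.append("MinimumPasswordLength < 14")
    # IAM omits these two keys entirely when no value has ever been set.
    if "MaxPasswordAge" not in policy:
        issues.append("no MaxPasswordAge")
    if "PasswordReusePrevention" not in policy:
        issues.append("no PasswordReusePrevention")
    return issues


def _admits_port(perm: Dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP `port` ("-1" = all protocols and ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def security_group_issues(group: Dict) -> List[str]:
    """Ingress Rules and SSH Ports entries, for one item of describe_security_groups()."""
    issues = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                issues.append(f"ingress open to {cidr}")
        if _admits_port(perm, SSH_PORT):
            issues.append("SSH (TCP/22) reachable inbound")
    return list(dict.fromkeys(issues))  # de-duplicate, keep first-seen order


def kms_key_issues(metadata: Dict, rotation_enabled: bool,
                   now: Optional[datetime] = None) -> List[str]:
    """Key Status, Key Rotation and Key Age entries for one KMS key. `metadata` is the
    'KeyMetadata' member of DescribeKey; `rotation_enabled` is 'KeyRotationEnabled'
    from GetKeyRotationStatus."""
    now = now or datetime.now(timezone.utc)
    issues = []
    if metadata.get("KeyState") != "Enabled":
        issues.append(f"key state is {metadata.get('KeyState')}")
    if not rotation_enabled:
        issues.append("automatic rotation disabled")
    if now - metadata["CreationDate"] >= MAX_KEY_AGE:
        issues.append("key is 3 years old or older")
    return issues


# Constructed sample responses (not real account data).
SAMPLE_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False,
    "ExpirePasswords": False, "PasswordReusePrevention": 24,
}
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
SAMPLE_KEY = {"KeyId": "11111111-2222-3333-4444-555555555555", "KeyState": "Enabled",
              "KeyManager": "CUSTOMER",
              "CreationDate": datetime(2017, 1, 1, tzinfo=timezone.utc)}
SCAN_TIME = datetime(2021, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    print("password policy:", password_policy_issues(SAMPLE_PASSWORD_POLICY))
    print("security group :", security_group_issues(SAMPLE_GROUP))
    print("kms key        :", kms_key_issues(SAMPLE_KEY, rotation_enabled=False, now=SCAN_TIME))
```

To run the same logic against a live account, feed the functions the responses from the four boto3 calls named in the docstrings; those map to iam:GetAccountPasswordPolicy, ec2:DescribeSecurityGroups, kms:DescribeKey and kms:GetKeyRotationStatus, all of which the IAM Policy below already grants, so the role you create for Comply is sufficient for an independent spot check.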

Events

Our AWS integration will trigger many events immediately after the integration is connected and on an ongoing basis thereafter.

  • Adequate Password Policy - Password policy meets specific requirements.

  • Inadequate Password Policy - Password policy doesn't meet the specific requirements.

  • Unknown Password Policy - No password policy was found in IAM.

  • MFA Policy Enabled - The policy requiring IAM users with access to the AWS console to have MFA enabled is turned on.

  • MFA Policy Disabled - The policy requiring IAM users with access to the AWS console to have MFA enabled is turned off.

  • Unknown MFA Policy - No policy requiring IAM users with access to the AWS console to have MFA enabled was detected.

  • Data Backups On - Database backups are enabled on RDS instances.

  • Data Backups Off - Database backups are disabled on RDS instances.

  • Database Storage Encrypted - Data encryption is enabled on RDS database instances.

  • Database Storage Unencrypted - Data encryption is disabled on RDS database instances.

  • Database Key Enabled - A Customer Master Key (CMK) exists in AWS KMS for the RDS instance and the key is enabled if using customer managed CMKs (AWS managed CMKs are permanently enabled).

  • Database Key Disabled - A CMK doesn't exist in AWS KMS for the RDS instance OR the key is disabled if using customer managed CMKs.

  • Database Key Rotation Enabled - Automatic key rotation is enabled for the RDS key in KMS (automatic key rotation is disabled by default in KMS for customer managed CMKs; AWS managed CMKs are permanently set to rotate every 3 years).

  • Database Key Rotation Disabled - Automatic key rotation is disabled for the RDS key in KMS.

  • Adequate Database Key Age - The RDS key age in KMS is less than 3 years old.

  • Inadequate Database Key Age - The RDS key age in KMS is equal to or more than 3 years old.

  • Database Replica Enabled - The RDS instance has a read replica associated with it.

  • Database Replica Disabled - The RDS instance does not have a read replica associated with it.

  • Database In Transit Encrypted - The RDS instance has a valid SSL/TLS certificate associated with it.

  • Database In Transit Decrypted - The RDS instance does not have a valid SSL/TLS certificate associated with it.

  • Adequate Hardware Isolation - The EC2 instance is running on single-tenant (dedicated) hardware.

  • Inadequate Hardware Isolation - The EC2 instance is not running on single-tenant (dedicated) hardware.

  • Adequate Ingress Rules - Ingress access to the EC2 instance is limited through the use of security groups and a specified range of IP addresses.

  • Inadequate Ingress Rules - Ingress access to the EC2 instance is not limited to specific security groups or range of IP addresses.

  • Data In Transit Encrypted - An SSL/TLS server certificate is attached to the EC2’s Elastic Load Balancer (ELB) in AWS Certificate Manager (ACM).

  • Data In Transit Decrypted - No SSL/TLS server certificate is identified on the ELB in ACM.

  • Authority Signed Certificate - The SSL/TLS server certificate attached to the EC2’s ELB is issued by a certificate authority (CA).

  • Self Signed Certificate - The SSL/TLS server certificate attached to the EC2’s ELB is self-signed.

  • Non-default SSH Port - EC2 instances do not have SSH enabled on port 22.

  • Default SSH Port - EC2 instances have SSH enabled on port 22 (the default SSH port).

  • MFA Delete Policy Enabled - MFA Delete is enabled on the S3 bucket.

  • MFA Delete Policy Disabled - MFA Delete is disabled on the S3 bucket.

  • Storage Encrypted - Encryption is enabled on S3 buckets.

  • Storage Unencrypted - Encryption is disabled on S3 buckets.

  • Storage Key Enabled - An S3-managed encryption key exists, or a Customer Master Key (CMK) exists in AWS KMS for the S3 bucket and, if it is a customer managed CMK, the key is enabled (AWS managed CMKs are permanently enabled).

  • Storage Key Disabled - No encryption key is associated with the S3 bucket, or the bucket's customer managed CMK in AWS KMS is disabled.

  • Storage Key Rotation Enabled - Automatic key rotation is enabled for the S3 key in KMS (automatic key rotation is disabled by default in KMS for customer managed CMKs; AWS managed CMKs are permanently set to rotate every 3 years).

  • Storage Key Rotation Disabled - Automatic key rotation is disabled for the S3 key in KMS.

  • Adequate Storage Key Age - The S3 key age in KMS is less than 3 years old.

  • Inadequate Storage Key Age - The S3 key age in KMS is equal to or more than 3 years old.

  • Data Replication Enabled - Replication is enabled on the S3 bucket.

  • Data Replication Disabled - Replication is disabled on the S3 bucket.

  • Public Data Access Disabled - Neither public read nor public write access is allowed on the S3 bucket.

  • Public Data Access Enabled - Public read or write access is allowed on the S3 bucket.

  • Audit Logging Enabled - Logging is enabled on the S3 bucket.

  • Audit Logging Disabled - Logging is disabled on the S3 bucket.

Setup

  1. Navigate to the Integrations Configuration section: Automations > Integration Configuration
  2. Click Add Integration, and select AWS.
  3. Follow the instructions in the Comply app to create a new AWS IAM role in the AWS console. Comply uses cross-account, role-based authentication to access your AWS account.
    a. Log into the AWS IAM console.
    b. Create a new AWS role.
    c. Select “Another AWS Account” as the trusted entity type.
    d. Enter 517294851430 in the account number field (this number is provided on the AWS integration setup page in the Comply app).
    e. Enter the external ID provided on the AWS integration setup page in the Comply app in the external ID field.
    f. Attach the policy from the Comply app (the IAM Policy below) to the IAM role.
    g. Follow the prompts in the IAM console to finish setting up the role.
  4. Once the role is created in the AWS console, copy the role’s ARN and paste it into the Role ARN field in the Comply app.
  5. Specify the AWS region where your resources live by default. If your resources are deployed in multiple AWS regions, you will need to set up a separate Comply-AWS integration for each region.
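Steps c through e above are what produce the role's trust relationship, and the external ID is the part that matters for security: without it, anyone who learns your role ARN could point their own Comply integration at it. The following is an added example, not Comply's code and not the text the Comply app shows: it builds the trust policy for a role assumable only by the Comply account when the external ID is presented, and checks an existing trust policy for the two mistakes that matter here, a wildcard principal or a cross-account principal with no sts:ExternalId condition. 517294851430 is the account number from step d; the external ID value and the 123456789012 own-account number are placeholders.

```python
"""Added example, not Comply's code: the trust policy that steps c-e above produce,
plus a check that any role delegated to an outside account requires an
sts:ExternalId. 517294851430 is the Comply account number from step d; the
external ID and the own-account number are placeholders."""
import json
from typing import Dict, List

COMPLY_ACCOUNT_ID = "517294851430"
EXTERNAL_ID = "replace-with-the-value-shown-in-the-comply-app"   # placeholder
OWN_ACCOUNT_ID = "123456789012"                                  # placeholder


def trust_policy(trusted_account: str, external_id: str) -> Dict:
    """Trust (assume-role) policy: only `trusted_account` may assume the role, and only
    when it presents `external_id`. The condition is the confused-deputy protection:
    a third party that knows your role ARN but not the external ID is refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> List:
    """IAM policy JSON allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(doc: Dict, own_account: str) -> List[str]:
    """Return the Allow/sts:AssumeRole statements in `doc` that trust a wildcard, or a
    foreign account without an sts:ExternalId condition. Principals inside
    `own_account` are skipped: the external ID only matters for cross-account trust."""
    problems = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        has_external_id = "sts:ExternalId" in st.get("Condition", {}).get("StringEquals", {})
        for p in aws:
            if p == "*":
                problems.append(f"statement {i}: Principal is '*'")
            elif own_account not in p and not has_external_id:
                problems.append(f"statement {i}: trusts {p} without sts:ExternalId")
    return problems


if __name__ == "__main__":
    policy = trust_policy(COMPLY_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=4))                   # paste into the role's trust relationship
    print(trust_policy_problems(policy, OWN_ACCOUNT_ID))  # []
```

The printed JSON is what the IAM console generates from steps c through e; if you create the role with the AWS CLI or infrastructure-as-code instead, pass it as the assume-role policy document. Running trust_policy_problems() over the trust policies of every role in the account (iam:GetRole returns them in AssumeRolePolicyDocument) is a quick way to catch a third-party role that was created without the external ID.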

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetGroup"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:group/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:GenerateCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "rds:DescribeDBInstanceAutomatedBackups",
                "s3:GetLifecycleConfiguration",
                "ec2:DescribeInstances",
                "s3:GetBucketTagging",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "elasticloadbalancing:DescribeLoadBalancers",
                "s3:GetEncryptionConfiguration",
                "elasticloadbalancing:DescribeListeners",
                "kms:GetKeyRotationStatus",
                "rds:DescribeDBInstances",
                "kms:DescribeKey",
                "iam:GetCredentialReport",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "ec2:DescribeSecurityGroups",
                "s3:GetReplicationConfiguration",
                "rds:ListTagsForResource",
                "s3:ListAllMyBuckets",
                "acm:DescribeCertificate",
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:ListUsers",
                "iam:ListGroups",
                "rds:DescribeCertificates",
                "rds:DescribeDBClusters",
                "iam:ListUserTags"
            ],
            "Resource": "*"
        }
    ]
}

Troubleshooting

Common integration set-up issues include:

  1. Configuring the AWS role incorrectly in the AWS console. [Fix: verify that you used 1) the correct AWS account number, and 2) the external ID listed in the set-up screen in Comply.]
  2. Configuring the AWS integration incorrectly in Comply. [Fix: verify that you used the full role ARN provided in the IAM console, not just the role name.]
  3. Using an incorrect IAM policy. [Fix: please use the IAM policy from above when setting up your new IAM role.]
  4. Misspelling the AWS region. [Fix: please use the following format: us-east-1.]

If you receive an error message when trying to sync your integration, please check the above items and contact [email protected] if the problem persists.

