Chandra Tandukar

Audit procedure and steps for data gathering

An audit involves several steps. The first is to prepare an audit charter that defines the rules of conduct; the charter sets out the purpose, responsibility, authority and accountability of the audit function. The next step is adequate planning: assess the associated risks and develop an audit program that fixes the audit objectives and the audit procedures. The audit itself gathers evidence, evaluates the controls against that evidence and tests them. Based on the evidence and the test results, an audit report is prepared that documents the overall process and recommends how to mitigate the issues encountered, through risk treatment that addresses the objectives of the business.

To demonstrate some of the evidence-gathering steps, here is a scenario to be audited. An AWS demo environment is audited for security, to observe whether its controls meet the AWS security compliance checklist. The instances in this environment were created through CloudFormation. The security and compliance of the environment are evaluated against the AWS-OCIE Cybersecurity Audit Guide.

AWS operates a shared responsibility model in which AWS and the customer divide the security and compliance duties between them. Physical controls and other controls on the AWS side cannot be inspected by the customer, so this demonstration of evidence gathering against the AWS-OCIE cybersecurity guidance considers only selected customer-side services.

Governance

Under the governance section, the audit determines which AWS services have been purchased, gathers system and software information, and reviews the governance structure, policies, procedures and plans for applying these services. Governance reflects the customer's direction and intent and the security posture of the AWS environment.

Table 1: Investigation of AWS governance (i)

Description


Documentation and Inventory

The aim is to verify that all critical AWS systems and the AWS network are documented in an inventory and that access to them is controlled. AWS Config is reviewed for the resource inventory and the configuration history of resources, and AWS Organizations for the ability to apply policy-based controls centrally across multiple accounts.

Evidence


Figure 1: Status of AWS Organization Configuration

Figure 2: Status of AWS Config

Findings


AWS Organizations is not configured in this environment, so there are no organizational units, and AWS Config is not enabled either. Consequently there is no resource inventory or configuration history to review, and no access logs to review.

Compliance


The AWS environment does not comply with the AWS checklist.

Table 2: Investigation of AWS governance (ii)

Description


Similarly, to investigate the resource tags in the AWS environment, the command below was run through the AWS CLI:

aws ec2 describe-tags

Evidence


Figure 3: Status of tags

Findings


The finding is that all resources in the AWS environment are tagged.

Compliance


It complies.
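Reading the `describe-tags` output by eye scales badly once the account has more than a handful of resources. The following script, added here as an example and not part of the original post, regroups the flat `Tags` list by resource and reports every resource that lacks a key required by the tagging standard. The sample output, the resource IDs and the required keys (`Name`, `Owner`, `Environment`) are constructed for the example; substitute the real `aws ec2 describe-tags --output json` output and the organisation's own standard.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-tags`
# (resource IDs and tag values are made up for this example).
SAMPLE_DESCRIBE_TAGS = json.dumps({"Tags": [
    {"Key": "Name", "ResourceId": "i-0a1b2c3d4e5f60001", "ResourceType": "instance", "Value": "web-1"},
    {"Key": "Owner", "ResourceId": "i-0a1b2c3d4e5f60001", "ResourceType": "instance", "Value": "platform-team"},
    {"Key": "Environment", "ResourceId": "i-0a1b2c3d4e5f60001", "ResourceType": "instance", "Value": "prod"},
    {"Key": "Name", "ResourceId": "i-0a1b2c3d4e5f60002", "ResourceType": "instance", "Value": "web-2"},
    {"Key": "Environment", "ResourceId": "i-0a1b2c3d4e5f60002", "ResourceType": "instance", "Value": "prod"},
    {"Key": "aws:cloudformation:stack-name", "ResourceId": "vol-0123456789abcdef0",
     "ResourceType": "volume", "Value": "demo-stack"},
]})

# Assumed tagging standard: every resource must carry these keys.
REQUIRED_TAG_KEYS = ("Name", "Owner", "Environment")


def tags_by_resource(describe_tags_json):
    """Regroup the flat Tags list into {resource_id: {key: value}}."""
    grouped = {}
    for tag in json.loads(describe_tags_json)["Tags"]:
        grouped.setdefault(tag["ResourceId"], {})[tag["Key"]] = tag["Value"]
    return grouped


def missing_required_tags(describe_tags_json, required=REQUIRED_TAG_KEYS):
    """Return {resource_id: [missing keys]} for every resource that fails the standard."""
    findings = {}
    for resource_id, tags in tags_by_resource(describe_tags_json).items():
        missing = [key for key in required if key not in tags]
        if missing:
            findings[resource_id] = missing
    return findings


if __name__ == "__main__":
    for resource_id, missing in missing_required_tags(SAMPLE_DESCRIBE_TAGS).items():
        print(f"{resource_id}: missing {', '.join(missing)}")
```

Two caveats when using this as audit evidence. `describe-tags` only returns resources that carry at least one tag, so a completely untagged instance never appears in the output and must be found by cross-checking against `aws ec2 describe-instances` (or `aws resourcegroupstaggingapi get-resources`, which also covers services outside EC2). And `aws:`-prefixed tags such as `aws:cloudformation:stack-name` are applied by AWS itself, so a resource that carries only those, like the volume in the sample, has not really been tagged by the owner.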

Table 3: Investigation of AWS governance (iii)

Description


This section reviews the connectivity between the customer's network and the AWS platform by checking which on-premises public IPs are mapped to customer gateways in the VPCs, using the commands below:

aws ec2 describe-customer-gateways

aws ec2 describe-vpn-connections

Evidence


Figure 4: Status of gateway and VPN Connection

Findings


The evidence shows that no customer gateways or VPN connections are set up in the AWS environment.

Compliance


It does not comply.

Table 4: Investigation of AWS governance (iv)

Description


The commands below investigate Direct Connect private connections, which a customer may map to more than one VPC:

aws directconnect describe-connections

aws directconnect describe-interconnects

aws directconnect describe-connections-on-interconnect

aws directconnect describe-virtual-interfaces

Evidence


Figure 5: Status of directconnect

Findings


No Direct Connect connections are set up, so there is no dedicated connection between the on-premises network and the AWS VPCs.

Compliance


It does not comply.

Network Configuration and Management

The audit also examines network configuration and management, to check the compliance of the AWS network configuration with the security assurance standard and checklist and to review the network controls in that light.

Table 5: Investigation of AWS network configuration and management (i)

Description


The commands below (the same ones used in the governance section) list all customer gateways and VPN connections in the AWS environment:

aws ec2 describe-customer-gateways

aws ec2 describe-vpn-connections

Evidence


Figure 6: Status of gateway and VPN Connection

Findings


The evidence shows that no customer gateways or VPN connections are set up in the AWS environment, and the corresponding network controls are not in place.

Compliance


It does not comply.

Table 6: Investigation of AWS network configuration and management (ii)

Description


List all customer Direct Connect connections:

aws directconnect describe-connections

aws directconnect describe-interconnects

aws directconnect describe-connections-on-interconnect

aws directconnect describe-virtual-interfaces

Evidence


Figure 7: Status of direct connections

Findings


No Direct Connect connections are set up, so there is no dedicated connection between the on-premises network and the AWS VPCs.

Compliance


It does not comply.

Table 7: Investigation of AWS network configuration and management (iii)

Description


This section investigates the security group configuration through the CLI command below:

aws ec2 describe-security-groups

Evidence


Figure 8: Status of security groups

Findings


There are three security groups with inbound and outbound rules defined, but the rules for SSH (TCP 22) and RDP (TCP 3389) are not restricted to private, authorized source IP addresses.

Compliance


It does not comply.
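The SSH/RDP finding above is the kind of check worth automating, because `describe-security-groups` output is verbose and an exposed rule is easy to miss among legitimate ones. The script below, added here as an example and not code from the original post, walks the `IpPermissions` of each group and reports every inbound rule that admits TCP 22 or 3389 from a CIDR outside an authorised allow-list. The sample groups, their IDs and the assumed corporate egress range `203.0.113.0/24` are constructed for the example; rules whose source is another security group (`UserIdGroupPairs`) are not CIDRs and are left alone, and a protocol of `-1` (all traffic) is treated as covering both ports.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (group IDs, names and CIDRs are made up for this example).
SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "rdp-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60002"}]}]},
]})

# Assumed corporate egress range from which administrative access is authorised.
AUTHORISED_ADMIN_SOURCES = ["203.0.113.0/24"]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":          # all protocols and all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def source_is_authorised(cidr, allowlist):
    """True if `cidr` lies entirely inside one of the allow-listed networks."""
    src = ipaddress.ip_network(cidr, strict=False)
    for allowed in allowlist:
        net = ipaddress.ip_network(allowed, strict=False)
        if net.version == src.version and src.subnet_of(net):
            return True
    return False


def exposed_admin_rules(describe_sgs_json, allowlist=AUTHORISED_ADMIN_SOURCES):
    """Return (group_id, service, source_cidr) for every inbound SSH/RDP rule
    whose CIDR source is not authorised."""
    findings = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for port, service in ADMIN_PORTS.items():
                if not rule_covers_port(rule, port):
                    continue
                for src in sources:
                    if not source_is_authorised(src, allowlist):
                        findings.append((sg["GroupId"], service, src))
    return findings


if __name__ == "__main__":
    for group_id, service, src in exposed_admin_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {service} open to {src}")
```

Only the `web` and `wide-open` groups are reported: `rdp-admin` limits RDP to a single authorised address, and `app` accepts SSH only from `rdp-admin`, which is the pattern the finding asks for. Note that a security group being misconfigured only matters if it is attached to something, so pair this with `aws ec2 describe-instances` (the `SecurityGroups` field of each instance) before rating the finding.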

Asset Configuration and Management

This section of the audit verifies application security and operating system management, to protect the security, stability and integrity of the assets.

Table 8: Investigation of AWS asset configuration and management

Description


The command below was intended to list the instances created in the AWS environment with basic details such as machine ID, image location, operating system and version. AWS offers a wide variety of operating systems that users can select as required. Note that `describe-images --owners self` returns only the Amazon Machine Images owned by this account, not the running instances; the instance inventory itself, including the ImageId each instance was launched from, comes from `describe-instances`.

aws ec2 describe-images --owners self

aws ec2 describe-instances

Evidence


Figure: Status of Instance and Operating System (CLI)

Figure 9: Status of Instance and Operating System (GUI)

Findings


There are three instances, but the `describe-images` command returned no details because it lists only AMIs owned by the account. The instances are instead evidenced from the AWS console, which shows the instance state, key pair and security group details.

Compliance


It complies.

Logical Access Control

Logical access control covers access management, authentication and authorization. It checks the users, groups, roles and credentials configured in the AWS account.

Table 9: Investigation of AWS logical access control (i)

Description


The roles, groups and users in the AWS account, and the policies attached to them, are investigated through the commands below. The documentation of how the AWS access controls are used and configured is also reviewed.

aws iam list-roles

aws iam list-groups

aws iam list-users

Evidence


Figure 10: Status of IAM Roles

Figure 11:Status of IAM Groups

Figure 12: Status of IAM Users

Findings


There is only one role, the AWS service role for Support, two groups (admin and read-only) and two users. Basic access management is in place, but this does not meet the security standard.

Compliance


It does not comply.

Table 10: Investigation of AWS logical access control (ii)

Description


Personnel controls restrict users to the AWS services needed for their business function. To check that the policies assigned to groups, roles and users comply with the standard, the following commands were run (XXXX stands for the role, group or user name):

aws iam list-attached-role-policies --role-name XXXX

aws iam list-attached-group-policies --group-name XXXX

aws iam list-attached-user-policies --user-name XXXX

Evidence


Figure 13: Status of Policy in IAM Roles

Figure 14: Status of IAM Groups and Users

Findings


Policies are attached to the roles and groups, and users are bound to policies through group membership, but the policy assignment in each group and role is thin. It nevertheless satisfies the checklist requirement.

Compliance


It complies.
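The three `list-attached-*-policies` commands above answer "which policies are attached", but the least-privilege question an auditor has to answer is "which people end up with what". The script below, added here as an example rather than code from the original post, joins the output of `list-attached-group-policies`, `get-group` (which returns the group's `Users`) and `list-attached-user-policies` to report every user who inherits `AdministratorAccess` through a group and every user who has a policy attached directly instead of through a group. The group and user names and the attached policies are constructed to mirror the admin/read-only layout described in the findings; the ARN `arn:aws:iam::aws:policy/AdministratorAccess` is the real AWS managed policy.

```python
import json

# AWS managed policies that grant unrestricted access.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Constructed outputs keyed by group or user name, in the shape returned by
# `aws iam list-attached-group-policies`, `aws iam get-group` and
# `aws iam list-attached-user-policies` (names and memberships are made up).
GROUP_POLICIES = {
    "admin": json.dumps({"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}),
    "read-only": json.dumps({"AttachedPolicies": [
        {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]}),
}
GROUP_MEMBERS = {
    "admin": json.dumps({"Group": {"GroupName": "admin"},
                         "Users": [{"UserName": "alice"}, {"UserName": "bob"}]}),
    "read-only": json.dumps({"Group": {"GroupName": "read-only"},
                             "Users": [{"UserName": "bob"}]}),
}
USER_POLICIES = {
    "alice": json.dumps({"AttachedPolicies": []}),
    "bob": json.dumps({"AttachedPolicies": [
        {"PolicyName": "AmazonS3FullAccess", "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]}),
}


def attached_arns(list_attached_json):
    """Set of policy ARNs from a list-attached-*-policies response."""
    return {p["PolicyArn"] for p in json.loads(list_attached_json)["AttachedPolicies"]}


def effective_admins(group_policies, group_members):
    """Users who receive an admin policy through membership of a group."""
    admins = set()
    for group, policies_json in group_policies.items():
        if attached_arns(policies_json) & ADMIN_POLICY_ARNS:
            admins.update(u["UserName"] for u in json.loads(group_members[group])["Users"])
    return sorted(admins)


def direct_user_attachments(user_policies):
    """Users with policies attached directly, bypassing the group model."""
    return sorted(user for user, j in user_policies.items() if attached_arns(j))


def policy_findings(group_policies, group_members, user_policies):
    """(user, finding) pairs for the access-control review."""
    findings = [(u, "AdministratorAccess via group") for u in effective_admins(group_policies, group_members)]
    findings += [(u, "policy attached directly to user") for u in direct_user_attachments(user_policies)]
    return findings


if __name__ == "__main__":
    for user, finding in policy_findings(GROUP_POLICIES, GROUP_MEMBERS, USER_POLICIES):
        print(f"{user}: {finding}")
```

Two gaps remain that the `list-attached-*` commands cannot close: inline policies are returned by `list-group-policies`, `list-user-policies` and `list-role-policies` instead, and customer-managed policies need `get-policy-version` to see whether they contain `"Action": "*"` on `"Resource": "*"`. For anything beyond a two-user account, `aws iam get-account-authorization-details` returns users, groups, roles, memberships and both attached and inline policy documents in a single call.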

Data Encryption

This section examines the encryption of data at rest in the AWS environment and of data in motion across the AWS network and private connections. To assess data protection, the encryption controls are reviewed through the KMS keys.

Table 11: Investigation of AWS data encryption

Description


Encryption controls ensure that appropriate encryption is in place. The command below lists the key management service aliases configured in the environment:

aws kms list-aliases

Evidence


Figure 15:Status of KMS

Findings


AWS provides KMS keys for services such as DynamoDB, S3 and EBS to encrypt data. The alias list shows which keys exist; whether a given volume or bucket is actually encrypted with them has to be confirmed on the resource itself.

Compliance


It complies.

Security Logging and Monitoring

Logging and monitoring should be in place to detect unauthorized access to the system, and the state of the logging and monitoring policies and procedures is investigated and reviewed. AWS provides several tools for this, such as VPC Flow Logs, AWS Config, AWS CloudTrail and Amazon CloudWatch.

Table 12: Investigation of AWS security logging and monitoring

Description


This section investigates the IAM credential report for signs of unauthorized access, through the commands below:

aws iam generate-credential-report

aws iam get-credential-report

Evidence


Figure 16: Status of credential report

Findings


The credential report is generated, but the logging and monitoring tools (VPC Flow Logs, AWS Config, AWS CloudTrail, Amazon CloudWatch) are not enabled in the AWS environment.

Compliance


It does not comply.
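`get-credential-report` does not return a readable table: the response carries the report as a base64-encoded CSV in its `Content` field, with one row per IAM user plus a `<root_account>` row. The script below, added as an example and not code from the original post, decodes that response and applies the checks an auditor typically wants from it: root with an active access key or without MFA, console users without MFA, active access keys older than a rotation limit, and active keys that have never been used. The report content, the account ID `111122223333`, the users, the audit date `2020-05-03` and the 90-day rotation limit are all constructed for the example; the column names are those of the real report.

```python
import base64
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed credential report rows using the real column layout
# (account ID, users and dates are made up for this example).
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2020-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-06-01T00:00:00+00:00,true,2020-05-02T08:00:00+00:00,2020-01-10T00:00:00+00:00,N/A,true,true,2020-04-01T00:00:00+00:00,2020-05-02T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-06-01T00:00:00+00:00,true,no_information,2019-06-01T00:00:00+00:00,N/A,false,true,2019-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Shape of the `aws iam get-credential-report` response: Content is base64 CSV.
SAMPLE_GET_CREDENTIAL_REPORT = json.dumps({
    "Content": base64.b64encode(CREDENTIAL_REPORT_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
    "GeneratedTime": "2020-05-03T00:00:00+00:00",
})

AS_OF = datetime(2020, 5, 3, tzinfo=timezone.utc)   # assumed audit date
MAX_KEY_AGE = timedelta(days=90)                    # assumed rotation policy


def parse_report_time(value):
    """Report timestamps are ISO 8601; N/A-style markers mean 'no date'."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def decode_report(get_credential_report_json):
    """Turn the CLI response into a list of row dicts keyed by column name."""
    raw = base64.b64decode(json.loads(get_credential_report_json)["Content"]).decode()
    return list(csv.DictReader(io.StringIO(raw)))


def credential_findings(get_credential_report_json, as_of=AS_OF, max_key_age=MAX_KEY_AGE):
    """(user, finding) pairs for the logical access and monitoring review."""
    findings = []
    for row in decode_report(get_credential_report_json):
        user = row["user"]
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_report_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and as_of - rotated > max_key_age:
                findings.append((user, f"access key {n} older than {max_key_age.days} days"))
            if parse_report_time(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in credential_findings(SAMPLE_GET_CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
```

In practice `generate-credential-report` is asynchronous: it returns a `State` of `STARTED` or `INPROGRESS` until the report is ready, and `get-credential-report` fails until the state is `COMPLETE`, so poll the first command before running the second. The report shows credential hygiene and last-use times; it is not an access log, so the CloudTrail gap noted in the finding above still stands.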

Security Incident Response

This section reviews the security events captured by the monitoring and logging services such as CloudTrail, CloudWatch and AWS Config. Because these services are not enabled, there are no tools or controls in place to respond to incidents.

Disaster Recovery

A disaster recovery plan addresses disaster scenarios that could seriously affect the system and the business. The review covers SLAs, OLAs, the business continuity plan, and backup and storage controls.

Table 13: Investigation of AWS disaster recovery

Description


The investigation reviewed the periodic testing of backups of AWS services. The commands below show the status of EBS volume snapshots and backups (XXXXXXX stands for the volume ID). Note that `create-snapshot` changes the environment by creating a new snapshot, so it is not an evidence-gathering command; an auditor should rely on the read-only `describe-snapshots` query and leave snapshot creation to the system owner.

aws ec2 create-snapshot --volume-id XXXXXXX

aws ec2 describe-snapshots --filters "Name=volume-id,Values=XXXXXXX"

Evidence


Figure 17: Status of EC2 volume details and EBS Backup

Findings


The result shows that there are no backups or snapshots.

Compliance


It does not comply.
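Filtering `describe-snapshots` by one volume ID answers the question for one volume; the backup control is only evidenced when every volume has a recent, completed snapshot. The script below, added here as an example and not part of the original post, joins `describe-volumes` with `describe-snapshots --owner-ids self` and reports each volume that has no completed snapshot, or whose newest completed snapshot is older than the backup policy allows. Snapshots in `error` or `pending` state are ignored, since they are not a usable backup. The volumes, snapshots, the audit date `2020-05-03` and the 7-day maximum age are constructed for the example; the `--owner-ids self` flag matters because without it `describe-snapshots` also returns public snapshots shared by other accounts.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed samples in the shape returned by `aws ec2 describe-volumes` and
# `aws ec2 describe-snapshots --owner-ids self` (IDs and dates are made up).
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0123456789abcdef0", "State": "in-use", "Size": 8,
     "Attachments": [{"InstanceId": "i-0a1b2c3d4e5f60001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0123456789abcdef1", "State": "in-use", "Size": 50,
     "Attachments": [{"InstanceId": "i-0a1b2c3d4e5f60002", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0123456789abcdef2", "State": "available", "Size": 20, "Attachments": []},
]})
SAMPLE_SNAPSHOTS = json.dumps({"Snapshots": [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "VolumeId": "vol-0123456789abcdef0",
     "State": "completed", "StartTime": "2020-05-01T00:00:00.000Z"},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa2", "VolumeId": "vol-0123456789abcdef1",
     "State": "completed", "StartTime": "2020-01-15T00:00:00.000Z"},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa3", "VolumeId": "vol-0123456789abcdef1",
     "State": "error", "StartTime": "2020-05-02T00:00:00.000Z"},
]})

AS_OF = datetime(2020, 5, 3, tzinfo=timezone.utc)   # assumed audit date
MAX_SNAPSHOT_AGE = timedelta(days=7)                # assumed backup policy


def parse_aws_time(value):
    """CLI timestamps look like 2020-05-01T00:00:00.000Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_completed_snapshot(snapshots_json):
    """Map volume ID -> StartTime of its newest completed snapshot."""
    latest = {}
    for snap in json.loads(snapshots_json)["Snapshots"]:
        if snap["State"] != "completed":       # errored or pending snapshots are not a backup
            continue
        started = parse_aws_time(snap["StartTime"])
        if snap["VolumeId"] not in latest or started > latest[snap["VolumeId"]]:
            latest[snap["VolumeId"]] = started
    return latest


def unprotected_volumes(volumes_json, snapshots_json, as_of=AS_OF, max_age=MAX_SNAPSHOT_AGE):
    """Return {volume_id: reason} for volumes lacking a completed snapshot newer than max_age."""
    latest = latest_completed_snapshot(snapshots_json)
    findings = {}
    for vol in json.loads(volumes_json)["Volumes"]:
        vid = vol["VolumeId"]
        if vid not in latest:
            findings[vid] = "no completed snapshot"
        elif as_of - latest[vid] > max_age:
            findings[vid] = f"latest snapshot is {(as_of - latest[vid]).days} days old"
    return findings


if __name__ == "__main__":
    for vid, reason in unprotected_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS).items():
        print(f"{vid}: {reason}")
```

A snapshot proves that a backup exists, not that it can be restored; the periodic-testing requirement in the description is evidenced by restore records (for example a volume created from a snapshot and attached to a test instance), which this check does not cover.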

Once sufficient evidence has been gathered and evaluated, the conclusions and recommendations are drawn, in consultation with other auditors and experts and on the basis of the risk assessment, so that they meet the audit objective.

My next blog will cover risk-based auditing and risk assessment.


Bibliography


Amazon Web Services (2015, October). Introduction to Auditing the Use of AWS (AWS Auditing Security Checklist). https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf

ISACA (2020). Glossary. https://www.isaca.org/Pages/Glossary.aspx?tid=1098&char=A

ISACA (2016). Information Systems Auditing: Tools and Techniques. USA: ISACA.

ISACA (2016). CISA Review Manual, 26th Edition. USA: ISACA.
