Copyright 2017-2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
https://www.apache.org/licenses/LICENSE-2.0
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Deploy a compliance-as-code engine to provide insights on the compliance status of AWS accounts and resources in a multi-account environment. In addition of the engine, several sets of Rules (or RuleSets) can be deployed and are customizable depending on your environment.
- Analyze current situation and trends from the compliance account as all data are pushed in a Datalake.
- Use your favorite analytics tool (Amazon QuickSight, Tableau, Splunk, etc.) as the data is formatted to be directly consumable.
- Classify your AWS accounts by sensitivity.
- Adapt the RuleSet to the type of environment of the application: by specifying which RuleSet during the deployment in the application account.
- Store all historical data of all the changes by storing the compliance record in a centralized and durable Amazon S3 bucket.
- Deploy easily in dozens of accounts: by having a 1-step process for any new application account via AWS CloudFormation.
- Protect the code base: by centralizing the code base of all the compliance-as-code rules in a “compliance account”.
- Make use of the AWS Config Rules Dashboard to display the details of compliance status of your AWS resources by setting up Config Aggregator.
- Notify on non-compliant resources by triggering an Amazon SNS topic.
See a demo there: https://youtu.be/VR_4209ewIo?t=40m
The engine for compliance-as-code design has the following key elements:
- Application account(s): AWS account(s) which has a set of requirements in terms of compliance controls. The engine verifies the compliance controls implemented in this account.
- Compliance account: the AWS account which contains the code representing the compliance requirements. It should be a restricted environment. Notification, Historical data storage and reporting are driven from this account.
The set of Rules depends on the parameters you set during the deployment. Three RuleSets are available:
- Security Baseline: Includes best-practices rules ordered by criticity
- PCI Guidance: Gives guidance for achieving the Payment Card Industry Data Security Standard (PCI DSS).
- High-Availability: Focuses on the reliability of your environment
See the details of each RuleSet in the "application-account-rulesets-baseline-pci-guidance-ha-setup.yaml" file.
- Define an AWS Account to be the central location for the engine (Compliance Account).
- Define the AWS Accounts to be verified by the engine (Application Accounts).
- Create a new bucket (ex. compliance-as-code-ruleset-112233445566) and note its name
- Add the content of repository named "compliance-account-rulesets-setup" directly in the S3 bucket (no folder). It is composed of 2 yaml templates and several *.py and *.zip files.
- Execute (in the same region) the CloudFormation template named: compliance-account-setup.yaml
- Note the name of the centralized bucket you selected when launching the above CloudFormation (ex. centralized-config-112233445566)
In Application Account, execute (in the same region) the CloudFormation: application-account-rulesets-baseline-pci-guidance-ha-setup.yaml
Note 1: Depending on your selection for the parameters, the template will deploy diferent rules (see details in the template).
Note 2: You can add the Compliance Account as an Application account. The compliance Account then checks the compliance of itself.
Certain resources may have a business need to not follow a particular rule. You can whitelist a resouce from being NON_COMPLIANT in the datalake, where you can query the compliance data.
To add a resource in the whitelist:
- Update the file compliance-account-rulesets-setup/compliance-whitelist.json (for model, there are dummy examples).
- Ensure that the location of the whitelist is correct in the code of the lambda function named COMPLIANCE_RULESET_LATEST_INSTALLED
The resource will be then be noted as COMPLIANT, and the flag "WhitelistedComplianceType" will be set to "True" for traceability.
Note: the resource will still be shown non-compliant in the AWS console of Config Rules.
Refer to the "datalake-for-compliance-as-code" directory, to add further analytics.
- Create an SNS topic in the Compliance Account.
- Deploy the Initial Deployment of the Compliance Account
- Modify "SecurityEpic7-Compliance_Validation" lambda function code to add the ARN of the SNS topic.
In the Resource section, add the Config rule as a CloudFormation resource (see existing Rules for guidance).
In each Application Account, update the CloudFormation stack.
In the Resource section, add a new stack with the proper configuration (see existing RuleSets).
In the Resource section, add the Config rule (examples provided in the sample RuleSet)
- Upload in the S3 bucket you initialy created (Initial deployment - 1.), the following:
- compliance-account-ruleset-setup.yaml
- rule-code/new-rule.zip
Note: the name of the code file must be the same as the zipped file, except the extension. The name defined in the yaml templates modified in Step 1 and Step 2 must be as well the same
- Update the CloudFormation stack:
- compliance-account-setup.yaml
Update the CloudFormation stack:
- application-account-rulesets-baseline-pci-guidance-ha-setup.yaml