Automating AWS Compliance Monitoring for Continuous Governance

Manual compliance checks are time-consuming, error-prone, and don’t scale. For Australian businesses subject to industry regulations, Privacy Act, or industry-specific regulations, automated compliance monitoring is essential for maintaining continuous governance and demonstrating ongoing compliance.

The Challenge of Manual Compliance

Traditional compliance approaches create problems:

• Point-in-Time Assessment: Compliance status changes constantly
• Manual Effort: Security teams overwhelmed with checking configurations
• Delayed Detection: Issues discovered weeks or months after introduction
• Audit Fatigue: Same checks repeated for every audit
• Inconsistency: Different interpretations of requirements
• Lack of Evidence: Difficulty demonstrating continuous compliance

Benefits of Automated Compliance

Automation transforms compliance from burden to enabler:

Continuous Monitoring: Real-time visibility into compliance status Early Detection: Identify issues immediately when introduced Consistent Evaluation: Same standards applied everywhere Audit Evidence: Automated collection of compliance artifacts Remediation Acceleration: Faster fix cycles with automation Resource Efficiency: Security teams focus on exceptions, not routine checks

AWS Config: Foundation of Compliance

AWS Config provides continuous configuration tracking and compliance evaluation.

What Config Does

Configuration Recording:

• Captures resource configurations
• Tracks changes over time
• Records relationships between resources
• Maintains configuration history

Compliance Evaluation:

• Evaluates against Config Rules
• Provides compliance timeline
• Identifies non-compliant resources
• Supports remediation

Setting Up AWS Config

1. Enable Config in All Accounts and Regions

For multi-account environments, use StackSets:

# config-stackset.yaml
Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleArn: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/ConfigRole

  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: default
      S3BucketName: !Ref ConfigBucket
      SnsTopicARN: !Ref ConfigTopic

  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  ConfigTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: Config Compliance Notifications

2. Centralise Configuration Data

Use Config Aggregator to view compliance across all accounts:

aws configservice put-configuration-aggregator \
  --configuration-aggregator-name organization-aggregator \
  --organization-aggregation-source \
    RoleArn=arn:aws:iam::MANAGEMENT_ACCOUNT_ID:role/AWSConfigRole,\
    AllAwsRegions=true

AWS Config Rules

Config Rules evaluate resource compliance automatically.

AWS Managed Rules (190+):

Common examples:

• s3-bucket-public-read-prohibited
• encrypted-volumes
• rds-encryption-enabled
• iam-password-policy
• mfa-enabled-for-iam-console-access
• vpc-flow-logs-enabled

Custom Rules: Lambda-based rules for specific requirements.

Organizational Config Rules: Deploy across entire AWS Organization:

aws configservice put-organization-config-rule \
  --organization-config-rule-name s3-encryption-required \
  --organization-managed-rule-metadata \
    RuleIdentifier=S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,\
    Description="Ensure all S3 buckets have encryption enabled"

Config Rule Examples

S3 Public Access:

{
  "ConfigRuleName": "s3-bucket-public-read-prohibited",
  "Description": "Checks that S3 buckets do not allow public read access",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  },
  "Scope": {
    "ComplianceResourceTypes": ["AWS::S3::Bucket"]
  }
}

RDS Encryption:

{
  "ConfigRuleName": "rds-encryption-enabled",
  "Description": "Checks that RDS instances are encrypted",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"
  }
}

Custom Rule - Specific KMS Key:

# lambda_function.py
import boto3

def evaluate_compliance(config_item, rule_parameters):
    if config_item['resourceType'] != 'AWS::RDS::DBInstance':
        return 'NOT_APPLICABLE'

    configuration = config_item['configuration']

    if not configuration.get('storageEncrypted'):
        return 'NON_COMPLIANT'

    kms_key_id = configuration.get('kmsKeyId', '')
    required_key = rule_parameters.get('RequiredKmsKey', '')

    if required_key and required_key not in kms_key_id:
        return 'NON_COMPLIANT'

    return 'COMPLIANT'

Automated Remediation

Config can automatically fix non-compliant resources:

RemediationConfiguration:
  ConfigRuleName: s3-bucket-public-read-prohibited
  TargetType: SSM_DOCUMENT
  TargetIdentifier: AWS-PublishSNSNotification
  TargetVersion: '1'
  Parameters:
    AutomationAssumeRole:
      StaticValue:
        Values:
          - arn:aws:iam::123456789012:role/ConfigRemediationRole
    TopicArn:
      StaticValue:
        Values:
          - arn:aws:sns:ap-southeast-2:123456789012:config-remediation
    Message:
      StaticValue:
        Values:
          - 'S3 bucket has public access - remediating'
  Automatic: true
  MaximumAutomaticAttempts: 3
  RetryAttemptSeconds: 60

AWS Security Hub

Security Hub aggregates findings from multiple sources and maps to compliance frameworks.

What Security Hub Provides

Centralised Findings:

• GuardDuty threat detections
• Inspector vulnerability findings
• Macie data discovery
• Config compliance evaluations
• Third-party integrations
• Custom findings

Compliance Standards:

• CIS AWS Foundations Benchmark
• PCI DSS
• AWS Foundational Security Best Practices
• Custom compliance frameworks

Automated Response:

• EventBridge integration
• Lambda-based remediation
• Ticket creation

Enabling Security Hub

1. Enable in Master Account:

aws securityhub enable-security-hub \
  --enable-default-standards \
  --region ap-southeast-2

2. Invite Member Accounts:

aws securityhub create-members \
  --account-details AccountId=123456789012 \
  --region ap-southeast-2

3. Enable Standards:

aws securityhub batch-enable-standards \
  --standards-subscription-requests \
    StandardsArn=arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 \
    StandardsArn=arn:aws:securityhub:ap-southeast-2::standards/aws-foundational-security-best-practices/v/1.0.0

Security Hub Standards

CIS AWS Foundations Benchmark: Industry best practices covering:

• IAM
• Logging
• Monitoring
• Networking

AWS Foundational Security Best Practices: AWS-recommended security controls across all services.

PCI DSS: For organisations processing payment card data.

Custom Compliance Frameworks

Create standards for Australian regulations:

industry regulations Controls:

# custom_compliance_controls.py
import boto3

securityhub = boto3.client('securityhub')

# Define custom compliance control
control = {
    'Id': 'CUSTOM.1.1',
    'Title': 'Information security capability',
    'Description': 'Maintain information security capability commensurate with size and extent of threats',
    'RemediationUrl': 'https://internal.wiki/compliance-requirements',
    'SeverityLabel': 'HIGH',
    'ProductFields': {
        'ComplianceFramework': 'industry regulations',
        'ControlId': '1.1'
    }
}

# Import as custom standard
securityhub.batch_import_findings(
    Findings=[control]
)

Automated Response to Findings

EventBridge Rule:

{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL", "HIGH"]
      },
      "Compliance": {
        "Status": ["FAILED"]
      }
    }
  }
}

Lambda Remediation:

def lambda_handler(event, context):
    for finding in event['detail']['findings']:
        finding_type = finding['Types'][0]
        resource_id = finding['Resources'][0]['Id']

        if 'S3 Bucket' in finding_type and 'Public' in finding_type:
            remediate_public_s3(resource_id)
        elif 'Security Group' in finding_type:
            remediate_security_group(resource_id)

        # Update finding status
        update_finding_status(finding['Id'], 'RESOLVED')

Compliance as Code

Define compliance requirements as code for consistency and version control.

AWS CloudFormation Guard

Policy-as-code evaluation for CloudFormation templates:

# s3-encryption-required.guard
AWS::S3::Bucket {
  Properties {
    BucketEncryption exists
    BucketEncryption {
      ServerSideEncryptionConfiguration exists
      ServerSideEncryptionConfiguration[*] {
        ServerSideEncryptionByDefault {
          SSEAlgorithm in ["AES256", "aws:kms"]
        }
      }
    }
  }
}

Validate templates:

cfn-guard validate \
  --data template.yaml \
  --rules s3-encryption-required.guard

Open Policy Agent (OPA)

For Kubernetes and multi-cloud:

# require_encryption.rego
package aws.s3

deny[msg] {
  resource := input.resource.aws_s3_bucket[name]
  not resource.server_side_encryption_configuration
  msg := sprintf("S3 bucket %v must have encryption enabled", [name])
}

Custom Policy Engine

Build organization-specific policies:

# policy_engine.py
class CompliancePolicy:
    def __init__(self, name, description, check_function):
        self.name = name
        self.description = description
        self.check = check_function

    def evaluate(self, resource):
        result = self.check(resource)
        return {
            'policy': self.name,
            'resource': resource['id'],
            'compliant': result['compliant'],
            'message': result.get('message', '')
        }

# Define policies
def check_encryption(resource):
    if resource['type'] == 's3_bucket':
        return {
            'compliant': resource.get('encryption_enabled', False),
            'message': 'S3 bucket must have encryption enabled'
        }
    return {'compliant': True}

encryption_policy = CompliancePolicy(
    'data-encryption',
    'All data must be encrypted at rest',
    check_encryption
)

Continuous Compliance Pipeline

Integrate compliance into CI/CD:

Pre-Deployment Validation

1. Template Scanning:

# .github/workflows/compliance.yml
name: Compliance Check

on: [push, pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: CFN Guard
        run: |
          cfn-guard validate \
            --data infrastructure/*.yaml \
            --rules policies/*.guard

      - name: Checkov Scan
        run: |
          checkov --directory infrastructure/ \
            --framework cloudformation \
            --output json > checkov-results.json

      - name: Upload Results
        uses: actions/upload-artifact@v2
        with:
          name: compliance-results
          path: checkov-results.json

2. Prevent Non-Compliant Deployments: Use Service Control Policies and Permission Boundaries to enforce compliance.

Post-Deployment Validation

Config Rules trigger immediately on resource creation.

Security Hub aggregates findings within minutes.

Custom Scanners run on schedule or event-driven.

Compliance Reporting

Automated Compliance Reports

# generate_compliance_report.py
import boto3
from datetime import datetime

config = boto3.client('configservice')
securityhub = boto3.client('securityhub')

def generate_report():
    # Get compliance summary from Config
    compliance = config.describe_compliance_by_config_rule()

    # Get Security Hub findings
    findings = securityhub.get_findings(
        Filters={
            'ComplianceStatus': [{'Value': 'FAILED', 'Comparison': 'EQUALS'}]
        }
    )

    report = {
        'generated_at': datetime.now().isoformat(),
        'config_rules': {
            'total': len(compliance['ComplianceByConfigRules']),
            'compliant': sum(1 for r in compliance['ComplianceByConfigRules']
                           if r['Compliance']['ComplianceType'] == 'COMPLIANT'),
            'non_compliant': sum(1 for r in compliance['ComplianceByConfigRules']
                               if r['Compliance']['ComplianceType'] == 'NON_COMPLIANT')
        },
        'security_hub': {
            'critical_findings': len([f for f in findings['Findings']
                                    if f['Severity']['Label'] == 'CRITICAL']),
            'high_findings': len([f for f in findings['Findings']
                                if f['Severity']['Label'] == 'HIGH'])
        }
    }

    return report

# Generate and publish
report = generate_report()
# Send to stakeholders, upload to S3, etc.

Dashboard Visualization

Use QuickSight, Grafana, or custom dashboards to visualize compliance status.

Australian Compliance Frameworks

industry regulations

Key Requirements:

1. Information security capability
2. Clearly defined information security roles
3. Implementation of controls
4. Systematic testing and assurance
5. Incident management

Config Rules for CPS 234:

• CloudTrail enabled (audit)
• MFA enabled (access control)
• Encryption enabled (data protection)
• GuardDuty enabled (threat detection)
• Backup configured (resilience)

Essential Eight

Map Essential Eight to AWS Controls:

Application Control: Lambda execution role restrictions Patch Applications: Systems Manager Patch Manager Configure Macro Settings: Not applicable to AWS infrastructure Application Hardening: Security group restrictions, disabled features Restrict Admin Privileges: IAM least privilege, no root usage Patch Operating Systems: Systems Manager Patch Manager MFA: IAM MFA required Regular Backups: AWS Backup, automated snapshots

Cost Optimisation

Compliance monitoring has costs:

AWS Config:

• $0.003 per configuration item
• $0.001 per Config Rule evaluation
• S3 storage for configuration snapshots

Security Hub:

• $0.0010 per finding ingested per month
• $0.00003 per security check (CIS, FBS)

Optimisation strategies:

• Focus rules on production accounts
• Disable redundant managed rules
• Use organizational rules to reduce costs
• Archive old findings
• Limit scope to critical resources

Implementation Roadmap

Week 1: Foundation

• Enable Config in all accounts
• Set up Config Aggregator
• Enable essential managed rules
• Configure centralised logging

Week 2: Security Hub

• Enable Security Hub
• Configure member accounts
• Enable compliance standards
• Set up finding aggregation

Week 3: Automation

• Implement automated remediation
• Set up EventBridge rules
• Create Lambda remediations
• Test response workflows

Week 4: Reporting

• Build compliance dashboards
• Create automated reports
• Train teams on tools
• Document processes

Conclusion

Automated compliance monitoring transforms compliance from a periodic checkbox exercise into a continuous, embedded practice. For Australian businesses navigating industry regulations, Privacy Act requirements, and industry-specific regulations, automation provides confidence in your security posture and dramatically reduces audit burden.

CloudPoint specialises in implementing automated compliance monitoring tailored to Australian regulatory requirements. We can assess your current compliance processes, design an automation strategy, and implement continuous governance across your AWS environment.

Contact us for a compliance automation consultation and start your journey to continuous governance.

---

Need Help with Compliance Monitoring?

CloudPoint implements automated compliance monitoring as part of security reviews and landing zone implementations. Get in touch to discuss your compliance requirements.

Learn more about our Security Review service →