AWS Audit Manager comes pre-built with a number of frameworks and standards including HIPAA, HITRUST v9.4 (level 1), PCI DSS v3.2.1, and SOC 2. I was really excited to dive into the SOC 2 framework as that's what we specialize in here at ByteChek.
Let's dive into the SOC 2 Framework on AWS Audit Manager:
First things first, you can find SOC 2 under the "Framework Library". Here you can see the other frameworks available and some metadata associated with each framework.
Once you open up "SOC 2", you'll see the below screen that outlines some additional details associated with the SOC 2 framework in AWS Audit Manager:
You can see here that AWS Audit Manager estimates that there are 56 total controls in SOC 2 and this service can automate 21 of these controls. Compare this to a tool like ByteChek, where we estimate automating 42 controls in a SOC 2 examination.
Now once you dive into each control set, you'll see the individual criterion associated with one of the SOC 2 Trust Services Criteria.
When you open a criterion, you'll see the AWS services that would be used to automate its testing, or a note that manual evidence is required. In the screenshot above, AWS indicates that manual evidence will be required for two criteria and the remaining criteria will be automated.
Let's dive into two specific examples here that present challenges:
The first is CC6.2, which states: "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized."
Below is what AWS Audit Manager is using to "automate" the testing of this criterion:
While those Config rules will help address other criteria in the CC6 series, those services and rules are not what an auditor tests for CC6.2. CC6.2 is about access requests and approvals, timely access removal, and periodic access reviews. Some of the services checked by AWS Audit Manager can help administrators perform the relevant controls, but users of this service should expect to provide additional evidence to their auditors beyond these automated checks, such as approved access requests, termination or deprovisioning records, and documented user access reviews.
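To make the gap concrete, here is the kind of evidence a CC6.2 access review actually produces, as an added example that is not part of the original post or of AWS Audit Manager. It reads an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) and flags credentials that are active but have never been used, or have not been used within a review window. The report contents, the 90-day window and the review date are constructed for the example, and the column placeholders (`N/A`, `no_information`, `not_supported`) follow the credential report format.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical review policy: credentials unused for more than 90 days are
# candidates for removal. The review date is pinned so the output is stable.
AS_OF = datetime(2021, 3, 15, tzinfo=timezone.utc)
STALE_DAYS = 90

# Constructed sample report, not data from any real account. A real report
# has the same header names plus further columns this example does not read.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T00:00:00+00:00,true,2021-02-01T00:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-03-02T00:00:00+00:00,true,2021-03-01T00:00:00+00:00,true,true,2021-03-02T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-06-15T00:00:00+00:00,true,2020-09-01T00:00:00+00:00,true,true,2020-10-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-01-05T00:00:00+00:00,false,not_supported,false,true,2021-03-02T00:00:00+00:00,true,N/A
dave,arn:aws:iam::111122223333:user/dave,2021-01-10T00:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""


@dataclass(frozen=True)
class Finding:
    user: str
    credential: str          # "password", "access_key_1" or "access_key_2"
    reason: str              # "never_used" or "stale"
    age_days: Optional[int]  # days since last use; None when never used


def _parse_ts(value: str) -> Optional[datetime]:
    # The report uses these placeholders instead of a timestamp.
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _check(user: str, credential: str, last_used: Optional[datetime],
           as_of: datetime, stale_days: int, findings: List[Finding]) -> None:
    # An active credential that has never been used is a provisioning question
    # (was it needed?); one unused past the window is a removal question.
    if last_used is None:
        findings.append(Finding(user, credential, "never_used", None))
        return
    age = (as_of - last_used).days
    if age > stale_days:
        findings.append(Finding(user, credential, "stale", age))


def review_credential_report(report_csv: str = SAMPLE_REPORT,
                             as_of: datetime = AS_OF,
                             stale_days: int = STALE_DAYS) -> List[Finding]:
    """Return every active credential that fails the review policy."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root is reviewed separately, not as a provisioned user
        if row["password_enabled"] == "true":
            _check(user, "password", _parse_ts(row["password_last_used"]),
                   as_of, stale_days, findings)
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                _check(user, f"access_key_{n}",
                       _parse_ts(row[f"access_key_{n}_last_used_date"]),
                       as_of, stale_days, findings)
    return findings


def users_to_review(findings: List[Finding]) -> List[str]:
    """Distinct users whose access needs a reviewer's decision."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    for f in review_credential_report():
        print(f"{f.user:<10} {f.credential:<13} {f.reason:<10} {f.age_days}")
```

The output is the starting point for the evidence an auditor expects for CC6.2: each flagged user gets a documented decision (keep, with justification, or remove) from the access owner, and the dated review plus the resulting deprovisioning tickets are what gets sampled. A Config rule that checks a setting on each user cannot produce that record by itself.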
Let's look at another example:
The second is CC6.4, which states: "The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives."
This criterion is typically carved out of the SOC 2 report. This means that a subservice organization is responsible for the controls required to successfully address this criterion. For organizations hosted on AWS, this means that AWS is responsible for addressing CC6.4.
The only requirement here for the company undergoing an audit is to review AWS's SOC 2 report to determine that AWS is meeting CC6.4 and the other relevant carved-out criteria, and to document that review. Since AWS Audit Manager is an AWS service, one would assume the SOC 2 report would be readily available for users to download, review, and document their review directly in the platform, right?
AWS Audit Manager instead tells you to navigate to AWS Artifact to download the report. The action plan here is the same as the action plan throughout the SOC 2 framework: blank. The AWS SOC 2 report not being in the dashboard to be easily downloaded and reviewed is a minor gripe. The blank action plan is a significant gap; this information should be displayed for every control area. The idea behind a tool like this should be to give the user the answers outlining how to fix any gaps and what would be expected of the company to address the control.
There are plenty of examples of automated checks being performed that don't address the criterion they are mapped to in the console. This article won't review each criterion in AWS Audit Manager and compare it to what is typically evaluated in a SOC 2 examination. If you're using AWS Audit Manager and want to know what you should expect for each criterion, you can find additional information about each SOC 2 criterion and the evidence you should expect to provide below:
Security Trust Service Category
It is clear that the SOC 2 framework in AWS Audit Manager could use some improvement to better address SOC 2 criteria and evidence requirements. SOC 2 is a framework that offers the benefits of flexibility, adaptability, and quality. With some minor tweaks, AWS Audit Manager could significantly help organizations address SOC 2 criteria and take advantage of that flexibility.
We pride ourselves on being SOC 2 experts at ByteChek. If you're trying to figure out ways to make SOC 2 suck less, reach out to us. If you'd like to learn more about SOC 2, we wrote a 42-page whitepaper outlining everything we know about SOC 2.
Download it here without giving up your email.