Auditors need to stay abreast of the latest updates in the cloud security space. As cloud service providers continuously improve their security services, these updates can help streamline audits and improve the overall security posture of their clients’ environments. A few weeks ago, AWS published a blog post showing how to auto-remediate internet-accessible ports with AWS Config and AWS Systems Manager. This blog post is great for companies and also for auditors to leverage during SOC 2 examinations.
At ByteChek, we talk a lot about how SOC 2 reports should include controls that address cloud security-specific concepts such as publicly accessible S3 buckets or access keys in public code repositories. While most SOC 2 reports do not have these controls, you will find a security group control in most of these reports. Security groups act as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. When launching a new EC2 instance, users must configure security groups before launch.
During your SOC 2 audit, your auditors will examine your security groups when evaluating the CC6.6 criterion, which states, “The entity implements logical access security measures to protect against threats from sources outside its system boundaries.” We covered the typical tests for security groups in our “everything you need to know” article on CC6.0, summarized below:
Typical evidence requests: Screenshots from the AWS Console showing security groups from each applicable region or a txt file dump of all SGs using the ‘describe-security-groups’ command. Suppose you are fortunate enough to have an auditor that understands AWS. In that case, they will ask for your Trusted Advisor report and send follow-up questions after reviewing any SGs that are populated with a RED or YELLOW warning.
With ByteChek, we integrate with AWS and assess all security groups in your AWS account to determine if any security group rules allow unrestricted access (0.0.0.0/0) to specific ports or unrestricted access to a specific resource. Yes, another control that is entirely automated and does not require anything from you except the integration setup with AWS.
The critical point here is that your auditors will ask you to prove that your security groups are not allowing unrestricted access to EC2 instances over sensitive ports such as ports 22, 3389, 1433, 20, 21, etc. This proof will vary depending on your auditor or the technology you are using (*cough cough* ByteChek). One key component of building a successful security program is ensuring that the controls you are putting in place are scalable and not just in place for an audit. Any areas that you can automate the control operation will make things easier for your auditor and ensure that the control passes each audit.
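The check described above, written out as code so the evidence is reproducible rather than a set of screenshots. This is an added example, not code from the ByteChek post or from the AWS blog it references: it parses the JSON shape produced by `aws ec2 describe-security-groups`, flags every ingress rule whose source is the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet and whose port range covers one of the sensitive ports the post names, and builds the `revoke-security-group-ingress` parameters that would remove only the world-open source while leaving any narrower CIDRs in the same rule intact. The sensitive-port list, the sample JSON, and all function names are assumptions of this example; the sample security groups are constructed and do not correspond to any real account.

```python
import json

# Ports the post calls out as sensitive when reachable from 0.0.0.0/0 (assumed list).
SENSITIVE_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh", 1433: "mssql", 3389: "rdp"}

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: trimmed shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},          # HTTPS open: fine
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},  # SSH from one office
         ]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},          # SSH to the world
             {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},        # range hides 3389
         ]},
        {"GroupId": "sg-00000000000000aaa", "GroupName": "legacy-all-open",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
         ]},
    ]
})


def rule_is_world_open(perm):
    """True if the rule's sources include every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def sensitive_ports_in_rule(perm):
    """Sensitive ports covered by the rule's port range.

    IpProtocol "-1" means all traffic: FromPort/ToPort are absent and every
    port is reachable. For ICMP the port fields carry type/code, so those
    rules are skipped by a TCP/UDP port check.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def find_open_sensitive_rules(describe_output_json):
    """One finding per offending rule: (GroupId, exposed sensitive ports, the rule)."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_is_world_open(perm):
                ports = sensitive_ports_in_rule(perm)
                if ports:
                    findings.append((sg["GroupId"], ports, perm))
    return findings


def revoke_request_for(finding):
    """Parameters for revoke-security-group-ingress that drop only the world-open
    sources of the offending rule; any narrower CIDRs in the same rule survive."""
    group_id, _ports, perm = finding
    ip_perm = {"IpProtocol": perm["IpProtocol"]}
    if perm.get("FromPort") is not None:        # absent for all-traffic (-1) rules
        ip_perm["FromPort"] = perm["FromPort"]
        ip_perm["ToPort"] = perm["ToPort"]
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    if v4:
        ip_perm["IpRanges"] = v4
    if v6:
        ip_perm["Ipv6Ranges"] = v6
    return {"GroupId": group_id, "IpPermissions": [ip_perm]}


if __name__ == "__main__":
    for finding in find_open_sensitive_rules(SAMPLE_OUTPUT):
        gid, ports, _ = finding
        names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
        print(f"{gid}: world-open on {names}")
        print("  revoke:", json.dumps(revoke_request_for(finding)))
```

Two things in the sample are easy to miss in a console screenshot and are exactly what an automated check catches: a wide port range (3000-4000) that happens to include 3389, and an all-traffic rule (IpProtocol -1) that has no port fields at all. Checking the IPv6 catch-all alongside 0.0.0.0/0 matters for the same reason; a review that only greps for the IPv4 string will pass a group that is fully open over IPv6.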
What does this update mean for SOC 2 audits?
Whether you are using an automated compliance tool like ByteChek or going through a SOC 2 manually, you should leverage AWS Config and AWS Systems Manager to automatically remediate any security groups that allow unrestricted access. If you’re undergoing a traditional manual audit, auto-remediating non-compliant security groups will dramatically change and reduce the evidence your auditor requests to satisfy this requirement. Instead of being asked to prove security group configurations across multiple regions and accounts, you can share the AWS Config rule and its auto-remediation configuration. Along with eliminating evidence requests, your engineers, systems administrators, or other personnel no longer need to worry about whether or not a developer has opened up another security group. Automating security can help individuals avoid mundane, repetitive tasks and get time back to think critically about and improve their organization’s overall security posture. Similarly, automation helps auditors ensure that their testing goes beyond status quo auditing. A SOC 2 or any other cybersecurity audit should improve the security of your environment.
If you’re an auditor who performs SOC 2 examinations, you should consider this update in your testing of AWS security groups. An auditor that operates as a partner and advisor should be providing continuous updates that will help improve the security posture of their clients' environment irrespective of the timing or current audit. For organizations subject to annual SOC 2 examinations, you should ask your auditor how this update will impact your audit. Ideally, your auditor understands AWS and how these services affect the controls in your SOC 2 examination. If this is not the case, find a new auditor.
It is always great to see the continuous investment in security from AWS. Security groups are the customer’s responsibility under the shared responsibility model. Still, I believe the cloud service provider has a responsibility to make it easier for customers to secure their resources.