
Accelerate APRA compliance coverage in the AWS Cloud with AWS Support

19 minute read
Content level: Intermediate

This article shows how organizations can use AWS Support to accelerate Australian Prudential Regulation Authority (APRA) compliance coverage.

Introduction

Banks, insurance companies, and superannuation funds in Australia must comply with standards set by APRA. APRA’s CPS 234 Information Security is the standard that’s most relevant to technology operations, including cloud adoption. This standard requires APRA-regulated entities to “take measures to be resilient against information security incidents, including cyber-attacks.”

This article is meant to help governing boards, risk and compliance executives, and technology leaders who are responsible for technology strategy development and compliance with APRA CPS 234. This article examines APRA’s approach to technology regulation and explores mechanisms to implement at-scale controls for APRA-regulated AWS customers.

Under the AWS shared responsibility model, AWS is responsible for securing the cloud infrastructure (security 'of' the cloud). Customers must implement security controls for their applications and workloads (security 'in' the cloud). AWS provides resources and artifacts to help customers understand and implement controls to help meet CPS 234 requirements. Customers can also use AWS Support solutions, with their comprehensive security controls and operational excellence features, to help them with their APRA CPS 234 compliance journey.

Understanding APRA’s approach to technology regulation

As a regulator, APRA is technology- and vendor-neutral. This means that APRA has no particular preference – or opposition – to the use of any particular technologies or vendors by their regulated entities. APRA is also open to the use of cloud for all types of systems, including critical systems, such as core banking platforms, insurance underwriting or claims management systems, or payments platforms. APRA’s key expectation is that its regulated entities understand and effectively manage the risks that come from technology usage, including cloud adoption, in their business operations.

CPS 234 is principles-based. This means that APRA describes expected, high-level risk management outcomes, but is not prescriptive about how these outcomes are achieved. For example, APRA might expect entities to maintain appropriate information security skills and capabilities, or to implement controls to protect technology and information assets. There are multiple ways to achieve these outcomes. APRA-regulated customers can decide on their own approach to meet APRA’s principles-based expectations, and that approach can include AWS Support solutions.

To help with understanding and implementing CPS 234, APRA has provided supporting guidance, called CPG 234. CPG 234 provides significant extra detail on the principles outlined in CPS 234. It shares APRA’s views on, and examples of, sound practices that you can use to meet CPS 234 expectations. You can use APRA’s CPG 234 guidance to identify and map individual technical controls in the AWS Cloud to help APRA-regulated entities demonstrate their compliance position against the overarching CPS 234 standard. However, not every element of the CPG 234 guidance maps to a technical control. For example, there aren’t any technical controls that measure whether an APRA-regulated customer has information security policies in place (CPG 234 8.c).

Using AWS services to accelerate your compliance posture in the AWS Cloud

The following table provides a list of specific AWS services that can help you accelerate your compliance posture in the AWS Cloud:

  • AWS Well-Architected Framework (specifically, the Security pillar): Provides guidance to help you apply best practices. It also includes current recommendations in the design, delivery, and maintenance of secure AWS workloads.

  • AWS Artifact: No cost, self-service portal for on-demand access to AWS compliance reports through the AWS Management Console.

  • AWS Audit Manager: Helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards.

  • AWS Security Assurance Services: Experienced AWS auditors, combined with AWS technical depth, help you align with specific regulations and standards. These include DORA, GDPR, CCPA, PCI DSS, ACSC, and more.

  • Amazon GuardDuty: Protects your AWS accounts and workloads with intelligent threat detection and continuous monitoring.

  • AWS Config: Allows you to assess, audit, evaluate, and remediate the configurations of your AWS resources against industry-specific or custom compliance packs.

In AWS Config, AWS mapped a set of 130 technical controls in the AWS Cloud against 48 unique control objectives identified in APRA’s CPG 234 guidance. You can deploy this mapped set, known as the AWS Config APRA CPG 234 Conformance Pack, across your AWS accounts. This set provides a near real-time view of your compliance position against APRA’s CPG 234 guidance, and aligns with the CPS 234 standard.

The AWS Config dashboard provides a collective view of the technical controls in place and displays the following information:

  • The list of rules and associated AWS resources
  • The resource compliance status to the AWS Config rules
  • An overall compliance score

Note: This score is based on the number of rule-to-resource combinations across your accounts. This score isn’t an objective or all-encompassing “APRA compliance” score in the AWS Cloud.

To continuously monitor the compliance posture of AWS resources across all of your accounts and AWS Regions, you can set up the AWS Config Aggregator feature. To remediate a non-compliant resource in an account, you can build, associate, and execute AWS Systems Manager Automation documents.

Certain controls might not be relevant to how an APRA-regulated customer operates in the AWS Cloud. It’s a best practice to prioritize the highest-risk items for remediation and to demonstrate continuous improvement, rather than rely on the score alone.
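The roll-up below is an added example, not AWS code or the AWS Config dashboard's own algorithm. It takes a constructed sample of rule-to-resource evaluations (shaped like the ConfigRuleName, ResourceId and ComplianceType fields AWS Config reports) together with a handful of rule-to-control references copied from Table 1 in the Appendix, and shows why the dashboard score described above is not an APRA compliance score: two non-compliant resources leave the rule-to-resource score at 75%, yet more than half of the mapped CPG 234 references are unmet. The score formula, the met/unmet rule and the "references at risk" remediation ordering are this example's assumptions.

```python
"""Roll-up of AWS Config evaluations against CPG 234 control references.
Added example, not AWS code or the Config dashboard's algorithm; the
rule-to-control references come from Table 1, the evaluations are constructed."""
from collections import defaultdict

# Subset of Table 1: Config rule -> CPG 234 control references it evidences.
CPG234_MAPPING = {
    "iam-user-mfa-enabled": {"36d", "45", "AttachmentC_4", "AttachmentC_7(j)"},
    "root-account-mfa-enabled": {"36d", "44a", "45", "AttachmentC_4",
                                 "AttachmentC_5", "AttachmentC_6", "AttachmentC_7(j)"},
    "s3-bucket-public-read-prohibited": {"36d", "36e", "36f", "45", "52d", "53"},
    "cloudtrail-enabled": {"67", "AttachmentA_1(e)", "AttachmentC_7(h)", "AttachmentC_8"},
    "encrypted-volumes": {"52c", "54", "AttachmentE_1(a)(b)(d)"},
    "vpc-flow-logs-enabled": {"67", "AttachmentA_1(e)", "AttachmentC_7(h)", "AttachmentC_8"},
}

# Constructed sample: (rule, account id, resource id, ComplianceType). The
# ComplianceType strings are AWS Config's real enum; the ids are placeholders.
SAMPLE_EVALUATIONS = [
    ("iam-user-mfa-enabled", "111111111111", "alice", "COMPLIANT"),
    ("iam-user-mfa-enabled", "111111111111", "bob", "COMPLIANT"),
    ("root-account-mfa-enabled", "111111111111", "root", "COMPLIANT"),
    ("s3-bucket-public-read-prohibited", "111111111111", "logs-bucket", "COMPLIANT"),
    ("s3-bucket-public-read-prohibited", "111111111111", "assets-bucket", "NON_COMPLIANT"),
    ("cloudtrail-enabled", "111111111111", "111111111111", "COMPLIANT"),
    ("encrypted-volumes", "111111111111", "vol-0aaa", "COMPLIANT"),
    ("vpc-flow-logs-enabled", "111111111111", "vpc-0abc", "NON_COMPLIANT"),
    ("vpc-flow-logs-enabled", "111111111111", "vpc-0def", "NOT_APPLICABLE"),
]


def compliance_score(evaluations):
    """Dashboard-style score: compliant rule-to-resource combinations as a
    percentage of those with a verdict (dropping NOT_APPLICABLE and
    INSUFFICIENT_DATA is this example's assumption)."""
    scored = [e for e in evaluations if e[3] in ("COMPLIANT", "NON_COMPLIANT")]
    if not scored:
        return 0.0
    return round(100.0 * sum(e[3] == "COMPLIANT" for e in scored) / len(scored), 2)


def control_coverage(evaluations, mapping=CPG234_MAPPING):
    """Each CPG 234 reference is 'met' only if every rule mapped to it is
    compliant on every resource; one failing resource under one rule flips
    every reference that rule evidences to 'unmet'."""
    failing_rules = {e[0] for e in evaluations if e[3] == "NON_COMPLIANT"}
    status = {}
    for rule, controls in mapping.items():
        for control in controls:
            if rule in failing_rules:
                status[control] = "unmet"
            else:
                status.setdefault(control, "met")
    return status


def remediation_priority(evaluations, mapping=CPG234_MAPPING):
    """Non-compliant rules ordered by how many CPG 234 references they leave
    unmet, a simple impact heuristic for choosing what to remediate first.
    Returns (rule, sorted references, affected account/resource ids)."""
    failing = defaultdict(list)
    for rule, account, resource, verdict in evaluations:
        if verdict == "NON_COMPLIANT":
            failing[rule].append(f"{account}/{resource}")
    ranked = sorted(failing, key=lambda r: (-len(mapping.get(r, ())), r))
    return [(r, sorted(mapping.get(r, ())), failing[r]) for r in ranked]


def posture_summary(evaluations, mapping=CPG234_MAPPING):
    """Score beside control coverage, to show how far apart the two can be."""
    coverage = control_coverage(evaluations, mapping)
    unmet = sorted(c for c, s in coverage.items() if s == "unmet")
    return {"score": compliance_score(evaluations), "references": len(coverage),
            "met": len(coverage) - len(unmet), "unmet": unmet}


if __name__ == "__main__":
    print(posture_summary(SAMPLE_EVALUATIONS))  # score 75.0 but only 8 of 18 met
    for rule, refs, resources in remediation_priority(SAMPLE_EVALUATIONS):
        print(f"{rule}: {len(refs)} references at risk on {resources}")
```

Feeding the output of an aggregator query into `SAMPLE_EVALUATIONS` gives the same two views across accounts and Regions; the remediation order is where Systems Manager Automation documents would be attached first.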

Similarly, AWS Audit Manager is designed to streamline the audit readiness of your AWS Cloud environment, from evidence collection to report generation. You can use this service as part of your compliance management solution to automate evidence collection from multiple AWS service data sources. The following are some examples:

To leverage the Audit Manager Sample Framework to set up monitoring and evidence gathering for APRA, associate data sources that map to your specific interpretation of the CPS 234 standards. Audit Manager also supports non-technical controls so that you can centrally manage and export all evidence that proves adherence to APRA for audit purposes.

Additionally, you can use AWS Artifact, a self-service portal in your AWS Management Console, for on-demand access to AWS compliance reports. AWS customers can use AWS Artifact Reports to assess and validate the security and compliance of the AWS infrastructure and services that they use. Customers can submit AWS Artifact documents to auditors or regulators as audit artifacts.

Lastly, you can use AWS Well-Architected best practices (specifically across the Reliability, Security, and Operational Excellence pillars) to reduce your operational risk. At the same time, you also improve the compliance coverage and security in the AWS Cloud.

Leveraging AWS Support to accelerate APRA controls

It takes significant effort to set up the APRA controls, build an operating model, address non-compliance and operational risks, and continuously monitor, remediate, report, and collect evidence. Additionally, many of the people- or process-related controls necessary to achieve APRA CPS 234 compliance can’t be mapped directly to automated, technical controls in AWS services. You can implement the following AWS Support solutions to broaden your capabilities across people and process controls, and accelerate your journey towards APRA CPS 234 compliance.

Using AWS Security Incident Response

To help with multiple information security and operational risk controls, activate AWS Security Incident Response. Use AWS Security Incident Response to prepare for, quickly respond to, and recover from security events in your AWS landscape. AWS Security Incident Response combines the experience of AWS people, processes, and technology to provide the following benefits:

  • 24/7 proactive monitoring
  • Auto-triaging
  • Containment
  • Reporting of security threats or events

The service uses findings received from GuardDuty and third-party detection tools through AWS Security Hub. AWS Security Incident Response adheres to the NIST Cyber Security Framework process to manage and recover from security incidents. The service also provides a comprehensive Technical Guide to help you from “Preparation” through “Recovery” within the NIST Framework. For example, the guide shows you how to conduct tabletop exercises and simulations that replicate potential scenarios, respond rapidly and recover effectively, and engage AWS security experts. Additionally, the service provides detailed post-incident reports that offer a complete summary of case activities, suggested remediation actions, and key metrics to help improve your compliance posture.

Using AMS

To further augment and enhance your APRA controls and security posture, you can use AWS Managed Services (AMS). AMS offers a comprehensive set of proactive, preventative, detective, and hands-on remediation capabilities that address many of the APRA controls without constraining your agility. This support allows you to focus on innovation.

AMS provides controls through automated deployment and remediation of 96 “AMS Accelerate” AWS Config rules. The rules are aligned with major security frameworks (PCI, NIST, HIPAA, and CIS). When you specifically map these AMS Accelerate rules to the 130 unique AWS Config rules in the AWS Config conformance pack for APRA CPG 234, AMS Accelerate covers 85 out of 130 (65.38% coverage) from the start. You can see more information about this coverage in Table 1 of the Appendix.

AMS can also help implement, monitor, report, and remediate the 45 remaining controls on demand. This provides 100% coverage against the AWS defined technical security controls. The combination of built-in and on-demand features includes:

  • Continuous monitoring
  • Automated remediation
  • Compliance reporting capabilities

These features significantly reduce the operational overhead for financial institutions while maintaining robust security controls.

AMS, as a managed service, is compliant with many industry compliance frameworks such as HIPAA, SOC, ISO/IEC 27001:2022, FedRAMP, IRAP, NIST, PCI-DSS, and GDPR (see AWS Compliance). The service comes with proactive AWS infrastructure monitoring, 24/7 incident management, 24/7 security monitoring, and incident remediation (aligned with the NIST 800-61 guide). AMS also includes built-in security and compliance guardrails, patching, backup, logging, and reporting capabilities. These capabilities help you manage operational risks, limit disruptions, and continuously improve security in the AWS Cloud.

When these capabilities are mapped to the non-technical control objectives in the CPS 234 standard, AMS helps customers meet requirements across many key compliance domains. These domains include Information Security Capability, Policy Framework, Information Asset Identification and Classification, Implementation of Controls, Incident Management, Testing Control Effectiveness, Internal Audit, and APRA Notification. For the detailed mapping, see Table 2 in the Appendix.

For Roles and Responsibilities, AMS Security experts augment your security risk and compliance team. However, APRA expects customers to clearly define the information security-related roles and responsibilities of the following:

  • The Board
  • Senior management
  • Governing bodies
  • Individuals responsible for decision-making, approval, oversight, operations, and other information security functions

Summary

To help customers continually assess, monitor, and improve their security and operational resilience posture to meet APRA’s expectations, AWS provides many services, written guidance, and managed support options. These options include AWS services such as AWS Config, Audit Manager, and AWS Detection and Response services. This support also includes AWS Well-Architected Framework, resources, specific APRA-related guidance, and other artifacts.

For people- and process-related controls that require resource augmentation, APRA-regulated entities can use AWS Support solutions such as Security Incident Response or AMS. Beyond providing security controls, AMS also extends control coverage to the operational and organizational aspects that are typically demonstrated through documentation. This coverage includes established procedures, data gathering, governance frameworks, and compliance reporting. This dual capability makes AMS valuable for organizations that want to accelerate their APRA compliance journey, reduce operational risk, and improve their security posture in AWS.

To learn more about the AWS Support solutions available to help you accelerate and maintain your security and operational resilience, contact your AWS Technical Account Manager (TAM), or see AWS Enterprise Support.

Appendix

Table 1: AMS compliance mapping to CPG 234 controls

| CPG 234 control reference(s) | AWS Config rule | Service |
|---|---|---|
| 36d, AttachmentC_4 | access-keys-rotated | AWS Identity and Access Management (IAM) |
| 54, AttachmentE_1(a)(b)(d) | acm-certificate-expiration-check | AWS Certificate Manager (ACM) |
| 54, AttachmentE_1(a)(b)(d) | alb-http-to-https-redirection-check | Application Load Balancer |
| 52c, 54, AttachmentE_1(a)(b)(d) | api-gw-cache-enabled-and-encrypted | Amazon API Gateway |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | api-gw-execution-logging-enabled | API Gateway |
| 36i, 36j | autoscaling-group-elb-healthcheck-required | Elastic Load Balancing |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | cloud-trail-cloud-watch-logs-enabled | AWS CloudTrail |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | cloudtrail-enabled | CloudTrail |
| 52c, 54, AttachmentE_1(a)(b)(d) | cloud-trail-encryption-enabled | CloudTrail |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | cloudtrail-s3-dataevents-enabled | CloudTrail |
| 36i, 36j, 67, AttachmentA_1(e), AttachmentC_7(h) | cloudwatch-alarm-action-check | Amazon CloudWatch |
| 52c, 54, AttachmentE_1(a)(b)(d) | cloudwatch-log-group-encrypted | CloudWatch |
| AttachmentD_1 | codebuild-project-envvar-awscred-check | AWS CodeBuild |
| AttachmentD_1 | codebuild-project-source-repo-url-check | CodeBuild |
| 36l | db-instance-backup-enabled | Amazon Relational Database Service (Amazon RDS) |
| 36d, 36e, 36f, 45, 52d, 53 | dms-replication-not-public | AWS Database Migration Service (DMS) |
| 36l | dynamodb-autoscaling-enabled | Amazon DynamoDB |
| 36l | dynamodb-pitr-enabled | DynamoDB |
| 36i, 36j | dynamodb-throughput-limit-check | DynamoDB |
| 36d, 36e, 36f, 45, 52d, 53 | ebs-snapshot-public-restorable-check | Amazon Elastic Block Store (Amazon EBS) |
| 52c, 54, AttachmentE_1(a)(b)(d) | ec2-ebs-encryption-by-default | Amazon EC2 |
| 36a, 36b, 36h | ec2-instance-managed-by-systems-manager | Amazon EC2 |
| 36d, 36e, 36f, 45, 52d, 53 | ec2-instance-no-public-ip | Amazon EC2 |
| 36a, 36b, 36h, 67 | ec2-managedinstance-association-compliance-status-check | Amazon EC2 |
| 36a, 36b, 36h, 40, 67 | ec2-managedinstance-patch-compliance-status-check | Amazon EC2 |
| 52c, 54, AttachmentE_1(a)(b)(d) | efs-encrypted-check | Amazon Elastic File System (Amazon EFS) |
| 36l | elasticache-redis-cluster-automatic-backup-check | Amazon ElastiCache |
| 52c, 54, AttachmentE_1(a)(b)(d) | elasticsearch-encrypted-at-rest | Amazon OpenSearch Service |
| 36d, 36e, 36f, 45, 52d, 53 | elasticsearch-in-vpc-only | OpenSearch Service |
| 54, AttachmentE_1(a)(b)(d) | elb-acm-certificate-required | ACM |
| 36l, 44b | elb-deletion-protection-enabled | Elastic Load Balancing |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | elb-logging-enabled | Elastic Load Balancing |
| 36d, 45, 47c, AttachmentA_1(b)(h), AttachmentC_4 | emr-kerberos-enabled | Amazon EMR |
| 36d, 36e, 36f, 45, 52d, 53 | emr-master-no-public-ip | EMR |
| 52c, 54, AttachmentE_1(a)(b)(d) | encrypted-volumes | EBS |
| 36g, 36h, 36i, 36j, 39(a)(b)(d), 52e, 67, 68, 73, AttachmentA_1(c), AttachmentA_1(e), AttachmentC_7(h) | guardduty-enabled-centralized | Amazon GuardDuty |
| 36g, 36h, 36j, 39(a)(b)(d) | guardduty-non-archived-findings | GuardDuty |
| 36d, AttachmentC_4, AttachmentC_5 | iam-password-policy | IAM |
| 36c, 36d, 45, 47c, AttachmentA_1(b)(h), AttachmentC_4 | iam-policy-no-statements-with-admin-access | IAM |
| 36d, 44a, 44c, 45, 47c, AttachmentA_1(b)(h), AttachmentC_4, AttachmentC_6, AttachmentC_7(c) | iam-root-access-key-check | IAM |
| 36c, 36d, 45, 47c, AttachmentA_1(b)(h), AttachmentC_4 | iam-user-group-membership-check | IAM |
| 36d, 45, AttachmentC_4, AttachmentC_7(j) | iam-user-mfa-enabled | IAM |
| 36d, 45, 47c, AttachmentC_4, AttachmentC_5 | iam-user-no-policies-check | IAM |
| 36d, 45, AttachmentA_1(b)(h), AttachmentC_4, AttachmentC_7(i) | iam-user-unused-credentials-check | IAM |
| 36c, 36f, 45 | restricted-ssh | Security groups |
| 36d, 36e, 36f, 45, 52d, 53 | ec2-instances-in-vpc | Amazon EC2 |
| 36d, 36e, 36f, 45, 52d, 53 | internet-gateway-authorized-vpc-only | Internet gateway |
| 44c, AttachmentE_4, AttachmentE_1(a)(b)(d) | kms-cmk-not-scheduled-for-deletion | AWS Key Management Service (AWS KMS) |
| 36i | lambda-concurrency-check | AWS Lambda |
| 36i, 36j | lambda-dlq-check | Lambda |
| 36d, 36e, 36f, 45, 52d, 53 | lambda-function-public-access-prohibited | Lambda |
| 36d, 36e, 36f, 45, 52d, 53 | lambda-inside-vpc | Lambda |
| 36d, 45, AttachmentC_4, AttachmentC_5, AttachmentC_7(j) | mfa-enabled-for-iam-console-access | IAM |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | multi-region-cloudtrail-enabled | CloudTrail |
| 36i, 36j | rds-enhanced-monitoring-enabled | RDS |
| 36d, 36e, 36f, 45, 52d, 53 | rds-instance-public-access-check | RDS |
| 36l | rds-multi-az-support | RDS |
| 52c, 54, AttachmentE_1(a)(b)(d) | rds-snapshot-encrypted | RDS |
| 36d, 36e, 36f, 45, 52d, 53 | rds-snapshots-public-prohibited | RDS |
| 52c, 54, AttachmentE_1(a)(b)(d) | rds-storage-encrypted | RDS |
| 52c, 54, 67, AttachmentE_1(a)(b)(d) | redshift-cluster-configuration-check | Amazon Redshift |
| 36b, 36h, 40 | redshift-cluster-maintenancesettings-check | Amazon Redshift |
| 36d, 36e, 36f, 45, 52d, 53 | redshift-cluster-public-access-check | Amazon Redshift |
| 54, AttachmentE_1(a)(b)(d) | redshift-require-tls-ssl | Amazon Redshift |
| 36c, 36f, 45 | restricted-common-ports | Security groups |
| 36d, 44a, 45, AttachmentC_4, AttachmentC_5, AttachmentC_6, AttachmentC_7(j) | root-account-hardware-mfa-enabled | IAM |
| 36d, 44a, 45, AttachmentC_4, AttachmentC_5, AttachmentC_6, AttachmentC_7(j) | root-account-mfa-enabled | IAM |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | s3-bucket-logging-enabled | Amazon S3 |
| 36d, 36e, 36f, 45, 52d, 53 | s3-bucket-public-read-prohibited | Amazon S3 |
| 36d, 36e, 36f, 45, 52d, 53 | s3-bucket-public-write-prohibited | Amazon S3 |
| 36l | s3-bucket-replication-enabled | Amazon S3 |
| 52c, 54, AttachmentE_1(a)(b)(d) | s3-bucket-server-side-encryption-enabled | Amazon S3 |
| 54, AttachmentE_1(a)(b)(d) | s3-bucket-ssl-requests-only | Amazon S3 |
| 44b | s3-bucket-versioning-enabled | Amazon S3 |
| 52c, 54, AttachmentE_1(a)(b)(d) | sagemaker-endpoint-configuration-kms-key-configured | Amazon SageMaker |
| 52c, 54, AttachmentE_1(a)(b)(d) | sagemaker-notebook-instance-kms-key-configured | SageMaker |
| 36d, 36e, 36f, 45, 52d, 53 | sagemaker-notebook-no-direct-internet-access | SageMaker |
| 36e, AttachmentC_4 | secretsmanager-rotation-enabled-check | AWS Secrets Manager |
| 36e, AttachmentC_4 | secretsmanager-scheduled-rotation-success-check | Secrets Manager |
| 36g, 36h, 36i, 36j, 39(a)(b)(d), 52e, 67, 68, 73, AttachmentA_1(c), AttachmentA_1(e), AttachmentC_7(h) | securityhub-enabled | AWS Security Hub |
| 52c, 54, AttachmentE_1(a)(b)(d) | sns-encrypted-kms | Amazon Simple Notification Service (Amazon SNS) |
| 36f, 45 | vpc-default-security-group-closed | Amazon VPC |
| 67, AttachmentA_1(e), AttachmentC_7(h), AttachmentC_8 | vpc-flow-logs-enabled | Amazon VPC |
| 36c, 36f, 45 | vpc-sg-open-only-to-authorized-ports | Amazon VPC |
| 36l | vpc-vpn-2-tunnels-up | Amazon VPC |

Table 2: APRA CPS 234 controls mapping to AMS service features

| APRA CPS 234 reference | Category | Comments (mapping to AMS features) |
|---|---|---|
| 13 | Roles and responsibilities | Customer responsibility. |
| 14 | Roles and responsibilities | Customer responsibility. |
| 15 | Information security capability | Customer responsibility. |
| 16 | Information security capability | AMS has been certified within multiple industry-leading compliance programs that are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 17 | Information security capability | AMS provides 24/7 security monitoring and response, and patch management as a service, to support this requirement. |
| 18 | Policy framework | Customer responsibility. |
| 19 | Policy framework | AMS provides a detailed roles and responsibilities matrix to support customers in meeting this requirement. |
| 20 | Information asset identification and classification | Primarily a customer responsibility. However, AMS monitors Amazon Macie findings 24/7. Amazon Macie is a data security service that uses machine learning (ML) and pattern matching to discover and help protect your sensitive data. Its finding types can help customers meet this requirement. |
| 21 | Implementation of controls | Customer responsibility for the customer side of the shared responsibility model. For the AWS side of the shared responsibility model, AMS design and implementation of controls is tested within multiple industry-leading compliance programs. These programs are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 22 | Implementation of controls | Customer responsibility for the customer side of the shared responsibility model. For the AWS side of the shared responsibility model, AMS design and implementation of controls is tested within multiple industry-leading compliance programs. These programs are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 23 | Incident management | AMS provides 24/7 security monitoring and response to support customers in meeting this requirement. |
| 24 | Incident management | AMS follows a NIST Cyber Security Framework (CSF) oriented incident response plan to support customers in meeting this requirement. |
| 25 | Incident management | The AMS incident response plan can be integrated with customer response plans to support customers in meeting this requirement. |
| 26 | Incident management | AMS conducts Security Game Days regularly with customer teams to support customers in meeting this requirement. |
| 27 | Testing control effectiveness | Customer responsibility for the customer side of the shared responsibility model. For the AWS side of the shared responsibility model, AMS control effectiveness is tested within multiple industry-leading compliance programs. These programs are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 28 | Testing control effectiveness | Customer responsibility for the customer side of the shared responsibility model. For the AWS side of the shared responsibility model, AMS control effectiveness is tested within multiple industry-leading compliance programs. These programs are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 29 | Testing control effectiveness | Customer responsibility. |
| 30 | Testing control effectiveness | Customer responsibility. |
| 31 | Testing control effectiveness | Customer responsibility. |
| 32 | Internal audit | AMS has been certified within multiple industry-leading compliance programs that are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 33 | Internal audit | AMS staff are skilled and certified, and complete mandatory on-the-job training, to support this requirement. |
| 34 | Internal audit | AMS has been certified within multiple industry-leading compliance programs that are validated by third-party independent auditors, such as SOC 2, PCI, ISO, and NIST. These audit reports are available for free on AWS Artifact for customer assessment in support of this requirement. |
| 35 | APRA notification | AMS notifies customers in the event of a material security incident within a defined service level agreement (SLA). Customers can use this as a basis for APRA notifications. |
| 36 | APRA notification | AMS notifies customers in the event of a material security incident within a defined SLA. Customers can use this as a basis for APRA notifications. |

Note: The use of AWS services, such as Audit Manager, sample AWS Config compliance packs, or AWS Support solutions, including others related to compliance standards and industry benchmarks such as CPS 234, is designed to accelerate your compliance with a specific governance standard. These services and solutions don’t replace your internal efforts, and don’t guarantee that you will pass a compliance assessment.

About the authors


Nitin Verma

Nitin is a Principal Solutions Architect who specializes in cloud operations and AWS Support solutions. He helps customers achieve operational excellence in the AWS Cloud. He has over a decade of experience in cloud migration, modernization, and DevSecOps. You can follow him on LinkedIn.


Julian Busic

Julian is a Security Solutions Architect for AWS with a focus on regulatory engagement. He works with our customers, their regulators, and AWS teams to help customers raise the bar on secure cloud adoption and usage. Julian has over 15 years of experience working in risk and technology across the financial services industry in Australia and New Zealand.