When using AWS Audit Manager for ISO27001 Annex A compliance assessment, you're right to consider both effectiveness and cost efficiency.
While AWS documentation recommends enabling all Security Hub standards to ensure comprehensive evidence collection for the ISO/IEC 27001:2013 Annex A framework, this approach has limitations. As you've discovered, enabling all Security Hub standards doesn't automatically enable all the AWS Config rules required for the ISO27001 assessment.
From a cost perspective, your approach to selectively enable only the specific AWS Config rules needed for ISO27001 (as listed in the AuditManager_ConfigDataSourceMappings_ISO-IEC-270012013-Annex-A.zip file) is more efficient than enabling all Security Hub standards. This targeted approach would:
- Ensure all necessary Config rules for ISO27001 evidence collection are enabled
- Avoid unnecessary costs from running irrelevant Security Hub standards and Config rules
- Still provide the specific evidence needed for your ISO27001 assessment
If your primary goal is ISO27001 compliance assessment, enabling just the specific AWS Config rules required for that framework would be more cost-effective while still ensuring comprehensive evidence collection for your ISO27001 audit. AWS Audit Manager will use these Config rules as data source mappings for the automated controls in the framework.
Just be aware that if you later need to assess compliance against other frameworks, you may need to enable additional Config rules or Security Hub standards at that time.
For AWS Audit Manager assessments using ISO/IEC 27001:2013, enabling all Security Hub standards is recommended to ensure comprehensive evidence collection. However, if a compliance standard is already present in Security Hub, using the fully-managed Security Hub service is the easiest way to operationalize it, and AWS Config conformance packs are not needed in this case.
Security Hub's Cloud Security Posture Management (CSPM) controls don't count towards AWS Config managed rules quotas, allowing you to enable security standards even if you've reached the AWS Config quota for managed rules. However, Security Hub CSPM can impact AWS Config configuration recorder costs when controls change compliance state, are enabled/disabled, or have parameter updates.
To optimize costs while maintaining compliance requirements, you can:
- Turn off recording for AWS::Config::ResourceCompliance in AWS Config if you only use the configuration recorder for Security Hub CSPM
- Use AWS Config conformance packs if you want to assemble your own compliance standard with specific security, operational, or cost optimization checks
The controls in the AWS Audit Manager framework aren't intended to verify if systems are compliant with the international standard or guarantee passing an ISO/IEC audit. To ensure comprehensive evidence collection, both AWS Config and Security Hub need to be properly enabled and configured before creating Audit Manager assessments.
AWS Config Conformance Packs provide a way to create and deploy collections of AWS Config rules and remediation actions in a single pack that can be deployed across AWS Organizations. This allows for managing configuration compliance of AWS resources at scale, from policy definition to auditing and aggregated reporting using a common framework and packaging model. For enterprises with multiple AWS accounts managing their AWS infrastructure, Conformance Packs offer an easy way to manage compliance policy definitions across their organization. The packs can include both AWS Config rules and remediation actions, enabling automated compliance checking and correction.
Understood, thanks for the reply. Is there any way to enable all of the required AWS Config rules from the .zip file in a quick and automated way? It has almost 200 rules and that would be too much of an effort to enable all of them manually and one-by-one.
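The selective approach from the first answer, and the bulk enablement the follow-up asks about, scripted as an added example that is not from this thread or from AWS: it reads the managed-rule identifiers out of the mapping CSV and deploys only those not already present. The column name `config_rule_identifier` and the sample rows are assumptions about the CSV inside the mappings zip; the boto3 calls (`describe_config_rules` paginator, `put_config_rule`) are the real ConfigService API.

```python
import csv
import io

# Constructed sample in the ASSUMED shape of the mapping CSV; the real file's
# column names may differ, so point `column` at whichever holds the rule identifier.
SAMPLE_MAPPING_CSV = """control_set,control_name,config_rule_identifier
A.9,User access management,IAM_ROOT_ACCESS_KEY_CHECK
A.9,User access management,MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
A.10,Cryptographic controls,S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
A.12,Logging and monitoring,CLOUD_TRAIL_ENABLED
A.12,Logging and monitoring,MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
"""


def rule_identifiers(csv_text, column="config_rule_identifier"):
    """Unique AWS managed-rule identifiers from the mapping, in first-seen order."""
    seen = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = (row.get(column) or "").strip()
        if ident and ident not in seen:
            seen.append(ident)
    return seen


def config_rule_request(identifier):
    """PutConfigRule payload for one AWS managed rule, named after its identifier."""
    return {"ConfigRuleName": identifier.lower().replace("_", "-"),
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}


def plan_requests(identifiers, already_enabled):
    """Requests for rules whose managed-rule identifier is not yet deployed.

    Matching on SourceIdentifier rather than rule name avoids duplicating (and
    paying twice for) a rule Security Hub already created under another name."""
    return [config_rule_request(i) for i in identifiers if i not in already_enabled]


def enable_rules(csv_text, client=None, dry_run=True):
    """Deploy the missing rules; returns the names that were (or would be) created."""
    if client is None:
        import boto3  # lazy import: the helpers above need no credentials
        client = boto3.client("config")
    deployed = set()
    for page in client.get_paginator("describe_config_rules").paginate():
        for rule in page["ConfigRules"]:
            if rule["Source"]["Owner"] == "AWS":
                deployed.add(rule["Source"]["SourceIdentifier"])
    requests = plan_requests(rule_identifiers(csv_text), deployed)
    for req in requests:
        if not dry_run:
            client.put_config_rule(ConfigRule=req)  # one API call per rule
    return [r["ConfigRuleName"] for r in requests]
```

Run it once with the default `dry_run=True` to review the list, then with `dry_run=False` against the extracted CSV; each deployed rule starts incurring Config rule-evaluation charges from that point.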