Maintaining compliance - Using AWS in the Context of NHS Cloud Security Guidance

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Maintaining compliance

Having achieved compliance with the expected controls for a given risk classification, it is essential to maintain compliance, since changes to workload requirements, operating system patches, changes to configuration, and so on, all give rise to configuration drift away from the ideal established at the implementation stage. Securing a system deployed to the cloud is not a one-off activity; it is an ongoing process. This section describes the approach and the available AWS services to help with this process.

Secure practices

Before considering the tools available to implement secure practices, it is essential to ensure that good security methodology and processes exist and are adhered to within your organization. There is useful advice on what to establish in this regard within the following resources:

AWS CloudFormation drift detection

AWS resources deployed and managed through the CloudFormation service (described in Section 5.1: Configuration and change management in this document) can benefit from a feature called drift detection, which, when requested, identifies configuration changes that have been made to stack resources outside of CloudFormation itself. For more information, see Detecting unmanaged configuration changes to stacks and resources.

AWS Config

Included within the Landing Zone solution, this service tracks configuration settings of AWS resources over time against a desired-state baseline, and raises alerts (and optionally triggers remedial action) when changes are detected.

The service also enables configuration to be audited, in order to demonstrate compliance (or otherwise) against a baseline. See the AWS Config Developer Guide for a detailed description of how to use it.
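As an added example (not from this whitepaper or from AWS), the following Python shows the shape of a custom AWS Config rule that evaluates a configuration item against a desired-state baseline and reports drift; the baseline values, the dot-path convention for configuration keys and the sample volume are constructed assumptions.

```python
import json

# Constructed desired-state baseline (hypothetical values): dot-paths into the
# configuration item's "configuration" document and the value each must hold.
BASELINE = {"encrypted": True, "volumeType": "gp3"}


def lookup(document, dotted_path):
    """Walk a dot-separated path through nested dicts; None if a step is missing."""
    node = document
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate_compliance(item, baseline):
    """Return (ComplianceType, Annotation) for one Config configuration item."""
    # A deleted resource is NOT_APPLICABLE, not NON_COMPLIANT: retiring a volume
    # is not drift and must not raise a false alert.
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    config = item.get("configuration") or {}
    drift = [f"{path}={lookup(config, path)!r}, expected {want!r}"
             for path, want in baseline.items() if lookup(config, path) != want]
    if drift:
        return "NON_COMPLIANT", "Drift from baseline: " + "; ".join(drift)
    return "COMPLIANT", "Matches baseline"


def lambda_handler(event, context):
    """Handler in the shape AWS Config invokes custom Lambda rules with."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    baseline = dict(BASELINE)
    # Rule parameters arrive as strings; decode JSON literals so "true" becomes True.
    for key, value in json.loads(event.get("ruleParameters") or "{}").items():
        try:
            baseline[key] = json.loads(value)
        except ValueError:
            baseline[key] = value
    compliance, annotation = evaluate_compliance(item, baseline)
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]
```

Inside Lambda the returned list is what you hand to the boto3 Config client as `put_evaluations(Evaluations=..., ResultToken=event["resultToken"])`; the remediation the section mentions is then driven from the resulting NON_COMPLIANT finding.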

AWS Systems Manager

To minimise the possibility and impact of unauthorised or erroneous configuration changes being made to the operating systems of Amazon EC2 instances and the applications on them, as well as other AWS resources, use the AWS Systems Manager suite of services.

AWS Security Hub CSPM

This service brings together the variety of security tools available within the AWS environment, providing automated compliance checks and aggregated security findings from disparate security tools in a standardised format. For more information, see AWS Security Hub CSPM.

Third-party tools

A variety of AWS Partners offer tools that complement the capabilities of AWS Config and provide configuration management for the resources in the cloud, such as software running on Amazon EC2 instances. See the Infrastructure Configuration Management Solution Brief for more information.