Auditing Amazon Web Services

As organizations increase adoption of cloud services for running enterprise architecture and applications, auditors are required to step up their game and learn new in-depth audit skills. The previous Total Administrative Services Corporation (TASC) environment consisted of a conglomeration of disparate systems, infrastructure and spaghetti-string network connectivity, leading senior management to discover a better way to conduct business and transform the organization by leveraging cloud technologies. There are valuable insights, education and audit considerations to be gained from examining the cloud transformation, security and compliance journey one organization underwent from May 2017 to May 2018.

There are generalized audit approach considerations organizations can utilize to review operational, security and compliance aspects of their Amazon Web Services (AWS) offering. The generalized audit program presented here incorporates elements of the AWS Center for Internet Security (CIS) Foundation Benchmarks, published audit guidance and developer guides, which can be leveraged or tailored to other organizations' needs when conducting an AWS assessment. The suggested audit topics and guidance are suggestions only; they are in no way a prescriptive set of tests that an organization should perform or is directed to perform. The best place to start is with an overview of some of the general control considerations for AWS.

An important consideration before undertaking an AWS audit is understanding the specific AWS services the organization has purchased; the intended use of these services; the interrelationships between these services; how users, whether internal or external, are accessing the environment; and who is responsible for managing each service on a daily basis.

Documentation useful for auditing these services is available. Developer guides, user guides and white papers are also available; they provide information useful for developing an AWS audit universe and for identifying specific items of risk to consider.
