Cloud Computing
Compliance and Audit in the Cloud
In 2019, Capital One lost the data of 100 million customers. The cause: a misconfigured WAF and excessive IAM permissions. CloudTrail recorded everything - every API call made by the attacker. But nobody had configured alerts. Compliance is not about paperwork. It is about automated control before and after the fact.
- Netflix manages thousands of AWS accounts through a Landing Zone - each team gets an isolated account with guardrails but without bureaucracy
- Airbnb completed a SOC 2 Type II audit in 3 months thanks to a Conformance Pack with ready-made Config Rules mapped to each requirement
- Goldman Sachs uses AWS Control Tower to automatically provision new accounts for every project - from request to a ready environment in 15 minutes
AWS CloudTrail: Every Action on Record
2012. Amazon launches CloudTrail. The idea is simple: every API call in AWS is an event. Who created an EC2 instance, who changed a Security Group, who logged into the console. Everything is written to S3. This became the foundation of cloud compliance.
A CloudTrail event contains: eventTime, userIdentity (who), eventName (what), requestParameters (with which parameters), sourceIPAddress, awsRegion. Each event is a JSON document of roughly 2 KB. A typical production AWS account generates 10-50 GB of CloudTrail logs per day.
Analyzing CloudTrail in production means Athena + S3. A query like 'who deleted an RDS instance in the last 30 days' runs in 3-5 seconds over a petabyte of logs. SIEM systems (Splunk, Elastic Security, Datadog) connect to CloudTrail through Kinesis Firehose for real-time alerting.
Management Events vs Data Events. Management events cover resource creation/deletion and the first copy is free. Data Events (S3 GetObject, PutObject, Lambda Invoke) are paid and generate 100x more data. Enable Data Events only for critical buckets.
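As an added example (not code from the page or from AWS), the alerting step the Capital One story calls for, run over constructed CloudTrail records: it flags calls that disable the trail, RDS instance deletions, and security-group rules opened to the world. Field names follow the CloudTrail record format; the sample values are made up.

```python
import json
from ipaddress import ip_network

# Calls that weaken the audit trail itself: the first thing an alert should cover.
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_EVENTS = [  # constructed records (not from a real account), trimmed to a few fields
    {"eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "DeleteDBInstance", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "skipFinalSnapshot": True}},
    {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_EVENTS})  # S3 log objects wrap records this way

def load_records(text):
    return json.loads(text)["Records"]

def actor(event):
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def world_open_ingress(params):
    """True if any IPv4/IPv6 range in a SG ingress request is 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr and ip_network(cidr, strict=False).prefixlen == 0:
                return True
    return False

def detect(events):
    """Return (rule, eventName, actor, sourceIP, target) tuples for flagged events."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName", ""), ev.get("requestParameters") or {}
        who, src = actor(ev), ev.get("sourceIPAddress", "?")
        if name in AUDIT_TAMPERING:
            findings.append(("audit-tampering", name, who, src, params.get("name")))
        elif name == "DeleteDBInstance":
            findings.append(("rds-deleted", name, who, src, params.get("dBInstanceIdentifier")))
        elif name == "AuthorizeSecurityGroupIngress" and world_open_ingress(params):
            findings.append(("sg-open-to-world", name, who, src, params.get("groupId")))
    return findings
```

In production the same logic runs as an Athena query or a SIEM rule fed by Kinesis Firehose; the functions here are the rule content, not the delivery pipeline.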
CloudTrail writes events to...
AWS Config: Configuration Drift Under Control
CloudTrail answers 'who did this'. AWS Config answers 'what changed and does it comply with the rules'. Config continuously records the state of every AWS resource and evaluates it against managed or custom rules.
A Config Rule is a Lambda function or a managed check. Managed rules are written by AWS: encrypted-volumes, s3-bucket-public-read-prohibited, rds-instance-deletion-protection-enabled. More than 200 managed rules available out of the box. Custom rules are written in Python/Node.js and can enforce any business logic.
Config Timeline is a chronological history of every change to a resource since recording began. Every Security Group modification, every AMI swap in a Launch Template, every tag update is visible. For a compliance auditor this is invaluable: any resource's state can be reconstructed at any point in time over the past 90 days (by default).
Conformance Pack - a bundle of Config Rules and remediation actions packaged in YAML. AWS publishes ready-made packs for SOC2, PCI-DSS, HIPAA, and NIST. Deployed with a single command across all accounts through AWS Organizations.
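An added example of the custom-rule side described above, not AWS-supplied code: a Python Config rule handler that marks an EBS volume non-compliant when it is unencrypted, together with a constructed invocation event in the shape Config sends on a configuration change. The volume id, key ARN and result token are placeholders.

```python
import json

def evaluate_volume(item):
    """Compliance decision for one AWS::EC2::Volume configuration item."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule evaluates EBS volumes only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "volume no longer exists"
    cfg = item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        return "COMPLIANT", "volume encrypted with %s" % cfg.get("kmsKeyId", "AWS managed key")
    return "NON_COMPLIANT", "EBS volume is not encrypted at rest"

def lambda_handler(event, context=None):
    """Custom-rule entry point; returns the put_evaluations payload it would send."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_volume(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps Annotation at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Inside Lambda the next step is:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"ResultToken": event["resultToken"], "Evaluations": [evaluation]}

def sample_event(encrypted, status="OK"):
    """Constructed invocation event in the shape Config sends on a configuration change."""
    item = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0abc123def456",  # placeholder id
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "configuration": {"encrypted": encrypted,
                              "kmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER" if encrypted else None}}
    invoking = {"messageType": "ConfigurationItemChangeNotification", "configurationItem": item}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}", "resultToken": "constructed-token"}
```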
How does AWS Config differ from CloudTrail?
Guardrails: Preventive vs Detective Controls
A guardrail is a security policy applied to an organization or an OU (Organizational Unit). Two types: preventive (block an action before it happens) and detective (detect a violation after the fact).
Service Control Policies (SCP) are preventive guardrails at the AWS Organizations level. SCPs do not grant permissions - they restrict the maximum permissions possible within an account. Even the root user in an account cannot bypass an SCP from a parent OU. Examples: deny leaving a region, deny disabling CloudTrail, deny public AMIs.
Auto-remediation via Systems Manager Automation: when a Config Rule finds a violation, it triggers an SSM Document. Example: an unencrypted EBS volume is detected - automatically create an encrypted snapshot and replace the volume. No human involvement, but with a Slack notification.
Service Control Policies (SCP) act as...
Landing Zone: Multi-Account Structure
A Landing Zone is an architectural pattern for enterprise AWS. Not a single account, but a hierarchy: Management Account -> Security OU -> Production OU -> Dev OU. Each workload runs in its own account - isolation at the billing, network blast radius, and IAM level.
AWS Control Tower is a managed service for automating a Landing Zone. It deploys the account structure, configures CloudTrail, Config, and guardrails in hours instead of weeks of manual work. 65+ preventive and 25+ detective guardrails included out of the box.
Security Hub is the central compliance dashboard. It aggregates findings from GuardDuty (threat detection), Macie (sensitive data), Inspector (vulnerability scanning), and Config (compliance). One dashboard, all accounts. Integrates with Jira and PagerDuty for ticketing.
Myth: A single AWS account with correct IAM policies is sufficient for enterprise compliance
Reality: Multi-account isolation is the AWS Well-Architected standard and a requirement of most compliance frameworks
In a single account, an IAM policy mistake or account compromise exposes everything. Separate accounts isolate blast radius: an incident in dev does not touch production, billing is split, networks do not intersect without explicit configuration
Why is the Log Archive Account kept separate from Production?
Related Topics
Compliance integrates with IAM, monitoring, and architectural frameworks:
- Well-Architected Framework — Security is one of the five pillars of the Well-Architected Framework
- Observability — Audit is the compliance-specific dimension of observability
Key Ideas
- CloudTrail - API audit log, who did what. Athena for analysis, SIEM for real-time alerting
- AWS Config - resource state and compliance rules. 200+ managed rules for standard requirements
- Guardrails: SCP (preventive, before the action) + Config Rules (detective, after the fact) + auto-remediation
- Landing Zone: multi-account structure with separate Log Archive and Security Tooling accounts
Questions for Reflection
- How do you choose between a preventive and a detective guardrail for a specific requirement?
- When is auto-remediation dangerous and is it better to stop at alerting?
- How do you enforce compliance in Sandbox accounts without blocking developer experimentation?
Related Lessons
- cloud-14 — IAM and policies are the foundation of compliance
- cloud-16 — Well-Architected Framework includes the Security pillar
- devops-16 — Prometheus/Grafana monitoring complements compliance controls
- bt-26-observability — Application observability follows the same audit trail principle
- devops-13