ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Building an Audit Program for AWS

Building an Audit Program for AWS

Adam Kohnke, CISA, CCNA:Security, ITIL v3, Security+
| Published: 4/29/2019 3:06 PM | Category: Audit-Assurance | Permalink | Email this Post | Comments (0)

Adam KohnkeWhen I produced my auditing Amazon Web Services (AWS) Journal article for volume 3, I was just wrapping up my very first audit against an AWS environment. During the planning stages of my audit engagements, I do as much research as possible to determine how the in-scope technology works, how to find the configurations and if others before me have documented their findings on key risk factors, controls and areas that I can leverage as I complete audit planning. Sadly, AWS had the most readily available documentation that discussed how to go about performing a basic audit of their products and what to focus on, but nothing further existed, at least as far as my Internet searches led me.

As it was difficult to readily find one and there was not unlimited time to locate a previously documented audit program for AWS, one had to be developed from scratch. The backbone of the audit program and the article was inspired by the specific areas in the AWS Auditing Security Checklist (Governance, Network Configuration, etc.). When it came to selection of and discussing the particular controls to focus on in the article and audit program, there was the glaring challenge of not everyone using AWS in the same way or using the same services like Cognito or Glacier, so the focus of both the article and audit program were kept as basic as possible and around its core services, including S3, IAM, etc.

As I further produced the article, I wanted to very briefly touch on what I felt were the fundamental pieces of information for a given focus area and then elaborate on any tricky items that could be easily overlooked and why that is important. A prime example is the IAM root account. Without doing some research or if questions are not asked in a certain way, auditors may be unaware of this superuser account existing and the limitations that presently exist to secure it.

Find the companion to my Journal article, the AWS Audit Program, on the ISACA website.

Read Adam Kohnke’s recent Journal article:
Auditing Amazon Web Services,” ISACA Journal, volume 3, 2019.


There are no comments yet for this post.