Policies for resource management To ensure that cloud resources (particularly when using IaaS and PaaS services) align with operational and security policies, it’s often necessary to leverage technical policies to enforce these within a cloud environment. These technical policies allow organizations to configure a technical template of standards that the cloud resources are either configured […]
Performing changes – Financial Resource and Change Management Controls
Performing changes Beyond using policies and tags to control compliant management of resources, these same features, along with others, may be used to restrict changes. Each of the cloud providers offers a way of grouping resources together for ease of classification. Both at a group and individual level, settings can be applied to lock the […]
Change history – Financial Resource and Change Management Controls
Change history As an auditor, one method that may be used to correlate processes and procedures that mitigate risk is to review activity logs. In cloud environments, these logs may be made up of separate sign-in and event logs that are capturing change history and actions performed by user accounts, service accounts, or workload identities. […]
Financial billing and cost controls – Financial Resource and Change Management Controls
Financial billing and cost controls In a cloud environment, setting up services can be as easy as providing a credit card number. Although this provides the benefit of making cloud services easy to enable and consume, this also adds risk in terms of business continuity (what if the credit card holder leaves the company?), as […]
Common pitfalls – Tips and Techniques for Advanced Auditing
Common pitfalls With the scale, speed, and flexibility of the cloud comes complexity. This complexity leads to inherent pitfalls. We will review two broad areas that are common pitfalls for organizations that the IT auditor should be aware of. The first area involves administrative pitfalls that include not managing resource usage, an inability to control […]
Example resource management controls – Financial Resource and Change Management Controls
Example resource management controls As mentioned in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, several frameworks can be used as guidelines for a list of applicable controls and test procedures when defining the scope of your audit. As a reference for this chapter, we’ll highlight a few example controls from the Center […]
Avoiding automation – Tips and Techniques for Advanced Auditing
Avoiding automation Many organizations execute processes in the cloud manually, including installation processes, configuring virtual servers, setting up a network, storage volumes, or other cloud resources. Manual processes are time-consuming, error-prone, and hard to scale. Automation encompasses solutions and tools that help eliminate repetitive aspects managed by one or more manual processes in the cloud. […]
Overly permissive access – Tips and Techniques for Advanced Auditing
Overly permissive access Cloud environments usually include both human and non-human identities. Cloud environments are often created with overly broad permissions that allow unregulated access to cloud resources. Threat actors who have managed to get initial entry into a cloud environment might be able to leverage these broad permissions to escalate access and move laterally […]
Overly permissive access 2 – Tips and Techniques for Advanced Auditing
To get a snapshot of the AWS security posture, we can use AWS Security Hub. According to the AWS documentation, “AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.” To use AWS Security Hub, we first have to enable the service. We […]
AWS Trusted Advisor – Tips and Techniques for Advanced Auditing
AWS Trusted Advisor AWS Trusted Advisor provides real-time best practice guidance to help provision, monitor, and maintain AWS resources. You can then follow AWS Trusted Advisor recommendations to optimize your services and resources. These best practice recommendations span five categories: To launch AWS Trusted Advisor, search for the service in the AWS console, as seen […]