Automate compliance for critical infrastructure services.

AWS

Services Automated

  • IAM
  • RDS
  • EC2

Automate Asset Inventories

By syncing with AWS, you'll keep your "Storage", "Compute", "Applications", "Service Accounts", and "Groups" up-to-date in Comply.

Automate asset-based procedures

Tickets can automatically trigger whenever there are new assets detected - for example, Comply can automatically trigger your vulnerability scan procedure whenever a new database is detected in AWS.

Automate evidence collection

Comply will scan your various services such as IAM, EC2, and RDS to ensure that a wide range of security measures are correctly implemented. See the Automations section for the full list.

Automate issue detection

When a Comply scan identifies something that goes against common security practices, the Automation will create an issue. These issues can be automatically tracked and have reminders to help expedite remediation.

Automate remediation

When an issue is automatically identified and logged in Comply, the resolution of that issue is automated by re-syncing. Simply fix the issue at the source, and when the assets are synced to Comply again the issue will be resolved and removed.

Automations

Database Backups Enabled

Checks whether database backups are enabled on RDS instances.

Multi-factor Authentication

Checks whether MFA is enabled for IAM users with access to the AWS console.

Password Policy

Checks whether the account password policy for IAM users meets the following requirements: upper case letters, lower case letters, numbers, and symbols are required; the minimum password length is 14; and a maximum password age and a password reuse prevention value are both defined.

Database Encryption

Checks whether data encryption is enabled on RDS database instances.

Database In Transit Encryption

Checks whether the RDS instance has a valid SSL/TLS certificate associated with it.

Database Key Age

Checks whether the KMS key used by the RDS instance is less than 3 years old.

Database Key Rotation

Checks whether automatic key rotation is enabled for the RDS key in KMS (automatic key rotation is disabled by default in KMS for customer managed CMKs; AWS managed CMKs are permanently set to rotate every 3 years).

Database Key Status

Checks whether 1) a Customer Master Key (CMK) exists in AWS KMS for the RDS instance and 2) whether the key is enabled if using customer managed CMKs (AWS managed CMKs are permanently enabled).

Database Replica

Checks whether the RDS instance has a read replica associated with it.

Hardware Isolation

Checks whether the EC2 instance is running on single-tenant (dedicated) hardware.

In Transit Encryption

Checks whether an SSL/TLS server certificate from AWS Certificate Manager is attached to the EC2 instance's Elastic Load Balancer (ELB).

Ingress Config

Checks whether ingress access to the EC2 instance is limited through the use of security groups and a specified range of IP addresses.

SSH Port

Checks whether an EC2 instance has SSH enabled on port 22.

Trusted Certificate

Checks whether the SSL/TLS server certificate attached to the EC2’s ELB is issued by a certificate authority (CA).
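The Password Policy and Multi-factor Authentication automations above describe what is checked but not how. The following Python script is an added example, not Aptible's or Comply's own code, showing how those two checks can be evaluated against the fields IAM returns. The field names are those of the IAM GetAccountPasswordPolicy API; the thresholds are the ones stated above; the sample policies and user records are constructed; and `collect_from_aws` assumes boto3 is installed with credentials available through its usual provider chain.

```python
"""Evaluate an AWS IAM password policy and console-user MFA status against
the criteria described by the Password Policy and MFA automations.

Field names match the "PasswordPolicy" document returned by IAM's
GetAccountPasswordPolicy API; thresholds are the ones stated on the page.
"""
from typing import Any, Dict, List, Optional

REQUIRED_MIN_LENGTH = 14  # minimum password length stated on the page

# Constructed sample data (not taken from any real account).
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    # MaxPasswordAge and PasswordReusePrevention absent: no expiry, no reuse limit
}
SAMPLE_USERS = [
    {"UserName": "alice", "HasConsoleAccess": True, "MfaDevices": 1},
    {"UserName": "bob", "HasConsoleAccess": True, "MfaDevices": 0},
    {"UserName": "ci-deploy", "HasConsoleAccess": False, "MfaDevices": 0},  # API-only
]


def evaluate_password_policy(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Return a list of findings; an empty list means every criterion is met.

    `policy` is None when the account has no custom policy, in which case IAM
    raises NoSuchEntityException and the AWS defaults apply.
    """
    if policy is None:
        return ["no account password policy is defined (AWS defaults apply)"]
    findings: List[str] = []
    character_rules = [
        ("RequireUppercaseCharacters", "upper case characters are not required"),
        ("RequireLowercaseCharacters", "lower case characters are not required"),
        ("RequireNumbers", "numbers are not required"),
        ("RequireSymbols", "symbols are not required"),
    ]
    for field, finding in character_rules:
        if not policy.get(field, False):
            findings.append(finding)
    length = policy.get("MinimumPasswordLength", 0)
    if length < REQUIRED_MIN_LENGTH:
        findings.append(f"minimum length is {length}, required {REQUIRED_MIN_LENGTH}")
    # These two keys are only present when a value has been set; absence means
    # passwords never expire or reuse is not limited.
    if not policy.get("MaxPasswordAge"):
        findings.append("no maximum password age is defined")
    if not policy.get("PasswordReusePrevention"):
        findings.append("no password reuse prevention value is defined")
    return findings


def users_missing_mfa(users: List[Dict[str, Any]]) -> List[str]:
    """Names of users who can sign in to the console but have no MFA device.

    Users without a login profile (API-only access) are out of scope, matching
    the automation's "users with access to the AWS console" wording.
    """
    return [u["UserName"] for u in users
            if u["HasConsoleAccess"] and u["MfaDevices"] == 0]


def collect_from_aws():
    """Pull the same inputs from a live account (assumes boto3 and configured
    credentials; not exercised offline)."""
    import boto3  # imported lazily so the evaluation above works without it
    iam = boto3.client("iam")
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            try:
                iam.get_login_profile(UserName=name)  # raises if no console password
                console = True
            except iam.exceptions.NoSuchEntityException:
                console = False
            mfa_count = len(iam.list_mfa_devices(UserName=name)["MFADevices"])
            users.append({"UserName": name, "HasConsoleAccess": console,
                          "MfaDevices": mfa_count})
    return policy, users


if __name__ == "__main__":
    for label, policy in [("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY), ("none", None)]:
        print(label, evaluate_password_policy(policy) or ["ok"])
    print("console users without MFA:", users_missing_mfa(SAMPLE_USERS))
```

Running the script offline evaluates the constructed samples; swapping in `collect_from_aws()` feeds the same two functions with live data. Treating an absent `MaxPasswordAge` or `PasswordReusePrevention` as a finding is the point worth noting: IAM omits those keys rather than returning zero when no value has been set.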

How to use Aptible and AWS

  • Automatically delegate vulnerability scans and other critical security and compliance tasks to relevant asset owners as storage, compute, application, and account statuses change.
  • Keep your asset inventory up to date with real-time updates as you add storage, compute, applications, service accounts, and groups.
  • Tag assets coming into Comply to create automations and exceptions based on the tag categorization.
  • Automatically match user access grants to authorizations during user access control reviews.
  • Automatically collect evidence and get notifications of changes in security settings on your services that put them at odds with your policies.
  • Automatically identify issues with your AWS services and initiate workflows to remediate the problems.

Assets synced

  • Storage
  • Compute
  • Service Accounts
  • Groups

Domains Automated

  • Identity & Access Management
  • Encryption and Key Management

Frameworks Automated

  • ISO 27001:2013
  • SOC 2
  • HIPAA

Requirements Automated

  • A.9.2.4 (ISO 27001:2013), Management of secret authentication information of users: The allocation of secret authentication information shall be controlled through a formal management process.
  • A.9.3.1 (ISO 27001:2013), Use of secret authentication information: Users shall be required to follow the organization's practices in the use of secret authentication information.
  • A.9.4.2 (ISO 27001:2013), Secure log-on procedures: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
  • A.10.1.1 (ISO 27001:2013), Policy on the use of cryptographic controls: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
  • A.10.1.2 (ISO 27001:2013), Key management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
  • A.12.3.1 (ISO 27001:2013), Information backup: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
  • A.13.1.1 (ISO 27001:2013), Network controls: Networks shall be managed and controlled to protect information in systems and applications.
  • A.13.1.2 (ISO 27001:2013), Security of network services: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
  • A.13.1.3 (ISO 27001:2013), Segregation in networks: Groups of information services, users and information systems shall be segregated on networks.
  • A1.2 (SOC 2), Additional Criteria for Availability: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • CC6.1 (SOC 2), Logical and Physical Access Controls: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
  • CC6.7 (SOC 2), Logical and Physical Access Controls: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
  • CC7.1 (SOC 2), System Operations: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
  • 164.308(a)(5)(ii)(D) (HIPAA), Password Management (A): Implement procedures for creating, changing, and safeguarding passwords.
  • 164.308(a)(7)(ii)(A) (HIPAA), Data Backup Plan (R): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  • 164.310(d)(2)(iv) (HIPAA), Data Backup and Storage (A): Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  • 164.312(a)(2)(iv) (HIPAA), Encryption and Decryption (A): Implement a mechanism to encrypt and decrypt electronic protected health information.
  • 164.312(d) (HIPAA), Standard: Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  • 164.312(e)(2)(i) (HIPAA), Integrity Controls (A): Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • 164.312(e)(2)(ii) (HIPAA), Encryption (A): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Integration scopes

  • Read: People
  • Read: Groups
  • Read: Compute
  • Read: Storage
  • Permission: Role-based IAM user