Introduction
AWS generates a significant amount of data and logs that clients often retrieve manually for their audits. Manually configuring AWS and its many services to gather the right compliance evidence for each control is time-consuming and prone to errors. That's where the Complyance AWS integration comes in.
Complyance integrates with a huge number of AWS resources (S3, CloudTrail, GuardDuty, Inspector, IAM and many more) to provide real-time continuous monitoring and automated evidence collection. The integration automates evidence collection by pulling the latest logs, configurations, and reports directly from AWS services. This process runs automatically and ensures evidence is refreshed before it expires, reducing manual effort and improving audit readiness.
Configuration
Step 1: Create a role
Create an IAM role in the AWS account that can be assumed by the Complyance AWS integration account. Use the following trust relationship policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::529088279688:root"
      }
    }
  ]
}
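As an added check that is not part of the Complyance documentation or its code: the script below parses the trust policy from Step 1 and verifies that it trusts only the Complyance account shown above and grants only sts:AssumeRole, and it warns when the statement has no sts:ExternalId condition. Whether Complyance supports an external ID is an assumption of this example and should be confirmed with your implementation lead.

```python
import json

# Constructed copy of the Step 1 trust policy; the account ID is the one shown on this page.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::529088279688:root"},
    }],
})
EXPECTED_ACCOUNT = "529088279688"


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(principal):
    """Flatten the Principal element ("*" or {"AWS": str|list, ...}) to a list of strings."""
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def review_trust_policy(policy_json, expected_account=EXPECTED_ACCOUNT):
    """Return findings for Allow statements; an empty list means nothing to raise."""
    allowed = {f"arn:aws:iam::{expected_account}:root", expected_account}
    findings = []
    for n, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement")), 1):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"statement {n}: unexpected action {action!r}")
        for principal in _principals(stmt.get("Principal")):
            if principal not in allowed:
                findings.append(f"statement {n}: unexpected principal {principal!r}")
        # Trusting ":root" means any principal in that account with an allow on
        # sts:AssumeRole can assume the role; an ExternalId condition narrows that
        # (assumed here to be supported by the integration; confirm before relying on it).
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {n}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for finding in review_trust_policy(TRUST_POLICY) or ["no findings"]:
        print(finding)
```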
Step 2: Update permissions
When enabling a new AWS integration service, update the role's permissions to include any additional policies required for data collection.
- Click into the new role you’ve created
- Go to the permissions tab and add a new permission for each of the services we’re setting up.
- Your Complyance implementation lead will share the relevant permissions for each of the checks required within the AWS resources.
Step 3: Share with Complyance
Securely share the following information with your Complyance point of contact:
- Applicable region(s)
- Role ARN
Step 4: Agree which pre-built and custom checks you need
We have pre-built connectors with major providers and the services that sit underneath them. Leveraging these connectors, we offer a number of off-the-shelf checks to continuously monitor compliance. We also frequently build configured and custom checks tailored to our clients; please reach out to your implementation lead if you need a specific check.