
Compliance Frameworks

The GovTech Multicloud Platform is designed to meet government-grade security and compliance requirements:

CIS AWS Foundations

v1.4.0 Benchmark: Best practices for AWS security configuration

AWS Best Practices

Foundational Security: Continuous monitoring of AWS security controls

FISMA Ready

Federal Requirements: Government-grade security controls for US agencies

FedRAMP Ready

Cloud Authorization: Cloud service provider security assessment framework

AWS Security Hub

Security Hub provides a centralized dashboard for all security findings:

Enabled Standards

Automated Checks:
  • Password policy requirements (min 14 characters, complexity)
  • MFA enabled for all users
  • Root account MFA enabled
  • No root account access keys
  • Access keys rotated every 90 days
  • Unused credentials removed within 90 days
  • IAM policies attached to groups, not users
  • CloudTrail enabled in all regions
  • CloudTrail log file validation enabled
  • S3 bucket access logging enabled
  • CloudWatch log metric filters for security events
  • VPC Flow Logs enabled
  • AWS Config enabled
  • Default security groups block all traffic
  • Security groups don’t allow 0.0.0.0/0 ingress
  • VPCs have route tables properly configured
  • No unused network ACLs or security groups
  • EBS volumes encrypted
  • RDS instances encrypted at rest
  • S3 buckets not publicly accessible
  • S3 bucket versioning enabled
  • KMS key rotation enabled

Viewing Security Hub Findings

# Get critical severity findings
aws securityhub get-findings \
  --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}' \
  --query 'Findings[*].{Title:Title,Severity:Severity.Label,Status:Compliance.Status}' \
  --output table

# Get failed control checks from the enabled standards
aws securityhub get-findings \
  --filters '{"ProductName": [{"Value": "Security Hub", "Comparison": "EQUALS"}], "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}]}' \
  --query 'Findings[*].{Title:Title,Resource:Resources[0].Id,Status:Compliance.Status}' \
  --output table

# Get compliance score (the per-rule summary comes from AWS Config, which evaluates the Security Hub controls)
aws configservice get-compliance-summary-by-config-rule

CloudTrail Auditing

CloudTrail records every API call made in the AWS account for complete audit trails:

What CloudTrail Logs

User and Role Activity:
{
  "eventName": "AssumeRole",
  "userIdentity": {
    "type": "IAMUser",
    "userName": "govtech-admin"
  },
  "sourceIPAddress": "203.0.113.12",
  "eventTime": "2026-03-03T14:23:45Z",
  "requestParameters": {
    "roleArn": "arn:aws:iam::835960996869:role/govtech-eks-admin"
  }
}
Tracked Actions:
  • User login attempts
  • Role assumptions
  • Access key creation/deletion
  • Policy changes
  • MFA device changes

Common Audit Queries

# View all actions by a specific user
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=govtech-admin \
  --start-time 2026-03-01 \
  --end-time 2026-03-03 \
  --query 'Events[*].{Time:EventTime,Event:EventName,User:Username,IP:SourceIPAddress}' \
  --output table

GuardDuty Threat Detection

GuardDuty uses machine learning and threat intelligence to detect threats in near real time:

Threat Categories

Backdoor Activity:
  • Pod communicating with known botnet IPs
  • Outbound traffic to cryptocurrency mining pools
  • DNS queries to malicious domains
Example Finding:
Finding Type: Backdoor:EC2/C&CActivity.B!DNS
Severity: High
Description: EC2 instance is querying a domain name associated with 
             a known command and control server.
Resource: i-0abcdef1234567890
Action: DNS request to malicious-domain.com from 10.0.1.45
Suspicious Access:
  • AWS credentials used from unusual location
  • API calls from Tor exit nodes
  • Multiple failed login attempts
  • Access keys used from multiple IP addresses simultaneously
Example Finding:
Finding Type: UnauthorizedAccess:IAMUser/TorIPCaller
Severity: Medium
Description: API call from a Tor exit node IP address
User: govtech-admin
Source IP: 185.220.101.15 (Tor)
Unusual Data Transfer:
  • Large S3 downloads to unfamiliar IP
  • RDS snapshot shared with external account
  • EBS snapshot copied to different region
Example Finding:
Finding Type: Exfiltration:S3/ObjectRead.Unusual
Severity: High
Description: S3 objects downloaded from unusual location
Bucket: govtech-application-data
Source IP: 203.0.113.45 (China)
Volume: 500GB in 1 hour
EKS-Specific Detections:
  • Privileged container launched
  • Anonymous API requests to Kubernetes API
  • ServiceAccount token abuse
  • Pod communicating with crypto mining service
Example Finding:
Finding Type: PrivilegeEscalation:Kubernetes/PrivilegedContainer
Severity: High
Description: Privileged container launched in EKS cluster
Cluster: govtech-prod
Namespace: govtech
Pod: suspicious-pod-xyz

Reviewing GuardDuty Findings

# List all active findings
aws guardduty list-findings \
  --detector-id <detector-id> \
  --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'

# Get detailed finding information
aws guardduty get-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>

# Archive false positives
aws guardduty archive-findings \
  --detector-id <detector-id> \
  --finding-ids <finding-id>

Audit Procedures

Daily Security Checks

1. Review GuardDuty Findings

# Check for new critical/high severity findings
aws guardduty list-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-criteria '{"Criterion":{"severity":{"Gte":7},"updatedAt":{"Gte":'$(date -u -d '24 hours ago' +%s)000'}}}'
Action: Investigate any high-severity findings immediately.
2. Check Security Hub Compliance

# View failed compliance checks (get-findings is paginated, so the CLI limit flag is --max-items)
aws securityhub get-findings \
  --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
  --max-items 10
Action: Remediate failed checks or document exceptions.
3. Review CloudTrail for Anomalies

# Check for after-hours activity
aws cloudtrail lookup-events \
  --start-time $(date -u -d '18:00 yesterday' +%Y-%m-%dT%H:%M:%S) \
  --end-time $(date -u -d '06:00 today' +%Y-%m-%dT%H:%M:%S)
Action: Verify legitimacy of after-hours access.
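The three daily checks above produce raw JSON. The following Python script, an added example that is not part of the platform documentation, shows the triage logic those checks imply: it keeps GuardDuty findings at severity 7 or above that were updated in the last 24 hours (the same criteria as the CLI filter), and flags CloudTrail events that fall in the 18:00 to 06:00 window or are one of the tracked IAM actions (logins, role assumptions, access key, policy and MFA changes). The findings, events and the fixed "now" timestamp are constructed; the field names match the `get-findings` and `lookup-events` output.

```python
"""Daily triage of GuardDuty findings and CloudTrail events.

Added example; not part of the platform docs. The record shapes mirror the
JSON that `aws guardduty get-findings` and `aws cloudtrail lookup-events`
return, but every record below is constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed).
NOW = datetime(2026, 3, 3, 10, 0, tzinfo=timezone.utc)

# Constructed GuardDuty findings (a subset of the real finding fields).
GUARDDUTY_FINDINGS = [
    {"Id": "f1", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "UpdatedAt": "2026-03-03T09:10:00.000Z"},
    {"Id": "f2", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "UpdatedAt": "2026-03-03T08:00:00.000Z"},
    {"Id": "f3", "Type": "UnauthorizedAccess:IAMUser/TorIPCaller", "Severity": 5.0,
     "UpdatedAt": "2026-03-03T07:30:00.000Z"},
    {"Id": "f4", "Type": "Exfiltration:S3/ObjectRead.Unusual", "Severity": 8.0,
     "UpdatedAt": "2026-02-20T07:30:00.000Z"},  # high, but outside the 24h window
]

# Constructed CloudTrail events (shape of lookup-events output, times in UTC).
CLOUDTRAIL_EVENTS = [
    {"EventName": "AssumeRole", "Username": "govtech-admin",
     "EventTime": "2026-03-02T21:15:00+00:00", "SourceIPAddress": "203.0.113.12"},
    {"EventName": "ListBuckets", "Username": "ci-deploy",
     "EventTime": "2026-03-02T14:00:00+00:00", "SourceIPAddress": "10.0.2.8"},
    {"EventName": "CreateAccessKey", "Username": "contractor-1",
     "EventTime": "2026-03-02T11:05:00+00:00", "SourceIPAddress": "198.51.100.7"},
    {"EventName": "DeactivateMFADevice", "Username": "govtech-admin",
     "EventTime": "2026-03-03T03:40:00+00:00", "SourceIPAddress": "203.0.113.12"},
]

# The tracked actions listed in the CloudTrail section: logins, role assumptions,
# access key changes, policy changes and MFA device changes.
SENSITIVE_EVENTS = {
    "ConsoleLogin", "AssumeRole", "CreateAccessKey", "DeleteAccessKey",
    "PutUserPolicy", "AttachUserPolicy", "PutRolePolicy", "AttachRolePolicy",
    "CreatePolicyVersion", "DeactivateMFADevice", "DeleteVirtualMFADevice",
}


def parse_time(ts):
    """Parse the ISO-8601 timestamps both services emit ('Z' or '+00:00' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def new_high_severity(findings, now=NOW, window=timedelta(hours=24), min_severity=7.0):
    """Findings at GuardDuty 'High' (>= 7) or above, updated inside the window.

    Mirrors the CLI criteria {"severity": {"Gte": 7}, "updatedAt": {"Gte": <ms>}}.
    """
    cutoff = now - window
    hits = [f for f in findings
            if f["Severity"] >= min_severity and parse_time(f["UpdatedAt"]) >= cutoff]
    return sorted(hits, key=lambda f: (-f["Severity"], f["Id"]))


def is_after_hours(when, start_hour=18, end_hour=6):
    """True between 18:00 and 06:00 UTC, the window the daily CloudTrail check queries."""
    return when.hour >= start_hour or when.hour < end_hour


def flag_cloudtrail(events, start_hour=18, end_hour=6):
    """Return (event, reasons) pairs for events that are after-hours or sensitive IAM actions."""
    flagged = []
    for event in events:
        reasons = []
        if is_after_hours(parse_time(event["EventTime"]), start_hour, end_hour):
            reasons.append("after-hours")
        if event["EventName"] in SENSITIVE_EVENTS:
            reasons.append("sensitive-iam-action")
        if reasons:
            flagged.append((event, reasons))
    return flagged


def daily_triage(findings, events, now=NOW):
    """One summary dict an analyst can paste into the daily check log."""
    return {
        "guardduty_ids": [f["Id"] for f in new_high_severity(findings, now)],
        "cloudtrail": {f'{e["EventName"]}/{e["Username"]}': reasons
                       for e, reasons in flag_cloudtrail(events)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_triage(GUARDDUTY_FINDINGS, CLOUDTRAIL_EVENTS), indent=2))
```

Feed it real exports by replacing the two constants with the parsed JSON from the CLI commands; the after-hours window is in UTC, so adjust `start_hour`/`end_hour` if the team's working day is defined in another zone.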

Weekly Security Review

  • Review all GuardDuty findings from past week
  • Check for users without MFA enabled
  • Verify no public S3 buckets
  • Review IAM access keys older than 90 days
  • Check CloudWatch alarms (any triggered?)
  • Review WAF blocked requests
  • Verify CloudTrail is logging to S3
  • Check for unused security groups
  • Review VPC Flow Logs for denied traffic
  • Validate backup procedures executed successfully

Monthly Compliance Audit

1. IAM Access Review

# List all IAM users and their group memberships
# (text output puts all names on one tab-separated line; tr splits them so xargs -I sees one per line)
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | \
  xargs -I {} aws iam list-groups-for-user --user-name {}

# Check for users with directly attached policies (violates best practice)
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | \
  xargs -I {} sh -c 'echo "== {}"; aws iam list-attached-user-policies --user-name {}'
Action: Remove users no longer needing access; move inline policies to groups.
2. Network Security Audit

# Find security groups allowing 0.0.0.0/0
aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values=0.0.0.0/0 \
  --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,VPC:VpcId}'
Action: Restrict overly permissive security groups.
3. Secrets and Key Rotation

# Check access key age (JMESPath only orders numbers, not date strings, so filter in the shell)
cutoff=$(date -u -d '90 days ago' +%Y-%m-%d)
aws iam list-users --query 'Users[*].UserName' --output text | tr '\t' '\n' | \
  while read -r user; do
    aws iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[*].[UserName,AccessKeyId,CreateDate]' --output text
  done | awk -v cutoff="$cutoff" '$3 < cutoff'
Action: Rotate keys older than 90 days.
4. Generate Compliance Report

# Export Security Hub findings to a text table (--max-items is the CLI pagination limit)
aws securityhub get-findings \
  --max-items 100 \
  --query 'Findings[*].{Title:Title,Severity:Severity.Label,Status:Compliance.Status,Resource:Resources[0].Id}' \
  --output table > security-hub-report-$(date +%Y-%m).txt
Action: Share report with security team and management.
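Steps 1 and 3 of the monthly audit, and the weekly "users without MFA" and "access keys older than 90 days" checks, can all be answered from one artefact: the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d`). The Python below is an added example, not part of the platform documentation; it parses that CSV and flags the conditions the CIS controls listed at the top of this page describe (root access keys, console users without MFA, unused passwords, keys older than or unused for 90 days). The column names are the real credential-report headers; the report content and the account id are constructed.

```python
"""Flag IAM credential-report rows that fail the CIS checks listed on this page.

Added example; not from the platform docs. Parses the CSV produced by
`aws iam get-credential-report`; the report below is constructed (account id
111111111111 is a placeholder), the column headers are the real ones.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 3, tzinfo=timezone.utc)   # fixed for reproducibility
MAX_AGE = timedelta(days=90)                        # CIS rotation / unused-credential limit

CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2024-01-01T00:00:00+00:00,not_supported,2026-01-10T08:00:00+00:00,not_supported,not_supported,true,true,2024-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
govtech-admin,arn:aws:iam::111111111111:user/govtech-admin,2024-02-01T00:00:00+00:00,true,2026-03-02T21:15:00+00:00,2026-01-15T00:00:00+00:00,2026-04-15T00:00:00+00:00,true,true,2026-02-01T00:00:00+00:00,2026-03-02T00:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2024-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-10-01T00:00:00+00:00,2026-03-01T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor-1,arn:aws:iam::111111111111:user/contractor-1,2025-01-01T00:00:00+00:00,true,2025-09-01T00:00:00+00:00,2025-01-01T00:00:00+00:00,2025-04-01T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_date(value):
    """Report dates are ISO-8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return {user: [issue, ...]} for every row that violates one of the checks."""
    days = max_age.days
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        # Root must not have access keys.
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            issues.append("root-access-key")
        # Every console user has MFA, and unused passwords are removed.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                issues.append("no-mfa")
            last = parse_date(row["password_last_used"]) or parse_date(row["user_creation_time"])
            if last is not None and now - last > max_age:
                issues.append(f"password-unused-{days}d")
        # Active keys are rotated within the limit and have been used within it.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                issues.append(f"key{n}-older-than-{days}d")
            last = parse_date(row[f"access_key_{n}_last_used_date"]) or rotated
            if last is not None and now - last > max_age:
                issues.append(f"key{n}-unused-{days}d")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(CREDENTIAL_REPORT).items():
        print(f"{user}: {', '.join(issues)}")
```

The report is generated at most once every four hours, so run `generate-credential-report` first and retry `get-credential-report` until it returns; the output of the audit maps directly to the "Action" lines above (remove or rotate, enable MFA).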

CloudWatch Alarms

The platform has automated alarms for critical security events:

Configured Alarms

Alarm: govtech-root-account-usage-prod
Trigger: Root account used for any action
Severity: CRITICAL
Response:
  1. Immediate investigation required
  2. Verify legitimacy with account owner
  3. If unauthorized, rotate root credentials
  4. Enable MFA if not already active
# Check who used root account
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=root \
  --max-items 5

Incident Response

Security Incident Playbook

Detection & Triage

Immediate Actions:
  • Confirm incident is genuine (not false positive)
  • Assess severity (Critical, High, Medium, Low)
  • Document initial findings
  • Notify security team
Questions to Answer:
  • What resource is affected?
  • When did the incident occur?
  • What is the potential impact?
  • Is data at risk?

Containment

Isolate Affected Resources:
# Isolate compromised EC2 instance
aws ec2 modify-instance-attribute \
  --instance-id i-xxxxx \
  --groups sg-isolated  # Empty security group

# Disable compromised IAM user
aws iam update-access-key \
  --user-name compromised-user \
  --access-key-id AKIA_XXXXX \
  --status Inactive

# Delete compromised pod
kubectl delete pod suspicious-pod -n govtech

Investigation

Gather Evidence:
# CloudTrail logs
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user \
  --start-time $(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%S)

# VPC Flow Logs (default record format; "..." matches the remaining fields)
aws logs filter-log-events \
  --log-group-name /aws/vpc/flow-logs \
  --filter-pattern '[version, account, eni, source=10.0.1.45, ...]'

# GuardDuty findings
aws guardduty list-findings --detector-id <id>
Document:
  • Timeline of events
  • Affected resources
  • Data accessed or exfiltrated
  • Attack vector
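The flow-log query above returns raw records; building the "timeline" and "data accessed or exfiltrated" items from them means parsing the default record format and aggregating. The Python below is an added example, not part of the platform documentation: it parses default-format VPC Flow Log lines, drops NODATA rows, lists the flows from the host under investigation, counts rejected connections per destination port (repeated rejects to one port are the pattern behind port-probe and C2 findings), and sums the bytes actually accepted per destination for the exfiltration question. The log lines and account id are constructed.

```python
"""Triage VPC Flow Log lines for an instance under investigation.

Added example; not part of the platform docs. Parses the default flow log
record format (version account-id interface-id srcaddr dstaddr srcport
dstport protocol packets bytes start end action log-status) that the
filter-log-events call returns; the lines below are constructed.
"""
from collections import Counter, defaultdict

FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample: the suspect host 10.0.1.45 from the finding above,
# one unrelated SSH flow, and one NODATA record (account id is a placeholder).
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d 10.0.1.45 198.51.100.23 49152 443 6 10 840 1772500000 1772500060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.1.45 198.51.100.23 49153 4444 6 3 180 1772500000 1772500060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.45 203.0.113.45 49154 445 6 5 300 1772500100 1772500160 REJECT OK
2 111111111111 eni-0f9e8d7c 10.0.2.8 10.0.1.45 55000 22 6 20 2400 1772500200 1772500260 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.1.45 203.0.113.45 49155 445 6 5 300 1772500300 1772500360 REJECT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1772500400 1772500460 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA rows carry no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def flows_from(records, srcaddr):
    """Records originating from the host under investigation, in log order."""
    return [r for r in records if r["srcaddr"] == srcaddr]


def rejected_summary(records):
    """Count REJECTed flows per (src, dst, dstport); repeated rejects to one port suggest scanning or a blocked C2 channel."""
    return Counter((r["srcaddr"], r["dstaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def bytes_by_destination(records, srcaddr):
    """Bytes the host actually got through (ACCEPT) per destination: the first number to check for exfiltration."""
    totals = defaultdict(int)
    for r in flows_from(records, srcaddr):
        if r["action"] == "ACCEPT":
            totals[r["dstaddr"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "usable records")
    print("rejected:", dict(rejected_summary(recs)))
    print("accepted bytes from 10.0.1.45:", bytes_by_destination(recs, "10.0.1.45"))
```

Pipe the `message` values from `filter-log-events` into `parse_flow_log`; if the log group uses a custom format, change `FIELDS` to match the format string the flow log was created with.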

Eradication

Remove Threat:
  • Terminate compromised instances
  • Revoke all credentials for affected users
  • Patch vulnerabilities exploited
  • Remove backdoors or malware
# Force password reset
aws iam update-login-profile \
  --user-name affected-user \
  --password-reset-required

# Invalidate existing sessions: deny use of any credential issued before now (there is no "revoke-session" CLI command; this is the aws:TokenIssueTime pattern)
aws iam put-user-policy \
  --user-name affected-user \
  --policy-name RevokeOlderSessions \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"DateLessThan":{"aws:TokenIssueTime":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}}}]}'

Recovery

Restore Normal Operations:
  • Deploy clean instances
  • Restore from known-good backups
  • Issue new credentials
  • Verify security controls
# Restore from RDS snapshot (pre-incident)
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier govtech-prod-restored \
  --db-snapshot-identifier govtech-prod-2026-03-01

Post-Incident Review

Document Lessons Learned:
  • What happened and why?
  • What worked well in response?
  • What could be improved?
  • What controls should be added?
Actions:
  • Update incident response playbook
  • Implement additional security controls
  • Provide team training
  • Share findings with stakeholders

Compliance Reporting

Generate Compliance Reports

# Compliance summary by resource type (from AWS Config, which evaluates the Security Hub controls)
aws configservice get-compliance-summary-by-resource-type \
  --query 'ComplianceSummariesByResourceType[*].{Type:ResourceType,Compliant:ComplianceSummary.CompliantResourceCount.CappedCount,NonCompliant:ComplianceSummary.NonCompliantResourceCount.CappedCount}' \
  --output table

# Export to JSON for processing (--max-items is the CLI pagination limit)
aws securityhub get-findings \
  --max-items 1000 > security-hub-findings-$(date +%Y-%m-%d).json

# CloudTrail event history
aws cloudtrail lookup-events \
  --start-time $(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%S) \
  --max-items 10000 > cloudtrail-events-$(date +%Y-%m-%d).json

Monthly Security Report Template

Executive Summary
  • Overall security posture (Green/Yellow/Red)
  • Critical incidents (if any)
  • Compliance status
Security Metrics
  • GuardDuty findings: X critical, Y high, Z medium
  • Security Hub compliance: XX% passing
  • CloudTrail events processed: XXX,XXX
  • WAF requests blocked: XX,XXX
Incidents
  • Number of security incidents
  • Mean time to detect (MTTD)
  • Mean time to respond (MTTR)
  • Lessons learned
Remediation Activities
  • Vulnerabilities patched
  • Access keys rotated
  • Users with MFA enabled
  • Security groups hardened
Compliance Status
  • CIS AWS Foundations: XX% compliant
  • AWS Best Practices: XX% compliant
  • Outstanding issues
  • Remediation plan
Recommendations
  • Short-term actions (next 30 days)
  • Long-term improvements (next quarter)

Automated Compliance Tools

AWS Config Rules

AWS Config continuously monitors configuration compliance:
# Check compliance status (raw string literal in the JMESPath filter, so the query is double-quoted for the shell)
aws configservice describe-compliance-by-config-rule \
  --query "ComplianceByConfigRules[?Compliance.ComplianceType!='COMPLIANT'].{Rule:ConfigRuleName,Status:Compliance.ComplianceType}" \
  --output table

# Get detailed compliance report
aws configservice get-compliance-summary-by-config-rule

Prowler (Open Source)

Prowler is an AWS security assessment tool:
# Install Prowler
pip install prowler

# Run full security assessment
prowler aws --severity critical high

# Check specific compliance framework
prowler aws --compliance cis_1.4_aws

# Generate HTML report
prowler aws --output-modes html json

Next Steps

Security Overview

Review overall security architecture

IAM Policies

Detailed IAM policy documentation
