I'm getting ready for an audit, and I find myself stuck in the tedious process of manually taking screenshots of AWS services like Config, IAM, and CloudTrail. This approach is not scalable at all. I'm looking for tools that could automatically gather this data on a schedule and present it as evidence for compliance frameworks such as SOC 2 or ISO 27001. Any recommendations?
5 Answers
It's a bit of a hassle, but you might want to consider switching auditors. Some have automated integrations that connect directly to an AWS account via an IAM Role, allowing you to generate compliance reports for specific controls on demand!
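For the IAM Role integration mentioned above, an added illustration (not from the poster, and not any auditor's published policy) of the trust policy such a role would carry. The auditor account ID and the external ID are placeholders, and the role is assumed to have only the AWS-managed read-only SecurityAudit policy attached, so the auditor can read configuration but change nothing:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAuditorAccountToAssumeReadOnlyRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "EXTERNAL-ID-PROVIDED-BY-AUDITOR"
        }
      }
    }
  ]
}
```

The sts:ExternalId condition is what prevents a third party who knows the role ARN from being tricked into assuming it on behalf of someone else (the confused-deputy case); CloudTrail AssumeRole events for this role let you confirm that only the auditor's account ever uses it.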
I haven't tried it myself, but I've heard good things about the AWS Labs Compliance Analyzer on GitHub. It seems like it could be helpful for analyzing compliance.
AWS Audit Manager is a solid choice; you can use its outcomes as your compliance evidence. For third-party options, I've had experience with feha.io, and it might serve your needs well.
Just a heads up, it might depend a lot on your auditors and what kind of evidence they are willing to accept. In my experience, they often prefer screenshots over anything else.
You should definitely check out AWS Audit Manager for a native solution. If you're also considering third-party options, Vanta and OneTrust are worth looking into as well!

Great suggestions! I'm particularly interested in Audit Manager. Do you know if either Vanta or OneTrust has better integration with AWS for ongoing evidence collection?