Relevant users
| User Role | Can Access |
|---|---|
| Technical Team member | ✓ |
| DevOps Team member | ✓ |
| Security Analyst | |
| Security Engineer | ✓ |
| Compliance Manager | |
| Project Manager | |
| Security Team Management | ✓ |
| Consultant | ✓ |
Example
- My company recently became responsible for an existing cloud project, and I want to ensure that it is secure and compliant with best practices.
- Our AWS project has grown to a size that makes it difficult to ensure its security posture manually, so I want a more scalable solution.
Cloud Conformity Solution
Before you start
Note: Prioritize the account or group of accounts to assess, for example, a production account.
Part 1 - Creating a report to assess your current security posture
Step 1. Select the account or group of accounts whose security posture you want to assess and generate an All Checks report.
Step 2. Filter the All Checks report by failed checks.
Step 3. Create a report by filtering the failed checks further, narrowing the results according to your organization's priorities. For example, you can filter by Well-Architected Framework category, resource tags, resource titles, and the risk level (severity) of the failed checks.
For example, applying the following filters produces a basic security report, which is easier to focus on and remediate than tackling many failures at once.
Procedure
- Category > Security
- Tags > "public"
- Standards and Frameworks > AWS Well-Architected Framework
- Optional: generate and download a PDF or CSV failed checks report to share with your stakeholders.
Part 2 - Creating a remediation plan based on your report
Step 1. Analyze the report to estimate the effort required, and the availability of team members, to resolve the failures for the different rules.
Step 2. Divide the failures into groups for prioritization.
For example, when grouping failures you can prioritize the lowest-effort rules, the highest-severity rules, or the rules for a particular service or category. This helps you separate and resolve failures according to your priorities.
We recommend prioritizing the high-impact services (EC2, RDS, S3, IAM, VPC, and Load Balancers) first, then continuing on to the other Extreme or Very High failed checks.
Tip: Example remediation scenario:
Step 3. Use filters to generate a report for each group of failures and share them with your team members. Each member can then follow the remediation steps for each rule failure included in the report.
Optional: You can create a recurring report to keep stakeholders updated on the effort and progress.
Use communication channels such as Slack, Jira, SMS, and Microsoft Teams to notify the relevant team members in your organization of failures.
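The filtering in Part 1 and the grouping in Part 2 can also be applied outside the console, for example to the CSV report downloaded in the optional step of Part 1. The script below is an added example and is not Cloud Conformity's own code: the CSV column names (rule_id, service, category, status, risk_level, effort, tags, framework, title), the CHK-xx rule IDs, the tags and the effort values are all constructed for this example and do not reflect the product's real export schema, so adapt them to whatever your downloaded report actually contains. It reproduces the "basic security report" filter (Category > Security, Tags > public, AWS Well-Architected Framework), then builds the remediation waves the page recommends (high-impact services first, then the remaining Extreme or Very High checks), a lowest-effort group, and a per-service split for sharing with the owning teams.

```python
"""Triage a failed-checks export the way Parts 1 and 2 describe.

Added example: this is NOT Cloud Conformity's own code, and the CSV column
names below are an assumption made for this example, not the product's real
export schema. Adapt the column names to whatever your downloaded CSV uses.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. Rule IDs (CHK-xx), titles, tags and effort
# values are made up for this example; the risk levels are the ones the
# page names.
SAMPLE_CSV = """\
rule_id,service,category,status,risk_level,effort,tags,framework,title
CHK-01,EC2,security,FAILURE,Very High,low,public;prod,AWS Well-Architected Framework,Security group open to 0.0.0.0/0
CHK-02,S3,security,FAILURE,Extreme,low,public,AWS Well-Architected Framework,Bucket publicly readable
CHK-03,RDS,security,SUCCESS,High,medium,prod,AWS Well-Architected Framework,Storage encrypted at rest
CHK-04,IAM,security,FAILURE,High,medium,prod,AWS Well-Architected Framework,Access key older than 90 days
CHK-05,Lambda,security,FAILURE,Very High,low,public,AWS Well-Architected Framework,Function URL without auth
CHK-06,CloudTrail,security,FAILURE,Extreme,high,prod,AWS Well-Architected Framework,Trail not multi-region
CHK-07,ELB,security,FAILURE,Medium,medium,public;prod,AWS Well-Architected Framework,Listener without TLS
CHK-08,EC2,cost-optimisation,FAILURE,Low,low,prod,AWS Well-Architected Framework,Idle instance
CHK-09,SNS,security,FAILURE,Low,low,public,CIS,Topic policy allows public publish
"""

# Severity ordering used for sorting (highest risk first).
RISK_ORDER = {"Extreme": 0, "Very High": 1, "High": 2, "Medium": 3, "Low": 4}

# The services the page recommends remediating first. "ELB" is the label
# assumed here for the page's "Load Balancers".
HIGH_IMPACT_SERVICES = {"EC2", "RDS", "S3", "IAM", "VPC", "ELB"}


def load_checks(csv_text):
    """Parse the export; split the ';'-separated tag column into a set."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["tags"] = {t for t in row["tags"].split(";") if t}
    return rows


def failed_checks(checks, category=None, tag=None, framework=None):
    """Part 1: keep only failed checks, then apply the optional filters."""
    selected = []
    for check in checks:
        if check["status"] != "FAILURE":
            continue
        if category is not None and check["category"] != category:
            continue
        if tag is not None and tag not in check["tags"]:
            continue
        if framework is not None and check["framework"] != framework:
            continue
        selected.append(check)
    return selected


def by_risk(failures):
    """Highest risk first; rule_id breaks ties so the order is stable."""
    return sorted(failures, key=lambda f: (RISK_ORDER[f["risk_level"]], f["rule_id"]))


def remediation_groups(failures):
    """Part 2, step 2: the page's recommended order as three waves.

    Wave 1: anything in a high-impact service, highest risk first.
    Wave 2: remaining Extreme / Very High failures.
    Wave 3: everything else.
    """
    groups = {"wave1_high_impact_services": [],
              "wave2_extreme_very_high": [],
              "wave3_remaining": []}
    for f in by_risk(failures):
        if f["service"] in HIGH_IMPACT_SERVICES:
            groups["wave1_high_impact_services"].append(f["rule_id"])
        elif f["risk_level"] in ("Extreme", "Very High"):
            groups["wave2_extreme_very_high"].append(f["rule_id"])
        else:
            groups["wave3_remaining"].append(f["rule_id"])
    return groups


def quick_wins(failures):
    """Lowest-effort rules, highest risk first (the 'lowest effort' grouping)."""
    return [f["rule_id"] for f in by_risk(failures) if f["effort"] == "low"]


def group_by_service(failures):
    """Per-service lists: one report for each team that owns that service."""
    groups = defaultdict(list)
    for f in failures:
        groups[f["service"]].append(f["rule_id"])
    return dict(groups)


if __name__ == "__main__":
    checks = load_checks(SAMPLE_CSV)
    basic = failed_checks(checks, category="security", tag="public",
                          framework="AWS Well-Architected Framework")
    print("basic security report:", [c["rule_id"] for c in basic])
    all_failures = failed_checks(checks)
    print("remediation waves:", remediation_groups(all_failures))
    print("quick wins:", quick_wins(all_failures))
    print("per service:", group_by_service(all_failures))
```

Note that the waves are cumulative rather than exclusive by severity: a Low failure in EC2 lands in wave 1 because the page puts the high-impact services ahead of everything else, while an Extreme failure in a service outside that list waits for wave 2. If your organization prefers severity over service, swap the order of the two tests in remediation_groups.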