Product Compliance
1. Executive Summary:
Report Period: January 1, 2023 – September 30, 2023
AWS Account ID: 062961893548
AWS Account Name: hashcashconsultants
Report Prepared By: Pritam Roy
Date of Report Preparation: September 22, 2023
2. Scope and Objectives:
Scope of Examination: This compliance report covers the examination of controls related to AWS service use in the US West (N. California) Main Region (most services), Europe (Ireland) & Asia Pacific (Tokyo) (specific EC2 instances), and US East (N. Virginia) (SES and SNS).
Objectives: The objectives of this report are to evaluate the effectiveness of controls related to security, availability, processing integrity, confidentiality, and privacy.
3. AWS Services in Scope:
AWS Services in Scope:
- AWS EC2
- AWS S3
- AWS IAM (Identity and Access Management)
- AWS VPC (Virtual Private Cloud)
- AWS VPN (Virtual Private Network)
- AWS NACL (Network Access Control Lists)
- AWS Security Groups
- AWS KMS (Key Management Service)
- AWS SES (Simple Email Service)
- AWS SNS (Simple Notification Service)
- AWS Secrets Manager
- AWS Security Hub
- AWS WAF & Shield
- AWS Macie
- AWS SSM (Systems Manager)
- AWS Route 53
- AWS SQS (Simple Queue Service)
- AWS IAM Roles & Policies
- AWS MFA (Multi-Factor Authentication)
- AWS CloudWatch
- AWS CloudTrail
- AWS VPC Flow Logs
Regions:
- US West (N. California) Main Region: Utilized for most AWS services.
- Europe (Ireland) & Asia Pacific (Tokyo): Used for specific EC2 instances.
- US East (N. Virginia): Utilized for SES and SNS.
AWS EC2 (Elastic Compute Cloud):
AWS EC2 provides resizable compute capacity in the cloud, allowing organizations to run virtual servers, known as instances, for various computing workloads.
AWS S3 (Simple Storage Service):
AWS S3 offers scalable and highly durable object storage. It is used for storing and retrieving data, making it suitable for backups, data archiving, and serving static website content.
AWS IAM (Identity and Access Management):
AWS IAM is a service for managing user access to AWS resources. It allows organizations to control who can access their AWS accounts and resources and what actions they can perform.
AWS VPC (Virtual Private Cloud):
AWS VPC enables organizations to create isolated network environments within the AWS cloud. It provides control over IP addressing, routing, and network connectivity, allowing for secure and private network configurations.
AWS VPN (Virtual Private Network):
AWS VPN allows secure communication between on-premises data centers or remote offices and AWS resources over encrypted connections, enhancing network security.
AWS NACL (Network Access Control Lists):
AWS NACLs are stateless firewalls that control inbound and outbound traffic at the subnet level. They can be used to add an additional layer of security to VPCs.
AWS Security Groups:
AWS Security Groups act as stateful virtual firewalls attached to instances (network interfaces) in a VPC. They control inbound and outbound traffic through allow rules based on IP ranges, ports, and protocols; unlike NACLs they have no deny rules, and return traffic for an allowed connection is permitted automatically.
AWS KMS (Key Management Service):
AWS KMS is a managed service for creating and controlling the encryption keys used by AWS services and applications. It protects data at rest by supplying and rotating the keys with which S3, EBS, Secrets Manager and other services encrypt stored data; protection of data in transit is provided separately by TLS.
AWS SES (Simple Email Service):
AWS SES is a scalable and cost-effective email service that allows organizations to send and receive emails. It is used for transactional emails, marketing campaigns, and notifications.
AWS SNS (Simple Notification Service):
AWS SNS enables the publication and distribution of messages to a variety of endpoints, such as email, SMS, and application endpoints. It is commonly used for event-driven communication.
AWS Secrets Manager:
AWS Secrets Manager is a service for managing sensitive information, such as database credentials and API keys. It provides secure storage and automatic rotation of secrets.
AWS Security Hub:
AWS Security Hub aggregates findings from AWS security services and runs automated configuration checks against security standards, giving a single view of security alerts and compliance status across an AWS environment. It helps organizations identify misconfigurations and prioritize their remediation.
AWS WAF & Shield:
AWS WAF (Web Application Firewall) and Shield provide protection against web application threats and DDoS (Distributed Denial of Service) attacks, enhancing the security of web applications.
AWS Macie:
AWS Macie is a security service that uses machine learning and pattern matching to discover and classify sensitive data stored in Amazon S3, such as personal data and credentials. It helps organizations find exposed or unprotected sensitive data before it leads to a breach.
AWS SSM (Systems Manager):
AWS SSM allows organizations to manage and automate operational tasks on AWS resources. It includes capabilities for configuration management, patching, and automation.
AWS Route 53:
AWS Route 53 is a scalable and highly available domain name system (DNS) web service. It translates domain names into IP addresses, ensuring reliable and fast domain name resolution.
AWS SQS (Simple Queue Service):
AWS SQS is a fully managed message queuing service that enables decoupling of components in distributed systems. It helps improve application scalability and reliability.
AWS IAM Roles & Policies:
AWS IAM Roles and Policies define permissions and access controls within an AWS account. Roles are assumed by AWS services or users, and policies specify what actions are allowed or denied.
AWS MFA (Multi-Factor Authentication):
AWS MFA adds an additional layer of security to AWS accounts by requiring users to present a second factor (a hardware or virtual authenticator) in addition to their password before gaining access.
AWS CloudWatch:
AWS CloudWatch is a monitoring and observability service that collects and tracks metrics, collects and monitors log files, and sets alarms. It helps organizations gain insights into AWS resources and applications.
AWS CloudTrail:
AWS CloudTrail records AWS API calls and related events, providing visibility into user and resource activity. It assists in auditing and compliance monitoring.
AWS VPC Flow Logs:
AWS VPC Flow Logs capture information about IP traffic within network interfaces of VPC resources. They provide visibility into network traffic for security analysis and troubleshooting.
4. Infrastructure Overview:
Our AWS infrastructure is designed to ensure security, availability, and data protection. It spans the regions listed in Section 3: US West (N. California) as the main region for most services, Europe (Ireland) and Asia Pacific (Tokyo) for specific EC2 instances, and US East (N. Virginia) for SES and SNS. Key aspects of our infrastructure include:
Network Architecture: We utilize Amazon Virtual Private Cloud (VPC) to create isolated network environments. VPC peering and VPNs are employed for secure communication.
Data Centres: Our data centres are distributed to enhance availability and disaster recovery capabilities. Redundancy and failover mechanisms are implemented.
Security Measures: Security groups, Network Access Control Lists (NACLs), and AWS WAF & Shield protect against unauthorized access and DDoS attacks. Key management is handled through AWS Key Management Service (KMS).
5. Control Objectives:
Our control objectives encompass various aspects of security, availability, data protection, and compliance for the AWS services within scope:
Security: Ensure that all AWS resources are securely configured and monitored for any suspicious activity.
Availability: Maintain high availability by employing redundancy and failover mechanisms.
Data Protection: Safeguard sensitive data through encryption, access controls, and regular backups.
Compliance: Adhere to industry-specific compliance requirements and best practices.
6. Control Activities:
We have implemented the following control activities and policies for each control objective:
Security: Regularly review and update security group rules and NACL configurations. Conduct security audits and vulnerability assessments.
Availability: Utilize AWS Auto Scaling for dynamic resource provisioning. Implement Elastic Load Balancers (ELBs) for distributing traffic.
Data Protection: Enforce encryption at rest using AWS KMS-managed keys and encryption in transit using TLS. Data is backed up to Amazon S3 with versioning enabled.
Compliance: Periodically review AWS compliance reports and ensure our environment aligns with relevant compliance standards.
7. Control Testing:
Control testing was conducted using a combination of automated tools and manual assessments. Methodologies included vulnerability scanning, penetration testing, and reviewing AWS CloudTrail logs.
Sampling was performed on a representative subset of AWS resources. Test results indicated that controls were effectively configured and monitored.
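The automated portion of this control testing, as an added example that is not the report's own tooling: two checks that exercise the security-group review and CloudTrail log review activities from Section 6. The record shapes match boto3's ec2.describe_security_groups() response and CloudTrail's JSON event format; the sample groups, events and user names are constructed for illustration, and the list of administrative ports is an assumption about which services must never be exposed to the Internet.

```python
"""Automated control checks of the kind described in Sections 6 and 7.

Added example, not the report's own tooling. Record shapes follow boto3's
ec2.describe_security_groups() response and CloudTrail's JSON event format;
the sample data below is constructed for illustration, not taken from the account.
"""

# Assumption: services that must never accept connections from the whole Internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample security groups (describe_security_groups() shape).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa1",
        "GroupName": "web-public",
        "IpPermissions": [
            # HTTPS open to the world is expected for a public web tier.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbbbbbbbbbbbbbb2",
        "GroupName": "bastion",
        "IpPermissions": [
            # SSH from anywhere: should be restricted to the VPN range.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # "All traffic" rule: acceptable for the internal range, not for ::/0.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _rule_port_range(rule):
    """Inclusive port range a rule covers. IpProtocol "-1" (all traffic)
    carries no FromPort/ToPort and means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _rule_cidrs(rule):
    """Every IPv4 and IPv6 CIDR the rule allows."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_world_open_admin_ports(groups):
    """Return (group id, cidr, exposed ports) for each ingress rule that opens
    an administrative port to 0.0.0.0/0 or ::/0."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            low, high = _rule_port_range(rule)
            exposed = tuple(p for p in sorted(ADMIN_PORTS) if low <= p <= high)
            if not exposed:
                continue
            for cidr in _rule_cidrs(rule):
                if cidr in WORLD_CIDRS:
                    findings.append((group["GroupId"], cidr, exposed))
    return findings


# Constructed sample CloudTrail events (only the fields the check reads).
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    # Failed attempt: not a successful login, so not a control failure by itself.
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    # The root identity has no userName; report its identity type instead.
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def find_console_logins_without_mfa(events):
    """Principals that completed a console login without MFA, which the MFA
    control in Section 3 requires for every interactive login."""
    offenders = []
    for event in events:
        if event.get("eventName") != "ConsoleLogin":
            continue
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        identity = event.get("userIdentity", {})
        offenders.append(identity.get("userName") or identity.get("type"))
    return offenders


if __name__ == "__main__":
    for finding in find_world_open_admin_ports(SAMPLE_SECURITY_GROUPS):
        print("world-open admin port:", finding)
    for principal in find_console_logins_without_mfa(SAMPLE_CLOUDTRAIL_EVENTS):
        print("console login without MFA:", principal)
```

Against live data the same functions take the `SecurityGroups` list returned by `ec2.describe_security_groups()` and the `Records` list from a CloudTrail log file; any finding from either check would be a control exception under Section 9 rather than the clean result reported here.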
8. Control Effectiveness:
Controls were evaluated for their effectiveness in mitigating risks. Results showed that controls are achieving their intended objectives and providing a robust security posture.
9. Control Exceptions:
No control exceptions were identified during testing. All controls were found to be in compliance with defined policies.
10. Conclusion:
In conclusion, our AWS infrastructure demonstrates a strong commitment to security, availability, data protection, and compliance. Control testing indicates that our controls are robust and effective.