Integration & Automation
Automate security compliance and remediation across organizations
This post is written with Pablo Santamaria Zarate from Fortra.
Fortra, a leading provider of security and compliance solutions, partnered with AWS to develop an innovative approach for automating security compliance checks and remediation across complex, multi-account, multi-Region organizations. This blog post explores Fortra’s compliance automation framework which uses AWS Config, AWS CloudFormation, HAQM DynamoDB, AWS Lambda, AWS Organizations, AWS Security Hub, and AWS Systems Manager to significantly reduce manual effort while enhancing overall security posture.
The post provides a detailed overview of the solution’s architecture, key features, and implementation process. It covers topics such as centralized security tooling, automated AWS Config rule deployment, custom remediation using Lambda and AWS Systems Manager, tagging-based exception handling, and comprehensive compliance reporting and visibility. Additionally, we share valuable lessons learned and best practices gathered during the implementation journey.
Problem statement
Managing security compliance for large organizations with thousands of AWS accounts can be challenging. As a leading security company, Fortra uses AWS Security Hub, AWS Config, and Systems Manager to identify and remediate risks within their environment. However, scaling these compliance and remediation processes had become resource- and time-intensive.
While Security Hub can suppress security findings based on specific suppression rules, the automated remediations performed by AWS Config and Systems Manager operated independently of these rules. As a result, resources that were intended to be exempt from automatic remediation under Security Hub’s suppression rules were still targeted by the remediation processes.
To address this, Fortra recognized the necessity for a more comprehensive and centralized approach to managing security compliance and automating remediation across their complex, multi-account AWS infrastructure. The company aimed to develop an innovative solution that would leverage AWS services to streamline this critical process while enhancing visibility and control. By integrating suppression rules with resource tags into their automated remediation workflows, Fortra sought to ensure that only non-exempt resources were subject to remediation actions, thereby minimizing unnecessary disruptions and improving overall efficiency.
Solution overview
The solution uses several AWS services to create a robust, scalable automation framework:
- AWS Config – For evaluating resource configurations against compliance rules
- AWS CloudFormation – For provisioning stacks
- HAQM DynamoDB – For storing compliance data and exception rules
- AWS Lambda – For orchestrating compliance checks and remediation actions
- AWS Organizations – For managing account structure and policies
- AWS Security Hub – For centralized visibility into security findings and for creating suppression rules
- AWS Systems Manager – For running remediation actions
This architecture, as illustrated in the following diagram, spans multiple accounts, with a centralized security tooling account serving as the hub for compliance management.
The solution contains the following key features:
- Centralized security tooling account – A dedicated account manages compliance rules, exceptions, and reporting across the organization.
- Automated AWS Config rule deployment – Using AWS CloudFormation StackSets, AWS Config rules are consistently deployed across all accounts and specified AWS Regions.
- Custom remediation using Lambda and Systems Manager – When an AWS Config rule detects a non-compliant resource, it triggers an auto-remediation action that runs a custom Systems Manager automation document to perform the remediation.
- Tagging-based exception handling – A flexible tagging strategy allows for exceptions to compliance rules, balancing security requirements with business needs.
- Compliance reporting and visibility – A custom dashboard provides real-time insights into compliance status across the organization.
Fortra has successfully implemented this solution in their organization with an architecture that scales efficiently to support thousands of AWS accounts.
Solution implementation
The solution uses several key AWS services to create a comprehensive compliance automation framework. Enabling Security Hub (as shown in the screenshot below) and integrating it with AWS Config rules serve as the foundation. AWS Config evaluates resources against predefined compliance standards, and Systems Manager Automation carries out the remediation.
Two DynamoDB tables hold the solution’s data: the suppression rules table, which manages compliance exceptions, and the organization inventory table, which maintains the current AWS Organizations structure. Information from both tables, including the AWS account ID and resource ID, is used to make decisions about resource remediation and exception handling.
The following screenshot shows the DynamoDB table that holds the resource inventory.
The following screenshot shows the DynamoDB table that holds the list of resources to include.
The AWS Config rules are consistently deployed across all accounts using CloudFormation StackSets.
Lambda functions orchestrate the automation workflow. When AWS Config identifies a non-compliant resource, it starts a Systems Manager automation document that invokes a Lambda function, as displayed in the following screenshot. This function verifies exceptions by checking resource tags against the suppression rules table. If no exception exists, the resource proceeds to remediation; if an exception applies, its information is collected and sent to HAQM S3 for reporting.
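The exception check described above, written as an added example rather than Fortra’s own Lambda code: the suppression rules table and the resource’s tags are constructed in-memory (the real solution reads them from DynamoDB and the resource), `SuppressionRule` is a hypothetical schema rather than Fortra’s table layout, and the decision and report record are what the automation document would act on and ship to S3 for the dashboard.

```python
"""Decide whether a Config-flagged resource is remediated or reported as an exception.
Suppression rules and tags are constructed sample data; the rule schema is hypothetical."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class SuppressionRule:
    control_id: str                   # Security Hub control ID the rule applies to
    account_id: Optional[str] = None  # None = applies to every account in the org
    resource_id: Optional[str] = None # exact resource ID/ARN match when set
    tag: Optional[tuple] = None       # (key, value) pair that must be present on the resource

def rule_matches(rule, control_id, account_id, resource_id, tags):
    """A rule suppresses remediation only when every field it sets matches;
    a tag key with the wrong value does not match."""
    if rule.control_id != control_id:
        return False
    if rule.account_id and rule.account_id != account_id:
        return False
    if rule.resource_id and rule.resource_id != resource_id:
        return False
    if rule.tag and tags.get(rule.tag[0]) != rule.tag[1]:
        return False
    return True

def decide(rules, control_id, account_id, resource_id, tags):
    """Return (action, record): action drives the automation document,
    record is the finding data written to S3 for the QuickSight dashboard."""
    matched = [r for r in rules
               if rule_matches(r, control_id, account_id, resource_id, tags)]
    action = "EXCEPTION" if matched else "REMEDIATE"
    record = {
        "controlId": control_id,
        "accountId": account_id,
        "resourceId": resource_id,
        "action": action,
        "matchedRules": len(matched),
    }
    return action, record

# Constructed sample table: one org-wide tag-based exception (control EC2.8, IMDSv2)
# and one per-resource exception scoped to a single account (control S3.2, public read).
SAMPLE_RULES = [
    SuppressionRule("EC2.8", tag=("compliance-exception", "imdsv1-legacy")),
    SuppressionRule("S3.2", account_id="111111111111",
                    resource_id="arn:aws:s3:::legacy-public-bucket"),
]
```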
Based on the findings data stored in HAQM S3, a custom HAQM QuickSight dashboard gives insight into compliance status. This dashboard offers filtering capabilities by organizational units, accounts, Regions, and Security Hub control IDs. The dashboard tracks both remediated and excluded resources while providing trend analysis of compliance improvements. This real-time visualization helps security teams manage and prioritize compliance at scale across large multi-account organizations in AWS Organizations.
The whole solution relies on a strong approach to tagging. Tags play multiple crucial roles, from identifying compliance-exempt resources to associating assets with business units and facilitating cost allocation. To maintain consistency, tag policies are implemented at the organization level, enforcing standardized tagging practices across all accounts.
Lessons learned and best practices
This solution has streamlined auto-remediation while eliminating hours of manual engineering work. Throughout the implementation journey, the Fortra team gathered several valuable insights that can benefit organizations embarking on similar compliance automation initiatives. Organizations should start with a core set of critical compliance rules and gradually expand the scope, allowing better control and validation of the automation. Early collaboration with application teams proved crucial in developing an effective tagging strategy that balances security requirements with business objectives. When architecting the solution, teams should focus on scalability to accommodate future growth in AWS accounts, Regions, and compliance rules. While automation improves efficiency, maintaining manual approval gates for high-risk changes remains essential for proper security controls.
Fortra automated the management of security controls across 200+ AWS accounts and 15+ Regions, significantly reducing the manual effort required. The solution also decreased the mean time to remediate security findings from 72 hours to minutes, allowing Fortra to remediate findings quickly after the Config rule is actioned with no additional human intervention required. Additionally, the team achieved 100% accuracy in applying security controls while respecting legitimate exceptions through the use of the tagging-based exception handling approach. These strategic approaches help build a robust and sustainable compliance automation framework that continues to evolve with organizational needs.
Future enhancements
The Fortra team continues to enhance the solution’s capabilities across several key areas. Fortra is partnering with the AWS Account team to broaden coverage of AWS Config rules, making the automation framework more comprehensive. Simultaneously, the team is streamlining the AWS Config deployment process throughout the organization to maintain smoother adoption and management. To better handle compliance workflows, Fortra is developing integrations with ticketing systems to improve tracking of manual approvals and exception management. Additionally, the team is fine-tuning reporting features to deliver detailed compliance trend analysis, helping organizations make informed decisions about their security posture. These improvements reflect Fortra’s commitment to delivering robust, enterprise-grade security automation solutions.
Conclusion
Maintaining security compliance across a large AWS footprint requires significant effort. This solution shows how AWS services create an effective compliance automation framework. By combining centralized management, tag-based control, and clear reporting, organizations can strengthen security while reducing manual work.
To get started with protecting your AWS environment, visit Security, Identity, and Compliance on AWS.
About the authors
Pablo Andres Santamaria Zarate is a Senior Cloud Admin Architect at Fortra, bringing over eight years of diverse experience across various roles, including System Administrator, DevOps Engineer, and Site Reliability Engineer (SRE). He specializes in designing and building cloud solutions on AWS, leveraging a wide array of services and technologies. Pablo is passionate about developing innovative solutions and automations to address various security challenges, demonstrating a strong commitment to enhancing operational efficiency and security in cloud environments.
Krutarth Doshi is a Senior Technical Account Manager at AWS with over 10 years of industry experience, including 3 years supporting Independent Software Vendor (ISV) customers at AWS. He specializes in developing and guiding customers to build custom solutions to enhance security and resiliency postures, as well as building HAQM QuickSight dashboards for improved visibility. Krutarth is passionate about helping customers solve complex technical challenges and leverage AWS services to drive innovation and achieve their business goals.