NIST Control Family | Control ID | Control Description | Mapped AWS Service(s) | Example Use Case |
Access Control (AC) | AC-2 | Account management | IAM, AWS SSO, AWS Organizations | Enforce centralized user and role-based access |
| AC-6 | Least privilege | IAM Policies, SCPs (Service Control Policies) | Restrict IAM policies to minimum permissions |
| AC-17 | Remote access | IAM, VPN, AWS Client VPN | Control and monitor remote connections |
Audit & Accountability (AU) | AU-2 | Audit logging | CloudTrail, VPC Flow Logs, CloudWatch Logs | Log API activity and network traffic |
| AU-6 | Log review and analysis | CloudWatch, Security Hub, Splunk | Review logs, detect anomalies, trigger alerts |
System & Communications Protection (SC) | SC-12 | Cryptographic key management | AWS KMS, CloudHSM | Centralized key creation, rotation, auditing |
| SC-28 | Data at rest protection | S3 default encryption, EBS encryption, RDS encryption | Automatically encrypt stored data |
| SC-29 | Data in transit protection | TLS on ALB, CloudFront, ACM | Encrypt network traffic using TLS |
Identification & Authentication (IA) | IA-2 | User identification and authentication | IAM, Cognito, AWS SSO, MFA | Enforce IAM user auth with MFA, federated access |
| IA-5 | Authenticator management | IAM Credential Reports, Secrets Manager | Rotate credentials, store secrets securely |
Configuration Management (CM) | CM-2 | Baseline configurations | AWS Config, Service Catalog | Enforce use of secure, approved AMIs |
| CM-6 | Configuration settings | AWS Config Rules, Systems Manager | Audit for compliant instance, DB, and SG configurations |
Contingency Planning (CP) | CP-9 | Backup | AWS Backup, S3 versioning, RDS snapshots | Ensure automatic and regular backups |
| CP-10 | Disaster recovery | Route 53, Multi-AZ RDS, CloudFormation | Automate failover and recovery processes |
Incident Response (IR) | IR-4 | Incident handling | GuardDuty, Lambda, Security Hub, SNS | Detect and auto-respond to security incidents |
| IR-5 | Incident monitoring | CloudTrail, EventBridge, CloudWatch | Monitor abnormal activities and trigger responses |
System & Info Integrity (SI) | SI-2 | Malware protection | GuardDuty, Amazon Inspector | Detect infected EC2s, scan ECR for malware |
| SI-4 | System monitoring | CloudWatch, Config, Security Hub | Continuously monitor resources for integrity issues |
| SI-7 | Software updates | Inspector, Systems Manager Patch Manager | Automate vulnerability scans and patching |
📘 Notes for Use
AWS Security Hub supports mapping findings to controls from NIST 800-53, PCI-DSS, and CIS.
Use Audit Manager to automatically map evidence to controls.
Config Rules are the most flexible way to enforce technical controls (you can customize for NIST-specific checks).
✅ Example Real-World Scenario (Interview Use)
"To implement NIST AC-2 and AC-6, we used AWS IAM to define roles and policies based on least privilege, and enforced user lifecycle management through AWS SSO integrated with our IdP. AWS Config continuously monitored IAM policies against custom rules for deviations. All CloudTrail logs and IAM changes were forwarded to Security Hub and our SIEM via Kinesis for real-time analysis.
No comments:
Post a Comment