Automated Compliance Features
Overview
CloudForge CI provides automated compliance enforcement that adapts to your selected compliance frameworks (HIPAA, SOC2, PCI-DSS, GDPR). The system automatically configures security controls, retention policies, and remediation actions based on the strictest requirements of your enabled frameworks.
Key Features
1. Compliance-Driven Configuration
- Automatic Policy Selection: Requirements automatically adapt based on enabled frameworks
- Strictest-Wins Logic: When multiple frameworks are enabled, the strictest requirement is applied
- Zero Manual Configuration: No need to manually configure compliance settings
2. Continuous Enforcement
- AWS Config Monitoring: Continuously monitors resources for compliance
- Automatic Remediation: Fixes non-compliant resources without human intervention
- Persistent Settings: Account-level settings survive stack deletion
3. Audit Trail
- Comprehensive Logging: All compliance actions are logged to CloudTrail
- Lifecycle Management: Automatic log retention and archival based on compliance requirements
- Version Control: S3 versioning enabled on all compliance buckets
Implemented Features
Config Recorder Auto-Start
What It Does: Automatically starts the AWS Config Recorder immediately upon deployment, ensuring compliance monitoring begins without manual intervention.
Why It's Required:
- SOC2: Requires continuous compliance monitoring from deployment
- HIPAA: Zero-gap compliance recording for PHI-related resources
- PCI-DSS: Immediate monitoring of cardholder data environment
- GDPR: Continuous monitoring for data protection compliance
How It Works:
- Config Recorder and Delivery Channel are created via CloudFormation
- A custom resource automatically calls the StartConfigurationRecorder API
- Recording begins immediately upon deployment completion
- Idempotent operation - safe to re-run on updates
Technical Details:
```java
// Auto-start implemented via an AWS SDK call wrapped in a CDK custom resource.
// The call is idempotent: starting a recorder that is already running is a no-op.
AwsSdkCall startRecorderCall = AwsSdkCall.builder()
    .service("ConfigService")
    .action("startConfigurationRecorder")
    .parameters(Map.of("ConfigurationRecorderName", "cloudforge-config-recorder"))
    .build();
```
Benefits:
- Zero Compliance Gap: No delay between deployment and monitoring
- Automatic: No manual start command required
- Idempotent: Safe to re-deploy without side effects
- Auditable: Start action logged in CloudTrail
Code Location:
S3 Lifecycle Policies
What It Does: Automatically manages the lifecycle of audit logs and compliance data based on regulatory retention requirements.
How It Works:
- System detects which compliance frameworks are enabled
- Determines the strictest retention requirement
- Configures S3 lifecycle rules with appropriate transitions and expiration
Retention Requirements by Framework:
| Framework | Retention Period | Immediate Access | Archive Tiers |
|---|---|---|---|
| HIPAA | 6 years (2190 days) | N/A | Glacier (90d), Deep Archive (1y) |
| SOC2 | 2 years (730 days) | N/A | Glacier (90d), Deep Archive (1y) |
| PCI-DSS | 1 year (365 days) | 3 months | Glacier (90d) |
| Default | Based on security profile | N/A | Glacier (90d), Deep Archive (varies) |
Storage Class Transitions:
0-90 days → S3 Standard (immediate availability for PCI-DSS)
90-365 days → Glacier (cost optimization)
365+ days → Glacier Deep Archive (long-term compliance)
Delete after → Framework-specific retention period
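The strictest-wins retention logic and the resulting lifecycle rule, as an added example rather than CloudForge CI's own code. Retention periods and the Standard/Glacier/Deep Archive tiers are those from the table and transition list above; the function names are assumptions, and the rule dictionary follows the `LifecycleConfiguration` shape that `aws s3api get-bucket-lifecycle-configuration` returns, so the same checker can be run over a live bucket's configuration.

```python
"""Strictest-wins retention and S3 lifecycle rule generation (added example)."""

# Retention in days per framework, from the "Retention Requirements" table.
RETENTION_DAYS = {
    "HIPAA": 2190,
    "SOC2": 730,
    "PCI-DSS": 365,
    "PCIDSS": 365,  # alias accepted in the deployment context
}

# Storage class transitions from the "Storage Class Transitions" list.
TRANSITIONS = [
    (90, "GLACIER"),
    (365, "DEEP_ARCHIVE"),
]


def strictest_retention_days(frameworks, default_days=365):
    """Strictest-wins: the longest retention among the enabled frameworks.

    An empty or unknown framework list falls back to `default_days`, a
    constructed stand-in for the page's "based on security profile" default.
    """
    days = [RETENTION_DAYS[f.strip().upper()] for f in frameworks
            if f.strip().upper() in RETENTION_DAYS]
    return max(days) if days else default_days


def lifecycle_rule(frameworks, rule_id="compliance-retention"):
    """Build one lifecycle rule in the s3api LifecycleConfiguration shape.

    A transition scheduled on or after the expiration day is dropped, which is
    why a PCI-DSS-only deployment gets Glacier but no Deep Archive tier: its
    365-day expiration coincides with that transition.
    """
    expire = strictest_retention_days(frameworks)
    transitions = [{"Days": day, "StorageClass": cls}
                   for day, cls in TRANSITIONS if day < expire]
    return {
        "ID": rule_id,
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Transitions": transitions,
        "Expiration": {"Days": expire},
        # Buckets are versioned, so old versions expire on the same schedule.
        "NoncurrentVersionExpiration": {"NoncurrentDays": expire},
    }


def lifecycle_meets_retention(config, required_days):
    """Check a bucket's lifecycle configuration against a retention floor.

    Returns True when no enabled rule expires current objects before
    `required_days`. A rule with no Expiration never deletes and so passes;
    a bucket with no rules at all also passes this check (it never deletes),
    even though it is not cost-optimized.
    """
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and exp < required_days:
            return False
    return True


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_rule(["HIPAA", "SOC2", "PCI-DSS"]), indent=2))
```

Feed `lifecycle_meets_retention` the JSON from `aws s3api get-bucket-lifecycle-configuration` and the value of `strictest_retention_days` for your enabled frameworks to confirm a deployed bucket has not been given a shorter expiration than the frameworks allow.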
Affected Buckets:
- CloudTrail audit logs
- AWS Config compliance data
- AWS Audit Manager evidence
- ALB access logs
Code Location:
S3 Bucket Versioning
What It Does: Enables versioning on all compliance-related S3 buckets to maintain immutable audit trails and prevent accidental deletion.
Why It's Required:
- HIPAA: Required for audit trail integrity
- SOC2: Required for evidence preservation
- PCI-DSS: Required for log file integrity
- GDPR: Required for data protection and accountability
How It Works:
All compliance buckets are created with .versioned(true):
```java
Bucket bucket = Bucket.Builder.create(this, "ComplianceBucket")
    .versioned(true) // Required for compliance
    .encryption(BucketEncryption.S3_MANAGED)
    .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
    .lifecycleRules(lifecycleRules)
    .build();
```
Benefits:
- Immutability: Previous versions cannot be overwritten
- Audit Trail: Complete history of all changes
- Recovery: Ability to restore previous versions
- Compliance: Meets regulatory requirements for data retention
Code Location:
S3 Versioning Auto-Remediation (Optional)
What It Does: Automatically enables versioning on S3 buckets that fail the AWS Config versioning compliance check.
Configuration: This feature is optional and can be enabled via deployment context:
```json
{
  "enableS3VersioningRemediation": true,
  "scopeConfigRulesToDeployment": true
}
```
Configuration Options:
| Parameter | Default | Description |
|---|---|---|
| enableS3VersioningRemediation | false | Enable automatic versioning remediation |
| scopeConfigRulesToDeployment | false | Only monitor buckets from this stack |
How It Works:
- AWS Config Rule: Monitors S3 bucket versioning (all buckets or scoped to stack)
- Detection: Config rule detects buckets without versioning enabled
- Automatic Remediation: SSM Automation enables versioning on the bucket
- Verification: Config re-evaluates and confirms compliance
Scoping Behavior:
- Default (scopeConfigRulesToDeployment=false): Monitors ALL S3 buckets in the account
  - Useful for organization-wide compliance enforcement
  - May report non-compliant buckets from other projects
- Scoped (scopeConfigRulesToDeployment=true): Only monitors buckets created by this CloudFormation stack
  - Uses the CloudFormation tag aws:cloudformation:stack-name
  - Only shows compliance for this specific deployment
  - Useful for focused compliance reporting
AWS Services Used:
- AWS Config: Monitors S3 bucket versioning
- AWS Systems Manager: Executes remediation using AWS-ConfigureS3BucketVersioning
- Amazon S3: Updates bucket versioning configuration
Remediation Settings:
- Mode: Automatic (no manual approval required)
- Max Attempts: 5
- Retry Interval: 60 seconds
Important Considerations:
⚠️ Cost Implications: Enabling versioning increases storage costs as S3 retains all object versions
⚠️ Irreversible: Once enabled, versioning cannot be fully disabled (only suspended)
⚠️ Storage Growth: Versioned objects consume additional storage for each version
Best Practices:
- Enable scoping for development/testing environments
- Use organization-wide monitoring for production compliance
- Configure lifecycle policies to manage version retention
- Monitor storage costs when enabling automatic remediation
Code Location:
- ComplianceFactory.java:501-536 - Config rule with scoping
- ComplianceFactory.java:721-770 - Remediation configuration
Example Deployment Logs:
```text
S3 versioning rule scoped to stack: jenkinsTSoc
S3 bucket versioning automatic remediation enabled
SSM Document: AWS-ConfigureS3BucketVersioning
Mode: Automatic (enables versioning on non-compliant buckets)
WARNING: This has cost implications - versioned objects consume additional storage
Max attempts: 5, Retry interval: 60 seconds
```
IAM Password Policy Auto-Remediation
What It Does: Automatically enforces IAM password policy requirements based on compliance frameworks using AWS Config and AWS Systems Manager.
How It Works:
- AWS Config Rule: Monitors IAM password policy compliance
- Detection: Config rule detects missing or non-compliant policy
- Automatic Remediation: SSM Automation document updates the policy
- Verification: Config re-evaluates and confirms compliance
Password Requirements by Framework:
| Framework | Min Length | Max Age | Reuse Prevention | Complexity |
|---|---|---|---|---|
| HIPAA | 14 characters | 90 days | 24 passwords | All required* |
| SOC2 | 12 characters | 90 days | 12 passwords | All required* |
| PCI-DSS | 8 characters | 90 days | 4 passwords | All required* |
| Default (PROD) | 14 characters | 90 days | 12 passwords | All required* |
| Default (STAGING/DEV) | 12 characters | 90 days | 12 passwords | All required* |
\* Complexity requirements include:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Symbols (!@#$%^&*)
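The strictest-wins merge for the password policy, together with the comparison the Config rule performs before deciding to remediate, as an added example that is not CloudForge CI's own code. The per-framework and default values come from the table above; `MinimumPasswordLength`, `MaxPasswordAge`, `PasswordReusePrevention` and the `Require*` flags are the real field names in the `PasswordPolicy` object returned by `aws iam get-account-password-policy`, while the function names and the sample policy are constructed for this example.

```python
"""Strictest-wins IAM password policy and compliance evaluation (added example)."""

# Per-framework requirements from the "Password Requirements by Framework" table.
FRAMEWORK_POLICIES = {
    "HIPAA":   {"MinimumPasswordLength": 14, "MaxPasswordAge": 90, "PasswordReusePrevention": 24},
    "SOC2":    {"MinimumPasswordLength": 12, "MaxPasswordAge": 90, "PasswordReusePrevention": 12},
    "PCI-DSS": {"MinimumPasswordLength": 8,  "MaxPasswordAge": 90, "PasswordReusePrevention": 4},
}
FRAMEWORK_POLICIES["PCIDSS"] = FRAMEWORK_POLICIES["PCI-DSS"]  # alias from the context docs

# Defaults applied when no framework is enabled, from the same table.
DEFAULT_POLICIES = {
    "PROD":    {"MinimumPasswordLength": 14, "MaxPasswordAge": 90, "PasswordReusePrevention": 12},
    "STAGING": {"MinimumPasswordLength": 12, "MaxPasswordAge": 90, "PasswordReusePrevention": 12},
    "DEV":     {"MinimumPasswordLength": 12, "MaxPasswordAge": 90, "PasswordReusePrevention": 12},
}

# Every framework requires all four complexity classes.
COMPLEXITY_FLAGS = ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                    "RequireNumbers", "RequireSymbols")

# Which direction counts as "stricter" for each numeric field.
STRICTER = {
    "MinimumPasswordLength": max,    # longer is stricter
    "MaxPasswordAge": min,           # shorter rotation is stricter
    "PasswordReusePrevention": max,  # remembering more passwords is stricter
}


def required_password_policy(frameworks, environment="PROD"):
    """Merge the enabled frameworks with strictest-wins; fall back to env defaults."""
    selected = [FRAMEWORK_POLICIES[f.strip().upper()] for f in frameworks
                if f.strip().upper() in FRAMEWORK_POLICIES]
    if not selected:
        selected = [DEFAULT_POLICIES.get(environment.upper(), DEFAULT_POLICIES["PROD"])]
    merged = {field: pick(p[field] for p in selected) for field, pick in STRICTER.items()}
    for flag in COMPLEXITY_FLAGS:
        merged[flag] = True
    return merged


def evaluate_password_policy(actual, required):
    """Return the unmet requirements; an empty list means COMPLIANT.

    `actual` is the "PasswordPolicy" dict from get-account-password-policy, or
    None for an account with no policy at all (IAM answers NoSuchEntity there,
    and Config reports NON_COMPLIANT). A missing MaxPasswordAge or
    PasswordReusePrevention means "unlimited", so it is also a finding.
    """
    if actual is None:
        return ["no account password policy set"]
    findings = []
    for field, pick in STRICTER.items():
        have, want = actual.get(field), required[field]
        if have is None or pick(have, want) != have:
            findings.append(f"{field}: have {have}, need {want}")
    for flag in COMPLEXITY_FLAGS:
        if not actual.get(flag, False):
            findings.append(f"{flag}: required")
    return findings


# Constructed sample of a PasswordPolicy object as the CLI would return it.
SAMPLE_POLICY = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 12,
}

if __name__ == "__main__":
    required = required_password_policy(["HIPAA", "SOC2", "PCI-DSS"])
    for finding in evaluate_password_policy(SAMPLE_POLICY, required):
        print("NON_COMPLIANT:", finding)
```

Against the HIPAA+SOC2+PCI-DSS merge the sample policy fails on length, reuse history and the lowercase flag; against SOC2 alone only the lowercase flag is missing, which matches the detection step described above.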
AWS Services Used:
- AWS Config: Monitors password policy compliance
- AWS Systems Manager: Executes remediation using AWSConfigRemediation-SetIAMPasswordPolicy
- IAM: Updates account password policy
Remediation Settings:
- Mode: Automatic (no manual approval required)
- Max Attempts: 5
- Retry Interval: 60 seconds
- Persistence: Account-level setting survives stack deletion
Code Location:
Example Deployment Logs:
```text
IAM password policy requirements (HIPAA):
Minimum length: 14 characters
Max password age: 90 days
Password reuse prevention: 24 passwords
Complexity: Uppercase, lowercase, numbers, symbols required
IAM password policy automatic remediation enabled
SSM Document: AWSConfigRemediation-SetIAMPasswordPolicy
Mode: Automatic (fixes non-compliant policies immediately)
Max attempts: 5, Retry interval: 60 seconds
```
Configuration
Enabling Compliance Frameworks
Configure compliance frameworks in your deployment context:
```java
DeploymentContext cfc = new DeploymentContext();
cfc.put("complianceFrameworks", "HIPAA,SOC2,PCI-DSS");
```
Supported Values:
- HIPAA - Health Insurance Portability and Accountability Act
- SOC2 - Service Organization Control 2
- PCI-DSS (or PCIDSS) - Payment Card Industry Data Security Standard
- GDPR - General Data Protection Regulation
Multiple Frameworks: Separate multiple frameworks with commas:
```java
cfc.put("complianceFrameworks", "HIPAA,PCI-DSS,SOC2");
```
When multiple frameworks are enabled, the strictest requirement is automatically applied.
Compliance Matrix
Feature Coverage by Framework
| Feature | HIPAA | SOC2 | PCI-DSS | Implementation |
|---|---|---|---|---|
| S3 Retention | ✅ 6 years | ✅ 2 years | ✅ 1 year | Auto-lifecycle |
| S3 Versioning | ✅ Required | ✅ Required | ✅ Required | Enabled by default |
| S3 Encryption | ✅ S3-managed | ✅ S3-managed | ✅ S3-managed | SSE-S3 |
| Password Length | ✅ 14 chars | ✅ 12 chars | ✅ 8 chars | Config + SSM |
| Password Complexity | ✅ All | ✅ All | ✅ All | Config + SSM |
| Password Rotation | ✅ 90 days | ✅ 90 days | ✅ 90 days | Config + SSM |
| Password Reuse | ✅ 24 | ✅ 12 | ✅ 4 | Config + SSM |
| Auto-Remediation | ✅ Enabled | ✅ Enabled | ✅ Enabled | AWS Config |
| CloudTrail Logging | ✅ All events | ✅ All events | ✅ All events | Advanced selectors |
| ALB Access Logs | ✅ Required | ✅ Required | ✅ Required | S3 bucket |
| Encryption in Transit | ✅ TLS 1.2+ | ✅ TLS 1.2+ | ✅ TLS 1.2+ | ALB listener |
Monitoring and Verification
Checking Compliance Status
View Config Rule Compliance:
```bash
aws configservice describe-compliance-by-config-rule \
  --config-rule-names $(aws configservice describe-config-rules \
    --query 'ConfigRules[*].ConfigRuleName' --output text)
```
Check Password Policy:
```bash
aws iam get-account-password-policy
```
View S3 Bucket Lifecycle:
```bash
aws s3api get-bucket-lifecycle-configuration --bucket <bucket-name>
```
Check S3 Bucket Versioning:
```bash
aws s3api get-bucket-versioning --bucket <bucket-name>
```
AWS Config Dashboard
- Navigate to AWS Config in AWS Console
- Select Rules to view compliance status
- Click on specific rules to see:
  - Compliance timeline
  - Non-compliant resources
  - Remediation history
CloudWatch Alarms
Compliance-related alarms are created with SNS notifications:
- ALB 5xx errors
- ALB 4xx errors
- High response times
Subscribe to the SNS topic to receive alerts:
```bash
aws sns subscribe \
  --topic-arn arn:aws:sns:region:account:alb-alarms-production \
  --protocol email \
  --notification-endpoint your-email@example.com
```
Troubleshooting
Password Policy Not Applied
Symptom: IAM password policy Config rule shows NON_COMPLIANT
Possible Causes:
- SSM Automation role lacks permissions
- Remediation configuration not created
- Manual policy changes override automation
Solution:
- Check SSM Automation execution:
```bash
aws ssm describe-automation-executions \
  --filters Key=DocumentName,Values=AWSConfigRemediation-SetIAMPasswordPolicy
```
- Manually trigger remediation:
```bash
aws configservice start-remediation-execution \
  --config-rule-name <rule-name> \
  --resource-keys resourceType=AWS::Account,resourceId=<account-id>
```
S3 Lifecycle Not Applied
Symptom: Buckets don't have lifecycle rules
Possible Causes:
- Compliance frameworks not configured
- Bucket created before lifecycle implementation
Solution:
- Verify compliance frameworks are set in deployment context
- Redeploy stack to apply lifecycle rules to existing buckets
- Check deployment logs for lifecycle configuration messages
Config Rules Not Created
Symptom: AWS Config rules missing after deployment
Possible Causes:
- AWS Config not enabled in the account
- Config recorder not created
- Insufficient IAM permissions
Solution:
- Verify AWS Config is enabled:
```bash
aws configservice describe-configuration-recorders
```
- Check deployment logs for Config-related errors
- Verify the IAM role has the config:PutConfigRule permission
Cost Optimization
S3 Storage Costs
Lifecycle policies automatically optimize storage costs:
Example Cost Savings (1 TB of logs):
- Month 1-3 (S3 Standard): $23/month
- Month 3-12 (Glacier): $4/month
- Year 2-6 (Deep Archive): $1/month
Annual Savings: ~$200/TB compared to keeping all data in S3 Standard
AWS Config Costs
- Rule Evaluations: $0.001 per evaluation
- Configuration Items: $0.003 per item
- Estimated Monthly Cost: $20-50 for typical deployment
Cost Reduction Tips:
- Use periodic evaluation instead of continuous where acceptable
- Disable rules in DEV environments
- Archive Config snapshots to S3 Glacier
Security Considerations
Least Privilege Access
All remediation actions use dedicated IAM roles with minimal permissions:
```java
// Role assumed only by SSM Automation; the inline policy grants the single
// action the password-policy remediation document needs.
Role ssmAutomationRole = Role.Builder.create(this, "RemediationRole")
    .assumedBy(new ServicePrincipal("ssm.amazonaws.com"))
    .inlinePolicies(Map.of(
        "RemediationPermissions",
        PolicyDocument.Builder.create()
            .statements(List.of(
                PolicyStatement.Builder.create()
                    .effect(Effect.ALLOW)
                    .actions(List.of("iam:UpdateAccountPasswordPolicy"))
                    .resources(List.of("*")) // account-level action; no narrower resource exists
                    .build()
            ))
            .build()
    ))
    .build();
```
Audit Trail
All compliance actions are logged:
- CloudTrail: API calls and account activity
- Config Timeline: Resource configuration changes
- SSM Automation: Remediation execution history
Data Protection
- Encryption at Rest: S3-managed encryption (SSE-S3)
- Encryption in Transit: TLS 1.2+ for all data transfer
- Access Control: Bucket policies and IAM policies restrict access
- Versioning: Immutable audit trail
Best Practices
- Enable All Relevant Frameworks: Configure all compliance frameworks your organization must meet
- Monitor Regularly: Subscribe to Config rule notifications and review compliance dashboard weekly
- Test Before Production: Deploy to staging environment first to verify compliance settings
- Document Exceptions: If manual overrides are needed, document them for auditors
- Regular Audits: Review Config rule compliance quarterly
- Cost Monitoring: Track AWS Config and S3 storage costs using AWS Cost Explorer
Additional Resources
- AWS Config Developer Guide
- AWS Systems Manager Automation
- S3 Lifecycle Configuration
- IAM Password Policy
Support
For issues or questions:
- GitHub Issues: cfc-core/issues
- Documentation: docs/compliance/
- Contact: support@cloudforgeci.com