# Compliance Controls Implementation for Auditors
This document provides detailed control implementation mappings for compliance auditors reviewing CloudForge CI deployments.
## Testing Status

### Compliance Frameworks

| Framework | Status | Production Tested | Notes |
|---|---|---|---|
| SOC 2 | ✅ Fully Tested | Yes | Validated in production environment |
| HIPAA | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
| PCI-DSS | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
| GDPR | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
### Authentication Methods

| Authentication Type | Status | Production Tested | Notes |
|---|---|---|---|
| No Authentication | ✅ Tested | Yes | Basic deployment without authentication |
| AWS Cognito | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
| ALB-OIDC (Identity Center) | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
| ALB-OIDC (Generic) | ⚠️ Not Tested | No | Configuration complete, awaiting validation |
Note: Production testing has been completed only for infrastructure controls (encryption, monitoring, AWS Config, etc.) without authentication enabled. Authentication integrations (Cognito, Identity Center, OIDC) are implemented and ready for deployment but have not been validated in production environments.
## Scope and Limitations

### What CloudForge CI Provides
CloudForge CI provides infrastructure-level technical controls. This includes:
- AWS infrastructure configuration (VPC, security groups, encryption)
- Access control mechanisms (IAM, Cognito, OIDC)
- Audit logging (CloudTrail, VPC Flow Logs, ALB logs)
- Monitoring and alerting (CloudWatch, GuardDuty, AWS Config)
- Encryption at rest and in transit
- Automated remediation for configuration drift
### What Organizations Must Provide
To achieve compliance, organizations must also implement:
- Policies and Procedures: Documented security policies, incident response procedures
- Training Programs: Security awareness training for staff
- Third-Party Audits: QSA assessment (PCI-DSS), CPA audit (SOC 2), DPA agreements (GDPR)
- Application-Level Controls: Application security, code reviews, vulnerability scanning
- Organizational Controls: HR processes, vendor management, business continuity planning
- Evidence Collection: Documentation beyond automated infrastructure evidence
## Configuration Validation Rules (alwaysLoad Framework)

### Overview
Framework ID: CONFIG
Priority: 1 (runs first)
alwaysLoad: true (runs regardless of compliance frameworks specified)
File: ConfigurationValidationRules.java
Purpose: Validates basic deployment configuration requirements before compliance-specific rules run. This framework catches common configuration errors that would cause deployment failures regardless of compliance requirements.
### Validation Rules

#### CONFIG-SUBDOMAIN-DOMAIN
- Requirement: Subdomain requires a parent domain
- Validation: Fails if subdomain is specified without domain
- Severity: FAIL (blocks deployment)
- Example Violation:

  ```json
  {
    "subdomain": "app",
    "domain": ""   // ❌ FAIL: Subdomain requires parent domain
  }
  ```

- Evidence: 18 test cases in compliance-test-matrix.csv
- Test Coverage: All runtimes (EC2, Fargate), all profiles (DEV, STAGING, PRODUCTION), all frameworks
Rationale: A subdomain like "app.example.com" requires a parent domain "example.com" for DNS configuration. This is a fundamental infrastructure requirement.
#### CONFIG-OIDC-HTTPS
- Requirement: ALB OIDC authentication requires HTTPS
- Validation: Fails if authMode=alb-oidc and enableSsl=false
- Severity: FAIL (blocks deployment)
- Example Violation:

  ```json
  {
    "authMode": "alb-oidc",
    "enableSsl": false   // ❌ FAIL: OIDC requires HTTPS
  }
  ```

- Evidence: 20 test cases in compliance-test-matrix.csv
- Test Coverage: All runtimes, all profiles, all frameworks
Rationale: The OIDC authorization-code flow carries the authorization code, the ID token and the resulting session cookie in HTTP requests between the browser, the ALB and the identity provider. Without TLS, those credentials are exposed to network interception, so the rule refuses to deploy OIDC on a plain HTTP listener (the ALB `authenticate-oidc` action is itself only supported on HTTPS listeners, so such a deployment would fail anyway).
### Design Pattern: alwaysLoad
The alwaysLoad = true attribute ensures these basic validations run even for deployments that don't specify any compliance frameworks. This prevents common configuration errors in development environments.
Example: A developer deploying to DEV without compliance can still catch the subdomain/domain mismatch before wasting time on a failed deployment.
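The following stand-alone Python model shows the rule-framework semantics described above (framework id, priority ordering, `alwaysLoad`, FAIL severity) and the two CONFIG rules. It is an added example written for this page, not CloudForge CI's `ConfigurationValidationRules.java`; it goes one step further than the text by adding a framework-specific log-retention rule (using the retention periods from the Audit Logging mapping table below) that only loads when its framework is selected, so the contrast with the always-loaded CONFIG rules is visible. The `<FRAMEWORK>-LOG-RETENTION` rule ids and the rule-function shape are assumptions for illustration.

```python
"""Stand-alone model of the validation-rule semantics described on this page
(framework id, priority, alwaysLoad, FAIL severity). Added example: this is not
CloudForge CI's ConfigurationValidationRules.java, and the '<FRAMEWORK>-LOG-RETENTION'
rule ids below are assumed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str  # "FAIL" blocks the deployment
    message: str


Rule = Callable[[dict], Optional[Finding]]


@dataclass
class RuleFramework:
    framework_id: str
    priority: int        # lower runs first; CONFIG is 1
    always_load: bool    # True: run even when no compliance framework is selected
    rules: list = field(default_factory=list)


def parse_frameworks(cfg: dict) -> set:
    """'SOC2,HIPAA,PCI-DSS' -> {'SOC2', 'HIPAA', 'PCI-DSS'}; missing/empty -> set()."""
    raw = cfg.get("complianceFrameworks") or ""
    return {f.strip().upper() for f in raw.split(",") if f.strip()}


# CONFIG-SUBDOMAIN-DOMAIN: a subdomain without a parent domain cannot be set up in DNS.
def config_subdomain_domain(cfg: dict) -> Optional[Finding]:
    if cfg.get("subdomain") and not cfg.get("domain"):
        return Finding("CONFIG-SUBDOMAIN-DOMAIN", "FAIL",
                       "subdomain %r requires a parent domain" % cfg["subdomain"])
    return None


# CONFIG-OIDC-HTTPS: the OIDC code/token exchange must not travel over plain HTTP.
def config_oidc_https(cfg: dict) -> Optional[Finding]:
    if cfg.get("authMode") == "alb-oidc" and not cfg.get("enableSsl", False):
        return Finding("CONFIG-OIDC-HTTPS", "FAIL", "authMode=alb-oidc requires enableSsl=true")
    return None


# Retention periods (days) from the Audit Logging mapping table on this page.
MIN_RETENTION_DAYS = {"SOC2": 730, "HIPAA": 2190, "PCI-DSS": 365, "GDPR": 730}


def make_retention_rule(framework: str) -> Rule:
    """Framework-specific rule (assumed id); loaded only when that framework is selected."""
    def rule(cfg: dict) -> Optional[Finding]:
        need = MIN_RETENTION_DAYS[framework]
        have = int(cfg.get("logRetentionDays", 0))
        if have < need:
            return Finding(f"{framework}-LOG-RETENTION", "FAIL",
                           f"{framework} needs logRetentionDays >= {need}, got {have}")
        return None
    return rule


FRAMEWORKS = [RuleFramework("CONFIG", 1, True, [config_subdomain_domain, config_oidc_https])]
FRAMEWORKS += [RuleFramework(fw, 10, False, [make_retention_rule(fw)]) for fw in MIN_RETENTION_DAYS]


def validate(cfg: dict) -> list:
    """Run alwaysLoad frameworks plus the selected ones, lowest priority number first."""
    selected = parse_frameworks(cfg)
    active = [f for f in FRAMEWORKS if f.always_load or f.framework_id in selected]
    findings = []
    for fw in sorted(active, key=lambda f: f.priority):
        for rule in fw.rules:
            finding = rule(cfg)
            if finding is not None:
                findings.append(finding)
    return findings


def deployment_blocked(findings: list) -> bool:
    return any(f.severity == "FAIL" for f in findings)


if __name__ == "__main__":
    dev = {"subdomain": "app", "domain": ""}  # no frameworks selected: CONFIG still runs
    prod = {"subdomain": "app", "domain": "example.com", "authMode": "alb-oidc",
            "enableSsl": True, "complianceFrameworks": "SOC2,HIPAA", "logRetentionDays": 730}
    for cfg in (dev, prod):
        for f in validate(cfg):
            print(f.rule_id, f.severity, f.message)
```

Because CONFIG has `always_load=True` and priority 1, the DEV configuration above reports `CONFIG-SUBDOMAIN-DOMAIN` even though it names no compliance framework, and in the production configuration the CONFIG rules run before the HIPAA retention rule fires on the 730-day setting.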
## SOC 2 Controls Implementation ✅ Tested

### CC6.1: Logical and Physical Access Controls

Implementation:

```java
// File: cloudforge-api/src/main/java/com/cloudforgeci/api/core/security/ProductionSecurityProfileConfiguration.java
// Controls: IAM password policy, MFA enforcement, session management
```

| Control | Implementation | Evidence Location | Code Reference | Testing Status |
|---|---|---|---|---|
| Password Complexity | 12-char minimum, complexity requirements | AWS Config Rule: iam-password-policy | Soc2Rules.java:45-89 | ✅ Tested |
| Password Rotation | 90-day max age | AWS Config Rule: iam-password-policy | Soc2Rules.java:45-89 | ✅ Tested |
| MFA Enforcement ⚠️ | Required for admin access | Cognito User Pool settings | CognitoAuthenticationFactory.java:120-145 | ⚠️ Not Tested |
| Session Timeout ⚠️ | 12-hour max session duration | Cognito User Pool settings | CognitoAuthenticationFactory.java:150-165 | ⚠️ Not Tested |
Audit Evidence:
- ✅ Tested: AWS Config compliance dashboard showing password policy compliance
- ⚠️ Not Tested: Cognito User Pool configuration export
- ⚠️ Not Tested: CloudTrail logs showing MFA-authenticated sessions
Note: IAM password policy controls are production-tested. Cognito-based authentication (MFA, session management) is implemented but not yet production-validated.
### CC6.6: Network Security

Implementation:

```java
// File: cloudforge-api/src/main/java/com/cloudforgeci/api/network/VpcFactory.java
// Controls: Network segmentation, security groups, NACLs
```
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Network Segmentation | Private subnets for compute, public for ALB | VPC configuration | VpcFactory.java:80-150 |
| Security Groups | Least-privilege ingress/egress rules | Security Group resources | VpcFactory.java:200-250 |
| Encryption in Transit | TLS 1.2+ for all external traffic | ALB HTTPS listener | AlbFactory.java:180-220 |
Audit Evidence:
- VPC Flow Logs showing network traffic patterns
- Security Group rules export
- ACM certificate validation records
### CC7.2: System Monitoring

Implementation:

```java
// File: cloudforge-api/src/main/java/com/cloudforgeci/api/observability/ComplianceFactory.java
// Controls: CloudTrail, AWS Config, automated evidence collection
```
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Audit Logging | CloudTrail all API calls | S3 bucket (retained 2 years) | ComplianceFactory.java:145-220 |
| Configuration Monitoring | AWS Config Rules | Config compliance dashboard | ComplianceFactory.java:350-450 |
| Automated Remediation | SSM automation documents | Config Remediation Actions | ComplianceFactory.java:1850-1950 |
| Evidence Retention | S3 lifecycle policies | S3 bucket lifecycle rules | ComplianceFactory.java:2040-2154 |
Audit Evidence:
- CloudTrail logs (2-year retention)
- AWS Config compliance reports
- S3 bucket lifecycle configuration
Auto-Start Feature (v2.0.6+): AWS Config Recorder automatically starts during deployment via custom resource, ensuring zero-gap compliance monitoring.
```java
// ComplianceFactory.java:475-534
// Single SDK call issued by the CDK custom resource at deployment time
AwsSdkCall startRecorderCall = AwsSdkCall.builder()
    .service("ConfigService")
    .action("startConfigurationRecorder")
    .parameters(Map.of("ConfigurationRecorderName", "cloudforge-config-recorder"))
    .build();
```
Evidence: CloudTrail event StartConfigurationRecorder logged at deployment time.
## HIPAA Controls Implementation ⚠️ Not Yet Tested

### §164.312(a)(2)(i): Unique User Identification ⚠️ Authentication Not Tested

| Control | Implementation | Evidence Location | Code Reference | Testing Status |
|---|---|---|---|---|
| Unique User IDs ⚠️ | Cognito User Pool with email-based auth | Cognito User Pool | CognitoAuthenticationFactory.java:85-110 | ⚠️ Not Tested |
| MFA ⚠️ | TOTP + SMS for admin access | Cognito MFA settings | CognitoAuthenticationFactory.java:120-145 | ⚠️ Not Tested |
Note: Cognito authentication is implemented but not production-tested. Use authMode: "cognito" and cognitoMfaEnabled: true to enable.
### §164.312(a)(2)(iv): Encryption at Rest ✅ Tested

| Control | Implementation | Evidence Location | Code Reference | Testing Status |
|---|---|---|---|---|
| EFS Encryption | AES-256 encryption enabled | EFS configuration | EfsFactory.java:120-140 | ✅ Tested |
| EBS Encryption | AES-256 encryption enabled | EC2 launch template | Ec2Factory.java:200-230 | ✅ Tested |
| S3 Encryption | AES-256 SSE-S3 enabled | S3 bucket configuration | ComplianceFactory.java:260-290 | ✅ Tested |
### §164.312(b): Audit Controls ✅ Infrastructure Tested

| Control | Implementation | Evidence Location | Code Reference | Testing Status |
|---|---|---|---|---|
| Audit Logs | CloudTrail all API calls | S3 bucket (retained 6 years) | ComplianceFactory.java:145-220 | ✅ Tested |
| Log Retention | 6-year retention (2190 days) | S3 lifecycle policy | ComplianceFactory.java:2040-2154 | ✅ Tested |
Configuration: Set logRetentionDays: 2190 and complianceFrameworks: "HIPAA"
Note: CloudTrail logging and retention tested. HIPAA-specific log analysis and reporting not yet validated.
## PCI-DSS Controls Implementation ⚠️ Not Yet Tested

### Requirement 6.6: Web Application Firewall
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| WAF | AWS WAF v2 with managed rule groups | WAF WebACL | WafFactory.java:80-150 |
| SQL Injection Protection | AWS Managed Rules - SQL DB | WAF rule group | WafFactory.java:160-180 |
| XSS Protection | AWS Managed Rules - Core | WAF rule group | WafFactory.java:185-205 |
Configuration: Set wafEnabled: true
### Requirement 10.2: Audit Trail
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Access Logs | ALB access logs to S3 | S3 bucket (1-year retention) | AlbFactory.java:250-280 |
| API Audit Logs | CloudTrail all API calls | S3 bucket (1-year retention) | ComplianceFactory.java:145-220 |
Configuration: Set albAccessLogging: true, logRetentionDays: 365
### Requirement 11.4: Intrusion Detection
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Threat Detection | GuardDuty monitoring | GuardDuty findings | GuardDutyFactory.java:54-97 |
| Auto-Start | Custom resource enables GuardDuty | CloudFormation custom resource | GuardDutyFactory.java:73-97 |
Configuration: Set guardDutyEnabled: true (auto-enabled with PRODUCTION security profile)
Evidence: GuardDuty findings dashboard, EventBridge rules for alerting
## GDPR Controls Implementation ⚠️ Not Yet Tested

### Article 25: Data Protection by Design
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Encryption by Default | All storage encrypted | EFS, EBS, S3 encryption | Multiple factories |
| Minimal Data Collection | CloudForge CI writes no application data into CloudTrail/Config; note that CloudTrail events still record the caller identity (ARN, user name) and source IP, which can be personal data under GDPR | AWS service configuration | N/A |
### Article 30: Records of Processing Activities
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Audit Logs | CloudTrail all API calls | S3 bucket (2-year retention) | ComplianceFactory.java:145-220 |
| Processing Records | CloudTrail records every AWS API call made against the deployment; the Article 30 register of processing activities itself is an organizational document the customer must maintain (see Scope and Limitations) | CloudTrail S3 bucket | ComplianceFactory.java:145-220 |
### Article 32: Security of Processing
| Control | Implementation | Evidence Location | Code Reference |
|---|---|---|---|
| Encryption | AES-256 at rest, TLS 1.2+ in transit | Multiple resources | Multiple factories |
| Access Control | IAM, Cognito, security groups | IAM policies, Cognito config | Multiple factories |
| Monitoring | CloudWatch, AWS Config, GuardDuty | Monitoring dashboards | SecurityMonitoringFactory.java |
Configuration: Set region: "eu-west-1" for EU data residency
## Cross-Framework Control Mapping

### Encryption at Rest ✅ Tested

| Framework | Requirement | Implementation | Evidence | Testing Status |
|---|---|---|---|---|
| SOC 2 | CC6.1 | AES-256 for EFS, EBS, S3 | AWS Config Rules | ✅ Tested |
| HIPAA | §164.312(a)(2)(iv) | AES-256 for EFS, EBS, S3 | AWS Config Rules | ✅ Tested |
| PCI-DSS | Req 3.4 | AES-256 for EFS, EBS, S3 | AWS Config Rules | ✅ Tested |
| GDPR | Art. 32(1)(a) | AES-256 for EFS, EBS, S3 | AWS Config Rules | ✅ Tested |
Code: EfsFactory.java:120-140, Ec2Factory.java:200-230, ComplianceFactory.java:260-290
### Access Control ⚠️ Authentication Not Tested

| Framework | Requirement | Implementation | Evidence | Testing Status |
|---|---|---|---|---|
| SOC 2 | CC6.2 | IAM policies ✅, Cognito MFA ⚠️ | IAM policy docs, Cognito config | Partial |
| HIPAA | §164.312(a)(1) | IAM policies ✅, Cognito MFA ⚠️ | IAM policy docs, Cognito config | Partial |
| PCI-DSS | Req 7.1-7.2 | IAM policies ✅, Cognito MFA ⚠️ | IAM policy docs, Cognito config | Partial |
| GDPR | Art. 25(2) | IAM policies ✅, Cognito MFA ⚠️ | IAM policy docs, Cognito config | Partial |
Code: CognitoAuthenticationFactory.java:85-165
Note: IAM password policies are production-tested via AWS Config. Cognito MFA, Identity Center, and OIDC authentication are implemented but not production-tested.
### Audit Logging ✅ Tested

| Framework | Requirement | Retention Period | Implementation | Testing Status |
|---|---|---|---|---|
| SOC 2 | CC7.2 | 2 years | CloudTrail + lifecycle | ✅ Tested |
| HIPAA | §164.312(b) | 6 years | CloudTrail + lifecycle | ✅ Tested |
| PCI-DSS | Req 10.7 | 1 year | CloudTrail + lifecycle | ✅ Tested |
| GDPR | Art. 30 | 2 years | CloudTrail + lifecycle | ✅ Tested |
Code: ComplianceFactory.java:145-220 (CloudTrail), ComplianceFactory.java:2040-2154 (Lifecycle)
Note: CloudTrail logging, S3 lifecycle policies, and log retention are production-tested.
## Automated Evidence Collection

### AWS Audit Manager Integration

When auditManagerEnabled: true, the system creates one assessment per framework:

```json
{
  "complianceFrameworks": "SOC2,HIPAA,PCI-DSS"
}
```
Creates:
- SOC 2 Type 2 assessment
- HIPAA assessment
- PCI-DSS v3.2.1 assessment
Evidence Sources:
- CloudTrail API logs
- AWS Config compliance data
- GuardDuty findings
- WAF logs
- VPC Flow Logs
- ALB access logs
Assessment Lifecycle:
- Created automatically via CloudFormation
- Visible in AWS Audit Manager console
- Deleted when stack is destroyed (evidence retained in S3)
## Compliance Reports for Auditors

### How to Generate Evidence

1. AWS Config Compliance Dashboard

   ```bash
   aws configservice describe-compliance-by-config-rule \
     --region us-east-1 \
     --output table
   ```

2. Audit Manager Assessment Export

   ```bash
   aws auditmanager get-assessment \
     --assessment-id <assessment-id> \
     --region us-east-1
   ```

3. CloudTrail Log Analysis

   ```bash
   aws s3 sync s3://cloudforge-cloudtrail-<account-id>/ ./audit-logs/
   ```

4. Security Hub Compliance Score

   ```bash
   aws securityhub get-findings \
     --filters '{"ComplianceStatus":[{"Value":"FAILED","Comparison":"EQUALS"}]}' \
     --region us-east-1
   ```
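Once the Config output and the CloudTrail objects are on disk, the evidence items this page names can be checked offline: the deploy-time `StartConfigurationRecorder` event cited under CC7.2, the "CloudTrail logs showing MFA-authenticated sessions" item under CC6.1, and the rule-level compliance state behind the Config dashboard. The script below is an added example written for this page, not CloudForge CI code; its sample records are constructed inline in the documented CloudTrail and `describe-compliance-by-config-rule` JSON shapes, and the directory layout assumed by `load_trail_dir` is simply "any `.json`/`.json.gz` files under the synced prefix".

```python
"""Offline evidence checks over CloudTrail records and AWS Config output.
Added example for this page, not CloudForge CI code. The sample data below is
constructed here in the documented CloudTrail / Config JSON shapes."""
import gzip
import json
from collections import Counter
from pathlib import Path

# Constructed sample in the shape of one CloudTrail log file: a deploy-time
# StartConfigurationRecorder call, one MFA console login, one login without MFA.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2025-11-18T10:00:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StartConfigurationRecorder",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/cfn-custom-resource/deploy"},
     "requestParameters": {"configurationRecorderName": "cloudforge-config-recorder"}},
    {"eventTime": "2025-11-18T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-11-18T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
]}

# Constructed sample of `aws configservice describe-compliance-by-config-rule` output.
SAMPLE_CONFIG = {"ComplianceByConfigRules": [
    {"ConfigRuleName": "iam-password-policy", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
     "Compliance": {"ComplianceType": "NON_COMPLIANT",
                    "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]}


def load_trail_records(blob: bytes) -> list:
    """Parse one CloudTrail object as synced from S3; the objects are normally .json.gz."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic
        blob = gzip.decompress(blob)
    return json.loads(blob).get("Records", [])


def load_trail_dir(path: Path) -> list:
    """Assumed layout: every .json / .json.gz file under the synced prefix."""
    records = []
    for p in sorted(path.rglob("*.json*")):
        records.extend(load_trail_records(p.read_bytes()))
    return records


def sample_trail_records() -> list:
    """Round-trip the constructed sample through gzip so the loader path is exercised."""
    return load_trail_records(gzip.compress(json.dumps(SAMPLE_TRAIL).encode()))


def recorder_start_events(records: list, recorder_name: str) -> list:
    """Evidence that the named Config recorder was started (CC7.2 auto-start)."""
    return [r for r in records
            if r.get("eventSource") == "config.amazonaws.com"
            and r.get("eventName") == "StartConfigurationRecorder"
            and r.get("requestParameters", {}).get("configurationRecorderName") == recorder_name]


def console_logins_without_mfa(records: list) -> list:
    """Successful console logins whose record does not say MFAUsed=Yes (CC6.1 evidence gap)."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append(r.get("userIdentity", {}).get("userName", "<unknown>"))
    return hits


def config_compliance_summary(describe_output: dict) -> dict:
    """Count rules by ComplianceType and list the NON_COMPLIANT rule names."""
    counts = Counter()
    failing = []
    for item in describe_output.get("ComplianceByConfigRules", []):
        ctype = item.get("Compliance", {}).get("ComplianceType", "INSUFFICIENT_DATA")
        counts[ctype] += 1
        if ctype == "NON_COMPLIANT":
            failing.append(item["ConfigRuleName"])
    return {"counts": dict(counts), "non_compliant": sorted(failing)}


if __name__ == "__main__":
    recs = sample_trail_records()  # replace with load_trail_dir(Path("./audit-logs"))
    print("recorder starts:", len(recorder_start_events(recs, "cloudforge-config-recorder")))
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("config:", config_compliance_summary(SAMPLE_CONFIG))
```

On real data, point `load_trail_dir` at the directory produced by the `aws s3 sync` step above and pipe the `describe-compliance-by-config-rule` call through `--output json` instead of `table` so `config_compliance_summary` can read it; `INSUFFICIENT_DATA` rules are counted separately because they are neither evidence of compliance nor of a violation.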
### Pre-Generated Reports
CloudForge CI GitHub Pages includes:
- Validation Reports: Truth tables showing all tested configurations
- Coverage Reports: JaCoCo test coverage for all code
- Vulnerability Scans: OWASP Dependency-Check reports
- SBOM: Software Bill of Materials (JSON/XML)
URL: https://cloudforgeci.github.io/cfc-core/
## Contact for Audit Support
For audit support or questions about control implementation:
- GitHub Issues: https://github.com/CloudForgeCI/cfc-core/issues
- Documentation: https://github.com/CloudForgeCI/cfc-core/tree/develop/docs/compliance
- Sample Deployment: https://github.com/CloudForgeCI/cloudforge-sample
Last Updated: 2025-11-18
Document Version: 1.0
Scope: Infrastructure controls only - organizational controls are customer responsibility