Compliance and Audits Archives - AWS Security Architect
https://awssecurityarchitect.com/category/compliance-and-audits/
Experienced AWS, GCP and Azure Security Architect

AWS Resource Tag Recommendations
https://awssecurityarchitect.com/automation/aws-resource-tag-recommendations/
Fri, 14 Nov 2025 01:14:03 +0000

Recommended AWS Resource Tagging Strategy

This document provides a comprehensive tagging framework for AWS EC2 and other AWS resources, including S3, RDS,
Lambda, and networking components. Tagging improves visibility, cost allocation, governance, and automation across environments.

Core Identification Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| Name | web-server-prod-01 | Human-readable identifier for quick recognition. |
| Environment | dev / test / prod | Segregate resources by environment. |
| Application | payment-api / crm-portal | Group resources by application or service. |
| Project | migration-wave1 / finops-dashboard | Track resources by project or initiative. |
| BusinessUnit | finance / marketing / engineering | Link usage to department or cost center. |
| Owner | anuj.varma@company.com | Assign accountability for resource ownership. |

Cost Allocation & FinOps Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| CostCenter | CC1234 | Enable billing reports and cost allocation. |
| BillingCode | APP567 | Alternative identifier for budget association. |
| CreatedBy | terraform / cloudformation / manual | Identify resource provisioning source. |
| Purpose | frontend / backend / analytics | Categorize resources by business purpose. |
| Lifecycle | temporary / long-term / archive | Define expected resource duration. |

Security & Compliance Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| DataClassification | confidential / pii / public | Specify sensitivity for data handling. |
| Compliance | CIS / HIPAA / SOC2 / ISO27001 | Associate resource with compliance framework. |
| BackupPolicy | daily / weekly / none | Define backup strategy for automation. |
| PatchGroup | linux-prod / windows-dev | Group instances for patching baselines. |
| Retention | 30d / 90d / indefinite | Specify retention period for logs or backups. |

Operations & Automation Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| Schedule | office-hours / 24×7 | Used by schedulers to manage uptime. |
| AutoStop | true | Flag for auto-stop of idle resources. |
| MaintenanceWindow | Sun-02:00-UTC | Define maintenance or patch time. |
| SupportTier | gold / silver / bronze | Define SLA expectations. |
| Monitoring | datadog / cloudwatch / prometheus | Identify monitoring tool integration. |

Cloud Migration & Governance Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| Map.Migrated | true | Identify AWS MAP migrated resources. |
| Map.Stage | wave1 / cutover | Track migration stage or wave. |
| SourceSystem | onprem-vsphere / azure / legacy | Identify source platform for migrations. |
| LandingZone | shared-vpc / prod-security | Specify target AWS landing zone or VPC group. |

Networking & Infrastructure Tags

| Tag Key | Example Value | Purpose |
|---|---|---|
| VPC | shared-vpc-prod | Identify VPC association. |
| SubnetType | public / private / isolated | Classify subnet purpose. |
| SecurityZone | dmz / core / restricted | Tag for segmentation and policy enforcement. |

Example Tagging Policy (JSON)

You can enforce tagging consistency via AWS Organizations Tag Policies or AWS Config rules. A tag policy standardizes the capitalization of a tag key and restricts its allowed values: each field is set with the @@assign operator, and enforced_for lists the resource types on which tagging requests with non-compliant values are rejected. Tag values in a tag policy are matched literally or with the * wildcard only, not with regular expressions, so a format check such as ^[A-Z]{2}[0-9]{4}$ for CostCenter belongs in a custom AWS Config rule. Note also that a tag policy does not require a tag to be present; it only validates tags that are applied. Example baseline tag policy:

{
  "tags": {
    "environment": {
      "tag_key": { "@@assign": "Environment" },
      "tag_value": { "@@assign": ["dev", "test", "prod"] },
      "enforced_for": { "@@assign": ["ec2:instance", "ec2:volume"] }
    },
    "owner": {
      "tag_key": { "@@assign": "Owner" },
      "tag_value": { "@@assign": ["*@company.com"] }
    },
    "costcenter": {
      "tag_key": { "@@assign": "CostCenter" }
    }
  }
}
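The value rules from the tables (Environment allowed values, Owner e-mail domain, CostCenter format) are what a custom AWS Config rule can enforce where a tag policy cannot. The following is an added example, not code from the original post: a Lambda-style evaluator that applies those rules to a resource's tags and returns the evaluation a custom Config rule would report. The event layout follows the custom-rule invocation format (a JSON-encoded invokingEvent carrying a configurationItem); the sample configuration item, instance id and result token are constructed for this example, and the boto3 put_evaluations call is omitted so the code runs offline.

```python
"""Tag validation in the shape of a custom AWS Config rule (added example)."""
import json
import re

# Rules stated in the tagging tables: a set of allowed values, or a regex
# the value must match.  Keys are matched exactly, so "environment" is not
# "Environment" (tag policies enforce the same casing).
TAG_RULES = {
    "Environment": {"dev", "test", "prod"},
    "Owner": re.compile(r".*@company\.com"),        # dot escaped; page wrote .*@company.com
    "CostCenter": re.compile(r"[A-Z]{2}[0-9]{4}"),  # fullmatch() supplies the ^...$ anchors
}


def evaluate_tags(tags):
    """Return human-readable violations for a tag dict; empty list means compliant."""
    violations = []
    for key, rule in TAG_RULES.items():
        if key not in tags:
            violations.append(f"missing required tag {key}")
            continue
        value = tags[key]
        if isinstance(rule, set):
            if value not in rule:
                violations.append(f"{key}={value!r} not in {sorted(rule)}")
        elif not rule.fullmatch(value):
            violations.append(f"{key}={value!r} does not match ^{rule.pattern}$")
    return violations


def compliance_type(tags):
    return "COMPLIANT" if not evaluate_tags(tags) else "NON_COMPLIANT"


def lambda_handler(event, context=None):
    """Handler entry point.

    Returns the single evaluation a deployed rule would pass to
    config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]).
    The AWS API call is left out so this example runs without credentials.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    violations = evaluate_tags(item.get("tags", {}))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "COMPLIANT" if not violations else "NON_COMPLIANT",
        # put_evaluations limits Annotation to 256 characters.
        "Annotation": ("; ".join(violations) or "all required tags valid")[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample event; ids and timestamp are illustrative, not from a real account.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemCaptureTime": "2025-10-21T02:00:00.000Z",
            "tags": {
                "Name": "web-server-prod-01",
                "Environment": "production",      # not one of dev/test/prod
                "Owner": "anuj.varma@company.com",
                "CostCenter": "cc1234",           # lowercase prefix fails the format
            },
        }
    }),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Because the rule reports per resource, the Annotation is the auditor-facing evidence; keeping each violation short lets several fit in the 256-character limit. Pair this rule with the tag policy above so that casing and allowed values are blocked at write time while format and presence are reported continuously.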


The post AWS Resource Tag Recommendations appeared first on AWS Security Architect.

AWS Audit Artifacts
https://awssecurityarchitect.com/compliance-and-audits/aws-audit-artifacts/
Fri, 24 Oct 2025 15:44:17 +0000

AWS Patterns for Storing Audit Artifacts

What counts as “audit artifacts”?

Logs, configuration histories, change approvals, vulnerability & security findings, backup reports, evidence exports (e.g., screenshots/CSVs), and third-party attestation documents.

Proven Storage Pattern (Backbone)

  • Central S3 “evidence” bucket in a dedicated Audit/Log Archive account:
    • Enable Versioning, S3 Object Lock (Compliance mode), SSE-KMS (customer-managed key), and Block Public Access.
    • Route writes via VPC Gateway Endpoints (no internet path); enable S3 server access logging on the evidence bucket so reads and writes are themselves recorded.
    • Set Lifecycle rules to transition to Glacier / Glacier Deep Archive for long-term retention.
  • Integrity: Turn on CloudTrail log file integrity validation; consider Glacier Vault Lock and AWS Backup Vault Lock for immutability.
  • Access control: Tight bucket policies, SCPs, least-privilege IAM, and KMS key policies scoped to the audit team.

How to Generate & Ingest the Artifacts

| Artifact type | AWS producer service(s) | Where to store | Audit-helpful notes |
|---|---|---|---|
| API activity logs | AWS CloudTrail (org-level trail + data events as needed) | S3 evidence bucket (+ optional CloudTrail Lake) | Enable integrity validation; retain for your policy (e.g., 7 years). |
| Config snapshots & change history | AWS Config (recorder + conformance packs) | S3 evidence bucket | Conformance pack results map cleanly to frameworks. |
| Network traffic logs | VPC Flow Logs, ALB/NLB logs, CloudFront, WAF | S3 evidence bucket | Partition prefixes for Athena (account/region/service/date). |
| OS/app logs | CloudWatch Logs (EC2/EKS/Lambda) | Export to S3 (subscription/export) | Use OpenSearch for investigations; S3 for durable retention. |
| Security findings | Security Hub, GuardDuty, Inspector, Macie, IAM Access Analyzer | Export to S3 (EventBridge/Lambda) | Store raw findings + rolled-up Security Hub reports. |
| Changes/approvals/runs | SSM Change Manager, SSM Automation, CodePipeline | Export execution records/artifacts to S3 | Change tickets tied to runbook executions. |
| Backups & reports | AWS Backup + Backup Audit Manager | S3 + Backup Vault Lock | Immutable compliance reports + job histories. |
| Kubernetes audit logs | EKS audit log categories → CloudWatch Logs | Export to S3 | Include control-plane & authenticator logs. |
| Database activity | RDS/Aurora logs; CloudTrail data events (S3/DynamoDB) | S3 evidence bucket | Enable enhanced monitoring / Performance Insights as required. |
| Third-party attestations | AWS Artifact (SOC/ISO/PCI) | Upload PDFs to S3 | Alongside each PDF, store a JSON metadata sidecar (hash, date, owner). |
| Manual evidence | AWS Audit Manager (manual uploads) | Stored by Audit Manager (backed by S3) | Automatically ties evidence to controls/assessments. |

Make It Audit-Friendly (Controls & Integrity)

Immutability

  • S3 Object Lock – Compliance mode (per bucket/object).
  • Glacier Vault Lock (if using separate vaults).
  • AWS Backup Vault Lock for backup immutability.

Encryption

  • SSE-KMS with customer-managed keys.
  • Separate keys for logs vs sensitive evidence.
  • Tight KeyPolicy + grants; rotate per policy.

Provenance

  • Org-level CloudTrail + digest files (integrity).
  • Bucket policies restricting PutObject to AWS services with aws:SourceArn / aws:SourceAccount.
  • Deny direct writes from the internet; require VPC endpoints.
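The provenance bullets translate into a single bucket policy. What follows is an added example, not the post's own code, that assembles such a policy in Python so its statements can be reviewed and tested before deployment: the two CloudTrail statements use the documented aws:SourceArn and bucket-owner-full-control conditions, and the deny statements implement TLS-only access, writes only through the VPC endpoint for anything that is not an AWS service principal, and no version deletes or retention bypass outside a break-glass audit role. The bucket name, trail ARN, endpoint id and role ARN are placeholders; the AWSLogs/* prefix is a simplification of the per-organization path CloudTrail actually writes under.

```python
"""Evidence-bucket policy implementing the provenance controls (added example)."""
import json


def evidence_bucket_policy(bucket, trail_arn, vpce_id, break_glass_role_arn):
    """Return the bucket policy document as a dict ready for json.dumps()."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before delivering log files.
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {   # Only this trail may write, and only with bucket-owner-full-control,
                # so a trail in another account cannot plant objects here.
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/AWSLogs/*",  # simplified prefix (placeholder)
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
            {   # Reject any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Writes by IAM principals must come through the gateway endpoint.
                # AWS service principals (CloudTrail, Config, ...) do not use a
                # VPCE, so they are excluded via aws:PrincipalIsAWSService.
                "Sid": "DenyWritesOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "Bool": {"aws:PrincipalIsAWSService": "false"},
                },
            },
            {   # Only the break-glass audit role may delete versions or attempt a
                # retention bypass (Compliance-mode Object Lock refuses it anyway).
                "Sid": "DenyObjectLockBypass",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObjectVersion", "s3:BypassGovernanceRetention"],
                "Resource": objects_arn,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": break_glass_role_arn}},
            },
        ],
    }


def statement(policy, sid):
    """Look up one statement by Sid (for reviews and tests)."""
    return next(s for s in policy["Statement"] if s["Sid"] == sid)


def denies(policy, action):
    """True if some Deny statement names `action` explicitly or via s3:*."""
    for s in policy["Statement"]:
        if s["Effect"] != "Deny":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if action in actions or "s3:*" in actions:
            return True
    return False


if __name__ == "__main__":
    policy = evidence_bucket_policy(
        "example-org-evidence",                                        # placeholder
        "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",   # placeholder
        "vpce-0123456789abcdef0",                                      # placeholder
        "arn:aws:iam::111111111111:role/AuditBreakGlass",              # placeholder
    )
    print(json.dumps(policy, indent=2))
```

Apply the generated document with put-bucket-policy in a non-production copy of the Log Archive account first: a deny that accidentally covers service principals stops CloudTrail delivery silently. Lambda or EventBridge exporters that write directly must run inside the VPC that owns the gateway endpoint, otherwise DenyWritesOutsideVpcEndpoint blocks them as intended.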

Retention

  • S3 lifecycle tiers → Glacier/Deep Archive.
  • Use Object Lock retention and legal holds when required.

Discoverability

  • Glue Data Catalog tables over S3 prefixes.
  • Query with Amazon Athena.
  • Optional Lake Formation for fine-grained read perms.

Automate Evidence Collection & Mapping

  • AWS Audit Manager: Build assessments mapped to CIS/ISO/NIST/PCI; ingests evidence from CloudTrail, Config, Security Hub; attach manual artifacts; export assessment reports to S3.
  • EventBridge rules + Lambda: Nightly/weekly exports (Security Hub, Backup reports, IAM credential report) into dated S3 prefixes, e.g.:
    s3://evidence/org=acme/svc=securityhub/yr=2025/mo=10/dy=21/…
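The dated prefix above and the JSON metadata sidecar the artifact table recommends for attestation PDFs (hash, date, owner) fit together in one export routine. This added example, not the post's code, builds the partitioned key so Athena can prune by org, service and date, computes a SHA-256 sidecar for the artifact, and re-verifies the artifact against its sidecar, which is the check to run during the quarterly retrieval drill. The org name, owner address, report bytes and timestamp are constructed; the bucket name is a placeholder and no S3 call is made.

```python
"""Partitioned evidence keys and hash sidecars for exported artifacts (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def evidence_key(org, svc, when, filename):
    """Key layout from the post: org=/svc=/yr=/mo=/dy=/<file>, e.g.
    org=acme/svc=securityhub/yr=2025/mo=10/dy=21/findings.json"""
    return f"org={org}/svc={svc}/yr={when:%Y}/mo={when:%m}/dy={when:%d}/{filename}"


def sidecar_key(key):
    """The sidecar lives next to the artifact under the same partition."""
    return f"{key}.meta.json"


def sidecar_for(artifact, key, owner, collected_at):
    """Metadata recorded at collection time; the hash is what a later verify() recomputes."""
    return {
        "artifact_key": key,
        "sha256": hashlib.sha256(artifact).hexdigest(),
        "size_bytes": len(artifact),
        "collected_at": collected_at.isoformat(timespec="seconds"),
        "owner": owner,
    }


def verify(artifact, sidecar):
    """True only if the retrieved bytes still match the recorded size and digest."""
    return (
        sidecar["size_bytes"] == len(artifact)
        and hashlib.sha256(artifact).hexdigest() == sidecar["sha256"]
    )


def export_pair(org, svc, filename, artifact, owner, when):
    """Return {key: body} for the artifact and its sidecar, as one export job
    would put_object() them.  Bodies are bytes so they can go straight to S3."""
    key = evidence_key(org, svc, when, filename)
    meta = sidecar_for(artifact, key, owner, when)
    return {
        key: artifact,
        sidecar_key(key): json.dumps(meta, sort_keys=True).encode(),
    }


# Constructed inputs standing in for a nightly Security Hub export.
SAMPLE_WHEN = datetime(2025, 10, 21, 2, 0, tzinfo=timezone.utc)
SAMPLE_REPORT = json.dumps({"Findings": [], "GeneratedAt": "2025-10-21T02:00:00Z"}).encode()

if __name__ == "__main__":
    batch = export_pair("acme", "securityhub", "findings.json", SAMPLE_REPORT,
                        "audit-team@example.com", SAMPLE_WHEN)
    for k in batch:
        print(f"s3://EVIDENCE_BUCKET/{k}")  # EVIDENCE_BUCKET is a placeholder
    key = evidence_key("acme", "securityhub", SAMPLE_WHEN, "findings.json")
    meta = json.loads(batch[sidecar_key(key)])
    print("intact artifact verifies:", verify(SAMPLE_REPORT, meta))
    print("altered artifact verifies:", verify(SAMPLE_REPORT + b" ", meta))
```

Storing the sidecar under Object Lock alongside the artifact means both the evidence and the digest that vouches for it share the same retention, so a verification failure during a drill points at storage or transfer corruption rather than a missing record.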

Reference Target Architecture (Quick Steps)

  1. Create Log Archive/Audit account; centralized S3 evidence bucket with versioning + Object Lock.
  2. Enable org-level CloudTrail to that bucket; turn on integrity validation.
  3. Turn on AWS Config (all regions/accounts) with delivery to the bucket.
  4. Aggregate security signals with Security Hub (org level) and export findings to S3.
  5. Standardize CloudWatch Logs → S3 exports for app/OS/EKS audit logs.
  6. Enable AWS Backup + Backup Audit Manager; enforce Vault Lock.
  7. Stand up Audit Manager assessments mapped to frameworks; schedule evidence exports.
  8. Add Glue + Athena for queries; apply Lake Formation permissions.
  9. Apply SCPs that prevent disabling CloudTrail/Config; deny S3 deletes that bypass Object Lock.
  10. Document owners, retention, retrieval SOP; run quarterly restore/query drills.

Copy-Paste Checklist

  • S3 evidence bucket (versioning, Object Lock, KMS, lifecycle)
  • Org CloudTrail (+ data events where in scope) & integrity validation
  • AWS Config (all regions/accounts) + conformance packs
  • Security Hub/GuardDuty/Inspector/Macie enabled & exported
  • CloudWatch Logs export jobs defined (EC2/EKS/Lambda)
  • AWS Backup + Vault Lock + Audit Manager reports to S3
  • Audit Manager assessments for your frameworks
  • Glue/Athena schemas over S3 prefixes
  • SCPs + bucket policies + VPC endpoints + access reviews
  • Quarterly evidence retrieval drill
The post AWS Audit Artifacts appeared first on AWS Security Architect.
