In a world where change is constant, managing exceptions in your cloud environment is crucial. But what does that really mean? Let's break it down in a way that even your teenage nephew could understand.
Where did this come from?
This Control comes straight from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4 to get all the juicy details.
Who should care?
If you're a Change Manager responsible for keeping your cloud environment secure and compliant, or a Security Analyst hunting down unauthorized changes, this one's for you.
What is the risk?
Picture this - someone makes a change to your cloud config that doesn't follow the rules. Suddenly, your apps are down, data is exposed, and auditors are knocking at your door. Unmanaged exceptions are like wild animals - unpredictable and potentially dangerous.
Implementing this Control helps you:
- Prevent unauthorized changes from slipping through
- Detect deviations from your baseline config
- Manage approved exceptions so they don't come back to bite you
What's the care factor?
On a scale of "meh" to "oh sh*t", improper exception management is definitely towards the higher end. While it may not be as flashy as defending against hackers, it's a fundamental part of keeping your cloud secure and compliant. Ignore it at your own peril.
When is it relevant?
This Control is your best friend anytime you're:
- Making changes to your cloud environment
- Reviewing your configuration for compliance
- Investigating an incident (approved exceptions are handy for ruling things out)
However, if your cloud footprint is small and simple with minimal changes, you might be able to get away with a more lightweight process.
What are the trade-offs?
Controlling exceptions comes at a cost:
- Time and effort to document and approve exception requests
- Potential delays to implementing changes (no more cowboy deployments)
- Ongoing overhead of monitoring and reviewing exceptions
But compared to the risks of uncontrolled changes, it's usually a worthwhile investment.
How to make it happen?
Here's a step-by-step guide:
- Define your configuration baselines
- Identify your standard configs for things like security groups, IAM policies, logging levels etc.
- Document these in a repo like AWS CodeCommit
- Set up a change management process
- Use a tool like AWS Systems Manager Change Manager
- Define the steps for requesting, approving and implementing changes
- Make sure emergency changes are handled separately
- Monitor for drift
- Use AWS Config to track changes to your resources
- Set up alerts for unauthorized changes
- Handle exceptions
- Document exception requests, including justification and approvals
- Attach evidence like change tickets or incident reports
- Regularly review and re-approve exceptions
- Train your people
- Make sure everyone understands the process and their role in it
- Include exception management in your onboarding and ongoing training
What are some gotchas?
- Make sure you have the right IAM permissions to monitor and manage changes. You'll need things like
ssm:ListDocumentsandssm:UpdateDocumentDefaultVersionfor Systems Manager, andconfig:GetResourceConfigHistoryfor Config. - Don't forget about temporary exceptions! Set expiry dates and review them regularly.
- Watch out for "emergency" changes that bypass the normal process. Make sure they're legit and properly documented.
What are the alternatives?
If you're allergic to process, you could try:
- Yolo-ing it and hoping for the best (not recommended)
- Locking down your environment so hard that no changes are allowed (not realistic)
- Outsourcing exception management to a third-party (but you're still on the hook if something goes wrong)
Realistically, implementing this Control is your best bet for balancing agility and security.
Explore further
Want to dive deeper? Check out:
- AWS Systems Manager Change Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/change-manager.html
- AWS Config: https://aws.amazon.com/config/
- CIS Benchmark for AWS: https://www.cisecurity.org/benchmark/amazon_web_services/
And there you have it - exception management in a nutshell. Now go forth and control those changes like a boss!
