Amazon Web Services (AWS)

AWS Integration

Overview

The RegScale AWS integration provides comprehensive compliance automation, security findings management, and asset inventory capabilities for Amazon Web Services environments. This integration enables organizations to maintain continuous compliance monitoring, automate evidence collection, and streamline ATO (Authority to Operate) processes.

Quick Start

Prerequisites

  • RegScale CLI installed: pip install regscale-cli
  • AWS credentials configured (see Authentication)
  • RegScale environment initialized: regscale init
  • RegScale Security Plan created with controls

Basic Workflow

  1. Create a Security Plan in RegScale and add required controls
  2. Sync AWS Assets to populate your asset inventory
  3. Sync Security Findings from AWS Security Hub or other services
  4. Sync Compliance Data from AWS Audit Manager (if available)
  5. Collect Service-Specific Evidence for targeted control assessments

Essential Commands

# View all AWS commands
regscale aws --help

# Sync AWS assets to RegScale
regscale aws sync_assets --regscale_id <PLAN_ID>

# Sync AWS Audit Manager compliance
regscale aws sync_compliance --regscale_id <PLAN_ID>

# Sync AWS Security Hub findings
regscale aws sync_findings --regscale_id <PLAN_ID>

Supported AWS Services

Compliance & Security Services

AWS Audit Manager - regscale aws sync_compliance
Syncs compliance assessments, control evaluations, and audit evidence from AWS Audit Manager. Supports custom frameworks and POAM generation.

AWS Security Hub - regscale aws sync_findings
Imports security findings and compliance checks from AWS Security Hub. Supports OCSF format and evidence generation.

AWS Config - regscale aws sync_config_compliance
Syncs configuration compliance from AWS Config rules and remediation actions.

AWS Inspector - Integrated through Security Hub findings sync

Service-Specific Compliance

AWS KMS - regscale aws sync_kms
Assesses cryptographic controls (SC-12, SC-13, SC-28) and collects key management evidence.

AWS Organizations - regscale aws sync_org
Evaluates governance and access control compliance (AC-1, PM-9, AC-2, AC-6).

AWS IAM - regscale aws sync_iam
Assesses access control and authentication controls (AC-2, AC-6, IA-2, IA-5, AC-3).

AWS GuardDuty - regscale aws sync_guardduty
Collects threat detection evidence (SI-4, IR-4, IR-5, SI-3, RA-5).

AWS S3 - regscale aws sync_s3
Evaluates storage security controls (SC-13, SC-28, AC-3, AC-6, AU-2, AU-9, CP-9).

AWS CloudTrail - regscale aws sync_cloudtrail
Assesses audit and accountability controls (AU-2, AU-3, AU-6, AU-9, AU-11, AU-12, SI-4).

AWS CloudWatch - regscale aws sync_cloudwatch
Evaluates audit review and system monitoring (AU-6, SI-4).

AWS Systems Manager (SSM) - regscale aws sync_ssm
Assesses configuration and patch management (CM-2, CM-6, SI-2, CM-3, CM-8).

Asset & Inventory

Asset Sync - regscale aws sync_assets
Collects comprehensive AWS resource inventory across compute, storage, networking, and security services.

Inventory Collection - regscale aws inventory collect
Exports AWS inventory to JSON for offline analysis and reporting.

Integration Workflows

Workflow 1: AWS Audit Manager + Security Hub (Recommended)

For organizations with AWS Audit Manager and Security Hub enabled:

# Step 1: Sync Audit Manager compliance assessments
regscale aws sync_compliance \
  --regscale_id <PLAN_ID> \
  --collect-evidence \
  --create-issues \
  --create-poams \
  --use-assessment-evidence-folders

# Step 2: Sync Security Hub findings
regscale aws sync_findings \
  --regscale_id <PLAN_ID> \
  --format ocsf

# Step 3: Sync AWS assets
regscale aws sync_assets --regscale_id <PLAN_ID>

Outcomes:

  • Control assessments from Audit Manager
  • Security findings and vulnerabilities from Security Hub
  • Comprehensive asset inventory
  • Automated POAM generation for failed controls

Workflow 2: Individual Service Assessments

For targeted compliance without Audit Manager:

# Sync assets first
regscale aws sync_assets --regscale_id <PLAN_ID>

# Collect service-specific evidence
regscale aws sync_iam --regscale_id <PLAN_ID> --collect-evidence
regscale aws sync_kms --regscale_id <PLAN_ID> --collect-evidence
regscale aws sync_cloudtrail --regscale-id <PLAN_ID> --create-evidence
regscale aws sync_s3 --regscale-id <PLAN_ID> --create-evidence
regscale aws sync_guardduty --regscale_id <PLAN_ID>

# Sync security findings
regscale aws sync_findings --regscale_id <PLAN_ID>

Outcomes:

  • Service-specific control assessments
  • Evidence attached to targeted controls
  • Security findings and issues
  • Asset inventory

Workflow 3: Compliance-Focused with Custom Framework

For custom compliance frameworks (e.g., FedRAMP, organization-specific):

# Sync with custom Audit Manager framework
regscale aws sync_compliance \
  --regscale_id <PLAN_ID> \
  --framework Custom \
  --custom-framework-name "USPTO cATO" \
  --collect-evidence \
  --use-assessment-evidence-folders \
  --create-poams \
  --force-refresh

# Sync findings with asset discovery
regscale aws sync_findings_and_assets --regscale_id <PLAN_ID>

Outcomes:

  • Custom framework compliance assessment
  • Evidence organized by assessment folders
  • POAMs for failed controls
  • Assets discovered from findings

Key Features

Evidence Collection

  • Automated Evidence Gathering: Collect CloudTrail events, Config snapshots, and service configurations
  • Evidence Attachments: Compressed JSONL.GZ files attached to control implementations
  • Evidence Filtering: Target specific controls with --evidence-control-ids
  • Customizable Frequency: Set evidence collection timeframes with --evidence-frequency

POAM Generation

  • Automated POAM Creation: Generate Plan of Action & Milestones from failed controls
  • FedRAMP Compliance: Due dates calculated per FedRAMP requirements
  • Remediation Tracking: Link issues to controls for traceability

Tag-Based Filtering

  • Resource Scoping: Filter by AWS resource tags across all commands
  • Multi-Tag Support: Use AND logic with comma-separated tags
  • Compliance Boundaries: Define ATO boundaries with tags

Custom Framework Support

  • Custom Audit Manager Frameworks: Support for organization-specific frameworks
  • Framework Name Specification: --framework Custom --custom-framework-name "Your Framework"
  • Assessment Evidence Folders: Organize evidence by assessment structure

OCSF Format Support

  • Open Cybersecurity Schema Framework: Normalize Security Hub findings to OCSF
  • Format Options: Native AWS format, OCSF, or both
  • Interoperability: Standardized format for multi-vendor integrations

What Gets Created in RegScale

Assets

  • AWS resources from inventory sync
  • ARN, type, region, account ID, tags
  • Linked to security findings and compliance controls

Control Assessments

  • Pass/fail status from Audit Manager or service assessments
  • Assessment date and metadata
  • Linked evidence and documentation

Issues

  • Created from failed compliance checks
  • Security findings from Security Hub
  • Remediation guidance and severity ratings

POAMs

  • Issues marked as Plan of Action & Milestones
  • Due dates and milestone tracking
  • Compliance requirement mapping

Vulnerabilities

  • CVE details from Security Hub and Inspector
  • CVSS scores and severity levels
  • Affected asset relationships

Evidence

  • CloudTrail events, Config snapshots, service configurations
  • Compressed JSONL.GZ attachments
  • Linked to specific control implementations

Common Use Cases

  • FedRAMP ATO Preparation: Complete compliance assessment and evidence collection
  • Continuous Compliance Monitoring: Daily automation of security checks
  • Multi-Region Security Posture: Monitor security across all AWS regions
  • NIST 800-53 R5 Evidence Collection: Comprehensive evidence for all control families
  • Incident Response: Security finding investigation and documentation

Getting Started

  1. Authentication: Configure AWS credentials (see AWS Authentication)
  2. Create Security Plan: Set up a RegScale Security Plan with controls
  3. Choose Your Workflow: Select the workflow that matches your environment
  4. Run Initial Sync: Execute the appropriate sync commands
  5. Review Results: Examine assets, findings, and assessments in RegScale
  6. Automate: Schedule regular syncs for continuous monitoring
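
For step 6, one way to run Workflow 1 unattended is a wrapper that keeps the documented order, stops at the first failed step, and refuses to overlap a run that is still in progress. This is an added example, not RegScale's own code: the `regscale` commands and flags are copied from Workflow 1 above, while `PLAN_ID`, `DRY_RUN`, `LOCK_DIR`, the function names and the return codes are assumptions made for the sketch.

```shell
#!/usr/bin/env bash
# Added example (not RegScale's code): run Workflow 1 unattended, in order.
# Assumed names: PLAN_ID, DRY_RUN, LOCK_DIR. Return codes 2/3/10/11/12 are this sketch's own.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands (safe default), 0 = execute
# Point LOCK_DIR at a directory only the job's user can write to.
LOCK_DIR="${LOCK_DIR:-${TMPDIR:-/tmp}/regscale-aws-sync.lock}"

# Run one step, or print it when DRY_RUN=1.
run_step() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run the three Workflow 1 steps for one Security Plan. Stop at the first
# failure so a partial sync is reported instead of passing as a complete one.
sync_workflow1() {
  plan="${1:-}"
  if [ -z "$plan" ] || [ "$plan" = "<PLAN_ID>" ]; then
    echo "usage: sync_workflow1 PLAN_ID" >&2; return 2
  fi
  # mkdir is atomic: a second scheduled run exits instead of overlapping this one.
  if ! mkdir "$LOCK_DIR" 2>/dev/null; then
    echo "another sync holds $LOCK_DIR" >&2; return 3
  fi
  rc=0
  run_step regscale aws sync_compliance --regscale_id "$plan" \
    --collect-evidence --create-issues --create-poams \
    --use-assessment-evidence-folders || rc=10
  if [ "$rc" -eq 0 ]; then
    run_step regscale aws sync_findings --regscale_id "$plan" --format ocsf || rc=11
  fi
  if [ "$rc" -eq 0 ]; then
    run_step regscale aws sync_assets --regscale_id "$plan" || rc=12
  fi
  rmdir "$LOCK_DIR"
  return "$rc"
}

# Entry point for cron or a systemd timer: acts only when PLAN_ID is set.
if [ -n "${PLAN_ID:-}" ]; then
  sync_workflow1 "$PLAN_ID" || exit $?
fi
```

Have the scheduler alert on any non-zero exit code; 10, 11 and 12 identify which sync failed. If the job is killed mid-run, the lock directory remains and must be removed before the next run.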

Next Steps

Authentication: https://regscale.readme.io/docs/authentication-3

Audit Manager: https://regscale.readme.io/docs/audit-manager

Security Hub: https://regscale.readme.io/docs/security-hub

Asset Inventory: https://regscale.readme.io/docs/asset-inventory

Config: https://regscale.readme.io/docs/config-2

KMS: https://regscale.readme.io/docs/key-management-system-kms

IAM: https://regscale.readme.io/docs/identity-and-access-management-iam

GuardDuty: https://regscale.readme.io/docs/guardduty

Organizations: https://regscale.readme.io/docs/organizations-1

S3: https://regscale.readme.io/docs/simple-storage-service-s3

CloudTrail: https://regscale.readme.io/docs/cloudtrail

CloudWatch: https://regscale.readme.io/docs/cloudwatch

Systems Manager: https://regscale.readme.io/docs/systems-manager