Deploy a mechanism to store cloud security control findings and results - Verifiable Controls Evidence Store

Publication date: June 2022 (last update: May 2023)

The Verifiable Controls Evidence Store solution provides a mechanism to centrally store the findings and results of cloud security controls governing AWS workloads, in the form of enduring evidence records that are safeguarded against tampering. The solution is useful where such controls, and other governance systems or processes, issue evidence for immutable storage, which can later be utilized in compliance evaluation, deployment decisions, or audit processes. For example, evidence of the findings from preventative controls run from an application deployment pipeline can be stored and retrieved, in near real-time, as part of a subsequent pipeline stage, to determine if the software release meets compliance requirements, before allowing deployment.

An evidence record is a system-generated (or human-generated) digital record of a historical fact, related to one or more target entities, and is issued by an evidence provider.

The solution automatically generates a unique evidence record ID for each evidence record submitted by an evidence provider.
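The evidence-record model described above (system-generated record IDs, providers, target entities, tamper-safeguarded storage, and the pipeline-gate use case), as an added illustrative Python model; this is not the solution's code, API or schema, and the field names, the hash-chain tamper check and the `release_allowed` gate are assumptions chosen for illustration.

```python
import hashlib, json, uuid
from dataclasses import dataclass
GENESIS = "0" * 64  # chain anchor for the first record (illustrative)

@dataclass(frozen=True)
class EvidenceRecord:
    """A fact about one or more target entities, issued by a provider (illustrative fields, not the solution's schema)."""
    evidence_id: str
    provider_id: str
    target_ids: tuple
    content: dict
    previous_hash: str
    record_hash: str

def _digest(evidence_id, provider_id, target_ids, content, previous_hash):
    payload = json.dumps([evidence_id, provider_id, list(target_ids), content, previous_hash], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class EvidenceStore:
    """Append-only store; each record hashes its predecessor, so altering any stored
    record breaks the chain (a simple tamper-evidence model, not the solution's design)."""
    def __init__(self):
        self.records = []
    def issue(self, provider_id, target_ids, content):
        evidence_id = str(uuid.uuid4())  # system-generated, unique per record
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = EvidenceRecord(evidence_id, provider_id, tuple(target_ids), content, prev,
                             _digest(evidence_id, provider_id, target_ids, content, prev))
        self.records.append(rec)
        return rec
    def verify(self):
        """Recompute every digest and chain link; False means a stored record was altered."""
        prev = GENESIS
        for r in self.records:
            if r.previous_hash != prev or _digest(r.evidence_id, r.provider_id, r.target_ids, r.content, prev) != r.record_hash:
                return False
            prev = r.record_hash
        return True
    def evidence_for(self, target_id, provider_id):
        return [r for r in self.records if target_id in r.target_ids and r.provider_id == provider_id]

def release_allowed(store, target_id, required_providers):
    """Pipeline gate: deploy only if the store is intact and the latest evidence from every required control reports the target compliant."""
    if not store.verify():
        return False
    for provider in required_providers:
        hits = store.evidence_for(target_id, provider)
        if not hits or hits[-1].content.get("status") != "COMPLIANT":
            return False
    return True
```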

This implementation guide describes architectural considerations and configuration steps for deploying Verifiable Controls Evidence Store in the Amazon Web Services (AWS) Cloud.

The guide is intended for IT architects and developers who have practical experience architecting in the AWS Cloud and are looking to deploy the aforementioned capabilities in their AWS environment. The guide also covers the user interface and APIs that allow users to interact with the solution, such as members of application teams, control teams, and risk, assurance, and internal audit functions.

Note

AWS does not provide compliance or regulatory advice. You should independently evaluate the suitability of Verifiable Controls Evidence Store for your use case, including for the purposes of meeting any audit, compliance, and regulatory requirements that you may have.