The initial qualification of IT infrastructure is challenging, but even more effort is required to maintain the qualified state (QS). By using the model presented here, you can ensure the QS integrity of your AWS solution to avoid any tedious requalification efforts.
AWS CloudFormation Template Qualification
Follow these steps to intelligently qualify your AWS solution and maintain it in a qualified state.
Step 1: Transform Infrastructure Requirements Into Code
Using AWS CloudFormation, you can create a template for your infrastructure. Next, test the template and turn it over to IT quality.
Step 2: Build a Continuous Qualification Framework
This continuous qualification framework can automatically deploy the template in a test environment and perform various tests to ensure all requirements are met. Test execution reports with all evidence are automatically generated and can be reviewed by IT quality, which then certifies the CloudFormation template.
Step 3: Publish the Qualified CloudFormation Template
Once the CloudFormation template is in the Service Catalog, your global teams can deploy it any number of times without worrying about qualification.
AWS Monitoring Qualification
To maintain your AWS infrastructure in a qualified state, you need to create a qualified catalog of AWS Monitoring Services, including:
- AWS Config, which continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against the desired configurations. This lets you check conformance with the qualified state and alerts you when QS drift has occurred.
- AWS CloudTrail, which enables governance, compliance, operational auditing, and risk auditing. Using this service, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
- AWS Systems Manager, which gives you visibility into and control of your infrastructure on AWS, so that you can view operational data from multiple AWS services and automate operational tasks across AWS resources.
- Amazon GuardDuty, a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and GxP workloads.
- Amazon Inspector, an automated security assessment service that helps improve security and compliance by automatically assessing applications for vulnerabilities or deviations from best practices.
Step 4: Qualify Each Monitoring Service
Build a continuous qualification framework to automatically qualify each monitoring service in a test environment and ensure all requirements are met. After IT quality reviews the results, the service can be released for production use globally without worrying about qualification.
Going Live With Qualified AWS Infrastructure
Your IT teams can now build qualified infrastructure using CloudFormation templates from the Service Catalog as well as monitor them using qualified services to maintain the qualified state of the infrastructure.
Maintaining AWS in a Qualified State
A true cloud platform releases changes almost continuously so that users can take advantage of current features and work more productively, and AWS is no exception. Under a traditional validation process, however, you would have to review every one of these changes and then address each of them in some way.
To truly embrace the cloud and all its benefits, you have to change your compliance perspective from manually reviewing every change – which is practically impossible considering the number and velocity of changes – to ensuring your requirements are met constantly through a continuous validation framework.
Monitoring for QS Drift
Even after the infrastructure is built and deployed, its health must be monitored to ensure that qualified state drift has not occurred. QS drift occurs when the deployed service is changed after it has been qualified, intentionally or unintentionally, in a way that bypasses the change control process.
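The drift check that the AWS Config bullet above and this section describe, comparing recorded resource configurations against the qualified baseline, can be expressed as the evaluation logic of a custom Config rule. The following is an added example, not code from the article; the baseline contents, the sample configuration items and the `handler`/`evaluate_item` names are assumptions made for illustration, and the rule is kept offline by returning its result instead of submitting it to AWS Config.

```python
"""Offline QS-drift evaluator in the shape of an AWS Config custom rule."""
import json

# Constructed qualified baseline (assumption, not from the article): per resource
# type, the recorded configuration paths fixed by the qualified state and the
# value each must hold. Dots walk nested keys.
QUALIFIED_BASELINE = {
    "AWS::EC2::Volume": {"encrypted": True, "volumeType": "gp3"},
    "AWS::RDS::DBInstance": {"storageEncrypted": True, "publiclyAccessible": False},
}
# Constructed configuration items in the layout AWS Config records; values made up.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "configuration": {"encrypted": True, "volumeType": "gp3"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example2",
     "configuration": {"encrypted": False, "volumeType": "gp3"}},
    {"resourceType": "AWS::IAM::Role", "resourceId": "example-role",
     "configuration": {"path": "/"}},
]

def lookup(obj, path):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def evaluate_item(item, baseline=QUALIFIED_BASELINE):
    """Compare one recorded item with the qualified baseline. Returns the
    ComplianceType a Config rule reports plus one line per drifted setting,
    so the output doubles as reviewable evidence for IT quality."""
    rules = baseline.get(item["resourceType"])
    if rules is None:  # resource type not covered by the qualified baseline
        return {"compliance": "NOT_APPLICABLE", "drift": []}
    recorded = item.get("configuration", {})
    drift = [f"{path}: expected {want!r}, recorded {lookup(recorded, path)!r}"
             for path, want in rules.items() if lookup(recorded, path) != want]
    return {"compliance": "NON_COMPLIANT" if drift else "COMPLIANT", "drift": drift}

def handler(event):
    """Entry point shaped like a Lambda-backed custom Config rule: AWS Config
    passes the item as a JSON string in event['invokingEvent']. A deployed rule
    would submit this via config.put_evaluations(); here it is returned."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    result = evaluate_item(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": result["compliance"],
            "Annotation": "; ".join(result["drift"]) or "matches qualified baseline"}
```

Running `evaluate_item` over `SAMPLE_ITEMS` reports the first volume as COMPLIANT, the unencrypted one as NON_COMPLIANT with the drifted setting named, and the IAM role as NOT_APPLICABLE because the baseline does not cover it.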
Continuous qualification is GxP compliant and based on a sophisticated model testing framework. This approach enables cost-effective testing on a continuous basis, thus allowing deployment of GxP workloads in the public cloud.