IT Audit Performing IT Audits as Part of Accounting Audits in AWS: Identifying EC2 and RDS Instances Guide
23-04-06
Amazon Relational Database Service (RDS) and Amazon Elastic Compute Cloud (EC2) are two popular services offered by AWS, each with its own use cases and capabilities. When performing an IT audit as part of an accounting audit, it is important to identify the EC2 and RDS instances that have a financial impact, because these instances directly or indirectly affect an organization's financial reporting and controls. Let's first take a closer look at these services and then discuss how IT auditors can scope them.
First, let's take a quick look at RDS and EC2.
1) Amazon Relational Database Service (RDS):
Amazon RDS is a managed relational database service that simplifies the process of setting up, operating, and scaling relational databases in the cloud. With RDS, you can easily deploy and manage databases such as MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora. Key features of RDS include:
- Automated backups:
RDS can automatically perform backups to restore your database to a specific point in time.
- Scalability:
RDS supports vertical and horizontal scaling, so you can easily adjust the capacity of your database as needed.
- High availability:
RDS Multi-AZ deployments automatically replicate databases across multiple availability zones for increased availability and durability.
- Security:
RDS supports encryption at rest and in transit, and you can use AWS Identity and Access Management (IAM) to control access to your RDS instances.
2) Amazon Elastic Compute Cloud (EC2):
Amazon EC2 is a web service that provides scalable compute capacity in the cloud. With EC2, you can launch and manage virtual servers, called instances, that you can use to run applications and workloads. Key features of EC2 include:
- Instance types:
EC2 offers a wide range of instance types for different workloads, from general-purpose instances to instances optimized for compute, memory, storage, or GPU processing.
- Scalability:
EC2 instances can be scaled up or down as demand changes, and features like Auto Scaling groups and Elastic Load Balancing can be used to distribute traffic between instances.
- Security:
EC2 instances can be deployed within a virtual private cloud (VPC) for network isolation, and you can use security groups and network access control lists (ACLs) to control traffic between instances. EC2 also supports encryption at rest and in transit.
- Monitoring:
You can monitor your EC2 instances using Amazon CloudWatch, which provides metrics, alarms, and logs to help you track performance and troubleshoot issues.
Now that we have covered what RDS and EC2 are and what they offer, let's look at the steps an IT auditor follows when scoping them.
1. Map instances to business processes:
You need to understand what each EC2 and RDS instance is used for. Identify instances that process, store, or transmit financial data, or instances that support key financial applications and systems.
2. Assess application dependencies:
Analyze the dependencies between applications running on EC2 instances and RDS databases to identify instances that host applications used for financial processes, such as invoicing, payroll, and financial reporting systems.
3. Review access to financial data:
Scrutinize access control settings on EC2 and RDS instances to identify instances that have access to sensitive financial information. Focus on instances where users and applications have high privileges or direct access to financial data.
4. Assess data classification:
Review your organization's data classification policies and identify EC2 and RDS instances that process data classified as financially important or sensitive. This might include instances that store or process customer billing information, financial transactions, or confidential financial forecasts.
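Steps 1, 2 and 4 can be partly automated from exported inventory data. The following is an added example, not code from the original article: it assumes the organization marks financial data with a `DataClassification=financial` tag (a hypothetical convention) and treats an EC2 instance as a dependency when its security group is allowed into a financial database's security group. The sample data is constructed.

```python
# Constructed sample data shaped like the boto3 describe_instances,
# describe_db_instances and describe_security_groups responses.
EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "App", "Value": "invoicing"}],
     "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "DataClassification", "Value": "financial"}],
     "SecurityGroups": [{"GroupId": "sg-hr"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "App", "Value": "wiki"}],
     "SecurityGroups": [{"GroupId": "sg-web"}]},
]}]}
RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "billing-db",
     "TagList": [{"Key": "DataClassification", "Value": "financial"}],
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]},
    {"DBInstanceIdentifier": "wiki-db", "TagList": [],
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-wikidb"}]},
]}
SGS = {"SecurityGroups": [
    {"GroupId": "sg-db", "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-wikidb", "IpPermissions": [{"UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]}

def is_financial(tags):
    # Assumed tagging convention: DataClassification=financial
    return any(t["Key"] == "DataClassification" and t["Value"].lower() == "financial"
               for t in tags or [])

def scope(ec2, rds, sgs):
    """Return {resource id: reason} for instances that are audit-scope candidates."""
    ingress = {g["GroupId"]: {p["GroupId"] for perm in g.get("IpPermissions", [])
                              for p in perm.get("UserIdGroupPairs", [])}
               for g in sgs["SecurityGroups"]}
    result, allowed = {}, {}  # allowed: source SG -> financial DB it may connect to
    for db in rds["DBInstances"]:
        if is_financial(db.get("TagList")):
            result[db["DBInstanceIdentifier"]] = "tagged financial"
            for sg in db.get("VpcSecurityGroups", []):
                for src in ingress.get(sg["VpcSecurityGroupId"], ()):
                    allowed[src] = db["DBInstanceIdentifier"]
    for res in ec2["Reservations"]:
        for inst in res["Instances"]:
            groups = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
            hit = next((allowed[g] for g in groups if g in allowed), None)
            if is_financial(inst.get("Tags")):
                result[inst["InstanceId"]] = "tagged financial"
            elif hit:
                result[inst["InstanceId"]] = f"security group allowed into {hit}"
    return result

if __name__ == "__main__": print(scope(EC2, RDS, SGS))
```

The output is a list of candidates for the auditor to confirm with system owners; untagged instances and ingress rules based on CIDR ranges rather than security group references are not detected and still need manual review.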
Let's look at a few simple examples:
Example 1: If a particular EC2 instance hosts an application that is responsible for processing customer orders and generating invoices, you should consider including that EC2 instance in your IT audit scope because it has a direct financial impact.
Example 2: A particular EC2 instance hosts a human resources application that manages employee compensation and payroll data. Because payroll data impacts your organization's financial reporting, you should consider including that EC2 instance in your IT audit scope.
Example 3: A particular RDS instance stores data for an inventory management system that is tightly integrated with the organization's financial reporting system. You should consider including that RDS instance in your IT audit scope because the inventory data impacts your financial statements.
IT auditors can use steps like these examples to identify financially impacted EC2 and RDS instances within their AWS environment. This approach enables a comprehensive and accurate assessment of the impact of an organization's cloud infrastructure on financial reporting and controls.