How To

NIST 800-53 controls

Evaluate NIST 800-53 compliance for all your AWS accounts.

Turbot Team
5 min. read - Nov 28, 2022
Evaluate NIST 800-53 compliance for all your AWS accounts.

Turbot Guardrails includes thousands of prescriptive cloud controls to ensure cloud environments are secure and cost-optimized. These controls quickly detect issues as they occur and instantly correct misconfigurations. Customers often map Turbot Guardrails controls to their own Governance Risk Compliance (GRC) tools, and use the resulting evidence to prove continuous adherence to internal controls or external standards such as Center for Internet Security (CIS), HIPAA, PCI, SOC2, etc.

Over the last year Turbot has open-sourced, a tool that enables cloud engineers to easily query & report across their cloud, code, logs, and more, using the standard language of data: SQL. Steampipe includes thousands of ready-to-use controls and dashboards that deliver insights into your cloud data. These controls and dashboards leverage a suite of plugins that translate cloud APIs into Postgres tables. One of those plugins, by the way, translates the Turbot Guardrails v5 API into SQL-queryable tables!

Cloud teams have asked Turbot to also include industry standards within the Turbot Guardrails platform. We started by open-sourcing thousands of compliance controls, and enlisting the Steampipe community to provide feedback and contributions. Based on community feedback, we are now starting to port these control frameworks into Turbot Guardrails. Our first addition was the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 standard for AWS, then the Health Insurance Portability and Accountability (HIPAA) standard for AWS. Note: When mapping to external standards, Turbot Guardrails leverages either the published industry standard mapping or the mapping provided by each cloud provider. We are excited to add the NIST 800-53 controls to the platform to complement our existing HIPAA, PCI & CIS Controls, along with AWS, Azure & GCP CIS benchmarks.

This post will look at how to enable NIST 800-53 controls across all your AWS accounts in Turbot Guardrails.

Traditional Workflow

There are various cloud-native and 3rd-party tools to evaluate cloud infrastructure NIST 800-53 compliance. However cloud-native tools generally work with only one cloud provider, and only do periodic scans. 3rd-party tools may support multiple cloud providers, but fall short on benchmark coverage and, again, scan and report only periodically, missing real-time changes in your environment. These tools often work on a per-account basis, without delivering resource-level granularity. And they are limited in their ability to manage the time-based exceptions that enable you to handle the nuances in your organization.

Get it done with Turbot Guardrails

In Turbot Guardrails, NIST 800-53 guardrails are readily available to control your cloud resource configurations. These guardrails work similar to others, continuously evaluating adherence as changes to your cloud resources occur. First, make sure you have the @turbot/aws-nist-800-53 mod installed and any dependent mods installed in your workspace. Then you can enable NIST 800-53 through the following Turbot Guardrails policy in just a few clicks: AWS > NIST 800-53:

Setting the configuration via the Turbot Guardrails Terraform Provider is just as simple:

After enabling this policy, Turbot Guardrails will immediately evaluate all applicable resources compliance with NIST 800-53. You can view your controls across AWS services:

Drill further into subsections:

Analyze which specific resources are impacted per control:

Make it happen

See for yourself on how easy it is to view your NIST 800-53 requirements across your cloud resources. If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!