
Enable AWS Config Rule for Operational Phase

This rule ensures compliance by enabling AWS Config to monitor resources.

Rule: AWS Config should be enabled
Framework: GxP EU Annex 11
Severity: High

Ensuring Compliance with AWS Config for GxP EU Annex 11

The Good Manufacturing Practice (GMP) guidelines provided by EU Annex 11 establish principles for the use of computerized systems in pharmaceutical environments. For organizations within the pharmaceutical industry or those that need to comply with GxP regulations, ensuring that AWS Config is enabled is a crucial part of maintaining regulatory compliance. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

Rule Details: AWS Config for GxP Compliance

AWS Config provides the ability to:

  • Record and evaluate configurations and changes.
  • Determine overall compliance against the configurations specified in internal guidelines.
  • Provide a detailed view of the configuration of AWS resources at a point in time.

Enabling AWS Config helps with:

  • Compliance auditing and security analysis.
  • Change management.
  • Continuous monitoring and governance.

To comply with EU Annex 11, companies must ensure that:

  1. AWS Config is enabled in all regions where GxP-related AWS resources are deployed.
  2. All changes to GxP-related resources are tracked and recorded.
  3. Configurations are compared against desired settings, and changes are reviewed to ensure they don’t introduce compliance risks.

Troubleshooting Steps

If AWS Config is not functioning as expected, follow these troubleshooting steps:

  1. Verify that AWS Config is enabled in the AWS Management Console.
  2. Check the permissions for the AWS Config IAM role. Ensure it has sufficient permissions to access all relevant resources and record their configurations.
  3. Confirm that AWS Config has the correct configuration recorder settings, including all resource types selected for monitoring.
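
The checks above can be run over every region at once. The following is an added example, not code from the original page or from AWS: it evaluates the JSON printed by aws configservice describe-configuration-recorders and aws configservice describe-configuration-recorder-status for each region. The sample documents, account ID, role name and function names are constructed for illustration.

```python
import json

# Constructed sample input: per-region JSON in the shape printed by
#   aws configservice describe-configuration-recorders --region <region>
#   aws configservice describe-configuration-recorder-status --region <region>
SAMPLE = {
    "eu-west-1": (  # healthy recorder
        '{"ConfigurationRecorders": [{"name": "default", "roleARN": '
        '"arn:aws:iam::111122223333:role/example-config-role", "recordingGroup": '
        '{"allSupported": true, "includeGlobalResourceTypes": true}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": true, '
        '"lastStatus": "SUCCESS"}]}',
    ),
    "eu-central-1": (  # recorder stopped and limited to one resource type
        '{"ConfigurationRecorders": [{"name": "default", "roleARN": '
        '"arn:aws:iam::111122223333:role/example-config-role", "recordingGroup": '
        '{"allSupported": false, "resourceTypes": ["AWS::S3::Bucket"]}}]}',
        '{"ConfigurationRecordersStatus": [{"name": "default", "recording": false}]}',
    ),
    "us-east-1": ('{"ConfigurationRecorders": []}', '{"ConfigurationRecordersStatus": []}'),
}

def audit_region(recorders_json, status_json):
    """Return findings for one region; an empty list means every check passed."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    statuses = {s["name"]: s
                for s in json.loads(status_json).get("ConfigurationRecordersStatus", [])}
    if not recorders:
        return ["no configuration recorder exists"]
    findings = []
    for rec in recorders:
        name, status = rec["name"], statuses.get(rec["name"], {})
        if not status.get("recording", False):
            findings.append(f"{name}: recorder is stopped")
        elif str(status.get("lastStatus", "")).upper() == "FAILURE":
            findings.append(f"{name}: last recording attempt failed, check the IAM role")
        if not rec.get("roleARN"):
            findings.append(f"{name}: no IAM role attached")
        if not rec.get("recordingGroup", {}).get("allSupported", False):
            findings.append(f"{name}: not recording all supported resource types")
    return findings

def audit(regions):
    """Map each region to its findings so gaps across regions are visible at once."""
    return {region: audit_region(*docs) for region, docs in regions.items()}

if __name__ == "__main__":
    for region, findings in audit(SAMPLE).items():
        print(region, "OK" if not findings else "; ".join(findings))
```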

Remediation Steps

Step 1: Enable AWS Config

If AWS Config is not currently enabled, you can enable it using the AWS Management Console, or by using the AWS Command Line Interface (CLI):

aws configservice start-configuration-recorder --configuration-recorder-name default --region eu-west-1

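Replace eu-west-1 with the region where you need to enable AWS Config. This command starts a recorder that already exists: if the region has no recorder named default yet, create it first as described in Step 2. AWS Config also requires a delivery channel in the region before the recorder can start.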

Step 2: Set Up the Configuration Recorder

Ensure that the configuration recorder is configured to record all resource types:

aws configservice put-configuration-recorder --configuration-recorder 'name=default,roleARN=arn:aws:iam::[YOUR_ACCOUNT_ID]:role/[YOUR_CONFIG_ROLE],recordingGroup={allSupported=true,includeGlobalResourceTypes=true}' --region eu-west-1

Replace [YOUR_ACCOUNT_ID] and [YOUR_CONFIG_ROLE] with your specific account ID and the name of your AWS Config IAM role. The recorder definition is single-quoted so that the shell passes it to the CLI as one argument instead of brace-expanding the recordingGroup value.

Step 3: Specify Compliance Rules

Create and apply AWS Config rules that align with your GxP compliance requirements. This can be done through the AWS Management Console or with the following CLI command template:

aws configservice put-config-rule --config-rule '{
    "ConfigRuleName": "GxP-compliance-rule",
    "Description": "A description of your rule",
    "Scope": {
        "ComplianceResourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"]
    },
    "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "DESIRED_AWS_MANAGED_RULE"
    },
    "InputParameters": "{\"paramName\":\"paramValue\"}"
}' --region eu-west-1

Replace DESIRED_AWS_MANAGED_RULE with the identifier for a managed rule that matches one of your compliance criteria.

Step 4: Review Compliance

Regularly check AWS Config to ensure that all resources are compliant with your GxP-related rules. Any non-compliant resources should be addressed immediately.

Summary

By following the steps outlined above, you can enable and configure AWS Config to comply with GxP EU Annex 11 regulatory requirements. It’s essential to review and update your configurations periodically to maintain compliance as AWS services and GxP requirements evolve. By ensuring AWS Config is properly set up and managed, you’ll sustain a robust compliance posture that supports secure and reliable operations within the pharmaceutical sector.
