Start HereOrdered learning track

Cloud Risk Register and Control Mapping

Learn AWS Security, Monitoring and Management - Part 008

Membangun cloud risk register dan control mapping di AWS: dari threat scenario menjadi preventive, proactive, detective, responsive, evidence, owner, SLA, dan remediation workflow.

22 min read4264 words
PrevNext
Lesson 0872 lesson track01–13 Start Here
#aws#security#monitoring#management+4 more

Part 008 — Cloud Risk Register and Control Mapping

Security yang matang tidak dimulai dari tool.

Ia dimulai dari kalimat seperti ini:

Apa risiko yang sedang kita kurangi?

Tanpa jawaban jelas, organisasi akan mengaktifkan banyak service tetapi tetap tidak tahu apakah posture membaik.

GuardDuty aktif. Security Hub aktif. Config aktif. Inspector aktif. Macie aktif. CloudTrail aktif. Tetapi saat auditor, incident commander, atau CTO bertanya “risiko terbesar kita apa?”, jawabannya tetap kabur.

Itu tanda sistem security masih tool-driven, bukan risk-driven.

Part ini membahas cara membangun cloud risk register dan control mapping untuk AWS environment.

Risk register bukan dokumen GRC statis. Untuk engineering, risk register adalah struktur kerja yang menghubungkan:

threat scenario -> affected asset -> impact -> control -> evidence -> owner -> remediation -> residual risk

AWS Cloud Adoption Framework menekankan pentingnya security governance, risk assessment, control framework, security assurance, dan continuous monitoring untuk mengevaluasi efektivitas kontrol. AWS Prescriptive Guidance juga membagi security controls menjadi preventive, proactive, detective, dan responsive controls. Itu memberi kita bahasa operasional untuk memetakan risiko menjadi sistem kontrol.


1. Problem: Banyak Finding, Sedikit Risk Clarity

Lingkungan AWS yang cukup besar biasanya menghasilkan banyak sinyal:

  • Security Hub findings,
  • GuardDuty findings,
  • AWS Config noncompliance,
  • Inspector vulnerabilities,
  • IAM Access Analyzer external access findings,
  • Macie sensitive data findings,
  • CloudTrail suspicious events,
  • CloudWatch alarms,
  • budget anomalies,
  • penetration test reports,
  • audit observations,
  • incident postmortems.

Tanpa risk model, semua sinyal ini menjadi noise.

Masalah klasik:

  • Critical vulnerability di instance non-routable dev dianggap sama dengan critical vulnerability di public-facing prod.
  • Public S3 bucket kosong mendapat perhatian lebih besar daripada IAM role prod dengan privilege escalation path.
  • Security team membuat finding, tetapi tidak tahu owner teknis.
  • Platform team menutup finding satu per satu tanpa memperbaiki control penyebabnya.
  • Audit meminta evidence, tetapi evidence tersebar di screenshot, spreadsheet, dan percakapan Slack.
  • Remediation SLA dibuat berdasarkan severity tool, bukan business impact.

Risk register yang baik mengubah ini menjadi sistem berpikir.


2. Risk Register untuk Engineer

Risk register bukan sekadar tabel compliance. Ia harus bisa dipakai engineer untuk mengambil keputusan.

Minimal field:

FieldMakna
risk_idIdentifier stabil, misalnya AWS-RISK-IAM-001
risk_statementPernyataan risiko dalam format sebab-akibat
threat_scenarioCara risiko terjadi secara teknis
affected_assetsAccount, workload, data, identity, network, service
business_impactDampak pada confidentiality, integrity, availability, compliance, cost, reputation
likelihoodKemungkinan sebelum kontrol
impactBesar dampak sebelum kontrol
inherent_riskRisk rating sebelum kontrol
controlsPreventive, proactive, detective, responsive/recovery controls
evidence_sourceCloudTrail, Config, Security Hub, IAM Access Analyzer, ticket, IaC scan, etc.
control_ownerTim yang menjaga kontrol
risk_ownerPemilik risiko bisnis/teknis
remediation_slaBatas waktu berdasarkan severity dan environment
exception_processCara menyetujui penyimpangan
residual_riskRisiko setelah kontrol
review_cadenceKapan risiko dievaluasi ulang

Format risk statement yang bagus:

Because <condition>, a <threat actor or failure mode> could <action>, causing <impact>.

Contoh:

Because production IAM roles can create new inline policies without permission boundaries,
a compromised deployment role could escalate privileges and modify security controls,
causing unauthorized access to sensitive data and loss of audit integrity.

Kalimat ini jauh lebih berguna daripada:

IAM risk high.

3. Control Taxonomy

AWS Prescriptive Guidance membagi security control menjadi empat tipe utama.

3.1 Preventive Controls

Preventive controls mencegah event terjadi.

Contoh AWS:

  • SCP menolak penggunaan region tidak disetujui.
  • IAM policy tidak memberi s3:PutBucketPublicAccessBlock sembarangan.
  • KMS key policy tidak mengizinkan decrypt lintas account tanpa syarat.
  • VPC endpoint policy membatasi akses bucket tertentu.
  • Permission boundary membatasi role yang dibuat platform team.

Preventive control bagus untuk invariant yang jelas.

Tetapi terlalu banyak preventive control tanpa exception path akan menghambat engineering dan mendorong bypass.

3.2 Proactive Controls

Proactive controls mencegah resource noncompliant dibuat, biasanya pada provisioning path.

Contoh:

  • IaC policy check menolak S3 bucket public sebelum merge.
  • CloudFormation Guard rule mencegah resource tanpa encryption.
  • Control Tower proactive control mengecek template sebelum provision.
  • CI/CD policy gate mencegah security group 0.0.0.0/0 untuk port sensitif.

Proactive control berada sebelum resource hidup.

3.3 Detective Controls

Detective controls mendeteksi, mencatat, dan memberi alert setelah event terjadi.

Contoh:

  • CloudTrail merekam API call.
  • AWS Config mendeteksi resource drift.
  • GuardDuty mendeteksi credential exfiltration pattern.
  • Security Hub mengagregasi posture findings.
  • IAM Access Analyzer mendeteksi external access.
  • CloudWatch alarm mendeteksi error rate atau unusual activity.

Detective control penting karena tidak semua risiko bisa dicegah.

3.4 Responsive Controls

Responsive controls menggerakkan remediation.

Contoh:

  • EventBridge memicu Lambda untuk memblokir public S3 bucket.
  • Systems Manager Automation mengisolasi EC2 instance.
  • Security Hub custom action membuat ticket incident.
  • Step Functions menjalankan approval + remediation workflow.
  • Incident Manager memanggil on-call dan membuat incident timeline.

Responsive control membuat detection menjadi action.

3.5 Recovery Controls

AWS Prescriptive Guidance menekankan empat tipe di atas. Dalam engineering, kita juga sering memisahkan recovery controls karena recovery adalah kemampuan berbeda dari remediation.

Contoh:

  • AWS Backup restore test.
  • Cross-region replication.
  • Immutable backup vault.
  • Disaster recovery runbook.
  • Rebuild-from-IaC capability.

Recovery control menjawab:

Setelah failure atau compromise, bisakah sistem kembali ke state aman?


4. Risk-to-Control Mapping Flow

Mapping ini memaksa kita tidak berhenti di “aktifkan service”.

Untuk setiap risiko, tanyakan:

  1. Bisakah dicegah?
  2. Bisakah dicegah sebelum provision?
  3. Kalau terjadi, bagaimana dideteksi?
  4. Setelah terdeteksi, siapa bergerak?
  5. Bagaimana dipulihkan?
  6. Evidence apa yang membuktikan kontrol berjalan?
  7. Risiko apa yang tetap tersisa?

5. Risk Register Example: Public S3 Exposure

Risk Statement

Because S3 buckets may be created or modified with public access,
an external actor could read or write sensitive objects,
causing data disclosure, integrity loss, regulatory exposure, and reputational damage.

Mapping

DimensionValue
Risk IDAWS-RISK-DATA-001
Affected assetsS3 buckets, customer data, logs, artifacts
EnvironmentProd, staging with production-like data
Inherent riskHigh
Preventive controlSCP to restrict dangerous public access mutations where appropriate; S3 Block Public Access baseline
Proactive controlIaC scan / Control Tower proactive control for bucket public access setting
Detective controlAWS Config rule for public buckets; Security Hub control; IAM Access Analyzer external access finding
Responsive controlEventBridge remediation to re-enable block public access or quarantine bucket policy
Recovery controlObject versioning, backup/replication for integrity recovery if write exposure occurred
EvidenceConfig compliance history, CloudTrail PutBucketPolicy, Security Hub finding timeline, remediation ticket
OwnerPlatform storage team + workload owner
SLAImmediate for prod sensitive data; shorter SLA for internet-exposed buckets
Residual riskApproved public static website bucket with explicit exception and monitoring

Notes

Public exposure is not always wrong. A static public website bucket may be intentional. The risk register must support exception, not pretend all public access is equal.

The correct question is:

Is this exposure intentional, approved, scoped, monitored, and free of sensitive data?


6. Risk Register Example: Long-Lived Human Access Keys

Risk Statement

Because human IAM users may possess long-lived access keys,
phishing, malware, or accidental disclosure could allow unauthorized API access,
causing privilege misuse, data access, resource manipulation, or persistence.

Mapping

DimensionValue
Risk IDAWS-RISK-IAM-002
Affected assetsIAM users, API control plane, workload resources
Inherent riskHigh
Preventive controlSCP/IAM policy preventing IAM user access key creation except approved automation accounts
Proactive controlIaC policy forbidding IAM users/access keys in workload modules
Detective controlIAM credential report, Access Analyzer unused access, CloudTrail access key usage, Security Hub IAM controls
Responsive controlDisable access key, rotate affected credentials, investigate CloudTrail activity
Recovery controlRevoke sessions where possible, rotate downstream secrets, rebuild compromised resources
EvidenceIAM credential report, CloudTrail CreateAccessKey, incident ticket, key deactivation record
OwnerIdentity platform team
SLAImmediate if key has admin access or prod usage
Residual riskDedicated service integration requiring access key with compensating controls and expiry

Design Principle

Human access should go through federation and temporary credentials. IAM users are exceptional, not default.


7. Risk Register Example: CloudTrail Disabled or Tampered

Risk Statement

Because workload administrators may be able to stop, delete, or alter audit logging,
a malicious or compromised principal could hide unauthorized activity,
causing loss of forensic evidence and audit integrity.

Mapping

DimensionValue
Risk IDAWS-RISK-AUDIT-001
Affected assetsCloudTrail, S3 log bucket, KMS log key, CloudWatch Logs
Inherent riskCritical
Preventive controlSCP denying cloudtrail:StopLogging, cloudtrail:DeleteTrail, log bucket deletion, KMS key deletion except security admin path
Proactive controlAccount baseline must include organization trail before account active
Detective controlCloudTrail event for logging changes, Config rule, Security Hub controls, EventBridge alert
Responsive controlRe-enable trail, isolate principal, create security incident, preserve evidence
Recovery controlCross-account log archive, S3 Object Lock where applicable, KMS key recovery windows
EvidenceCloudTrail event history, log archive object presence, Config timeline, incident record
OwnerSecurity operations/platform security
SLAImmediate
Residual riskAWS service outage or pre-baseline account gap mitigated by account vending process

Important Insight

Audit integrity is a tier-0 control. If logging can be disabled by the same people being monitored, the system has weak evidence integrity.


8. Risk Register Example: Unpatched Compute

Risk Statement

Because compute resources may run vulnerable packages or runtime versions,
an attacker could exploit known vulnerabilities,
causing unauthorized access, lateral movement, data exposure, or service disruption.

Mapping

DimensionValue
Risk IDAWS-RISK-VULN-001
Affected assetsEC2, container images, Lambda runtimes, AMIs
Inherent riskMedium to Critical depending exposure
Preventive controlApproved base images, restricted AMI usage, ECR pull policy
Proactive controlImage scan in CI/CD, dependency scan before deploy
Detective controlAmazon Inspector findings, ECR scan findings, runtime inventory
Responsive controlPatch Manager, rebuild image, redeploy workload, isolate vulnerable instance
Recovery controlImmutable infrastructure rebuild, known-good AMI/image rollback
EvidenceInspector finding, patch compliance, deployment record, SSM inventory
OwnerWorkload team + platform compute team
SLABased on severity, exploitability, exposure, and environment
Residual riskAccepted vulnerability due to vendor constraint with compensating controls

Severity Trap

Do not blindly use CVSS as business priority.

A critical CVE on an isolated dev instance may be lower operational priority than a medium CVE on an internet-facing production authentication service.

Risk priority needs context:

severity = technical severity × exposure × asset criticality × exploitability × compensating controls

9. Risk Register Example: Overprivileged Deployment Role

Risk Statement

Because deployment roles may have broad administrative permissions,
a compromised CI/CD pipeline or malicious commit could modify IAM, disable controls, or access sensitive resources,
causing privilege escalation and production compromise.

Mapping

DimensionValue
Risk IDAWS-RISK-IAM-003
Affected assetsCI/CD account, prod workload accounts, IAM roles, KMS keys, data stores
Inherent riskCritical
Preventive controlPermission boundary, SCP, scoped deploy role, separation of security-admin functions
Proactive controlIaC policy to detect wildcard admin permissions and privilege escalation actions
Detective controlCloudTrail monitoring for IAM mutations, Access Analyzer policy validation, Security Hub IAM controls
Responsive controlRevoke role trust, disable pipeline, roll back IAM changes, incident response
Recovery controlRestore known-good IAM/IaC state, rotate secrets, rebuild compromised runtime
EvidenceAssumeRole events, IAM policy change events, deployment manifest, code review record
OwnerPlatform engineering + application owner
SLAImmediate for prod admin path
Residual riskControlled deployment needs elevated rights for specific resources with explicit boundary

Design Principle

A deployment role should have enough power to deploy the workload, not enough power to become the organization administrator.


10. Building a Control Library

Risk register becomes scalable only if controls are reusable.

Control library format:

FieldExample
control_idAWS-CTRL-AUDIT-001
nameOrganization CloudTrail enabled
typeDetective + preventive
objectiveEnsure AWS API activity is recorded across accounts and regions
implementationOrganization trail in management/security account, protected S3 log archive, SCP prevents disabling
scopeAll accounts, all enabled regions
evidenceCloudTrail config, S3 log objects, Config compliance, CloudTrail events
ownerSecurity platform team
automationAccount vending baseline + Config rule + EventBridge alert
failure_modeNew account not enrolled, trail stopped, S3 bucket policy changed, KMS key inaccessible
test_methodCreate sandbox account and validate events reach log archive

A control library prevents every risk assessment from reinventing the same controls.


11. Evidence Mapping

A control without evidence is a belief.

Evidence mapping answers:

How do we prove this control exists and operated during the period in question?

Examples:

ControlEvidence SourceEvidence Type
Organization CloudTrail enabledCloudTrail configuration, S3 log archive objectsConfiguration + runtime logs
No public S3 bucketsAWS Config compliance, Security Hub findingsCompliance state
GuardDuty enabled in all accountsGuardDuty admin account, organization membershipService configuration
IAM user access keys prohibitedIAM credential report, CloudTrail CreateAccessKey eventsIdentity evidence
Production deploys via pipelineCloudTrail AssumeRole, CI/CD deployment recordChange evidence
Backups restorableAWS Backup job + restore test resultRecovery evidence
Root user not usedCloudTrail root events, alert historyActivity evidence

Good evidence has properties:

  • generated automatically,
  • timestamped,
  • hard to tamper with by workload owner,
  • linked to account/resource/owner,
  • retained long enough,
  • queryable during audit or incident.

Screenshots are weak evidence. They may be acceptable for manual exceptions, but not as primary control proof.


12. Risk Scoring That Engineers Can Use

Avoid pretending risk scoring is mathematically precise. It is a prioritization tool.

A useful scoring model:

risk_score = impact × likelihood × exposure_modifier × control_gap_modifier

Impact

ScoreMeaning
1Limited inconvenience
2Minor service or internal impact
3Customer-visible or internal operational impact
4Major customer/data/compliance impact
5Existential, regulated, widespread, or tier-0 impact

Likelihood

ScoreMeaning
1Hard to trigger, requires unusual condition
2Possible but unlikely
3Plausible in normal operation
4Likely under common failure/attack conditions
5Already observed or easy to exploit

Exposure Modifier

ModifierMeaning
0.5Isolated, non-prod, no sensitive data
1.0Internal exposure
1.5Internet-exposed or cross-account reachable
2.0Internet-exposed production with sensitive data

Control Gap Modifier

ModifierMeaning
0.5Strong preventive + detective + response controls tested
1.0Some controls exist, partially tested
1.5Mostly detective, weak response
2.0No reliable controls/evidence

This model is intentionally simple. The goal is consistent prioritization, not false precision.


13. Risk Register as Workflow

Risk register harus bergerak bersama engineering cadence.

Setiap risk item perlu lifecycle.

StateMakna
IdentifiedRisiko ditemukan dari threat model, finding, audit, incident, architecture review
AnalyzedImpact, likelihood, affected assets, owner dipahami
ControlMappedPreventive/proactive/detective/responsive controls ditentukan
MitigationPlannedWork item dibuat dan diprioritaskan
InProgressControl sedang dibuat/diperbaiki
ImplementedControl tersedia
EvidenceVerifiedEvidence membuktikan control berjalan
ResidualRiskReviewedRisiko sisa dievaluasi
ExceptionGrantedRisiko diterima sementara dengan expiry
ClosedRisiko selesai atau tidak relevan lagi

Tanpa lifecycle, risk register menjadi graveyard.


14. Exception Model

Security exception bukan kegagalan. Exception tanpa expiry adalah kegagalan.

Exception harus punya:

  • risk ID,
  • control yang dilanggar,
  • alasan bisnis/teknis,
  • affected account/resource,
  • compensating control,
  • approver,
  • expiry date,
  • review cadence,
  • rollback/remediation plan,
  • evidence.

Contoh exception buruk:

Allow public S3 because app needs it.

Contoh exception lebih baik:

Exception AWS-RISK-DATA-001-EX-2026-004 allows public read for bucket app-static-prod-assets.
Bucket contains only hashed static assets generated by pipeline.
S3 Block Public Access remains enabled at account level except bucket policy managed by IaC.
Macie classification confirms no sensitive objects.
CloudTrail data events enabled for object writes.
Expires 2026-10-01 or when CloudFront OAC migration completes.
Approved by Product Security and App Owner.

Exception yang jelas menjaga velocity tanpa menghancurkan governance.


15. Mapping AWS Services to Control Types

AWS CapabilityPreventiveProactiveDetectiveResponsiveRecovery
Service Control PoliciesYesNoNoNoNo
IAM policies / permission boundariesYesNoPartialNoNo
Control Tower controlsYesYesYesPartialNo
AWS ConfigNoPartialYesPartialNo
CloudTrailNoNoYesSupportsNo
GuardDutyNoNoYesSupportsNo
Security HubNoNoYesSupportsNo
InspectorNoPartial via CI integrationYesSupportsNo
MacieNoNoYesSupportsNo
IAM Access AnalyzerPartialPartialYesSupportsNo
EventBridgeNoNoRoutingYesNo
Lambda / Step FunctionsNoNoNoYesPartial
Systems Manager AutomationNoNoNoYesPartial
AWS BackupNoNoPartialNoYes
KMSYesNoCloudTrail evidenceSupportsPartial
CloudWatchNoNoYesSupportsNo

A service can support more than one control type depending on design. CloudTrail is primarily detective, but it also supports responsive workflows because events can route to EventBridge. Config is detective by default, but remediation automation can make it part of responsive control.


16. Control Coverage Matrix

Untuk setiap high-risk area, pastikan kontrol tidak hanya detective.

Risk AreaPreventiveProactiveDetectiveResponsiveRecovery
Public data exposureBlock public access, SCPIaC scanConfig, Security Hub, MacieAuto-block/quarantineVersioning/backup
Credential compromiseMFA, federation, no IAM usersPolicy lintGuardDuty, CloudTrailDisable key/session, incidentRotate secrets
Audit tamperingSCP, log bucket policyAccount baselineConfig, CloudTrailRe-enable, isolate principalProtected archive
Privilege escalationPermission boundary, SCPIAM policy validationAccess Analyzer, CloudTrailRevoke role, rollback policyRestore IAM baseline
Vulnerable computeApproved imagesImage scanInspectorPatch/redeploy/isolateRebuild from image
Data lossKMS, access controlBackup policy checkBackup job monitoringRestore workflowBackup/replication
Network exposureSG restrictions, endpoint policyIaC scanConfig, flow logsRevoke ruleRebuild safe network state

If a risk has only detective controls, you are accepting that bad states can happen and remain until response. That may be acceptable for low-risk dev scenarios. It is usually not acceptable for tier-0 production controls.


17. Owner Model

Every risk needs two owners:

Risk Owner

The person or group accountable for accepting or reducing business/technical risk.

Examples:

  • application owner,
  • platform owner,
  • data owner,
  • product owner,
  • CISO delegate,
  • compliance owner.

Control Owner

The team responsible for implementing and operating the control.

Examples:

  • identity platform team owns IAM Identity Center baseline,
  • security platform team owns GuardDuty/Security Hub aggregation,
  • workload team owns application-level encryption and dependency patching,
  • cloud platform team owns account vending and SCP baseline,
  • SRE team owns operational alarms and incident runbooks.

Do not confuse them.

Security team may own detection tooling, but workload owner often owns remediation.


18. SLA Model

SLA harus mempertimbangkan:

  • severity,
  • environment,
  • exposure,
  • data sensitivity,
  • exploitability,
  • business criticality,
  • compensating controls.

Contoh SLA:

Risk PriorityProd SensitiveProd Non-SensitiveStagingDev/Sandbox
CriticalImmediate / same daySame day3 days7 days
High3 days7 days14 days30 days
Medium14 days30 days45 days60 days
LowBacklogBacklogBacklogBacklog/auto-expire

SLA yang sama untuk semua environment akan gagal. Terlalu ketat untuk sandbox, terlalu longgar untuk prod.


19. Risk Register Storage Model

Risk register bisa dimulai sebagai MDX/YAML, bukan harus langsung tool besar.

Contoh file:

risk_id: AWS-RISK-IAM-003
risk_statement: >
  Because deployment roles may have broad administrative permissions,
  a compromised CI/CD pipeline or malicious commit could modify IAM,
  disable controls, or access sensitive resources.
category: identity
inherent_risk: critical
affected_environments:
  - prod
controls:
  preventive:
    - AWS-CTRL-IAM-BOUNDARY-001
    - AWS-CTRL-SCP-IAM-001
  proactive:
    - AWS-CTRL-IAC-IAM-LINT-001
  detective:
    - AWS-CTRL-CLOUDTRAIL-IAM-001
    - AWS-CTRL-ACCESS-ANALYZER-001
  responsive:
    - AWS-CTRL-IR-REVOKE-ROLE-001
owner:
  risk_owner: platform-engineering
  control_owner: identity-platform
sla:
  prod: immediate
residual_risk: high
review_cadence: quarterly

File-based risk register punya keuntungan:

  • bisa direview via pull request,
  • versioned,
  • dekat dengan engineering workflow,
  • bisa digenerate menjadi dashboard,
  • bisa dipetakan ke controls-as-code.

Nanti saat maturity naik, data ini bisa masuk ke GRC platform atau Audit Manager mapping.


20. Minimal Initial Risk Register for AWS

Mulai dengan risiko inti ini.

Risk IDRisk
AWS-RISK-ORG-001Management account compromise
AWS-RISK-ORG-002Account not enrolled in baseline controls
AWS-RISK-IAM-001Human overprivilege in production
AWS-RISK-IAM-002Long-lived access keys
AWS-RISK-IAM-003Overprivileged deployment role
AWS-RISK-AUDIT-001CloudTrail disabled or tampered
AWS-RISK-AUDIT-002Logs deleted or inaccessible during incident
AWS-RISK-DATA-001Public data exposure
AWS-RISK-DATA-002KMS key misuse or excessive decrypt access
AWS-RISK-DATA-003Production data copied to non-prod without masking
AWS-RISK-NET-001Unintended internet exposure
AWS-RISK-NET-002Uncontrolled egress and data exfiltration
AWS-RISK-VULN-001Unpatched compute or vulnerable image
AWS-RISK-SECRET-001Secret leakage in code, logs, or CI/CD
AWS-RISK-OPS-001Missing operational alarms for critical workload
AWS-RISK-OPS-002Backup exists but restore not tested
AWS-RISK-IR-001Detection exists but no response owner/runbook
AWS-RISK-COST-001Sandbox or compromised account creates uncontrolled cost

Jangan mulai dengan 200 risiko. Mulai dengan 15–25 risiko yang benar-benar bisa ditindaklanjuti.


21. How to Review Risk Register

Review risk register secara periodik dan event-driven.

Periodic Review

  • monthly untuk high-risk open items,
  • quarterly untuk full risk register,
  • annually untuk risk model dan compliance mapping.

Event-Driven Review

Review saat:

  • account baru dibuat,
  • workload baru masuk prod,
  • incident terjadi,
  • audit finding muncul,
  • major AWS service/control berubah,
  • data classification berubah,
  • new public endpoint ditambahkan,
  • new third-party integration dibuat,
  • acquisition/reorg mengubah ownership.

Risk register yang tidak berubah saat arsitektur berubah berarti tidak lagi merepresentasikan realita.


22. Anti-Patterns

Anti-Pattern 1 — Risk Register sebagai Spreadsheet Mati

Spreadsheet yang hanya diperbarui sebelum audit bukan risk management. Itu audit theater.

Anti-Pattern 2 — Semua Risiko Diberi Rating High

Kalau semua high, tidak ada prioritas.

Anti-Pattern 3 — Severity Tool Sama dengan Risk Priority

Tool severity penting, tetapi tidak cukup. Tambahkan context environment, exposure, data, dan business criticality.

Anti-Pattern 4 — Control Tanpa Owner

Control tanpa owner akan drift.

Anti-Pattern 5 — Evidence Manual sebagai Default

Screenshot dan manual attestation tidak scale. Automate evidence wherever possible.

Anti-Pattern 6 — Exception Tanpa Expiry

Exception tanpa expiry adalah policy baru yang tidak diakui.

Anti-Pattern 7 — Remediate Finding, Bukan Control Gap

Jika public bucket muncul sepuluh kali, masalahnya bukan sepuluh bucket. Masalahnya provisioning path tidak punya proactive/preventive control.


23. Practical Implementation Plan

Week 1 — Build Initial Register

  • Ambil top 20 AWS risks.
  • Tulis risk statement yang jelas.
  • Mapping affected account/environment.
  • Tentukan risk owner dan control owner.

Week 2 — Map Existing Controls

  • SCP apa yang sudah ada?
  • Config rule apa yang aktif?
  • CloudTrail/GuardDuty/Security Hub sudah coverage account mana?
  • Evidence apa yang tersedia otomatis?
  • Remediation apa yang masih manual?

Week 3 — Identify Control Gaps

Untuk setiap risk:

  • Apakah hanya detective?
  • Apakah preventive terlalu longgar?
  • Apakah response tidak punya owner?
  • Apakah evidence tidak cukup?
  • Apakah exception tidak punya expiry?

Week 4 — Prioritize Engineering Backlog

Buat backlog:

  • baseline account vending,
  • SCP hardening,
  • CloudTrail/log archive protection,
  • GuardDuty/Security Hub organization aggregation,
  • Config conformance pack,
  • IAM Access Analyzer rollout,
  • remediation automation untuk top 5 risks,
  • evidence dashboard.

24. Kesimpulan

Cloud risk register adalah jembatan antara security architecture dan daily engineering.

Tanpa risk register, Anda hanya punya banyak tools dan banyak finding.

Dengan risk register, Anda punya sistem:

risk -> control -> evidence -> owner -> remediation -> residual risk

Prinsip utama:

  1. Risk harus ditulis sebagai scenario sebab-akibat.
  2. Control harus dipetakan ke preventive, proactive, detective, responsive, dan recovery capability.
  3. Evidence harus otomatis, timestamped, queryable, dan sulit dimanipulasi oleh workload owner.
  4. Owner harus jelas: risk owner berbeda dari control owner.
  5. SLA harus mempertimbangkan environment, exposure, data sensitivity, dan business criticality.
  6. Exception harus punya expiry dan compensating control.
  7. Finding berulang adalah sinyal control gap, bukan sekadar backlog remediation.

Dengan Part 008, fase fondasi selesai. Part berikutnya mulai masuk ke AWS Organizations Deep Dive, yaitu bagaimana struktur organisasi AWS menjadi control plane untuk semua account, OU, delegated administrator, SCP, dan governance inheritance.


References

Lesson Recap

You just completed lesson 08 in start here. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.