AWS Security & Compliance Programme

Tallence AG, 2024–present

Team: 6 people | Role: Senior Cloud Architect

Services: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, AWS IAM, Amazon Inspector, AWS KMS, Amazon Macie

Confidential project — screenshots not available

Overview

At Tallence AG, I lead the design and implementation of an enterprise-wide AWS security and compliance programme. The programme establishes a structured, auditable security posture across Tallence AG's cloud infrastructure by implementing three internationally recognised frameworks: CIS (Center for Internet Security) Controls, ISO 27001, and the BSI C5 (Cloud Computing Compliance Criteria Catalogue) — the German federal standard for cloud security.

The programme is ongoing and covers 500+ individual security controls spanning identity and access management, data protection, threat detection, logging, and incident response. It is the foundation for Tallence AG's C5 attestation readiness.

Challenge

Tallence AG operates cloud infrastructure that serves enterprise clients with strict regulatory and contractual security requirements. As the company's cloud footprint grew, the need for a formalised, auditable security programme became a business-critical requirement — not just a technical best practice.

The challenge was threefold: mapping 500+ controls across three overlapping frameworks (CIS, ISO 27001, BSI C5) without duplicating effort; implementing those controls in a way that was both technically enforceable and auditor-readable; and doing so without disrupting existing workloads or development velocity.

An additional complexity was the BSI C5 attestation requirement. C5 is a German-specific standard with nuanced requirements around data residency, key management, and supply chain transparency that go beyond what CIS and ISO 27001 cover alone.

Role

As Senior Cloud Architect, I own the technical design and delivery of the security programme. My responsibilities include:

  • Designing the control framework mapping across CIS, ISO 27001, and BSI C5
  • Implementing detective controls via AWS Security Hub, GuardDuty, Config, and CloudTrail
  • Defining preventive controls through IAM policies, SCPs, and KMS key management
  • Deploying Amazon Inspector for continuous vulnerability assessment across EC2 and container workloads
  • Configuring AWS Macie for sensitive data discovery and classification
  • Writing Terraform modules for all security infrastructure to ensure reproducibility and auditability
  • Coordinating with external auditors and Tallence AG's compliance team on C5 attestation evidence

The team of 6 includes cloud engineers, a compliance specialist, and a security analyst.

Process

The programme follows a structured, phased delivery model:

Phase 1 — Control Inventory and Gap Analysis: Mapped all 500+ controls across the three frameworks, identified overlaps, and produced a unified control catalogue. Each control was classified by implementation type: preventive, detective, or corrective.

Phase 2 — Detective Controls Baseline: Deployed AWS Security Hub with CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards enabled. Activated GuardDuty across all accounts, centralised CloudTrail to a dedicated log archive account, and configured Config rules for continuous compliance evaluation.

Phase 3 — Preventive Controls and Data Protection: Hardened IAM policies and implemented SCPs to enforce least-privilege access. Deployed KMS customer-managed keys for data at rest across S3, RDS, and EBS. Configured Macie for sensitive data classification across S3 buckets.

Phase 4 — Vulnerability Management and C5 Readiness: Deployed Amazon Inspector for continuous CVE scanning. Produced C5 attestation evidence packages covering all required control domains. Ongoing remediation and evidence refresh cycles are now part of the standard operating rhythm.

Decisions

AWS Security Hub as the central aggregation layer: Rather than building a custom SIEM integration, we chose Security Hub as the primary control plane for findings aggregation. This reduced integration complexity and provided out-of-the-box mappings to CIS and NIST standards that aligned directly with our framework requirements.

Customer-managed KMS keys over AWS-managed keys: For C5 attestation, demonstrating key management sovereignty is a hard requirement. We implemented customer-managed KMS keys with explicit key policies and CloudTrail logging for all key usage — providing the audit trail required by BSI C5 and ISO 27001 Annex A.10.

Terraform for all security infrastructure: All security controls are codified in Terraform. This ensures that the security configuration is version-controlled, peer-reviewed, and reproducible — which is essential for audit evidence and for preventing configuration drift between environments.

Unified control catalogue over framework-by-framework implementation: Implementing CIS, ISO 27001, and C5 sequentially would have created redundant work and inconsistent coverage. We built a unified control catalogue upfront that maps each technical control to all applicable framework requirements, allowing a single implementation to satisfy multiple standards simultaneously.
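As an added example (not the programme's own Terraform, which is confidential), the following module shows the shape of the preventive controls described under Phase 3 and in the key-management decision above: a customer-managed KMS key with an explicit key policy, and an SCP that stops member accounts from tampering with the trail or the key. The account IDs, the role names KeyAdministrator and WorkloadDataRole, the OU id and the eu-central-1 region are assumptions chosen for the example.

```hcl
# Added example, not the programme's own code. Assumed values: account IDs,
# role names, the target OU and the region; adjust them to the real estate.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

variable "security_account_id" { type = string } # assumed: account hosting the key administrators
variable "workload_account_id" { type = string } # assumed: account whose S3/RDS/EBS data the key protects
variable "workloads_ou_id"     { type = string } # assumed: OU that receives the SCP

# Explicit key policy: no blanket grant to the account root, so IAM policies in
# the account cannot quietly widen access to the key. The role that runs
# `terraform apply` must be covered by the admin statement, otherwise KMS
# rejects the policy with its lockout safety check.
data "aws_iam_policy_document" "cmk" {
  statement {
    sid    = "AllowKeyAdministration"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.security_account_id}:role/KeyAdministrator"] # assumed role
    }
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
  }

  # Data-plane use is limited to one workload role and only through the
  # services that encrypt data at rest (S3, RDS, EBS via the EC2 endpoint).
  statement {
    sid    = "AllowUseViaServices"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.workload_account_id}:role/WorkloadDataRole"] # assumed role
    }
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "s3.eu-central-1.amazonaws.com",
        "rds.eu-central-1.amazonaws.com",
        "ec2.eu-central-1.amazonaws.com",
      ]
    }
  }
}

resource "aws_kms_key" "data_at_rest" {
  description             = "Customer-managed key for S3, RDS and EBS data at rest"
  enable_key_rotation     = true # yearly automatic rotation of the backing key material
  deletion_window_in_days = 30   # longest pending-deletion window KMS allows
  policy                  = data.aws_iam_policy_document.cmk.json
  tags                    = { managed_by = "terraform" }
}

resource "aws_kms_alias" "data_at_rest" {
  name          = "alias/data-at-rest"
  target_key_id = aws_kms_key.data_at_rest.key_id
}

# SCP: even a principal with AdministratorAccess in a member account cannot
# stop or reconfigure the trail, and only KeyAdministrator may disable or
# schedule deletion of keys.
resource "aws_organizations_policy" "protect_audit_trail" {
  name = "protect-audit-trail"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyTrailTampering"
        Effect   = "Deny"
        Action   = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]
        Resource = "*"
      },
      {
        Sid      = "DenyKeyDisableOrDeletion"
        Effect   = "Deny"
        Action   = ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:DisableKeyRotation"]
        Resource = "*"
        Condition = {
          ArnNotLike = { "aws:PrincipalArn" = "arn:aws:iam::*:role/KeyAdministrator" }
        }
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.protect_audit_trail.id
  target_id = var.workloads_ou_id
}
```

Two caveats a reviewer would check. The key policy omits the default root statement, so if the KeyAdministrator role is ever deleted the key can no longer be administered without AWS Support; the role itself therefore needs the same tamper protection. SCPs never apply to the organisation's management account, and CloudTrail records KMS API calls (including Decrypt and GenerateDataKey) as management events only while `kms.amazonaws.com` is not listed in the trail's excluded management event sources, which is what makes the key-usage audit trail in the decision above possible.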

Results

The programme has delivered measurable progress toward Tallence AG's security and compliance objectives:

  • 500+ security controls implemented and mapped across CIS, ISO 27001, and BSI C5 frameworks
  • C5 attestation readiness (BSI C5 being the German federal cloud security standard) achieved across all required control domains
  • ISO 27001 control coverage established as the foundation for formal certification
  • AWS Security Hub aggregating findings across all accounts with CIS Foundations Benchmark compliance score tracked continuously
  • Amazon GuardDuty providing 24/7 threat detection across all AWS accounts
  • 6-person team delivering the programme while maintaining existing development velocity
  • Centralised CloudTrail and Config providing a complete, tamper-evident audit trail for all infrastructure changes

Learn more about my background, certifications, and how I work on the About page.
