Introducing GRC Engineering: A New Era of AWS Compliance

AJ Yawn

fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone

AJ Yawn, Director of GRC Engineering at Aquia and author of the "GRC Engineering for AWS" book, presented a passionate manifesto for transforming governance, risk, and compliance (GRC) from a manual, screenshot-driven, auditor-appeasement function into an engineering discipline that builds compliance directly into the cloud technology stack. The talk combined a pointed critique of the current state of **SOC 2** auditing -- which Yawn called "a joke" -- with a concrete technical walkthrough of building a self-documenting compliance system using **AWS Audit Manager**, **Security Hub**, **Config**, **CloudTrail**, and **Lambda**. The core argument: GRC professionals must become technical practitioners or face extinction, and compliance must shift from periodic manual evidence collection to continuous automated verification.
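To make the "continuous automated verification" idea concrete, here is an added example (not code from the talk, the book, or AWS) of the Lambda half of the pipeline described above: Security Hub publishes findings through an EventBridge event, and a handler turns each finding into an evidence record tied to a framework control, so that compliance status is derived from live findings rather than from screenshots. The mapping from Security Hub control IDs to SOC 2 criteria, the sample event, and the account and resource identifiers are all constructed for illustration; field names follow the AWS Security Finding Format (ASFF). Pushing the records into Audit Manager is assumed to happen downstream and is not shown.

```python
"""Derive compliance evidence records from Security Hub findings (added example).

Assumptions: CONTROL_MAP and SAMPLE_EVENT are constructed for illustration;
finding field names follow ASFF. Handing the records to Audit Manager is
left to a downstream step that is not part of this example.
"""
from collections import Counter
from typing import Any, Dict, List, Optional

# Assumed mapping: Security Hub control ID -> (framework, framework control).
CONTROL_MAP = {
    "S3.1": ("SOC 2", "CC6.1"),
    "IAM.4": ("SOC 2", "CC6.1"),
    "CloudTrail.1": ("SOC 2", "CC7.2"),
}


def finding_to_evidence(finding: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Turn one ASFF finding into an evidence record, or None if unmapped."""
    compliance = finding.get("Compliance", {})
    control_id = compliance.get("SecurityControlId")
    if control_id is None:
        # Consolidated control findings also carry the ID in GeneratorId.
        generator = finding.get("GeneratorId", "")
        if generator.startswith("security-control/"):
            control_id = generator.split("/", 1)[1]
    if control_id not in CONTROL_MAP:
        return None  # e.g. a GuardDuty finding: not a control check
    framework, framework_control = CONTROL_MAP[control_id]
    return {
        "framework": framework,
        "control": framework_control,
        "security_hub_control": control_id,
        "status": compliance.get("Status", "NOT_AVAILABLE"),
        "resource_ids": [r.get("Id") for r in finding.get("Resources", [])],
        "severity": finding.get("Severity", {}).get("Label", "INFORMATIONAL"),
        "observed_at": finding.get("UpdatedAt") or finding.get("CreatedAt"),
        "finding_id": finding.get("Id"),
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point for a 'Security Hub Findings - Imported' event."""
    empty = {"evidence": [], "unmapped": 0, "status_counts": {}}
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return empty
    evidence: List[Dict[str, Any]] = []
    unmapped = 0
    for finding in event.get("detail", {}).get("findings", []):
        record = finding_to_evidence(finding)
        if record is None:
            unmapped += 1
            continue
        evidence.append(record)
    counts = Counter((r["control"], r["status"]) for r in evidence)
    return {
        "evidence": evidence,
        "unmapped": unmapped,
        "status_counts": {f"{c}:{s}": n for (c, s), n in counts.items()},
    }


def failing_controls(result: Dict[str, Any]) -> List[str]:
    """Framework controls with at least one FAILED finding, sorted."""
    return sorted({r["control"] for r in result["evidence"] if r["status"] == "FAILED"})


# Constructed sample event: two control findings plus one non-control finding.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {
            "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/S3.1/finding/example-1",
            "GeneratorId": "security-control/S3.1",
            "Severity": {"Label": "MEDIUM"},
            "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"},
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
            "UpdatedAt": "2025-06-01T12:00:00Z",
        },
        {
            "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.1/finding/example-2",
            "GeneratorId": "security-control/CloudTrail.1",
            "Severity": {"Label": "HIGH"},
            "Compliance": {"Status": "PASSED", "SecurityControlId": "CloudTrail.1"},
            "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
            "UpdatedAt": "2025-06-01T12:00:00Z",
        },
        {
            "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/example/finding/example-3",
            "GeneratorId": "arn:aws:guardduty:us-east-1:123456789012:detector/example",
            "Severity": {"Label": "HIGH"},
            "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123"}],
        },
    ]},
}

if __name__ == "__main__":
    out = handler(SAMPLE_EVENT)
    print(out["status_counts"], "failing:", failing_controls(out))
```

The point of keeping the mapping table explicit is that it is the one artifact an auditor needs to review: every evidence record cites the finding ID and timestamp it came from, so the chain from framework control back to the live resource check is reproducible without anyone taking a screenshot.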

AI review

A compliance automation talk about hooking AWS Audit Manager up to Security Hub and calling it engineering. No vulnerabilities, no attacks, no technical depth beyond wiring AWS services together. The SOC 2 roast is entertaining and the career advice for GRC professionals is probably important, but there is zero offensive or defensive security research content here. Route to Heather.
