Sync Evidence2hyperproof
1. Objective And Value#
The purpose of this document is to detail the architecture and workflow for automatically syncing compliance evidence into Hyperproof. This process automates the “last mile” of the compliance journey: delivering collected, enriched, and verified evidence directly into the organisation’s GRC (Governance, Risk, and Compliance) platform.
Business Value#
Implementing this workflow closes the loop between technical operations and compliance auditing, achieving:
- Continuous Compliance: Transforms evidence collection from a periodic, manual scramble into a continuous, automated flow.
- Audit Readiness: Ensures evidence is instantly available to auditors and stakeholders within Hyperproof.
- End-to-End Automation: Fully automates the pipeline from code check-in (or system event) to auditor review.
2. Technical Architecture & Workflow#
The automation pipeline uses an event-driven architecture hosted on AWS to bridge Complybeacon and Hyperproof.
The Step-by-step Workflow#
| Step | Component | Action | Details |
|---|---|---|---|
| Export | Complybeacon | Output | Complybeacon completes evidence collection and exports the finalized logs. |
| Ingestion | AWS S3 | Secure Storage | The evidence logs are deposited into the designated S3 Bucket. |
| Trigger | S3 Event | Event-Driven | The creation of a new object in S3 automatically triggers the linked AWS Lambda Function. |
| Processing | AWS Lambda | Transformation/Push | The function executes a Python script that retrieves the Hyperproof secrets from AWS SSM, authenticates via the Hyperproof API, and pushes the evidence data. |
| Verification | AWS / Hyperproof | Validation | Inspect CloudWatch Logs for successful execution. Then, check Hyperproof to verify the evidence appears in the expected location. |
3. Preparation & Prerequisites#
Before configuring the automation, the following components and credentials must be provisioned.
3.1 Hyperproof Configuration#
- Provision API Credentials: Create an API client within Hyperproof to allow external access.
  - Path: Administrator -> Setting -> API Client
- Record Credentials: Securely note the `CLIENT_ID` and `CLIENT_SECRET`.
3.2 AWS Infrastructure Setup#
a. IAM & S3 Bucket (Storage)#
Create S3 Bucket: Provision a new AWS S3 bucket for evidence ingestion. Note the Bucket Name.
Create IAM Policy: Create an IAM Policy granting write access to this specific S3 bucket (for Complybeacon).
Example policy snippet (replace `sw-s3-hyperproof` with your own bucket name in every `Resource` entry):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::sw-s3-hyperproof/*",
        "arn:aws:s3:::sw-s3-hyperproof"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::sw-s3-hyperproof/*"
    }
  ]
}
```
Create IAM User: Create an IAM User (for Complybeacon), attach the policy, and generate the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
b. Systems Manager (Secrets Management)#
Create new SecureString parameters in the AWS Systems Manager (SSM) Parameter Store to securely hold the Hyperproof credentials:
- `/hyperproof/CLIENT_ID`
- `/hyperproof/CLIENT_SECRET`
c. Lambda Function#
Create Function: Initialise a new AWS Lambda function (using the Python runtime).
Configure Triggers: Add an S3 trigger linking it to the bucket from step 3.2 a, configured to fire only on `s3:ObjectCreated:Put` and `s3:ObjectCreated:Post` events (very important).
Configure IAM Execution Role:
- Attach the managed policy `AmazonS3ReadOnlyAccess` (to allow Lambda to read the evidence logs).
- Create and attach an inline policy granting `ssm:GetParameter` and `kms:Decrypt` permission to read the specific SSM parameters (`/hyperproof/CLIENT_ID`, `/hyperproof/CLIENT_SECRET`).
Example policy snippets (S3 read access first, then SSM and KMS access):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::alex-hyperproof-test/*"
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": [
        "arn:aws:ssm:eu-north-1:725106756198:parameter/hyperproof/CLIENT_ID",
        "arn:aws:ssm:eu-north-1:725106756198:parameter/hyperproof/CLIENT_SECRET"
      ]
    }
  ]
}
```
Dependencies & Layers: Create and attach a Lambda Layer containing the necessary Python libraries (`requests`).
Set Environment Variables: Configure the following (for the Python script to use):
- `CLIENT_ID`: `/hyperproof/CLIENT_ID`
- `CLIENT_SECRET`: `/hyperproof/CLIENT_SECRET`
Deploy Code: Deploy the actual sync code (which reads S3, retrieves secrets from SSM, and calls the Hyperproof API) into the Lambda Function editor.
Set Timeout: Go to Configuration -> General configuration and increase the timeout to a larger value, for example 10 s (the default is 3 s).
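The sync code that the Deploy Code step refers to is not reproduced on this page; the handler below is an added example (not Complybeacon's or Hyperproof's own code) wired to the steps above: it accepts only ObjectCreated records, reads each new object from S3, resolves the `CLIENT_ID`/`CLIENT_SECRET` environment variables to decrypted SSM parameters, and pushes the file to Hyperproof. The Hyperproof token and upload endpoints, the OAuth2 client-credentials exchange, the multipart upload shape and the `HYPERPROOF_TOKEN_URL`/`HYPERPROOF_PROOF_URL` environment variables are assumptions; take the real endpoints from the Hyperproof API documentation.

```python
import os
import urllib.parse

# Assumed endpoints (placeholders read from env vars); take the real URLs from the Hyperproof API docs.
TOKEN_URL = os.environ.get("HYPERPROOF_TOKEN_URL", "https://hyperproof.example.invalid/oauth/token")
PROOF_URL = os.environ.get("HYPERPROOF_PROOF_URL", "https://hyperproof.example.invalid/v1/proof")

def parse_s3_event(event):
    """Return (bucket, key) pairs for ObjectCreated records only; S3 URL-encodes keys."""
    objects = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # defence in depth: ignore delete/restore events even if the trigger is too broad
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        objects.append((rec["s3"]["bucket"]["name"], key))
    return objects

def fetch_secrets(ssm, param_names=None):
    """Resolve SSM parameter names (by default from the CLIENT_ID/CLIENT_SECRET env vars) to decrypted values."""
    param_names = param_names or {v: os.environ[v] for v in ("CLIENT_ID", "CLIENT_SECRET")}
    return {v: ssm.get_parameter(Name=n, WithDecryption=True)["Parameter"]["Value"]
            for v, n in param_names.items()}

def push_evidence(http, secrets, filename, body):
    """Exchange client credentials for a bearer token, then upload one evidence file (assumed API shape)."""
    tok = http.post(TOKEN_URL, data={"grant_type": "client_credentials",
                    "client_id": secrets["CLIENT_ID"], "client_secret": secrets["CLIENT_SECRET"]})
    tok.raise_for_status()
    headers = {"Authorization": "Bearer " + tok.json()["access_token"]}
    resp = http.post(PROOF_URL, headers=headers, files={"file": (filename, body)})
    resp.raise_for_status()  # a failed push surfaces in CloudWatch Logs as an exception
    return resp.status_code

def lambda_handler(event, context=None, *, s3=None, ssm=None, http=None, param_names=None):
    """Lambda entry point; clients are injectable so the logic can be exercised offline."""
    if s3 is None or ssm is None or http is None:
        import boto3, requests  # boto3 ships with the Lambda runtime; requests comes from the Layer
        s3, ssm = s3 or boto3.client("s3"), ssm or boto3.client("ssm")
        http = http or requests
    secrets = fetch_secrets(ssm, param_names)
    pushed = []
    for bucket, key in parse_s3_event(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        push_evidence(http, secrets, key.rsplit("/", 1)[-1], body)
        pushed.append(key)
    return {"pushed": pushed}
```

The returned `pushed` list and any exception appear in the CloudWatch log stream, which is what the Verification step inspects before checking Hyperproof itself.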
4. Execution#
Once all prerequisites are complete, the pipeline is activated automatically:
- The Complybeacon exports the evidence log.
- The evidence log is written to the configured S3 bucket.
- The S3 write event immediately triggers the Lambda function.
- The Lambda function executes, pushing the evidence log to Hyperproof.