AWS Compliance enables our customers to understand the robust controls in place at AWS to maintain security and data protection. As you build systems on top of AWS cloud infrastructure, compliance responsibilities will be shared. AWS Compliance provides assurance related to the underlying infrastructure and your organization owns the compliance initiatives related to anything placed on the AWS infrastructure. The information provided by AWS Compliance helps you to understand our compliance posture and to assess your organization's compliance within your industry and/or government requirements.


SOC 1 (formerly SAS70) FAQs

ISO 27001 FAQs

PCI DSS Level 1 FAQs

FEDRamp FAQs

Need More Compliance Information?

Contact an Amazon Web Services Business Representative

DoD CSM Levels 1-2 and 3-5

FIPS 140-2

HIPAA

Multi-Tiered Cloud Security Standard Certification



NASDAQ OMX developed FinQloud, running on AWS, to provide its clients with efficient storage and management of financial data. FinQloud helps firms meet regulatory compliance requirements without costly capital expenditures for infrastructure.





It became a priority for Pegasystems to sign a Business Associate Agreement with AWS and to implement HIPAA privacy and security controls within their AWS environment in order to enable HIPAA compliance for its customers.


Cognia needed to build a secure, cost-effective PCI-compliant service that could fully leverage true cloud infrastructure, for fast, simple deployment across single or multiple customer sites.




Banro Corporation

Banro utilized Amazon Virtual Private Cloud to provide a secure, isolated environment for highly sensitive production systems.



Vodafone needed a reliable, secure solution they could use to attain Level 1 compliance under the Payment Card Industry (PCI) Data Security Standard (DSS).





To meet a growing need for improved business continuity, Viskase was looking for an SAP disaster recovery solution that replicated its production environment.




The AWS Compliance Forum provides AWS customers a unique community forum where you can connect with fellow AWS customers, interact with AWS compliance specialists, and access specialized industry enablers and education. This forum can support you in your efforts to achieve and maintain security assurance and compliance while using AWS. There is no additional charge for being a member of the AWS Compliance Forum – the only requirement is to take a brief entrance survey so that forum content and discussions can be catered to your industry, geography, and interests.

Take the survey to join the forum now » AWS Compliance Forum Entrance Survey

The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best practices including:

Customers can request the reports and certifications produced by our third-party auditors which attest to the design and operating effectiveness of the AWS environment. Report and certification requests can be made through an AWS account representative. If you do not know who your AWS account representative is or would like to be aligned with a representative, contact AWS Sales and Business Development for further assistance.

For more information about AWS Compliance, refer to the AWS Risk and Compliance whitepaper. This whitepaper provides information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment.

  • AWS Risk and Compliance Whitepaper: provides information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment.
  • Auditing Security Checklist for Use of AWS Whitepaper: provides a checklist to help design and execute a security assessment of an organization’s use of AWS, which may be required by industry or regulatory standards.
  • AWS HIPAA Compliance: This paper briefly outlines how companies can use Amazon Web Services (AWS) to power information processing systems that facilitate HIPAA and HITECH compliance. We will focus on HIPAA’s Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) and HIPAA’s Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), and how to encrypt and protect data in the AWS cloud.
  • EU Data Protection: This document provides information to assist customers who want to use AWS to store content containing personal data. Specifically, this document describes how customers can use AWS services in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive").
  • Governance in AWS Whitepaper: An often overlooked benefit of migrating workloads to AWS is the ability to achieve a higher level of security, at scale, by utilizing the many governance-enabling features offered.
  • Logging in AWS Whitepaper: provides an overview of common compliance requirements related to logging and how AWS CloudTrail can be used to help satisfy these requirements.

AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information and AWS will be signing business associate agreements with such customers.

AWS also offers a HIPAA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance. For more information on the AWS HIPAA compliance program please contact AWS Sales and Business Development.

SOC1

Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).

This audit replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies.

The SOC 1 report audit attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The AWS SOC 1 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.

SOC2

In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into AWS security based on a defined industry standard and further demonstrates AWS’ commitment to protecting customer data. The AWS SOC 2 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.

SOC3

AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publicly available summary of the AWS SOC 2 report and provides the AICPA SysTrust Security Seal.

The report includes the external auditor’s opinion of the operation of controls (based on the AICPA’s Security Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS Infrastructure and Services. The AWS SOC 3 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process to request a SOC 2 report. View the AWS SOC 3 report.

PCI

AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 3.0, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the cloud. The AWS PCI DSS Level 1 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.

For more information on AWS PCI DSS compliance, please visit

PCI DSS Level 1 FAQs »

ISO

AWS is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.

AWS has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. The AWS ISO 27001 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.

For more information on AWS ISO 27001 compliance, please visit

ISO 27001 FAQs »


The Department of Defense (DoD) Cloud Security Model (CSM) provides a formalized assessment and authorization process for cloud service providers (CSPs) to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the CSM provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS.

Additional information on the CSM, including the full definition of the security control baselines defined for Levels 1 through 6, can be found here.


The Multi-Tier Cloud Security (MTCS) is an operational Singapore security management Standard (SPRING SS 584:2013), based on ISO 27001/02 Information Security Management System (ISMS) standards. The certification assessment requires us to:

• Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities;
• Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
• Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.


AWS has achieved two Agency Authority to Operate (ATOs) under the Federal Risk and Authorization Management Program (FedRAMP) at the Moderate impact level. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services up to the Moderate level.

All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment.

For more information on AWS FedRAMP compliance, please visit

FedRAMP FAQs »


AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP). AWS’s secure infrastructure has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud while complying with the rigorous security requirements of federal standards. To request more information related to AWS DIACAP and/or FISMA compliance please contact AWS Sales and Business Development.

ITAR

The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party to validate the proper controls are in place to support customer export compliance programs for this requirement.

FIPS

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.


The flexibility and control the AWS platform provides allows customers to deploy solutions that meet industry-specific standards, including:

  • CSA: In 2011, the Cloud Security Alliance (CSA) launched STAR, an initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. AWS is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). This CAIQ published by the CSA provides a way to reference and document what security controls exist in AWS’s Infrastructure as a Service offerings. The CAIQ provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Customers can find the completed questionnaire in Appendix A of the AWS Risk and Compliance whitepaper.
  • MPAA: The Motion Picture Association of America (MPAA) has established a set of best practices for securely storing, processing, and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure. AWS has demonstrated alignment with the MPAA best practices and AWS infrastructure is compliant with all applicable MPAA infrastructure controls. Customers can find mapping of AWS’s alignment with MPAA best-practices in Appendix B of the AWS Risk and Compliance whitepaper.

You can request the reports and certifications produced by our third-party auditors which attest to the design and operating effectiveness of the AWS environment. Report and certification requests can be made through an AWS account representative. If you do not know who your AWS account representative is or would like to be aligned with a representative, contact AWS Sales and Business Development for further assistance.