Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs; helping customers to establish and operate in an AWS security control environment.
AWS was the clear choice in terms of security and PCI DSS Level 1 compliance compared to an on-premises or co-location datacenter solution. From a technical perspective, when we evaluated the ease of implementation and management, we believed that AWS would dramatically reduce the time to market as well as the cost of infrastructure.Stefano Harak Online Senior Product Manager, Vodafone
This level of control and granularity was not possible with our previous system. When we combine IAM with CloudTrail for audits, we exceed the levels of governance which we had previously.Adrian Hodgkinson Head of IT, Exeter Family
AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud.
AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 3.1, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the cloud. The AWS PCI DSS Level 1 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.
Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies.
The SOC 1 report audit attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The AWS SOC 1 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services.
In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS.
The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA's Trust Services Principles criteria. This report provides additional transparency into AWS security and availability based on a defined industry standard and further demonstrates AWS’ commitment to protecting customer data. The AWS SOC 2 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services.
AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publically-available summary of the AWS SOC 2 report.
The report includes the external auditor's opinion of the operation of controls (based on the AICPA's Security Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS Infrastructure and Services. The AWS SOC 3 report includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that support in-scope services. This is a great resource for customers to validate that AWS has obtained external auditor assurance without going through the process to request a SOC 2 report.
ISO 9001:2008 is a global standard (published certificate) for managing the quality of products and services. The 9001 standard outlines a quality management system based on eight principles defined by the International Organization for Standardization (ISO) Technical Committee for Quality Management and Quality Assurance. They include:
- Customer focus
- Involvement of people
- Process approach
- System approach to management
- Continual Improvement
- Factual approach to decision-making
- Mutually beneficial supplier relationships
The key to the ongoing certification under this standard is establishing, maintaining and improving the organizational structure, responsibilities, procedures, processes, and resources in a manner where AWS products and services consistently satisfy ISO 9001 quality requirements.
AWS is ISO 27001 certified (published certificate) under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
AWS has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. The AWS ISO 27001 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.
ISO/IEC 27018 is a code of practice published by the International Organization for Standardization (ISO). It is based on ISO 27002 and designed to give cloud service providers security control implementation guidance to protect Personally Identifiable Information (PII). In addition to implementation guidance specific to existing ISO 27002 controls, ISO 27018 also provides additional security controls not addressed by ISO 27002 to further protect PII. AWS obtained an independent external audit against the controls and guidance contained within the 27018 code of practice to further demonstrate our commitment to our customer’s data privacy. While ISO 27018 is targeted for PII, AWS applies this same high bar to all customer content.
Alignment with the ISO 27018 code of practice provides assurance that:
• Customers control their content
• Customer content will not be used for any unauthorized purposes
• Physical media is destroyed prior to leaving AWS data centers
• AWS provides customers the means to delete their content
• AWS doesn’t disclose customer content unless we’re required to do so to comply with a legally valid and binding order
Aligning our security controls that protect the privacy of our customers with the measures outlined in ISO 27018 demonstrates our ongoing commitment to operate securely and to protect the privacy of all customer content.
The Multi-Tier Cloud Security (MTCS) is an operational Singapore security management Standard (SPRING SS 584:2013), based on ISO 27001/02 Information Security Management System (ISMS) standards. The certification assessment requires us to:
• Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities;
• Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
• Adopt an overarching management process to ensure that the information security controls meet the our information security needs on an ongoing basis.
AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information. Additionally, AWS, as of July 2013, is able to sign business associate agreements (BAA) with such customers.
AWS also offers a HIPAA-focused whitepaper and HIPAA FAQ for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The "Architecting for HIPAA Security and Compliance on AWS" outlines how companies can use AWS to process systems that facilitate HIPAA and HITECH compliance. For more information on the AWS HIPAA compliance program please contact AWS Sales and Business Development.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18, or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.
AWS also offers a FERPA-focused whitepaper for customers interested in learning more about how they can leverage AWS for the processing and storage of educational data. The "FERPA Compliance on AWS Whitepaper" outlines how companies can use AWS to process systems that facilitate FERPA compliance. For more information on the AWS FERPA compliance program please contact AWS Sales and Business Development.
The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party to validate the proper controls are in place to support customer export compliance programs for this requirement.
In 1998, The Congress of the United States of America amended the Rehabilitation Act to require Federal agencies to make their electronic and information technology accessible to people with disabilities. Inaccessible technology interferes with an individual's ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals.
The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. ' 794d), agencies must give disabled employees and members of the public access to information that is comparable to the access available to others.
AWS offers the Voluntary Product Accessibility Template (VPAT) upon request.
AWS has achieved two Agency Authority to Operate (ATOs) under the Federal Risk and Authorization Management Program (FedRAMP) at the Moderate impact level. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services up to the Moderate level.
All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment.
For more information on the AWS FedRAMP compliance program please contact AWS Sales and Business Development.
AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners' approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP).
AWS's secure infrastructure has helped federal agencies expand cloud computing use cases and deploy sensitive government data and applications in the cloud while complying with the rigorous security requirements of federal standards. To request more information related to AWS FISMA, RMF and DIACAP compliance please contact AWS Sales and Business Development.
In June 2015 The National Institute of Standards and Technology (NIST) released guidelines 800-171, "Final Guidelines for Protecting Sensitive Government Information Held by Contractors". This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.
AWS is already compliant with these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which AWS has already been audited under the FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data. A detailed mapping is available in the NIST Special Publication 800-171, starting on page D2 (which is page 37 in the PDF).
AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available for storing criminal justice information. Our architecture provides an extremely scalable, highly reliable platform enabling customers to deploy applications and data quickly and securely in support of a wide variety of security and regulatory requirements, to include Criminal Justice Information Services (CJIS) workloads according to the CJIS Security Policy.
Additionally, in the spirit of a shared responsibility philosophy AWS has created a Criminal Justice Information Services (CJIS) Workbook in a security plan template format aligned to the CJIS Policy Areas. This Workbook is intended to support our partners documenting their alignment to CJIS security requirements. Furthermore, the template provides our partners and customer agencies a systematic approach to documenting their implementation of CJIS security requirements for review and authorization. The workbook provides an overview of CJIS, AWS and AWS services, and the AWS/Customer applicability of CJIS requirements.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.
The Department of Defense (DoD) Cloud Security Model (SRG) provides a formalized assessment and authorization process for cloud service providers (CSPs) to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the SRG provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. AWS currently holds provisional authorizations at Levels 2 and 4 of the SRG.
Additional information of the security control baselines defined for Levels 2, 4, 5, and 6 can be found here.
IT-Grundschutz Compliance on Amazon Web Services is a new customer certification workbook that was developed and published by TÜV TRUST IT, an independent certification body. Unlike other certification credentials that apply exclusively to AWS, this workbook is a customer-focused certification enabler, providing a documentation framework to enable our customers to become certified for IT-Grundschutz on AWS.
The German Federal Office for Information Security known as ‘BSI’ developed a program to provide organizations with a methodology to build effective information security procedures. This IT Baseline Protection (IT-Grundschutz) methodology is supported by four standards documents that provide organizational guidance for building an Information Security Management System, the methodology for the implementation and evaluation of IT-Grundschutz, information on how to perform risk analysis against the IT-Grundschutz requirements, and business continuity management program development.
This certification workbook provides information about implementing the requirements of the BSI Standards 100-1 and 100-2, as well as the requirements on IT-Grundschutz certifications of outsourced components. This allows implementation of projected certifications based on the existing AWS ISO 27001 Certification.
The Motion Picture Association of America (MPAA) has established a set of best practices for securely storing, processing, and delivering protected media and content. Media companies use these best practices as a way to assess risk and security of their content and infrastructure.
In 2011, the Cloud Security Alliance (CSA) launched STAR, an initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. AWS is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). This CAIQ published by the CSA provides a way to reference and document what security controls exist in AWS’s Infrastructure as a Service offerings. The CAIQ provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Customers can find the completed questionnaire in Appendix A of the AWS Risk and Compliance Whitepaper.
Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber attacks.
It demonstrates the baseline controls AWS implements to mitigate the risk from common Internet-based threats, within the context of the UK Government's "10 Steps to Cyber Security". It is backed by industry, including the Federation of Small Businesses, the Confederation of British Industry and a number of insurance organizations that offer incentives for businesses holding this certification.
Cyber Essentials sets out the necessary technical controls; the related assurance framework shows how the independent assurance process works for Cyber Essentials Plus certification through an annual external assessment conducted by an accredited assessor. Due to the regional nature of the certification, the certification scope is limited to AWS EU Dublin region.
You can request the reports and certifications produced by our third-party auditors which attest to the design and operating effectiveness of the AWS environment. Report and certification requests can be made through an AWS account representative. If you do not know who your AWS account representative is or would like to be aligned with a representative, contact AWS Sales and Business Development for further assistance.