Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and dependability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations. This information assists customers in understanding the controls in place relevant to the AWS services they use and how those controls have been validated by independent auditors. This information also assists customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment.
At a high level, we’ve taken the following approach to secure the AWS infrastructure:
The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is ongoing, and we plan to continue our process of periodic audits. This audit replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report.
AWS enables U.S. government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). FISMA requires federal agencies to develop, document, and implement an information security system for their data and infrastructure based on the National Institute of Standards and Technology Special Publication 800-53, Revision 3 standard. FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, and the third-party audit of the established processes and controls. AWS has completed the control implementation and successfully passed the independent security testing and evaluation required to operate at the FISMA-Moderate level. AWS provides this control and audit documentation to government agencies, which can use it to certify their systems at the FISMA-Moderate level.
AWS has also been certified and accredited to operate at the FISMA-Low level.
AWS has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit from running their applications on our PCI-compliant technology infrastructure. PCI validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), and the underlying physical infrastructure and the AWS Management Environment.
For more information please visit our PCI DSS Level 1 FAQs.
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that is based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing transparency into our security controls and practices. AWS’s ISO 27001 certification includes all AWS data centers in all in-scope regions worldwide, and AWS has established a formal program to maintain the certification. A copy of our ISO certificate, available to AWS customers, describes the ISMS scope and the data center listing of our ISO 27001 certification.
For more information please visit our ISO 27001 FAQs.
The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting the physical location of that data to US land. AWS GovCloud (US) provides an environment physically located in the US where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data under ITAR. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
The flexibility and customer control that the AWS platform provides permit the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built healthcare applications compliant with HIPAA’s Security and Privacy Rules on AWS.
Delivering a secure cloud computing platform involves implementing numerous best practices for on-premises infrastructure as well as a host of additional considerations unique to a hosted infrastructure environment. The Amazon Web Services: Overview of Security Processes whitepaper provides background information and an overview of the AWS philosophy in offering a secure cloud computing platform.
AWS provides a number of ways for you to identify yourself and securely access your AWS account, the AWS services you have signed up for, and the resources hosted by these services. You can find the complete list of credentials that we support on the Security Credentials page under Your Account. We also provide additional security options that enable you to further protect your AWS account and control access: Identity and Access Management (IAM), Multi-Factor Authentication (MFA), and Key Rotation.
AWS Identity and Access Management (IAM) enables you to create multiple Users and manage the permissions for each User within your AWS Account. A User is an identity (within a customer AWS Account) with unique security credentials that can be used to access AWS resources. IAM eliminates the need to share passwords or access keys and makes it easy to enable or disable a User’s access as appropriate.
IAM enables you to implement security best practices, such as least privilege, by assigning unique credentials to every User within your AWS Account and granting only the permissions Users need to access the AWS resources required for them to perform their jobs. IAM is secure by default; new Users have no access to AWS until permissions are explicitly granted.
IAM allows you to minimize the use of your AWS Account credentials. Instead, all interactions with AWS resources should occur in the context of IAM User security credentials. To learn more about AWS Identity and Access Management (IAM) visit our IAM page.
AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over your AWS Account settings and the management of the AWS resources the account has subscribed to. When you enable this opt-in feature, you’ll need to provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted. You get this single-use code from an authentication device that you keep in your physical possession. This is called Multi-Factor Authentication because two factors are checked before access is granted to your account: you need to provide both your Amazon email address and password (the first “factor”: something you know) and the precise code from your authentication device (the second “factor”: something you have). Multi-Factor Authentication can be enabled for your AWS Account as well as for the Users you have created under your AWS Account using IAM.
It is easy to obtain an authentication device from a participating third-party provider and to set it up for use via the AWS website. More information about Multi-Factor Authentication is available here.
For the same reasons that it is important to change your password frequently, AWS recommends that you rotate your access keys and certificates on a regular basis. To let you do this without potential impact to your applications’ availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. The IAM APIs enable you to rotate the access keys of your AWS Account as well as those of Users created under your AWS Account.
To learn more about this feature or to begin using key rotation, click here.
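The no-downtime rotation described above, as an added example that is not AWS’s own code: a Python routine written against the boto3 IAM client’s list_access_keys / create_access_key / update_access_key / delete_access_key calls, using a constructed in-memory stand-in (FakeIam) so it runs offline. The deploy_new_key hook is an assumed caller-supplied function that pushes the new credential to every application instance before the old key is deactivated.

```python
class FakeIam:
    """In-memory stand-in for the boto3 IAM client, constructed so this runs offline."""
    def __init__(self):
        self._keys = {}  # user -> {access_key_id: "Active" | "Inactive"}
        self._seq = 0

    def list_access_keys(self, UserName):
        keys = self._keys.setdefault(UserName, {})
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in keys.items()]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, {})
        if len(keys) >= 2:  # AWS allows at most two access keys per IAM User
            raise RuntimeError("LimitExceeded: User already has two access keys")
        self._seq += 1
        key_id = f"AKIAEXAMPLE{self._seq:04d}"  # constructed id, not a real key
        keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self._keys[UserName][AccessKeyId]


def rotate_access_key(iam, user, deploy_new_key):
    """Step 1: create a second key, move the application onto it, deactivate (not delete) the old.
    deploy_new_key(key_id, secret) is the caller's hook; it returns True once every consumer uses the new key."""
    meta = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(meta) != 1 or meta[0]["Status"] != "Active":
        raise RuntimeError("expected exactly one Active key; retire leftovers first")
    old_id = meta[0]["AccessKeyId"]
    new = iam.create_access_key(UserName=user)["AccessKey"]
    if not deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])  # roll back
        raise RuntimeError("deployment failed; old key left Active, nothing changed")
    # Inactive rather than deleted: it can be re-enabled if a consumer was missed
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    return new["AccessKeyId"]


def retire_inactive_keys(iam, user):
    """Step 2, after an observation window: delete Inactive keys, never the Active one."""
    meta = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if not any(k["Status"] == "Active" for k in meta):
        raise RuntimeError("refusing to delete: no Active key would remain")
    removed = [k["AccessKeyId"] for k in meta if k["Status"] == "Inactive"]
    for key_id in removed:
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return removed
```

Against a real account the same two functions take `boto3.client("iam")` in place of FakeIam; the two-step split is what keeps the old key recoverable while CloudTrail or application logs confirm nothing still uses it.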
The AWS Security Team encourages customer communication. We have established processes for reporting security vulnerabilities and for requesting penetration testing. We have also created a signed PGP key for especially sensitive communications you may need to send.