Welcome to the AWS Compliance Solutions Guide! This guide is designed to provide you with a repository of frequently used resources and processes needed to perform your compliance responsibilities on AWS.
Security at AWS is our top priority. Today, AWS protects millions of active customers around the world, from large enterprises and government organizations, to start-ups and non-profits. Through these relationships, we’ve developed best-in-class resources to allow customers from any industry to quickly understand how to achieve compliance in the AWS Cloud. AWS customers inherit all of the benefits of our experience, including best practices for security policies, architecture, and operational processes validated against external assurance frameworks.
AWS communicates its security and control environment relevant to customers by doing the following:
Industry certifications and independent third-party attestations listed below
Information about AWS security and control practices in whitepapers and web content
Certificates, reports, and other documentation provided directly to AWS customers under NDA
The best practice for accessing AWS compliance reports is through the console via AWS Artifact. AWS Artifact provides customers with on-demand, self-service access to the latest AWS compliance reports. When AWS releases new reports, they are immediately made available for download in AWS Artifact. In addition to on-demand access, there are three advantages to using AWS Artifact:
It does not require entry of a credit card. There is no charge associated with creating an account or using the AWS Artifact portal.
It provides the ability to set up accounts for other users through IAM.
It enables the convenience of click-through NDA.
Please note that all third-party attestations, certifications, Service Organization Controls (SOC) reports, and other relevant compliance reports require an NDA. The exceptions are the AWS ISO 27001 certification and the AWS SOC 3 report, which are available publicly.
If you have an AWS account and are ready to start utilizing AWS Artifact, you can use the resources below to familiarize yourself with this feature in the console. If you do not already have an AWS account, you can create one using these steps.
AWS Artifact Website - This website gives you the basic information about Artifact, including a Getting Started Quick Guide with step-by-step instructions on how to log into the console and download a report, as well as an AWS Artifact FAQs page with a comprehensive list of frequently asked questions.
Below are a few of the most common scenarios that generate questions:
Secondary AWS customers (the customer of an AWS customer) can use AWS Artifact to sign a click-through NDA and download the AWS compliance reports. If they do not already have an AWS account, they can create one. There is no charge associated with creating an account, and AWS Artifact is free to use. For situations in which the customer of a customer is unable to open an account, AWS is happy to assist. You can contact your AWS Sales Account Manager and have them request a report on your behalf. This requires an extra step, as the end user of the report must have an NDA in place with AWS before a report can be sent to you. Artifact remains the fastest and easiest method to gain access to compliance reporting.
We recommend that you locate the person on your IT team who can grant you appropriate access through AWS IAM (Identity and Access Management). Instructions on creating an IAM policy can be found here. As with the scenario above, if this is not feasible, please contact your AWS Sales Account Manager for assistance.
US Government agency customers can request access to the AWS FedRAMP Security Package from the FedRAMP PMO by completing a Package Access Request Form and submitting it to info@fedramp.gov, or contacting their AWS Sales Account Manager.
AWS partners and prospective customers can also request access to the AWS Partner FedRAMP Security Package by contacting their AWS Sales Account Manager.
In the event that you need assistance to complete a Security Questionnaire documenting AWS security and compliance positions, AWS has a recommended approach, designed to provide you with the resources that appropriately address your security and compliance questions in the context of the cloud and AWS’s business model. This procedure ensures that all our customers are given consistent answers that have been verified by our third-party auditors.
AWS Artifact is the first place to visit, as it houses all compliance reports. AWS undergoes several audits throughout the year by third-party auditors, most of which are conducted in accordance with international security standards, such as ISO 27001, PCI and SOC. You can use these reports to answer questions on any security questionnaires you may receive.
In addition, there are several types of resources available online to provide answers for some of the most commonly asked questions. The two most frequently used documents for questionnaires are:
Consensus Assessments Initiative Questionnaire – The Cloud Security Alliance (CSA) is a non-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of uses, including cloud provider selection and security evaluation. This document contains the AWS answers to the CSA questionnaire.
Risk and Compliance Whitepaper – This document is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment. It includes a basic approach to evaluating AWS controls and provides information to assist customers with integrating control environments. This document also addresses AWS-specific information around general cloud computing compliance questions. There are detailed descriptions of all AWS Certifications, Programs, Reports, and Third-Party Attestations. The CSA questionnaire is included in the Appendix of this document.
If you still need help answering a question, reach out to your AWS Sales Account Manager and they can help direct you to the appropriate resources.
Security Questionnaire Examples

Control: Encryption
Question: Do the provided services support encryption?
Answer: Yes. AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, SimpleDB, and EC2. IPsec tunnels to VPC are also encrypted. Amazon S3 also offers Server Side Encryption as an option for customers. Customers may also use third-party encryption technologies.
AWS Reference Documents: AWS Security Whitepaper

Control: Physical and Environmental Controls
Question: Are physical and environmental controls operated by the cloud provider specified?
Answer: Yes. These are specifically outlined in the SOC 1 Type II report. In addition, other certifications AWS supports, such as ISO 27001 and FedRAMP, require best-practice physical and environmental controls.
AWS Reference Documents: FedRAMP package, ISO 27001 Report, SOC 1

Control: Human Resources Training / Awareness
Question: Are formal, role-based security awareness training programs provided for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model segregation of duties implications and conflicts of interest) for all persons with access to tenant data?
Answer: Yes. In alignment with the ISO 27001 standard, all AWS employees complete periodic Information Security training, which requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies.
AWS Reference Documents: Refer to the SOC, PCI DSS, ISO 27001, and FedRAMP compliance reports
These are some of the most common challenges encountered with the HIPAA BAA. To get access to more BAA-related resources, including a full list of HIPAA FAQs, BAA instructional videos, whitepapers, etc., please visit the main AWS HIPAA Compliance page.
Q: Can I obtain a hard copy of my existing BAA?
A: The BAA in Artifact and a hard copy do not differ, and when using Artifact you will always be able to download a copy of the BAA before and after accepting the terms. If you have an existing offline BAA, you can contact your sales rep to get a copy.
Q: I need an Exhibit A to confirm that account(s) have been added to an existing BAA, or I need evidence that a given account is covered under the BAA.
A: AWS does not issue an updated Exhibit A when additional accounts are covered under an existing BAA. By using Artifact, you can immediately designate new accounts yourself in the console. After a BAA has been accepted in Artifact, you can sign into the console with the account ID and confirm that the status is active. If you would like to add a new account, you can do so self-service. To confirm coverage status and share the BAA with auditors or regulators, the PDF is available for download. In addition, the status itself serves as evidence of coverage.
Q: I don’t have the ability to enter into a BAA, or I cannot check the boxes for the NDA.
A: This issue arises from a permissions error. The individual or team handling IAM requests for your AWS account can resolve it by adjusting permissions. More information on setting up IAM accounts can be found here.
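As an added illustration that is not part of this guide, the IAM identity policy below covers the two permission scenarios above: the first statement lets a user download compliance reports (the IAM access scenario described earlier), and the second lets a user download and accept agreements such as the NDA and the BAA (this question). The action and resource names are those documented for AWS Artifact as the editor knows them and are an assumption here; verify them against the current AWS Artifact documentation, and grant the second statement only to the people authorized to bind your organization to a BAA, since accepting an agreement is a contractual act.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DownloadComplianceReportsOnly",
      "Effect": "Allow",
      "Action": "artifact:Get",
      "Resource": "arn:aws:artifact:::report-package/*"
    },
    {
      "Sid": "ViewAcceptAndTerminateAgreementsSuchAsNdaAndBaa",
      "Effect": "Allow",
      "Action": [
        "artifact:DownloadAgreement",
        "artifact:AcceptAgreement",
        "artifact:TerminateAgreement"
      ],
      "Resource": [
        "arn:aws:artifact::*:customer-agreement/*",
        "arn:aws:artifact:::agreement/*"
      ]
    }
  ]
}
```

Attach only the first statement to auditors and questionnaire responders who need reports; a user who is missing the second statement sees exactly the symptom in this question (the NDA or BAA checkboxes cannot be completed).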
More AWS Compliance Resources
The Services in Scope page details which services are currently in scope and which are in progress. You can also contact your AWS Sales Account Manager and Solutions Architect (SA) about any specific needs for a certain service.
The AWS Security Blog is a great way to keep track of all the newest updates to the AWS security programs.
For information on some of AWS’s current customer experiences, please visit our customer testimonial page, which lists case studies from our customers across all industries.
If you need more information on a specific compliance regime, please refer to the following pages for FAQs:
The AWS Auditor Learning Path is a resource designed specifically for those in auditor, compliance, and legal roles who want to learn how their internal operations can demonstrate compliance using AWS’ platform.