Amazon Braket now included in AWS SOC-2 Security, Availability, Confidentiality & Privacy Report

Today, we’re excited to announce that Amazon Braket, the quantum computing service of AWS, is included in the latest AWS System and Organization Controls (SOC-2) report, published on May 15, 2023. Braket has now, for the first time, completed security control validation from an external auditor, adding it to the list of services covered by our semi-annual SOC-2 compliance audit. The full list of services can be found here.

At AWS, security is “job zero”: that means that securing and protecting customer data is more important than any number-one priority. AWS customers need to have confidence in the security, confidentiality, and privacy of the AWS services they use. Quantum computing is still an experimental technology, but since its inception, we have taken the stance that Braket should be assessed against the same security and operational standards as all other AWS services.

Our most security conscious customers expect all AWS services to meet certain compliance requirements before they can be used with sensitive data. We know those mandates can prevent you from experimenting with advanced technology, including services like Amazon Braket.

So, in this post describing this launch, we’re reinforcing our commitment to security, privacy, and data protection for you, and removing a barrier that might prevent you from adopting this emerging technology.

Background

The AWS System and Organization Controls (SOC) reports are a description of the AWS controls environment, and the results from an independent audit against those controls, in support of security, availability, confidentiality, and privacy trust services criteria defined by the American Institute of Certified Public Accountants (AICPA).

Security and compliance are a shared responsibility between AWS and our customers. That means AWS is responsible for protecting the global infrastructure that runs the AWS Cloud. Customers are responsible for maintaining control over their content that they host on this AWS infrastructure. This includes the security configuration and management tasks for the AWS services they use.

In the case of Braket, there’s an additional component of the shared responsibility model associated with accessing quantum hardware. This is because Braket provides access to third-party quantum hardware where quantum hardware providers (QHPs) process quantum circuits and the associated data outside of facilities operated by AWS.

The Amazon SOC-2 audits explicity cover only the components of the model that are fully under Amazon’s control, and therefore we exclude Braket QHPs in our SOC-2 validation. In order to give customers the confidence they need, we supplement our standard SOC-2 validation with a custom set of controls and audits designed for our QHPs, which are themselves derived from the SOC-2 list of controls.

These additional, QHP-specific controls cover a number of areas, including the following:

• Data Privacy: To protect data privacy, we only send QHPs anonymized information necessary to process a customer circuit. Customer data like AWS account information is not transmitted to QHPs without prior customer consent.
• Data Security: We prohibit QHPs from storing or using customer circuits for purposes other than processing the results. Once the circuit completes, QHPs return the results to Braket, where they are securely stored in customer-defined Amazon Simple Storage Service (Amazon S3) buckets.
• Incident Response: We work closely with QHPs to quickly react to emergent threats, like the recent remote code execution vulnerability in Apache’s Log4j library, through secure and independent communications channels. Braket requires QHPs to engage rapidly to mitigate and remediate any risks and threats as our security teams and other industry groups discover them.

Finally, we require all of our QHPs to undergo periodic security audits to assess personnel and system controls, and regularly perform comprehensive penetration testing to ensure that they meet standards for network security, access control, data protection, and physical security.

Conclusion

AWS strives to continuously raise our own security bar and that of our hardware partners.

To learn more about security best practices when using Amazon Braket, refer to our documentation. For an up-to-date list of compliance information for Amazon Braket, check out the AWS Services in Scope by Compliance Program page. For general information, see AWS Compliance Programs. You can download third-party audit reports using AWS Artifact.