AWS Security Blog

Auditing Security Checklist for AWS Now Available

July 15, 2020: The whitepaper Operational Checklists for AWS that’s described in this post has been replaced by a Cloud Audit Academy course.

August 28, 2019: The whitepaper Operational Checklists for AWS that’s described in this post has been deprecated due to outdated content.

If we create an updated version of the whitepaper, we’ll add a notification about it here.


Based on feedback from our customers, AWS has published an Auditing Security Checklist to help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. The checklist builds off the recently revised Operational Checklists for AWS, which helps you evaluate your applications against a list of best practices before deployment.

Image showing AWS Operations and Auditing Checklists

The Auditing Security Checklist for AWS can help you:

  • Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
  • Assess your existing organizational use of AWS and to ensure it meets security best practices
  • Develop AWS usage policies or validate that existing policies are being followed

The checklist is also useful to prospective customers to determine how they can apply security best practices to their AWS environment.

Written to be as versatile as possible, the checklist does not advocate a specific standard or framework. Instead, it is written based on the fundamental components of security controls required by many industry or governing bodies, including: the American Institute of Certified Public Accountants (AICPA), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Payment Card Industry Security Standards Council (PCI SSC), and the Information Systems Audit and Control Association (ISACA).

Want to know more about Operational Checklists for AWS?

The Basic Operations Checklist covers common high-level technical questions that organizations should consider as they adopt different AWS services and are planning for a launch.

It includes the typical questions that AWS Solutions Architects ask customers when they seek guidance to avoid common pitfalls not obvious to new users. When each item is checked off with a satisfactory and affirmative answer, you can confidently deploy your applications in the cloud.  Checklist items are designed to instigate the right conversations about whether or not the specific service or concept is applicable to your application and, if so, whether or not it has been adequately addressed.

The Enterprise Operations Checklist provides a more in-depth operational review of suggested best practices that an enterprise should consider when developing a mature cloud strategy.

It can also be used to help you build a cloud migration and operation strategy for your organization. Checklist items are divided into the following sections:

  • Billing & Account Governance – Has your organization developed an approach for billing and account management?  Have you determined whether or not multiple accounts will be used, who will be responsible for creating AWS accounts, and how billing will be handled?
  • Security & Access Management – Has your organization developed a strategy for managing AWS API, console, operating system, network, and data access?
  • Asset Management – Does your organization have a strategy for identifying and tracking AWS provisioned resources?
  • Application HA/Resilience – Does the implemented AWS solution meet or exceed the application’s high availability and resilience requirements?
  • Application DR/Backup – Does the implemented AWS solution meet or exceed the application’s disaster recovery (DR) and backup requirements?
  • Monitoring & Incident Management – Has your organization instrumented appropriate monitoring tools and integrated your AWS resources into its incident management processes?
  • Configuration & Change Management – Does your organization have a configuration and change management strategy for its AWS resources?
  • Release & Deployment Management – Has your organization determined how it will integrate application releases and deployments with its configuration and change management strategy?

The Operational Checklists for AWS and Auditing Security Checklist for Use of AWS documents are refreshed on a periodic basis as we provide new security controls in AWS. Additional information about AWS Compliance can be found on our compliance website:

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.