Category: Compliance


AWS Architecture and Security Recommendations for FedRAMP Compliance

Some of the most common compliance-related requests we receive from our customers are for reference architecture: a template for how to build your infrastructure in the cloud. These requests reflect how many people learn new concepts; a reference architecture visualization makes the subject matter concrete.

In order to clarify how you can use AWS functionality to meet the federal government’s security control requirements, we have published a whitepaper called AWS Architecture and Security Recommendations for FedRAMP Compliance. This whitepaper provides security recommendations for a variety of common use cases. It contains examples that can show you how to satisfy NIST controls by using a broad array of security functionality provided by AWS. If you are a federal customer, this reference architecture enables you to better understand how to accelerate your adoption of the cloud by building secure applications that also comply with federal agency guidelines. (more…)

ENISA Advances Cloud Adoption in Europe

AWS continually monitors how the work of international standards bodies affects how you run your regulated workloads in the cloud. As such, we were pleased to see a recent security-related announcement from the European Union Agency for Network and Information Security (ENISA). ENISA’s announcement addresses one of the most commonly asked questions by AWS customers who process or store data in the cloud: “With which compliance standards should I align?”

ENISA’s announcement of the latest Cloud Certification Schemes List (CCSL) and new Cloud Certification Schemes Metaframework (CCSM) is the latest step in its execution of the ongoing European Cloud Strategy. This announcement clarifies cloud adoption standards, and the guidance provided by CCSL is directed toward helping to streamline the process by which customers determine cloud compliance needs. (more…)

AWS Offers Criminal Justice Information Services (CJIS) Workbook

Amazon Web Services (AWS) recognizes that when law enforcement agencies place information in the cloud, they require timely and secure access to that information. AWS architecture provides a highly scalable and reliable platform that enables AWS customers to deploy applications and data quickly and securely in support of a wide variety of security and regulatory requirements, including those related to criminal justice.

In the spirit of the AWS Shared Responsibility Model, AWS has created a Criminal Justice Information Services (CJIS) Workbook in a security plan template format aligned to the CJIS Policy Areas. AWS customers who use this workbook will be able to manage regulatory CJIS workloads according to the CJIS Security Policy.

The workbook is intended to support AWS partners in the process of documenting their alignment posture with respect to CJIS security requirements. Furthermore, the security plan template provides AWS partner law enforcement agencies a systematic approach to documenting their implementation of CJIS security requirements for review and authorization. Finally, the workbook provides an overview of CJIS, AWS and AWS services, and the AWS/customer applicability of CJIS requirements.

This document is releasable under an AWS Non-Disclosure Agreement (NDA). Please contact your AWS point of contact for more details, or submit a request for more information to AWS Sales and Business Development.

– Chad Woolf, Director, AWS Risk and Compliance

AWS Frankfurt Region Opens—AWS Highlights European Data Protection

With the AWS Frankfurt Region officially launched, we’d like to share European and data protection–specific information we’ve published to assist AWS customers who want to store content containing personal data. This information can be found in the newly released Whitepaper on EU Data Protection, a key resource available to customers who want to use AWS to store content containing personal data or who have concerns about meeting data protection requirements.

The target audience for this whitepaper is any AWS customer who operates with and stores sensitive, regulated, or personal data, along with those who have questions about their regulatory data protection requirements and how to meet them. The whitepaper describes how you can use AWS services in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (also known as the “Directive”). (more…)

AWS GovCloud Earns DoD CSM Level 3-5 Provisional Authorization

I’m very excited to share that AWS has received the first ever U.S. Department of Defense (DoD) level 3-5 Provisional Authorization for the AWS GovCloud (US) region under the Defense Information Systems Agency’s (DISA) Cloud Security Model (CSM). AWS has been authorized for CSM levels 1-2 workloads for all US regions since March of this year. This new authorization allows DoD customers to conduct development and integration activities that are required to secure controlled unclassified information in AWS GovCloud at levels 3-5 of the CSM. Simply put, DoD agencies can now use AWS GovCloud’s compliant infrastructure for all but level 6 (classified) workloads.

Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The authorization sponsored by DISA will reduce the time necessary for DoD agencies to evaluate and authorize the use of AWS GovCloud. To learn more about the AWS DoD Authorizations, please visit the AWS DoD CSM FAQs page.

Our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog. DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center and the AWS Compliance Center.

– Chad Woolf, Director, AWS Risk & Compliance

New IAM Features: Enhanced Password Management and Credential Reports

The AWS IAM team recently released new credential lifecycle management features that enable AWS account administrators to define and enforce security best practices for IAM users.

We’ve expanded IAM password policies to enable self-service password rotation, on top of existing options to enforce password complexity. Furthermore, you can download reports for better visibility into the status of your IAM users’ AWS security credentials. These enhancements are designed to help you comply with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.

In this blog post, I’ll discuss a number of use cases enabled by this release.  (more…)
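The two features named above, an account password policy and the credential report, are what an auditor actually asks for when checking PCI DSS or ISO 27001 credential-lifecycle controls. The following is an added example (not code from the original post): it applies a password policy through a caller-supplied IAM client using the boto3 parameter names for UpdateAccountPasswordPolicy, and it audits a credential report, which is the CSV that GetCredentialReport returns (base64-encoded in the API response; decode it first). The 90-day window, the column subset, and the sample rows are all constructed for this example and are assumptions, not AWS defaults.

```python
"""Apply an IAM password policy and audit an IAM credential report.

Added example, not from the original post. SAMPLE_REPORT is a constructed
credential report (subset of the real columns); NOW is pinned so the
example is deterministic.
"""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

# boto3 parameter names for iam.update_account_password_policy(); values are an assumed baseline.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,   # the self-service rotation option from this release
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


def apply_password_policy(iam_client):
    """Push PASSWORD_POLICY to the account; iam_client is a boto3 IAM client supplied by the caller."""
    return iam_client.update_account_password_policy(**PASSWORD_POLICY)


# Constructed sample in the credential-report CSV layout (subset of columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-05T10:00:00+00:00,not_supported,2014-09-01T08:12:00+00:00,not_supported,false,true,2013-01-05T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2014-02-01T09:00:00+00:00,true,2014-10-20T14:00:00+00:00,2014-08-15T09:00:00+00:00,true,true,2014-09-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-06-10T09:00:00+00:00,true,2014-10-21T11:00:00+00:00,2013-06-10T09:00:00+00:00,false,true,2013-06-10T09:00:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2014-01-15T09:00:00+00:00,false,N/A,N/A,false,true,2014-03-01T09:00:00+00:00,true,2014-10-01T09:00:00+00:00
"""

NOW = datetime(2014, 10, 22, tzinfo=timezone.utc)  # fixed "now" for a reproducible audit
MAX_AGE = timedelta(days=90)                        # assumed rotation window


def _parse_ts(value):
    """Return a datetime for an ISO-8601 field, or None for N/A / not_supported / no_information."""
    if not value or value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return a list of (user, finding) tuples for credentials that violate the assumed policy."""
    findings = []
    for row in csv.DictReader(StringIO(report_csv)):
        user = row["user"]
        # Root should have no long-lived access keys and should be protected by MFA.
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA device"))
            continue
        # Console users: MFA enabled and password changed within the window.
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password enabled without MFA"))
            changed = _parse_ts(row["password_last_changed"])
            if changed is None or now - changed > max_age:
                findings.append((user, "password older than %d days" % max_age.days))
        # Access keys: every active key rotated within the window.
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] == "true":
                rotated = _parse_ts(row["access_key_%s_last_rotated" % n])
                if rotated is None or now - rotated > max_age:
                    findings.append((user, "access key %s not rotated in %d days" % (n, max_age.days)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%-15s %s" % (user, finding))
```

Run against a real report, the same function turns the new visibility into a repeatable control: the output is the list of users an assessor will ask about, and an empty list is the evidence that the rotation and MFA requirements are actually enforced rather than merely written down.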

Encryption for EBS Volumes Can Help You with Security and Compliance

On May 21, AWS launched encryption for EBS volumes, a frequently requested feature, which can help you meet stricter security and encryption compliance requirements. You can now create an encrypted EBS volume and attach it to an EC2 instance. Data on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption for data as it moves between EC2 instances and EBS storage.

Over on the AWS blog, Jeff Barr has a writeup with more details, and you can read more about EBS encryption in the EC2 documentation. Check it out!

– Ken

Redshift – FedRAMP AWS Security Blog Announcement


AWS is excited to announce that Amazon Redshift has successfully completed the FedRAMP assessment and authorization process and has been added to our list of services covered under our US East/West FedRAMP Agency Authority to Operate (ATO) granted by the U.S. Department of Health and Human Services (HHS). This is the first new service we’ve added to our FedRAMP program since getting our initial FedRAMP Agency ATO from HHS in May 2013.

With the addition of Redshift we now have six FedRAMP covered services in our US East/West FedRAMP package, including: EC2, VPC, S3, EBS, IAM and now Redshift.  The US East/West FedRAMP package has been updated so that all FedRAMP customers can assess, authorize, and use Redshift for their workloads. Redshift is not yet available in the GovCloud (US) region.

(more…)

AWS Secures DoD Provisional Authorization

I’m very excited to share that AWS has received a DISA Provisional Authorization under the DoD Cloud Security Model’s impact levels 1-2 for all four of AWS’s Infrastructure Regions in the U.S., including AWS GovCloud (US). With this distinction, AWS has shown it can meet the DoD’s stringent security and compliance requirements; and as a result, even more DoD agencies can now use AWS’s secure, compliant infrastructure. To learn more about the AWS DoD Provisional Authorization, please visit https://aws.amazon.com/compliance/dod-csm-faqs.

Built on the foundation of the FedRAMP Program, the DoD CSM includes additional security controls specific to the DoD. The Defense Information Systems Agency (DISA) assessed our compliance with those additional security controls and granted the authorization, which will reduce the time necessary for DoD agencies to evaluate and authorize the use of the AWS Cloud.

With today’s announcement, our services are listed in the DoD Enterprise Cloud Service Broker (ECSB) catalog, and DoD agencies can immediately request AWS DoD Provisional Authorization compliance support by submitting a Compliance Support Request to the AWS public sector sales and business development team. For more information on AWS security and compliance, please visit the AWS Security Center, https://aws.amazon.com/security, and the AWS Compliance Center, https://aws.amazon.com/compliance.

Chad Woolf
Director, AWS Risk & Compliance

New Whitepaper: Security at Scale: Logging in AWS

The newly released Security at Scale: Logging in AWS whitepaper is designed to illustrate how AWS CloudTrail can help you meet compliance and security requirements through the logging of API calls. The API call history can be used to track changes to resources, to perform security analysis and operational troubleshooting, and to aid in meeting compliance requirements. (more…)
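"Security analysis" of the API call history means reading the records CloudTrail delivers to S3 and picking out the calls that change your security posture. The following is an added example (not from the whitepaper or from AWS): it scans a log file in the delivered format, a JSON object whose `Records` array holds one object per API call with `userIdentity`, `eventSource`, `eventName`, `errorCode` and, for console sign-ins, `additionalEventData.MFAUsed`. The five records and the list of event names treated as sensitive are constructed for this example; the list is a starting point, not a complete catalogue.

```python
"""Flag security-relevant API calls in a CloudTrail log file.

Added example, not from the whitepaper. SAMPLE_LOG is constructed in the
shape CloudTrail writes to S3: {"Records": [...]}.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-22T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-10-22T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob", "policyName": "admin"}},
    {"eventTime": "2014-10-22T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2014-10-22T10:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "Default"}},
    {"eventTime": "2014-10-22T10:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "UnauthorizedOperation"},
]})

# Calls that change permissions, logging, or network exposure. Assumed starting list; extend it.
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"PutUserPolicy", "AttachUserPolicy", "CreateAccessKey", "CreateUser",
                          "UpdateAccountPasswordPolicy", "DeleteUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"},
}


def _actor(record):
    """Best available name for who made the call: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def scan_cloudtrail(log_text):
    """Return a list of (eventTime, actor, reason) alerts for the records in log_text."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        actor = _actor(rec)
        ident = rec.get("userIdentity", {})
        src, name = rec.get("eventSource"), rec.get("eventName")
        # Any root activity is worth review; root should not be used for day-to-day work.
        if ident.get("type") == "Root":
            alerts.append((rec["eventTime"], actor, "root account activity: %s" % name))
        # Console sign-ins that did not use MFA.
        if (src == "signin.amazonaws.com" and name == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append((rec["eventTime"], actor, "console login without MFA"))
        # Permission grants, trail tampering, firewall changes.
        if name in SENSITIVE_EVENTS.get(src, ()):
            alerts.append((rec["eventTime"], actor, "sensitive call %s" % name))
        # Denied calls: CloudTrail records the attempt, which is often reconnaissance.
        if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            alerts.append((rec["eventTime"], actor, "denied call %s (%s)" % (name, rec["errorCode"])))
    return alerts


if __name__ == "__main__":
    for when, who, why in scan_cloudtrail(SAMPLE_LOG):
        print(when, who, why)
```

Note that the last record is both sensitive and denied: the attempt is logged even though nothing changed, which is exactly why a `StopLogging` call from the same source address a few minutes earlier deserves the highest priority in the output.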