Category: Compliance

Learn About re:Invent 2015 Compliance Sessions

As I mentioned previously, the breakout sessions for the Security & Compliance track at re:Invent 2015 have been announced. And in my most recent re:Invent post, I focused on the AWS Identity and Access Management (IAM) sessions that will be offered as part of the Security & Compliance track.

Today, I want to highlight the AWS Compliance Summit at re:Invent as well as the compliance sessions that will be presented as part of the Security & Compliance track. If you are going to re:Invent this year, you can add these sessions to your schedule now.

GEN117 – AWS Compliance Summit

Want to learn more about compliance in the cloud? Attend the AWS Compliance Summit, where key verticals such as Financial Services, Government and Public Sector, and Healthcare and Life Sciences will be discussed, along with customer use cases and prescriptive guidance from AWS subject matter experts.

re:Invent 2015: All Security and Compliance Track Breakout Sessions

If you will be attending re:Invent 2015 in Las Vegas next month, you know that you’ll have many opportunities to learn more about AWS security at the conference. The following breakout sessions make up this year’s Security and Compliance track. Look for blog posts in the coming three weeks highlighting some of these breakout sessions as the October 6 start date approaches.

Didn’t register before the conference sold out? All sessions will be recorded and made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.


Need NIST Compliance in the AWS Cloud? AWS Compliance Has You Covered: NIST 800-171


AWS’s security posture benefits you in many ways, one of which is that you are building on a platform that is audited extensively by independent third-party assessors. At times, these audits confirm that we can meet new requirements as soon as they are issued, and this is the case for NIST Special Publication 800-171, which was released in June 2015. This guidance applies to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.

AWS already meets these guidelines, and customers can effectively comply with NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline against which we have already been audited as part of our FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and it includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data. A detailed mapping is available in NIST Special Publication 800-171, starting on page D2 (which is page 37 in the PDF).

With this in mind, federal customers can move forward with migrating CUI workloads to AWS, with the knowledge that AWS can maintain compliance with US federal security requirements as they evolve.

Please contact us with questions about NIST, FedRAMP, and any other security assurance questions you may have.

– Chad Woolf, Director of AWS Risk and Compliance

New Australian IRAP FAQ and Hub Page


Positive news for our Australian customers: we recently launched a compliance hub and FAQ page for Australian government customers, and for their assessors under the Information Security Registered Assessors Program (IRAP), on implementing the Australian Signals Directorate’s (ASD) Information Security Manual (ISM). The new hub and FAQ address many of the questions that Australian government customers have about using AWS to build ISM-compliant workloads, and illustrate how Australian government customers can take advantage of the compliance packages that we have created to support their accreditation efforts.

Drawing on whitepapers, videos, and online documentation, the page brings together numerous pieces of guidance related to protecting and securing workloads on AWS. It also explains the requirements for accessing the IRAP compliance package and describes its contents, as well as the other compliance reports that are available for use.

Don’t Miss AWS re:Invent—Sign Up for the Livestream Broadcasts


September 16 update: The full schedule is now included below.

Even though AWS re:Invent 2015 is sold out, you can still get the latest announcements and product information by viewing our Livestream Broadcasts of the keynotes and select technical breakout sessions. Sign up for the Livestream Broadcasts now.

New Whitepaper: CJIS Compliance on AWS


AWS is an attractive environment for regulated data, including Criminal Justice Information (CJI) subject to the Criminal Justice Information Services (CJIS) Security Policy. AWS customers have used the AWS cloud for a wide range of sensitive federal and state government workloads, including CJI data. Law enforcement customers and partners who manage CJI are taking advantage of AWS services to both comply with the Federal Bureau of Investigation’s policy and dramatically improve the security and protection of CJI data by using:

Our latest whitepaper, CJIS Compliance on AWS, details how AWS services can be used to comply with CJIS requirements, what AWS services make possible within the framework of CJIS, and the division of responsibilities between AWS and CJIS customers.

Additionally, AWS has evaluated the 13 policy areas and the 131 security requirements and has determined that 10 controls can be directly inherited from AWS, 78 controls are shared between AWS and the CJIS customer, and 43 controls are customer-specific. AWS has documented these requirements in a detailed control workbook, which can be requested under an NDA: AWS CJIS Security Policy Workbook.

Chad Woolf
Director, AWS Risk and Compliance

2015 AWS PCI Compliance Package Now Available

We’re happy to announce the availability (upon request) of the 2015 AWS PCI Compliance Package, an assessment completed against the newly released PCI Data Security Standard (PCI DSS) Version 3.1. The PCI DSS is a globally accepted security standard that customers use to support a wide range of sensitive workloads, including the processing and storage of sensitive payment card data.

The PCI Compliance Package includes our AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against the standards applicable to a Level 1 service provider under PCI DSS Version 3.1. It also contains our independent assessor’s revised and expanded AWS PCI Responsibility Summary, which describes the shared responsibility of customers and AWS for each of the 200+ PCI DSS controls. This document will help 1) those who need to manage a PCI cardholder data environment on AWS, and 2) any customer looking to better understand which controls they are responsible for operating in order to build and run a highly secure environment on AWS.

Amazon Web Services now features 23 in-scope services for PCI, including the latest additions of AWS CloudFormation, Amazon CloudFront, AWS Elastic Beanstalk, and AWS KMS. Additionally, AWS continues to be a Validated Service Provider with Visa and MasterCard, which means that both organizations have received our updated AoC and have accepted and recognized our compliance with the PCI DSS standard.

How do you request an AWS PCI Compliance Package?

To request a 2015 AWS PCI Compliance Package, please contact AWS Sales and Business Development. Learn more about AWS PCI Compliance Reports by visiting the PCI DSS Level 1 Compliance FAQs page.

You can also visit the AWS Compliance website to learn more about AWS compliance programs.

Chad Woolf
Director, AWS Risk and Compliance

Updated HIPAA Whitepaper Now Available

To provide guidance about how to leverage Amazon Web Services (AWS) to develop applications that meet HIPAA and HITECH compliance requirements, we recently updated the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper.

The advancements and growth of healthcare technology have been an accelerating force behind the continued adoption of cloud computing, creating exciting new horizons for research and patient care. However, these innovative and creative healthcare programs can be difficult to drive to technical completion within the framework of federal standards.

This whitepaper provides information about how to use AWS’s HIPAA-eligible services to architect HIPAA solutions and to encrypt and protect data in the AWS cloud. It also gives guidance on the use of AWS Key Management Service for encryption of protected health information (PHI) and outlines auditing, backup, and disaster recovery considerations.

– Chad

How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC

The PCI DSS requirements for encryption of data in transit are different for private networks than for public networks. When correctly designed, Amazon Virtual Private Cloud (Amazon VPC), a logically isolated portion of the AWS infrastructure that allows you to extend your existing data center network to the cloud, can be considered a private network as defined by the Payment Card Industry Data Security Standard (PCI DSS).

In this blog post, I will review the importance of understanding the logical isolation provided by Amazon VPC and then cover some of the key points to consider when designing PCI workloads that need to transmit sensitive data within or outside the AWS infrastructure. I will also demonstrate how you can use the native isolation provided by Amazon VPC for additional security.
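As an added example that is not part of the original post, the following Python audits which subnets in a VPC have routes that leave the VPC’s isolation boundary, which is the first thing to establish before treating traffic inside the VPC as traversing a private network. The route-table and subnet records are constructed to mirror the shape of the EC2 DescribeRouteTables and DescribeSubnets responses; the IDs and CIDRs are hypothetical, and the rule that any active route whose target is not `local` means traffic can leave the VPC is this example’s assumption, not a statement from the post.

```python
"""Classify VPC subnets by whether their route table can send traffic
outside the VPC.

The sample data below is constructed to mirror the shape of the EC2
DescribeRouteTables / DescribeSubnets responses; it is not a capture
from a real account and all identifiers are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

VPC_ID = "vpc-0000example"  # hypothetical identifier

# Constructed: the VPC's main route table (no explicit subnet association)
# and a second table with a default route to an internet gateway.
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-main",
        "VpcId": VPC_ID,
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
    },
    {
        "RouteTableId": "rtb-public",
        "VpcId": VPC_ID,
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000example", "State": "active"},
        ],
        "Associations": [
            {"Main": False, "RouteTableId": "rtb-public", "SubnetId": "subnet-web"},
        ],
    },
]

# Constructed: one subnet explicitly associated with rtb-public, one that
# falls back to the main table.
SUBNETS: List[dict] = [
    {"SubnetId": "subnet-web", "VpcId": VPC_ID, "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-db", "VpcId": VPC_ID, "CidrBlock": "10.0.2.0/24"},
]


def route_table_for(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """Return the route table governing subnet_id: the explicitly associated
    table if one exists, otherwise the VPC's main table (EC2 semantics)."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def external_routes(rtb: dict) -> List[Tuple[str, str]]:
    """Active routes whose target is anything other than the VPC-local router.

    Assumption of this example: any such route (internet gateway, NAT,
    virtual private gateway, peering, instance ENI) lets traffic leave the
    VPC's isolation boundary and so needs the public-network treatment.
    """
    found = []
    for route in rtb.get("Routes", []):
        if route.get("State", "active") != "active":
            continue
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("VpcPeeringConnectionId") or route.get("InstanceId")
                  or route.get("NetworkInterfaceId") or "")
        if target != "local":
            found.append((route.get("DestinationCidrBlock", "?"), target))
    return found


def classify_subnets(subnets: List[dict], route_tables: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each subnet ID to the routes that leave the VPC.

    An empty list means traffic from that subnet can only reach destinations
    inside the VPC via the local router.
    """
    result = {}
    for subnet in subnets:
        rtb = route_table_for(subnet["SubnetId"], route_tables)
        result[subnet["SubnetId"]] = external_routes(rtb) if rtb else []
    return result


if __name__ == "__main__":
    for subnet_id, routes in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        if routes:
            print(f"{subnet_id}: traffic can leave the VPC via {routes}")
        else:
            print(f"{subnet_id}: VPC-internal routes only")
```

In practice the same functions would be fed the live output of describe_route_tables and describe_subnets for the VPC that carries cardholder data; any subnet reported with external routes is one whose outbound paths cannot rely on the private-network argument and must carry their own encryption in transit.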

Introducing s2n, a New Open Source TLS Implementation


At Amazon Web Services, strong encryption is one of our standard features, and an integral part of that is the TLS encryption protocol (the successor to SSL). TLS is used with every AWS API and is also available directly to customers of many AWS services, including Elastic Load Balancing (ELB), AWS Elastic Beanstalk, Amazon CloudFront, Amazon S3, Amazon RDS, and Amazon SES.

The last 18 months or so have been an eventful time for the TLS protocol. Impressive cryptographic analysis highlighted flaws in several TLS algorithms that are more serious than previously thought, and security research revealed issues in several software implementations of TLS. Overall, these developments are positive and improve security, but for many they have also led to time-consuming operational events, such as software upgrades and certificate rotations.

Part of the challenge is that the TLS protocol, including all of its optional extensions, has become very complex. OpenSSL, the de facto reference implementation, contains more than 500,000 lines of code with at least 70,000 of those involved in processing TLS. Naturally, with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency.

In order to simplify our TLS implementation, and as part of our support for strong encryption for everyone, we are pleased to announce the availability of a new open source implementation of the TLS protocol: s2n. s2n is a library designed to be small and fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today it is just over 6,000 lines of code. As a result, we have found that s2n is easier to review; we have already completed three external security evaluations and penetration tests of s2n, a practice we will continue.