Category: Compliance

PCI Compliance in the AWS Cloud

PCI compliance in the cloud is an important topic for many of our customers. Our PCI FAQ page has received more than 45,000 views, and we have issued our PCI compliance package directly to customers in all major regions and industry verticals. To build on our growing demand of PCI enablers, today we’re happy to announce the release of a new PCI compliance resource for customers. We’ve partnered with Anitian, a Qualified Security Assessor Company (QSAC), on the development and publication of a Workbook for PCI Compliance in the AWS Cloud. This workbook provides guidance around AWS service methodologies for deploying PCI compliance capability within AWS.

The new PCI workbook provides three sample reference architectures outlining the most common PCI-compliant environments:

  1. Dedicated – An AWS PCI environment that is not connected to anything else.
  2. Segmented – A larger AWS environment that has both a Card Data Environment (CDE) and in-scope systems.
  3. Connected – An environment that has both AWS and on-premises items.

Additionally, the workbook contains general guidance and strategies for using AWS services to meet the twelve top-level PCI requirements, as well as links and tips for configuring the use of AWS in a PCI-compliant manner.

Please contact us with questions about complying with financial service regulations or meeting your compliance requirements in the cloud.

– Chad Woolf, Director, AWS Risk and Compliance

FERPA Compliance in the AWS Cloud

The security of personally identifiable information (PII) continues to be an important topic among all sectors, and education is no exception. Covered entities subject to FERPA are turning to cloud computing as a highly efficient way to manage and secure vast amounts of educational records and student data. To bring clarity to securing student data and privacy, we recently published a FERPA Compliance on AWS whitepaper.

As background, the primary intent of the Family Educational Rights and Privacy Act (FERPA) is to protect student identities and the privacy of their educational records, PII, and directory information. Security is a core functional requirement of FERPA, requiring mission-critical information to be protected from accidental or deliberate theft, leakage, integrity compromise, and deletion. The FERPA Compliance on AWS whitepaper is designed to assist educational agencies and institutions that are considering the use of Amazon Web Services (AWS) for educational data.

New SOC 1, 2, and 3 Reports Available — Including a New Region and Service In-Scope

We are now in our sixth year of regularly publishing comprehensive independent audit reports attesting to our alignment with globally accepted security best practices. We have just completed our thorough and extensive semiannual audit and are happy to announce that Amazon Simple Queue Service (SQS) and our newest region in Europe (Frankfurt) are now in-scope for all our SOC reports. The expanding list of services and regions incorporated into our compliance program enables you and your stakeholders to validate that AWS has obtained independent auditor assurance of the design and operation of our controls.

We make SOC 1 (Type 2) and SOC 2 (Type 2) reports available to customers upon request, and we make our SOC 3 report available publicly. To help you understand these reports and the uses for each, we’ve included the following descriptions of the reports.

Staying Ahead of the Curve–Customer Enabler AWS OCIE Cybersecurity Initiative Workbook

We focus on enabling our customers to scale their security and compliance capabilities on AWS, and we enhance our customers’ ability to meet a wide variety of security and regulatory requirements. With a continued focus on our customers’ regulatory needs in the financial services sector, we created another customer-facing workbook, which aligns the new US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative requirements with the existing AWS compliance reports and certifications. This AWS OCIE Cybersecurity Initiative Workbook will directly support our financial services customers in meeting their obligations related to these new requirements and in establishing and operating a risk alert program compliant with the OCIE Cybersecurity Initiative.

The OCIE Cybersecurity Initiative was designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. The Risk Alert topics’ recommended risk treatments are in direct alignment with AWS’s highly secure infrastructure.

Please contact us with questions about complying with financial service regulations or meeting your compliance requirements in the cloud.

– Chad Woolf, Director, AWS Risk and Compliance

Amazon Redshift and Amazon RDS Now Support Encryption via AWS Key Management Service in the AWS GovCloud (US) Region

Today, Amazon Redshift and Amazon RDS (for MySQL, PostgreSQL, Oracle, and SQL Server) released support for encryption using AWS Key Management Service (KMS) in the AWS GovCloud (US) region. Using keys under your control, you can now encrypt Amazon RDS DB instances (MySQL, PostgreSQL, Oracle, and SQL Server) and Amazon Redshift clusters in AWS GovCloud (US).

With the launch of these features, KMS in AWS GovCloud (US) is now integrated with Amazon S3, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic MapReduce (Amazon EMR), Amazon RDS, and Amazon Redshift.

To get started in the AWS GovCloud (US) region, contact us today!

– Sree

Using AWS in the Context of CESG UK’s Cloud Security Principles

Last year, CESG UK published the Cloud Security Guidance documents for public sector organizations that are considering the use of cloud services for handling information classified as OFFICIAL. The guidance aims to help public sector organizations make informed decisions about cloud services and choose a cloud service that balances business benefits and security risks. In relation to this, the legacy Impact Level accreditation scheme has been phased out and is no longer the mechanism used to describe the security properties of cloud services.

To provide you with guidance regarding the Cloud Security Principles and to help you make an informed decision when performing risk assessments, we have published a whitepaper called Using AWS in the Context of CESG UK’s Cloud Security Principles.

Security Best Practices: Compliance Beyond the Check Box–Register For and Attend the Webinar

Update: The slides from this webinar are now available.
As part of the AWS Webinar Series, AWS will present Security Best Practices: Compliance Beyond the Check Box on Tuesday, April 28. This webinar will start at 10:30 A.M. and end at 11:30 A.M. Pacific Time (UTC-7).

Principal Solutions Architect Bill Shinn will help you understand how to take advantage of AWS compliance to not only meet “check box” requirements, but also to use AWS compliance tools such as AWS CloudTrail and AWS Config to improve the security and risk posture of your organization.

The webinar is free, but space is limited and registration is required. Register today.

– Paul

DoD-Compliant Implementations in the AWS Cloud

Our US federal customers are finding interesting and exciting ways to use the AWS cloud for their IT infrastructure and data management. Our focus on these customers remains a high priority for AWS Compliance, and to further our efforts in providing customer-focused compliance enablers, we have updated our existing Department of Defense (DoD) whitepaper. This update now reflects the current requirements of the DoD Cloud Computing Security Requirements Guide (CCSRG).

With the updated reference architectures detailed in DoD-Compliant Implementations in the AWS Cloud, DoD mission owners can proceed with designing, deploying, and managing applications on AWS in a manner that complies with the CCSRG requirements that must be satisfied by the mission owner.

Additionally, we have created a centralized DoD website, in order to provide a wider variety of security guidance to our DoD customer base. On this newly expanded site, you will find links to a range of resources, including whitepapers, online documentation, and security videos. You can also request a partner package that will enhance your ability to compile the authorization package for your application.

Please contact us with questions about complying with DoD regulations or meeting your compliance requirements in the cloud.

– Chad Woolf, Director, AWS Risk and Compliance

Focus on Customers: Next Gen Compliance Enablers

AWS has radically improved cloud service provider compliance offerings with the ongoing development and releases of next gen customer-focused compliance enablers that directly assist customers in 1) understanding how to apply legacy compliance requirements to an AWS environment, and 2) establishing a secure, compliant, and auditable AWS IT environment.

Traditionally, our global customers have asked us for the standard audit reports, legal agreement terms, and control mapping documents they need to perform their due diligence on AWS. Our heavy investment in these kinds of compliance artifacts results in a mature, robust set of enablers that likely meet or exceed your compliance requirements and can assist you in performing your due diligence on AWS-owned controls. However, the bigger challenge is traditionally left completely up to you, the customer: translating those artifacts into company security requirements and operationalizing a secure and auditable environment that will meet all of the enterprise’s compliance requirements over time.

New Security and Compliance Workbook: IT-Grundschutz

AWS Compliance has made available a new security and compliance workbook for AWS customers who are subject to the German Federal Office for Information Security (BSI) IT Baseline Protection methodology (IT-Grundschutz).

IT-Grundschutz Compliance on Amazon Web Services is a new customer workbook that was developed and published by TÜV TRUST IT GmbH TÜV Austria Group, an independent body. This workbook provides a documentation framework meant to assist customers who seek to pursue certification for IT-Grundschutz using AWS. AWS Compliance engaged TÜV TRUST IT to develop this workbook as a customer-focused compliance tool.