AWS Security Blog

Focus on Customers: Next Gen Compliance Enablers

AWS has substantially improved its compliance offerings with the ongoing development and release of next gen customer-focused compliance enablers that directly assist customers in 1) understanding how to apply legacy compliance requirements to an AWS environment, and 2) establishing a secure, compliant, and auditable AWS IT environment.

Traditionally our global customers have asked us for the standard audit reports, legal agreement terms, and control mapping documents they need to perform their due diligence on AWS. Our heavy investment in these kinds of compliance artifacts results in a mature, robust set of enablers that likely meet or exceed your compliance requirements and can assist you in performing your due diligence on AWS-owned controls. However, the bigger challenge has traditionally been left entirely to you, the customer: translating those artifacts into your company's security requirements and operationalizing a secure and auditable environment that will continue to meet all of the enterprise's compliance requirements over time.

We are evolving our compliance program by accelerating the development of next gen compliance artifacts. These new types of enablers build on the traditional compliance programs but focus directly on your efforts in establishing and operating your AWS security control environment by tying together governance-focused, audit-friendly AWS service features with applicable compliance or audit standards. Some of these new enablers include:

  • FFIEC Examiners Workbook. This workbook was developed by Coalfire, a global audit advisory firm, and is targeted at financial institutions, their examiners, and their advisors. It is designed to guide customers subject to FFIEC audits on the secure architecture, use, and audit of AWS services.
  • PCI Responsibility Matrix. This document was also developed by Coalfire (our PCI QSA) and is updated annually during the AWS PCI assessment. It describes the responsibility for the customer and for AWS for each of the PCI DSS controls and, because of its general applicability to IT security, has been used by a wide range of global customers to properly implement and audit an effective control environment in AWS.
  • IT-Grundschutz Certification Workbook. This workbook was developed by TUV TRUST IT, an independent auditing body with accredited IT-Grundschutz auditors, and provides a clear path and documentation framework to help enable customers to become certified for IT-Grundschutz on AWS.
  • CJIS Workbook. For our customers protecting criminal justice information on AWS, the AWS CJIS Workbook is a security plan template to document the implementation of CJIS Security Policy requirements. The completed template can be submitted to local law enforcement agencies for a CJIS review and authorization.
  • Auditing Your Security Architecture in AWS. This is a hands-on training bootcamp designed for risk managers and auditors that can be delivered in a classroom setting or taken at your own pace online. The course is intended to instruct participants on how to audit the security architecture and controls of core AWS services and features such as Amazon EC2, Amazon EBS, Amazon S3, Amazon VPC, AWS Identity and Access Management, AWS CloudTrail, Amazon Machine Images (AMIs), and AWS CloudFormation.

We believe providing more of this type of next gen compliance material is a more direct way to help you with this critical objective: continually meeting your organization's specific compliance obligations. At the same time we continue to mature our traditional (and complementary) compliance enablers, such as standard audit reports (e.g., our recent ISO 9001 certification) and legal agreement terms (e.g., our recent EU Model Clause announcement). Together, these two types of enablers make it more straightforward for you to move sensitive and regulated workloads into AWS and to maintain full compliance with a wide range of industry and geographic requirements.

Visit us at http://aws.amazon.com/compliance/ to download or request these and other resources. Let us know what you think of this new approach, or give us your ideas on other ways the AWS Compliance team can directly support your efforts to establish and manage your security and compliance program: awscompliance@amazon.com. You can also get more information from your AWS account representative, or contact the AWS business development team.

– Chad Woolf, Director, AWS Risk and Compliance