AWS Security Blog
New AWS services launch with HIPAA, PCI, ISO, and SOC – a company first
Our security culture is one of the things that sets AWS apart. Security is job zero — it is the foundation for all AWS employees and impacts the work we do every day, across the company. And that’s reflected in our services, which undergo exacting internal and external security reviews before being released. From there, we have historically waited for customer demand to begin the complex process of third-party assessment and validating services under specific compliance programs. However, we’ve heard you tell us you want every generally available (GA) service in scope to keep up with the pace of your innovation and at the same time, meet rigorous compliance and regulatory requirements.
I wanted to share how we’re meeting this challenge with a more proactive approach to service certification by certifying services at launch. For the first time, we’ve launched new GA services with PCI DSS, ISO 9001/27001/27017/27018, SOC 2, and HIPAA eligibility. That means customers who rely on or require these compliance programs can select from 10 brand new services right away, without having to wait for one or more trailing audit cycles.
Verifying the security and compliance of the following new services is as simple as going to the console and using AWS Artifact to download the audit reports.
- Amazon DocumentDB (with MongoDB compatibility) [HIPAA, PCI, ISO, SOC 2]
- Amazon FSx [HIPAA, PCI, ISO]
- Amazon Route 53 Resolver [ISO]
- AWS Amplify [HIPAA, ISO]
- AWS DataSync [HIPAA, PCI, ISO]
- AWS Elemental MediaConnect [HIPAA, PCI, ISO]
- AWS Global Accelerator [PCI, ISO]
- AWS License Manager [ISO]
- AWS RoboMaker [HIPAA, PCI, ISO]
- AWS Transfer for SFTP [HIPAA, PCI, ISO]
This proactive compliance approach means we move upstream in the product development process. Over the last several months, we’ve made significant process improvements to deliver additional services with compliance certifications and HIPAA eligibility. Our security, compliance, and service teams have partnered in new ways to implement controls and audit earlier in a service’s development phase to demonstrate operating effectiveness. We also integrated auditing mechanisms into multiple stages of the launch process, enabling our security and compliance teams, as well as auditors, to assess controls throughout a service’s preview period. Additionally, we increased our audit frequency to meet services’ GA deadlines.
The work reflects a meaningful shift in our business. We’re excited to get these services into your hands sooner and wanted to report our overall progress. We also ask for your continued feedback since it drives our decisions and prioritization. Because going forward, we’ll continue to iterate and innovate until all of our services are certified at launch.