AWS Security Blog

New SOC 1, 2, and 3 Reports Available — Including a New Region and Service In-Scope


We are now in our sixth year of regularly publishing comprehensive independent audit reports attesting to our alignment with globally accepted security best practices. We have just completed our thorough and extensive semiannual audit and are happy to announce that Amazon Simple Queue Service (SQS) and our newest region in Europe (Frankfurt) are now in-scope for all our SOC reports. The expanding list of services and regions incorporated into our compliance program enables you and your stakeholders to validate that AWS has obtained independent auditor assurance of the design and operation of our controls.

We make SOC 1 (Type 2) and SOC 2 (Type 2) reports available to customers upon request, and we make our SOC 3 report available publicly. To help you understand these reports and the uses for each, we’ve included the following descriptions of the reports. 

AWS SOC 1 (Formerly SSAE 16/ISAE 3402)

The AWS SOC 1 report focuses on AWS’s processes and controls relevant to our customers’ financial reporting. Many AWS customers use the AWS SOC 1 as an integral part of their Sarbanes-Oxley efforts and other security and compliance initiatives where key controls operated by AWS are evaluated and validated.

AWS SOC 2 – Security & Availability

The AWS SOC 2 report focuses on the security and availability controls operated by AWS, as defined by the American Institute of Certified Public Accountants (AICPA) Security Trust Principles. A wide range of AWS customers, including but not limited to customers in the technology, healthcare, banking, and financial services industries, use this report to meet security control and compliance requirements based on the AICPA’s mature industry control criteria.

AWS SOC 3 – Security & Availability

The SOC 3 report is a public report. It is a summarized version of the SOC 2 report and enables you to validate that AWS has completed a favorable independent audit against the AICPA’s Security Trust Principles.

How to get AWS SOC reports

You can download the AWS SOC 3. To request the latest SOC 1 or SOC 2 reports, please contact AWS Sales and Business Development. You can also visit the AWS Compliance website to learn more about these reports. To see all publicly available certifications, visit AWS Published Certifications, and to keep up with the latest AWS Compliance news, visit AWS Compliance – Latest News.

– Chad Woolf, Director, AWS Risk and Compliance



Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.