AWS Security Blog

Spring SOC Report Now Available—Amazon WorkMail Now in Scope


Today, I’m pleased to announce that we have completed our semiannual AWS Service Organization Control (SOC) assessments and the reports are available to NDA customers now.

The AWS SOC program is an intense, period-in-time audit performed every six months. We have been releasing AWS services SOC Reports (or their SAS 70 predecessors) regularly since 2009, and we have gradually added more controls and services in scope over the years. These third-party assessments from Ernst & Young are comprehensive attestations to our alignment with the American Institute of Certified Public Accountants (AICPA) Security and Availability Trust Service Principles. The SOC program continues to be a key component of our efforts to provide transparency to our global customer base around information security, confidentiality, and privacy.

The AWS SOC Reports cover the US East (N. Virginia), US West (Oregon), US West (N. California), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) regions, as well as AWS Edge locations. Visit the AWS website for more information about the AWS Global Infrastructure.

For this latest period’s SOC 2 and SOC 3 Reports, AWS was assessed against the latest edition of the TSP Section 100, which the AICPA released in March 2016. Amazon WorkMail is now also in scope for our SOC Reports. This increases the number of services covered in our SOC Reports to 26, and with 34 AWS Edge Locations also in scope, AWS customers can satisfy a variety of audit use cases.

Our updated AWS SOC 1 and SOC 2 Security and Availability Reports cover the report period of October 1, 2015, through March 31, 2016, and will continue to be reaffirmed in a six-month cadence. To request the latest SOC 1 or SOC 2 Report, contact AWS Sales and Business Development. Alternatively, depending on your compliance needs, the SOC 3 Report is publicly available for download via our AWS Cloud Compliance website, or directly as a PDF.

If you have additional questions about SOC Reports, see our SOC Compliance FAQ on the topic. To see all publicly available certifications, see Compliance Resources. To keep up with the latest AWS Compliance news, see AWS Compliance – Latest News.

– Chad Woolf, Director of AWS Risk and Compliance



Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah.