Security and Compliance for Australia and New Zealand

Learn how organisations are keeping their data secure and meeting their local compliance standards across Australia and New Zealand (ANZ).

Security is a top priority at Amazon Web Services (AWS).

Customers in Australia and New Zealand use the AWS Cloud to store confidential data, process sensitive transactions and build critical services. Choose AWS’s world-class infrastructure and benefit from AWS’s secure and resilient environment to protect your information and build applications that enable your business. Learn about Australia and New Zealand’s data privacy and security compliance requirements from our Security and Privacy Knowledge Hub for Australia and New Zealand, and see how AWS can help you meet or exceed your security goals.

Hear from our AWS Director of Technology and Transformation for Public Sector in ANZ

Stay up-to-date

What is AWS security in Australia and New Zealand?

What is AWS security in Australia and New Zealand?

Watch our quick 3-minute video to learn more about AWS security in Australia and New Zealand.

AWS achieves Strategic Hosting Provider certification

AWS achieves Strategic Hosting Provider certification

AWS has achieved Strategic Hosting Provider certification under the Australian Government’s Hosting Certification Framework (HCF), which means government agencies can continue to innovate at a rapid pace and be confident that AWS meets the government’s requirements to support the secure management of government systems and data.

Blog: AWS Partner Network steps up to support Australian governments during a time of crisis

Blog: How AWS Partners are helping local customers to be secure in the cloud

Improving cybersecurity capability can help organisations to better calculate residual risk, respond quickly to threats, and accelerate their move to the cloud. AWS Partners is here to help do the heavy lifting for customers by specialising in AWS Security Competencies.

New 2021 H1 IRAP report is now available on AWS Artifact for Australian customers

New 2021 H1 IRAP report is now available on AWS Artifact for Australian customers

We are excited to announce that an additional 15 AWS services are now assessed to be in scope for Information Security Registered Assessors Program (IRAP) after a successful incremental audit completed in June 2021 by independent ASD (Australian Signals Directorate) certified IRAP assessor.

Data privacy in Australia and New Zealand

Australia Data Privacy

The Australian Privacy Principles (APPs) set out in the Australian Privacy Act 1988 (Cth) impose requirements for collecting, managing, dealing with, using, disclosing and otherwise handling personal information. The APPs set out data protection principles to protect the privacy of individuals.

New Zealand Data Privacy

New Zealand, like most countries, has enacted legislation that enables New Zealand law enforcement and government security bodies to seek access to information, including the New Zealand Security Intelligence Service Act 1969 and the Government Communications Security Bureau.

Data privacy FAQs

AWS gives you ownership and control over your content through simple, powerful tools that allow you to determine where your content will be stored, secure your content in transit and at rest, and manage your access to AWS services and resources for your users.

Meet your local compliance goals

Data privacy

Using AWS in the context of Australian privacy considerations

This whitepaper focuses on typical questions asked by AWS customers when they are considering the implications of the Australian Privacy Act on their use of AWS services to store or process content containing personal information.

Data privacy

Using AWS in the context of New Zealand privacy considerations

This document provides information to assist customers who want to use AWS to store or process content containing personal information, in the context of key privacy considerations and the New Zealand Privacy Act 2020 (NZ).

AWS Compliance

AWS Compliance

Learn more about our compliance offerings and the benefits of using AWS to meet standards around the globe.

Meeting government compliance requirements

Information Security Registered Assessors Program (IRAP) PROTECTED Program

ISM assessed AWS Cloud services as compliant. An independent IRAP assessor examined the AWS controls including people, processes, and technology against the requirements of the ISM. This assessment provides assurance that, in respect of the products that AWS has in place, the applicable controls required for Australian government workloads at the PROTECTED level are implemented.

Learn more »

Meeting financial services compliance requirements

Australian Prudential Regulation Authority (APRA)

Learn about the legal and regulatory requirements in Australia and New Zealand that may apply to AWS financial institution customer's use of AWS services.

Australia Compliance Centre »

New Zealand Compliance Centre »

Hear from our local customers

  • Commonwealth Bank
  • Commonwealth Bank

    The Commonwealth Bank (CBA) is Australia's leading provider of integrated financial services. CBA’s purpose is to improve the financial well-being of customers and communities. CBA offers products and services in retail banking, insurance, investing and superannuation, business, and institutional banking. CBA’s priorities are to lead Australia’s recovery and transition, reimagine products and services, deliver global best digital experiences and technology, and have simpler, better foundations.

    CBA has been using AWS since the launch of the AWS Sydney Region in 2012. CBA extensively uses AWS services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon GuardDuty, AWS Security Hub, and AWS Shield. CBA has collaborated with AWS Professional Services since 2017 to build their first and second generation AWS Cloud platform to securely build, host, and operate their public website, mobile banking app, wealth management portal, retail share trading web application, and, most recently, their open banking solution.

    “Cybersecurity is a team sport, and it’s important to us that we partner with organisations that have a strong security culture,” explains Keith Howard, CBA’s CISO. “In partnering with AWS, we are able to use a suite of sophisticated cloud native security services to intelligently protect our customers in real time. We also value the global access to AWS service teams and deep security and risk specialists who support us to continuously optimise our capabilities.”

    Commonwealth Bank
  • Australia Post
  • Australia Post

    Australia Post is a government business enterprise (GBE) that’s completely self-funded with both commercial and community service obligations.

    In 2018, the organisation experienced account and role proliferation in their AWS environments leading to challenges in applying security governance, privilege escalation risks, and strain on operation teams who needed to manually configure roles and privileges in every AWS account. The AWS Professional Services team helped conduct a full security review and risk assessment in the environment. Following this, Australia Post launched the Security Uplift Program to address governance at scale. This includes the delivery of a DevSecOps pipeline, consolidation of roles and privileges and an automated solution using serverless architecture to auto provision federated AWS Identity and Access Management (IAM) roles to Identity Provider and assignment to active directory groups.

    “We want to make security as invisible to the developers as possible. We don’t want them to have to think about security; it should just happen. We’re paying $5 a month to run a process that’s going to remediate any violations against your security policy within 30 to 45 seconds. We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach. If we were trying to tackle these sorts of things without the help of automation, we might be talking about hours, days, weeks to remediate. And the reality is you’ve got a repeatable process here, and you’re going to get that same remediation and that same level of service every single time. Using AWS native tools is very important to help us get that improved coverage. Our compliance levels are through the roof, and it’s easy to track that. If you went out and bought a product that does this it would cost thousands of dollars per month. Now we are doing over 70,000 checks a month, and growing, and it costs us $5 per month. We can keep adding to this and the costs only go up a tiny little bit.” – Steven Stojanovski, Head of Security, Education, and Culture, and Jason Gorringe, Manager of Cloud Services, Australia Post, 2019

    Australia Post

    Founded in 1996, KINNECT is one of the leading privately owned occupational health companies in Australia. KINNECT is the only company in this space to have developed their own SaaS platform, Carelever. Carelever enables companies to effectively manage their people’s occupational health in real time with preventative services (pre-employment assessments), injury management (returning injured people back to work) and health surveillance (monitoring the ongoing health of their people). KINNECT’s deep discipline specific knowledge of people’s health allows them to innovate with their clients to enable technology enabled occupational health solutions.

    Carelever wanted to minimise all operational overhead and they did not wish to spend time patching and managing their underlying infrastructure. As such, they leverage services such as Amazon Elastic Container Service (ECS) and AWS Certificate Manager (ACM). Also requiring auditability and governance, KINNECT leverage AWS CloudTrail for an immutable audit log of all of their API calls, and AWS Config for governance over their environment. Finally, they use AWS WAF (Web Application Firewall) to protect their web application from layer 7 attacks, and AWS CloudFormation to ensure consistent deployments across environments.

    "Confidential healthcare data needs not only a highly secure and safe environment but an efficient one too," says Kevin Conlon, Chief Executive and founder of Carelever. "Since 2012 when we started our journey with AWS, the solutions they've provided us are world-class. Moreover, the team has taken the time to really understand our business needs and really helped us to create a scalable, secure and robust platform. We are delighted to count AWS as one of our integral partners."

  • nib
  • nib

    nib Group (nib) is a trusted international health partner, empowering their members to make better decisions and improve health outcomes through greater accessibility to affordable health services and information. nib have a mission and vision of people enjoying better health. Through its success, nib aspires to more prosperous and sustainable communities, not only the creation of enterprise value.

    nib achieved a major milestone in the Australian cloud technology landscape with the successful migration of the system of record for their corporate health insurance business. The health insurer’s number one priority has always been to ensure the security of its members’ information. They worked hard to create strong security controls and supporting documentation for adhering to and maintaining the standards demanded by the regulator, as well as their own privacy policy. To achieve this, nib uses a number of AWS security services, including AWS Key Management Service (AWS KMS) to manage cryptographic keys and encrypt their data, AWS Secrets Manager to protect and rotate their passwords and other credentials, and Amazon GuardDuty to monitor their AWS environment for suspicious or malicious activity.

    “We are an international organisation so we come under both local and global regulatory compliance which means ensuring we meet the expectations of a range of regulators. That’s why we use AWS Trusted Advisor and the Well Architected Framework as it gives us independent guidance on what our maturity and capability looks like,” Wayne Bozza, Head of Cyber Security – nib Group

  • Canva
  • Canva

    Canva’s mission is clear: empower everyone in the world to design anything and to publish anywhere. Millions across the globe use the company’s online design services to create social media graphics, presentations, posters, documents, and other visual content.

    To complement their already strong security posture, Canva worked with AWS Professional Services to build a cloud-based cyber activity data lake. The approach provides new threat detection and digital investigation capabilities. Within the data lake, Amazon Elasticsearch Service (now Amazon OpenSearch Service) indexes big datasets and allows Canva to store vast amounts of historical data to facilitate the analysis of past cyber activity. Other key components include AWS Glue to extract and transform the data, Amazon Kinesis Data Streams to analyze the data, and Amazon S3 to maintain the dataset.

    “We have better security situational awareness thanks to AWS Professional Services. We know in real time what is currently going on and what has transpired,” says Moe Abbas, cloud platform lead for Canva.

  • Pushpay
  • Pushpay

    Pushpay build world-class giving and engagement solutions to help organisations grow their communities. Their purpose is to bring people together by strengthening community, connection, and belonging. Pushpay have over 450 staff across Colorado Springs, Redmond and Auckland.

    Since moving to AWS in 2017, Pushpay have taken advantage of the latest in virtualization and managed services to deliver innovative solutions for their customers. From Amazon EC2 Auto Scaling to provide capacity, Amazon Elastic Container Service (ECS) for container based workloads, AWS Lambda for serverless applications, Amazon DynamoDB for unrivaled database scalability to Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3) and Amazon CloudFront, Pushpay have intentionally moved to a modern set of cloud-native architectures across their platform. In order to maintain PCI DSS Level-1 certification and the trust of customers, Pushpay had to ensure that their innovation under no circumstances compromised their primary concern - Security.

    With Amazon GuardDuty they have all the capabilities of a world class threat and anomaly detection service that natively understands the changing landscape of running services in the cloud. Meanwhile AWS Shield Advanced, CloudFront and AWS WAF enable Pushpay to respond to any emerging threats, often without any intervention on their part. The constant improvement of these services, particularly GuardDuty, has reinforced their confidence that AWS is the right partner to help them deliver on their promises to their customers.

Security and compliance resources

Security and compliance resources

Explore more security and compliance resources for the public sector.

AWS Cloud infrastructure in Australia and New Zealand

Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to meet the most stringent security requirements in the world, our infrastructure is monitored 24/7 to help with the confidentiality, integrity, and availability of your data. We automatically encrypt all data flowing across the AWS global network that interconnects our data centers and Regions at the physical layer before it leaves our secured facilities.

Australia and New Zealand Regions and edge locations

AWS customers choose the AWS Region(s) in which their content is stored. AWS will not move or replicate your content outside of your chosen AWS Region(s) without your consent, except in each case as necessary to comply with the law or a binding order of a governmental body. Choose the AWS Region(s) that are appropriate for your need. 

AWS Region in Sydney, Australia

With an AWS Region in Sydney, Australia, AWS customers in Australia can now enjoy fast, low-latency access to the suite of AWS infrastructure services. We also have an edge location for Amazon Route 53 and Amazon CloudFront in Sydney.

AWS Region in Melbourne, Australia

The Asia Pacific (Melbourne) region is in the works and will open in the second half of 2022 with three Availability Zones. In addition to the Asia Pacific (Sydney) Region, there are already seven CloudFront Edge locations in Australia, backed by a Regional edge cache in Sydney.

CloudFront edge location in New Zealand

In New Zealand, our two new edge locations in Auckland will provide viewers as much as a 50 percent reduction in p90 latency measures. These new edge locations are priced within CloudFront’s Australia geographic region.

Global Infrastructure

The AWS Global Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally.

Security guidance for Australia and New Zealand

  • Financial services
  • AWS User Guide to Financial Services Regulations and Guidelines in Australia

    This document provides information to assist financial services institutions in Australia that are regulated by the Australian Prudential Regulation Authority as they accelerate their use of AWS Cloud services.

    Updated guidance to assist customers with APRA requirements

    This paper is for APRA-regulated institutions looking to run material workloads in the cloud. It summarizes APRA requirements and recommendations related to outsourcing, IT risk, and the cloud.

    The APRA CPG 234 Workbook

    The APRA CPG 234 Workbook (download through AWS Artifact; an AWS account is required) includes a detailed analysis of the APRA CPG 234 guidelines and how they map to AWS controls. APRA-regulated institutions can use this guide when conducting technical due diligence before running material workloads in the cloud.

    Developer Guide: Operational Best Practices for APRA CPG 234

    This sample conformance pack template contains mappings to controls within APRA CPG 234 2019, which the Commonwealth of Australia created, and you can find at Prudential Practice Guide: CPG 234 Information Security

  • Government
  • Blog: Approaches to meeting Australian Government gateway requirements on AWS

    This post examines the types of controls you need to provide a gateway that can meet Australian Government requirements defined in the Protective Security Policy Framework (PSPF) and the challenges of using traditional deployment models to support cloud-based solutions. 

    PROTECTED Reference Architecture and Consumer Guide

    The AWS IRAP PROTECTED documentation helps individual agencies simplify the process of adopting AWS services by enabling individual agencies to complete their own assessments and adopt AWS for a broader range of services. Read the publication of the Reference Architectures for ISM PROTECTED Workloads in the AWS Cloud whitepaper and the AWS Consumer Guide that are now available in the IRAP documentation package in AWS Artifact.

    IRAP PROTECTED Quick Start

    This Quick Start automatically deploys the IRAP PROTECTED Reference Architecture on the AWS Cloud in about an hour. You can create cloud-based workloads that use AWS controls that meet the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) requirements for sensitive government data handling at the PROTECTED classification level.

    Using AWS for PROTECTED Data

    In accordance with the Australian Government Secure Cloud Strategy, Commonwealth entities are able to self-assess cloud services using practices already used to assess Information and Communication Technology (ICT) systems. Learn how AWS assists government in their compliance efforts via regularly achieving third-party validation of compliance requirements. 

    Helping the Australian Government innovate securely in the world’s most secure cloud

    The rapid acceleration of digital transformation raised expectations for efficient and effective engagement with service providers. In Australia, the government is prioritising delivering services through technology in a fast and secure way. To help, the Australian Cyber Security Centre (ACSC) under the Australian Signals Directorate (ASD) introduced the Cloud Services Certification Program (CSCP), to assess cloud services on the ability to secure data across government departments. 

    AWS and the Australian Signals Directorate Essential Eight

    With the Australian Signals Directorate (ASD)’s development of eight key strategies for cybersecurity risk and threat mitigation, our customers can now implement the ASD Essential Eight with our services and support. 

    Developer guide: Operational Best Practices for ACSC ISM

    This Australian Government Information Security Manual contains mappings to controls within the ISM framework, which the Commonwealth of Australia created. 

  • Global
  • Improve your Security Posture with AWS

    Stephen Schmidt, Chief Information Security Officer for AWS, recommends ten tips to improve your cloud security.

    Raise the Bar on Data Protection and Security

    At AWS, we aim to make it as easy as possible for you to use encryption to protect your data above and beyond basic access control. Dive deep into data protection in the cloud with encryption, backups, archiving, and disaster recovery strategies that strengthen your security posture. 

Global topics



The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is an update to United States law that clarifies the geographic scope for United States law enforcement requests and provides new means for services providers to challenge requests that conflict with another country's laws or national interests.

GDPR centre

General Data Protection Regulation (GDPR) centre

The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.

Frequently asked questions

  • Security & Privacy Knowledge Hub
  • AWS Security and Compliance
  • Customer data and support
Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »