Cloud Security Alliance (CSA)
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA STAR LEVEL 1: CSA STAR Self-Assessment
AWS participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) Self-Assessment to document our compliance with CSA-published best practices. We publish our completed CSA Consensus Assessments Initiative Questionnaire (CAIQ) on the AWS website.
CSA STAR LEVEL 2: CSA STAR Certification
The Security Trust Assurance and Risk (STAR) Level 2 Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix criteria. The STAR Level 2 certification with STAR validates for cloud customers the use of best practices and the security posture of AWS cloud offerings. AWS publishes our CSA STAR Level 2 and ISO 27001:2013 certificates on the AWS website and the certificates are also available from AWS Artifact. The covered AWS Regions and services that are in scope can be found on the CSA STAR Level 2 certification. The covered AWS services that are in scope for CSA STAR level 2 certification can be found on ISO-certified webpage.
CSA STAR LEVEL 3: Continuous Monitoring
AWS provides customers with the tools they need to meet continuous monitoring requirements. CSA is still defining the Level 3 Continuous Monitoring requirements, so there is no available certification to determine alignment. However, customers can use the AWS Security by Design (SbD) program to provide control responsibilities outlines, the automation of security baselines, the configuration of security, and the customer audit of controls for AWS customer infrastructure, operating systems, services, and applications running in AWS. This standardized, automated, prescriptive, and repeatable design can be deployed for common use cases, security standards, and audit requirements across multiple industries and workloads. For more information, see the AWS Security by Design webpage.