Cloud Security Alliance (CSA)
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA STAR LEVEL 1: CSA STAR Self-Assessment
AWS participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) Self-Assessment to document our compliance with CSA-published best practices. We publish our completed CSA Consensus Assessments Initiative Questionnaire (CAIQ) on the AWS website.
CSA STAR LEVEL 2: CSA STAR Attestation and Certification
AWS aligns with the CSA STAR Attestation and Certification based on the determinations in our third-party audits for System and Organization Controls (SOC) 2 Reports and ISO 27001:
CSA STAR Level 2 Attestation is based on SOC 2. The SOC 2 Report is an independent third-party auditor's opinion that the AWS control objectives are appropriately designed and are operating effectively. The AWS SOC 2 Report is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact. AWS also publishes a public version as the System and Organization Controls 3 (SOC 3) Report on the AWS website.
CSA STAR Level 2 Certification is based on ISO 27001. AWS publishes our ISO 27001:2013 Certificate on the AWS website.
CSA STAR LEVEL 3: Continuous Monitoring
AWS provides customers with the tools they need to meet continuous monitoring requirements. CSA is still defining the Level 3 Continuous Monitoring requirements, so there is no available certification to determine alignment. However, customers can use the AWS Security by Design (SbD) program to outline control responsibilities, automate security baselines, configure security, and audit their own controls for customer infrastructure, operating systems, services, and applications running in AWS. Note that the CSA STAR attestation and certification described above cover the controls AWS operates; controls that customers operate on their side of the shared responsibility model remain the customer's to implement and audit. This standardized, automated, prescriptive, and repeatable design can be deployed for common use cases, security standards, and audit requirements across multiple industries and workloads. For more information, see the AWS Security by Design webpage.