The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
CSA STAR LEVEL 1: CSA STAR Self-Assessment
AWS has completed the CSA STAR Self-Assessment and published the results to the AWS website. Please refer to the CSA Consensus Assessments Initiative Questionnaire. This is the latest CAIQ (v3) released by the CSA.
CSA STAR LEVEL 2: CSA STAR Attestation and Certification
Per the CSA definitions, AWS aligns with the CSA STAR Attestation and Certification via the determinations in our third-party audits for SOC and ISO:
CSA STAR Level 2 Attestation is based on SOC 2, which can be requested with AWS Artifact. The SOC 2 audit report attests that a third-party auditor has validated that AWS’ control objectives are appropriately designed and operating effectively.
CSA STAR Level 2 Certification is based on ISO 27001:2005.
CSA STAR LEVEL 3: Continuous Monitoring
As noted on the CSA website, CSA is still defining the Level 3 Continuous Monitoring requirements. For this reason AWS cannot determine alignment, but AWS does provide customers with the tools they need to meet continuous monitoring requirements. Customers can leverage the AWS Security by Design (SbD) program, which provides control responsibility outlines, the automation of security baselines, the configuration of security and the customer audit of controls for AWS customer infrastructure, operating systems, services and applications running in AWS. This standardized, automated, prescriptive and repeatable design can be deployed for common use cases, security standards and audit requirements across multiple industries and workloads. For more information, visit the Security by Design page.