In the event that you need assistance to complete a questionnaire to document AWS security and compliance positions, AWS has a recommended approach designed to provide you with the resources you need to answer your security and compliance questions in the context of the cloud and AWS’s business model. The most frequently used resources to complete security and compliance questionnaires are:
- AWS Artifact – AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) attestation of compliance, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
- AWS Compliance Programs web page – AWS Compliance Programs help customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud.
- AWS Data Center Controls web page – Many questionnaires have an entire section with questions related to data center physical security. This web page provides you with insight into some of our physical and environmental controls.
- AWS Risk and Compliance whitepaper – This document addresses AWS-specific information around general cloud computing compliance questions.
- CSA Consensus Assessments Initiative Questionnaire – The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of uses, including cloud provider selection and security evaluation. This document contains the AWS answers to the CSA questionnaire.
- SIG Questionnaire – The Standardized Information Gathering (SIG) questionnaire is intended for use by customers using Shared Assessments' SIG Questionnaire Tools to standardize their process for third-party risk assessments. AWS has completed the questionnaire with narrative responses to assist AWS customers with their due diligence process for the AWS Cloud. The SIG can be found on AWS Artifact.
The AWS Services in Scope web page provides a list of services that are assessed to comply with common compliance standards.
AWS may engage the entities listed on the AWS Sub-Processors web page to carry out specific processing activities on behalf of the customer or data center facility management activities. This web page also provides customers with the option to subscribe to email notifications if the list of sub-processors changes.
AWS keeps our data center locations strictly confidential to maintain the security and privacy of customer data. The naming convention for our AWS Regions is indicative of the general geographic location of the Availability Zones and data centers that make up that Region. Additional detail regarding the general location of data centers is contained in our PCI DSS report, available through AWS Artifact. To learn more, visit our AWS Global Infrastructure web page.
Customers can assess the security and resiliency of the AWS physical infrastructure by considering all of the security controls that AWS has in place for its data centers. To help customers more deeply understand our physical security and resiliency controls, an independent and competent auditor validates the presence and operation of controls as part of our SOC 2 Type II report, which is available to customers through AWS Artifact. This broadly accepted third-party validation provides customers with independent attestation of the effectiveness of the controls in place. Independent reviews of data center physical security are also part of the ISO 27001, PCI, ITAR, and FedRAMP compliance programs.
No. Because our data centers host multiple customers, AWS does not allow data center tours by customers, as this would expose a wide range of customers to physical access by a third party. However, customers and the general public can take a digital tour of an AWS Data Center on our website to better understand our infrastructure and controls.
Customers evaluating AWS as part of their disaster recovery planning should first identify their resiliency goals and consider any applicable regulatory requirements for resiliency and disaster recovery. Customers can then architect their AWS environment to meet their resiliency goals and regulatory requirements. For example, to mitigate environmental risks, customers can architect their AWS workloads to take advantage of physically separated Availability Zones and Regions to reach their objectives. When planning for business continuity and disaster recovery, AWS customers should utilize the best practices contained in the Reliability pillar of the AWS Well-Architected Framework.
AWS Artifact provides several compliance reports issued by third-party auditors who have tested and verified our compliance with a variety of global, regional, and industry-specific security standards and regulations. When new reports are released, they are made available for customers to download in AWS Artifact. For more information, go to the Compliance Reports FAQ. You can access AWS Artifact directly from the AWS Management Console.
Based on AWS's full year of coverage within our SOC 1 and SOC 2 report cycles, we publish a SOC Continued Operations Letter instead of a bridge letter or gap letter. This document can be downloaded using AWS Artifact from the AWS Management Console.
No. SOC audits are performed over a period of time. Once the audit period is over, the report is prepared and made available to customers within 6-8 weeks. AWS issues two SOC 1 and two SOC 2 reports covering 6-month periods each year (the first report covers October 1 through March 31, and the second covers April 1 through September 30). There are many factors that play into the release date of the report, but we target early May and early November each year to release new reports. When new SOC reports are released, they are made available for customers to download in AWS Artifact.
AWS is happy to provide your customer with a copy of our SOC 1 or SOC 2 report. To best support your customers, we recommend they utilize the Getting Started with AWS Artifact guide to download the SOC 1 or SOC 2 report by using their own AWS Account. There is no charge associated with creating an account. After logging into their account, your customers can access available reports in the AWS Console by navigating to Artifact under Security, Identity & Compliance.
Alternatively, you can download the AWS compliance reports from AWS Artifact and share with your customers directly if permitted by the terms and conditions applicable to the specific AWS compliance report. Please refer to the applicable terms and conditions on the first page of the AWS compliance report downloaded from AWS Artifact to check whether or not sharing of that report is permitted.
We also publish the AWS SOC 3 report on our SOC Compliance web page. The SOC 3 report is a summary of the AWS SOC 2 report; it provides assurance, including the external auditor’s opinion, that AWS maintains effective operation of controls based on the criteria set forth in the AICPA’s Trust Services Principles.
There is no HIPAA certification for a cloud service provider (CSP) such as AWS. However, AWS aligns its HIPAA risk management program with FedRAMP, NIST 800-30, and NIST 800-53, which are security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule. Refer to the AWS HIPAA web page for more information about HIPAA compliance on AWS.
Yes. AWS has a standard BAA we enter into with customers. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.
To review, accept, and manage the status of the BAA for your account, or for all accounts that are part of your organization in AWS Organizations, sign in to AWS Artifact from the AWS Management Console.
AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Customers may use any AWS service in an account designated as a HIPAA account, but should only process, store, and transmit protected health information (PHI) using HIPAA-eligible services. Refer to the following AWS resources for more information about HIPAA compliance on AWS:
Customers may look to leverage the AWS HITRUST CSF certification of in-scope services to support their own HITRUST CSF certification. For the latest list of HITRUST CSF certified AWS services, see the AWS Services in Scope by Compliance Program web page. AWS customers can inherit the AWS HITRUST CSF certification provided that they use only in-scope services and apply the controls detailed on the HITRUST Alliance website. Customers can download the AWS Custom HITRUST Shared Responsibility Matrix to determine which HITRUST requirements AWS customers can inherit as part of the shared responsibility model. Customers should refer to the MyCSF User Guide web page for guidance on how to initiate an inheritance request.
You do not need to take any action to get the benefit of the GDPR DPA. The terms of the GDPR DPA are incorporated into the AWS Service Terms and, since May 25, 2018, the GDPR DPA automatically applies to customers whose activities come within the scope of the GDPR. Refer to this AWS Security blog post to learn more about AWS's DPA. For additional information visit the GDPR Center.
Yes, AWS is certified under the EU-US Privacy Shield. You can view AWS’s certification here. Although the Court of Justice of the European Union issued a judgment in July 2020 declaring that the European Commission’s Decision 2016/1250 (on the adequacy of the protection provided by the EU-US Privacy Shield) is no longer valid, this decision does not relieve participants in the EU-US Privacy Shield of their obligations under the framework.