1. What is the best way to complete my annual vendor/supplier/due-diligence questionnaire of AWS?

In the event that you need assistance to complete a questionnaire to document AWS security and compliance positions, AWS has a recommended approach designed to provide you with the resources you need to answer your security and compliance questions in the context of the cloud and AWS’s business model. The most frequently used resources to complete security and compliance questionnaires are:

  • AWS Artifact – AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. The AWS SOC 2 report is particularly helpful for completing questionnaires because it provides a comprehensive description of the implementation and operating effectiveness of AWS security controls. Another useful document is the Executive Briefing within the AWS FedRAMP Partner Package.
  • CSA Consensus Assessments Initiative Questionnaire – The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of uses, including cloud provider selection and security evaluation. This document contains the AWS answers to the CSA questionnaire.
  • AWS Risk and Compliance whitepaper – This document addresses AWS-specific information around general cloud computing compliance questions. There are detailed descriptions of all AWS Certifications, Programs, Reports, and Third-Party Attestations.
  • AWS Data Center Controls web page – Many questionnaires have an entire section with questions related to data center physical security. This web page provides you with insight into some of our physical and environmental controls.
2. Which AWS services and features comply with common cloud security and compliance standards?

AWS Services in Scope provides a list of services that are assessed to comply with common compliance standards. Unless specifically noted as excluded, features of each of the listed services are considered in scope of the compliance program and are reviewed and tested as part of the assessment. Refer to AWS Documentation for the features of an AWS service.

3. Can I comply with my regulatory requirements on AWS?

AWS has customers throughout the world and is continually adapting to evolving regulations. The AWS Compliance Center offers you a central location to research cloud-related regulatory requirements and how they impact your industry. Select the country you are interested in and the AWS Compliance Center will display the country’s regulatory position regarding the adoption of cloud services.

4. Does AWS have any sub-processors?

AWS may engage the entities listed on the AWS Sub-Processors web page to carry out specific processing activities on behalf of the customer or data center facility management activities. This web page also provides customers with the option to subscribe to email notifications if the list of sub-processors changes.

AWS proactively informs our customers of any subcontractors who have access to customer-owned content you upload onto AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round, please refer to the AWS Third-Party Access web page.

5. Can you provide me with the AWS data center locations for my business continuity or disaster recovery policy?

AWS keeps our data center locations strictly confidential to maintain the security and privacy of customer data. Locations are disclosed only to AWS employees and contractors who have an approved business need to be at the facility.

Customers can assess the security and resiliency of the AWS physical infrastructure by considering all of the security controls that AWS has in place for its data centers. To support customers evaluating risks related to AWS data centers, AWS provides the AWS Data Center Controls web page and the AWS SOC 2 report available in AWS Artifact.

6. What factors are important for customers to evaluate as part of their disaster recovery planning?

Customers evaluating AWS as part of their disaster recovery planning should first identify their resiliency goals and consider any applicable regulatory requirements for resiliency and disaster recovery. Customers can then architect their AWS environment to meet their resiliency goals and regulatory requirements. For example, to mitigate environmental risks, customers can architect their AWS workloads to take advantage of physically separated Availability Zones and Regions to reach their objectives. Customers with high availability requirements often use multiple Regions for critical applications. Learn more on the AWS Disaster Recovery web page, the AWS Data Center Controls web page, and within the AWS SOC 2 report available in AWS Artifact.

Compliance Reports

1. Where can I download AWS compliance reports, such as a SOC or PCI report?

AWS Artifact provides several compliance reports issued by third-party auditors who have tested and verified our compliance with a variety of global, regional, and industry-specific security standards and regulations. When new reports are released, they are made available for customers to download in AWS Artifact. For more information, go to the Compliance Reports FAQ. You can access AWS Artifact directly from the AWS Management Console.

2. Where can I find a bridge letter for the AWS SOC 1 and SOC 2 reports?

Based on AWS's full year of coverage within our SOC 1 and SOC 2 report cycles, we publish a SOC Continued Operations Letter instead of a bridge letter or gap letter. This document can be downloaded using AWS Artifact from the AWS Management Console.

3. Do the AWS SOC reports expire at the end of the reporting period?

No. SOC audits are performed over a period of time. Once the audit period is over, the report is prepared and made available to customers within 6-8 weeks. AWS issues two SOC 1 and two SOC 2 reports covering 6-month periods each year (the first report covers October 1 through March 31, and the second covers April 1 through September 30). There are many factors that play into the release date of the report, but we target early May and early November each year to release new reports. When new SOC reports are released, they are made available for customers to download in AWS Artifact.

4. How do my end customers obtain a copy of the AWS SOC 1 and SOC 2 reports?

AWS is happy to provide your customer with a copy of our SOC 1 or SOC 2 report; however, we require that the intended user of the report have a Nondisclosure Agreement (NDA) in place with AWS directly. To best support your customers, we recommend they utilize the Getting Started with AWS Artifact guide to download the requested compliance report(s).

If your customer does not want to enter into an NDA with AWS, we publish the AWS SOC 3 report on our SOC Compliance web page. The SOC 3 report is a summary of the AWS SOC 2 report; it provides assurance, including the external auditor’s opinion, that AWS maintains effective operation of controls based on the criteria set forth in the AICPA’s Trust Services Principles.

Compliance Programs

1. Is AWS HIPAA certified?

There is no HIPAA certification for a cloud service provider (CSP) such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule. Refer to the AWS HIPAA web page for more information about HIPAA compliance on AWS.

2. Will AWS sign a Business Associate Addendum (BAA) as described in the HIPAA rules and regulations?

Yes. AWS has a standard BAA we enter into with customers. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.

To review, accept, and manage the status of the BAA for your account, or for all accounts that are part of your organization in AWS Organizations, sign in to AWS Artifact from the AWS Management Console.

3. What does it mean for an AWS service to be HIPAA eligible?

AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Customers may use any AWS service in an account designated as a HIPAA account, but should only process, store, and transmit protected health information (PHI) using HIPAA-eligible services. Refer to the following AWS resources for more information about HIPAA compliance on AWS:

4. How do I become HITRUST compliant on AWS?

AWS offers a wide range of certifications and attestations, covering compliance programs from around the globe. You can leverage these certifications and attestations to meet your additional compliance programs, such as the HITRUST Common Security Framework or programs offered by the Electronic Healthcare Network Accreditation Commission (EHNAC). You can also work with one of our partners that specializes in healthcare compliance.

5. How do I enter into a GDPR-compliant Data Processing Addendum (DPA) with AWS?

You do not need to take any action to get the benefit of the GDPR DPA. The terms of the GDPR DPA are incorporated into the AWS Service Terms and, since May 25, 2018, the GDPR DPA automatically applies to customers whose activities come within the scope of the GDPR. Refer to this AWS Security blog post to learn more about AWS's DPA.

6. Is AWS certified under the EU-US Privacy Shield?

Yes, AWS is certified under the EU-US Privacy Shield. You can view AWS’s certification here. Although the Court of Justice of the European Union issued a judgment in July 2020 declaring as invalid European Commission Decision 2016/1250 (on the adequacy of the protection provided by the EU-US Privacy Shield), this decision does not relieve participants in the EU-US Privacy Shield of their obligations under the framework.
