AWS Services in Scope by Compliance Program

We include generally available services in the scope of our compliance efforts based on the expected use case, feedback and demand. If a service is not currently listed as in scope of the most recent assessment, it does not mean that you cannot use the service. It is part of the shared responsibility for your organization to determine the nature of the data. Based on the nature of what you are building on AWS, you should determine if the service will process or store customer data and how it will or will not impact the compliance of your customer data environment.

We encourage you to discuss your workload objectives and goals with your AWS account team; they will be able to evaluate your proposed use case and architecture, and how our security and compliance processes overlay that architecture. Need to connect with an AWS business representative? 


This webpage provides a list of AWS Services in Scope of AWS assurance programs. Unless specifically excluded, generally available features of each of the services are considered in scope of the assurance programs, and are reviewed and tested at the next opportunity for assessment. Refer to the AWS Documentation for the features of an AWS service.

= This service is currently in scope and is reflected in current reports. For more specific details on status, please refer to each compliance program tab below.

C5 Cloud Computing Compliance Controls Catalog
CCCS Canadian Centre for Cyber Security
CISPE Cloud Infrastructure Services Providers in Europe Data Protection Code of Conduct
CPSTIC National Cryptologic Center (CCN) STIC Products and Services Catalog (CPSTIC)
DESC CSP Dubai Electronic Security Centre Cloud Service Provider Security Standard
DoD CC SRG Department of Defense Cloud Computing Security Requirements Guide
ENS High Esquema Nacional de Seguridad
FedRAMP Federal Risk and Authorization Management Program
FINMA Swiss Financial Market Supervisory Authority
GNS GNS National Restricted Certification
GSMA Global System for Mobile Communications Association
HIPAA BAA Health Insurance Portability and Accountability Act
HITRUST CSF Health Information Trust Alliance Common Security Framework
IAR United Arab Emirates Information Assurance Regulation
IRAP Information Security Registered Assessors Program
ISMAP Information System Security Management and Assessment Program
ISO and CSA STAR certificates International Organization for Standardization (ISO) and Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
K-ISMS Korea-Information Security Management System
MTCS Multi-Tier Cloud Security
OSPAR Outsourced Service Provider’s Audit Report
PCI Payment Card Industry Data Security Standard
Pinakes Banking association CCI - Third Party Qualification
PiTuKri Criteria for Assessing the Information Security of Cloud Services
SNI 27001 SNI 27001 accredited by Komite Akreditasi Nasional (KAN)
SOC System and Organization Controls

Want More Information About Services in Scope?