We include services in the scope of our compliance efforts based on the expected use case, feedback and demand. If a service is not currently listed as in scope of the most recent assessment, it does not mean that you cannot use the service. It is part of the shared responsibility for your organization to determine the nature of the data. Based on the nature of what you are building on AWS, you should determine if the service will process or store customer data and how it will or will not impact the compliance of your customer data environment.
We encourage you to discuss your workload objectives and goals with your AWS account team; they will be able to evaluate your proposed use case and architecture, and how our security and compliance processes overlay that architecture. Need to connect with an AWS business representative?
This webpage provides a list of AWS Services in Scope of AWS assurance programs. Unless specifically excluded, features of each of the services are considered in scope of the assurance programs, and are reviewed and tested as part of the assessment. Refer to the AWS Documentation for the features of an AWS service
✓ = This service is currently in scope and is reflected in current reports. For more specific details on status, please refer to each compliance program tab below.
Click here for a full list of services covered under our ISO and CSA STAR certificates.
-
SOC
-
PCI
-
ISMAP
-
FedRAMP
Services going through FedRAMP assessment and authorization will have the following status:
- Third-Party Assessment Organization (3PAO) Assessment: This service is currently undergoing an assessment by our third-party assessor
- Joint Authorization Board (JAB) Review: This service is currently undergoing a JAB review
*Services not within the scope of JAB review. As such, the JAB team has issued neither an approval nor disapproval decision regarding this product under FedRAMP. Customers are able to leverage this service by working with their AWS Sales Representative directly to seek independent agency approval.
-
DoD CC SRG
Services going through DoD CC SRG assessment and authorization will have the following status:
- Third-Party Assessment Organization (3PAO) Assessment: This service is currently undergoing an assessment by our third-party assessor
- Joint Authorization Board (JAB) Review: This service is currently undergoing a JAB review
- Defense Information Systems Agency (DISA) Review: This service is currently undergoing a DISA review
* Denotes the service is Impact Level 6 authorized, but not Generally Available (GA) in the region.
-
HIPAA BAA
-
IRAP
*Namespaces help you identify services across your AWS environment. For example, when you create IAM policies, work with Amazon Resource Names (ARNs), and read AWS CloudTrail logs. Learn more about namespaces on the documentation page.
-
MTCS
MTCS (Singapore) MTCS (Singapore) ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ -
C5
For more information, see Cloud Computing Compliance Controls Catalog (C5).
-
K-ISMS
-
ENS High
✓ ✓ ✓ ✓ -
OSPAR
-
HITRUST CSF
-
FINMA