SOC Compliance

I'd like information about SOC in the Cloud

SOC

AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are three types of AWS SOC Reports:

AWS SOC 1 Report - Download with AWS Artifact
AWS SOC 2: Security, Availability, & Confidentiality Report - Download with AWS Artifact
AWS SOC 3: Security, Availability, & Confidentiality Report

SOC Cloud Compliance Customers

Slack provides a messaging platform that integrates with and unifies a wide range of communications services such as Twitter, Dropbox, Google Docs, Jira, GitHub, MailChimp, Trello, and Stripe. The San Francisco–based company, which launched its eponymous app in February 2014, was started by a small group of Silicon Valley entrepreneurs that include Flickr founder Stewart Butterfield. »

Kaplan, Inc. serves more than 1.2 million students globally each year through its array of higher education, test preparation, professional education, English-language training, university preparation, and K-12 offerings to individuals, institutions, and businesses. Kaplan has been recognized for expanding educational access and using technology and learning-science innovations. »

"AWS maintains a strategic commitment to cloud computing and publishes its Service Organization Controls 1 (SOC 1), Type 2 report audit to demonstrate its security practices. We have also found that the service is easy to use and implement." »

Amazon Web Services' demonstrated compliance to standards such as HIPAA, ISO27001, SOC 1/2/3, ISO9001, FedRamp, and FISMA allows DNAnexus to provide a platform that lets its customers pursue clinically compliant projects of enormous scale and scope, confident in the quality and efficiency of analysis and the security and ease of collaboration. »

"Using AWS, Jobvite is able to adhere to SSAE SOC 1, 2, and 3 reporting standards, comply with PCI DSS Level 1, and achieve ISO 27001 certification. That’s an enormous value. We simply could not sell our services to midmarket and enterprise customers without these certifications because they demand them from their SaaS providers.” »

Mambu was reassured by the fact that AWS carries a range of compliance certifications, including SOC 1, SOC 2 and SOC 3 reports, PCI DSS Level 1 certification, and the ISO27001 security management standard—all vital credentials for banks. »

What information do the AWS SOC Reports provide?

	SOC 1	SOC 2: Security, Availability, & Confidentiality	SOC 3: Security, Availability, & Confidentiality
What is the Report?	A description of the AWS control environment and external audit of AWS defined controls and objectives	A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria	A public facing report demonstrating AWS has met the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria
Under what Standard is the Audit Report Performed?	AICPA: AT 801, Reporting on Controls at a Service Organization	AICPA: AT 101, Attest Engagements AICPA Technical Practice Aid: TSP Section 100, Trust Services Principles, Criteria, and Illustrations	AICPA: AT 101, Attest Engagements
What's the Primary Report Purpose?	To provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting To provide information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICOFR)	To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality	To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality without disclosing AWS internal information
Who is the Primary Report Audience?	Customer management and their auditors	Users with business need	Publicly available here
What Period does the AWS Report Cover?	6 Months: 10/1-3/31 and 4/1-9/30	6 Months: 10/1-3/31 and 4/1-9/30	6 Months: 10/1-3/31 and 4/1-9/30

What is AT 801?

Attestation Standard Section 801 (AT 801) is a standard designed for service organizations (like AWS) to independently report on compliance with policies, procedures and controls. It provides guidance to the auditors who assess AWS as a service organization. The AWS SOC 1 Report is prepared in accordance with AT 801 by our independent service auditors (Ernst & Young, LLP) and provides an assurance report and independent auditor’s opinion on AWS internal controls that may be relevant to a customer’s internal control over financial reporting. AT 801 is issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and supersedes the two prior service organization controls guidance standards for auditors commonly known as SSAE 16 and SAS 70.

The AWS SOC 2 Security, Availability, & Confidentiality and SOC 3 Security, Availability, & Confidentiality Reports are prepared in accordance with Attestation Standard Section 101 (AT 101) which is a standard that enables an auditor to report on subject matter other than financial statements based on the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security Availability, Processing Integrity, Confidentiality, or Privacy and Trust Services Principles and Criteria.

Issuing Body	Standard	Guidance Description	Report
Auditing Standard Board (ASB) of the American Institute of Certified Public Accountants (AICPA) Learn More: www.aicpa.org	Attestation Standard Section 801 (AT 801)	Reporting on Controls at a Service Organization: This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. Learn more: AT 801	SOC 1
Attestation Standard Section 101 (AT 101)	Attest Engagements: This section establishes a framework for attest engagements and outlines general attestation standards, including examples of examination reports and review reports. Learn more: AT 101	SOC 2: Security, Availability, & Confidentiality SOC 3: Security, Availability, & Confidentiality

Issuing Body

Standard

Guidance Description

Report

Auditing Standard Board (ASB) of the American Institute of Certified Public Accountants (AICPA)

Learn More: www.aicpa.org

Attestation Standard Section 801 (AT 801)

Reporting on Controls at a Service Organization:

This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting.

Learn more: AT 801

SOC 1

Attestation Standard Section 101 (AT 101)

Attest Engagements:

This section establishes a framework for attest engagements and outlines general attestation standards, including examples of examination reports and review reports.

Learn more: AT 101

SOC 2: Security, Availability, & Confidentiality

SOC 3: Security, Availability, & Confidentiality

What AWS services are in scope for the SOC Reports?

The covered AWS services that are already in scope for the SOC reports can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact us.

What regions are covered by the AWS SOC Reports?

US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo) Regions, as well as the AWS Edge Locations in:

Melbourne, Australia
Sydney, Australia
Rio de Janeiro, Brazil
São Paulo, Brazil
Montréal, Canada
Toronto, Canada
Hong Kong, China
London, England
Marseille, France
Paris, France
Frankfurt, Germany
Chennai, India
Mumbai, India
New Delhi, India
Dublin, Ireland
Milan, Italy
Osaka, Japan
Tokyo, Japan
Seoul, Korea
Amsterdam, Netherlands
Manila, Philippines

Warsaw, Poland
Singapore
Madrid, Spain
Stockholm, Sweden
Taipei, Taiwan
California, United States
Florida, United States
Georgia, United States
Illinois, United States
Indiana, United States
Minnesota, United States
Missouri, United States
New Jersey, United States
New York, United States
Ohio, United States
Oregon, United States
Pennsylvania, United States
Texas, United States
Virginia, United States
Washington, United States

Who performs the independent third-party audit of AWS for the SOC Reports?

Ernst & Young LLP performs the AWS SOC 1, SOC 2 and SOC 3 audits.

How often are the AWS SOC Reports issued and when can I expect a new report to be released?

AWS issues two SOC 1, SOC 2, and SOC 3 Reports covering 6-month periods each year (the first report covers October 1 – March 31 and the second report covers April 1 – September 30). New reports are released in mid-May and mid-November.

Is there an ISAE 3402 Report?

The AWS SOC 1 Audit is conducted in accordance with International Standards for Assurance Engagements No. 3402 (ISAE 3402). Customers needing an ISAE 3402 Report should request the AWS SOC 1 Type II Report.

Is a non-disclosure agreement (NDA) required to receive the AWS SOC Reports?

An NDA is only required to review the AWS SOC 1 and 2 reports; the AWS SOC 3 report is publicly available here. The AWS SOC 3 report is a summary of the AWS SOC 2 report. It outlines that AWS meets the AICPA’s Trust Security Principles in SOC 2 and includes the external auditor’s opinion of the operation of controls.

How do I request an AWS SOC 1 or SOC 2 Report?

The AWS SOC 1 and SOC 2 report is available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. Get started with AWS Artifact today.

Where can I find the AWS SOC 3 Report?

The AWS SOC 3 is publicly available and can be found here.

SOC Compliance Resources