SOC Compliance

Overview

AWS System & Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are three types of AWS SOC Reports:

  • What information do the AWS SOC Reports provide?

    Reports compared: SOC 1; SOC 2: Security, Availability & Confidentiality; SOC 3: Security, Availability & Confidentiality

    What is the report?

      SOC 1: A description of the AWS control environment and external audit of AWS defined controls and objectives

      SOC 2: A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria

      SOC 3: A public facing report demonstrating AWS has met the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria

    Under what Standard is the Audit Report Performed?

      SOC 1: SSAE No. 18, Attestation Standards: Clarification and Recodification (AICPA, Professional Standards), which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting; AICPA Guide, Service Organizations: Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)

      SOC 2: SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements; AICPA Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®); TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

      SOC 3: SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements; TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria)

    What's the Primary Report Purpose?

      SOC 1: To provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting. To provide information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICOFR)

      SOC 2: To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality

      SOC 3: To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security, availability, and confidentiality without disclosing AWS internal information

    Who is the Primary Report Audience?

      SOC 1: Customer management and their auditors

      SOC 2: Users with business need

      SOC 3: Publicly available here

    What Period does the AWS Report Cover?

      SOC 1: 6 Months: 10/1-3/31 and 4/1-9/30

      SOC 2: 6 Months: 10/1-3/31 and 4/1-9/30

      SOC 3: 6 Months: 10/1-3/31 and 4/1-9/30

  • Which AWS services are in scope for the SOC Reports?

    The AWS services already in scope for the SOC reports are listed in AWS Services in Scope by Compliance Program. If you would like to learn more about using these services or are interested in other services, please contact us.

  • Which regions are covered by the AWS SOC Reports?

    US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo) Regions, as well as the AWS Edge Locations in:

    Melbourne, Australia

    Sydney, Australia

    Vienna, Austria

    Rio de Janeiro, Brazil

    São Paulo, Brazil

    Montréal, Canada

    Toronto, Canada

    Prague, Czech Republic

    Hong Kong, China

    London, England

    Marseille, France

    Paris, France

    Berlin, Germany

    Frankfurt, Germany

    Munich, Germany

    Chennai, India

    Mumbai, India

    New Delhi, India

    Dublin, Ireland

    Milan, Italy

    Osaka, Japan

    Tokyo, Japan

    Seoul, Korea

    Kuala Lumpur, Malaysia

    Amsterdam, Netherlands

    Manila, Philippines

    Warsaw, Poland

    Singapore

    Madrid, Spain

    Stockholm, Sweden

    Taipei, Taiwan

    California, United States

    Florida, United States

    Georgia, United States

    Illinois, United States

    Indiana, United States

    Minnesota, United States

    Missouri, United States

    New Jersey, United States

    New York, United States

    Ohio, United States

    Oregon, United States

    Pennsylvania, United States

    Texas, United States

    Virginia, United States

    Washington, United States

  • Who performs the independent third-party audit of AWS for the SOC Reports?

    Ernst & Young LLP performs the AWS SOC 1, SOC 2 and SOC 3 audits.

  • How often are the AWS SOC Reports issued and when can I expect a new report to be released?

    AWS issues two SOC 1, SOC 2, and SOC 3 Reports covering 6-month periods each year (the first report covers October 1 – March 31 and the second report covers April 1 – September 30). New reports are released in mid-May and mid-November.

  • Is there an ISAE 3402 Report?

    The AWS SOC 1 Audit is conducted in accordance with International Standards for Assurance Engagements No. 3402 (ISAE 3402). Customers needing an ISAE 3402 Report should request the AWS SOC 1 Type II Report.

  • Is a non-disclosure agreement (NDA) required to receive the AWS SOC Reports?

    An NDA is only required to review the AWS SOC 1 and 2 reports; the AWS SOC 3 report is publicly available here. The AWS SOC 3 report is a summary of the AWS SOC 2 report. It outlines that AWS meets the AICPA’s Trust Security Principles in SOC 2 and includes the external auditor’s opinion of the operation of controls.

  • How do I request an AWS SOC 1 or SOC 2 Report?

    The AWS SOC 1 and SOC 2 reports are available to customers using AWS Artifact, a self-service portal for on-demand access to AWS’ compliance reports. Get started with AWS Artifact today.

  • Where can I find the AWS SOC 3 Report?

    The AWS SOC 3 is publicly available and can be found here.
