AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls established to support operations and compliance. There are four types of AWS SOC Reports:
| | SOC 1 | SOC 2: Security & Availability | SOC 3: Security & Availability |
|---|---|---|---|
| What is the Report? | A description of the AWS control environment and external audit of AWS defined controls and objectives | A description of the AWS controls environment and external audit of AWS controls that meet the AICPA Trust Services Security and Availability Principles and Criteria | A public facing report demonstrating AWS has met the AICPA Trust Services Security and Availability Principles and Criteria |
| Under what Standard is the Audit Report Performed? | AICPA: AT 801, Reporting on Controls at a Service Organization | AICPA: AT 101, Attest Engagements; AICPA Technical Practice Aid: TSP Section 100, Trust Services Principles, Criteria, and Illustrations | AICPA: AT 101, Attest Engagements |
| What's the Primary Report Purpose? | (1) To provide information to customers about AWS' control environment that may be relevant to their internal controls over financial reporting; (2) To provide information to customers and their auditors for their assessment and opinion of the effectiveness of internal controls over financial reporting (ICOFR) | To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security and availability | To provide customers and users with a business need with an independent assessment of AWS' control environment relevant to system security and availability without disclosing AWS internal information |
| Who is the Primary Report Audience? | Customer management and their auditors | Users with business need | Publicly available |
| What Period does the AWS Report Cover? | 10/1-3/31 and 4/1-9/30 | 10/1-3/31 and 4/1-9/30 | 10/1-3/31 and 4/1-9/30 |
Attestation Standard Section 801 (AT 801) is a standard designed for service organizations (like AWS) to independently report on compliance with policies, procedures and controls. It provides guidance to the auditors who assess AWS as a service organization. The AWS SOC 1 Report is prepared in accordance with AT 801 by our independent service auditors (Ernst & Young, LLP) and provides an assurance report and independent auditor’s opinion on AWS internal controls that may be relevant to a customer’s internal control over financial reporting. AT 801 is issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and supersedes the two prior service organization controls guidance standards for auditors commonly known as SSAE 16 and SAS 70.
The AWS SOC 2 Security & Availability and SOC 3 Security & Availability Reports are prepared in accordance with Attestation Standard Section 101 (AT 101), a standard that enables an auditor to report on subject matter other than financial statements, based on the AICPA Guide "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy" and the Trust Services Principles and Criteria.
| Issuing Body | Standard | Guidance Description | Report |
|---|---|---|---|
| Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Learn more: www.aicpa.org | Attestation Standard Section 801 (AT 801) | Reporting on Controls at a Service Organization: This section addresses examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. | SOC 1 |
| Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Learn more: www.aicpa.org | Attestation Standard Section 101 (AT 101) | This section establishes a framework for attest engagements and outlines general attestation standards, including examples of examination reports and review reports. | SOC 2: Security & Availability; SOC 3: Security & Availability |
The AWS SOC Reports cover the data centers in the US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Seoul), Asia Pacific (Mumbai), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South America (São Paulo) Regions.
The following AWS Edge Locations are also covered by the report; for more information on AWS' global infrastructure, refer to the AWS global infrastructure overview.
- Melbourne, Australia
- Sydney, Australia
- Rio de Janeiro, Brazil
- São Paulo, Brazil
- Hong Kong, China
- London, England
- Marseille, France
- Paris, France
- Frankfurt, Germany
- Chennai, India
- Mumbai, India
- New Delhi, India
- Dublin, Ireland
- Milan, Italy
- Osaka, Japan
- Tokyo, Japan
- Seoul, Korea
- Amsterdam, Netherlands
- Manila, Philippines
- Warsaw, Poland
- Madrid, Spain
- Stockholm, Sweden
- Taipei, Taiwan
- California, United States
- Florida, United States
- Georgia, United States
- Illinois, United States
- Indiana, United States
- Missouri, United States
- New Jersey, United States
- New York, United States
- Texas, United States
- Virginia, United States
- Washington, United States
Ernst & Young LLP performs the AWS SOC 1, SOC 2 and SOC 3 audits.
AWS issues two SOC 1, SOC 2, and SOC 3 Reports covering 6-month periods each year (the first report covers October 1 – March 31 and the second report covers April 1 – September 30). New reports are released in mid-May and mid-November.
The AWS SOC 1 Audit is conducted in accordance with International Standards for Assurance Engagements No. 3402 (ISAE 3402). Customers needing an ISAE 3402 Report should request the AWS SOC 1 Type II Report.
An NDA is only required to review the AWS SOC 1 and SOC 2 reports; the AWS SOC 3 report is publicly available. The AWS SOC 3 report is a summary of the AWS SOC 2 report. It outlines that AWS meets the AICPA's Trust Services Principles in SOC 2 and includes the external auditor's opinion of the operation of controls.