AWS Compliance Solutions Guide

Repository of frequently used resources and processes needed to perform compliance responsibilities on AWS.

Welcome to the AWS Compliance Solutions Guide! This guide is designed to provide you with a repository of frequently used resources and processes needed to perform your compliance responsibilities on AWS.

Security at AWS is our top priority. Today, AWS protects millions of active customers around the world, from large enterprises and government organizations, to start-ups and non-profits. Through these relationships, we’ve developed best-in-class resources to allow customers from any industry to quickly understand how to achieve compliance in the AWS Cloud. AWS customers inherit all of the benefits of our experience, including best practices for security policies, architecture, and operational processes validated against external assurance frameworks.

AWS communicates its security and control environment relevant to customers by doing the following:

  • Industry certifications and independent third-party attestations listed below
  • Information about AWS security and control practices in whitepapers and web content
  • Certificates, reports, and other documentation provided directly to AWS customers under NDA

Compliance Solutions

The best practice for accessing AWS compliance reports is through the console via AWS Artifact. AWS Artifact provides customers with on-demand, self-service access to the latest AWS compliance reports. When new reports are released by AWS, they are immediately made available for download in AWS Artifact. In addition to on-demand access, here are three advantages to using AWS Artifact:

  1. It does not require entry of a credit card. There is no charge associated with creating an account or using the AWS Artifact portal.
  2. It provides the ability to set up accounts for other users through IAM.
  3. It enables the convenience of click-through NDA.

Please note that all third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports require an NDA. The exceptions are the AWS ISO 27001 certification and the AWS SOC 3 reports, which are available publicly.

If you have an AWS account and are ready to start utilizing AWS Artifact, you can use the resources below to familiarize yourself with this feature in the console. If you do not already have an AWS account, you can create one using these steps.

AWS Artifact Website - This website will give you the basic information about Artifact including a Getting Started Quick Guide with step-by-step instructions on how to log into the console and download a report, as well as an AWS Artifact FAQs page with a comprehensive list of all the frequently asked questions.

Below are a few of the most common scenarios that generate questions:


If you need assistance completing a Security Questionnaire to document AWS security and compliance positions, AWS has a recommended approach, designed to provide you with the resources that appropriately address your security and compliance questions in the context of the cloud and AWS’s business model. This procedure ensures that all our customers are given consistent answers that have been verified by our third-party auditors.

AWS Artifact is the first place to visit as it houses all compliance reports. AWS undergoes several audits throughout the year by third-party auditors, most of which are conducted in accordance with international security standards, such as ISO 27001, PCI and SOC. You can use these reports to answer questions on any security questionnaires you may receive.

In addition, there are several types of resources available online to provide answers for some of the most commonly asked questions. The two most frequently used documents for questionnaires are:

Consensus Assessments Initiative Questionnaire – The Cloud Security Alliance (CSA) is a non-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of uses, including cloud provider selection and security evaluation. This document contains the AWS answers to the CSA questionnaire.

Risk and Compliance Whitepaper – This document is intended to provide information to assist AWS customers with integrating AWS into their existing control framework supporting their IT environment. It includes a basic approach to evaluating AWS controls and provides information to assist customers with integrating control environments. This document also addresses AWS-specific information around general cloud computing compliance questions. There are detailed descriptions of all AWS Certifications, Programs, Reports, and Third-Party Attestations. The CSA questionnaire is included in the Appendix of this document.

If you still need help answering a question, reach out to your AWS Sales Account Manager and they can help direct you to the appropriate resources.

Security Questionnaire Examples

Control: Encryption
Question: Do the provided services support encryption?
Answer: Yes. AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, SimpleDB, and EC2. IPSec tunnels to VPC are also encrypted. Amazon S3 also offers Server Side Encryption as an option for customers. Customers may also use third-party encryption technologies.
AWS Reference Documents: AWS Security Whitepaper

Control: Physical and Environmental Controls
Question: Are physical and environmental controls operated by the cloud provider specified?
Answer: Yes. These are specifically outlined in the SOC 1 Type II report. In addition, other certifications AWS supports, such as ISO 27001 and FedRAMP℠, require best practice physical and environmental controls.
AWS Reference Documents: FedRAMP package, ISO 27001 Report, SOC 1

Control: Human Resources Training / Awareness
Question: Is a formal, role-based security awareness training program provided for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model segregation of duties implications and conflicts of interest) for all persons with access to tenant data?
Answer: Yes. In alignment with the ISO 27001 standard, all AWS employees complete periodic Information Security training which requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies.
AWS Reference Documents: Refer to SOC, PCI DSS, ISO 27001 and FedRAMP compliance reports

These are some of the most common challenges encountered with the HIPAA BAA. To get access to more BAA-related resources, including a full list of HIPAA FAQs, BAA instructional videos, whitepapers, etc., please visit the main AWS HIPAA Compliance page.

Q: Can I obtain a hard copy of my existing BAA?

A: The BAA version in Artifact and a hard copy do not differ. When using Artifact, you will always be able to download a copy of the BAA before and after accepting the terms. If you have an existing offline BAA, you can contact your sales rep to get a copy.

Q: I need an Exhibit A to confirm account(s) have been added to an existing BAA or I need evidence that a given account(s) is covered under BAA.

A: AWS does not issue an updated Exhibit A when additional accounts are covered under an existing BAA. By using Artifact, you will be able to immediately designate new accounts self-service in the console. After a BAA has been accepted in Artifact, you can sign into the console with the account ID and confirm the status is active. If you would like to add a new account, you can do so self-service. To confirm coverage status and share the BAA with auditors or regulators, the PDF is available for download. In addition, the status also serves as evidence of coverage.

Q: I don’t have the ability to enter into a BAA or I cannot check the boxes for the NDA.

A: This issue arises from an error in permissions. The individual or team handling IAM requests for your AWS account can resolve this by adjusting permissions. More information on setting up IAM accounts can be found here.


More AWS Compliance Resources


The Services in Scope Page will detail which services are currently in scope, and which are in progress. You can also contact your AWS Sales Account Manager and SA about any specific needs for a certain service.


The AWS Security Blog is a great way to keep track of all the newest updates to the AWS security programs.


For information on some of AWS's current customer experiences, please visit our customer testimonial page, which lists case studies from our customers across all industries.


If you need more information on a specific compliance regime, please refer to the following pages for FAQs:


The AWS Auditor Learning Path is a resource designed specifically for those in auditor, compliance, and legal roles who want to learn how their internal operations can demonstrate compliance using AWS’ platform.
