
AWS Professional Services Provider Security Policy

Last Updated: October 10, 2024

1. SCOPE; DEFINITIONS

1.1     Security Policy. Provider will comply in all respects with these information security requirements (the “Security Policy”). The Security Policy applies to Provider’s performance under the Agreement and all access, collection, use, storage, transmission, disclosure, destruction or deletion of, and security incidents regarding, AWS Information and Customer Information (defined below) within Provider’s possession or control or otherwise accessible to Provider. This Security Policy does not limit any other obligations of Provider, including under the Agreement, any other agreements with AWS, or any other Laws that apply to Provider, Provider’s performance under the Agreement, AWS Information, Customer Information or the Permitted Purpose (defined below). To the extent this Security Policy directly conflicts with the Agreement, Provider will comply with the requirement that is more restrictive and more protective of AWS Information and Customer Information. Capitalized terms used in this Security Policy but not defined in Section 1.4 or elsewhere in this Security Policy have the meaning set forth in the Agreement.  

1.2     Security Policy Updates. 

1.2.1 AWS may make commercially reasonable updates to this Security Policy from time to time at its sole discretion, which will become effective 30 days after the “Last updated” date of this Security Policy, unless otherwise specified by AWS. Provider agrees to be bound by the updated Security Policy once the updates come into effect.    

1.2.2 If Provider wants to receive advance notice of these updates before they become effective, Provider may subscribe to receive update notices using the subscription form provided at the bottom of this Provider Security Policy webpage. Provider will ensure that all Provider contact information provided for the update notice subscription is up-to-date and accurate at all times. Provider will be deemed to have received any update notice when it is sent via email, regardless of whether or not Provider actually receives the update notice.  

1.3     Permitted Purpose. Provider may access, collect, use, store, and transmit only the AWS Information and Customer Information expressly authorized under the Agreement and solely for the purpose of providing the services under the Agreement, consistent with the licenses (if any) granted under the Agreement (the “Permitted Purpose”). Provider will access, collect, use, store, and transmit Customer Information pursuant to any data handling standards provided in writing by the engagement lead identified by AWS (the “Engagement Manager”). Except as expressly authorized under the Agreement, Provider will not access, collect, use, store or transmit any Customer Information and will not Aggregate Customer Information, even if Anonymized. Except with AWS’s prior express written consent, Provider will not (1) transfer, rent, barter, trade, sell, loan, lease or otherwise distribute or make available to any third party any Customer Information or (2) Aggregate Customer Information with any other information or data, even if Anonymized.

1.4     Definitions.

“Agreement” has the meaning given in the Main Services Agreement by and between AWS and Provider that governs Provider’s performance of the services.

“Aggregate” means to combine or store Customer Information with any data or information of Provider or any third party.

“Anonymize” means to use, collect, store, transmit or transform any data or information (including Customer Information) in a manner or form that does not identify, permit identification of, and is not otherwise attributable to any user, device identifier, source, product, service, context, brand, or AWS or its affiliates.

“AWS Information” means all AWS Confidential Information (as defined in the Agreement or in the NDA).

“Customer Information” means (a) confidential information and other data of the Customers; (b) all other Customer data, records, files, content or information, in any form or format, acquired, accessed, collected, received, stored or maintained by Provider or its affiliates from or on behalf of AWS, its affiliates, the Customers, or otherwise in connection with the Agreement, the services, or the parties’ performance of or exercise of rights under or in connection with the Agreement; and (c) any information derived from (a) or (b), even if Anonymized.

2. AWS PROVIDER SECURITY POLICY.

2.1     Minimum Security Requirements. Provider will, consistent with current industry standards and such other requirements specified by AWS based on the classification and sensitivity of AWS Information and Customer Information, maintain physical, administrative and technical safeguards and other security measures (i) to maintain the security and confidentiality of AWS Information and Customer Information accessed, collected, used, stored or transmitted by Provider, (ii) to protect that information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms of processing, and (iii) that do not constitute unfair, deceptive or abusive acts or practices with respect to AWS Information and Customer Information.

Without limiting the foregoing, Provider equipment will comply with the following requirements when accessing and handling Customer Information:

2.1.1     Provider-Owned Endpoints. Provider will ensure that Provider Personnel only use “endpoints” (e.g. equipment such as laptop computers, desktop computers, tablets, mobile devices, virtual display interfaces or similar) issued and managed by Provider, AWS, or the Customer to perform the services, and will ensure that Personnel do not use un-managed personal devices to perform the services, or access any Customer Information.

2.1.2    Provider-Controlled Software. Provider will furnish to its Personnel and Third-Party Contractors all software and online services that are used to provide the services. Provider will prevent its Personnel and Third-Party Contractors from using personal email addresses, personal software subscriptions, or personal online services to perform the services or access Customer Information.

2.1.3    Network and Locally Configured Firewall. Provider will install and maintain a working industry standard network firewall and locally configured (end device) firewall (such as Microsoft Defender Firewall, Apple Firewall, etc.) to protect data accessible via the Internet and will keep all Customer Information protected by the firewall at all times.  The firewall must provide both ingress and egress filtering, and have a default policy of blocking network traffic.  

2.1.4     Updates. Provider will keep its systems and software up-to-date with the latest vendor-provided upgrades, updates, bug fixes, new versions and other modifications necessary to ensure the security of Customer Information (“Updates”).  Provider will install all critical Updates within 7 days of release and will install all other applicable Updates within a reasonable time. 

2.1.5     Anti-virus and Anti-malware. Provider will at all times use up-to-date subscription based anti-virus and anti-malware software with (i) scanning technologies, and (ii) signature auto-update features that automatically update signature files, to ensure that all operating systems, software and other systems hosting, storing, processing, or that have access to Customer Information are and remain free from such viruses, spyware and malicious code.  Provider will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.

2.1.6     Provider Policy. Provider will maintain and enforce an information and network security policy for Provider Personnel, Third Party Contractors, agents, and suppliers that meets the standards set out in this Security Policy, including methods to detect and log policy violations.  Upon request by AWS, Provider will provide AWS with information on violations of Provider’s information and network security policy that are related to the performance of services under the Agreement, even if such violations do not constitute a Security Incident. 

2.1.7     Testing.  Provider will regularly test its security systems and processes to ensure they meet the requirements of this Security Policy.

2.1.8     Access Controls.  Provider will secure Customer Information, including by complying with the following requirements:

(i)     Provider will assign a unique ID to each person (such as username or user ID) with computer access to Customer Information. 

(ii)     Provider will restrict access to Customer Information to only those people with a “need-to-know” for the Permitted Purpose. 

(iii)     Provider will regularly review the list of people and services with access to Customer Information, and remove accounts that no longer require access.  This review must be performed at least once every 180 days during the Term. 

(iv)     Provider will not use manufacturer-supplied defaults for system passwords and other security parameters on any operating systems, software or other systems.  Provider will mandate and ensure the use of system-enforced “strong passwords”, in accordance with the practices described below, on all systems hosting, storing, processing, or that have or control access to, Customer Information (e.g., internal system-level account passwords). Provider will require that all passwords and access credentials are kept confidential (e.g. not shared amongst its Personnel). 

Passwords must satisfy either requirement A or B:

(A) Passwords must possess more than 52 bits of entropy, where bits are calculated as log2(M^n) = n × log2(M), where M is the number of possible symbols that can be used in a password and n is the minimum number of symbols in a password.

(B) Meet the following criteria:

•      contain at least 12 characters;

•      contain a combination of upper and lowercase characters, numbers, punctuation, or special characters as allowed;

•      do not match previous passwords, the user's login, a dictionary word, common name, birthday, or other easily guessed/inferred option.
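The two alternatives above are easy to misread as one rule. Requirement A is a property of the system's enforced minimum (symbol set size M and minimum length n), not of any single password, while requirement B is a per-password check. The following is an added example, not tooling from AWS or from this policy, showing both checks and the "either A or B" combination; the denylist, the reading of "a combination of" as at least two character classes, and the birthday format are assumptions made for the example.

```python
import math
import re

# Constructed stand-in for the policy's "dictionary word / common name" check.
# Assumption: a real deployment loads a full wordlist and per-user history.
DENYLIST = {"password", "welcome", "amazon", "qwerty", "letmein"}


def entropy_bits(symbol_space, min_length):
    """Requirement A: bits = log2(M**n) = n * log2(M).

    M is the size of the symbol set the system accepts, n the enforced
    minimum length. The product form avoids computing M**n directly.
    """
    if symbol_space < 2 or min_length < 1:
        return 0.0
    return min_length * math.log2(symbol_space)


def meets_requirement_a(symbol_space, min_length):
    """More than 52 bits for the *shortest* password the system accepts."""
    return entropy_bits(symbol_space, min_length) > 52


def meets_requirement_b(password, login, previous=(), birthday=None):
    """Requirement B; returns (ok, reason) so callers can tell the user why."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    # Assumption: "a combination of" means at least two character classes.
    if sum(classes) < 2:
        return False, "needs at least two character classes"
    lowered = password.lower()
    if lowered == login.lower():
        return False, "matches the login"
    if any(lowered == p.lower() for p in previous):
        return False, "matches a previous password"
    for word in DENYLIST:
        if word in lowered:
            return False, "contains denylisted word %r" % word
    # Assumption: birthday given as a date string; reject if its digits appear.
    digits = re.sub(r"\D", "", birthday or "")
    if digits and digits in password:
        return False, "contains the birthday"
    return True, "ok"


def compliant(password, login, symbol_space, min_length, **kw):
    """The policy says A *or* B. A system whose enforced minimum already
    clears 52 bits satisfies the clause even for a password that fails B,
    so the entropy of the enforced minimum decides before B is consulted."""
    if meets_requirement_a(symbol_space, min_length):
        return True
    return meets_requirement_b(password, login, **kw)[0]


if __name__ == "__main__":
    # Digits-only, minimum 12: 12 * log2(10) = 39.9 bits, fails A.
    print(round(entropy_bits(10, 12), 1), meets_requirement_a(10, 12))
    # 95 printable ASCII symbols, minimum 8: 8 * log2(95) = 52.6 bits, passes A
    # although an 8-character password would fail B's 12-character floor.
    print(round(entropy_bits(95, 8), 1), meets_requirement_a(95, 8))
    print(meets_requirement_b("Password12345!", "jdoe"))
```

The 95-symbol, 8-character case is the one worth watching: it clears requirement A by half a bit, so a system relying on A alone accepts passwords shorter than B would allow. Treat A as the floor for machine-generated or system-level credentials and apply B to anything a person chooses.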

(v)     Provider will track all access to Customer Information by unique ID (such as username or user ID) and will maintain a secure record of that access for at least the trailing 90 days, or such longer period specified by AWS based on the classification and sensitivity of the Customer Information. 

(vi)     Except where expressly authorized by AWS in writing, Provider will isolate Customer Information at all times (including in storage, processing or transmission), from Provider’s and any third-party information. 

(vii)     If additional physical access controls are specified in a Work Order based on the classification and sensitivity of Customer Information, Provider will implement and use those secure physical access control measures.

(viii)     Provider will provide to AWS, on an annual basis or more frequently upon AWS’s request, (1) log data about all use (both authorized and unauthorized) of AWS accounts provided to Provider for use on behalf of AWS (e.g., shared Provider accounts), and (2) detailed log data about any impersonation of, or attempt to impersonate, any Personnel of AWS or Provider who has access to Customer Information, or any access of Customer Information by unauthorized entities.

(ix)     Provider will use industry standard software to search, analyze, monitor, and regularly review access log files for signs of malicious behavior or unauthorized access.

2.1.9     Remote Access. Provider will verify that any remote access to servers holding Customer Information or Provider’s corporate or development workstation networks requires two-factor authentication (e.g., requires at least two separate factors for identifying users).  If this is not implemented, Provider will implement this configuration or ensure that it is configured by the Customer.

2.1.10     “In Bulk” Access. Provider may only access Customer Information “in bulk” on systems such as AWS- or Provider-controlled databases, storage based archives, etc. if authorized by AWS in an applicable Work Order. For purposes of this section, “bulk access” means accessing data by means of a database query, report generation, or any other mass transfer of data. Provider will not be permitted to house any personal data or personally identifiable information on AWS- or Provider-controlled laptops or cloud environments. If a Work Order authorizes Provider “bulk access” to Customer Information, Provider will preserve detailed log data on all “bulk data access” to Customer Information, and provide reports from these logs as part of its obligations under Section 2.5 (Security Review). Provider will (1) limit access to “bulk data” to specified Provider Personnel who have a “need to know”, (2) utilize tools that limit access and require explicit authorization and logging of access, and (3) only access “bulk data” as specified in an applicable Work Order. Upon expiration or termination of the applicable Work Order, Provider will delete and remove all “bulk” Customer Information from Provider-controlled systems by utilizing methods described in Section 2.4.5 (Deletion Standards) and Section 2.4.6 (Digital Sanitization).

2.1.11     Provider Personnel. Provider will ensure that all Provider Personnel successfully complete, as determined by AWS in its sole discretion, required security training(s) (and any additional requirements identified by AWS) before performance of the services. Provider will restrict access to Customer Information to only Personnel performing Services under the Agreement who have a need to know and have completed all requirements specified by AWS. Provider will maintain a list of all Personnel who have accessed or received Customer Information, and promptly provide that list to AWS upon request. Provider will immediately (within a maximum of 24 hours) notify AWS and terminate access to Customer Information if any of Provider’s Personnel (a) no longer need to access Customer Information (b) is non-compliant with any requirements specified by AWS or (c) no longer qualify as Provider Personnel (e.g. individuals that leave Provider’s employment).

2.1.12     Integrated Development Environments. For all Services performed under each Work Order, Provider will configure independent and segregated environments in any software application that provides facilities to computer programmers for software development (“Integrated Development Environments" or "IDE”). Provider will configure any Integrated Development Environments to connect to isolated repositories designed exclusively for Services performed solely under each Work Order, as approved in writing by the Engagement Manager. Provider will patch and continually update all Integrated Development Environments against any security vulnerabilities. This includes updating plugins, extensions, or other aids used by the IDE. 

2.1.13     No External Exposure. Provider will not make any Customer Information publicly accessible.  Provider will not make any system configurations to Customer’s environments, AWS Accounts, endpoints, or devices that would cause such Customer Information to become publicly accessible.  This includes modifications to security groups, network access controls, or resource policies.

2.2     Access to AWS Extranet and Provider Portals. AWS may grant Provider access to Customer Information via web portals or other non-public websites or extranet services on AWS’s or a third-party’s website or system (each, an “Extranet”) for the Permitted Purpose. If AWS permits Provider to access any Customer Information using an Extranet, Provider must comply with the following requirements:

2.2.1     Permitted Purpose. Provider and its Personnel will access the Extranet and access, collect, use, view, retrieve, download or store Customer Information from the Extranet solely for the Permitted Purpose as described in the Work Order. 

2.2.2     Accounts. Provider will ensure that Provider Personnel use only the Extranet account(s) designated for each individual by AWS and will require Provider Personnel to keep their access credentials, AWS Access Keys, usernames and passwords confidential. 

2.2.3     Systems. Provider will access the Extranet only through computing or processing systems or applications running operating systems managed by Provider and that include: (i) system network firewalls in accordance with Section 2.1.3 (Network and Locally Configured Firewall); (ii) centralized patch management in compliance with Section 2.1.4 (Updates); (iii) operating system appropriate anti-virus software in accordance with Section 2.1.5 (Anti-virus and Anti-malware); and (iv) for portable devices, full disk encryption in accordance with Section 2.3 (Data Protection).

2.2.4     Restrictions. Except if approved in advance in writing by AWS, Provider will not download, mirror or permanently store any Customer Information from any Extranet on any medium, including any machines, devices or servers. 

2.2.5     Account Termination. Provider will terminate the account of each of Provider’s Personnel and notify AWS no later than 24 hours after any specific individual who has been authorized to access any Extranet (a) no longer needs access to Customer Information or (b) no longer qualifies as Provider’s Personnel (e.g., the person leaves Provider’s employment).

2.3     Data Protection. Provider will comply with AWS’s standards for protecting the confidentiality and integrity of Customer Information, including the requirements set forth below.  Provider acknowledges and agrees that AWS’s choice of encryption mechanisms may depend on a number of factors such as technical capability, transaction volume, latency requirements, and availability requirements. 

2.3.1     Sensitive Key Material. Provider will ensure that encryption keys (including, but not limited to, SSH keys, symmetric keys, and asymmetric private keys), login or authentication credentials (such as names and passwords), and bearer tokens (such as API keys) (collectively, “Sensitive Key Material”) are encrypted at all times in transit and at rest using the data protection and encryption methods set forth in this Security Policy, regardless of what system stores, transmits, or receives the Sensitive Key Material.

2.3.2     Encryption.  

2.3.2.1     Data at Rest. Unless otherwise stated in the applicable Work Order, Provider will enable AES 256-bit encryption on any Endpoints and devices that store Customer Information. This can be enabled through any industry standard full-disk encryption method.

2.3.2.2     Data in Transit. If Provider transmits Customer Information, it must transmit all Customer Information using the following AWS accepted encryption mechanisms and methods for data transmission (which may include other methods as specified by AWS):

Accepted Encryption Mechanisms

i.     Public key encryption must use a 2048-bit (or larger) RSA public key

ii.     Symmetric encryption must use AES with a 256-bit (or larger) key, in CBC or GCM mode. If required for compatibility reasons, TDEA/3DES may be used in CTR or CBC mode, with an HMAC of the encrypted data

iii.     Hashing of encrypted data must use 128-bit HMAC keys or SHA-256 or larger digests using the SHA-2 family of hashes. SHA1 may only be used for HMACs, key derivation functions and random number generators. 

Accepted Transport Encryption Methods

i.     Common Internet protocols (e.g., HTTP, XML/HTTP) over TLS 1.2 or greater, with certificate-based authentication 

ii.     Digitally signed and encrypted PGP (Pretty Good Privacy) or GPG (Gnu Privacy Guard) or S/MIME (Secure MIME) or XML-ENC messages over any transport

iii.     IPSec connections, using suites “VPN-B”, “Suite-B-GCM-128” or “Suite-B-GCM-256”

iv.     SFTP or SSH connections, using 256-bit (or stronger) symmetric encryption and host key verification. 

2.3.3     Verification. For all message-based encryption schemes employing digital signatures (including PGP and S/MIME), Provider will verify the digital signature of the message and reject all messages with invalid signatures.

2.3.4     Confidentiality. For all encryption schemes employing public key (asymmetric) cryptography, Provider will ensure the confidentiality of the private component of the public-private key pair and will promptly notify AWS if the private key is compromised. For all encryption schemes using private key (symmetric) cryptography, Provider will ensure the confidentiality of the private key and will promptly notify AWS if the private key is compromised. Encryption keys must not be shared with third party providers or any other third parties.

2.3.5     Third Party Systems. Provider will not use any third-party system, software, network, or other storage service (including any “cloud” services, electronic mail, or public utility file storage services) (each a “Third Party System”) to store, access, or process Customer Information, and must obtain AWS’s prior written approval before it uses any Third-Party System that stores or may otherwise have access to Customer Information. Provider will ensure that Provider Personnel do not use personal identities or personal subscriptions to Third Party Systems (i.e. personal email addresses or an existing personal account on a Third Party System) in the performance of the services.

Any data shared with a Third-Party System approved by AWS must be encrypted in accordance with the methods approved in Section 2.3.2 (Encryption) of this Security Policy, and Provider will ensure that the Third-Party System will not have access to the decryption key or unencrypted “plain text” versions of the data and maintains least privileged access to the data.  AWS reserves the right to require an AWS security review (in accordance with Section 2.5 (Security Review)) of the Third-Party System before giving approval.

2.4     Data Retention and Destruction.

2.4.1     Retention. Provider will retain Customer Information only for the purpose of, in accordance with and as long as is necessary for, the Permitted Purpose. Provider will ensure its Personnel, Third-Party Contractors, agents and suppliers do not copy or retain copies of Customer Information outside of Provider-controlled environments or end-points that comply with this Security Policy.

2.4.2     Return or Deletion. Provider will permanently and securely delete all instances of Customer Information within 90 days after the earlier of completion of the Permitted Purpose, request by the Customer, termination or expiration of the Agreement, or termination or expiration of a Work Order. Provider will promptly (but within no more than 72 hours after AWS’s request) return to AWS and permanently and securely delete all Customer Information upon and in accordance with AWS’s notice requiring return.

2.4.3     Archival Copies. If Provider is required by law to retain archival copies of Customer Information for tax or similar regulatory purposes, this archived Customer Information must be stored in one of the following ways:

(i)     As a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility; or

(ii)     Encrypted in accordance with Section 2.3 (Data Protection), where the system hosting or storing the encrypted file(s) does not have access to a copy of the key(s) used for encryption.

2.4.4     Recovery. If Provider performs a “recovery” (i.e., reverting to a backup) for the purpose of disaster recovery, Provider will have and maintain a process that ensures that all Customer Information that is required to be deleted pursuant to the Agreement or this Security Policy will be re-deleted or overwritten from the recovered data in accordance with this Section 2.4 within 24 hours after recovery occurs. Customer Information recovered to a third-party system or network must be stored with the same level of security as the original data. AWS reserves the right to require an AWS security review (in accordance with Section 2.5 Security Review) of any third-party system or network used for recovery of Customer Information and will provide final approval before Provider’s use of said system.

2.4.5     Deletion Standards. All Customer Information deleted by Provider will be deleted in accordance with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. With respect to Customer Information encrypted in compliance with this Security Policy, this deletion may be done by permanently and securely deleting all copies of the keys used for encryption.

2.4.6     Digital Sanitization. Before disposing in any manner of any hardware, software, or any other media that contains, or has at any time contained, AWS Information, Provider will perform a complete digital sanitization of the hardware, software or other media utilizing an industry standard sanitization tool that provides cryptographic or data erasure, to prevent Customer Information from being recovered or retrieved in any form. Provider will perform digital sanitization in accordance with the standards AWS may require based on the classification and sensitivity of Customer Information.

Provider will not sell, resell, donate, refurbish, or otherwise transfer (including any sale or transfer of any such hardware, software, or other media, any disposition in connection with any liquidation of Provider’s business, or any other disposition) any hardware, software or other media that contains, or has at any time contained, Customer Information unless all data storing devices have first been digitally sanitized by Provider utilizing an industry standard sanitization tool (such as BitLocker, ShredOS, etc.).

2.5     Security Review.

2.5.1     Initial Review. If AWS requests, Provider will undergo an initial security review (to be conducted by, and in accordance with standards specified by, AWS or its authorized representatives), including the completion of a risk assessment questionnaire provided by AWS.  Provider will cooperate and provide AWS with all required information within a reasonable time frame but no more than 20 calendar days from the date of AWS’s request.  AWS reserves the right to periodically request Provider to complete a new AWS risk assessment questionnaire. 

2.5.2     Certification. Upon AWS’s written request, Provider will certify in writing to AWS that it is in compliance with this Security Policy.

2.5.3     Security Audit. AWS reserves the right to periodically audit the security of systems that Provider uses to process Customer Information, as well as the implemented security policies, controls, guardrails, and processes of Provider to verify Provider and Provider Personnel are in compliance with the information security requirements set forth in this Security Policy. Provider will cooperate and provide AWS with all required information within a reasonable time frame but no more than 20 calendar days from the date of AWS’s request.

2.5.4     Remediation. If any security review identifies any deficiencies, Provider will, at its sole cost and expense, promptly take all actions necessary to remediate those deficiencies within 30 days from notification and provide proof of remediation directly to AWS.

2.6     Security Incidents.  

2.6.1     Provider will inform the AWS Engagement Manager within 8 hours of detecting any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption or loss of Customer Information, or breach of any environment containing Customer Information (each, a “Security Incident”). Provider will promptly remedy each Security Incident in coordination with the AWS Engagement Manager, and provide AWS written details regarding Provider’s internal investigation regarding each Security Incident. Provider agrees not to notify any regulatory authority, nor any customer, on behalf of AWS unless AWS specifically requests in writing that Provider do so and AWS reserves the right to review and approve the form and content of any notification before it is provided to any party.  

2.6.2     Provider will cooperate and work together with AWS to investigate, formulate and execute a plan to rectify all confirmed Security Incidents.

2.6.3     Sensitive Key Material.  Storage of Sensitive Key Material unencrypted in locations such as source code, configuration files, or other plain files will constitute a confirmed Security Incident, regardless of whether or not the Sensitive Key Material was accessed by an unauthorized person.
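Because Section 2.6.3 makes a plaintext secret in a file a confirmed Security Incident whether or not anyone read it, the practical control is to find such material before it is committed. The following is an added example, not an AWS tool and not part of this policy, of a scanner for the Sensitive Key Material classes named in Section 2.3.1 (access keys, private keys, assigned passwords and tokens) run over constructed sample files. The AWS access key ID prefix and length and the PEM private-key header are well-known formats; the generic "secret-looking assignment" rule and the placeholder allowlist are assumptions and are the parts most likely to need tuning.

```python
import re

# Detection rules. Only "assigned_secret" captures a value group; the
# others report the whole match.
PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Any PEM-armored private key, regardless of algorithm tag.
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Assumption: a name like password/secret/api_key/token assigned a
    # literal of 8+ characters is a hard-coded credential.
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Assumption: values that are references to an environment variable, a
# secrets manager, or an obvious placeholder are not plaintext secrets.
PLACEHOLDER = re.compile(
    r"\$\{?[A-Z_][A-Z0-9_]*\}?|os\.environ|getenv|secretsmanager|<[^>]+>|changeme|\*{3,}",
    re.I,
)


def redact(value):
    """Findings must not become another plaintext copy of the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(name, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if pat.groups else m.group(0)
            if kind == "assigned_secret" and PLACEHOLDER.search(value):
                continue
            findings.append(
                {"file": name, "line": lineno, "kind": kind, "preview": redact(value)}
            )
    return findings


def scan_files(files):
    """files: mapping of path -> contents (e.g. a staged-changes snapshot)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample input. AKIAIOSFODNN7EXAMPLE is the documented AWS
# example key ID; no value here is a real credential.
SAMPLE_FILES = {
    "config.yml": "\n".join([
        "db_host: db.internal",
        "db_password: ${DB_PASSWORD}",   # reference to an env var: allowed
        "api_key: 'hunter2hunter2'",     # hard-coded literal: incident
    ]),
    "deploy.py": "\n".join([
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",   # incident
        "SECRET = os.environ['SECRET']",                 # allowed
    ]),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%(file)s:%(line)d %(kind)s %(preview)s" % f)
```

Run as a pre-commit hook or in CI over staged files. The preview is deliberately truncated so that the scanner's own output, logs, or ticket text do not become a second unencrypted copy of the Sensitive Key Material.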

2.7     Provider Third-Party Contractors. Provider will ensure that Third-Party Contractors review and comply with the requirements set forth in this Security Policy.

2.8     General. All choices (no matter how described) by AWS under this Agreement will be made in its sole discretion. All references to standards for security requirements under this Security Policy refer to the specified standards and their respective successor versions or equivalent versions, as they may be updated, unless AWS specifies otherwise.

Subscribe to Provider Security Policy Update Notices using the form below:

First Name*
Last Name*
Email Address*
Company Name*

You may unsubscribe from receiving Update Notices at any time by following the instructions in the notices received. AWS collects and uses your personal information in accordance with the AWS Privacy Notice.
