AWS Security Blog
Frequently Asked Questions About Compliance in the AWS Cloud
May 22, 2019 update: We’ve removed a reference to the IT-Grundschutz Certification Workbook. AWS now recommends that customers refer to the Cloud Computing Compliance Controls Catalog (C5) instead. Learn more about C5 here: https://thinkwithwp.com/compliance/bsi-c5/
Every month, AWS Compliance fields thousands of questions about how to achieve and maintain compliance in the cloud. Among other things, customers are eager to take advantage of the cost savings and security at scale that AWS offers while still maintaining robust security and regulatory compliance. Because regulations across industries and geographies can be complex, we thought it might be helpful to share answers to some of the frequently asked questions we hear about compliance in the AWS cloud, as well as to clear up potential misconceptions about how operating in the cloud might affect compliance.
Is AWS compliant with [Program X]?
Context is required to answer this question. In all cases, customers operating in the cloud remain responsible for complying with applicable laws and regulations, and it is up to you to determine whether AWS services meet applicable requirements for your business. To help you make this determination, we have enacted assurance programs across multiple industries and jurisdictions to inform and support AWS customers. We think about these assurance programs across the following three broad categories.
1. Certifications and attestations
Compliance certifications and attestations (evidence showing that something is true) are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.
Assurance programs in this category include:
- DoD SRG
- FedRAMP
- FIPS
- IRAP
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- MLPS Level 3
- MTCS
- PCI DSS Level 1
- SEC Rule 17a-4(f)
- SOC 1
- SOC 2
- SOC 3
2. Laws and regulations
AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Agreement) to support customer compliance. Requirements under applicable laws and regulations may not be subject to certification or attestation.
Assurance programs in this category include:
- EU Model Clauses
- FERPA
- HIPAA
- IRS-1075
- ITAR
- My Number Act [Japan]
- VPAT / Section 508
- EU Data Protection Directive
3. Alignments and frameworks
Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.
Requirements under specific alignments and frameworks may not be subject to certification or attestation; however, some alignments and frameworks are covered by other compliance programs. (for instance, NIST guidelines can be mapped to applicable FedRAMP security baselines).
Assurance programs in this category include:
How does AWS separate the responsibilities that they cover from the ones I still need to maintain around my compliance program?
AWS operates on the AWS Shared Responsibility Model. While AWS manages security of the cloud, customers remain responsible for compliance and security in the cloud. You retain control of the security you choose to implement to protect your content, platform, applications, systems, and networks, and you are responsible for meeting specific compliance and regulatory requirements.
Learn more about the AWS Shared Responsibility Model by watching the following video.
What’s an example of an AWS community focused on compliance?
AWS recently released a publicly available GitHub repository for AWS Config Rules. All members of the AWS community can contribute to this repository to help make effective and useful Config Rules. You can tap into the collective ingenuity and expertise of the entire AWS community to automate your compliance checks. For more information, see Announcing the AWS Config Rules Repository: A New Community-Based Source of Custom Rules for AWS Config.
What is AWS’s formal security incident response plan?
AWS’s formally documented incident response plan addresses purpose, scope, roles, responsibilities, and management commitment. It has been developed in alignment with ISO 27001 and NIST 800-53 standards. AWS has implemented the following three-phased approach to incident management:
- AWS detects an incident.
- Specialized teams address the incident.
- AWS conducts a postmortem and deep root-cause analysis of the incident.
Mechanisms are in place to allow the customer support team to be notified of operational issues that impact the customer experience. A Service Health Dashboard is available and maintained by the customer support team to alert customers to any issues that may be of broad impact. The AWS incident management program is reviewed by independent external auditors during audits of AWS’s SOC, PCI DSS, ISO 27001, and FedRAMP compliance.
How often does AWS issue SOC reports and when does the next one become available?
AWS issues two SOC 1 and SOC 2 reports covering 6-month periods each year (the first report covers October 1 through March 31, and the other covers April 1 through September 30). There are many factors that play into the release date of the report, but we target early May and early November each year to release new reports. Our downloadable AWS SOC 3 Report is issued annually and is released along with the May SOC 1 and SOC 2 reports.
Please contact us with questions about using AWS products in a compliant manner, or if you’d like to learn more about compliance in the cloud, see the AWS Cloud Compliance website.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.