Chapter 13 – AWS Risk and Compliance

AWS communicates with customers regarding its security and control environment through the following mechanisms:

  1. Obtaining industry certifications and independent third-party attestations
  2. Publishing information about security and AWS control practices via the website, white papers, and blogs
  3. Directly providing customers with certificates, reports, and other documentation (some of these, such as SOC 1 and SOC 2 reports, are shared only under NDA; SOC 3 reports are public)

The shared responsibility model is not limited to security considerations; it also extends to IT controls. The management, operation, and verification of IT controls are shared between AWS and the customer: AWS owns the controls over the physical infrastructure and the underlying services, while the customer owns the controls over everything they deploy and configure on top of them (identity, data, guest operating systems, applications).

AWS documents its control environment extensively. That documentation reaches customers through white papers, reports, certifications, and other third-party attestations.

AWS provides IT control information to customers in two ways: specific control definition and general control standard compliance. Specific control definition means reports (for example SOC 1) that describe individual AWS controls in enough detail that a customer can map them to the requirements of their own control framework. General control standard compliance means certifications and attestations (for example ISO 27001 or PCI DSS) that show AWS meets a recognized standard as a whole, without the customer having to evaluate each control individually.

Certifications, attestations, and compliance programs AWS had achieved or supported at the time of writing:

  • FedRAMP
  • FIPS 140-2
  • FISMA and DIACAP
  • HIPAA
  • ISO 9001
  • ISO 27001
  • ITAR
  • PCI DSS Level 1
  • SOC 1/SSAE 16/ISAE 3402
  • SOC 2
  • SOC 3

Note that not every item in this list is a certification in the strict sense. There is no HIPAA or ITAR certification body; these are regulatory frameworks that AWS supports (for HIPAA, by signing a Business Associate Agreement with the customer), and the customer remains responsible for configuring and operating their workloads in a compliant way. The list of programs AWS participates in changes over time; the current list is published at https://aws.amazon.com/compliance/programs/.
