AWS communicates with customers regarding its security and control environment through the following mechanisms:
- Obtaining industry certifications and independent third-party attestations
- Publishing information about security and AWS control practices via the website, white papers, and blogs
- Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer.
The control environment for AWS contains a large volume of information. This information is provided to customers through white papers, reports, certifications, and other third-party attestations.
AWS provides IT control information to customers in two ways: specific control definition and general control standard compliance.
Certifications and accreditations that AWS has achieved:
- FIPS 140-2
- FISMA and DIACAP
- ISO 9001
- ISO 27001
- PCI DSS Level 1
- SOC 1/ISAE 3402
- SOC 2
- SOC 3