Professional Documents
Culture Documents
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility Customer Responsibility
Asset Management (ID.AM): The data, ID.AM-1: Physical devices and systems · CIS CSC 1 AWS Certifications, AWS Resource Tagging, CM-8 AWS is wholly responsible to implement a physical inventory control program. N/A - Customers do not have any responsibility in the AWS Cloud for the
personnel, devices, systems, and within the organization are inventoried · COBIT 5 BAI09.01, BAI09.02 AWS Config, AWS Config Rules, AWS Cloud inventory of AWS physical devices and systems.
facilities that enable the organization to · ISA 62443-2-1:2009 4.2.3.4 Formation, AWS CloudTrail, AWS CloudWatch Implementation:
achieve business purposes are identified · ISA 62443-3-3:2013 SR 7.8 Logs, Customer Responsibility People - All AWS employees and contractors who procure, receive, install, Customers are only responsible for this control for the physical assets they
and managed consistent with their · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 operate, and dispose of physical devices and systems are trained on company own and operate outside of the Cloud (e.g., servers, computers, network
relative importance to business · NIST SP 800-53 Rev. 4 CM-8, PM-5 policies and procedures. They undergo a background check upon hiring (depth and equipent, mobile devices, IoT devices, peripheals, etc.).
objectives and the organization’s risk process varies based on country of hiring, role in AWS, and AWS region
strategy. supporting). Employees and contractors who do not comply with established
policies and procedures may face disciplinary actions, up to and including
termination of employment or contract.
Processes - AWS has established polcies and processes for the management of
physical devices and systems, which include user responsibilities for assigned
hardware (e.g., laptops); logisticians for procurement, receiving, inventory, and
destruction/disposition; datacenter operators for installation, management, and
removal; and IT operations staff for installation, management, and disposition of
other devices (e.g., printers).
CA-3 A. There are no system interconnections. AWS customers are responsible for documenting, authorizing, reviewing,
B. There are no system interconnections. and updating Interconnection Security Agreements (ISAs) for connections
C. There are no system interconnections. between their system and other systems that include the following
information for each connection: 1) Interface characteristics, 2) Security
requirements, and 3) The nature of the information communicated. AWS
customers are responsible for reviewing and updating ISAs with at a
frequency defined by their security assessment and authorization policy.
CA-9 Several network fabrics exist at Amazon, each separated by boundary protection AWS customers are responsible for documenting and authorizing internal
devices that control the flow of information between fabrics. The flow of system connections for organization-defined system components or
information between fabrics is established by approved authorizations, which exist classes of components. For each internal connection, the interface
as access control lists (ACL) residing on these devices. ACLs are defined, characteristics, security requirements, and the nature of the information
approved by appropriate Amazon’s Information Security team, managed and communicated should be documented in accordance with the security
deployed using AWS ACL-manage tool. assessment and authorization policy.
Approved firewall rule sets and access control lists between network fabrics restrict
the flow of information to specific information system services. Access control
lists and rule sets are reviewed and approved, and are automatically pushed to
boundary protection devices on a periodic basis (at least every 24 hours) to ensure
rule-sets and access control lists are up-to-date.
PL-8 AWS gives customers ownership and control over their content by design through AWS customers are responsible for developing an information security
simple, but powerful tools that allow customers to determine where their content architecture for the information system that: 1) Describes the overall
will be stored, how it will be secured in transit or at rest, and access to their AWS philosophy, requirements, and approach to be taken with regard to
environment will managed. protecting the confidentiality, integrity, and availability of organizational
information, 2) Describes how the information security architecture is
AWS has implemented global privacy and data protection best practices in order to integrated into and supports the enterprise architecture, and 3) Describes
helping customers establish, operate and leverage our security control environment. any information security assumptions about and dependencies on external
These security protections and control processes are independently validated by services.
multiple third-party independent assessments.
AWS customers are responsible for reviewing and updating the
information security architecture at an organization-defined frequency to
reflect updates in the enterprise architecture. Planned information security
architecture changes must be reflected in the security plan, the security
Concept of Operations (CONOPS), and organizational
procurements/acquisitions.
ID.AM-4: External information systems · CIS CSC 12 AWS Certifications, Customer Responsibility AC-20 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for establishing terms and conditions with
are catalogued · COBIT 5 APO02.02, APO10.04, DSS01.02 or vendors) in accordance with the work or service to be provided (e.g., network other organizations owning, operating, and/or maintaining external
· ISO/IEC 27001:2013 A.11.2.6 services agreement, service delivery agreement, or information exchange information systems. Consistent with any trust relationships established
· NIST SP 800-53 Rev. 4 AC-20, SA-9 agreement) and implements appropriate relationship management mechanisms in with these external organizations and in accordance with their access
line with their relationship to the business. Agreements cover, at a minimum, the control policy AWS customers are responsible for authorizing individuals
following: to: 1) Access their system from an external information system and 2)
• Legal and regulatory requirements applicable to AWS Process, store, or transmit organization-controlled information using
• User awareness of information security responsibilities and issues external information systems.
• Arrangements for reporting, notification, and investigation of information
security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level
Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in
accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of
AWS
• Conditions for renegotiation/termination of the agreement.
SA-9 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for: 1) Requiring that providers of
or vendors) in accordance with the work or service to be provided (e.g., network external information system services comply with organizational
services agreement, service delivery agreement, or information exchange information security requirements and employ organization-defined
agreement) and implements appropriate relationship management mechanisms in security controls in accordance with applicable federal laws, Executive
line with their relationship to the business. Agreements cover, at a minimum, the Orders, directives, policies, regulations, standards, and guidance, 2)
following: Defining and documenting government oversight and user roles and
• Legal and regulatory requirements applicable to AWS responsibilities with regard to external information system services, and
• User awareness of information security responsibilities and issues 3) Employing organization-defined processes, methods, and techniques to
• Arrangements for reporting, notification, and investigation of information monitor security control compliance by external service providers on an
security incidents and security breaches ongoing basis.
• Target and unacceptable levels of service (e.g., SLA, Operational Level
Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in
accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of
AWS
• Conditions for renegotiation/termination of the agreement.
ID.AM-5: Resources (e.g., hardware, · CIS CSC 13, 14 AWS Tagging, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement AWS customers are responsible for developing a contingency plan for
devices, data, and software) are · COBIT 5 APO03.03, APO03.04, procedures to respond to a serious outage or degradation of AWS services, their system that: 1) Identifies essential missions and business functions
prioritized based on their classification, APO12.01, BAI04.02, BAI09.02 including the recovery model and its implications on the business continuity plan. and associated contingency requirements, 2) Provides recovery objectives,
criticality, and business value · ISA 62443-2-1:2009 4.2.3.6 restoration priorities, and metrics, 3) Addresses contingency roles,
· ISO/IEC 27001:2013 A.8.2.1 responsibilities, and assigned individuals with contact information, 4)
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO Addresses maintaining essential missions and business functions despite
SC-6 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented, and 6) Is
reviewed and approved by organization-defined personnel or roles in
accordance with the contingency planning policy.
RA-2 AWS treats all customer content and associated assets as highly confidential. AWS AWS customers are responsible for: 1) Categorizing their information and
Cloud services are content agnostic in that they offer the same high level of their information system in accordance with applicable federal laws,
security to all customers, regardless of the type of content being stored. We are Executive Orders, directives, policies, regulations, standards, and
vigilant about our customers’ security and have implemented sophisticated guidance, 2) Documenting the security categorization results (including
technical and physical measures against unauthorized access. AWS has no insight supporting rationale) in the security plan for the information system, and
as to what type of content the customer chooses to store in AWS, and the customer 3) Ensuring the security categorization decision is reviewed and approved
retains complete control of how they choose to classify their content, where it is by the AO or authorizing official designated representative.
stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide
specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
Business Environment (ID.BE): The ID.BE-1: The organization’s role in the · COBIT 5 APO08.01, APO08.04, AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement AWS customers are responsible for developing a contingency plan for
organization’s mission, objectives, supply chain is identified and APO08.05, APO10.03, APO10.04, APO10.05 procedures to respond to a serious outage or degradation of AWS services, their system that: 1) Identifies essential missions and business functions
stakeholders, and activities are communicated · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, including the recovery model and its implications on the business continuity plan. and associated contingency requirements, 2) Provides recovery objectives,
understood and prioritized; this A.15.1.3, A.15.2.1, A.15.2.2 restoration priorities, and metrics, 3) Addresses contingency roles,
information is used to inform · NIST SP 800-53 Rev. 4 CP-2, SA-12 responsibilities, and assigned individuals with contact information, 4)
cybersecurity roles, responsibilities, and Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO Addresses maintaining essential missions and business functions despite
risk management decisions. 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented, and 6) Is
reviewed and approved by organization-defined personnel or roles in
accordance with the contingency planning policy.
SA-12 Key suppliers are identified and chosen for their ability to provide service to AWS customers are responsible for protecting against supply chain threats
defined requirements. Qualified suppliers are added to the approved supplier list to the information system, system component, or information system
maintained by the AWS supplier management team. Through the use of established service by employing organization-defined security safeguards as part of a
assessment procedures, AWS continuously monitors suppliers to ensure that they comprehensive, defense-in-breadth information security strategy.
are conforming to specific AWS requirements. The extent of assessment for a
supplier is dependent upon the significance of the product and/or service purchased
and, where applicable, upon previously demonstrated performance.
All purchased materials and services intended for use in production processes are
specified in purchasing documents. All component/material specification
documents are reviewed and approved by management personnel prior to use.
Additional requirements not specified on component/material specifications are
conveyed via purchase orders or contracts. Purchase orders and/or contracts convey
the degree of control AWS establishes with their suppliers to ensure quality
product and/or service.
AWS maintains standard contract review and signature processes that include legal
reviews that focus on protecting AWS resources.
ID.BE-2: The organization’s place in · COBIT 5 APO02.06, APO03.01 AWS Certifications, Customer Responsibility PM-8 N/A N/A
critical infrastructure and its industry · ISO/IEC 27001:2013 Clause 4.1
sector is identified and communicated · NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational · COBIT 5 APO02.01, APO02.06, APO03.01 Customer Responsibility PM-11 N/A N/A
mission, objectives, and activities are · ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 SA-14 N/A N/A
establishedDependencies
ID.BE-4: and communicated
and critical ·· NIST
COBITSP5 800-53 Rev.BAI04.02,
APO10.01, 4 PM-11, SA-14
BAI09.02 AWS Certifications, AWS Best Practices & CP-8 The AWS business continuity plan details the three-phased approach that AWS has N/A
functions for delivery of critical services · ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, Reference Architectures, Customer Responsibility developed to recover and reconstitute the AWS infrastructure:
are established A.12.1.3 • Activation and Notification Phase
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, • Recovery Phase
PM-8, SA-14 • Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution
efforts in a methodical sequence, maximizing the effectiveness of the recovery and
reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions. Each
data center is built to physical, environmental, and security standards in an active-
active configuration, employing an n+1 redundancy model to ensure system
availability in the event of component failure. Components (N) have at least one
independent backup component (+1), so the backup component is active in the
operation even if all other components are fully functional. In order to eliminate
single points of failure, this model is applied throughout AWS, including network
and data center implementation. All data centers are online and serving traffic; no
data center is “cold.” In case of failure, there is sufficient capacity to enable traffic
to be load-balanced to the remaining sites.
PE-11 The AWS data center electrical power systems are designed to be fully redundant N/A
and maintainable without impact to operations, 24 hours a day. Power to AWS data
centers is provided through local power providers. In the event of disruption, UPS
units provide backup power or critical and essential loads in the facility and
generators are used to provide backup power for the entire facility.
Each Availability Zone is designed as an independent failure zone. Automated
processes move customer traffic away from the affected area in the case of a
failure.
PE-9 Access to power equipment, power cabling, and transmission lines are restricted to N/A
authorized personnel and are positioned to prevent intentional or accidental
damage.
PM-8 N/A N/A
SA-14 N/A N/A
ID.BE-5: Resilience requirements to · COBIT 5 BAI03.02, DSS04.02 AWS Certifications, AWS Best Practices & CP-11 N/A N/A
support delivery of critical services are · ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, Reference Architectures, Customer Responsibility CP-2 AWS region fault isolation architecture, Availability Zones (AZ) architecture AWS customers are responsible for developing a contingency plan for
established for all operating states (e.g. A.17.1.2, A.17.2.1 within regions, AWS Certifications, AWS Best Practices & Reference their system that: 1) Identifies essential missions and business functions
under duress/attack, during recovery, · NIST SP 800-53 Rev. 4 CP-2, CP-11, SA- Architectures, Customer Responsibility and associated contingency requirements, 2) Provides recovery objectives,
normal operations) 13, SA-14 restoration priorities, and metrics, 3) Addresses contingency roles,
responsibilities, and assigned individuals with contact information, 4)
Addresses maintaining essential missions and business functions despite
an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented, and 6) Is
reviewed and approved by organization-defined personnel or roles in
accordance with the contingency planning policy.
AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
AT-1 AWS has implemented formal, documented security awareness and training policy AWS has established and communicated information security framework
and procedures that address purpose, scope, roles, responsibilities, management and policies which have integrated the ISO 27001 certifiable framework
commitment, coordination among organizational entities, and compliance. The based on ISO 27002 controls, American Institute of Certified Public
security awareness and training policy and procedures are reviewed and updated at Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
least annually, or sooner if required due to information system changes. The policy National Institute of Standards and Technology (NIST) Publication 800-
is disseminated through the internal Amazon communication portal to all 53 (Recommended Security Controls for Federal Information Systems).
employees, vendors, and contractors prior to receiving authorized access to the AWS manages third-party relationships in alignment with ISO 27001
information system or performing assigned duties. standards. AWS Third Party requirements are reviewed by independent
AWS has developed, documented, and disseminated security awareness and role- external
based security training for personnel responsible for designing, developing, auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
implementing, operating, maintaining, and monitoring AWS systems. Training compliance.
includes, but is not limited to, the following information (when relevant to the
employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other
complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in
organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
CM-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
CP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
IA-1 AWS implements formal, documented policies and procedures that provide AWS has established and communicated information security framework
guidance for operations and information security within the organization and the and policies which have integrated the ISO 27001 certifiable framework
supporting AWS environments. Policies address purpose, scope, roles, based on ISO 27002 controls, American Institute of Certified Public
responsibilities and management commitment. All policies are maintained in a Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
centralized location that is accessible by employees. National Institute of Standards and Technology (NIST) Publication 800-
53 (Recommended Security Controls for Federal Information Systems).
Policies are reviewed approved by AWS leadership at least annually or following a AWS manages third-party relationships in alignment with ISO 27001
significant change to the AWS environment. standards. AWS Third Party requirements are reviewed by independent
external
All employees, vendors, and contractors who require a user account must be on- auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
boarded through Amazon’s HR management system. As part of the onboarding compliance.
workflow, the direct manager of the employee, vendor, or contractor requests the
establishment of a user account. Group or shared accounts are not permitted within
the system boundary. The approved request serves as the approval to establish a
user account.
In the event that an active or inactive user does not comply with the above stated
policy, their account will be locked.
IR-1 AWS has implemented a formal, documented incident response policy and AWS has established and communicated information security framework
program. The policy addresses purpose, scope, roles, responsibilities, and and policies which have integrated the ISO 27001 certifiable framework
management commitment. based on ISO 27002 controls, American Institute of Certified Public
AWS uses a three-phased approach to manage incidents: Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
1. Activation and Notification Phase – Incidents for AWS begin with the detection National Institute of Standards and Technology (NIST) Publication 800-
of an event. Events originate from several sources such as: 53 (Recommended Security Controls for Federal Information Systems).
• Metrics and alarms – AWS maintains an exceptional situational awareness AWS manages third-party relationships in alignment with ISO 27001
capability; most issues are rapidly detected from 24x7x365 monitoring and standards. AWS Third Party requirements are reviewed by independent
alarming of real time metrics and service dashboards. The majority of incidents are external
detected in this manner. AWS uses early indicator alarms to proactively identify auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
issues that may ultimately impact customers. compliance.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis of
the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components, the
call leader will assign follow-up documentation and follow-up actions and end the
call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it allows
the AWS Security and service teams to test the systems for potential customer
impact and further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
MA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
MP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
PS-1 AWS has implemented formal, documented security awareness and training policy AWS has established and communicated information security framework
and procedures that address purpose, scope, roles, responsibilities, management and policies which have integrated the ISO 27001 certifiable framework
commitment, coordination among organizational entities, and compliance. The based on ISO 27002 controls, American Institute of Certified Public
security awareness and training policy and procedures are reviewed and updated at Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
least annually, or sooner if required due to information system changes. The policyNational Institute of Standards and Technology (NIST) Publication 800-
is disseminated through the internal Amazon communication portal to all 53 (Recommended Security Controls for Federal Information Systems).
employees, vendors, and contractors prior to receiving authorized access to the AWS manages third-party relationships in alignment with ISO 27001
information system or performing assigned duties. standards. AWS Third Party requirements are reviewed by independent
external
AWS has a formal access control policy that is reviewed and updated on an annual auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
basis (or when any major change to the system occurs that impacts the policy). The compliance.
policy addresses purpose, scope, roles, responsibilities and management
commitment. Access control procedures are systematically enforced through
proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added,
modified, or disabled in a timely manner and are reviewed on a periodic basis. In
addition, password complexity settings for user authentication to AWS systems are
managed in compliance with Amazon’s Corporate Password Policy.
AWS has established formal policies and procedures to delineate standards for
logical access to AWS platform and infrastructure hosts. Where permitted by law,
AWS requires that all employees undergo a background investigation
commensurate with their position and level of access. The policies also identify
functional responsibilities for the administration of logical access and security.
PE-1 AWS has implemented a formal, documented physical and environmental AWS has established and communicated information security framework
protection policy that is updated and reviewed annually. and policies which have integrated the ISO 27001 certifiable framework
based on ISO 27002 controls, American Institute of Certified Public
Policies are reviewed approved by AWS leadership at least annually or following a Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
significant change to the AWS environment. National Institute of Standards and Technology (NIST) Publication 800-
53 (Recommended Security Controls for Federal Information Systems).
AWS maintains relationships with internal and external parties to monitor legal, AWS manages third-party relationships in alignment with ISO 27001
regulatory, and contractual requirements. Should a new security directives be standards. AWS Third Party requirements are reviewed by independent
issued, AWS has documented plans in place to implement that directive with external
designated timeframes. auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
compliance.
PL-1 AWS has established formal policies and procedures to delineate standards for AWS has established and communicated information security framework
logical access to AWS platform and infrastructure hosts. Where permitted by law, and policies which have integrated the ISO 27001 certifiable framework
AWS requires that all employees undergo a background investigation based on ISO 27002 controls, American Institute of Certified Public
commensurate with their position and level of access. The policies also identify Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
functional responsibilities for the administration of logical access and security. National Institute of Standards and Technology (NIST) Publication 800-
53 (Recommended Security Controls for Federal Information Systems).
AWS has a formal access control policy that is reviewed and updated on an annual AWS manages third-party relationships in alignment with ISO 27001
basis (or when any major change to the system occurs that impacts the policy). The standards. AWS Third Party requirements are reviewed by independent
policy addresses purpose, scope, roles, responsibilities and management external
commitment. Access control procedures are systematically enforced through auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
proprietary tools. compliance.
Procedures exist so that Amazon employee and contractor user accounts are added,
modified, or disabled in a timely manner and are reviewed on a periodic basis. In
addition, password complexity settings for user authentication to AWS systems are
managed in compliance with Amazon’s Corporate Password Policy.
PM-1 AWS has established an information security management program with AWS has established and communicated information security framework
designated roles and responsibilities that are appropriately aligned within the and policies which have integrated the ISO 27001 certifiable framework
organization. AWS management reviews and evaluates the risks identified in the based on ISO 27002 controls, American Institute of Certified Public
risk management program at least annually. The risk management program Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
encompasses the following phases: National Institute of Standards and Technology (NIST) Publication 800-
• Identify – The identification phase includes listing out risks (threats and 53 (Recommended Security Controls for Federal Information Systems).
vulnerabilities) that exist in the environment. This phase provides a basis for all AWS manages third-party relationships in alignment with ISO 27001
other risk management activities. standards. AWS Third Party requirements are reviewed by independent
• Assess – The assessment phase considers the potential impact(s) of identified external
risks to the business and its likelihood of occurrence and includes an evaluation of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
internal control effectiveness. compliance.
• Mitigate – The mitigate phase includes putting controls, processes, and other
physical and virtual safeguards in place to prevent and detect identified and
assessed risks.
• Report – The report phase results in risk reports provided to managers with the
data they need to make effective business decisions and to comply with internal
policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring
activities to evaluate whether processes, initiatives, functions, and/or activities are
mitigating the risk as designed.
RA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
CA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SC-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SI-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
ID.GV-2: Information Cybersecurity · CIS CSC 19 AWS Certifications, Customer Responsibility PM-1 AWS provides security policies and security training to employees to educate them AWS customers are responsible for developing and implementing a
security roles & responsibilities are · COBIT 5 APO01.02, APO10.03, as to their role and responsibilities concerning cybersecurity. Employees who cybersecurity program that includes roles and responsibilities of internal
coordinated and aligned with internal APO13.02, DSS05.04 violate Amazon standards or protocols are investigated and appropriate disciplinary and external stakeholders, along with methods of communications and
roles and external partners · ISA 62443-2-1:2009 4.3.2.3.3 action (e.g. warning, performance plan, suspension, and/or termination) is coordination.
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, followed. Refer to the AWS Cloud Security Whitepaper for additional details -
A.15.1.1 available at http://aws.amazon.com/security. Refer to ISO 27001 Annex A, domain
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2 7 for additional details. AWS has been validated and certified by an independent
auditor to confirm alignment with ISO 27001 certification standard.
ID.GV-3: Legal and regulatory · CIS CSC 19 AWS Certifications, Customer Responsibility AC-1 AWS implements formal, documented policies and procedures that provide AWS customers are responsible for developing, documenting,
requirements regarding cybersecurity, · COBIT 5 BAI02.01, MEA03.01, MEA03.04 guidance for operations and information security within the organization and the maintaining, disseminating, and implementing an access control policy
including privacy and civil liberties · ISA 62443-2-1:2009 4.4.3.7 supporting AWS environments. Policies address purpose, scope, roles, and supporting procedures. AWS customers are responsible for reviewing
obligations, are understood and · ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, responsibilities, and management commitment. All policies are maintained in a and updating the policy and procedures at a frequency defined by their
managed A.18.1.3, A.18.1.4, A.18.1.5 centralized location that is accessible by employees. organization.
· NIST SP 800-53 Rev. 4 -1 controls from all
security control families
AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing an audit and accountability
1) Identifies and evaluates applicable laws and regulations for each of the policy along with supporting procedures. AWS customers are responsible
jurisdictions in which AWS operates. for reviewing and updating the policy and procedures at a frequency
2) Documents and implements controls to ensure conformity with all statutory, defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information More information on implementing logging with an AWS account is
security policies to protect from loss, destruction, falsification, unauthorized available at https://aws.amazon.com/whitepapers/security-at-scale-
access, and unauthorized release. logging-in-aws/ and http://aws.amazon.com/cloudtrail/
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
AT-1 AWS has implemented formal, documented security awareness and training policy AWS customers are responsible for developing, documenting,
and procedures that address purpose, scope, roles, responsibilities, management maintaining, disseminating, and implementing a security awareness and
commitment, coordination among organizational entities, and compliance. The training policy along with supporting procedures. AWS customers are
security awareness and training policy and procedures are reviewed and updated at responsible for reviewing and updating the policy and procedures at a
least annually, or sooner if required due to information system changes. The policy frequency defined by their organization.
is disseminated through the internal Amazon communication portal to all
employees, vendors, and contractors prior to receiving authorized access to the
information system or performing assigned duties.
AWS has developed, documented, and disseminated security awareness and role-
based security training for personnel responsible for designing, developing,
implementing, operating, maintaining, and monitoring AWS systems. Training
includes, but is not limited to, the following information (when relevant to the
employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other
complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in
organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
CM-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a configuration
1) Identifies and evaluates applicable laws and regulations for each of the management policy along with supporting procedures. AWS customers
jurisdictions in which AWS operates. are responsible for reviewing and updating the policy and procedures at a
2) Documents and implements controls to ensure conformity with all statutory, frequency defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
CP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a contingency planning
1) Identifies and evaluates applicable laws and regulations for each of the policy along with supporting procedures. AWS customers are responsible
jurisdictions in which AWS operates. for reviewing and updating the policy and procedures at a frequency
2) Documents and implements controls to ensure conformity with all statutory, defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
IA-1 AWS implements formal, documented policies and procedures that provide AWS customers are responsible for developing, documenting,
guidance for operations and information security within the organization and the maintaining, disseminating, and implementing an identification and
supporting AWS environments. Policies address purpose, scope, roles, authentication policy along with supporting procedures. AWS customers
responsibilities and management commitment. All policies are maintained in a are responsible for reviewing and updating the policy and procedures at a
centralized location that is accessible by employees. frequency defined by their organization.
All employees, vendors, and contractors who require a user account must be on-
boarded through Amazon’s HR management system. As part of the onboarding
workflow, the direct manager of the employee, vendor, or contractor requests the
establishment of a user account. Group or shared accounts are not permitted within
the system boundary. The approved request serves as the approval to establish a
user account.
In the event that an active or inactive user does not comply with the above stated
policy, their account will be locked.
IR-1 AWS has implemented a formal, documented incident response policy and AWS customers are responsible for developing, documenting,
program. The policy addresses purpose, scope, roles, responsibilities, and maintaining, disseminating, and implementing an incident response policy
management commitment. along with supporting procedures. AWS customers are responsible for
AWS uses a three-phased approach to manage incidents: reviewing and updating the policy and procedures at a frequency defined
1. Activation and Notification Phase – Incidents for AWS begin with the detection by their organization.
of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents are
detected in this manner. AWS uses early indicator alarms to proactively identify
issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis of
the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components, the
call leader will assign follow-up documentation and follow-up actions and end the
call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it allows
the AWS Security and service teams to test the systems for potential customer
impact and further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
MA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing an maintenance policy
1) Identifies and evaluates applicable laws and regulations for each of the along with supporting procedures. AWS customers are responsible for
jurisdictions in which AWS operates. reviewing and updating the policy and procedures at a frequency defined
2) Documents and implements controls to ensure conformity with all statutory, by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
MP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual N/A
agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the
jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory,
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
PS-1 AWS has implemented formal, documented security awareness and training policy AWS customers are responsible for developing, documenting,
and procedures that address purpose, scope, roles, responsibilities, management maintaining, disseminating, and implementing a personnel security policy
commitment, coordination among organizational entities, and compliance. The along with supporting procedures. AWS customers are responsible for
security awareness and training policy and procedures are reviewed and updated at reviewing and updating the policy and procedures at a frequency defined
least annually, or sooner if required due to information system changes. The policy by their organization.
is disseminated through the internal Amazon communication portal to all
employees, vendors, and contractors prior to receiving authorized access to the
information system or performing assigned duties.
AWS has a formal access control policy that is reviewed and updated on an annual
basis (or when any major change to the system occurs that impacts the policy). The
policy addresses purpose, scope, roles, responsibilities and management
commitment. Access control procedures are systematically enforced through
proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added,
modified, or disabled in a timely manner and are reviewed on a periodic basis. In
addition, password complexity settings for user authentication to AWS systems are
managed in compliance with Amazon’s Corporate Password Policy.
AWS has established formal policies and procedures to delineate standards for
logical access to AWS platform and infrastructure hosts. Where permitted by law,
AWS requires that all employees undergo a background investigation
commensurate with their position and level of access. The policies also identify
functional responsibilities for the administration of logical access and security.
PE-1 AWS has implemented a formal, documented physical and environmental N/A
protection policy that is updated and reviewed annually.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
PL-1 AWS has established formal policies and procedures to delineate standards for AWS customers are responsible for developing, documenting,
logical access to AWS platform and infrastructure hosts. Where permitted by law, maintaining, disseminating, and implementing a security planning policy
AWS requires that all employees undergo a background investigation along with supporting procedures. AWS customers are responsible for
commensurate with their position and level of access. The policies also identify reviewing and updating the policy and procedures at a frequency defined
functional responsibilities for the administration of logical access and security. by the organization.
AWS has a formal access control policy that is reviewed and updated on an annual
basis (or when any major change to the system occurs that impacts the policy). The
policy addresses purpose, scope, roles, responsibilities and management
commitment. Access control procedures are systematically enforced through
proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added,
modified, or disabled in a timely manner and are reviewed on a periodic basis. In
addition, password complexity settings for user authentication to AWS systems are
managed in compliance with Amazon’s Corporate Password Policy.
PM-1 AWS has established an information security management program with N/A
designated roles and responsibilities that are appropriately aligned within the
organization. AWS management reviews and evaluates the risks identified in the
risk management program at least annually. The risk management program
encompasses the following phases:
• Identify – The identification phase includes listing out risks (threats and
vulnerabilities) that exist in the environment. This phase provides a basis for all
other risk management activities.
• Assess – The assessment phase considers the potential impact(s) of identified
risks to the business and its likelihood of occurrence and includes an evaluation of
internal control effectiveness.
• Mitigate – The mitigate phase includes putting controls, processes, and other
physical and virtual safeguards in place to prevent and detect identified and
assessed risks.
• Report – The report phase results in risk reports provided to managers with the
data they need to make effective business decisions and to comply with internal
policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring
activities to evaluate whether processes, initiatives, functions, and/or activities are
mitigating the risk as designed.
RA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a risk assessment policy
1) Identifies and evaluates applicable laws and regulations for each of the along with supporting procedures. AWS customers are responsible for
jurisdictions in which AWS operates. reviewing and updating the policy and procedures at a frequency defined
2) Documents and implements controls to ensure conformity with all statutory, by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
CA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a security assessment and
1) Identifies and evaluates applicable laws and regulations for each of the authorization policy along with supporting procedures. AWS customers
jurisdictions in which AWS operates. are responsible for reviewing and updating the policy and procedures at a
2) Documents and implements controls to ensure conformity with all statutory, frequency defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SC-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and
1) Identifies and evaluates applicable laws and regulations for each of the communications protection policy along with supporting procedures.
jurisdictions in which AWS operates. AWS customers are responsible for reviewing and updating the policy and
2) Documents and implements controls to ensure conformity with all statutory, procedures at a frequency defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SI-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and information
1) Identifies and evaluates applicable laws and regulations for each of the integrity policy along with supporting procedures. AWS customers are
jurisdictions in which AWS operates. responsible for reviewing and updating the policy and procedures at a
2) Documents and implements controls to ensure conformity with all statutory, frequency defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
SA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and services
1) Identifies and evaluates applicable laws and regulations for each of the acquisition policy along with supporting procedures. AWS customers are
jurisdictions in which AWS operates. responsible for reviewing and updating the policy and procedures at a
2) Documents and implements controls to ensure conformity with all statutory, frequency defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
ID.GV-4: Governance and risk · COBIT 5 EDM03.02, APO12.02, AWS Certifications, Customer Responsibility PM-10 AWS management leads an information security program that identifies and N/A
management processes address APO12.05, DSS04.02 establishes security goals that are relevant to business requirements. Annual
cybersecurity risks · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, evaluations are performed to allocate the resources necessary for performing
4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3 information security activities within AWS to meet or exceed customer and service
· ISO/IEC 27001:2013 Clause 6 specifications. AWS leadership review input includes:
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, • Results of audits and reviews.
PM-9, PM-10, PM-11 • Feedback from interested parties.
• Techniques, products, or procedures that could be used in the organization to
improve security, quality, system performance, and effectiveness.
• Status of preventative and corrective actions.
• Vulnerabilities or threats not adequately addressed in the previous risk
assessment.
• Results from effectiveness measurements.
• Follow-up actions from previous leadership reviews.
• Any changes that could affect the ISMS.
• Recommendations for improvement.
• Customer feedback.
Risk Assessment (ID.RA): The ID.RA-1: Asset vulnerabilities are · CIS CSC 4 AWS Certifications, Customer Responsibility CA-2 The AWS Compliance Assessment Team (CAT) maintains a documented audit AWS customers are responsible for conducting security assessments for
organization understands the identified and documented · COBIT 5 APO12.01, APO12.02, schedule of internal and external assessments to ensure implementation and their systems. Within this context and in accordance with their security
cybersecurity risk to organizational APO12.03, APO12.04, DSS05.01, DSS05.02 operating effectiveness of the AWS control environment to meet business, assessment and authorization policy, AWS customers are responsible for:
operations (including mission, functions, · ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, regulatory, and contractual objectives. 1) Developing a security assessment plan that describes the security
image, or reputation), organizational 4.2.3.12 The needs and expectations of internal and external parties are considered controls and control enhancements under assessment, assessment
assets, and individuals. · ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 throughout the development, implementation, and auditing of the AWS control procedures used to determine effectiveness, the assessment environment,
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, environment. Parties include, but are not limited to: the assessment team, and the assessment roles and responsibilities, 2)
RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 AWS customers, including customers with a contractual interest and potential Assessing security controls in their system and its environment of
customers. operation at an organization-defined frequency to determine the extent to
External parties to AWS, including regulatory bodies such as the external which the controls are implemented correctly, operating as intended, and
auditors and certifying agents. producing the desired outcome with respect to meeting established
Internal parties such as AWS services and infrastructure teams, security, legal, security requirements, 3) Producing a security assessment report that
and overarching administrative and corporate teams. documents the results of the assessment, and 4) Providing the results of
the security control assessment to their organization-defined individuals
or roles.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous AWS customers are responsible for developing a continuous monitoring
risk assessment and monitoring process. Additionally, annual security assessments strategy and implementing a continuous monitoring program in
are conducted by an accredited Third-Party Assessment Organization (3PAO) to accordance with their security assessment and authorization policy that
validate that implemented security controls continue to be effective. Security defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and
assessments that include a risk analysis and a Plan of Action and Milestones reporting, and 3) Personnel or roles responsible for conducting and
(POA&M) are submitted to authorizing officials for review and approval. receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1)
Establishing and configuring monitoring for defined metrics, 2)
Monitoring and conducting assessments as organization-defined
frequencies, 3) Conducting ongoing security control assessments, 4)
Conducting ongoing security status monitoring of their organization-
defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response
actions to address the results of the analysis of security-related
information, and 6) Reporting the security status of their organization and
the information system to the organization-defined personnel or roles at
the organization-defined frequency.
CA-8 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for conducting penetration testing on
conducting security-related activities within the system boundary. Activities organization-defined systems or system components at a frequency
include vulnerability scanning, contingency testing, and incident response prescribed by their security assessment and authorization policy.
exercises. AWS performs external vulnerability assessments at least quarterly, and
identified issues are investigated and tracked to resolution. Additionally, AWS
performs unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and
proactively monitor vendors’ websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4)
Disseminating risk assessment results to organization-defined personnel
or roles, and 5) Updating the risk assessment at an organization-defined
frequency or whenever there are significant changes to the information
system or environment of operation (including the identification of new
threats and vulnerabilities) or other conditions that may impact the
security state of the system.
RA-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Scanning for vulnerabilities in
conducting security-related activities within the system boundary. Activities their information system and hosted applications at an organization-
include vulnerability scanning, contingency testing, and incident response defined frequency and/or randomly in accordance with their organization-
exercises. AWS performs external vulnerability assessments at least quarterly, and defined process and when new vulnerabilities potentially affecting the
identified issues are investigated and tracked to resolution. Additionally, AWS system/applications are identified and reported; 2) Employing
performs unannounced penetration tests by engaging independent third parties to vulnerability scanning tools and techniques that promote interoperability
probe the defenses and device configuration settings within the system. among tools and automated parts of the vulnerability management process
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and by using standards for: a) Enumerating platforms, software flaws, and
proactively monitor vendors’ websites and other relevant outlets for new patches. improper configurations, b) Formatting and making transparent checklists
AWS customers also have the ability to report issues to AWS via the AWS and test procedures, and c) Measuring vulnerability impact; 3) Analyzing
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability- vulnerability scan reports and results from security control assessments;
reporting/. 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk;
and 5) Sharing information obtained from the vulnerability scanning
process and security control assessments with organization-defined
personnel or roles to help eliminate similar vulnerabilities in other
information systems (i.e., systemic weaknesses or deficiencies).
SA-5 AWS documents, tracks and monitors its legal, regulatory and contractual AWS customers are responsible for: 1) Obtaining administrator
agreements and obligations. In order to do so, AWS performs and maintains the documentation for their systems, system components, or information
following activities: system services that describes: a) Secure configuration, installation, and
operation of the system, component, or service, b) Effective use and
1) Identifies and evaluates applicable laws and regulations for each of the maintenance of security functions/mechanisms, and c) Known
jurisdictions in which AWS operates vulnerabilities regarding configuration and use of administrative (i.e.,
2) Documents and implements controls to ensure conformity with all statutory, privileged) functions; 2) Obtaining user documentation for their systems,
regulatory and contractual requirements relevant to AWS system components, or information system services that describes: a)
3) Categorizes the sensitivity of information according to the AWS information User-accessible security functions/mechanisms and how to effectively use
security policies to protect from loss, destruction, falsification, unauthorized access those security functions/mechanisms, b) Methods for user interaction that
and unauthorized release enables individuals to use the system, component, or service in a more
4) Informs and continually trains personnel that must be made aware of secure manner, and c) User responsibilities in maintaining the security of
information security policies to protect sensitive AWS information the system, component, or service; 3) Documenting attempts to obtain
5) Monitors for nonconformities to the information security policies with a process information system, system component, or information system service
in place to take corrective actions and enforce appropriate disciplinary action documentation for their systems when such documentation is either
unavailable or nonexistent and taking organization-defined actions in
AWS maintains relationships with internal and external parties to monitor legal, response; 4) Protecting documentation as required and in accordance with
regulatory, and contractual requirements. Should a new security directives be their system and services acquisition policy; and 5) Distributing
issued, AWS has documented plans in place to implement that directive with documentation to organization-defined personnel or roles.
designated timeframes.
AWS provides Customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications and other compliance enablers. Visit
aws.amazon.com/compliance/resources for additional information.
SI-2 AWS Security performs regular vulnerability scans on the host operating system, AWS customers are responsible for: 1) Identifying, reporting, and
web application, and databases in the AWS environment using a variety of tools. correcting information system flaws, 2) Testing software and firmware
External vulnerability assessments are conducted by an AWS approved third party updates related to flaw remediation for effectiveness and potential side
vendor at least annually, and identified issues are investigated and tracked to effects before installation, 3) Installing security-relevant software and
resolution. Vulnerabilities that are identified are monitored and evaluated and firmware updates within an organization-defined time period of the
countermeasures are designed, implemented, and operated to compensate for release of the updates, and 4) Incorporating flaw remediation into the
known and newly identified vulnerabilities. organizational configuration management process.
SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
conducting security-related activities within the system boundary. Activities security alerts, advisories, and directives from organization-defined
include vulnerability scanning, contingency testing, and incident response external organizations on an ongoing basis, 2) Generating internal security
exercises. AWS performs external vulnerability assessments at least quarterly, and alerts, advisories, and directives as deemed necessary, 3) Disseminating
identified issues are investigated and tracked to resolution. Additionally, AWS security alerts, advisories, and directives to organization-defined
performs unannounced penetration tests by engaging independent third parties to personnel, roles, organizational elements and/or external organizations,
probe the defenses and device configuration settings within the system. and 4) Implementing security directives in accordance with established
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and time frames or notifying the issuing organization of the degree of
proactively monitor vendors’ websites and other relevant outlets for new patches. noncompliance.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
ID.RA-2: Threat and vulnerability · CIS CSC 4 AWS Certifications, Customer Responsibility PM-15 AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and N/A
information is received from · COBIT 5 BAI08.01 proactively monitor vendors’ websites and other relevant outlets for new patches.
information sharing forums and sources · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
PM-16 N/A N/A
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-
16 SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
conducting security-related activities within the system boundary. Activities security alerts, advisories, and directives from organization-defined
include vulnerability scanning, contingency testing, and incident response external organizations on an ongoing basis, 2) Generating internal security
exercises. AWS performs external vulnerability assessments at least quarterly, and alerts, advisories, and directives as deemed necessary, 3) Disseminating
identified issues are investigated and tracked to resolution. Additionally, AWS security alerts, advisories, and directives to organization-defined
performs unannounced penetration tests by engaging independent third parties to personnel, roles, organizational elements and/or external organizations,
probe the defenses and device configuration settings within the system. and 4) Implementing security directives in accordance with established
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and time frames or notifying the issuing organization of the degree of
proactively monitor vendors’ websites and other relevant outlets for new patches. noncompliance.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
ID.RA-3: Threats, both internal and · CIS CSC 4 AWS Certifications, Customer Responsibility, AWS PM-12 N/A N/A
external, are identified and documented · COBIT 5 APO12.01, APO12.02, Trusted Advisor PM-16 N/A N/A
APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12,
PM-16
ID.RA-3: Threats, both internal and · CIS CSC 4 AWS Certifications, Customer Responsibility, AWS
external, are identified and documented · COBIT 5 APO12.01, APO12.02, Trusted Advisor
APO12.03, APO12.04 RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
· ISO/IEC 27001:2013 Clause 6.1.2 implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
PM-16 risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4)
Disseminating risk assessment results to organization-defined personnel
or roles, and 5) Updating the risk assessment at an organization-defined
frequency or whenever there are significant changes to the information
system or environment of operation (including the identification of new
threats and vulnerabilities) or other conditions that may impact the
security state of the system.
SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
conducting security-related activities within the system boundary. Activities security alerts, advisories, and directives from organization-defined
include vulnerability scanning, contingency testing, and incident response external organizations on an ongoing basis, 2) Generating internal security
exercises. AWS performs external vulnerability assessments at least quarterly, and alerts, advisories, and directives as deemed necessary, 3) Disseminating
identified issues are investigated and tracked to resolution. Additionally, AWS security alerts, advisories, and directives to organization-defined
performs unannounced penetration tests by engaging independent third parties to personnel, roles, organizational elements and/or external organizations,
probe the defenses and device configuration settings within the system. and 4) Implementing security directives in accordance with established
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and time frames or notifying the issuing organization of the degree of
proactively monitor vendors’ websites and other relevant outlets for new patches. noncompliance.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
ID.RA-4: Potential business impacts · CIS CSC 4 AWS Certifications, Customer Responsibility PM-11 N/A N/A
and likelihoods are identified · COBIT 5 DSS04.02 PM-9 N/A N/A
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 RA-2 AWS treats all customer content and associated assets as highly confidential. AWS AWS customers are responsible for: 1) Categorizing their information and
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2 Cloud services are content agnostic in that they offer the same high level of their information system in accordance with applicable federal laws,
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA- security to all customers, regardless of the type of content being stored. We are Executive Orders, directives, policies, regulations, standards, and
14, PM-9, PM-11 vigilant about our customers’ security and have implemented sophisticated guidance, 2) Documenting the security categorization results (including
technical and physical measures against unauthorized access. AWS has no insight supporting rationale) in the security plan for the information system, and
as to what type of content the customer chooses to store in AWS, and the customer 3) Ensuring the security categorization decision is reviewed and approved
retains complete control of how they choose to classify their content, where it is by the AO or authorizing official designated representative.
stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide
specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4)
Disseminating risk assessment results to organization-defined personnel
or roles, and 5) Updating the risk assessment at an organization-defined
frequency or whenever there are significant changes to the information
system or environment of operation (including the identification of new
threats and vulnerabilities) or other conditions that may impact the
security state of the system.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4)
Disseminating risk assessment results to organization-defined personnel
or roles, and 5) Updating the risk assessment at an organization-defined
frequency or whenever there are significant changes to the information
system or environment of operation (including the identification of new
threats and vulnerabilities) or other conditions that may impact the
security state of the system.
ID.RA-6: Risk responses are identified · CIS CSC 4 AWS Certifications, Customer Responsibility PM-4 N/A N/A
and prioritized · COBIT 5 APO12.05, APO13.02 PM-9 N/A N/A
Risk Management Strategy (ID.RM): ID.RM-1: Risk management processes ·· ISO/IEC
CIS CSC 27001:2013
4 Clause 6.1.3 AWS Certifications, Customer Responsibility PM-9 N/A N/A
The organization’s priorities, constraints, are established, managed, and agreed to · COBIT 5 APO12.04, APO12.05,
risk tolerances, and assumptions are by organizational stakeholders APO13.02, BAI02.03, BAI04.02
established and used to support · ISA 62443-2-1:2009 4.3.4.2
operational risk decisions. · ISO/IEC 27001:2013 Clause 6.1.3, Clause
8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9
ID.RM-2: Organizational risk tolerance · COBIT 5 APO12.06 AWS Certifications, Customer Responsibility PM-9 N/A N/A
is determined and clearly expressed · ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause
8.3
· NIST SP 800-53 Rev. 4 PM-9
ID.RM-3: The organization’s · COBIT 5 APO12.02 AWS Certifications, Customer Responsibility PM-11 N/A N/A
determination of risk tolerance is · ISO/IEC 27001:2013 Clause 6.1.3, Clause PM-8 N/A N/A
informed by its role in critical 8.3 PM-9 N/A N/A
infrastructure and sector specific risk · NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-
analysis 9, PM-11 SA-14 N/A N/A
Supply Chain Risk Management ID.SC-1: Cyber supply chain risk · CIS CSC 4 PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
(ID.SC): The organization’s priorities, management processes are identified, · COBIT 5 APO10.01, APO10.04, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
constraints, risk tolerances, and established, assessed, managed, and APO12.04, APO12.05, APO13.02, BAI01.03, Artifacts (AWS service found in the AWS Console for existing customers) or
assumptions are established and used to agreed to by organizational stakeholders BAI02.03, BAI04.02 provided under a signed Non-Disclosure Agreement (NDA).
support risk decisions associated with · ISA 62443-2-1:2009 4.3.4.2
managing supply chain risk. The · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2,
organization has established and A.15.1.3, A.15.2.1, A.15.2.2 SA-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
implemented the processes to identify, · NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
assess and manage supply chain risks. Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
ID.SC-2: Suppliers and third party · COBIT 5 APO10.01, APO10.02, PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
partners of information systems, APO10.04, APO10.05, APO12.01, APO12.02, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
components, and services are identified, APO12.03, APO12.04, APO12.05, APO12.06, Artifacts (AWS service found in the AWS Console for existing customers) or
prioritized, and assessed using a cyber APO13.02, BAI02.03 provided under a signed Non-Disclosure Agreement (NDA).
supply chain risk assessment process · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2,
4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10,
4.2.3.12, 4.2.3.13, 4.2.3.14 RA-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA- Artifacts (AWS service found in the AWS Console for existing customers) or
12, SA-14, SA-15, PM-9 provided under a signed Non-Disclosure Agreement (NDA).
RA-3 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-14 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-15 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
ID.SC-3: Contracts with suppliers and · COBIT 5 APO10.01, APO10.02, PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
third-party partners are used to APO10.03, APO10.04, APO10.05 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
implement appropriate measures · ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7 Artifacts (AWS service found in the AWS Console for existing customers) or
designed to meet the objectives of an · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, provided under a signed Non-Disclosure Agreement (NDA).
organization’s cybersecurity program A.15.1.3
and Cyber Supply Chain Risk · NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-
Management Plan. 12, PM-9 SA-11 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
ID.SC-4: Suppliers and third-party · COBIT 5 APO10.01, APO10.03, AU-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
partners are routinely assessed using APO10.04, APO10.05, MEA01.01, MEA01.02, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
audits, test results, or other forms of MEA01.03, MEA01.04, MEA01.05 Artifacts (AWS service found in the AWS Console for existing customers) or
evaluations to confirm they are meeting · ISA 62443-2-1:2009 4.3.2.6.7 provided under a signed Non-Disclosure Agreement (NDA).
their contractual obligations. · ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU- AU-16 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
12, AU-16, PS-7, SA-9, SA-12 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
AU-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
AU-6 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
PS-7 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
ID.SC-5: Response and recovery · CIS CSC 19, 20 CP-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
planning and testing are conducted with · COBIT 5 DSS04.04 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
suppliers and third-party providers · ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 Artifacts (AWS service found in the AWS Console for existing customers) or
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, provided under a signed Non-Disclosure Agreement (NDA).
SR.6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, CP-4 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
IR-4, IR-6, IR-8, IR-9 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
IR-3 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
IR-4 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
IR-6 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
IR-8 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
IR-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
Note:
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Access Control Identity Management, PR.AC-1: Identities and credentials are · CIS CSC 1, 5, 15, 16 AWS IAM Policies & Roles/Customer AC-1 AWS implements formal, documented policies and procedures that provide guidance
Authentication and Access Control (PR.AC): managed for authorized devices and users · COBIT 5 DSS05.04, DSS06.03 Responsibility AC-2 for operations
Access privileges andto information
AWS systems security within theonorganization
are reviewed a quarterly basis and the bysupporting
an
Access to assets and associated facilities is Identities and credentials are issued, managed, · ISA 62443-2-1:2009 4.3.3.5.1 AWS environments.
authorized individual. Policies
Explicit address purpose,
re-approval scope, roles,
is required or accessresponsibilities,
to the resourceandis
limited to authorized users, processes, or verified, revoked, and audited for authorized · ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR IA-1 AWS implements
management formal,
commitment. documented
All policies policies and procedures
are maintained that
in a centralized provide
locationguidance
that
automatically
for operationsby revoked.
and information security within the organization and the supporting
devices, and to authorized activities and devices, users and processes 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 IA-10 N/A
is accessible employees.
transactions. Access to physical and logical · ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, AWS environments. Policies address purpose, scope, roles, responsibilities and
IA-11 N/A
assets and associated facilities is limited to A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, management commitment. All policies are maintained in a centralized location that
IA-2 AWS controls access
is accessible by employees. to systems through authentication that requires a unique user
authorized users, processes, and devices, and is A.9.4.3 ID and password. AWS systems do not allow
managed consistent with the assessed risk of · NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-3 Several network fabrics exist at Amazon, eachactions
separated to be byperformed
boundary on the
protection
information
Policies system
are reviewed without
approved identification
by orbetween
AWS leadership authentication.
atfabrics.
least
unauthorized access to authorized activities and IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-4 devices
AWS
AWS
that
controls
has
control
accessthe
implemented to flow
systems of information
through
lock outauthentication thatannually
The flow
requires or following
of
a enforced.
unique user a
transactions. IA-10, IA-11 significant
information
ID andcontrols change
password. between AWS theasystems
to fabrics session
AWS environment.
is established
do not allow
policy that is systematically
by approved
actions toand authorizations,
be authentication
performed onwhich
the exist
The
IA-5 AWS
session lock
as access control is access
retained
lists to systems
until through
established
(ACL)identification
residing on these authentication
identification that requires a
devices. ACLs are defined,procedures unique user
approved
information
ID and password. system without or authentication.
IA-6 are
The
by
AWS
performed.
obfuscation
Allappropriate
employees,
has implemented ofAWS
Amazon’s systems
authentication
vendors, aand
session
dodata
contractors
Information notSecurity
lock outisallow
who
policy
actions
performed
require
team, touser
be performed
thatthroughout
amanaged
is AWS
account
and
systematically
onhelp
to
must
deployedthe
be on-
enforced. protect
usingThe
information
the information
boarded through
AWS ACL-manage systemfrom without
Amazon’sunauthorized identification
HR personnel.
management or authentication.
This
system. is often
As performed
part
tool.until established identification and authentication proceduresof the by the
onboarding client
session
AWS haslock is retained
implemented a session lockbased
out policy that isneedsystematically enforced.
User access
software
workflow,
are performed.or, privileges
thein direct
some manager are
cases, restricted
theofdevice
the on business
operating
employee, system
vendor, andservers
oncontractor
or the and
requests theThe
job responsibilities.
network
session
AWS
devices
Approved lock
employs isof
identified
establishment firewallretained
thea inconcept until
thesets
user
rule AWS of
account. established
and least
inventory.
Group
access oridentification
privilege, allowing
shared
control accounts
lists and
onlyare
between authentication
the necessary
not
network permitted procedures
fabricsaccess
withinfor
restrict
are
the performed.
users to accomplish
system
flow of boundary.
information their
The tojob function.
approved
specific New serves
request
information usersystem
accounts
as the are created
approval
services. to control
have alists
to establish
Access user
minimal
account. access. User access to AWS systems (for
and rule sets are reviewed and approved, and are automatically pushed to boundary example, network, applications,
IA-7 Third party
tools, etc.)
protection
AWS privileged
requires
is designed
devices toon aaccess
documented
protect
periodictheto confidentiality
AWS
approval
basis systems
(at least are
fromeverythe allocated
and authorized
integrity
24 hours) based
to on least
ofpersonnel
transmitted
ensure privilege,
(for
rule-sets
data
approved
example,
In
andthe
through event
access thebycontrol
user'san manager
that authorized
anlists
comparison active aindividual
and/or
or system
inactive prior
owner)
user to access
does and
not provisioning,
validation
comply with theand
of the supervised
active
above user
isstated in by
IA-8 AWS
an
the AWS
HR controls
employee.
system. access toare
Duties
of up-to-date.
systems
and
cryptographic
through
areas
hash
of responsibility
of data
authentication transmitted.
that
(for requires
example,
This
a unique
access
doneuserto
request
policy,
help
ID their
ensure account
the message willsystems
isbenotlocked.
corrupted or altered in totransit. Data that hasthe
been
IA-9 N/Aand
and
AWS
password.
approval,
altered implements
or corrupted changeAWS
inmanagement
dorequest
not allow and actions
approval, bechange
performed on
development,
information
testing and systemleast
deployment,
transit
withoutprivilege
etc.)
is immediately
throughout
identification
must or its
bedosegregated
rejected.
infrastructure
authentication.
across
AWS provides
different
components.manyAWS
individuals
methods
to
PR.AC-2: Physical access to assets is managed · COBIT 5 DSS01.04, DSS05.05 AWS Best Practices, AWS Reference PE-2 Physical
prohibits
for
AWS customers access
all ports
to to all
securely
and AWS
protocols data
handle centers
that
their housing
data:
not have IT
a infrastructure
specific business components
purpose. is
AWS
and protected · ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 Architectures, AWS Config, AWS ConfigRules, reducehas
restricted
implemented
opportunities
to authorized
aan
fordata session lock outor
unauthorized policy that is systematically
unintentional ofmodification
enforced.
orwho
misuse The
andof
follows
session a rigorous
lock
AWS systems. is retainedapproachuntil center
to employees,
minimal
established vendors,and
implementation
identification and contractors
only those features
authentication require
procedures
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, AWS Cloudwatch, CloudWatch Logs, access
functions
-AWS in order
enables
are performed. that are to essential
execute to
customers their
toopen jobs.
use of Access
a secure,
the device.to facilities
encrypted
Network isscanning
channel onlytopermitted
AWS at using
is performed
servers and
A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, CloudTrail, VPC Flowlogs, AWS Big Data and controlled
any unnecessary
HTTPS accessports
(TLS/SSL). pointsorthat requireinmulti-factor
protocols use are corrected.authentication designed to prevent
A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8 Analytics services, Customer Responsibility tailgating and to ensure that only authorized individuals enter an AWS data center.
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, On a quarterly
-Amazon basis, access
S3 provides a mechanismlists andthatauthorization
enables users credentials
to utilizeofMD5 personnel with to
checksums
PE-5, PE-6, PE-8 access
validatetothatAWS datadata
sent centers
to AWS areisreviewed by the respective
bitwise identical to what isdata center and
received, AreathatAccess
data
Managers
sent by Amazon (AAM). S3 is identical to what is received by the user. When customers
All entrances
choose to provide to AWS theirdataowncenters,
keys forincluding
encryption theandmain entrance,of
decryption theAmazon
loadingS3 dock,
and any(S3
objects roofSSE-C),
doors/hatches,
Amazonare S3secured
does notwith storeintrusion detection
the encryption devices
key providedthatbysound
the
alarms
customer.if the door isS3
Amazon forced
generatesopen andor held
storesopen.
a one-way salted HMAC of the customer
Trained
encryption security
key and guards are stationed
that salted HMACatvalue the building entrance 24/7. If a door or cage
is not logged.
within a data center has a malfunctioning card reader or PIN pad and cannot be
secured electronically,
-Upon initial communication a security withguard is posted at theWindows
an AWS-provided door until it can
AMI, AWSbe repaired.
enables
secure communication by configuring Terminal Services on the instance and
generating a unique self-signed X.509 server certificate and delivering the
certificate’s thumbprint to the user over a trusted channel.
-AWS further enables secure communication with Linux AMIs, by configuring SSH
on the instance, generating a unique host-key and delivering the key’s fingerprint to
PE-3 Physical access
the user over to all AWS
a trusted data centers housing IT infrastructure components is
channel.
restricted to authorized data center employees, vendors, and contractors who require
access in orderbetween
-Connections to execute their jobs.
customer Access toand
applications facilities
Amazon is RDS
only permitted at
MySQL instances
controlled access using
can be encrypted pointsTLS/SSL.
that require multi-factor
Amazon authentication
RDS generates designed
a TLS/SSL to prevent
certificate for
tailgating
each databaseand to ensure which
instance, that onlycanauthorized
be used toindividuals
establish anenter an AWS
encrypted data center.
connection
On a quarterly
using the default basis,
MySQLaccess lists Once
client. and authorization
an encryptedcredentials
connectionofispersonnel with
established, data
access to AWS data centers are reviewed by the respective data
transferred between the database instance and a customer’s application will be center Area Access
Managers (AAM).
encrypted during transfer. If customers require data to be encrypted while “at rest”
All entrances
in the database, to the
AWS data centers,
customer including
application mustthe main entrance,
manage the loading
the encryption dock,
and decryption
and any Additionally,
of data. roof doors/hatches,
customersare secured
can set with intrusion
up controls detection
to have theirdevices
databasethat sound
instances
alarms if theencrypted
only accept door is forced open orfor
connections held open. user accounts.
specific
Trained security guards are stationed at the building entrance 24/7. If a door or cage
within a data center has a malfunctioning card reader or PIN pad
-Content is encrypted with 256-bit keys when customers enable KMS to encrypt S3 and cannot be
secured
Objects,electronically,
EBS Volumes,a RDS security guard Instances,
Database is posted atRedshift
the doorData
untilBlocks,
it can be repaired.
CloudTrail
Log Files, SES Messages, Workspace Volumes, WorkMail Messages, and EMR S3
Storage.
Physical access points to server locations are recorded by closed circuit television
camera
AWS offers(CCTV). Imagestheare
customers retained
ability for an
to add 90 additional
days, unless limited
layer to 30 days
of security by legal
to data at rest
or contractual
in the obligations.
cloud, providing scalable and efficient encryption features. This includes:
• Data encryption capabilities available in AWS storage and database services, such
as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift
• Flexible key management options, including AWS Key Management Service,
allowing you to choose whether to have AWS manage the encryption keys or enable
you to keep complete control over your keys
• Dedicated, hardware-based cryptographic key storage using AWS CloudHSM,
PE-4 allowing
Access toyou to satisfy
power compliance
equipment, power requirements
cabling, and transmission lines are restricted to
In addition,personnel
authorized AWS provides
and are APIs for youto
positioned toprevent
integrateintentional
encryptionorand data protection
accidental damage.
with any of the services you develop or deploy in an AWS environment.
PE-5 Referfollowing
The to the following AWS
statements Audithow
outline Reports
each for additionalofdetails:
requirement PCI 3.2,
the control ISO
is met through
27001, implementation:
AWS’ ISO 27017, HIPAA, IRAP, NIST 800-53, SOC 2 COMMON CRITERIA,
SOC 1 & 2 CONTROLS
Crash carts—carts with a monitor that can be plugged into servers—are the only
output devices used within data centers. Crash carts reside only within data center
server rooms, which are protected by physical access devices (badge readers)
requiring a successful badge swipe and PIN to enter. These prevent unauthorized
individuals from obtaining or observing output displayed on crash carts.
While the crash carts enable data center technicians to troubleshoot using a display
device (monitor), data center technicians are not permitted to log into AWS servers
until customer data have been removed. Server and networking rooms are positioned
in the interior of each data center, and there are no exterior windows at data centers.
PE-6 Physical access to all AWS data centers housing IT infrastructure components is
restricted to authorized data center employees, vendors, and contractors who require
access in order to execute their jobs. Access to facilities is only permitted at
controlled access points that require multi-factor authentication designed to prevent
tailgating and to ensure that only authorized individuals enter an AWS data center.
On a quarterly basis, access lists and authorization credentials of personnel with
access to AWS data centers are reviewed by the respective data center Area Access
Managers (AAM).
All entrances to AWS data centers, including the main entrance, the loading dock,
and any roof doors/hatches, are secured with intrusion detection devices that sound
alarms if the door is forced open or held open.
Trained security guards are stationed at the building entrance 24/7. If a door or cage
within a data center has a malfunctioning card reader or PIN pad and cannot be
secured electronically, a security guard is posted at the door until it can be repaired.
PE-8 Due to the fact that our data centers host multiple customers, AWS does not allow
data center tours by customers, as this exposes a wide range of customers to physical
access of a third party.
AWS provides data center physical access to approved employees and contractors
who have a legitimate business need for such privileges. All visitors are required to
present identification and are signed in and escorted by authorized staff.
PR.AC-3: Remote access is managed · CIS CSC 12 AWS Certifications, AWS Best Practices, AWS AC-1 AWS implements formal, documented policies and procedures that provide guidance
· COBIT 5 APO13.01, DSS01.04, DSS05.03 Reference Architectures, AWS IAM (MFA), AC-17 for operations
Remote accessand information
to AWS production security within theisorganization
environments limited to defined and thesecurity
supporting
· ISA 62443-2-1:2009 4.3.3.6.6 AWS Config, AWS ConfigRules, AWS AWS
groups. environments.
The addition Policies
of policies
members address into purpose,
a group must scope,beroles, responsibilities,
reviewed and approved andby
· ISA 62443-3-3:2013 SR 1.13, SR 2.6 Cloudwatch, CloudWatch Logs, CloudTrail, AC-19 AWS
management maintains formal
commitment. All and
policies procedures that provide guidance for operations
authorized
and informationindividuals
security who confirm
within the are
the organization
maintained
user’s needandfor
in a centralized
theaccess to the AWS
supporting
location
environment. that
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, VPC Flowlogs, Customer Responsibility AC-20 AWS
is
Remote creates
accessible
access and
by maintains
employees.
requires written
multi-factor agreements
authentication with third
over anparties
approved (e.g., contractors
cryptographic
A.11.2.6, A.13.1.1, A.13.2.1 environments.
or vendors) in The security
accordance policy
with the iswork
published
or by leadership
service to be to provide
provided (e.g., guidance on
network
SC-15 AWS
channel
ISMS does
for not allow collaborative
authentication.
implementation. The mobile computing
device policy devices
providesto have network
guidance on:connections
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC- services agreement, service delivery agreement, or information exchange agreement)
•to
AWS
and
the of
Use AWS
employs
mobile
implements
information
automated
devices.
appropriate
system.
mechanisms to facilitate the monitoring and control of
relationship management mechanisms inwhich
line with
19, AC-20, SC-15
•remote access
Protection of methods.
devices Auditing
that access occurs
contenton forthewhich
systems Amazonand devices,
isthe
responsible. are their
then
relationship
aggregated to the
and business.
stored Agreements
in a proprietary toolcover, at a minimum,
for review and incident following:
investigation. The
••AWS Remote
Legal and wipe capability.
regulatory
operational requirements
environment, applicable to AWS
••considered Password-guessing
User awareness of protection to
information
include
restrictions.
security
network
responsibilities
and security configuration, is
and issues
confidential information and is required to be protected by employees per
••Amazon Remote synchronization
Arrangements for reporting, requirements.
notification, and investigation of information security
• Securitydata
incidents patch
and
classification
requirements.
security
policies. All remote administrative access attempts are
PR.AC-4: Access permissions are managed, · CIS CSC 3, 5, 12, 14, 15, 16, 18 AWS Certifications, AWS Best Practices, AWS
AC-1 AWS
loggedimplements and limited to abreaches
formal, documented
specific numberpolicies of attempts. and procedures
Auditing logs thatareprovide
reviewedguidance
by
incorporating the principles of least privilege and · COBIT 5 DSS05.04 Reference Architectures, AWS IAM (including •for Target and
operations unacceptable
and information levels of service
security (e.g.,theSLA, Operational Level Agreement
AC-14 the
AWS
[OLA])
AWS Security
controls accessteam to for
systems throughwithin
unauthorized attempts
authentication organization
or suspicious and
that requires the
activity. supporting
In
a unique theuser
event
separation of duties · ISA 62443-2-1:2009 4.3.3.7.3 MFA & federation), AWS CloudFormation, AWS
thatand
ID environments.
suspicious
password. activity
AWS Policies
issystems address
detected, do thepurpose,
not incident scope,
allow actions response roles,
to be responsibilities,
procedures
performed are and
oninitiated.
the
· ISA 62443-3-3:2013 SR 2.1 AWS Config, AWS ConfigRules, Customer AC-16 •N/A Service
management continuity
commitment.requirementsAll (e.g.,
policies Recovery
are Time inObjective [RTO]), in that
information
accordance system
with AWS without
business identification
priorities ormaintained
authentication. a centralized
Remote access locationrequires
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, Responsibility AC-2 Access
is privileges
accessible by to AWS
employees. systems are reviewed on a quarterly basis by an
multi-factor
• Protectionindividual. authentication
of Intellectual and the number
Property Rights is of unsuccessful
(IPR) and copyright log-on attempts of is
A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 AC-24 authorized
N/A Explicit re-approval required or access assignment
to the resourceAWS is
limited.
• Conditions All remote
for administrative access attempts
renegotiation/termination are logged, and the logs are
of the agreement.
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- automatically revoked.
AC-3 reviewed
User access by privileges
the Security areteam for unauthorized
restricted based on business attempts needor suspicious activity. If
and job responsibilities.
3, AC-5, AC-6, AC-14, AC-16, AC-24 suspicious activity isAWS
detected, the incident response
AC-5 AWS
Privileged employsaccess thetoconcept of least
systems privilege,
is assigned based procedures
allowing ononlyleastthe are initiated.
necessary
privilege, access for
approved by
users
an to accomplish
authorized individualtheirpriorjob function.
to access New user accounts
provisioning, and are created
assigned to have user
a different
AC-6 Privileged
AWS
minimal has access
implemented
access. to AWS
User systems
abusiness
access session
to AWS is assigned
lock out policy based
that on
is ofleast privilege,
systematically approved
enforced. by
The
ID
an than used
authorized for normal
individual prior to use.systems
access Duties (e.g.,
and network,
areas applications,
responsibility tools)
(e.g., access
PR.AC-5: Network integrity is protected (e.g., · CIS CSC 9, 14, 15, 18 AWS Certifications, AWS Best Practices, AWS AC-10 AWS
information
requires
request controls
documented
and accessimplements
systems
approval, to systems
approval
change from
management the provisioning,
through
a session authentication
lock
authorized
request afterandaand
period
personnel assigned
that requires
approval,
a different
a unique
of inactivity,
(e.g., user's
change
user
user as
as well
manager
network segregation, network segmentation) · COBIT 5 DSS01.05, DSS05.02 Reference Architectures, AWS IAM (MFA), ID
ID
in the
and/or than
andcase used
password.
system for
of multiplenormal
AWS
owner) business
systems
log-in
and use.
do not
attempts,
validation Duties
allow
and
ofare and areas
actions
limits
thesegregated
active the to of responsibility
inbethe
usernumber performed
of concurrent
Amazon (e.g., access
on thesessions
Human
development,
request and testing
approval, and
change deployment)
management request and across
approval,different
change individuals to
· ISA 62443-2-1:2009 4.3.3.4 AWS CloudFormation, Config, AWS information
that may
Resources
reduce exist.system
system.
opportunities without
The session
for identification
lock is retained or authentication.
until established Remote
identificationaccess requires
and of
· ISA 62443-3-3:2013 SR 3.1, SR 3.8 ConfigRules, AWS CloudTrail, VPC Flowlogs, development,
multi-factor
authentication testing
authentication
procedures andan unauthorized
deployment)
andperformed.
are the number areorsegregated
unintentional
of unsuccessful across modification
different
log-on attempts
or misuse
individuals
is to
AWS
reduce systems.
opportunities for an unauthorized
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, AWS VPC, Security Groups, ACL's, Customer limited. All remote administrative access or unintentional
attempts are logged, modification
and the logs or misuse
are of
A.13.2.1, A.14.1.2, A.14.1.3 Responsibility AC-4 AWS systems.
Several
reviewed network fabrics exist
by the Security teamatfor Amazon,
unauthorizedeach separated
attempts by boundary protection
or suspicious activity. If
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC- SC-7 devices
suspicious
Several thatactivity
network control isthe
fabrics flow
existof
detected, information
atthe incidenteach
Amazon, between
response
separated fabrics.
procedures Theare
by boundary flow of
initiated.
protection
7· information
devices that between
controlformal, fabrics
the flow is
ofestablished
information bybetween
approved authorizations,
fabrics. The flow which exist
of
PR.AC-6: Identities are proofed and bound to CIS CSC, 16 AC-1 AWS
as ACL implements documented policies and procedures that provide guidance
credentials and asserted in interactions · COBIT 5 DSS05.04, DSS05.05, DSS05.07, AWS
information
for operations hasresiding
implemented
between on these
fabrics
and information
devices.
a session ACLs
lock
is established
security out are
bydefined,
policy
within thethat
approved approved
is by appropriate
systematically
authorizations,
organization theenforced.
andusing which
supporting The
exist
AC-16 N/A
Amazon’s
information
as ACL Information
residingsystems on these Security
implements
devices. team,
a ACLs and
session managed
arelock afterand
defined, deployed
aapproved
period ofby inactivity, AWS’s
appropriate asand
well as
DSS06.03 AWS
ACL-management environments. Policies
tool. address purpose, scope, roles, responsibilities,
AC-19 AWS
in
Amazon’s the maintains
case Information
of formal
multiple policies
log-in
Security and
attempts,
team, procedures
and
and managed
limits that
the provide
and
number guidance
deployed
of concurrent
using forAWS’s
operations
sessions
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, management
Approved commitment.
firewall rule sets All
andpolicies
access are maintained
control lists in a centralized location that
AC-2 and
that
Access information
ACL-management
may exist.
privileges security
The totool.
session
AWS within
lock
systems the
is organization
retained
are until
reviewed andbetween
the
established
on a quarterly network
supporting
identification
basis fabrics
AWS
by an andrestrict
4.3.3.7.2, 4.3.3.7.4 is
the accessible
flow offirewall by employees.
information to are
specific information system services. ACLs and rule sets
environments.
authentication
Approved
authorized The rule
individual. security
procedures sets
Explicit policy
and is
performed.
access
re-approval published
control by
lists
is required leadership
between
or to provide
network
access to guidance
thefabrics
resource on
restrict
is
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-24 N/Areviewed
are and approved and are information
automatically pushed toguidance
boundary protection
ISMS
the flow
automatically implementation.
of information
revoked. The mobile
to specific device policy provides
system services. ACLs on: and rule sets
1.4, SR 1.5, SR 1.9, SR 2.1 devices
AC-3 User
•are Use ofon
access
reviewed aprivileges
mobile periodic
anddevices. basis
approved (at
andleast
are restricted every
based24
are automatically onhours)
business to ensure
pushed need andrulejob
to boundary sets and access
responsibilities.
protection
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1 control lists
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-
AWS
•devices
Protectionon aare
employs of up concept
the
devices
periodic to date.
that of
basis least
access
(at privilege,
leastcontent
every 24 allowing
forhours)
whichto only
Amazon
ensure therule
isnecessary
sets andaccess
responsible. accessfor
AWS
users
•control
Remoteto
implements
accomplish
wipe
lists upleast
totheir
arecapability. privilege
date. job function.throughout New user its infrastructure
accounts are components.
created to have AWS
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- prohibits
minimal access.
all portsUser and access
protocols to AWSthat do
systems
not have
5, IA-8, PE-2, PS-3
•AWS Password-guessing
implements protection
least privilege restrictions.
throughout its(e.g.,
a specific
network,
infrastructure business
applications,
components.purpose. tools)
AWSAWS
follows
requires
Remoteadocumented
•prohibits rigorous
synchronization
all ports and approach
approval to from
minimal
that the
requirements.
protocols authorized
do notimplementation personnel
have a specific of only(e.g.,
business thoseuser's
features
purpose.manager and
AWS
functions
and/or
•follows
Securitysystem
that
patch
a rigorous are
owner)
essential
and validation
requirements.
approach totouse of the
minimal of the
device.
active Network
implementation user inof scanning
the Amazon
only is performed,
those Human and
features and
any unnecessary
Resources
functions system.
that areports or protocols
essential to use ofinthe usedevice.
are corrected.
Network scanning is performed, and
any unnecessary ports or protocols in use are corrected.
PR.AC-6: Identities are proofed and bound to · CIS CSC, 16
credentials and asserted in interactions · COBIT 5 DSS05.04, DSS05.05, DSS05.07,
DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2,
4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR
1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- IA-1 AWS implements formal, documented policies and procedures that provide guidance
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- IA-2 for operations
AWS controls and access information
to systemssecurity throughwithin the organization
authentication and the
that requires supporting
a unique user
AWS
ID environments.
andcontrols
password. AWS Policies address purpose, scope, to roles, responsibilities theanduser
5, IA-8, PE-2, PS-3 IA-4 AWS
management access
commitment. to systems
systems
All
do
through
policies
not allow
are
actions
authentication be performed
inthat requires aon unique
information
ID andcontrols
password.system AWS without identification ormaintained
authentication. a centralized location that
IA-5 AWS
is
AWSaccessible byaccess
has implemented employees. toasystems
systems
session
do
throughnot allow
lock outauthentication
policy
actions to that be performed
requires aon
that is systematically
the user
unique
enforced. The
information
ID andcontrols
password.system AWS without systems identification
do not allow or authentication.
actions toand be authentication
performed
IA-8 AWS
session
AWS has lock is access
retained
implemented tountil
asystems
session through
established authentication
lock outidentification
policy thatatisleastthat requires aon
systematically
the
unique user
procedures
enforced. The
information
Policies
ID
are and are
password.
performed. systemAWS
reviewed without
approved
systems identification
bydoAWS not allow or authentication.
leadership
actions toand annually
be authentication
performed oron following
the a
PE-2 Physical
session
AWS access
lock is
has implemented to all
retained AWS until
a AWS data
session centers
established housing
identification
lock out policy IT infrastructure components
that is systematically enforced. The is
procedures
significant
information
restricted to change
system
authorized towithout
thedata environment.
identification
center employees, or authentication.
vendors, and contractors who require
PS-3 are performed.
Background
session lock checks
is retainedareare performed
until established as part of AWS’s hiring verification processes.
AWS
User
access has
access
in implemented
orderprivileges
to execute a session
restricted
their jobs.lockbasedoutidentification
Access policy
ontobusinessthat isand
facilities need
is
authentication
systematically
and
only
procedures
enforced.
jobinresponsibilities.
permitted at The
PR.AC-7: Users, devices, and other assets are · CIS CSC 1, 12, 15, 16 AC-11 Background
are
All performed.
AWS employees,
session controls
lock checksvendors,
is access
retained include
tountil
systemseducation,
and established
contractors
through previous
who employment,
require a and
authentication
identification user and,
account
thatauthentication
requires some
must
a unique cases,
be on- user
procedures
AWS
criminal employs
controlled andaccess the
other concept
points
background thatofrequire
least
checks privilege,
multi-factor
as allowing
permitted only
authentication
by law the
and necessary
designed
regulation access
to
forpreventfor
authenticated (e.g., single-factor, multi-factor) · COBIT 5 DSS05.04, DSS05.10, DSS06.10 AC-12 boarded
ID
are
usersand
Limiting
tailgating through
topassword.
performed.
accomplish
the
and length Amazon’s
AWS
to ensure their
of systems
thatjob
sessions HR management
do
function.
only is not not allowuser
New
feasible
authorized system.
actions
from accounts
individuals As
to be
a business part
are
enter of
performedthe
created onboarding
perspective.
an AWS on
to the
have
data Ancenter.
employees
Third
workflow,party commensurate
privileged access with to the
AWS employee’s
systems position
are allocated and level
based of
onaccess
least to AWS
privilege,
commensurate with the risk of the transaction · ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2,
AC-14
information
minimal
example
On
AWS ofthe
a quarterly
controls this direct
system
access. User
would
basis,
access
manager
without
access
besystems
access
to when ofAWS
lists the
identification
to AWS
and
through
employee,
systems
teams
authorization vendor,
or maintain
authentication.
(for example, or
EC2.
credentials contractor
Remote
network,
The ofEC2 requests
access
aapplications,
bastions
personnel withthe
requires
users
(e.g., individuals’ security and privacy risks and 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, facilities.
approved
establishment
multi-factor
tools,
utilize
access etc.)
ato
by
AWS
anof
requires
“run-parallel”
authorized
a user
authentication
data account.
documented
approach
centers
individual
and
are areasGroup
theto number
approval
reviewedexecute orauthentication
prior to
shared
of
from
by some
access
the the accounts
unsuccessful thatare
provisioning,
authorized
commands
respective
requires
not
log-on
personnel
across
data center
and unique
supervised
permitted
attempts
theon (for
fleet
Area is userby
within
for any
Access
other organizational risks) 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 AC-7 ID
an and
theAWS
AWS system
limited. password.
employee.
controls
All AWS
access
boundary.
remote Duties
to
The systems
and
systems
approved
administrative do
throughnot allow
of owner)
request
access actions
responsibility
authentication
serves
attempts as to
the beapproval
(for
that performed
example,
requires toaccess theare
aestablish
unique request
user
a in
user
example,
number
Managers
information ofuser's
reasons,
(AAM).
system managerto and/or
include
without system
information
identification andare
collection,
or authentication.
logged,
validation andthe
of
investigations,
Remote
the logs
active
and
access user
requires
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-8 and
ID approval,
and
account.
reviewed
AWS password.
employsby the changeAWS
Security management
systems
team do request
not
forexecuting allow
unauthorized and approval,
actions
attempts to bechange
performed
or jobs development,
suspicious on the
activity. ofIf
the
All HR
multi-factor
testing
system.
troubleshooting.
entrances
and toautomated
This can
AWS
authentication
deployment, data mechanisms
require
etc.)centers,
and mustthe number
be
to facilitate
including
segregated
a the
of the monitoring
long-running
main
unsuccessful
across entrance,
log-on
different
that
theand thecontrol
loading
attempts
individuals dock,
isto
1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10 information
suspicious system
activity without
istodetected, identification or authentication. Remote access requires
AC-9 remote
N/A
limited.
reduce
access
administrator
and anyopportunities
roof
All methods.
needs
doors/hatches,
remote Auditing
monitor
administrative
for an arethe(in incident
occurs
a separate,
secured
unauthorized access on
with response
the systems
concurrent
intrusion
attempts
or are
unintentional
procedures
and
detection
logged, and
are
devices,
session) devices
modification
initiated.
inthe which
their
logs
orthat are
terminal
are then
sound
misuse of
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, multi-factor
In the event
aggregated
window authentication
that
and an
stored active
in adoesorand the
inactive
proprietary number
user
tool of
does unsuccessful
not
for review comply log-on
with
andorincident the attempts
above is
stated
investigation. andIfThe
IA-1 AWS iffor
alarmsimplements
reviewed the
by
systems.
status.
door
the isAWS
Securityforced
formal, teamopen however
documentedfor orunauthorized
held ensure
open.
policies all sessions
attempts
and procedures are authenticated
suspicious
that activity.
provide guidance
A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4 limited.
policy, All
their
hassecurity remote
account
implemented administrative
will aarebe locked.
session tolockaccess attempts are logged, and the logs are
AWS
have
Trained operational
strong
suspicious
for activity environment,
multi-factor
guards authentication
is implements
detected, stationed
the atout
include
incident thepolicy
network
measuresbuilding
response
that
inand is security
place. systematically
entrance
procedures Refer24/7. to IA-2
are If aenforced.
configuration, (1) for
door
initiated.
The
oriscage
more
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC- IA-10 N/Aoperations
reviewed
information
considered
details
within
by
aondata
theand
systems
confidential
the MFA
center
information
Security
employed.
has
team for
information security
a malfunctioning andwithin
a unauthorized
session lock
iscard the
required after
reader
organization
attempts
toaor or
period
be ofand
suspicious
protected
PIN pad
the
inactivity,
and by supporting
activity. If per
asbewell
employees
cannot as
9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA- AWS
in the
Amazon environments.
suspicious
case dataactivity
of multiple is Policies
classificationdetected,
log-in address
the
attempts,
policies. purpose,
incident and limitsscope,
response the roles,
procedures
number responsibilities
of are initiated.
concurrent and
sessions
IA-11 N/A haselectronically,
secured
AWS implemented aasecurity
session guardout is posted at the door until it canenforced.be repaired.
4, IA-5, IA-8, IA-9, IA-10, IA-11 management
that may exist. commitment.
The session All islock
lockpolicies retainedare policy
maintainedthat
until established isinsystematically
a centralized
identification location
and that The
IA-2 AWS
is
AWS controls
information
accessible
has access
systems
byprocedures
implementedemployees. toasystems
implementssession through
alock outauthentication
session lock after
policy that requires
that aisperiod of inactivity,
systematically a enforced.
unique user
as well Theas
authentication are performed.
IA-3 ID andcase
in the
Several
information password.
ofsystems
network AWS
multiple
fabrics systems
log-in
exist attempts,
implements do
at Amazon, not and
a session allow
each
lock actions
limits toperiod
the anumber
separated
after bebyperformed
of
of concurrent
boundary
inactivity,on the sessions
protection
as well as
information
thatthemay
Policies exist.
are system
ofreviewed without
The session approved identification
lock is retained
by AWS orlimits
authentication.
until
leadership established
theatfabrics.
least identification and
IA-4 devices
in
AWS
AWS
casethat
controls
hasexist.
control
accessthe
multiple
implemented to flow
log-in
systems of information
attempts,
through and between
outauthentication thatannually
number The flow
of concurrent
requires or offollowing
a enforced.
unique sessions
user a
authentication
significant
information
that
ID may
and change
password.
procedures
between
TheAWS theasystems
tosession
fabrics session
are
AWS lock is
do
lock
isperformed.
environment.
established
retained
not
policy
allow by
until that is systematically
approved
established
actions to authorizations,
be identification
performed onwhichandexist
the
The
IA-5 AWS
session
as accesscontrols
lock
control access
is procedures
retained
lists to systems
until
(ACL) through
established
residing authentication
on identification
these devices.and thatauthentication
ACLs requires
are defined, a unique user
procedures
approved
authentication
information system without areidentification
performed. or authentication.
IA-8 ID
All
by and password.
are appropriate
AWS performed.
controls
employees, AWS
access
vendors,
Amazon’s toasystems
systems
and do
through
contractors
Information notSecurity
allow actions
authentication
who require
team, touser
be performed
that
amanaged requires
account aon
must
and deployed the
unique
be on- user
using
AWS has
information implemented
system without session lock out
identification policy that is
or authentication. systematically enforced. The
IA-9 ID
AWS
N/A andACL-manage
boarded
session password.
through
lock AWS
Amazon’s
is retained systems
tool.until HR do not allow
management
established actions As
system. to be performed
part of the onboardingon the
AWS
User has
access
information
workflow, implemented
theprivileges
system
directwithout a session
are
manager restricted lockbased
identification
of the outidentification
employee, policy that isand
onauthentication.
or business
vendor, need authentication
systematically procedures
enforced.
and job responsibilities.
or contractor requests theThe
Awareness and Training (PR.AT):The PR.AT-1: All users are informed and trained · CIS CSC 17, 18 AWS Certifications, AWS Training, AWS Best AT-2 are
AWS performed.
sessionhas lockimplemented
isofretained formal,
until documented
established security awareness and training policy
AWS employs
has
establishment
Approved firewall thea user
implemented concept
rule account.
sets of
a session
and least lock
Group
access outoridentification
privilege, policyallowing
shared
control that
lists isand
accounts
betweenonly authentication
the necessary
systematically
are not
network procedures
access
enforced.
permitted
fabrics withinfor
The
restrict
organization’s personnel and partners are · COBIT 5 APO07.03, BAI05.07 Practices, AWS Reference Architectures, and
are
users procedures
performed.
to lock
accomplish that address
their purpose, scope, roles, responsibilities, management
provided cybersecurity awareness education and · ISA 62443-2-1:2009 4.3.2.4.2 Customer Responsibility
session
the system
flow
commitment,
is retained
of boundary.
information
coordination
The tojob
until function.
established
approved
specific
among
New
request
information
organizational
usersystem
identification
serves accounts
as the
entities,
and are created
authentication
approval
services.
and
to control
have
procedures
to establish
Access
compliance.
a user
The lists
minimal
are performed.
account.
and access.
rule awareness
sets are User
reviewed access andtoapproved,
AWS systems (forautomatically
example, network, applications,
are trained to perform their cybersecurity-related · ISO/IEC 27001:2013 A.7.2.2, A.12.2.1 security
Third partydevices
privileged and training to policy andand are
procedures are reviewed pushed
onand
toupdated
boundary at
duties and responsibilities consistent with related · NIST SP 800-53 Rev. 4 AT-2, PM-13
tools, etc.)
protection
least annually,
requires
or on
sooner aaccess
documented
periodic
if required
AWS
approval
basis due
systems
(at to
from
least are
the allocated
every
information
authorized
24 system
hours) based
personnel
to ensure
changes.
least privilege,
(for
rule-sets
The policy
approved
example,
In
andthe event
access bycontrol
user'san manager
that authorized
anlists
active are orindividual
and/or system
inactive prior
userowner) to access
does and provisioning,
validation
not comply with theand
of the supervised
active
above user in by
stated
policies, procedures, and agreements. is
thedisseminated
an AWS employee. through theup-to-date.
internal
areasAmazon communication portal to all employees,
HR their
policy, system. accountDuties will beand locked. of responsibility (for example, access request
vendors,
and approval, and contractors
change prior to receiving authorized access to the information
AWS implements leastmanagement
privilege throughout request and its approval,
infrastructure change development,
components. AWS
system
testing or performing
and assigned duties.
prohibits alldeployment,
ports and protocols etc.) must thatbedosegregated
not have aacross specific different
business individuals
purpose. to AWS
AWS
reduce has developed, for
opportunities documented,
an unauthorized and disseminated
or unintentional security awarenessorand role- of
followssecurity
based a rigorous approach
training to minimal
for personnel implementation
responsible for designing,ofmodification
onlydeveloping,
those features misuse and
AWS
functionssystems.
that are essentialmaintaining,
to use of theand device. Network scanning is performed
implementing, operating, monitoring AWS systems. Training and
any unnecessary
includes, but is not portslimitedor protocols
to, the following in use areinformation
corrected. (when relevant to the
employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other
complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in
organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
PR.DS-3: Assets are formally managed · CIS CSC 1 AWS Certifications, AWS Best Practices, AWS CM-8 In order to ensure asset management and inventory maintenance procedures are
throughout removal, transfers, and disposition · COBIT 5 BAI09.03 Reference Architectures, AWS Trusted Advsior, properly executed, AWS assets are assigned an owner and are tracked and monitored
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1 AWS CloudFormation, AWS Config, AWS with AWS proprietary inventory management tools. AWS asset owner maintenance
· ISA 62443-3-3:2013 SR 4.2 ConfigRulesAWS CloudTrail, Customer procedures are carried out by using a proprietary tool with specified checks that
MP-6 Data destruction: Content on drives is treated at the highest level of classification per
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, Responsibility must be completed according to the documented maintenance schedule.
PE-16 AWS policy. Content
Environments used for is destroyed
deliveryon ofstorage devices as part of the by authorized
A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7 AWS has developed andthedocumented antheinventory
AWS services
of systems are managedand devices within the
decommissioning
personnel and Boundary.
are process in
located in anaccordance
AWS with AWS
managed data security
centers. Media standards. handling controls
PR.DS-4: Adequate capacity to ensure · NISTCSC
CIS SP 800-53
1, 2, 13Rev. 4 CM-8, MP-6, PE- AWS Reference Architectures & Best Practices, AU-4 Authorization
AWS deploys monitoring devices throughout the environment to collect critical
AWS
for thehosts
data are
centers securelyare wiped orby overwritten prior to provisioning for Media
reuse. AWS
availability is maintained ·16 COBIT 5 APO13.01, BAI04.04 AWS Trusted Advisor, AWS S3, Customer CP-2 AWS
information
The AWShas developed
on unauthorized
Business andmanaged
Continuity documents
intrusion AWS
policyanlays
in alignment
inventory
attempts,
out the of
usage with
guidelines AWSthe
theabuse, and
used
AWS
Authorization
network
to implement and
media
Protection is securely
Policy. wiped
This or degaussed
policy includes and physically destroyed prior to leaving
· ISA 62443-3-3:2013 SR 7.1, SR 7.2 Responsibility Boundaries
application
procedures forrespond
to Govcloud
bandwidth usage.
to a and East
Monitoring
serious Westprocedures
outage separately.
devices
or
around
are
degradation Forplaced of
access,
continuous marking,
withinservices,
AWS monitoring
the AWS storage,
including
SC-5 AWS
AWS secure
operates, zones.
andmanages,
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1 transporting,
activities,
environment
the recovery AWS to
model
sanitation.
provides
detect and and itsaandsystem
monitor controls
implications for:the
inventory on
infrastructure
the tobusiness
our FedRAMP components,
continuity accrediated
plan.
from 3PAO the hostfor
To
operatingvalidate AWS’s
system secure
and virtualization wipe processes
layer and
down procedures,
to the third-party auditors
PR.DS-5: Protections against data leaks are · CIS
NISTCSC 13
SP 800-53 Rev. 4 AU-4, CP-2, SC-5 Customer Responsibility for protection may be AC-4 •validation
Several on a monthly
network
Port scanning fabrics
attacks basis.atOnce
exist Amazon, validated, each this listphysical
separated is byprovided security
boundary to our of the
protection
review the guidance within the AWS media protection policy, observe degaussing
implemented · COBIT 5 APO01.06, DSS05.04, DSS05.07, facilitated/enabled by employing AWS services •facilities
Live
Authorizing
devices
Usage
equipment
media in which
that
(CPU, transported
andcontrol the
Official(s).
Processes,
secure theservices
outside
flow
shred disk ofoperate.
bins
of Data AWS
information
utilization, center
located within
endpoints
secure
between
swap zones
rates,fabrics.
AWS andareerrors
facilities,
tested
isTheescortedassoftware
inflow
and
part
byof
of
review
AWS
authorized
historical
DSS06.02 to automatically detect, alert, contain and AC-5 compliance
personnel.
Privileged
AWS to
information
generated providesloss)vulnerability
access an to
between AWS
inventory
fabrics scans.
systems
to
is is assigned
our FedRAMP
established by based on authorizations,
accredited
approved least
3PAO privilege,
for approved
validation
which andby
exist as
Refer
tickets
AWS the
that following
tracked the AWS
destruction Audit Reports
and removal for additional
of storage details:
media PCI
from 3.2,
the ISO
· ISA 62443-3-3:2013 SR 5.2 respond to events and/or incidents and report as AC-6 an
•part
as ACLofCloud
authorized
AWS’
Application
Privileged
27001, residing
ISO
services
access individual
27017,security
on
performance are
these
toNISTAWS
managed
prior
assessment
devices.
metrics
systems
800-53,
to accessin a on
and
ACLs manner
provisioning,
a monthly
2 are
is assigned
SOC COMMON
that preserves
based basis,
defined, and
approved
on least
CRITERIA
their
assigned
supports confidentiality,
acontinuous
different
by appropriate
privilege, approved userby
environment.
integrity, and availability. AWS has
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, required and perform leak mitigation - examples •AWS
ID than
monitoring
Amazon’s
an
has used
Unauthorized
authorized
developed
for
Information normal
requirements.
connection
individual
andSecurity
has
business documented
Additionally,
prior attempts
to use.implemented
team,
access Duties
AWS'
and an inventory
and secure
areas
inventory
managed
provisioning, andand
of issoftware
systems
ofdeployed
responsibility
validated
assigned
development
and
a by
using devices
(e.g.,
our
AWS’s
different 3PAOaccess
user
PE-19 Data
N/A
within deletion
procedures the that
system forareblockfollowed
boundary. device to
The based
ensure storage
inventory thatthe (e.g.,
appropriate
is stored Amazon security
in approval,
Amazon’s EBS,controls
Amazon
Infra areRelational
proprietary
A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, are services such as AWS GuardDuty, AWS request
andthan
AWS
ID and
provided
ACL-management
provides
used approval,
tonear
for our tool.
normal change
Authorizing
real-time business management
alertsOfficial(s)
use.when Duties request
onand
AWS and
a monthly
monitoring
areas basis.
oforder change
tools
responsibility show (e.g., access
PS-3 Database
incorporated
Background Service
database. firewall into
checks [Amazon
the areapplication
performedRDS], ephemeral
design.
as part Asof drives):
part
AWS’s In
of between
the application
hiring to ensure
verification design thatprocess,
processes.
A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, Macie, AWS Security Groups, VPC, Config, development,
Approved testing and deployment) are segregated across different individuals to
indications
request
customer
new
Background
and of
approval,
content
applications checks isrule
compromise
must
sets
change
properly
participate
include
and
or erased,access
potential
management
education, in AWS
an
control
compromise,
AWS
request
wipes
previous
lists and based
underlying
Security
employment,
approval,
review,
network
upon
storage threshold
which
and,
change fabrics
inmedia
includes
some
restrict
alarming
upon
cases, re-
A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, ConfigRules, Cloud Watch, CloudTrail, PS-6 reduce
the
The flow
AWS opportunities
ofHuman
information for
Resources
andto an unauthorized
specific
team is areor
information
responsible unintentional
system
for screening modification
services. AWSACLs new or misuse
and hires
rule of
mechanisms
development,
provisioning
registering the
determined
testing
rather than
application,
by
upon AWS
deployment) service
de-provisioning.
initiating
and
application
Security
segregated
Processes
risk
teams.
across that
classification,
different
wipe individuals
content uponin sets
to
A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, CloudFormation, Lambda, SNS, SQS, Big Data SC-13 criminal
AWS
are
accordance
External
reduce
AWS
release
limits
is
and
systems.
reviewed access
opportunities
ofdesigned
an
other
access
withand
asset to
background
to
tocorporate
approved
data system
anpolicy.
forstored
protect
(e.g., volume,and
thein
checks
output
are Employees
Amazon
unauthorized
confidentiality
object)
as permitted
devices
automatically to
isareonly
S3unintentional
or
are less logged.
and
by
pushed
required law
authorized
The
integrity
reliable to
than
and
toboundary
ofreview
logs
modification areparticipating
regulation
persons,
transmitted
processes and in for
protection
retained sign
orthat
alignment
misuse
data
in
an at
for of
A.14.1.3 & Analytics, Machine Learning etc. architecture
employees
with AWS
devices
employment on review
commensurate
aaccess
periodic
contract andand threatwith
toauthorization
basis acknowledge modeling,
the employee’s
request performing position
procedures. tocode and
AWS review,
level and
of
employs performing
accessvarious toonly
AWS re-
a
SC-31
least
AWS
through 90
provision
N/A
penetration
mechanisms
facilities.
days
systems.
theclean andstorage
comparison
test.
to
include
detect theto a(at
ofrelevant least
cryptographic
customers.
addition of
every
access their
Physical24hash
responsibilities
request
unauthorized
hours)of
servers data ensure
information
can
systems
for
transmitted.
reboot
and
rule
compliance
such atsets
asany
devices Thisand
the iswith
data
time
into
access
donefor to
the
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC- control
company
accessor
help
many lists
ensure
reasonsstandards
IP are(e.g.,
address,
that up
the to
and date.
object,
message
power information
andisconnections
outage, not security
operation.
corrupted
system requirements.
or altered
process in transit.
interruption or Data
failure), thatwhichhasports
been
6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC- SC-7 system
Several
AWS
All personsboundary.
requestsnetwork
implements working
to KMS To
fabrics
least prevent
with
are exist
privilege
AWS
logged at Amazon,
information
andthroughout
available of
each unauthorized
inseparated
must,
its infrastructure
the atAWS
a AWS
minimum,devices,
byaccount’s
boundary
components.
meetallAWSvacant
protection
thehave screening
AWS
corrupted
might
in leave
network ordevices
aaltered
wiping in
are transit
procedure
disabled is byimmediately
in an incomplete
default. rejected.
state. Customers provides do several
not
31, SI-4 devices
prohibits
process that control inthe flow ofS3. information between fabrics. The flow of
SC-8 CloudTrail
AWS
methods
access
informationtofor
seeks all
for pre-employment
block ports
bucket
to and
maintain
customers
betweendevices protocols
Amazon
todata
or
fabrics
background
that
integrity
securely
physical The do
handle
is establishedmedia not
during checks
logged have
their
that and
a specific
requests
transmission,
data:
was
by approved
sign
previously a storage,
provide business
Non-Disclosure
used
authorizations, topurpose.
information
and processing
store
which
AWS
about
another
SI-4 follows
•Agreement
who
of made
customer
Upon
AWS a rigorous
the
initial
deploys (NDA) request
content. approach
prior
communication
monitoring AWSandtodevices
being
to
under
treats minimal
with granted
which
all atcustomer
an implementation
CMK access
AWS-provided
throughout and toenvironment
content
the AWS
will isofinformation.
also
and
Windows only
describe
associated
to those
Amazon features
All
information
assets as exist
personnel
Machine and
customer’s
as ACL
functions
supporting
about
critical the that
AWS
content.
residing
systems
information. are on
resource
Wiping
these
essential
and
AWS devices
that
blocks
devices.
tosecure
usewithin
was
services ofACLs the
protected
are
time
are
theattempts,
the
device.
contentsystem
capacity
defined,
through Network approved
boundary
agnostic the inscanning
use must
of
that bycollect
re-provisioned
the
they appropriate
sign
isterminal
CMK.
critical
is
performed,
offeran These
NDA
the
sufficient
sameprior
and
log
Image
to ensure (AMI),
information that ontheAWS enables
unauthorized
previous intrusion
content communication
cannot be usage
recovered by configuring
abuse,
from aand
new network
volume and
orservices
Amazon’s
to
anybeing
events
high are
level Information
granted
unnecessaryvisible
of access.
ports
security togenerating
the Security
toor protocols
customer
all customers,team, in use
after and
turningmanaged
are
regardless corrected.
on of AWSand
the deployed
CloudTrail
type of contentusing
in theirAWS’s
being account.
stored.
on the instance
application
object. and
bandwidth usage. a unique
Monitoring self-signed
devices areX.509
placed server
within certificate
the AWS and
ACL-management
We are vigilant about tool. our customers’ security andservices
haveaimplemented sophisticated
delivering
environment
Data deletion the for certificate’s
non-block thumbprint
device to the user
services: For over trusted
such aschannel.
Amazon S3restrict
or
Approved
technical firewall
and physical rule sets
measures and access
against control lists
unauthorized between
access. network
AWS fabrics
has noobjects
insight as
• AWS further
Amazon DynamoDB, enablescustomers secure communication never see with Linux
an attached block AMIs device,by configuring
only
the
to flow
what of
type toinformation
of content to
the(forspecific
customer information
chooses system services. ACLs and rule sets
Secure
and
are the Shell
reviewedpath (SSH)
andthat on the
object
approved
instance,
andexample
are automatically a tabletoor
generating astore
unique in AWS,
an item).
pushed
host-key
to When
andand
boundary a the customer
delivering
customer
protection
the
deletes
retains
key’s
an asset complete
fingerprint
in these control
to the user
services, of how overthey choose
a trusted to classify
channel. their content; where it is
devices
stored, on a periodic basisthe (atdeletion
least isevery
of the 24 mapping
hours) to between
ensure rule an asset
sets and identifier
accessor
key andused,
Customer
control theMaster
lists
archived;
underlying Keys and
are up tocontent
(CMKs)
content
date.
how itused
begins protected
for
immediately. from disclosure.
cryptographic Once operations
the mapping in AWS Key
is removed,
Customer-provided
Management
the content is Service
no longer (KMS), is including
accessible validatedand cannot for integrity,
operations byand AWS
beinfrastructure
processed corrupted
byemployees, or tampered
an application. are secured data
AWS
is not implements
written least
to storage. privilege
Amazon controls. throughout
S3 uses checksums its internally components.
to confirm AWS
the
byW both technical and operational By design,
Wa specific no individual AWS employee
prohibits
continued all ports and
integrity protocols that
of content do within
not have business purpose.
AmazonAWS
can gain access to the physicalinCMK transit material in thethe system
service and dueat torest.hardening S3
follows
provides aarigorous
facility approach to minimal sendimplementation ofwithonlydata thosetransmitted
features and
techniques such as for never customers
storing to
plaintext checksums
master keys alongon persistent disk, using but to
functions
the that areservice
essential to W use of thethe device. Network scanning isdata
performed, and
not service.
persisting The them validates
in volatile memory, checksum
and limiting uponwhich receipt of the
users and to determine
systems can
any
that unnecessary
no corruption ports or protocols in use are corrected.
connect to service occurred hosts. In addition, in transit.multi-party
Regardless access of whether controls a checksum
are enforced is sent forwith
an object to Amazon S3, the service uses
operations on the KMS-hardened security appliances that handle plaintext CMKs in checksums internally. When disk
corruption
memory. or deviceM failure is detected, the system automatically
W attempts W to restore
normal levels of object storage redundancy. External access to content stored in
Amazon S3 is logged, and the logs are retained M for at least 90 days. The logs include
relevant access request information, such as the accessor IP address, object, and
PR.DS-6: Integrity checking mechanisms are · CIS CSC 2, 3 AWS Certifications, AWS Resource Tagging, SC-16 N/A
used to verify software, firmware, and · COBIT 5 APO01.06, BAI06.01, DSS06.02 AWS Config, AWS Config Rules, AWS Cloud
information integrity · ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR Formation, AWS CloudTrail, AWS CloudWatch
3.4, SR 3.8 Logs, Customer Responsibility
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1,
A.14.1.2, A.14.1.3, A.14.2.4 SI-7 AWS seeks to maintain data integrity during transmission, storage, and processing
PR.DS-7: The development and testing · NISTCSC
CIS SP 800-53
18, 20 Rev. 4 SC-16, SI-7 AWS VPC, Security Groups, ACL's/Customer CM-2 of customer
AWS content. AWS
has established formal treats
policies all customer
and procedures contenttoand associated
provide employees assets with as a
environment(s) are separate from the production · COBIT 5 BAI03.08, BAI07.04 Responsibility, AWS EC2, AWS IAM, AWS critical
commoninformation. baseline forAWS information servicessecurity are content standards agnostic andinguidance.
that theyThe offerAWS the same
environment · ISO/IEC 27001:2013 A.12.1.4 CloudTrail, AWS CloudWatch, AWS S3, high
Information level ofSecurity security Management to all customers, System regardless
(ISMS)ofpolicy the type of content
establishes being stored.
guidelines for
· NIST SP 800-53 Rev. 4 CM-2 AWS SNS, AWS Config, AWS AutoScaling, We
protecting are vigilant about our customers’
the confidentiality, integrity, security and have implemented
and availability of customers’sophisticated systems and
AWS Lambda, AWS ELB, AWS RDS technical
content. Maintaining customer trust and confidence is of the utmost importance to as
and physical measures against unauthorized access. AWS has no insight
to
AWS. what type of content the customer chooses to store in AWS, and the customer
retains complete control
AWS works to comply with applicable federal, state, and local laws, statutes, of how they choose to classify their content; where it is
stored,
ordinances, used,and archived;
regulations and how concerningit is protected security, from disclosure.
privacy, and data protection of
Customer-provided
AWS Cloud servicescontent in order is tovalidated
minimize forthe integrity,
risk of and corrupted
accidental or tampered data
or unauthorized
is
access not written
or disclosure to storage. of customer Amazoncontent. S3 uses checksums internally to confirm the
continued integrity of content in transit within the system and at rest. Amazon S3
provides a facility for customers to send checksums along with data transmitted to
PR.DS-8: Integrity checking mechanisms are · COBIT 5 BAI03.05 SA-10 the service.
AWS Service The teams service create validates
administrator the checksum documentation upon receipt for their of the data toand
services determinestore
used to verify hardware integrity · ISA 62443-2-1:2009 4.3.4.4.4 SI-7 that
the
AWS noseekscorruption
documents occurred
in internal
to maintain dataAWS inintegrity
transit.
document Regardless
during repositories. of whether
transmission, Using athese
storage,checksum documents,
and is sent with
processing
· ISO/IEC 27001:2013 A.11.2.4 an
teams
of customer objectprovideto Amazon initial AWS
content. S3, thetreats
training service
to new uses
teamchecksums
all customer members content internally.
that covers Whenjob
their disk duties,
as on-
Information Protection Processes and PR.IP-1: A baseline configuration of ·· CIS
NISTCSC 3, 9, 11Rev. 4 SA-10, SI-7
SP 800-53 CM-2 AWS
corruption
call has established
or
responsibilities, device formalis
failure
service policies
detected,
specific and the
monitoringprocedures
system toand
automatically
metrics and
associated
provide alarms,employees
attempts
assets
along towith
with restore a
the
Procedures (PR.IP): Security policies (that information technology/industrial control · COBIT 5 BAI10.01, BAI10.02, BAI10.03, critical information.
common baseline forAWS information servicessecurity are content standards agnostic and inguidance.
that theyThe offerAWS the same
CM-3 normal
intricacies
AWS
high level levels
applies of aofsystematic
of security
the object
service tostorage
they
all approach
are redundancy.
customers, supporting.
to regardless
managing External
Oncechange access
trained,
ofpolicy
the to
ofcontent
to service
type ensure content teamstored
that allmembers
being in
changesstored.
address purpose, scope, roles, responsibilities, systems is created and maintained BAI10.05 Information
Amazon
can
are Security
S3 on-call
is logged, Management
and the be logs System
are retained (ISMS) for at ownership
least establishes
90asdays. The guidelines
logs include for
management commitment, and coordination · ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 CM-4 We reviewed,
AWS
protecting
assume
areemploys
vigilant
thethe
tested,
aabout
sharedduties
confidentiality,
andour approved.
and
responsibility
customers’ paged
integrity,
The into
AWS
model
security
and
anfor change
andengagement
data
availability have management
implemented
of
a and
customers’
resolver.
approach
security. In addition
sophisticated
systems AWSand
relevant
to
requires
operates,
technical the access
documentation
that
manages,
and physical request
following
and information,
stored
controls
measures steps
in the be
the
against such
repository,
complete as
infrastructure the
before
unauthorizedAWS accessor also
a change
components, IP
uses address,
Engagement
is deployed:
from object,
the host and
Drills
insightand
among organizational entities), processes, and · ISA 62443-3-3:2013 SR 7.6 CM-5 AWS
content.
operation.
GameDay
1. applies
Maintaining a systematic customer approach trust to managing
and confidence is access.
change of theto ensure AWSthat
utmost has no changes
all
importance and to
as
to Document
operating
are what type Exercises
systemofand communicate
and
content to train
virtualization
the coordinators
customer the change
layer
chooses andviato
down Service
the
to appropriate
the
store TeamsAWS,inAWS
physical
in their
security
and thechange
roles
of the
customer
procedures are maintained and used to manage · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, CM-6 Likereviewed,
AWS.
AWS
management
responsibilities.
facilities
retains
applies
Amazon in which
complete
atested,
S3,
tool. systematic
Amazon and
the services
control
approved.
approach
Elastic
of steps
how operate.
they
The
Block choose
AWS
to managing
Store to
change change
(Amazon
classify
management
to ensure
EBS)
their employs
content;
approach
that all
where
changes
redundantit is
protection of information systems and assets. A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 requires
AWS
are
storage
2. Plan works
reviewed, that
and the
to
data
implementation following
comply
tested, and
validation. with
ofapproved.
the applicable
To be complete
prevent
change The andfederal,
AWS
data before
loss
rollback state,
change
due ato change
and local
management
proceduresfailure isto
of deployed:
laws,any statutes,
approach
minimize single
CM-7 AWS
stored,
1. implements
Document used, archived; the
andregulations
communicateleast
and functionality
how it
the is protected
change principle
viabeforefrom throughout
theprivacy,disclosure. its infrastructure
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM- ordinances,
requires
hardware
disruption.
components.
AWS
Customer-provided
that
Services
andthe
component,
Network
in following
production each
contentdevices concerning
steps
Amazon
is and beservers
operations
validated
complete
EBS security,
are
forvolume
aremanaged isappropriate
implemented
integrity,
ain change
and a
andwith
automatically
manner
corrupted
isAWS
data deployed:
minimal
thator
change within
protection
replicated
preserves
tampered
of
their
data
4, CM-5, CM-6, CM-7, CM-9, SA-10 CM-9 management
AWS has
Cloud established
tool.
services and maintains company-wide policy that AWS defines roles,
1.
thenot
3.
functionality, Document
same
Test and
theAvailability
change and in ain
communicate
service Zone.order
logically
teams tothe
Amazon minimize
change
segregated,
add EBSAWS the
via
also risk
the of
provides
non-production accidental
appropriate the ability or unauthorized
environment. tochange
create point-for
SA-10 confidentiality,
is
responsibilities
2.
access
AWS Plan written
or to
implementation
Service disclosure integrity
teamsstorage.
and and
ofAmazon
classifications
of
createcustomer the availability.
change
administrator S3foronly
content. uses software
managing
and checksums
rollback
documentation has packages
changesimplemented
internally
procedures to the and toservices
secure
confirm
toproduction
minimize needed
software
the
management
in-time
4.
the
development
continued
environment. Complete
device to atool.
snapshots peerofreview
perform
procedures
integrity
Changes ofvolumes,
its of
tooffunction.
contentthat
AWS the
arewhich
in change
followed
transit
services
are persisted
with
within
and athe
to features
ensure focus to on for
Amazon business
appropriate
system follow
their
andsecure S3. services
These
impact
at security
rest. Amazon
software
and
snapshots
and
controls
store
S3 are
disruption.
the
2.
canPlan documents
begivesimplementation
used asinto in
the internal
starting AWS
the
point document
changefor new and repositories.
rollback
Amazon proceduresUsing these
toby documents,
minimize
PR.IP-2: A System Development Life Cycle to · CIS CSC 18 AWS Certifications, AWS Best Practices, AWS PL-8 technical
AWS
incorporated
provides
development
3. arigor.
customers
facility The
practices, the
for reviewownership
aapplication
customers
which should
toinclude
include
and
design.
to send controlAs a part
checksums
a security code
over ofEBS
review.
risktheir
the
along volumes
content
application
review with prior
and
data to protect
design
todesign
transmitted
launch. through
process, datato
manage systems is implemented · COBIT 5 APO13.01, BAI03.01, BAI03.02, Reference Architectures, AWS Trusted Advsior, SA-10 forTest
teams
disruption.
5.
simple,
new
the
AWS Attain the
provide
long-termbut
applications
service.
Service
change
approval
The
initial
durability.
powerful
teams
in training
for
must
service create
logically
the
tools change
that
participate
validates
segregated,
new
allow
administrator by
in
the
team
an authorized
customers
an AWS
checksum
non-production
members
documentation
that
individual.
to determine
Security
upon
covers
review
receiptfor
environment.
wheretheir
including
their
of the
job duties,
their
services
data tocontent
registering
and
determine
on-
store
4.
call Complete
responsibilities, a peerinreview ofspecific
thesegregated,
change with a focus on and business impact and
BAI03.03 AWS CloudFormation, AWS Config, AWS 3.
In Test
will
that
the
AWS order theto change
bedevelopers
stored,
application,
documents
no validate
corruption how
in itservice
that
initiating
internal
awill
occurred
that
logically
changes
require bein
the
AWS secured follow
application
transit.
accessdocument
monitoring
toin the
transit
risk
Regardless standard ormetrics
non-production
classification,
repositories.
production of change
atenvironments
rest,
whetherUsing
alarms,
environment.
management
andparticipating
aaccess
these
checksum
must
along
to their
documents, in
is
explicitly
with
AWS
the
sent
the
with
SA-11 technical
AWS
intricacies
4.
procedures, applies
Complete rigor.
ofall apeer
the
awill The
systematic
service
changes review
review to they should
approach
of
the are
the
AWS include
to managing
supporting.
change with
environment a code
Once
a focus review.
change
are trained, to service
on business
reviewed ensure on that
team
impact
at least allmembers
achanges
and monthly
· ISA 62443-2-1:2009 4.3.4.3.3 ConfigRulesAWS CloudTrail, Customer environment
architecture
an
teams
request objectprovideto
access review
Amazoninitial
throughmanaged.
andtraining
S3, thethreat
the AWS modeling,
service
to new
access uses
team performing
checksums
members
management code
that
internally.review,
covers
system, havetheir
When and
the job performing
disk duties,
access on- a
SA-12 5.
to
can
technical
Key
basis. Attain An approval
a assume
production
suppliers on-call
rigor.
audit areThe
trail for
environment
duties the
review
identified
of the change
and are
should
and
changes bechosenbyinclude
reviewed,
paged an authorized
foratested,
into
ismonitoring
maintained an
code
their individual.
and
engagement
review.
ability
for a approved.
to
least as ayear.
provide
one Facilities,
resolver. AWSIn
service to addition
defined
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, Responsibility penetration
corruption
call
reviewed and test.
responsibilities,
or device
approved service
failureby is
thespecific
detected,
appropriate the system
owner, metrics
automatically
and uponand alarms,
approval attempts
along
obtain to
with restorethe
In
equipment,
to
5.
requirements.
maintains order
the
Attain toapproval
validate
and
documentation
processes software
Qualified that
for stored
the
toservicechanges
components
detect change
suppliers follow
inunauthorized
the by
are anof
repository,the standard
production
authorized
added to AWS
changes the change
operations
also
individual.
approved
made uses
to management
are
Engagement
supplier
the identified
liststored
environment. Drills
maintained Any and
A.14.2.1, A.14.2.5 SA-15 AWS has
maintainsimplemented a systematic global privacy
approach, and
to data
planning protection
and best
developing practices new in order
services to
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4,
normal
intricacies
authentication.
procedures,
throughout
GameDay
In
by
exceptions
helping order
the
levels
AWS
ofall
theirthe
Exercisesof
toenvironment,
validate
are
customers
AWS
supplier
object
service
changes
lifecycle
analyzed that
storage
to they
tomanagement
establish, train the
changes
tobuild
are
teams
AWS
todetermine
ensure redundancy.
coordinators
operate
supporting.
follow maintain
environment
that
team. the
and only
the and
Through
root
External
leverage
Once
service
acceptable
Service
standard
cause. are
the
our
trained,
access
specific
reviewed
Teams
change
use
Appropriate
security
service
of90as
to
components content
change
on
incontrol
their
management
established atteam
actions roles members
management
least
are a
usedand
assessment
are
environment. in forto
in
monthly
taken
SA-17 the
Customers
Amazon
can
standards
AWS
basis.
production. AWS
assume S3
Services
An assume
thaton-call
auditis logged,
inherit
in
trail duties
production
of and
and to
responsibility
the ensure
and
the
changes be
logs
on
operations the
and
paged
are
the
is quality
management
retained
AWS into
are
maintained and
an
Change
managed security
for of
engagement
for at the
least
Management
a in a
least requirements
guest
manner
one operating
days.
a resolver.
that
year. The are
guidelines. logs
In
preserves
AWS met
system with
addition
include their
SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI- responsibilities.
procedures,
bring
These the all
AWS
change
security changescontinuously
into
protections to the
compliance and AWS monitors
controlor environment
roll suppliers
back
processes the are
change,
are reviewed
toalsoensure if
independently that on
necessary. atvalidated
they least
are atomonthly
Actions by are
each
(including
relevant
to
confidentiality,
maintains therelease. access
documentation AWS’
updates
processes request and
integrity strategysecurity
information,
stored
toand and
detect for
in thethe
patches),
availability.
unauthorized design
such
repository, asand
other
AWS the AWS
changes development
associated
accessor
has implemented
made uses
to of
application
IP address,
the services
Engagement
secure object,
environment. is
software,
software clearly
and
Drills Anyasand
12, SI-13, SI-14, SI-16, SI-17 SA-3 AWS
basis.
conforming
then
multiple
define maintains
An
taken audit
to
third-party
services ina terms
trail
toaddress
specificsystematic
of the
AWS
independent
of approach
changes
requirements.
remediate
customer isthe
assessments.
use toprocess
planning
maintained
cases, The for
extent
or
service and
people developing
a least
of one
assessment
issue.
performance, year. new AWS
for services
marketing a supplier foris
and
well
operation.
GameDay
AWS as the
applies configuration
Exercises
aanalyzed
systematic to to trainof the AWS-provided
coordinators
approach to and
managing security
Service change group
Teams to infirewalls
their roles and and other
SA-4
development
exceptions
The
the
maintains
dependent
AWS
distribution
development,
AWS maintains
areprocedures
environment
processes
upon the test to and
amanagement,
requirements, systematic
that
to
detect
significance are
determine
production
ensure followed
that
unauthorized
approach
production of the the
andproduct
to
to
root
environments
quality ensure
andcause.
changes
planning
testing, security
and/or appropriate
Appropriate
emulate
made
and
and toensurethe
requirements
service
developing
legal the that
security
actions
production
environment.
purchased new
all
are are
and,
changes
controls
met
services
taken
system
Anywith
where are
for
to
security,
Like
responsibilities.
to
incorporated
bring
environment
each
exceptions the change
Amazon
a production
release. change
are andS3,
into
AWS’s Amazon
environment
the
into
are
analyzed application
compliance
used
strategy toElastic
toensure are and
properly
fornew or
the
logging
Block
reviewed,
design. roll
assess
design Store
As
back features.
tested,
part
and
and the(Amazon
of andthe
change,
prepare
development if and
EBS)
approved.
application
for regulatory
ofemploys
necessary.
the The
impactdesign
services AWS redundant
Actions
of Change
isprocess,
amet
tochange are
clearly
SA-8 applicable,
the
requirements.
storage
AWS
Management
new
then
to
AWS
the operates,
and
applications
taken
production
upon
environment
todata The
approach
address
previously
design
manages,
validation.
must
system and
to ofdetermine
and
requires
participate
demonstrated
all
To
remediate
environment.
that
controls
prevent
that in
the
quality
services
an
the the
In
root
data
following
AWS
process
order orcause.
performance.
and
infrastructure
loss
Securitysecurity
any
due
or
to steps
Appropriate
significant
people
reduce to requirements
failure
components,
be
review complete
issue.
the of
actions
changes
any
including
risks of
are
from to
single
before
are
the
a
taken
current
registering
unauthorized
withto
host
change
define
bring
All
each
services services
the
purchased
release. change
follow AWS’s in
secureterms
into
materials of
andcustomer
compliance
strategy
software services or roll
fordevelopment
the use cases,
back
intended
design and the service
for change,
use
development
practices inperformance,
and ifarenecessary.
production of marketing
Actions
processes
services
controlled is to
through areanda
are
clearly
SI-12 hardware
operating
is
the
access
AWS
distribution deployed
application,
or
treats component,
system
to
changeall the and
to
customer the virtualization
production
initiating each the Amazon
production
content environment:
application
and layer
EBS
environment, down
volume
risk
associated to is
the
classification,
the
assets automatically
physical
development,
as highly security
participating replicated
test
confidential. of
and inthe within
theAWS
then taken
specified
define
project intorequirements,
services
management address
purchasingin terms and
system production
ofremediate
documents.
customer
with the
All and
use testing,
process
component/material
cases,
multi-disciplinary orand
servicepeople legal and
issue.
performance,
participation. regulatory
specification marketing
Requirements documents anda
SI-13
the
facilities
architecture
production
Cloud
requirements.
are
N/Areviewed
distribution
same Availability
in
services which
review
environments
The
and
the
areapproved
requirements,
and
content
design Zone.
services
threat
are
of Amazon
agnostic
byall
production
operate.
modeling,
logically
new in
management
EBS AWS
that
services
and
also
performing
separated.
they or
personnel
testing,
provides
endpointsIn
offer
any and
code
order
the the
are
same
significant
prior
legal
ability
tested
review,
to apply
to
and high as
changes
use.
to
and create
part
changes
level
Additional
regulatory
ofcurrent
performing
toof AWS
to theand
point-
security
service
in-time
compliance
1.
penetration Document specifications
snapshotsvulnerability
andregardless
communicateare scans.
of volumes, established which
the during
are
change via service
persisted thebeingto development,
Amazon
appropriate S3.
AWS taking
These change intoof tests
snapshots
SI-14
AWS
to
services
requirements
requirements.
N/A
account are test.
production
all customers,
legal controlled
not
The
and
environments,
specified
design
regulatory throughof onof
all the AWS
anew type
project
component/material
requirements,
service
ofmanagement
services content orteams
customer any must
specifications
significant
contractual
firstwith
stored.
system run
We are
changes aarefull
conveyed
commitments, toset
vigilant
multi-disciplinary
current about
via
and
can
AWS
management
in
our
participation. thebeCloud
used
test
customers’ as the
services
tool.
environment, starting
security
Requirements areand point
managed the
have
and for innew
testing a manner
implemented
service Amazon
methodology
specifications that EBS
sophisticatedmustvolumes
preserves
are their
betechnical and
documented.
established to protect
confidentiality,
and
during physicaldata
service
purchase
services
requirements orders
are controlled
to or contracts.
meet thethrough Purchase
ahasproject orders
management and/or contracts
system convey
with the degree
multi-disciplinary of
SI-16 for
integrity,
Different
2.
measures
development, long-term
Plan and
instances
implementation
against durability.
availability.
taking running
unauthorized
into ofconfidentiality,
AWS
theonchange
account the
access. same
legal and
AWS
and
integrity
implemented
physical
rollback
has
regulatory noand
secure
machine availability
procedures
insight software
areas
requirements, isolated
to what
to of
minimizethe
development
from
type
customer
service.
ofeach
control AWS
participation.
Service reviews establishes
Requirements
are completed with and their
as service
partsuppliers
of to ensure are
specifications
theappropriate
development quality product
established
process. Prior and/or
duringto service
SI-17 procedures
other
disruption.
The
content
N/A
contractual
service.
development,
viathe
AWS the thatXen
service,
customer are
commitments,
taking
followed
hypervisor.
including
chooses
into
toAWS ensure
andapplication
account torequirements
store
legal
is in that
active
andAWS, in meet
programming
to the Xen
and the security
community,
interfaces
customer
therequirements,
confidentiality,controls
retains
(APIs),which arelaunch,
are provides
complete
integrity,labeled
each
incorporated
awareness
3. Test
control of the
marked thehow
of following
of into
change
by the they the
latest
in
identifiers. requirements
aapplication
choose developments.
logicallyFacilities, must
design.
segregated,
to classify In be regulatory
As
equipment,
their complete:
part
addition, of
non-production
content, the
and the
where application
Amazon
software EC2
environment.
itensure
isas
components
stored,
customer
design
firewall
how process,
itresides
are islegal
PR.IP-3: Configuration change control · CIS CSC 3, 11 AWS Resource Tagging, AWS Config, AWS CM-3 and
AWS
contractual
•tracked availability
maintains
applies of
apeer-review the
standard
systematic
commitments, service.
contract
approach
and Service review
requirements to reviews
and
managing are
signature
toSecurity
meet completed
change the processes
tointerface
confidentiality, part
that
that ofinclude
the
all changes
integrity,
4.Security
new
within
used,
development applications
Completethe
and such Risk
hypervisor
how athat itAssessment
process. must
is participate
layer,
quality-impacting
protected
Prior of between
to the
from
launch, in
change an
the
disclosure.
issues AWS
each physical
with
and
of aerrors
the network
focus on
are
following review,
business
traceable which
requirements and
impact
to includes
relatedtheand
must be
processes are in place · COBIT 5 BAI01.06, BAI06.01 Config Rules, AWS Cloud Formation, AWS •reviews
are
and
registering
instance’s
technical
components.
AWS
reviewed, that
availability
Threat modeling
hasthat thefocus
virtual
rigor.
tested,
implemented
on
ofinterface.
the
application,
The
protecting
and
review
approved.
service.
datastepsinitiating
All
should
AWS
Service
packets
handling
The resources.
AWSpass
reviews
application
includeand must a code
change
are
classification risk
through
review.
management
completed thisas
classification,
requirements layer, approach
partparticipating
of the
thus
that an provide in
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 CloudTrail, AWS CloudWatch & CloudWatch complete:
requires
development the
process. following Prior be access
complete before acode
change isanydeployed:
• Security
architecture
instance’s
•5.
specifications Attain approval design
review
neighborsaround:
reviews
forandhave
the notomore
threat
change launch, by aneach
modeling, toofthat
performing
authorized theinstance
following
individual. requirements
review,
than and
other must
performing
host onbethe a
· ISA 62443-3-3:2013 SR 7.6 Logs, Customer Responsibility
CM-4 • Security
1.
complete:
penetration
Internet Document
Secure risk
code
and and
test.
can
assessment
reviews
a be
communicate
treated as if the theychange are on via separatethe appropriatehosts.
for dataphysical ownership andThe
AWS change physical
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, •AWS
• Threat
management Data employs
Security encryption
modeling
risk tool.
testing
shared
assessment
responsibility model security. AWS
SA-10 Random-Access
•Where
operates,
AWS Content appropriate,
Service
Security manages,
in transit
design teams Memory acreate
and
reviews continuous
during(RAM)
controls storage
administrator is infrastructure
separated
deployment
the documentationusing
methodology similar
components, for ismechanisms.
conducted
their fromservicesthe to host ensure
and store
A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 2. Plan implementation
Threat modeling of the change and rollback procedures to minimize
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA- ••changes
operating
the
disruption.
• Security
Vulnerability/penetration
Access
documents
Secure are
code automatically
system in
reviews and
internal virtualization
AWS
testing
built, tested,
documentlayer and down pushed to the
repositories. to physical
production,
Using with
security
these the
of the
documents, goal of
PR.IP-4: Backups of information are conducted, CIS CSC 10 CP-4 The
eliminating AWSindesign business
as initial
many reviews
continuity
manual planasdetails
steps possible. the three-phased
Continuous approach that
deployment AWS to has
10 •facilities
• Retention
teams
3. Testprovide
Security the
which
testing
change
the services
in training
aandlogically tooperate.
new
segregated,team members
non-production that covers their jobseeks duties, on-
maintained, and tested periodically · COBIT 5 APO13.01, DSS01.01, DSS04.07 CP-6 developed
Within
•eliminate
call
Secure
Physical anycodeto
the singlereviews
recover
manual
controls
responsibilities, AWS nature
service
reconstitute
region of thisthere
specific
themultiple
are
process
monitoring
AWS infrastructure:
and automate facilities
metrics eachorenvironment.
data
step,centers
allowing called service
· ISA 62443-2-1:2009 4.3.4.3.9 4.
•AWS Vulnerability/penetration
Complete
Security
Activation a peer
testing
and review testing
of the change withtoaidenticalfocus on and business alarms, impactalongand with the
CP-9 Availability
•teams
Each
intricacies Mobile Services
Amazon Zones.
to standardize
devices
of the inNotification
EBS Each
the process
production
volume
service data
they
Phase
center
stored
are and
isoperations is
as
supporting. built
increase
aarefile, the
andefficiency
managed
Once AWS in aphysical,
trained, creates withtwo
manner
service environmental,
which
that they
preserves
copies
team ofdeploy
members thetheir
· ISA 62443-3-3:2013 SR 7.3, SR 7.4 technical
•confidentiality,
and Recovery
security rigor.
Vulnerability/penetration
Phase The
standards reviewin and an should
testing
active-active include a code
configuration. review. System management
PR.IP-5: Policy and regulations regarding the · COBIT •code.
EBS
can
5.
In continuous
Handling
volume
assume
Attain on-call
approval
integrity
requirements
for deployment,
redundancy.
duties
for the and
change Both
be an
availability.
paged
by
entire
copies
an into release
AWS
reside
authorizedan has
in process
engagementimplemented
the same
individual.
is asaAvailability
"pipeline"
a secure software
resolver. containing
Zone,
In addition
ISO/IEC527001:2013
DSS01.04, DSS05.05
A.12.3.1, A.17.1.2, AWS Certifications PE-10 The
• Reconstitution
activities AWS data
arewhile center
performedPhase by electrical AWS power systems
personneltowho are designed
are also cleared to
and be fully
authorized redundant to
physical operating environment for ·A.17.1.3,
ISA 62443-2-1:2009
A.18.1.3 4.3.3.3.1 4.3.3.3.2,
"stages”.
development
however,
to
In
and
This the
order documentation
maintainable
approach
procedures
tosovalidate ensures Amazon
that
without stored that
changes
that impactinare
EBS
AWS the followed
replication
torepository,
follow the system
operations,
performs
ensure
can AWS
standard 24survive appropriate
hourschange hardware
uses
a day.
security
Engagement
management
Power failure; controls
to AWS is work
itDrills not
data
are
and
within
incorporated
suitable AWS data
into centers.
the applicationThere forare design. no alternate
As
andpart ofrecovery
data thecenters
applicationandin reconstitution
the sense
design of
process,
organizational assets are met 4.3.3.3.3,
· NIST4.3.3.3.5, 4.3.3.3.6
SP 800-53 Rev. 4 CP-4, CP-6, CP-9 GameDay
procedures,
centers
efforts
traditional
AWS
new isasaprovided
in
host
applications
anallavailability
Exercises
methodicalchanges
cold/warm/hot
configuration must
to
through totool
train
sequence,the
sites
settings
participate
coordinators
localAWS prolonged
power environment
maximizing
maintained
are
in providers.
monitored
an AWS
outages
Service
the
in application
the
Security
areInor
effectiveness
toevent
validate
disaster
Teams
reviewed
the event
oflevel,
review
inon
acompliance of
Continuity
recovery
their
the
including
roles
at least
disruption,
recovery
of
with
purposes.
aandmonthly
UPS
Operations
AWS
registering and
We
responsibilities.
basis. recommend
Ansituation.
auditbackup that
trail ofyou thereplicate
changes data at
is maintained the for a centers,
least inone and/or
year. create
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, units
reconstitution
(COOP)
security
the
backups.
providestandards
application,Amazon
efforts All
and
initiating
EBS
power
and
AWS
automatically
the
provides
or
minimizing
data critical
centers
application
snapshots
and
system
pushed are
riskessential
that
outage
live
to the data loads
host
classification,
capture
time due
fleet.
the
the to
and
Firewall
participating
data storedall AWS
facility
errors and the
and
relevant
policies
onin an Any
A.11.2.2, A.11.2.3 maintains
generators
omissions.
security processes
are
controls used areandtoto detect
provide
applicable unauthorized
backup
across power
all AWS changes
for the made
entire to the
facility. environment.
(configuration
architecture
Amazon EBS review files) are automatically
threat modeling, pushedperforming todatafirewall centers.
code devices AWS
review, personnel
every
and 24(for hours.
performing with a
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE- exceptions
Each
AWS
approved Availability
maintains arevolume
logical analyzedZone
aaccess
ubiquitous atis a designed
to
are
specific
determine
security
capable
point
ofthe
as an in
controlroot time.
independent
providing cause. If the
environment
remote
volume
Appropriate
failure across
support
is corrupt
zone. actions
toallAutomated
regions.
other are taken
Each as
facilities to
penetration
example, due test.to customer
system failure), or
13, PE-14, PE-15, PE-18 bring
processes the change into compliance ordataroll from
backthe itthe is deleted,
change, ifyou incan therestore
necessary. ofthe
inActions are
data
necessary.
In order
volume
center tomove
from
is built
validate
snapshots.
to
that physical, trafficenvironmental,
changes away
follow from
the standard affected
and security
change area standards
management case an a failure.
active-
then
active taken to address
configuration, andAmazon
employing remediate anEBS thesnapshots
n+1 process
redundancy orare AWSissue.
people objects to system
which IAM
procedures,
Customers
users, groups, alland
assume changes to
responsibility
roles can the beAWS and
assigned production
management
permissions, ofmodel
environment thethat
so
toare
guest ensure
only reviewed
operating
authorized on users
system at least
availability
a monthly.
(including in the
An auditand event trail ofof component
the changes failure.
patches),isother Components
maintained (N)
for aapplication have
least a year. at least one
can
independent access updatesAmazon
backup EBS
security
component backups. (+1), so the backup
associated
component is activeand
software, as
in the
well as the configuration of the AWS-provided security group firewalls other
PE-12 operation
Emergency
security,
The AWSchange evenchanges
data if all follow
other
management,
center electricalcomponents
theand AWS
power logging are fully
incident
systems features. functional.
response
are designed Intoorder
procedures. be fully to eliminate
Exceptions
redundant to
single
the change points of failure,
management this modeltois applied throughout AWS, including network
PE-13 and
Each
and
maintainable
AWS
data center
without
dataimplementation.
center isprocesses
impact
evaluated All
are
todata
documented
operations,
determine
centers
24the
are
and
hours escalated
controls
online
a day.
and that to
Powermust
serving
AWS to
be AWS
traffic;
data
no
management.
centers
implemented is provided to through
mitigate, local power
prepare, monitor, providers.
and respondIn thetoevent natural of disruption,
disasters or UPS
PE-14 data
Each
units provide center
AWS is
data“cold.”
backup center In is
power case
evaluated
of failure,
or Controls to
critical and determine
there is sufficient
the
essential loads controls capacitythat
in the facility must
to enable
beand traffic
malicious
to
implemented be actsto
load-balanced that may
mitigate, to the occur.
prepare,
remaining monitor,
sites. implemented
and respond to to address
natural environmental
disasters or risks
PE-15 Each
Refer
generators
can AWS
to theare
include, data
following
butused center
aremay to is
AWS
notprovide evaluated
limited Audit
backup
to, the to
Reportsdetermine
power
following: the
forforadditional controls
entiredetails: that must
facility.HKMA TM-G-1, be
malicious
implemented
PCI 3.2, ISOacts
Availability tothat
27001, mitigate,
Zone ISOis occur.
prepare,
27017,
designed Controlsmonitor,
HIPAA,as an implemented
andand
IRAP,
independent respond
NIST to address
to
800-53,
failure natural SOC
zone. environmental
disasters
2 COMMON
Automated or risks
PE-18 Each
• AWS
can AWS data
include, data
centers
but center
are not2isequipped
are evaluated
limited to, with to determine
the sensors
following: themastercontrols shutoffthat must
valves beto detect
malicious
CRITERIA,
processes acts
move tothat
SOC 1may
customer & occur.
CONTROLS
traffic Controls
away implemented
from the respond
affected to to address
area in the environmental
case of to adetect risks
failure.
PR.IP-6: Data is destroyed according to policy · COBIT 5 BAI09.03, DSS05.06 AWS Certifications, Customer Responsibility MP-6 •implemented
the
Data
can AWSpresence
destruction:
data centers
include,
of
but
mitigate,
water.
areContent
are
not
prepare,
Mechanisms
on drives
equipped
limited to,
monitor,
with are
the
in
is treated
sensors
following:
and
place atand to
theremove
highest
master natural
water
level in
shutoff ofdisasters
order
classification
valves to or
prevent per
· ISA 62443-2-1:2009 4.3.4.4.4 malicious
any additional actsof that
water may damage. occur. Controls implemented to
as address environmental risks
•AWS
the
• AWS
can
policy.
presence
Automatic data centers
include,
Content
butwater
fire
water.
are are
not
detection
is destroyed
Mechanisms
equipped
limitedand to,with
onarestorage
in
sensors
the following:
suppression
place devices
equipmentandto remove
master part water
has shutoff
been
of the invalves
order to
installed
to detect
prevent
to reduce
· ISA 62443-3-3:2013 SR 4.2 decommissioning
any
the additional
presence of water.processdamage. in
Mechanisms accordance are in with
place AWS to security
remove standards.
water in order to prevent
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, ••risk
AWS AWS and data
hosts
Automatic notify centers
are
fire the
securelyAWSare equipped
detection Security
wiped or with
and suppression Operationssensors
overwritten and master
Center
prior
equipment toand shutoff
hasemergency
provisioning
been installed valves
for to reduce
responders
reuse.
to detect
AWS in
any
the additional
presence
event of aoffire. water
water. damage.
TheMechanisms
fire detection are in place
system uses tosmoke
remove waterprior
detection insensors
order to(e.g.,
prevent
A.8.3.2, A.11.2.7 •media
risk and is notify
Theadditional
data securely
center the wiped
AWS
electrical or degaussed
Security
power Operations
systems and physically
areCenter designed destroyed
and emergency to leaving
responders in
· NIST SP 800-53 Rev. 4 MP-6 any
Very
AWS
the Early
secure
event ofSmoke
azones.water
fire. The damage.
Detection fire detectionApparatus system [VESDA], pointtodetection
be fully
source redundant
detection) in and
all data
maintainable
•Very
center Automatic without
fire
environments, detection impact
mechanical and tosuppression
operations,
and electrical 24uses
equipmenthours smoke a has
infrastructure day.been UPS unitssensors
installed
spaces, provide
chiller
(e.g.,
to in reduce
rooms,
To
backup validate
Earlypower AWS’s
Smoke in secure
Detection wipe an processes
of Apparatus and
[VESDA], procedures,
forpoint third-party
source detection) auditors allin data
risk
and generator
review
center and thenotify
guidance
environments, thethe
equipment AWS event
within Security
rooms.
mechanical the AWS
electrical
Operations
These
and areas
media
electrical
failureCenter
are
protection protected critical
and
infrastructure policy, byand
emergency eitheressential
observe
spaces, responders
wet-pipe, loads
degaussing
chiller rooms, in
the
the facility.
event ofandData
a fire. centers
The fireuse generators
detection system to provide
uses backup
smoke power
detection for the entire
double-interlocked
equipment
and
facility. generator secure
equipment pre-action,
shred rooms. bins orThesegaseous
located sprinkler
within
areas areAWS systems.
protected facilities,
by either andsensors
review
wet-pipe, (e.g.,
historical
Very
• The Early data
thatcenterSmokeelectrical Detection Apparatus
power systems [VESDA],
are designed point tosource
be fully detection)
redundant in and
all data
•tickets
double-interlocked
center Availability tracked
environments, Zones theare destruction
pre-action, physically
mechanical
or gaseous
and
and removal
separated sprinkler
electrical within of storage
systems.
a
infrastructure
media
metropolitan spaces,
fromregion the and
provideand in
chiller rooms,are
•maintainable
environment.
The dataflood
different centerwithout electrical
plains.
impact to operations,
power systems are 24 designed
hours a day. to be UPS fully unitsredundant
and
backup
Data generator
powerwithout
deletion equipment
in
for the
block event rooms.
device of toanbased These
electrical areas
storage are
failure
24(e.g., protected
for acritical
Amazon by and
EBS, either wet-pipe,
essential
Amazon loads
Relational in
•maintainable
Each Availability
double-interlocked Zone impact
pre-action, is designed operations, as an hours
independent day.
failure UPS units
zone. provide
for Automated
the
Database
backup facility.
power Data
Service centers
[Amazon
incustomer
the event use of anorelectrical
generators
RDS], gaseous
ephemeral to sprinkler
provide
failuredrives): for systems.
backup In area
critical power
order and tothe ensure
essentialthe thatentire in
ofloads
•processes
The
facility.
customer
the data
facility.
move
center
content
Data centers electrical
is properly
traffic
power away
erased, AWS
use generators systems from are the affected
designed
wipes underlying
to provide to
backup power be in
fully
storage
case
redundant
for media
the entire
a failure.
uponandre-
maintainable
• Climate control
provisioning
facility. without
rather is than impact
required upontode-provisioning.
operations,
maintain 24 hours
a constant Processes a day.that
operating UPS units
temperature
wipe provide
content forupon servers
backup
and
release
• Climate other powerhardware,
of control in
an assetis(e.g., the event
which
required of
volume, an
prevents electrical
overheating
object) are
to maintain failure for
and
less reliable
a constant critical
reduces
operating and
the
than temperature essential
possibility
processes that loads
of
foronly inre-
servers
the
and facility.
service
provision other outages. Datastorage
clean
hardware, centers
Data which touse
centers generators
are conditioned
customers.
prevents to provide
Physical
overheating toservers backup
maintain
and power
canatmospheric
reduces reboot for
at any
the possibility the entire
conditions
time offor at
facility.
specified
many
servicereasons levels.
outages. (e.g., Personnel
Data powercenters andare
outage, systems system
conditioned monitor
process and
to maintain control
interruption temperature
atmosphericor failure), and
which at
conditions
•humidity
mightClimate
specified leave control
at appropriate
a wiping
levels. is required
Personnel levels.
procedure to maintain
This
and systems is
in an incomplete a
provided constant
monitor and at operating
N+1
state. and
Customers
control also temperature
uses
temperature free
do notand for
have as
cooling servers
and
primary
access
humidity other hardware,
tosource
block
at of
devices
appropriate which
cooling or prevents
when
physical
levels. Thisandmediaoverheating
iswhere
provided it iswas
that atand
available reduces
previously
N+1 and basedalsothe on
used possibility
uses local
tofreestorecooling of
another as
service
primaryoutages.
environmental
customer’s sourcecontent. ofData
conditions. centers
Wiping
cooling when areand
blocks conditioned
atwhere
the time it istocapacity
maintain
available atmospheric
is based
re-provisioned
on local conditions
is sufficient at
specified
•to Availability levels.
ensure that the
environmental Zones Personnel and systems monitor
previous content cannot be recovered from a new volumeand
conditions. are physically separated within and acontrol
metropolitan temperature region and or are in
humidity
• Availability Zones are physically separated within a metropolitan region and are as
different
object. at
flood appropriate
plains. levels. This is provided at N+1 and also uses free cooling in
primary
•Data
Each
different source
Availability
deletionfloodfor of cooling
Zone iswhendesigned and where
as an
non-block device services: For services such as Amazon S3 or
plains. it is
independent available based
failure on
zone. local
Automated
environmental
processes
Amazon moveconditions.
DynamoDB,
• Each Availability customerZone istraffic
customers designed away
never asfrom
see antheattached
an independent affectedblock area device,
failure inzone.
the case onlyofobjects
Automated a failure.
•processes
Availability
and the path move toZonesthat
customer are physically
object (for example
traffic away separated a table
from within
the or an aitem).
affected metropolitan
area When in thea regioncustomer
case ofand are in
deletes
a failure.
different
an asset inflood theseplains. services, the deletion of the mapping between an asset identifier or
• Each
key andAvailability
the underlying Zonecontent is designed beginsasimmediately.
an independent Once failure zone. Automated
the mapping is removed,
processes
the contentmove is nocustomer longer accessible traffic away and from cannot thebeaffected
processed areabyinan theapplication.
case of a failure.
PR.IP-7: Protection processes are continuously · COBIT 5 APO11.06, APO12.06, DSS04.05 AWS Certifications, Customer Responsibility CA-2 The AWS Compliance Assessment Team (CAT) maintains a documented audit
improved · ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, CA-7 schedule
AWS of internal
conducts and external
monthly monitoring assessments to ensure
of its security implementation
posture and
through a continuous risk
4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8 operating effectiveness
assessment and monitoring of the AWS control
process. environment to
Additionally, meet business,
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, CP-2 The AWS Business
regulatory, Continuity
andancontractual policy
objectives. lays out the annual security
guidelines used assessments
to implementare
conducted
procedures by accredited
to respond Third-Party
toa aformal,
serious outage Assessment Organization (3PAO) to
Clause 10 IR-8 AWS
The needs
validate hasthat
implemented
and expectations
implemented of internal
security andorexternal
documented
controls
degradation
incident
continue
of are
parties
be
AWS
toresponse
services,
policy
considered
effective. and including
Securityprogram.
the recovery model
The policy addresses and its
purpose, implications
scope, on
roles, the business continuity plan.
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, PL-2 throughout
assessments the
thatdevelopment,
include analysis and responsibilities,
a riskimplementation, and auditing
a Plan of Actionof and
themanagement
and AWS control
Milestones
IR-8, PL-2, PM-6 commitment.
environment.
(POA&M) areParties include,
submitted but are notofficials
to authorizing limited to:for review and approval.
PM-6 N/A
AWS uses a three-phased approach to manage
AWS customers, including customers with aincidents:
contractual interest and potential
Refer
1. to the following
Activation
customers. AWS Audit
and Notification PhaseReports for additional
– Incidents for AWSdetails:
begin withPCI the
3.2,detection
ISO
27001,
of an ISO
event. 27017,
Events NIST
originate800-53,
from SOC 2
several COMMON
sources suchCRITERIA
as:
External parties to AWS, including regulatory bodies such as the external auditors
•and
Metrics and alarms
certifying agents.– AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring
Internal parties such as AWS services and infrastructure teams, security, legal, and alarming
of
andWreal time metrics
overarching and service and
administrative dashboards.
corporateThe majority of incidents are detected
teams. W
in this manner. AWS Wuses early indicator alarms to proactively identify issues that
may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
AC-21 W
• Calls to the 24x7x365 technical support hotline.
CA-7 If W
the event meets incident criteria, the relevant on-call support engineer uses AWS’s
SI-4 event
W Wmanagement tool system to start an engagement and page relevant program
AWS Certifications, Customer Responsibility CP-12 resolvers
N/A (e.g., AWS Security). The resolvers will perform an analysis of the
incident to determine if additional M resolvers should be engaged and to determine W the
CP-13 N/AW M
approximate root cause.
CP-2 W WM
2. Recovery Phase – The relevant resolvers will perform break fix to address the
CP-7 incident.
W After addressing troubleshooting, break fix and affected W components, W the
IR-7 call
W leader will assign follow-up documentation W and follow-up actions and end the
call engagement. W W W
IR-8 3.WReconstitution Phase – The call leader will declare the recovery phase complete
IR-9 after
WWthe relevant fix activities W have been addressed. W The post mortem and deep root
PE-17 cause analysis of theW
W incidentW W MM
will be assigned toWthe relevant
W team. The results WW of
theWpost mortem will be reviewed W by relevant senior management and actions and
AWS Certifications, Customer Responsibility CP-4 W
WW in a Correction of Errors (COE) document
captured Wtracked to completion.
and W
IR-3 ToWensure the effectiveness ofWthe AWS incident W W responseW plan, AWS conducts W
M
incident
W response testing.
W W This testing provides excellent coverage for the discovery
PM-14 N/AW W
of previously unknown M defects and failure modes.WIn addition, W it allowsWthe AWS
AWS Certifications, Customer Responsibility PS-1 W
W
Security and service teams to test the systems for potential customer impact and
M W W W
PS-2 further
W prepare MWasWdetection W and analysis,
W staff to handle incidents such W containment,
PS-3 eradication,
W Wand recovery, and post-incident activities. W M
M incident response testWplan isW
The executed annually,Win conjunction with the incident
PS-4 W W
response plan. W The test plan includes multiple scenarios, potential W vectors of attack,
PS-5 andW
W the inclusion of theW systems integrator in reporting and coordination (when W W
PS-6 applicable),
W as wellW as varying reporting/detection avenues (i.e. cus W
W W W W W
PS-7 W W
W W
PS-8 W W
SA-21 N/A W W
W W W W
W W W
AWS Certifications, Customer Responsibility RA-3 W
W W W
RA-5 W W WW
W W
SI-2 W
W W
M M M M M MA-2 W
W
W WW
W
W W W
W W
M M M WW
M
W WW
W W W
W
W W
W
W
W
W
repairs of industrial control and information organizational assets is performed and logged in DSS01.05
system components is performed consistent with a timely manner, with approved and controlled · ISA 62443-2-1:2009 4.3.3.3.7
policies and procedures. tools · ISO/IEC 27001:2013 A.11.1.2, A.11.2.4,
A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-
5, MA-6
MA-3 AWS monitors and performs preventative maintenance of electrical and mechanical
MA-5 equipment
AWS to maintain
monitors the continued
and performs operability
preventative of systems
maintenance within AWS
of electrical data
and mechanical
centers. to maintain the continued operability of systems within AWS data
equipment
MA-6 AWS
In order monitors andmaintenance
to ensure performs preventative
proceduresmaintenance
are properly of electrical
executed, AWSand assets
mechanical
are
centers.
equipment toowner
maintain the
PR.MA-2: Remote maintenance of · CIS CSC 3, 5 AWS Certifications, AWS IAM, CloudTrail, MA-4 AWS
assigned
In monitors
order anensure
to and are continued
andmaintenance
performs tracked andoperability
preventative
monitored
procedures
ofwith
maintenance systems
are properly of
AWS within
electricalAWS data
and assets
proprietary
executed, AWS mechanical
inventory
are
organizational assets is approved, logged, and · COBIT 5 DSS05.04 AWS CloudWatch & CloudWatch Logs, AWS centers.
equipment
management toowner
maintain
tools. AWS the continued operability ofare
systems within
byAWS data
assigned
In anensure
order to and areasset
maintenance
owner
tracked and procedures
monitored
procedures withcarried
AWS out method
proprietary of using
inventory
performed in a manner that prevents · ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, Config, AWS Config Rules, Customer centers.
a proprietary
management tool with
tools. AWS specified
asset checks
owner thatare properly
must
procedures
executed,
be completed
are carried out
AWS assets
according
by method
are
toofthe
using
unauthorized access 4.3.3.6.7, 4.3.3.6.8 Responsibility assigned
Inproprietaryan owner
order to ensure and are
maintenancetracked and monitored
procedures with AWS proprietary inventory
adocumented
management
maintenance
tool with
tools. AWS
schedule.
specified
asset checks
owner thatare
procedures
properly
must are
executed,
be completed
carried out
AWS assets
according
by method
are
toofthe
using
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, assigned
Third-party an auditors
owner and
testare tracked
AWS and monitored
equipment with AWS
maintenance proprietary
controls inventory
by validating that
A.15.2.1 adocumented
proprietary
management
the asset owner
maintenance
tool
tools.with
AWS
schedule.
specified checks
asset equipment
is documented owner that must
and thatprocedures be completed
are carried
themaintenance
condition according
out by
ofcontrols
the assetsbyare
method to the
ofthat
visually using
Third-party
documented auditors test AWS
maintenance validating
· NIST SP 800-53 Rev. 4 MA-4 ainspected
proprietary
the tool
is with
according
asset owner theschedule.
to specified
documented checks
documented
and thatcondition
must be policy.
that maintenance
the completed
ofcontrols according
the assets are to the
visually
Third-party
documented auditors test
maintenance AWS equipment maintenance by validating that
inspected
the according
asset owner to theschedule.
is documented documented
and that maintenance
conditionpolicy.
themaintenance ofcontrols
the assets
Third-party auditors test AWS equipment byare visuallythat
validating
inspected
the according
asset owner to the documented
is documented and that maintenance
the conditionpolicy.
of the assets are visually
inspected according to the documented maintenance policy.
Protective Technology (PR.PT): Technical PR.PT-1: Audit/log records are determined, · CIS CSC 1, 3, 5, 6, 14, 15, 16 AWS Resource Tagging, AWS Config, AWS AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual
security solutions are managed to ensure the documented, implemented, and reviewed in · COBIT 5 APO11.04, BAI03.05, DSS05.04, Config Rules, AWS Cloud Formation, AWS agreements and obligations through the following activities:
security and resilience of systems and assets, accordance with policy DSS05.07, MEA02.01 CloudTrail, AWS CloudWatch & CloudWatch 1) Identifies and evaluates applicable laws and regulations for each of the
consistent with related policies, procedures, and · ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, Logs, Customer Responsibility jurisdictions in which AWS operates.
agreements. 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 2) Documents and implements controls to ensure conformity with all statutory,
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR regulatory, and contractual requirements relevant to AWS.
2.10, SR 2.11, SR 2.12 3) Categorizes the sensitivity of information according to the AWS information
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, security policies to protect from loss, destruction, falsification, unauthorized access,
A.12.4.3, A.12.4.4, A.12.7.1 and unauthorized release.
· NIST SP 800-53 Rev. 4 AU Family 4) Informs and continually trains personnel that must be made aware of information
security policies to protect sensitive AWS information.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be issued,
AWS has documented plans in place to implement that directive with designated
timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
AU-2 AWS deploys monitoring devices throughout the environment to collect critical
information on unauthorized intrusion attempts, usage abuse, and network and
application bandwidth usage. Monitoring devices are placed within the AWS
environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software
generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show
indications of compromise or potential compromise, based upon threshold alarming
mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days and include relevant access request information such as the data
accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS
CloudTrail bucket in Amazon S3. The logged requests provide information about
who made the request and under which CMK and will also describe information
about the AWS resource that was protected through the use of the CMK. These log
events are visible to the customer after turning on AWS CloudTrail in their account.
AU-3 AWS deploys monitoring devices throughout the environment to collect critical
AU-4 information
AWS deploys onmonitoring
unauthorized devicesintrusion attempts,
throughout theusage abuse, and
environment network
to collect and
critical
application
information bandwidth
onmonitoring
unauthorized usage.intrusionMonitoring devicesusage
attempts, are placedabuse,within and the AWS
network and
AU-5 AWS
environment deploys to detect and devices
monitor throughout
for: devices the environment to collect critical
application bandwidth
information onmonitoring
unauthorized usage. Monitoring
intrusion attempts, are placed
usage abuse,within and the AWS
network and
AU-6 •environment
AWS Port deploys
scanning attacks
to detect and devices
monitor throughout the environment
for: devices are placed within the AWS to collect critical
application
•AWS bandwidth usage. Monitoring
AU-7 • Usage
information
environment
(CPU,
Port deploys
scanning Processes,
onmonitoring
unauthorized
to attacks
detect and
disk
devices
monitor
utilization,
intrusion attempts,
throughout
for: devices
swap therates,
usage and
abuse,
environment errors toin
and software
network
collect and
critical
AU-8 •generated
application
••information
AWS Usage
Port scanning
loss)
(CPU,
information
bandwidth
Processes,
on unauthorized
attacks
systems
usage.disk
use
Monitoring
utilization,
intrusion
internal attempts,swap
system clocks
are
rates, placed
and
usagesynchronized errorswithin
abuse, and network in the
software AWS
via Network and
environment
generated
application Application loss) toperformance
bandwidthdetect and metrics
monitor for:
AU-9 •• Application
Time Usage (CPU,
Protocol
Unauthorized
Port scanning Processes,
(NTP)
connection
attacks orusage.
a disk Monitoring
comparable
attempts utilization, source devices
swap are placed
to rates,
generate andtimeerrorswithin inaudit
stamps thefor
software AWS auditfrom
•AWS
environment has implemented
toperformance
detect and processes
metrics
monitor tofor:
protect audit information and tools
AU-10 •generated
records.
AWS
•unauthorized
AWS Usage provides
Unauthorized
Port scanning
has
loss)
Third-party
(CPU, near
Processes,
access,
implemented connection
attacks
testing
real-timethedisk
modification, ofalerts
attempts
AWS’s
non-repudiation when
utilization,
and time the
deletion. stamps
swap AWS
control
validates
rates,
Auditmonitoring
and
through errors
records thattools
thecontain
system
in
use ofshow
software time
set ofisdata
aasources.
central log
•indications
configured
generated
elements Application to
of
loss)
in performance
automatically
ordercompromise
to support metrics
orsynchronize
potential
necessary with
compromise,
analysis approved based
requirements. stratum-1
upon In time
threshold
addition, alarming
audit
AU-11 •AWS
archival
• Application
Amazon Usage provides
(CPU,
Unauthorizedstorage
Simple near
Processes,
system. real-time
connection
Storage disk
The alerts
central
attempts
Service when
utilization,
(Amazon the
log archivalswap
S3) AWS rates,monitoring
and
system protects
Application errors tools
Programmingin show
software
against an Interfaces
mechanisms
•indications
records
generated are of
loss) determined
performance
available
compromise by orAWS
metrics
to authorized potential service forand
userscompromise, Security
inspection teams.
oraction
based analysis
upon on demand
threshold and in
alarming
individual
AWS
(APIs) provides
providefalsely near
both denying
real-time
bucket- having
andalerts performed
when S3
object-level theis aaccess
particular
AWS monitoring
controls, with based
tools on the
show
defaults that
AU-12 •External
response
AWS Unauthorized access
to
deploys to data
connection
security-related
monitoring stored in
attempts
or Amazon
business-impacting logged.
events. The logs toare retained foronly at
•mechanisms
attributes
indications
permit Application ofdetermined
attached
authenticated performance
compromise eachbydevices
to access orAWS
metrics
logby file
potential
throughout
theservice
as well
bucket and
as
compromise,
and/orthethe
Securityenvironment
authlog
object teams.
based auditing
upon
creator.
collect
that
threshold
critical
is performed.
alarming
least
AWS
information
•External 90 days
provides
Unauthorized access onand near include
real-time
unauthorized
to data
connection relevant
stored alerts
intrusion
in
attempts access
Amazon when request
the
attempts,
S3 is AWS information
usage
logged. monitoring
abuse,
The logssuch
and tools
are asretained
network the data
show and for at
PR.PT-2: Removable media is protected and its · CIS CSC 8, 13 MP-2 The
Environments
mechanisms
External fundamental
access used data
determined
to data for type
thebyor
stored in
AWS the
delivery central
of
service
in operation.
Amazon the log
AWS archival
andisSecurity
S3 services
logged, system are
teams.
and upontheis a
managed
logslog. A by
are AWS log is a
authorized
retained for
accessor
indications
application
least 90 IP of
days address,
compromise
bandwidth
and object,
include usage. and
relevant potential
Monitoringaccess compromise,
devices
request based
aremonitoring
placed
information within
such threshold
the alarming
use restricted according to policy · COBIT 5 APO13.01, DSS05.02, DSS05.06 AWS
chunk
personnel
External
at
Allleast
mechanisms
environment
provides
of90
requests
arbitrary
and
access
days.
to
near
areto
The
KMS
determined
tocompromise
detect
real-time
data
located
data logs
areand
with in the
stored
include
logged
by
AWS
AWS
monitor
alerts
in following
and
when
managed
Amazon
relevant
available
service
for:
the
S3 isAWS
attributes
data
access
and inlogged.
attached:
centers.
request
the
Security AWS The Media
teams. logs
information,
account’s areasretained
tools
handling the data
show
AWSsuchcontrols
asfortheat
· ISA 62443-3-3:2013 SR 2.3 accessor
•indications
for
least Logthe
90Id:
dataIP
days address,
of
Unique
centers
and object,
identifier
are
include managedorand
(assigned
relevant operation.
potential
by by
AWS
access compromise,
the in system)
requestalignment based
information with upon
thesuch threshold
AWS Media alarming
data
CloudTrail
External
••mechanisms
All Port
Log
accessor access
scanning
requests
Group: to
IPattacks
bucket to
KMS
address,
determined
the
in are
data
group
Amazon object,
stored
logged
by
that AWS
the inS3. and
and
log
The
Amazon operation.
logged
available
service
belongs S3
and to
requests
isSecurity
inlogged.
the AWS provide
Theaccount’s
teams. logs areasretained
information the data
AWS about
for at
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, Protection
accessor Policy.
IPtheaddress, This object,policy includes
andutilization,
operation. procedures around access, marking, storage,
who
•least
CloudTrail Usagemade
90 days
(CPU, bucketrequest
and include
Processes,
in are and
Amazon under
relevant
disk S3. which
access
The CMK
loggedrequest
swap isand willand
information
rates,
requests also describe
Theerrors
provide such in as
information information
the data
software about
A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9 •External Name:
transporting,
All requests access
(any toand tosanitation.
KMS data
user-defined stored text,in
logged Amazon
does
and not
available S3
need tologged.
in be
the unique)
AWS logs are retained for at
about
accessor
generated
who
•least Start90the
made AWS
IP
days
time: address,
loss)
the and
the resource
request object,
include
time at and that and
under
relevant
which wasthe protected
operation.
which
access
log CMK
began through
request and
recording willthe
information useaccount’s
also ofsuch
describe
(inclusive) the CMK. AWSThese
asinformation
the data log
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP- CloudTrail bucket
events
•All
about
•accessor areIP
requests
Application
End the
time: visible
AWS address,
the tointhe
toperformance
KMS
resource
time
Amazon
are
object,
at customer
logged
that
which metrics
and was
S3. and The
after
protected
theoperation.
log
logged
turning
available
stopped
requests
throughonthe
in
recordingAWS AWS
the
provide
CloudTrail
use account’s information
of the CMK.
(exclusive) -inAWStheir
must These
be
about
account.log
greater
4, MP-5, MP-7, MP-8 who made the request and under which CMK and will also describe information
MP-3 CloudTrail
•than
events
All Unauthorized
are
requests
Environments the start bucket
visible
totimeKMS
used toinfor
connection Amazon
the
are the attempts
customer
logged
delivery S3. and The
after logged
turning
available
of the AWS requests
on
in theAWS
servicesAWS provide
CloudTrail
areaccount’s information
managed inAWStheir
by about
account.
authorized
aboutmade
who the AWS the resource
request andthat under waswhich protected CMK through
and willthealsouse describe
of the CMK. These log
information
AWS
•CloudTrail
personnel provides
Searchable andbucket
Keys:near
are in
A real-time
locatedAmazon
set of
in alerts
S3.
Key-Value
AWS Thewhen
managedlogged thedata
pairs. AWS
requests
Keys monitoring
are
centers. provide
strings
Media of tools
information
up
handlingtoshow50 about
characters
controls
MP-4 eventsthe
Environments
about areAWS visible used tofor
resource thethe customer
thatdelivery after
of theturning
AWS onservices
AWS CloudTrail
areupon managed in bytheir account.
authorized
indications
who
in
for made
length
the dataand of
the compromise
request
values
centers are
are and or was
under
strings
managed potential
of by
protected
which
up to
AWS 200 in
through
compromise,
CMK and
characters
alignment willthe
based
inuse
also
with
of
describe
length.
the
thethreshold
The
AWS
CMK. These
information
Searchable
media alarming log
personnel
events areAWS and
visible are located indelivery
AWSafter managed data centers. Media handling controls
MP-5 Environments
mechanisms
about
Keys
for theallow
protection the
data you
policy. used
centers toto
determined
resource thethe
for
define
This
are policy
customer
by
that
the
managed
AWS was
dimensions
includes
by
of the
service
protected
AWS
turning
AWS
and
along
procedures
on
Security
inthrough which
alignment
AWS
services
for
CloudTrail
are
teams.
theaccess
use
your
with of
logsmanaged
theare
control,
the AWS CMK.in their
by
organized
media
media Theseaccount.
authorized
andlog
MP-7 personnel
External
From
events
provide
marking, seeker:
are and
access
visible
values
storage, aretoto
for located
datathepolicy
those
transportation, in AWS
stored
customer
dimensions.in Amazon managed
after
and S3
turning
There
sanitation. data
areis on nocenters.
logged.
AWS
schemata The Medialogs
CloudTrail handling
aresystem
incontrol,
the in theircontrols
retained for at
- account.
rather,
protection
for
leastthe 90datadays policy.
centers This
and include areset managed
relevant includes
bydataAWS
access procedures
in alignment
request for access
information withisthe such AWS as themedia
media data
MP-8 each
Live
N/A
marking, log
media can have
transported
storage, any
transportation, of
outside keys. of center
and sanitation. secure zones escorted by authorized
protection
accessor
Portable
Logs media
personnel. IP policy.
are storage address,
symmetrically This
devices object,policy
(e.g. and
encrypted includes
operation.
external using procedures
hard drives,
AES-128 for
floppy access
encryption disks, control,
beforestorage media tapes,
transmitting
PR.PT-3: Access to systems and assets is · CIS CSC 3, 11, 14 AC-3 Live
User access transported
privileges outside
arelogged of data center secure zones is escorted by authorized
marking,
All
themrequests
compact
personnel. to and storage,
discs, to KMS transportation,
digital
storing are
them video inrestricted
discs,
S3. and
and based
USB sanitation.
available on business
flash/thumb in the AWS needaccount’s
drives, and diskettes
and job responsibilities.
AWSexcept for
controlled, incorporating the principle of least · COBIT 5 DSS05.02, DSS05.05, DSS06.06 CM-7 AWS
Live
Logs media
CloudTrail
AWS
those employs
implements
that
are are
securely thetransmitted
transported
bucket
part concept
in
the
of Amazon
an outside
least of least
functionality
approved to privilege,
ofS3device,
S3. data
Theover center
logged
principle
ansuch allowing
secure
requests
as athroughout
encrypted flash only
zones
provide
card
SSL/TLS isthe its necessary
escorted
information
that by(see
infrastructure
is part
session access
authorized
of about
acontrol for
functionality · ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, users
personnel.
who made
components.
networking
SC-8 to accomplish
for the request
Network
router)
information their
are and job
devices
not
related under function.
permitted
to and which forNew
servers
protection CMK
use are
of userand accounts
will
implemented
within
data in the also are
system
transit). withcreated
describe minimal
boundary. to have
information
PR.PT-4: Communications and control ·4.3.3.5.3,CIS CSC 8, 12,4.3.3.5.5,
4.3.3.5.4, 15 4.3.3.5.6, AWS Certifications, AWS VPC, Security AC-17 Remote
minimal access
access. toUser
AWS production
access to environments is limited to defined security
networks are protected ·4.3.3.5.7,
COBIT 5 DSS05.02, APO13.01 Groups, ACL's, VPC Flowlogs, Customer
about the
functionality,
Access
groups. to
The
AWS
audit and resource
logs
addition service
and
of
that
teams
tools
members isAWS
was add
restricted
into
systems
protected
only
a grouptothrough
software (e.g.,
onlymust
network,
the use of
packages
authorized
be reviewed
applications,
and theservices
users. and
CMK.Once
approved atools)
These
needed
log by islogfor
4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, AC-18 Remote
requires
events areaccess
documented to AWS production
approval from environments
theturning
authorized on is limited
personnel to(e.g.,
defined user's security
manager
·4.3.3.6.3,
ISA 62443-3-3:2013 SR 4.3.3.6.6,
3.1, SR 3.5, SR Responsibility the
stored,
authorizeddevicethe visible
to
name, perform
individuals
to the
start its
who
customer
time,function.
end time,
confirm
after
the oruser’s
data cannot need
AWS CloudTrail
beaccess
for changed. to the
in their
environment.
account.
4.3.3.6.4, 4.3.3.6.5, AC-4 groups.
and/or system
Several The
network addition
owner)
fabrics ofand members
validation
exist at Amazon,intoofa the group
eachactive must user
separated be in reviewed
theboundary
by Amazon and approvedHuman
protection by
3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR Remote
authorized access requires
individuals multi-factor authentication need over an approved cryptographic
4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1,
7.1, SR 7.6 CP-8
Resources
devices
The
channel AWS that system.
forbusiness
authentication. thewho
control continuity flowconfirmofplan the
information
details
user’s
thebetween for
three-phased
access
fabrics. to the
The
approach flow environment.
of AWS has
that
4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 Baselining
information of groups
between (e.g.,
fabrics reviewing
is established of existing
by approved members in the
authorizations, group for their
which exist
·· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, SC-19 developed
AWS
Voice employs toInternet
recover
automated and reconstitute
mechanisms istheto90AWS
facilitate infrastructure:
bythe monitoring andis control of byas
ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR
A.14.1.3 remote ACLover
continued
•asActivation access
need
residing and
for
methods.
Protocol
onaccess)
theseAuditing
Notification devices.(VoIP)
occurs
Phase
every
ACLs
occurs
not are
on
employed
days
defined,
the systems
thewithin
manager
approved the by
andgovernment
devices,
system
and boundary;
enforced
appropriate
which arethe then
1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR SC-20 such,
the Since this
permissions
AWS control
does is
toolnot not
which applicable.
resolve provides
to team,
GC.CA automated
domain notification
names for to the manager. users,
·1.9, SR
NIST SPSR
800-53 •Amazon’s
Recovery Information
Phase inSecurity and
tool managed
for reviewand anddeployed
incident using AWS’s
1.10, 1.11, Rev. 4 AC-4,
SR 1.12, AC-17,
SR 1.13, SRAC-
2.1, SC-21
aggregated
implementation
ACL-management
Customer
and
provided
stored
of DNSSEC a proprietary
content isisvalidated
tool. not applicable. fornetwork
integrity, and corrupted
investigation.
or tamperedisdata
The
18, CP-8, •AWS Reconstitution Phase
SR 2.2, SRSC-7, SC-19,
2.3, SR 2.4, SC-20,
SR 2.5, SC-21,
SR 2.6,SC-22,
SR 2.7 Approved
operational
firewall
environment,
rule that sets and access
to include
control
and
listsrecovery
between
security
network
configuration,
SC-23,
· SC-24,27001:2013
ISO/IEC SC-25, SC-29, SC-32, SC-36,
A.9.1.2 SC-22 is
This notapproach
considered
DNS written
systems to storage.
ensures
confidential
and devices Amazon
AWS
information
within S3and
the utilizes
performs
system checksums
system
is required
boundary to be internally
and
collectively
protected byfabrics
to confirm
reconstitution
provide employees restrict
the per
the
effortsflowinof
continued information
aintegrity
methodical of contenttoservice,
specific
sequence, in transitinformation
maximizing within system
the
the system services.
effectiveness and ataccess ACLs
ofrest.
the Amazonand ruleS3
recovery sets
and
·SC-37, SC-38,
NIST SC-39, Rev.
SP 800-53 SC-40, SC-41,CM-7
4 AC-3, SC-43 SC-23 Amazon
name/address
AWS is
are reviewed
data
designed classification
resolution
and to protect
approved
policies.
the
and are
are All
faulttolerant,
confidentiality remote
automatically andadministrative
and implement
integrity
pushed of internal/external
transmitted attempts data are
provides
reconstitution
logged
role a facility
separation.
and efforts for
to andacustomers
minimizing istoimplemented
sendsystemchecksums outage time to
along with
due boundary
to data
errors protection
transmitted
andweighted to
through
devices thealimited
on comparison
periodic
Fault tolerance
specific
basis
number
of a cryptographic of attempts.
24hash
by multiple
of data Auditing servers
transmitted. logs are
using
Thisreviewed doneby
isdetermine to
the
the service.
omissions.
round-robin
help AWS
ensure
The
Security
DNS service
(rrDNS).
team for (at
validates least
Monitoring
unauthorized theevery
checksum
and attemptshours)
alarming upon ortosuspicious
of ensure
receipt
DNS ofrulethe
servers sets
data
activity.
Dataisthat
andtoIn
in access
place,
the been
event
control
that
that no
AWS
which lists that
corruption
maintains
suspicious
monitors
the
areactivity
up tomessage
occurred
a ubiquitous
CPU, date. inis not corrupted
transit.
security Regardless
control
or altered
ofarewhether
environment
in transit.
a checksum
across all sent
regions. is has
to sent Each with
corrupted
AWS orAmazon
implements altered inload, is detected,
transit and is disk the
space.
immediately incident Alerts response
rejected. generated
AWS procedures
provides and are initiated.
several
an
data object
center
appropriate
methods
to
for builtleast
ispersonnel
customers to S3, privilege
when
to
thealarm
physical, service
securely
throughout
environmental,
thresholds
handle their
its
utilizes checksums are
infrastructure
and
data: security
surpassed internally components.
standards
(i.e. high in an AWS
to confirm
errors the
active-
rates,
prohibits
continued
active all portsseparation
integrity and protocols
ofemploying
content forin that
transitdo andnot
within have thea system
specific andbusiness
at rest.purpose.
When AWS
disk
Uponconfiguration,
•utilization).
follows initial Role
a rigorous communication
approach with an
system
istoexternal
minimal
n+1
an redundancy
devices
AWS-provided
implementation
model
within
Windows to ensure
the
of only
system
Amazon
those
system
boundary
Machine is
corruption
availability
implemented
Image (AMI),
or
inbydevice
the
AWS event
internal failure
enables ofandcomponentdetected, the
failure.
DNS system automatically
Components
servers. Internal (N)
DNS haveattemptsatfeatures
isterminal least
separated to one and
restore
from
functions
normal
independent
External thatbackup
levels
DNS are
of essential
object
services. storage
component
A DNS tosecure
use ofcommunication
the
redundancy.
(+1), device.
sozonethe External
backup Network byaccess
configuring
componentscanning
a to content is performed,
iscertificate
active stored
in the
services
in and
on
any the instance
unnecessary and generating aMaster
unique transfers
self-signed atX.509
with serverDNS slave. Slave andzones
Amazon
operation
are then
delivering
S3 even
propagated
the if ports
is logged all via
certificate’sotherorNotify
and protocols
the logs
components
thumbprint AXFR/IXFRin use
are arethe
to
are
retained fully
tocorrected.
user
for least
functional.
multiple
over a DNS 90 Indays,
trusted order
slave
channel.
including
to eliminate
zones. External
relevant
single access
ispoints request
ofexternally
failure,secure information,
this
bymodel issuch
applied as the accessor IP address,
throughout object, and
•DNS
AWS
operation.
hosted
further enables UltraDNS.
communication with LinuxAWS, AMIsincluding by configuring network
and dataShell
Secure center (SSH) implementation.
on the instance, All generating
data centersa are unique online and serving
host-key traffic; nothe
and delivering
data center
key’s is “cold.”
fingerprint to the Inuser caseover of failure,
a trusted there is sufficient capacity to enable traffic
channel.
to be load-balanced to the remaining sites.
Customer Master Keys (CMKs) used for cryptographic operations in AWS Key
Management Service (KMS), including operations by AWS employees, are secured
by both technical and operational controls. By design, no individual AWS employee
can gain access to the physical CMK material in the service due to hardening
techniques such as never storing plaintext master keys on persistent disk, using but
not persisting them in volatile memory, and limiting which users and systems can
connect to service hosts. In addition, multi-party access controls are enforced for
operations on the KMS-hardened security appliances that handle plaintext CMKs in
memory.
SC-24 Network devices, including firewall and other system boundary devices are
SC-25 configured
N/A to fail securely in the event of an operational failure. Boundary firewalls
and load balancer devices are set to fail to deny all until the device’s functionality is
SC-29 N/A
restored.
SC-32 N/A
SC-36 N/A
SC-37 N/A
SC-38 N/A
SC-39 Amazon EC2 currently uses a highly customized version of the Xen hypervisor,
SC-40 taking
N/A advantage of paravirtualization (in the case of Linux guests). Because
paravirtualized guests rely on the hypervisor to provide support for operations that
SC-41 N/A
normally require privileged access, the guest operating system has no elevated
SC-43 N/A
access to the CPU. The CPU provides four separate privilege modes: 0-3, called
SC-7 rings.
SeveralRing 0 is the
network mostexist
fabrics privileged and 3 each
at Amazon, the least. The host
separated operatingprotection
by boundary system
executes in Ring
devices that 0. However,
control the flow ofrather than executing
information betweeninfabrics.
Ring 0 The
as most
flowoperating
of
systems do, the
information guest fabrics
between operating system runsbyinapproved
is established a lesser-privileged Ring which
authorizations, 1 and exist
applications
as in the
ACL residing onleast
theseprivileged Ring 3.are
devices. ACLs This explicit
defined, virtualization
approved of the physical
by appropriate
resources leads
Amazon’s to a clear
Information separation
Security team,between guest instances
and managed and the
and deployed hypervisor,
using AWS’s
resulting in additional
ACL-management tool.security given the separation between the two.
Approved firewall rule sets and access control lists between network fabrics restrict
the flow of information to specific information system services. ACLs and rule sets
are reviewed and approved and are automatically pushed to boundary protection
devices on a periodic basis (at least every 24 hours) to ensure rule sets and access
control lists are up to date.
AWS implements least privilege throughout its infrastructure components. AWS
prohibits all ports and protocols that do not have a specific business purpose. AWS
follows a rigorous approach to minimal implementation of only those features and
functions that are essential to use of the device. Network scanning is performed, and
any unnecessary ports or protocols in use are corrected.
PR.PT-5: Mechanisms (e.g., failsafe, load · COBIT 5 BAI04.01, BAI04.02, BAI04.03, CP-7 The AWS business continuity plan details the three-phased approach that AWS has
balancing, hot swap) are implemented to achieve BAI04.04, BAI04.05, DSS01.05 developed to recover and reconstitute the AWS infrastructure:
resilience requirements in normal and adverse · ISA 62443-2-1:2009 4.3.2.5.2 • Activation and Notification Phase
situations · ISA 62443-3-3:2013 SR 7.1, SR 7.2 • Recovery Phase
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1 • Reconstitution Phase
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP- This approach ensures that AWS performs system recovery and reconstitution
11, CP-13, PL-8, SA-14, SC-6 efforts in a methodical sequence, maximizing the effectiveness of the recovery and
reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions. Each
data center is built to physical, environmental, and security standards in an active-
active configuration, employing an n+1 redundancy model to ensure system
availability in the event of component failure. Components (N) have at least one
independent backup component (+1), so the backup component is active in the
operation even if all other components are fully functional. In order to eliminate
single points of failure, this model is applied throughout AWS, including network
and data center implementation. All data centers are online and serving traffic; no
data center is “cold.” In case of failure, there is sufficient capacity to enable traffic
to be load-balanced to the remaining sites.
CP-8 The AWS business continuity plan details the three-phased approach that AWS has
CP-11 developed
N/A to recover and reconstitute the AWS infrastructure:
CP-13 • Activation and Notification Phase
N/A
• Recovery Phase
PL-8 AWS gives customers
• Reconstitution Phase ownership and control over their content by design through
SA-14 simple,
This but
N/A approach powerful
ensurestools
that that
AWS allow customers
performs systemto recovery
determineand where their content
reconstitution
SC-6 will be in
efforts stored, how it will
a methodical be secured
sequence, in transitthe
maximizing or at rest, and access
effectiveness of thetorecovery
their AWS and
AWS operates,
environment willmanages,
managed. and controls the infrastructure components, from the host
reconstitution
operating system efforts
and and minimizing
virtualization system
layer downoutage
to thetime due tosecurity
physical errors and
of the
omissions.
facilities inimplemented
which the services operate.and AWS endpoints arebest
tested as partin
oforder
AWSto
AWS has
maintains global
a ubiquitous privacy data protection practices
security control environment across all regions. Each
compliance
helping vulnerability
customers scans.
establish, operate and leverage our security control environment.
data center
AWS Cloud isservices
built to are
physical, environmental,
managed manner and
in a processes that security standards in an active-
These
active security protections
configuration, and control
employing an n+1 redundancy arepreserves
model
their confidentiality,
independently
to ensure validated
system by
integrity,
multiple and availability.
third-party AWS has
independent implemented
assessments. secure software development
availability
procedures that in theareevent of component
followed to ensure failure. Components
that appropriate (N) have
security at least
controls are one
independent
incorporated backup
into thecomponent
application(+1),
design.so the backup
As part component
of the applicationis active
designinprocess,
the
operation even if all other components are fully functional.
new applications must participate in an AWS Security review, which includes In order to eliminate
single points of failure, this model is applied throughout AWS, including
registering the application, initiating application risk classification, participating networkin
and data center implementation. All data centers are online and serving traffic; no
architecture review and threat modeling, performing code review, and performing a
data center is
penetration “cold.” In case of failure, there is sufficient capacity to enable traffic
test.
to be load-balanced to the remaining sites.
Customer Responsibility
N/A
N/A
N/A
N/A
N/A
N/A
AT-3: AWS customers are responsible for providing role-based
security
N/A training to personnel with assigned security roles and
responsibilities: 1) Before authorizing access or performing assigned
duties, 2) When required by information system changes, and 3) At a
frequency defined by their organization thereafter.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AWS customers are responsible for: 1) Monitoring and controlling
communications at the external boundary of the system and at key
internal boundaries within the system, 2) Implementing subnetworks
for publicly accessible system components that are physically or
logically separated from internal organizational networks, and 3)
Connecting to external networks or information systems only through
managed interfaces consisting of boundary protection devices arranged
in accordance with organizational security architecture.
N/A
N/A
N/A
AWS customers are responsible for developing an information security
architecture
N/A for the information system that: 1) Describes the overall
philosophy, requirements, and approach to be taken with regard to
AWS customers
protecting are responsible
the confidentiality, for configuring
integrity, their systems
and availability of to
protect the availability
organizational of resources
information, by allocating
2) Describes how the organization-defined
information security
resources byispriority,
architecture quota,
integrated intoorand
other organization-defined
supports security
the enterprise architecture,
safeguard.
and 3) Describes any information security assumptions about and
dependencies on external services.
More information on configuring for fault tolerance and high
availability
AWS is available
customers at
are responsible for reviewing and updating the
http://media.amazonwebservices.com/architecture
information security architecture at an organization-defined frequency
center/AWS_ac_ra_ftha_04.pdf.
to reflect updates in the enterprise architecture. Planned information
security architecture changes must be reflected in the security plan, the
security Concept of Operations (CONOPS), and organizational
procurements/acquisitions.
Note:
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Anomalies and Events (DE.AE): DE.AE-1: A baseline of network · CIS CSC 1, 4, 6, 12, 13, 15, 16 AWS Best Practices, AWS Reference Architectures, AC-4 Several network fabrics exist at Amazon, each separated by boundary
Anomalous activity is detected in a operations and expected data flows · COBIT 5 DSS03.01 AWS Cloudwatch, CloudTrail, VPC Flowlogs, AWS protection devices that control the flow of information between fabrics.
timely manner and the potential impact for users and systems is established · ISA 62443-2-1:2009 4.4.3.3 Config, AWS Organizations, AWS Firewall Manager, The flow of information between fabrics is established by approved
of events is understood. and managed · ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, AWS PrivateLink, AWS Systems Manager, AWS authorizations, which exist as ACL residing on these devices. ACLs are
A.13.1.1, A.13.1.2 OpsWorks, Amazon Macie, AWS Managed Services, defined, approved by appropriate Amazon’s Information Security team,
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, AWS IoT Defender and managed and deployed using AWS’s ACL-management tool.
SI-4 Approved firewall rule sets and access control lists between network
fabrics restrict the flow of information to specific information system
services. ACLs and rule sets are reviewed and approved and are
automatically pushed to boundary protection devices on a periodic basis
(at least every 24 hours) to ensure rule sets and access control lists are
up to date.
AWS implements least privilege throughout its infrastructure
components. AWS prohibits all ports and protocols that do not have a
specific business purpose. AWS follows a rigorous approach to minimal
implementation of only those features and functions that are essential to
use of the device. Network scanning is performed, and any unnecessary
ports or protocols in use are corrected.
DE.AE-2: Detected events are · CIS CSC 3, 6, 13, 15 AWS Best Practices, AWS Reference Architectures, AU-6 AWS deploys monitoring devices throughout the environment to collect
analyzed to understand attack · COBIT 5 DSS05.07 AWS Cloudwatch, CloudTrail, VPC Flowlogs, Amazon critical information on unauthorized intrusion attempts, usage abuse,
targets and methods · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, Athena, AWS Config, Amazon GuardDuty, Amazon S3, and network and application bandwidth usage. Monitoring devices are
4.3.4.5.8 Amazon Machine Learning, Amazon SageMaker, placed within the AWS environment to detect and monitor for:
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, Amazon Macie, AWS Managed Services, AWS Systems • Port scanning attacks
SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2 Manager • Usage (CPU, Processes, disk utilization, swap rates, and errors in
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, software generated loss)
A.16.1.4 • Application performance metrics
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, • Unauthorized connection attempts
SI-4 AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
DE.AE-3: Event data are · CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, AWS Best Practices, AWS Reference Architectures, AU-6 AWS deploys monitoring devices throughout the environment to collect
aggregated and correlated from 16 AWS Cloudwatch, CloudWatch Logs, CloudTrail, VPC critical information on unauthorized intrusion attempts, usage abuse,
multiple sources and sensors · COBIT 5 BAI08.02 Flowlogs, Amazon GuardDuty, Amazon S3, Amazon and network and application bandwidth usage. Monitoring devices are
· ISA 62443-3-3:2013 SR 6.1 Athena, AWS Systems Manager, AWS Managed placed within the AWS environment to detect and monitor for:
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7 Services, AWS IoT Device Defender, Amazon Macie • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, • Usage (CPU, Processes, disk utilization, swap rates, and errors in
IR-5, IR-8, SI-4 software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
IR-5 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy
and program. The policy addresses purpose, scope, roles,
responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with
the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational
awareness capability; most issues are rapidly detected from 24x7x365
monitoring and alarming of real time metrics and service dashboards.
The majority of incidents are detected in this manner. AWS uses early
indicator alarms to proactively identify issues that may ultimately
impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer
uses AWS’s event management tool system to start an engagement and
page relevant program resolvers (e.g., AWS Security). The resolvers
will perform an analysis of the incident to determine if additional
resolvers should be engaged and to determine the approximate root
cause.
2. Recovery Phase – The relevant resolvers will perform break fix to
address the incident. After addressing troubleshooting, break fix and
affected components, the call leader will assign follow-up
documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery
phase complete after the relevant fix activities have been addressed. The
post mortem and deep root cause analysis of the incident will be
assigned to the relevant team. The results of the post mortem will be
reviewed by relevant senior management and actions and captured in a
Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS
conducts incident response testing. This testing provides excellent
coverage for the discovery of previously unknown defects and failure
modes. In addition, it allows the AWS Security and service teams to test
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
DE.AE-4: Impact of events is · CIS CSC 4, 6 AWS Best Practices, AWS Reference Architectures, CP-2 The AWS Business Continuity policy lays out the guidelines used to
determined · COBIT 5 APO12.06, DSS03.01 AWS CloudFormation, AWS Cloudwatch, CloudTrail, implement procedures to respond to a serious outage or degradation of
· ISO/IEC 27001:2013 A.16.1.4 VPC Flowlogs, AWS Config, AWS Organizations, AWS AWS services, including the recovery model and its implications on the
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI- Firewall Manager, AWS Systems Manager, AWS business continuity plan.
4 OpsWorks, Amazon Macie, AWS Managed Services,
AWS IoT Defender, Amazon GuardDuty, Amazon
Machine Learning, Amazon SageMaker, AWS WAF, Refer to the following AWS Audit Reports for additional details: PCI
AWS Shield 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON
CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
IR-5 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
DE.CM-2: The physical · COBIT 5 DSS01.04, DSS01.05 AWS Artifact CA-7 AWS conducts monthly monitoring of its security posture through a
environment is monitored to detect · ISA 62443-2-1:2009 4.3.3.3.8 continuous risk assessment and monitoring process. Additionally,
potential cybersecurity events · ISO/IEC 27001:2013 A.11.1.1, A.11.1.2 annual security assessments are conducted by an accredited Third-Party
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, Assessment Organization (3PAO) to validate that implemented security
PE-20 controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.
PE-20 N/A
PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.
AU-13 N/A
CA-7 AWS conducts monthly monitoring of its security posture through a
continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.
DE.CM-4: Malicious code is · CIS CSC 4, 7, 8, 12 AWS Best Practices, AWS Reference Architectures, SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
detected · COBIT 5 DSS05.01 AWS Config, AWS Cloudwatch, CloudTrail, VPC that includes email filtering and malware detection.
· ISA 62443-2-1:2009 4.3.4.3.8 Flowlogs, AWS CodePipeline, Amazon Inspector, AWS
· ISA 62443-3-3:2013 SR 3.2 SDKs, AWS X-Ray, AWS Managed Services, Customer
· ISO/IEC 27001:2013 A.12.2.1 Responsibility
· NIST SP 800-53 Rev. 4 SI-3, SI-8
SI-8 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.
DE.CM-5: Unauthorized mobile · CIS CSC 7, 8 AWS Artifact, AWS Best Practices, AWS Reference SC-18 AWS has defined JavaScript as the only acceptable mobile code that is
code is detected · COBIT 5 DSS05.01 Architectures, Amazon Inspector, AWS SDKs, AWS used within the system. JavaScript is used to implement certain features
· ISA 62443-3-3:2013 SR 2.4 CodeStar, AWS X-Ray, AWS CodePipeline, AWS within the IAM service. Other forms of mobile code are not approved
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2 Config, AWS OpsWork, AWS Managed Services by AWS.
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
SC-44 N/A
DE.CM-5: Unauthorized mobile · CIS CSC 7, 8 AWS Artifact, AWS Best Practices, AWS Reference
code is detected · COBIT 5 DSS05.01 Architectures, Amazon Inspector, AWS SDKs, AWS
· ISA 62443-3-3:2013 SR 2.4 CodeStar, AWS X-Ray, AWS CodePipeline, AWS
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2 Config, AWS OpsWork, AWS Managed Services
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
DE.CM-6: External service · COBIT 5 APO07.06, APO10.05 AWS Artifact, AWS Best Practices, AWS Reference CA-7 AWS conducts monthly monitoring of its security posture through a
provider activity is monitored to · ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 Architectures, AWS CloudTrail, VPC Flow Logs, continuous risk assessment and monitoring process. Additionally,
detect potential cybersecurity · NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, Amazon Macie, Amazon GuardDuty, AWS Managed annual security assessments are conducted by an accredited Third-Party
events SA-9, SI-4 Services Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.
PS-7 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS
• Conditions for renegotiation/termination of the agreement.
SA-9 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS
• Conditions for renegotiation/termination of the agreement.
PE-20 N/A
PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.
DE.CM-8: Vulnerability scans are · CIS CSC 4, 20 AWS Artifact, AWS Best Practices, AWS Reference RA-5 AWS Security notifies and coordinates with the appropriate service
performed · COBIT 5 BAI03.10, DSS05.01 Architectures, Amazon Inspector, Amazon RDS, teams when conducting security-related activities within the system
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 Amazon Aurora, Amazon Dynamo DB, AWS Managed boundary. Activities include vulnerability scanning, contingency
· ISO/IEC 27001:2013 A.12.6.1 Services testing, and incident response exercises. AWS performs external
· NIST SP 800-53 Rev. 4 RA-5 vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.
Detection Processes (DE.DP): DE.DP-1: Roles and · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
Detection processes and procedures are responsibilities for detection are · COBIT 5 APO01.02, DSS05.01, DSS06.03 Architectures, AWS Managed Services documented audit schedule of internal and external assessments to
maintained and tested to ensure timely well defined to ensure · ISA 62443-2-1:2009 4.4.3.1 ensure implementation and operating effectiveness of the AWS control
and adequate awareness of anomalous accountability · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 environment to meet business, regulatory, and contractual objectives.
events. · NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14 The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
AWS customers, including customers with a contractual interest and
potential customers.
External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.
PM-14 N/A
DE.DP-2: Detection activities · COBIT 5 DSS06.01, MEA03.03, MEA03.04 AWS Artifact, AWS Best Practices, AWS Reference AC-25 N/A
comply with all applicable · ISA 62443-2-1:2009 4.4.3.2 CA-2 The AWS Compliance Assessment Team (CAT) maintains a
requirements · ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, documented audit schedule of internal and external assessments to
A.18.2.3 ensure implementation and operating effectiveness of the AWS control
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, environment to meet business, regulatory, and contractual objectives.
SA-18, SI-4, PM-14 The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
AWS customers, including customers with a contractual interest and
potential customers.
External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.
PM-14 N/A
SA-18 N/A
SI-4 AWS deploys monitoring devices throughout the environment to collect
critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
DE.DP-3: Detection processes are · COBIT 5 APO13.02, DSS05.02 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
tested · ISA 62443-2-1:2009 4.4.3.2 documented audit schedule of internal and external assessments to
· ISA 62443-3-3:2013 SR 3.3 ensure implementation and operating effectiveness of the AWS control
· ISO/IEC 27001:2013 A.14.2.8 environment to meet business, regulatory, and contractual objectives.
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, The needs and expectations of internal and external parties are
SI-3, SI-4, PM-14 considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
AWS customers, including customers with a contractual interest and
potential customers.
External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.
PM-14 N/A
SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.
DE.DP-4: Event detection · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference, AU-6 AWS deploys monitoring devices throughout the environment to collect
information is communicated to · COBIT 5 APO08.04, APO12.06, DSS02.05 AWS Managed Services critical information on unauthorized intrusion attempts, usage abuse,
appropriate parties · ISA 62443-2-1:2009 4.3.4.5.9 and network and application bandwidth usage. Monitoring devices are
· ISA 62443-3-3:2013 SR 6.1 placed within the AWS environment to detect and monitor for:
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3 • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, • Usage (CPU, Processes, disk utilization, swap rates, and errors in
RA-5, SI-4 software generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.
DE.DP-5: Detection processes are · COBIT 5 APO11.06, APO12.06, DSS04.05 AWS Artifact, AWS Best Practices, AWS Reference, CA-2 The AWS Compliance Assessment Team (CAT) maintains a
continuously improved · ISA 62443-2-1:2009 4.4.3.4 AWS Managed Services documented audit schedule of internal and external assessments to
· ISO/IEC 27001:2013 A.16.1.6 ensure implementation and operating effectiveness of the AWS control
· NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-2, environment to meet business, regulatory, and contractual objectives.
RA-5, SI-4, PM-14 The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
AWS customers, including customers with a contractual interest and
potential customers.
External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.
PM-14 N/A
RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.
AWS customers are responsible for documenting, authorizing, reviewing, and updating
Interconnection Security Agreements (ISAs) for connections between their system and
other systems that include the following information for each connection: 1) Interface
characteristics, 2) Security requirements, and 3) The nature of the information
communicated. AWS customers are responsible for reviewing and updating ISAs with
at a frequency defined by their security assessment and authorization policy.
AWS customers are responsible for developing, documenting, and maintaining under
configuration control a current baseline configuration of their systems.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for tracking and documenting information system
security incidents.
AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be review and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for developing a contingency plan for their system
that: 1) Identifies essential missions and business functions and associated contingency
requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3)
Addresses contingency roles, responsibilities, and assigned individuals with contact
information, 4) Addresses maintaining essential missions and business functions
despite an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the security
safeguards originally planned and implemented, and 6) Is reviewed and approved by
organization-defined personnel or roles in accordance with the contingency planning
policy.
AWS customers are responsible for distributing copies of the contingency plan to
organization-defined key contingency personnel (identified by name and/or by role)
and organizational elements. Contingency planning activities must be coordinated with
incident handling activities. The contingency plan must be reviewed at a frequency
defined in the contingency planning policy and updated to address changes to their
organization, system, or environment of operation and problems encountered during
implementation, execution, or testing.
AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for: 1) Conducting an assessment of risk to include the
likelihood and magnitude of harm from the unauthorized access, use, disclosure,
disruption, modification, or destruction of their information system and the information
it processes, stores, or transmits, 2) Documenting risk assessment results in the system
plan, security assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4) Disseminating risk
assessment results to organization-defined personnel or roles, and 5) Updating the risk
assessment at an organization-defined frequency or whenever there are significant
changes to the information system or environment of operation (including the
identification of new threats and vulnerabilities) or other conditions that may impact
the security state of the system.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for tracking and documenting information system
security incidents.
AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be review and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.
AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.
AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.
AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for implementing a configuration change control
process in accordance with their configuration management policy that includes the
following elements: 1) Determination of the types of changes to the information system
that are configuration-controlled, 2) Review of all proposed configuration-controlled
changes to the information system and approval or disapproval of such changes with
explicit consideration for security impact analyses, 3) Documentation of configuration
change decisions associated with the information system, 4) Implementation of
approved configuration-controlled changes to the information system, 5) Retention of
records of configuration-controlled changes to the information system for an
organization-defined time period.
AWS customers are responsible for configuring their systems to protect against or limit
the effects of organization-defined types of denial of service attacks by employing
organization-defined security safeguards.
More information on best practices for resiliency against denial of service attacks is
available at https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
N/A
N/A
N/A
AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.
AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.
AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.
N/A
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for: 1) Using software and associated documentation
in accordance with contract agreements and copyright laws, 2) Tracking the use of
software and associated documentation protected by quantity licenses to control
copying and distribution, and 3) Controlling and documenting the use of peer-to-peer
file sharing technology to ensure that this capability is not used for the unauthorized
distribution, display, performance, or reproduction of copyrighted work.
AWS customers are responsible for establishing, enforcing, and monitoring software
installation policies that govern the installation of software by users based on
organization-defined methods and frequency for monitoring.
AWS customers are responsible for defining acceptable and unacceptable mobile code,
establishing usage restrictions and implementation guidance for acceptable mobile
code, and authorizing, monitoring, and controlling the use of mobile code within their
systems.
N/A
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for including the following requirements, descriptions,
and criteria explicitly or by reference in the acquisition contract for the information
system, system component, or information system service in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations, standards,
guidelines, and organizational mission/business needs: 1) Security functional
requirements, 2) Security strength requirements, 3) Security assurance requirements, 4)
Security-related documentation requirements, 5) Requirements for protecting security-
related documentation, 6) Description of the information system development
environment and environment in which the system is intended to operate, and 7)
Acceptance criteria.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for developing, documenting, reviewing, and updating
at an organization-defined frequency an inventory of system components for their
systems. AWS customers are responsible verifying that the inventory: 1) Accurately
reflects the current system, 2) Includes all components within the authorization
boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting,
and 4) Includes the information prescribed by the configuration management policy
that is deemed necessary to achieve effective information system component
accountability.
N/A
N/A
N/A
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS
Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service.
AWS Customers offload database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, or partitioning data over multiple instances as you scale.
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
N/A
N/A
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
N/A
N/A
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
N/A
N/A
AWS customers are responsible for: 1) Implementing malicious code protection
mechanisms at information system entry and exit points to detect and eradicate
malicious code; 2) Updating malicious code protection mechanisms whenever new
releases are available in accordance with organizational configuration management
policy and procedures; 3) Configuring malicious code protection mechanisms to: a)
Perform periodic scans of the information system at an organization-defined frequency
and real-time scans of files from external sources at endpoints and/or network
entry/exit points as the files are downloaded, opened, or executed in accordance with
organizational security policy and b) Either block malicious code, quarantine malicious
code, send an alert to an administrator, and/or take other organization-defined actions
in response to malicious code detection; and 4) Addressing the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on
the availability of the information system.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS
Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service.
AWS Customers offload database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, or partitioning data over multiple instances as you scale.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for developing a security plan for their systems that: 1)
Is consistent with the organization’s enterprise architecture, 2) Explicitly defines the
authorization boundary for the system, 3) Describes the operational context of the
information system in terms of missions and business processes, 4) Provides the
security categorization of the information system including supporting rationale, 5)
Describes the operational environment for the information system and relationships
with or connections to other information, 6) Provides an overview of the security
requirements for the system, 7) Identifies any relevant overlays, if applicable, 8)
Describes the security controls in place or planned for meeting those requirements, to
include a rationale for the tailoring decisions, and 9) Is reviewed and approved by the
authorizing official or designated representative prior to plan implementation.
In addition, AWS customers are responsible for distributing copies of the security plan
to organization-defined personnel or roles, reviewing the security plan at organization-
defined frequencies, and updating the security plan to address changes to the
information system/environment of operation or problems identified during plan
implementation or security control assessments. AWS customers are responsible for
protecting their security plan from unauthorized disclosure or modification.
N/A
AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS
Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service.
AWS Customers offload database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, or partitioning data over multiple instances as you scale.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
Note:
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Response Planning (RS.RP): RS.RP-1: Response plan is · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-10 The AWS business continuity plan details the three-phased approach that AWS has
Response processes and executed during or after an · COBIT 5 APO12.06, BAI01.10 Architectures, CloudFormation, AWS Lambda, developed to recover and reconstitute the AWS infrastructure:
procedures are executed and event · ISA 62443-2-1:2009 4.3.4.5.1 Amazon SNS, Amazon SES, AWS Cloudwatch, AWS • Activation and Notification Phase
maintained, to ensure timely · ISO/IEC 27001:2013 A.16.1.5 CloudTrail, VPC Flowlogs, AWS Config, AWS • Recovery Phase
response to detected · NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8 Organizations, AWS Firewall Manager, AWS • Reconstitution Phase
cybersecurity events. PrivateLink, AWS Systems Manager, AWS OpsWorks, This approach ensures that AWS performs system recovery and reconstitution
Amazon Macie, AWS Managed Services, AWS IoT efforts in a methodical sequence, maximizing the effectiveness of the recovery and
Defender reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions. Each
data center is built to physical, environmental, and security standards in an active-
active configuration, employing an n+1 redundancy model to ensure system
availability in the event of component failure. Components (N) have at least one
independent backup component (+1), so the backup component is active in the
operation even if all other components are fully functional. In order to eliminate
single points of failure, this model is applied throughout AWS, including network
and data center implementation. All data centers are online and serving traffic; no
data center is “cold.” In case of failure, there is sufficient capacity to enable traffic
to be load-balanced to the remaining sites.
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
IR-4 procedures
AWS will notify to respond customers to a serious
of a securityoutagebreach or degradationin accordance of AWS withservices,
the terms
includinginthe
outlined therecovery
service agreementmodel and with its implications
AWS. AWS’s on the business continuity plan.
IR-8 AWS has implemented a formal, documented incidentcommitmentresponse policy to alland AWS
customers
program. Theis aspolicy
follows: addresses purpose, scope, roles, responsibilities, and
Communications (RS.CO): RS.CO-1: Personnel know · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The
If AWSAWS Business
becomes awareContinuity
of any policy lays
unlawful or out the
unauthorized guidelines access used to to
any implement
customer
Response activities are their roles and order of · COBIT 5 EDM03.02, APO01.02, APO12.03 Architectures, AWS IAM, AWS Config, ConfigRules, management
procedures
Refer to the commitment.
tofollowing
respond to
AWS a serious
Audit outage
Reportsorfor degradation
additional of AWS
details: services,
PCI 3.2, ISO
data
AWS uses (i.e., any
a27017,personal
three-phased data that
approach is uploaded to a customer’s AWS account) on
coordinated with internal and operations when a response is · ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 Cloud Watch, CloudTrail, CloudFormation, Lambda, including
27001,
AWS’s ISO the
equipment recovery NIST
or inmodel800-53,
AWS’s itstoimplications
andfacilities
SOC manage
2 COMMON
and thisfor
incidents:
on the business
CRITERIA
unlawful continuityaccess
or unauthorized plan.
external stakeholders, as needed · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1 Amazon SNS, Amazon SES. 1. Activation and Notification Phase – Incidents AWS begin with the detection
results
of an event. in loss, disclosure,
Events originate or alteration
from several of customer
sources such data,as: AWS will promptly notify
appropriate, to include external · NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
support from law enforcement •the
Refer
customer
Metricsto the
and
andfollowing
alarms take–reasonable
AWS Audit
AWS
steps to
maintains Reports anreduce
exceptional the effects
for additional
of thisawareness
situational
details: PCI
security
3.2, ISO
incident.
capability; most issues are rapidly detected from 24x7x365 monitoring and
agencies. 27001,defines,
AWS ISO 27017, NIST 800-53,
administers, and SOC 2 COMMON
monitors CRITERIA
alarming of real time metrics and service security dashboards. for the Theunderlying
majority of cloud
incidents are
infrastructure
detected in this(i.e., manner. the hardware,
AWS uses theearly facilities
indicator housing alarms theto hardware,
proactively andidentify
the
network
issues that infrastructure).
may ultimately impact customers.
•Because TroubleAWS tickets manages
enteredthe by infrastructure
an AWS employee. and the security controls that apply to it,
•AWS Callscan: to the 24x7x365 technical support hotline.
• Identify
If the event potential
meets incident incidents affecting
criteria, thethe infrastructure.
relevant on-call support engineer uses
• Determine
AWS’s eventifmanagement
any access totool customer
systemdata resulted
to start from an incident.
an engagement and page relevant
• Determine
program if access
resolvers (e.g.,was AWSactually unlawful
Security). Theorresolversunauthorized (it would
will perform anbe analysis of
unauthorized
the incident toifdetermine it was in breach if additionalof AWS' Security
resolvers Policies).
should be engaged and to determine
If anapproximate
the incident happens root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery results Phase in loss,– The disclosure,
relevant resolvers or alteration will of customer
perform breakcontent,
fix to AWS address willthe
promptly After
incident. notifyaddressing
the customer. AWS does this
troubleshooting, break regardless
fix and of whether
affected the customer's
components, the
content
call leader is sensitive
will assign or not,
follow-upbecause AWS does not
documentation and know what the
follow-up customer
actions and end content
the
is and
call protects all customer content in the same robust way.
engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
CP-3 To ensure
AWS teststhe theeffectiveness
business continuity of the AWS plan and incident responseprocedures
its associated plan, AWSatconducts least
IR-3 incident
annually
AWS hasresponse ensuretesting.
toimplemented effectiveness This testing
a formal, of theprovides
documented plan andincident excellent
the organizationalcoverage
response for the anddiscovery
readiness
policy to
of previously
execute
program. theThe unknown
plan.
policy Testing defects
addressesconsists andoffailure
purpose, engagement modes.
scope, In addition,
drills
roles, that execute
responsibilities,it allows onand the AWS
activities
IR-8 AWS
Security
that hasand
would implemented
beservice
performed teams a in
formal,
to
antest documented
actualthe outage.
systemsAWS incident
for potential response
documents customer
thepolicy
results,andincluding
impact and
management
program. commitment.
The policy addresses purpose, scope, roles, responsibilities, andcritical
RS.CO-2: Events are reported · CIS CSC 19 AU-6 AWS
furtherdeploys
lessons
AWS prepare
useslearned monitoring
staff
and any
a three-phased to devices
handle
corrective
approach throughout
incidentsactions
to manage such thatas thewere environment
detection
incidents: completed. to collect
and analysis,
consistent with established · COBIT 5 DSS01.03 management
information
containment, oncommitment.
unauthorized
eradication, andintrusion
recovery, attempts,
and post-incidentusage abuse, andwith
activities. network and
1.
AWS Activation and
uses a three-phased Notification approach Phaseto– manage Incidents for AWS
incidents: begin the detection
criteria · ISA 62443-2-1:2009 4.3.4.5.5 application
Theanincident
of event.bandwidth response
Events usage.
test
originate plan Monitoring
fromis executed
several devices
annually,
sources are in placed within the
conjunction withAWS the
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 1.
environment Activation and
to Notification
detect Phase –includes
Incidents forsuch
AWS as: begin with the detection
•incident
of Metrics
an event.
response
andEvents alarms plan. –and Themonitor
AWS
originate
test plan
maintains for: an sources multiple
exceptional scenarios,
situational potential
awarenessvectors
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 •ofPort scanning
attack, and theattacks
inclusion offrom several
the systems integrator such as:
in reporting and coordination
•capability;
•alarming Metrics and
Usageapplicable),
(CPU,
most issues
alarms – are rapidly
AWS maintains detected an from 24x7x365
exceptional monitoring
situational awareness and
(when
capability; ofmostrealProcesses,
time
issues
welldisk
as metrics andutilization,
as varying service
are reporting/detecting).
rapidly detected
swap rates, The
reporting/detection
dashboards.
from 24x7x365majority
andavenues
errors in(i.e.
monitoring
software
customer are
of incidents
and
generated
reporting/detecting,
detected in loss) manner. AWS
alarming
•AWS Application
incidentofthisreal time metrics
performance
management
AWSand
metrics
usesservice
planning,
early indicator
dashboards.
testing,
alarms to
and test The results
proactively
majority
are reviewed
identifyare
of incidentsby third-
issues
detected that in may ultimately
this connection
manner. AWS impact usescustomers.
early indicator alarms to proactively identify
••party
issues
Unauthorized
Troubleauditors.
that tickets
may entered byimpact
ultimately
attempts
an AWS employee.
customers.
AWS Callsprovides near real-time alerts when hotline. the AWS monitoring tools show
••indications Trouble to thetickets
of
24x7x365
entered
compromise
technical
by an AWS
or potential
support employee.
compromise, based uponengineer
threshold alarming
•If
mechanisms
the event
Calls to the meets
24x7x365
determined
incident criteria,
technical
bytoolAWS
the relevant
support
service hotline. on-call support uses
AWS’s
If the event event management
meets system to and
startSecurity
an engagementteams. and page relevant
External
program access
resolvers to incident
data
(e.g.,stored
AWS
criteria,
in Amazon the relevant S3 is on-call
logged. support
The logsengineer
are an retainedusesfor at
AWS’s
leastincident 90 event
daystoand management
include if toolSecurity).
relevant systemaccess toThestartresolvers
request aninformation
engagementwill perform
and as
such page analysis
thetorelevant
data
of
the
program resolvers determine(e.g., AWS additional resolvers should will be engaged
performand determine
accessor
the approximateIP address, rootobject,cause. andSecurity).
operation. The resolvers an analysis of
the
AllRecovery incident
requests to to determine
KMS if
are logged additional
and resolvers
available should
in perform
the AWSbreak be engaged
account’s and to determine
2.
the approximate Phase root – Thecause. relevant resolvers will fix to AWS address the
CloudTrail
incident. Afterbucket in
addressing Amazon S3.
troubleshooting,The logged break requests provide
fix and break affected information about
2.
who Recovery
made the Phase
request – The and relevant
under resolvers
which CMK will and perform
will also fixcomponents,
describe address thethe
toinformation
call leaderAfter
incident. will assign follow-up documentation and follow-up actions and end the
about
call leader the AWSaddressing
engagement. resource that troubleshooting,
was protected break through fixtheanduse affected
of the components,
CMK. These the log
call
events will assign
are visible to thefollow-up
customerdocumentation
after turning onand AWS follow-up
CloudTrail actions and end the
in their
3. Reconstitution
call engagement. Phase – The call leader will declare the recovery phase complete
account.
after the relevant fix activities haveleader been addressed.
3. Reconstitution Phase – The call will declareThe thepost mortem
recovery phase andcomplete
deep root
causethe
after analysis
relevant of the incident will
fix activities havebebeen assignedaddressed. to the The relevant post team.
mortem The and results
deep of root
the post
cause mortem
analysis ofwill be reviewed
the incident will by be relevant
assignedsenior to the management
relevant team.and The actions
resultsand of
captured
the post mortemin a Correction will be reviewed of Errors by (COE) relevant document senior and tracked toand
management completion.
actions and
To ensureinthe
captured effectiveness
a Correction of the AWS
of Errors (COE)incident document response
and tracked plan, AWS conducts
to completion.
IR-6 incident
To
AWS ensure response
employees testing.
the effectiveness
are trained Thisof testing
onthehow AWS toprovides
incidentexcellent
recognize response
suspected coverage
plan,
securityAWS for the discovery
incidents
conducts and
of previously
incident
where toresponse
report unknown
them.testing. defects
When This and failure
appropriate,
testing provides modes.
incidents In
areaddition,
excellent reported
coverage ittoallows
relevant
for the the AWS
IR-8 AWS
Security has implemented
and service teams a formal,
tothetest documented
the systems incident
for potential responsecustomer policy anddiscovery
impact and
of
authorities.
program. previously The AWS unknown
policy maintains defects
addresses and
AWS
purpose, failure
Security modes.
scope, Bulletin
roles, In addition,
webpage,
responsibilities,it allows
locatedand theat AWS
RS.CO-3: Information is · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The
further
Security AWS prepare
and Compliancestaff to
service
https://aws.amazon.com/security/security-bulletins,teamsAssessment
handle incidents
to test the Team such
systems (CAT) asfor maintains
detection
potential
to notify anda customers
documented
analysis,
customer of audit
impact and
security
shared consistent with response · COBIT 5 DSS03.04 Architectures, AWS IAM, AWS Cloudwatch, AWS management
schedule
containment, of commitment.
internal
eradication, and external
andAWS assessments
recovery, and to ensure
post-incident implementation
activities. and
further
and
AWS prepare
privacy
uses a events staffaffecting
three-phased to handle approach incidentsCloud
to such
manage asincidents:
services. detection
Customers and analysis,
can subscribe to the
plans · ISA 62443-2-1:2009 4.3.4.5.2 CloudTrail, VPC Flowlogs, AWS Config, AWS operating
The incident
containment,
security effectiveness
bulletin response
eradication,
RSS feedof and
test the
plan
to keepAWS
recovery, control
is executed
abreast and environment
ofannually,
post-incident
security in toactivities.
meet business,
conjunction
announcements with
on the the AWS
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause Organizations, AWS Firewall Manager, AWS Systems 1.
regulatory,
incident Activation and
response and Notification
contractual
plan.test Theplan testPhase
objectives. –includes
Incidents for AWS begin with the detection
The
Security
of incident
anneeds
event. Bulletin response
Events webpage.
originate The isplan
executed
customer support multiple
annually, team inscenarios,
conjunction
maintains potential
with the
a Service vectors
Health
16.1.2 Manager, AWS OpsWorks, Amazon Macie, AWS The
of
incident attack, and
and expectations
the inclusion The of offrominternal
atthe
several
systems andsources
external
integrator such
parties as:
in scenarios,are considered
reporting to and coordination
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, Managed Services, AWS IoT Defender, AWS •Dashboard
throughout
(when Metrics response
and webpage,
the
applicable), alarms plan.
development,
as –located
AWS
well as
test http://status.aws.amazon.com/,
plan
maintains
implementation,
varying
includes multiple
an exceptionaland
reporting/detection situational
auditing of
avenues the
potential
alert
awareness
AWS
customers
vectorsto
control
(i.e.coordination
customer
of attack,
any
capability; broadly and impacting
most theissues
inclusion availability
of the systems issues. integrator
are reporting/detecting).
rapidly detected from to: in reporting
24x7x365 monitoring and and
PE-6, RA-5, SI-4 CloudFormation, AWS Lambda, Amazon SNS, environment.
reporting/detecting,
(when
In the event
applicable), Parties
of antime include,
AWS
incident,
as metrics
well as AWS but
varying are
requires not limited
reporting/detection
that AWS Security avenues and/or (i.e.
Amazon SES, Amazon Athena, Amazon GuardDuty, alarming
AWS AWS incidentof real
customers, management including and
planning, service
customers dashboards.
with
testing, aand contractual
test The
resultsmajority
interest
are ofaffected
and
reviewed
customer are
incidents
potential
reporting/detecting,
service
detected team
in this conduct
manner. AWSa post
AWS reporting/detecting).
mortem
uses early to determine
indicatorthe causetoofproactively
alarms incident, as wellthird-
by
identify as to
Amazon S3, AWS WAF, Amazon Machine Learning, customers.
party
AWS auditors.
document incident
Amazon Inspector, Amazon SageMaker, Amazon issues
that lessons
External may management
parties
learned. impact
ultimately
to AWS, including
planning, customers.testing, and test results are reviewed by third-
regulatory bodies such as the external
Pinpoint •party
auditors Troubleauditors.
andtickets entered
certifying by an AWS employee.
agents.
• Calls
Internal to the 24x7x365
parties such as technical
AWS services supportand hotline.
infrastructure teams, security, legal,
If theoverarching
and event meetsadministrative incident criteria, and the relevant
corporate on-call support engineer uses
teams.
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis of
the incident to determine if additional resolvers should be engaged and to determine
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
the approximate root cause.
CP-2 assessment
The AWS Business and monitoring process. Additionally, annual security assessments are
2. Recovery Phase –ContinuityThe relevant policy
resolvers lays out willthe guidelines
perform breakused fix to implement
to address the
conducted
procedures byto an accredited
respond Third-Party
to a troubleshooting,
serious outageAssessment orbreak
degradation Organization (3PAO) to
IR-4 incident.
AWS will After
notify addressing
customers of a security breach infix and of
accordance AWS
affected services,
withcomponents,
the terms the
validate
including that
the implemented
recovery model security controls
anddocumentation
its implications continue to bebusiness
onfollow-up
the effective. Security
continuity plan.
call leader
outlined will
hasinimplemented
the assign follow-up
service agreement with AWS. and actions and end the
IR-8 AWS
assessments that include a aformal,
risk analysis documented and a AWS’s incident
Plan commitment
response
of Action andpolicy to all
Milestonesand AWS
call engagement.
customers
program. Theisareaspolicy
follows:
PE-6 (POA&M)
Physical
3. AWS
If access
Reconstitution
becomes alladdresses
submitted
toPhase
aware AWS to data
–ofTheanycall
purpose,
authorizing
centers
leaderhousing
unlawful
scope, roles,
officials
will
or declare
unauthorizedIT responsibilities,
forinfrastructure
review
the access
and approval.
recovery
and
tocomponents
phase
any complete
customer is
management
restricted commitment.
to following
authorized datacoordinates
center employees,
RA-5 Refer
AWS
after (i.e.,
data
AWS
to
the
uses
the
Security
relevant
any
a27017, notifies AWS
and
fix activities
personal
three-phased data Audit
that
approach have Reports
been
is uploaded
to with
manage
for
addressed.
to avendors,
theincidents: Theand
additional
appropriate
customer’s post contractors
details:
service
mortem
AWS PCI 3.2,
teams
and
account) whoISO
when
deep
on root
require
27001,
conducting
cause access
ISO
analysis in order
security-related
of the NIST to
or incident execute
800-53,
activities
will their
SOC
be jobs.
2
within COMMON
andtheAccess
tosystem to facilities
CRITERIA
boundary. is only permitted
Activities of at
SI-4 AWS’s
AWS
1.
controlled Activation equipment
deploys access monitoring
and in AWS’s
Notification
points devices
that
facilities
Phase –assigned
throughout Incidents this
the the relevant
unlawful
environment
for AWS orteam.
begin todesignedThe
unauthorized
collect
with theresults access
critical
detection
include
thean
results
information post invulnerability
mortem
loss, onto will
disclosure,
unauthorizedscanning,
be or require
reviewed alteration
intrusion by multi-factor
contingency relevant
of customer
attempts, testing,
senior authentication
usage and incident
management
data, AWSand
abuse, response
will and to prevent
actions
promptly
network and
notify
RS.CO-4: Coordination with · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 of
The
tailgating
exercises.
captured AWSevent.
inand
AWS
Events
Business
a and ensure originate
Continuity
performs
Correction that from
only
ofexternal
Errors policy several
authorized lays
vulnerability
(COE)
sources
out the
individuals such
guidelines
assessments
as:
enter used
an
at AWS
least to dataand
implement
quarterly, center.
and
stakeholders occurs consistent · COBIT 5 DSS03.04 Architectures, AWS Config, Cloud Watch, CloudTrail,
the
•application
procedures
On
customer
Metrics
a quarterlyand bandwidth
to alarms
respond
take–reasonable
basis, usage.
AWS
to
access a
steps
Monitoring
maintains
serious
lists andoutage andocument
to reduce
devices
exceptional
or
authorization degradation
the
are and
effects
placedtracked
of
situational
credentials of within
AWS of
to
this completion.
security
the
awareness
services,
personnel AWS with
identified
To ensure issues
incident.
environment
capability; the
mostto are investigated
effectiveness
detect
issues and of theand
are monitor
rapidly AWSfor: tracked
detected incident to resolution.
response plan, Additionally,
AWS conducts AWS
with response plans · ISA 62443-2-1:2009 4.3.4.5.5 CloudFormation, Amazon Pinpoint, AWS Lambda, including
access
performs the
toresponse
AWS recovery
unannounced data model
centers are
penetration and its
reviewed
tests bybyfrom
implications 24x7x365
theexcellent
engaging on the
respectiveindependent
monitoring
business
data continuity
center and
Area plan.
Access
· ISO/IEC 27001:2013 Clause 7.4 Amazon SNS, Amazon SES
incident
•AWS
alarming
ManagersPort defines,
scanning
of real
(AAM).
testing.
administers,
attacks
time metrics This
and andtesting
monitors
service provides
security
dashboards. for the majoritythird
coverage
Theunderlying for cloud
of parties
the
incidents toare
discovery
probe
ofUsage
•infrastructure the(CPU,
previously indefensesunknown
(i.e., and device
defects
the hardware,
Processes, disk configuration
and failure
theearly
utilization, facilities swapsettings
modes. housing
rates,In within
addition,
theto
and the itsystem.
hardware,
errors allows
in andthe theAWS
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 detected
All
AWS
Security
network entrances
Security
and
this manner.
toteams
service
infrastructure). AWSteams data
also
AWS
subscribe
to
uses
centers,
test the including
tosystems
indicator
newsfeeds the
for main
alarms entrance,
for applicable
potential customer thesoftware
proactively
vendor loadingidentify
flawsand
impact dock,
and
generated
issues
Refer
and any that
to the
roofloss)
may ultimately
following
doors/hatches, AWS impact
Audit
are customers.
securedReports with for additional
intrusion details:
detection PCInew
devices 3.2, ISO
that sound
proactively
further
•Because prepare
Application
Trouble AWS monitor
tickets staff
manages
performance
enteredvendors’
to handle
the
by websites
incidents
infrastructure
metrics
an AWS and
such
employee. otheras relevant
detection outlets
and for
analysis,
and the security controls that apply to it, patches.
27001,
alarms
AWS ISO
if the 27017,
door isNIST
forced 800-53,
open orSOC held to2and COMMON
open. CRITERIA
Callscustomers
containment, can:
• Unauthorized
Trained tosecurity
the 24x7x365 also
eradication,
connection
guards
have
are
the
and ability
recovery,
attempts
technical
stationed support atthe
report
thehotline.
issues to
post-incident
building entrance
AWS via the AWS
activities.
24/7. Ifwith a door
Vulnerability
The
AWS
If theincident
• Identify provides
event Reporting
response
potential test
incidents
nearincident website
real-time plan isatexecuted
affecting
alerts http://aws.amazon.com/security/vulnerability-
when annually,
infrastructure.
the AWS in support
conjunction
monitoring tools show the or cage
within
reporting/.
•incident
Determine datameets
a response center
anyplan. has The
criteria,
a malfunctioning
test
the
plan includes
relevant
card on-call
reader
multiple orscenarios,
PIN padengineer
and cannot
potential
uses be
vectors
indications
AWS’s event ofifmanagement
compromiseaccess toor customer
tool potential
system data
to resulted
compromise,
start from
based
anatengagement anupon
incident.
and threshold
itpage alarming
relevant
•secured
of attack,
Determine
mechanisms
electronically,
program resolvers and if the
accessinclusion
determined wasa security
(e.g., AWS of
actually
by AWS the guard
systems
unlawful
serviceThe
Security).
is posted
integrator
or the
in
unauthorized
and resolvers
Security teams.
door
reportinguntil
(it
will perform and
would can be repaired.
ancoordination
beanalysis of
(when
unauthorized
External
the incident applicable),
access if it wasas well
in
to data stored
to determine as
breach varying
of
in Amazon
if additional AWS' reporting/detection
Security
S3 is logged.
resolvers Policies).
should be avenues
Theengaged
logs areand(i.e. customer
retained for at
to determine
reporting/detecting,
If
leastan incident
90 days androot
the approximate happens AWS
include within
cause. reporting/detecting).
AWS’s sphere of knowledge
relevant access request information such as the data and control and this
AWS
incident
accessor
2. Recoveryincident
results
IP address, management
Phase in loss,– object,
The planning,
disclosure,
and
relevant operation.
resolvers testing,
or alteration will and of test
customer
perform results
break arefixreviewed
content, to AWS
address bythe
will third-
party
promptly
All
incident. auditors.
requests notify
After to KMS the customer.
addressing are logged AWS does this
and available
troubleshooting, break regardless
in the and of
fix AWS whether
account’s
affected the
AWS
components,customer's the
content
CloudTrail
call leader willis sensitive
bucket assign or not,
in Amazon
follow-upbecause AWS
S3.documentation does
The logged requests not know
and follow-up what the
provide actions customer
information and end content
aboutthe
is
who and protects all customer content in the
made the request and under which CMK and will also describe information
call engagement. same robust way.
about the AWS resource
3. Reconstitution Phase –that Thewas callprotected
leader will through
declarethe theuse of the CMK.
recovery These log
phase complete
events are visible to the customer after turning
after the relevant fix activities have been addressed. The post mortem and deep root on AWS CloudTrail in their
account.
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
Security and service teams to test the systems for potential customer impact and
IR-4 AWS
furtherwill prepare notifystaff customers
to handle of incidents
a securitysuch breach in accordance
as detection with the terms
and analysis,
IR-8 outlined
AWS hasinimplemented
containment, theeradication,
service agreement and recovery,
a formal, with AWS.
documented AWS’s
incidentcommitment
and post-incident activities.
response to alland
policy AWS
customers
The
program.incident Theis as follows:
response
policy test plan purpose,
addresses is executed annually,
scope, roles, in conjunction with
responsibilities, and the
RS.CO-5: Voluntary · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference PM-15 AWS
If AWS Security
becomes teamsaware alsoofsubscribe
any unlawful to newsfeeds
or unauthorized for applicableaccess vendor
to flaws and
any customer
incident
managementmonitorresponse plan.
commitment. The test plan includes multiple scenarios, potential vectors
information sharing occurs with · COBIT 5 BAI08.04 Architectures, proactively
data (i.e., vendors’ websites and other relevant outlets AWSfor new patches.
external stakeholders to achieve · ISO/IEC 27001:2013 A.6.1.4
of
AWS usesany
attack, and personal
the
a three-phasedinclusion dataapproach
that
of theissystems
uploaded
to manage to incidents:
integratora customer’s
in reporting account)
and on
coordination
AWS’s
(when
1. Activation equipment
applicable), or
as in
and Notification wellAWS’sas varying facilities
Phase and thisfor
–reporting/detection
Incidents unlawful
AWSavenues or unauthorized
begin (i.e.the
with customer access
detection
broader cybersecurity · NIST SP 800-53 Rev. 4 SI-5, PM-15 results in loss, disclosure,
SI-5 reporting/detecting,
AWS
of Security
an event. Eventsnotifies AWS andor
originate alteration
reporting/detecting).
coordinates
from several of
withcustomer
the appropriate
sources data,as:
such AWS will promptly
service teams when notify
situational awareness
•the
AWS customer
conducting
Metricsincidentand and
alarms take–reasonable
security-related
management AWSactivities
planning, stepswithin
maintains to
anreduce
testing, the and
exceptional the
testeffects
system results ofare
boundary.
situational this securityby third-
reviewed
Activities
awareness
incident.
party auditors.
include
capability; vulnerability
most issues scanning,
are rapidly contingency
detected from testing, and incident
24x7x365 monitoringresponse and
AWS defines,
exercises.
alarming ofAWS real administers,
performs
time metrics and
external
and monitors
vulnerability
service security
dashboards. for the
assessmentsTheunderlyingat leastof
majority cloud
quarterly,
incidentsand are
infrastructure
identified
detected this(i.e.,
inissues arethe
manner. hardware,
investigated
AWS uses theearly
and facilities
tracked indicatortohousing
resolution.
alarms theto hardware,
Additionally,
proactively andidentify
the
AWS
network
performs
issues that infrastructure).
unannounced
may ultimately penetration
impact customers. tests by engaging independent third parties to
•Because
probe
Trouble theAWS defenses
tickets manages and device
entered the
by infrastructure
anconfiguration
AWS employee. andsettings
the security withincontrolsthe system. that apply to it,
AWS can:
• CallsSecurity
to the 24x7x365 teams also subscribe
technical to newsfeeds
support hotline. for applicable vendor flaws and
• Identify
proactively
If the event potential
monitor
meets incident incidents
vendors’ affecting
websites
criteria, thethe and infrastructure.
relevantotheron-call relevant outletsengineer
support for new uses patches.
• Determine
AWS
AWS’s eventifmanagement
customers any also accesshavetothe customer
tool systemtodata
ability resulted
toreport
start issues from
to AWS
an engagement an incident.
via
andthe page AWS relevant
• Determine
Vulnerability
program ifReporting
resolvers access (e.g.,was actually
website
AWS at unlawful
Security). Theorresolversunauthorized
http://aws.amazon.com/security/vulnerability- (it would
will perform anbe analysis of
unauthorized
incident toifdetermine
reporting/.
the it was in breach if additionalof AWS' Security
resolvers Policies).
should be engaged and to determine
If anapproximate
the incident happens root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery results Phase in loss,– The disclosure,
relevant resolvers or alteration will of customer
perform breakcontent,
fix to AWS address willthe
promptly After
incident. notifyaddressing
the customer. AWS does this
troubleshooting, break regardless
fix and of whether
affected the customer's
components, the
content
call leader is sensitive
will assign or not,
follow-upbecause AWS does not
documentation and know what the
follow-up customer
actions and end content
the
is and
call protects all customer content in the same robust way.
engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
Security and service teams to test the systems for potential customer impact and
further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
incident response plan. The test plan includes multiple scenarios, potential vectors
of attack, and the inclusion of the systems integrator in reporting and coordination
(when applicable), as well as varying reporting/detection avenues (i.e. customer
reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-
party auditors.
Analysis (RS.AN): Analysis is RS.AN-1: Notifications from · CIS CSC 4, 6, 8, 19 AWS Artifact, AWS Best Practices, AWS Reference AU-6 AWS deploys monitoring devices throughout the environment to collect critical
conducted to ensure adequate detection systems are · COBIT 5 DSS02.04, DSS02.07 Architectures, AWS Config, AWS Cloudwatch, AWS information on unauthorized intrusion attempts, usage abuse, and network and
response and support recovery investigated · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 Lambda, AWS Step Functions, AWS OpsWorks, AWS application bandwidth usage. Monitoring devices are placed within the AWS
activities. · ISA 62443-3-3:2013 SR 6.1 Managed Services, AWS CloudFormation environment to detect and monitor for:
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, • Usage (CPU, Processes, disk utilization, swap rates, and errors in software
SI-4 generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show
indications of compromise or potential compromise, based upon threshold alarming
mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days and include relevant access request information such as the data
accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS
CloudTrail bucket in Amazon S3. The logged requests provide information about
who made the request and under which CMK and will also describe information
about the AWS resource that was protected through the use of the CMK. These log
events are visible to the customer after turning on AWS CloudTrail in their
account.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
IR-4 assessment
AWS and monitoring
will notify customers process. Additionally,
of a security breach inannual security
accordance withassessments
the terms are
conducted
outlined by
thean
innotify accredited
service agreementThird-Party
with AWS. Assessment
AWS’s Organization
commitment (3PAO) to
IR-5 AWS
validate willthat customers
implemented of a security
security controls breach in accordance
continue withtothe
to be effective.
allterms
AWS
Security
customers
outlined in istheasservice
follows:agreement with AWS.
PE-6 Physical
assessments
If AWS becomesaccess that toinclude
all AWS
aware dataanalysis
a risk
of any centers
unlawful housing
and a AWS’s
Plan
or unauthorized
commitment
ITofinfrastructure
Action to all AWS is
components
andtoMilestones
access any customer
customers
restricted is
toare as follows:
authorized data center employees,
SI-4 (POA&M)
AWS
data
If AWS deploys
(i.e., any
becomes
submitted
monitoring
personal
aware data
of
to authorizing
devices
that
any is throughout
uploaded
unlawful
officials
or avendors,
tothe for
customer’s
unauthorized
and and
review
environment contractors
AWS
access toapproval.
tocollect
account)
any
who
critical
customeron
require
information access inunauthorized
onpersonal order into execute their attempts,
intrusion jobs. Access to abuse,
facilities isnetwork
only permitted accessat
RS.AN-2: The impact of the · COBIT 5 DSS02.02 AWS Artifact, AWS Best Practices, AWS Reference CP-2 AWS’s
The
data
controlled AWS equipment
(i.e., Business
any
access
orContinuity
points
AWS’s
data
that that facilities
policy laysand
is uploaded
require out
multi-factor a usage
tothis
the unlawful
guidelines
customer’s
authentication
or and
unauthorized
used
AWS to implement
account)
designed
and
to on
prevent
incident is understood · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 Architectures, AWS CloudFormation, AWS application
results
procedures
AWS’s bandwidth
inequipment
loss,
to disclosure,
respond or intousage.
aor Monitoring
alteration
serious
AWS’s outage devices
of and thisinare
customer
or individuals
degradation placed
data, AWS
of orwithin
AWS will the AWS
promptly
services, notify
IR-4 AWS
tailgating will notify
and customers
todetect
ensure that of a facilities
only security
authorized breach unlawful
accordance
enter unauthorized
with the data access
termscenter.
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6 Cloudwatch, CloudTrail, VPC Flowlogs, AWS Config, environment
the
including
results customer
in the
loss, to
and
recoverytake and
disclosure, model monitor
reasonable
or and for:
steps
its
alteration to customer
reduce the
implications
of on effects
the
data, ofan
business
AWS
AWS
this
will security
continuity
promptly plan.
notify
outlined
•On in the basis,
a quarterly
Port scanning service
attacks agreement
access lists andwithauthorization
AWS. AWS’s commitment
credentials to all AWS
of personnel with
· NIST SP 800-53 Rev. 4 CP-2, IR-4 AWS Organizations, AWS Firewall Manager, AWS incident.
the customer and take reasonable steps to reduce the effects of this security
customers
•access Usage to(CPU,is as Processes,
AWS follows:
data centers areutilization,
disk reviewed security
byswapthe rates,
respective data center
andunderlying
errors in softwareArea Access
Systems Manager, AWS OpsWorks, Amazon Macie, AWS
incident. defines, administers, and monitors for the cloud
If AWS
Managers loss)
generated becomes
(AAM). aware of any unlawful or unauthorized access to any customer
AWS Managed Services, AWS IoT Defender, Amazon infrastructure
Refer
AWS to the
defines, (i.e.,
following the AWS
administers, hardware, Audit
and the facilities
Reports
monitors for
security housing
additional
for theunderlying
the hardware,
details: PCI and
3.2,
cloud the
ISO
data
•All (i.e.,
entrances
Application any topersonal data
AWS data metrics
performance that is uploaded to a customer’s AWS
centers, including the main entrance, the loading dock, account) on
GuardDuty, Amazon Machine Learning, Amazon network
27001, infrastructure).
AWS’s
•and
Because anyISO
infrastructure roof
UnauthorizedAWS
27017,
equipment (i.e., or NIST
the
doors/hatches,
connection
manages
800-53,
inhardware,
AWS’s SOC
the
are secured
theattempts
infrastructure
2with
COMMON
facilities
facilities housing
andintrusion
this CRITERIA
the hardware,
unlawful
and the security
or unauthorized
detection
controlsdevices andthat
that apply
theaccess
sound
to it,
SageMaker, AWS WAF, AWS Shield network
results
alarmscan: ifinfrastructure).
in loss,door
the disclosure,forcedoropen
is real-time alteration
or held ofopen.
customer data, AWS will promptly notify
AWS
Because provides
AWSand near
manages alerts
the stationed when
infrastructure the
and AWS
thethe monitoring
security toolsthat show
the
Trained
indicationscustomersecurity take reasonable
guards
of compromise are steps
oraffecting
potential to
thereduce
atthe building
compromise, effectscontrols
entrance
based of24/7.
upon this securityapplyortocage
If a door
threshold
it,
alarming
• Identify
AWS can: potential incidents infrastructure.
incident.
within a data center has a malfunctioning card reader or PIN pad and cannot be
•mechanisms
• Identify
AWS
secured
Determine ifdetermined
potential
defines,
electronically,
any access
incidents
administers, a
bytoAWS
customer
and
security
service
affecting
monitors
guard
data
theis
and
security
posted
Security
resulted
infrastructure.
for
at
fromteams.
the
the
an incident.
underlying
door until it cloud
can be repaired.
External
•• Determine
Determine access if any
if to data
access was
access stored in Amazon
actually
to customer dataS3resulted
unlawful is unauthorized
or logged.from The logs are retained
(it would
anhardware,
incident. be for at
infrastructure (i.e., the hardware, the facilities housing the and the
•least
unauthorized90 daysifand
Determine
network infrastructure).
it include
ifaccess was was relevant
in breach
actually of access
AWS'
unlawful request
Security information
Policies). (it
or unauthorized such
wouldas the be data
accessor
If an incident
unauthorized IP address, it wasobject,
ifhappens within
in and
breach operation.
AWS’s
of AWS'sphere of knowledge
Security and control and this
Policies).controls
Because
All AWS manages the infrastructure and thethe security that apply to it,
If
AWS anrequests
incident results
incident
can: bucket
tohappens
KMS
in loss, are logged
disclosure,
within andoravailable
AWS’s sphere ofinknowledge
alteration AWS account’s
of customer content,
and control AWSand will
this
CloudTrail
promptlyresults notify in incustomer.
theloss, Amazon S3. The
AWS ordoeslogged requests
this regardless provide information
of whether the about
customer's
•incident
who Identify
made potential
the request
disclosure,
incidents
and under affecting
which
alteration
theCMK
of customer
infrastructure.
and
content, AWS will
content is notify
sensitive or not, because AWS does not will
know also describe
what information
the customer content
•promptly
Determine
about if anytheaccess
customer. to AWS
customer does
data this regardless
resulted from of
an whether
incident. the customer's
is and the is AWS
protects resource
all customernot,that was protected
content in thedoes through
same robust theway.
use of the
the customer
CMK. These log
•content
Determine
events
sensitive
are visibleif accessto
or was because
actually
the customer
AWS
unlawful
after turning or not know
unauthorized what (it would be content
is and protects
unauthorized if all
it customer
was in content
breach of in the
AWS' sameon
Security
AWSway.
robust CloudTrail in their
Policies).
account.
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the customer's
content is sensitive or not, because AWS does not know what the customer content
is and protects all customer content in the same robust way.
RS.AN-3: Forensics are · COBIT 5 APO12.06, DSS03.02, DSS05.07 AWS Artifact, AWS Best Practices, AWS Reference AU-7 AWS deploys monitoring devices throughout the environment to collect critical
performed · ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, Architectures, AWS IAM, AWS CloudFormation, IR-4 information
AWS on unauthorized
will notify customers ofintrusion
a security attempts,
breach in usage abuse, and
accordance withnetwork and
the terms
SR 2.12, SR 3.9, SR 6.1 AWS Cloudwatch, CloudTrail, VPC Flowlogs, application
outlined bandwidth
in the usage. Monitoring
service agreement with AWS. devices
AWS’sare commitment
placed withintothe allAWS
AWS
· ISO/IEC 27001:2013 A.16.1.7 Amazon Macie, AWS Managed Services, AWS environment
customers to follows:
is as detect and monitor for:
· NIST SP 800-53 Rev. 4 AU-7, IR-4 Lambda, VPC, AWS IoT Defender, Amazon • Port
If AWS scanning
becomes attacks
aware of any unlawful or unauthorized access to any customer
GuardDuty, Amazon Machine Learning, Amazon • Usage
data (i.e.,(CPU, Processes,
any personal datadisk
thatutilization,
is uploaded swap
to arates, and errors
customer’s AWSinaccount)
softwareon
SageMaker, AWS WAF, AWS KMS, AWS generated
AWS’s loss)
equipment or in AWS’s facilities and this unlawful or unauthorized access
CloudHSM, Amazon WorkSpaces • Application
results in loss,performance
disclosure, ormetrics
alteration of customer data, AWS will promptly notify
• Unauthorized
the customer and connection attempts
take reasonable steps to reduce the effects of this security
AWS provides near real-time alerts when the AWS monitoring tools show
incident.
indications
AWS defines, of compromise
administers, or andpotential
monitorscompromise,
security for based upon threshold
the underlying cloud alarming
mechanisms determined
infrastructure by AWSthe
(i.e., the hardware, service and Security
facilities housing theteams.
hardware, and the
External infrastructure).
network access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days
Because AWSand includethe
manages relevant access request
infrastructure and theinformation such as
security controls theapply
that data to it,
accessor
AWS can: IP address, object, and operation.
•All requests
Identify to KMSincidents
potential are logged and available
affecting in the AWS account’s AWS
the infrastructure.
•CloudTrail
Determinebucketif any in Amazon
access S3. The data
to customer logged requests
resulted fromprovide information about
an incident.
•who made the
Determine if request
access wasand actually
under which CMKorand
unlawful will also describe
unauthorized (it would information
be
about the AWS
unauthorized resource
if it that wasofprotected
was in breach throughPolicies).
AWS' Security the use of the CMK. These log
events
If are visible
an incident happensto thewithin
customer
AWS’s aftersphere
turning of on AWS CloudTrail
knowledge and controlin their
and this
account. results in loss, disclosure, or alteration of customer content, AWS will
incident
promptly notify the customer. AWS does this regardless of whether the customer's
content is sensitive or not, because AWS does not know what the customer content
is and protects all customer content in the same robust way.
RS.AN-4: Incidents are · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
categorized consistent with · COBIT 5 DSS02.02 Architectures, AWS Cloudwatch, Amazon Macie, IR-4 procedures
AWS will notifyto respond
customersto a serious outagebreach
of a security or degradation
in accordanceof AWS withservices,
the terms
response plans · ISA 62443-2-1:2009 4.3.4.5.6 AWS Managed Services, AWS Lambda, AWS IoT includinginthe
outlined therecovery
service model and with
agreement its implications
AWS. AWS’s on the business continuity
commitment plan.
· ISO/IEC 27001:2013 A.16.1.4 Defender, Amazon GuardDuty, Amazon Machine IR-5 AWS will notify customers of a security breach in accordance withtotheallterms
AWS
customers
outlined isthe
asservice
follows:agreement with AWS. AWS’s commitment to all AWS
inimplemented
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8 Learning, Amazon SageMaker, AWS WAF IR-8 AWS
If AWS hasbecomes aware aofformal, documented
any unlawful incident response
or unauthorized access to policy and
any customer
customers
program.
Refer(i.e., to the is
The as follows:
policy addresses purpose, scope, roles, responsibilities, and
data
If AWS anyfollowing
becomes personal
aware
AWS
data
of any
Audit
that Reports for
is uploaded
unlawful or to aadditional
customer’s
unauthorized
details:
AWS
access to
PCI 3.2, ISO
account)
any on
customer
management
27001, ISO
AWS’s equipment commitment.
27017, or NISTAWS’s800-53,facilities
SOC 2 COMMON CRITERIA
data
AWS (i.e., any personalindata that is uploaded andtothis unlawful
a customer’s or unauthorized
AWS account) on access
resultsuses
AWS’s
a three-phased
inequipment
loss, disclosure,
or in AWS’s
approach
or alteration to manage
facilities of and
customerincidents:
data, AWS
this unlawful will promptlyaccess
or unauthorized notify
1.
theActivation
customer and take
and Notification
reasonable Phasesteps– Incidents
reduce for
to customer AWS
thedata,
effects begin with the detection
of this
results
of in loss,
an event. disclosure,
Events originateor alteration
from several of sources such AWS
as: will security
promptly notify
incident.
•the customer
Metrics and and take–reasonable
alarms AWS steps to
maintains an
AWS defines, administers, and monitors security for the underlying cloud
reduce the effects
exceptional of thisawareness
situational security
incident.
capability; most issues are rapidly detected from 24x7x365 monitoring and
infrastructure
AWS defines, (i.e., the hardware,
administers, and the facilities
monitors housing the hardware,cloud and the
alarming of real
network infrastructure). time metrics and service security
dashboards. for theTheunderlying
majority of incidents are
infrastructure
detected in this(i.e., the hardware,
manner. AWS uses theearly
facilities housing
indicator alarmsthetohardware,
proactively andidentify
the
Because infrastructure).
network AWS manages the infrastructure and the security controls that apply to it,
issues
AWS can: that may ultimately impact customers.
•Because
Trouble
• Identify
AWS
tickets manages
entered the
by infrastructure
an AWS and the security controls that apply to it,
employee.
potential incidents affecting the infrastructure.
•AWS Calls can:
to the 24x7x365 technical support hotline.
•• Identify
If
Determine
the event
if any access
potential
meets incidents
incident
to customer
affecting
criteria, the
data
the resulted from an incident.
infrastructure.
relevant on-call support engineer uses
•• Determine
Determine if
AWS’s
if any
access
event ifmanagement
was to
access actually
customer
tool
unlawful
system data or unauthorized
resulted
to Security
start
(it would be
from an incident.
an engagement
•unauthorized
Determine it was was
if access in breach
actually of AWS'
unlawful Policies). (itand page relevant
program
If an incident resolvershappens(e.g.,within
AWS Security).
AWS’s Theor
sphere of
unauthorized
resolvers
knowledge will and would
perform
controlanbeanalysis
and this of
unauthorized
the incident toifdetermine
it was in breach of AWS'
if additional Security
resolvers Policies).
should be engaged and to determine
incident results
If anapproximate
incident in loss,within
happens disclosure, or alteration of customer content, AWS
and will
the
promptly notify the cause. AWS’s
rootcustomer. AWS
sphere of knowledge
does this regardless of
and control
whether
this
the customer's
incident
2. Recovery resultsPhasein loss,
–orThe disclosure,
relevant or alteration
resolvers of
willnot customer
perform content,
break to AWS
fixcustomer
address will
the
content is
promptly After sensitive
notifyaddressing not,
the customer. because AWS
AWS does this does know
regardless what
of the
whether content
the customer's
incident.
is and protects all customer troubleshooting,
contentAWS in thedoes break
same fix and
robust way.affected components, the
content
call leader is sensitive
will assign or not, because
follow-up documentation not
andknow what the
follow-up customer
actions content
and end the
is and
call protects all customer content in the same robust way.
engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
Security and service teams to test the systems for potential customer impact and
further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
RS.AN-5: Processes are · CIS CSC 4, 19 AWS Artifact, AWS Best Practices, AWS Reference SI-5 AWS Security notifies and coordinates with the appropriate service teams when
established to receive, analyze · COBIT 5 EDM03.02, DSS05.07 Architectures, Amazon S3, AWS Managed Services, PM-15 conducting
AWS Security security-related
teams also subscribe activitiestowithin the system
newsfeeds boundary.
for applicable Activities
vendor flaws and
and respond to vulnerabilities · NIST SP 800-53 Rev. 4 SI-5, PM-15 AWS Lambda, AWS IoT Defender, Amazon include vulnerability
proactively scanning,websites
monitor vendors’ contingency testing,
and other and incident
relevant outlets forresponse
new patches.
disclosed to the organization GuardDuty, Amazon Macie, AWS OpsWorks, AWS exercises. AWS performs external vulnerability assessments at least quarterly, and
from internal and external CloudFormation, Amazon Inspector, Amazon Machine identified issues are investigated and tracked to resolution. Additionally, AWS
Mitigation (RS.MI): Activities RS.MI-1: Incidents
sources (e.g. internalare
testing, · CIS CSC 19 AWS Artifact,
Learning, AWSSageMaker,
Amazon Best Practices,
AWS AWS
WAF, Amazon IR-4
Reference AWS
performs willunannounced
notify customers of a security
penetration tests bybreach in accordance
engaging independent withthird
the terms
parties to
are performed to prevent contained
security bulletins, or security · COBIT 5 APO12.06 Architectures,
SNS, Amazon CloudFormation, AWS Lambda,
SES, Amazon WorkMail outlined
probe theindefensesthe service andagreement with AWS.settings
device configuration AWS’swithin commitment to all AWS
the system.
expansion of an event, mitigate researchers) · ISA 62443-2-1:2009 4.3.4.5.6 Amazon SNS, Amazon SES, AWS Cloudwatch, AWS customers
AWS Security is asteams
follows: also subscribe to newsfeeds for applicable vendor flaws and
its effects, and eradicate the · ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4 CloudTrail, Amazon VPC, Security Groups, NACLS, If AWS becomes
proactively monitor aware of anywebsites
vendors’ unlawfuland or other
unauthorized
relevant access
outletstoforany newcustomer
patches.
incident. · ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 AWS Config, AWS Organizations, AWS Firewall data
AWS(i.e., any personal
customers also have datathe thatability
is uploaded
to report to issues
a customer’s
to AWSAWS account)
via the AWS on
· NIST SP 800-53 Rev. 4 IR-4 Manager, AWS PrivateLink, AWS Systems Manager, AWS’s
Vulnerabilityequipment Reportingor in AWS’s
website facilities and this unlawful or unauthorized access
at http://aws.amazon.com/security/vulnerability-
AWS OpsWorks, Amazon Macie, AWS Managed results
reporting/.in loss, disclosure, or alteration of customer data, AWS will promptly notify
Services, AWS IoT Defender the customer and take reasonable steps to reduce the effects of this security
incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it,
AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the customer's
content is sensitive or not, because AWS does not know what the customer content
is and protects all customer content in the same robust way.
RS.MI-2: Incidents are · CIS CSC 4, 19 AWS Artifact, AWS Best Practices, AWS Reference IR-4 AWS will notify customers of a security breach in accordance with the terms
mitigated · COBIT 5 APO12.06 Architectures, AWS CloudFormation, AWS Lambda, outlined in the service agreement with AWS. AWS’s commitment to all AWS
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10 AWS Cloudwatch, AWS CloudTrail, AWS Config, customers is as follows:
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 AWS Systems Manager, AWS OpsWorks, Amazon If AWS becomes aware of any unlawful or unauthorized access to any customer
· NIST SP 800-53 Rev. 4 IR-4 Macie, AWS Managed Services, AWS IoT Defender data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access
results in loss, disclosure, or alteration of customer data, AWS will promptly notify
the customer and take reasonable steps to reduce the effects of this security
incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to it,
AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the customer's
content is sensitive or not, because AWS does not know what the customer content
is and protects all customer content in the same robust way.
RS.MI-3: Newly identified · CIS CSC 4 AWS Artifact, AWS Best Practices, AWS Reference CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
vulnerabilities are mitigated or · COBIT 5 APO12.06 Architectures, AWS Managed Services, AWS Lambda, assessment and monitoring process. Additionally, annual security assessments are
documented as accepted risks · ISO/IEC 27001:2013 A.12.6.1 AWS IoT Defender, Amazon GuardDuty, Amazon conducted by an accredited Third-Party Assessment Organization (3PAO) to
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5 Macie, Amazon Inspector, Amazon Machine Learning, validate that implemented security controls continue to be effective. Security
Amazon SageMaker, AWS WAF assessments that include a risk analysis and a Plan of Action and Milestones
(POA&M) are submitted to authorizing officials for review and approval.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and
RA-5 mitigate
AWS risks across
Security theand
notifies company. The process
coordinates with theinvolves
appropriatedeveloping and when
service teams
implementing
conducting risk treatmentactivities
security-related plans to mitigate
within risks
the as necessary.
system boundary. The AWS risk
Activities
Improvements (RS.IM): RS.IM-1: Response plans · COBIT 5 BAI01.13 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The AWS Business
management Continuity
team monitors andpolicy laysrisks
escalates out the
on guidelines
a and
continuous used to implement
basis, performing
Organizational response incorporate lessons learned · ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4 Architectures include vulnerability
procedures to respond scanning, contingency
to a implemented
serious or testing,
outagecontrols
degradation incident
of AWS response
services,
risk assessments
exercises. AWS on newly
performs external vulnerability at least every
assessments at six months.
least quarterly, and
activities are improved by · ISO/IEC 27001:2013 A.16.1.6, Clause 10 including the recovery model and its implications on the business continuity plan.
incorporating lessons learned · NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 identified issues are investigated and tracked to resolution. Additionally, AWS
from current and previous performs unannounced penetration tests by engaging independent third parties to
detection/response activities. probe the defenses and device configuration settings within the system.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
AWS
27001,Security teams
ISO 27017, also 800-53,
NIST subscribeSOCto newsfeeds
2 COMMON for applicable
CRITERIAvendor flaws and
proactively monitor vendors’ websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
IR-4 AWS will notify customers of a security breach in accordance with the terms
IR-8 outlined
AWS hasinimplemented
the service agreement with AWS. AWS’s
a formal, documented incidentcommitment
response policy to alland
AWS
customersThe
program. is aspolicy
follows: addresses purpose, scope, roles, responsibilities, and
RS.IM-2: Response strategies · COBIT 5 BAI01.13, DSS04.08 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The
If AWS AWS Business
becomes Continuity
aware policy lays
of any unlawful or out the guidelines
unauthorized used
access to to
anyimplement
customer
are updated · ISO/IEC 27001:2013 A.16.1.6, Clause 10 Architectures management
procedures tocommitment.
respond
data (i.e.,
AWS usesany personalto
a three-phased
a serious
data that is outage
approach uploaded or to
degradation
toimplications
manage a customer’s
incidents:
of AWS
AWSservices,
account) on
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 including
AWS’s the
equipmentrecovery model
or in AWS’sPhase and its
facilities and thisfor on the
unlawful business continuity
or unauthorized plan.
access
1. Activation and Notification – Incidents AWS begin with the detection
results
of in loss,
an event. disclosure,
Events originateor alteration
from several of customer
sources such data,as:
AWS will promptly notify
•the
Refer
customer
Metricsto the
and
andfollowing
alarmstake–reasonable
AWS Audit
AWS
steps to
maintains
Reports anreduce the effects
exceptional
for additional
of thisawareness
situational
details:
security
PCI 3.2, ISO
incident. most issues are rapidly detected from 24x7x365 monitoring and
capability;
27001,
AWS defines, ISO 27017, NIST 800-53,
administers, and SOC 2 COMMON
monitors CRITERIA
alarming of real time metrics and service security
dashboards. for the
Theunderlying
majority of cloud
incidents are
infrastructure
detected in this(i.e., the hardware,
manner. AWS uses theearly
facilities housing
indicator alarmsthetohardware,
proactively andidentify
the
network
issues thatinfrastructure).
may ultimately impact customers.
•Because
TroubleAWS tickets manages
enteredthe by infrastructure
an AWS employee. and the security controls that apply to it,
•AWSCallscan:to the 24x7x365 technical support hotline.
• Identify
If the event potential incidents
meets incident affecting
criteria, thethe infrastructure.
relevant on-call support engineer uses
• Determine
AWS’s eventifmanagement
any access totool customer
systemdata resulted
to start from an incident.
an engagement and page relevant
• Determine
program if access
resolvers was
(e.g., actually
AWS unlawful
Security). Theorresolvers
unauthorized (it would
will perform anbeanalysis of
unauthorized
the incident toifdetermine
it was in breach of AWS'
if additional Security
resolvers Policies).
should be engaged and to determine
If an incident happens
the approximate root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery Phase – The relevant resolvers will perform break fix to AWS
results in loss, disclosure, or alteration of customer content, address will
the
promptly notify the customer. AWS does this regardless
incident. After addressing troubleshooting, break fix and affected components, of whether the customer's
the
content
call leader is sensitive
will assign or not, because
follow-up AWS does not
documentation andknow what the
follow-up customer
actions content
and end the
is and protects
call engagement. all customer content in the same robust way.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
IR-4 To ensure
AWS will thenotifyeffectiveness
customers of the a security
AWS incident
breach inresponse
accordanceplan,with
AWS theconducts
terms
IR-8 incident
outlined
AWS hasresponse
inimplemented
the servicetesting.
agreement
This testing
a formal, with provides
AWS. AWS’s
documented excellent
incident commitment
coverage
response for
to all
policy the AWS
and discovery
of previously
customers
program. is as
The unknown
follows:
policy defects purpose,
addresses and failure modes.
scope, In addition,
roles, it allows
responsibilities, andthe AWS
Security
If AWS becomes
management and service aware
commitment. teams of any
to testunlawful
the systemsor unauthorized
for potential access
customer
to any impact
customerand
further
data prepare
(i.e., any staff
personal to handle
data incidents
that is
AWS uses a three-phased approach to manage incidents: uploaded such as
to a detection
customer’s and analysis,
AWS account) on
containment,
AWS’s equipmenteradication,
or in and
AWS’s recovery,
facilities and
and post-incident
this unlawful
1. Activation and Notification Phase – Incidents for AWS begin with the detection activities.
or unauthorized access
The
resultsincident
in loss, response
disclosure, test plan
or is executed
alteration
of an event. Events originate from several sources such as: of annually,
customer in
data,conjunction
AWS will with the
promptly notify
incident
the customer
• Metrics response
and andalarms plan.
take The test
–reasonable
AWS plan
steps
maintains includes
to
anreduce multiple scenarios,
the effects
exceptional of thispotential
situational securityvectors
awareness
of
incident.
attack, and
capability; mosttheissues
inclusion of the systems
are rapidly detectedintegrator
from 24x7x365in reporting and coordination
monitoring and
(when
AWS defines,
applicable), administers,
as well as
andvarying
monitors reporting/detection
security for
alarming of real time metrics and service dashboards. The majority of incidents are the underlying
avenues (i.e.
cloud
customer
reporting/detecting,
infrastructure
detected in this(i.e., the
manner. AWS hardware,
reporting/detecting).
AWS usestheearly
facilities housing
indicator alarmsthetohardware,
proactively andidentify
the
AWS
network
issues incident
thatinfrastructure).
maymanagement
ultimately impact planning, testing, and test results are reviewed by third-
customers.
party
Because
• Trouble auditors.
AWS
tickets manages
enteredthe by infrastructure
an AWS employee. and the security controls that apply to it,
AWS can:
• Calls to the 24x7x365 technical support hotline.
•IfIdentify
the event potential incidents
meets incident affecting
criteria, thethe infrastructure.
relevant on-call support engineer uses
• Determine
AWS’s eventifmanagement
any access totool customer
systemdata resulted
to start from an incident.
an engagement and page relevant
• Determine
program if access
resolvers was
(e.g., actually
AWS unlawful
Security). Theorresolvers
unauthorized (it would
will perform anbeanalysis of
unauthorized
the incident toifdetermine
it was in breach of AWS'
if additional Security
resolvers Policies).
should be engaged and to determine
If anapproximate
the incident happens within AWS’s sphere of knowledge and control and this
root cause.
incident
2. Recovery results
Phasein loss,
– The disclosure, or alteration
relevant resolvers will of customer
perform content,
break fix to AWS
address will
the
promptly After
incident. notifyaddressing
the customer. AWS does this
troubleshooting, regardless
break fix and of whether
affected the customer's
components, the
content
call leader is sensitive
will assign or not, because
follow-up AWS does not
documentation andknow what the
follow-up customer
actions content
and end the
is and
call protects all customer content in the same robust way.
engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
Security and service teams to test the systems for potential customer impact and
further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
incident response plan. The test plan includes multiple scenarios, potential vectors
of attack, and the inclusion of the systems integrator in reporting and coordination
(when applicable), as well as varying reporting/detection avenues (i.e. customer
reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-
party auditors.
Customer Responsibility
AWS customers are responsible for providing for the recovery and reconstitution of the
information system to a known state after a disruption, compromise, or failure.
AWS customers are responsible for developing a contingency plan for their system that: 1)
Identifies
AWS essential
customers aremissions and for
responsible business functionsanand
implementing associated
incident handlingcontingency
capability requirements,
for security 2)
Provides recovery
incidents objectives,
that includes restoration
preparation, priorities, and metrics, 3) Addresses contingency roles,
AWS customers
responsibilities, are assigned
and responsible for detection
developing
individuals with
andananalysis,
Incident
contact
containment,
Response
information, Planeradication,
(IRP) that:
4)customers
Addresses
and recovery
maintaining
in
1) accordance
Provides with
their their incident
organization response policy. In addition, AWS are responsible for2)
AWS customers
essential missions
coordinating are
and
incident businesswith
responsible
handling foradeveloping
roadmap
functions
activities
for
despite
with
implementing
a an
contingency
information
contingency plan
planning
its incident
for
system their response
system
disruption,
activities;
capability,
that: 1)
compromise,
incorporating
Describes
Identifies
or failure, the structure
essential
5) Addresses and
missions organization
and
eventual, business offunctions
the incident
full information and response
system associated capability,
restoration contingency
without 3)deterioration
Provides a high-
requirements, 2)
of the
lessons learned
level approach from ongoing
for objectives,
how incident
the incident handling
response activities
capability into
fits incident response procedures,
Provides
security
training, recovery
safeguards
and originally
testing/exercises; restoration
planned
and andpriorities,
implemented,
implementing theand andinto
metrics,
resulting
the
6)changes
Is overall organization,
3)reviewed
Addresses and
accordingly.approved4)by
contingency Meets
roles,
the unique requirements
responsibilities, of theindividuals
and assigned
organization-defined personnel organization,
or roles inwith which
contact
accordance relate tothe
mission,
information,
with 4)size, structure,
Addresses
contingency planning and functions,
maintaining
policy.
5) Defines
essential reportable
missions andincidents, 6) Provides
business functions metrics
despite an for measuringsystem
information the incident response
disruption, capability
compromise,
within
or
AWS the 5)
failure, organization,
Addresses
customers 7) Defines
eventual,
are responsible the
full
for resourcescopies
information
distributing and management
systemof restoration support
the contingency withoutneeded
plan to effectively
deterioration of the
to organization-
maintain
security andcontingency
matureoriginally
safeguards
defined key an incident response
planned
personnel andcapability,
implemented,
(identified by name andand/or
8) Is6)reviewed
and byIsrole)
reviewedandorganizational
and approved
and by by
approved
organization-defined
organization-defined
elements. Contingency personnel
personnel or roles.
planningoractivities
roles in must
accordance with the contingency
be coordinated with incidentplanning
handlingpolicy.
activities.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy
AWS
AWS customers
customers
and updated are
are responsible
responsible
to address changes to for distributing
fortheir
distributing copies of
of the
the IRP
copiessystem,
organization, to organization
contingency defined
planoftooperation
or environment incident
organization-
and
response
defined key
problems personnel (identified
contingency
encountered by name
personnel
during and/or by
(identified
implementation, role) andand/or
name
execution, organizational elements.
by role) and
or testing. The IRP must be
organizational
review
elements.andContingency
updated at aplanning
frequency defined must
activities by thebeincident response
coordinated withpolicy to handling
incident address activities.
system/organizational
The
AWScontingency
customers are changes
planresponsible or problems
must be reviewed encountered
at a frequency
for communicating during plan
defined inplan
contingency implementation,
the contingency execution, or
planning policy
changes to organization-
testing.
and
defined Changes
updated
personnel to the
to address IRP must
changes
and for be communicated
to their
protecting theorganization, to organization-defined
system,
contingency plan fromorunauthorized incident
environment disclosureresponse
of operation
andand
personnel
problems (identified byduring
encountered
modification. nameimplementation,
and/or role) and execution,
organizational elements.
or testing.
AWS
AWS customers
customers are
are responsible
responsible for
for protecting the IRP
communicating from unauthorized
contingency disclosure
plan changes and
to organization-
modification.
defined personnel and for protecting the contingency plan from unauthorized disclosure and
modification.
AWS customers are responsible for providing contingency training to system users consistent with
assigned
AWS roles and
customers areresponsibilities.
responsible forTraining must
testing the be provided
incident response within an organization-defined
capability for their system at time
an
period of assuming the
organization-defined role, as required
frequency using by system changes,tests
organization-defined and at
to an organization-defined
determine the that:
incident response
AWS customers
frequency are responsible
thereafter. for developing an Incident Response Plan (IRP)
effectiveness
1) Provides andorganization
their documentingwith the results.
AWS customers are responsible forareviewing
roadmap forandimplementing
analyzing audit itsrecords
incidentatresponse capability, 2)
an organization-
Describes the structure and organization of the incident response capability, 3) Provides
defined frequency for indications of organization-defined inappropriate or unusual activity and a high-
level approach
reporting these for how the
findings incident response capability
to organization-defined fitsorinto
personnel theinoverall
roles organization,
accordance 4) audit
with their Meets
the
and unique requirements
accountability policy.of the organization, which relate to mission, size, structure, and functions,
5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability
within the organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved by
organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
review and updated at a frequency defined by the incident response policy to address
system/organizational changes or problems encountered during plan implementation, execution, or
testing. Changes to the IRP must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.
AWS customers are responsible for requiring their personnel to report suspected security incidents
to the customers
AWS organizational incident response
are responsible capabilityanwithin
for developing Incident an Response
organization-defined
Plan (IRP) that: time period and
forProvides
1) reportingtheir incident information
organization with to organization-defined authorities.
AWS customers are responsible foraconducting
roadmap for implementing
security assessments its incident
for theirresponse
systems.capability,
Within this 2)
Describes
context andthe instructure
accordance andwithorganization
their of theassessment
security incident response and capability,policy,
authorization 3) Provides acustomers
high-
AWSapproach
level customers forarehow
responsible
the incident for response
reporting incidents for
capability fits customer
into thedescribes
overall virtualAWS
storage,organization, machines,
4) Meetsand
are responsible
applications for: 1)
unless caused Developing
by a security assessment plan that the security controls
the
and unique
control requirements
enhancements theAWS
ofunder or an incident
organization,
assessment, which
assessment
isrelate
the result of AWS
to mission,
procedures
action.
size,
used
AWSand
structure,
to determine
customers
functions,are
responsible
5) for providing
Defines reportable a point6)ofProvides
incidents, contact and metrics escalation plan to AWS
for measuring thethe in orderresponse
incident to facilitate
effectiveness,
ongoingthe incident the communications.
assessment environment, the assessment team, and assessment rolescapability and
within
responsibilities,organization,
2) Assessing 7) Defines
security thecontrols
resources in and
theirmanagement
system and its support needed to
environment of effectively
operation at
maintain
an and mature an incident
organization-defined frequency response
to determine capability, the extent and 8)toIswhichreviewedcontrols and approved by
AWS customers should
organization-defined work
personnel with
orand AWS
roles. to develop an agreed upon the reporting process are implemented
and method
correctly, operating as intended, producing the desired
to receive notification of security incidents involving the potential breach of customer data. outcome with respect to meeting
established security requirements, 3) Producing a security assessment report that documents the
AWS customers
results of thethe are responsible
assessment, and 4) for distributing
Providing copiesofofthe
the results thesecurity
IRP to organization
control assessment definedtoincident
their
Throughout
response personnel incident response
(identified byor process,
name and/orAWS willand
role) keep the AWS customer’s
organizational elements.senior The IRP must be
organization-defined
management and other individuals roles.
review and updated at anecessary
frequencyparties defined informed
by the incident of response activities
response policy as totheaddress
investigation
progresses. Under certain
system/organizational circumstances,
changes or problems lawencountered
enforcement agencies
during planmay become involved.
implementation, All or
execution,
requestsChanges
testing. for information
to the IRP by law
mustenforcement
be communicated will betohandled by AWS legal incident
organization-defined counsel. response
The AWS
Security team
personnel will, toby
(identified thenamebest of its ability,
and/or role) and comply with all information
organizational elements. requests as approved by
AWS legal counsel. Delivered materials will be reviewed by AWS Legal to ensure that AWS fully
AWS
complies customers
with theare are responsible
request, and the for developing a continuous monitoring strategy and
AWS customers responsible forAWS Chief the
protecting Information
IRP fromSecurity unauthorized Officer (CISO) will
disclosure and review for
implementing
compliance.
AWS customers a continuous
are responsible monitoring programaincontingency
for developing accordanceplan withfor theirtheirsecurity
systemassessment
that: 1) and
modification.
authorization
Identifies policymissions
essential that defines: and for 1) Metrics
business to be monitored,
functions and 2) Frequencies
associated contingency forrequirements,
monitoring and
AWS customers
reporting, and 3) are responsible
Personnel or restoration implementing
roles responsible foran incident
conducting handling
and capability
receiving for security 2)
continuous
Provides recovery
incidents that objectives,
includes preparation, detection priorities,
and and metrics,
analysis, 3) Addresses
containment, contingency
eradication, roles,
and customers
recovery
AWS customers
monitoring
responsibilities, analysisare responsible
information.
andtheir
assigned for
individuals developing
Pursuant to
with this an Incident
continuous
contact Response
monitoring
information, Plan (IRP)
program,
4)customers
Addressesare that:
AWS
maintaining
in
1) accordance
Provides with
their organization incident response policy. Inmonitoring
addition, AWS responsible for2)
are
N/A responsible
essential
coordinating missions for:
incidentand businesswith
1) Establishing
handling
aand
functions roadmap
configuring
despite for an implementing
information its
for incident
defined
system response
metrics,
disruption, 2)capability,
Monitoring
compromise,
Describes
and
or
AWS conducting
failure, the structure
assessments
5) Addresses
customers arehow
and as activities
organization
eventual,
responsible
with
of
organization-defined
full1)information
for:
thecontingency
Scanning
incident
for
planning
response
frequencies,
system restoration
vulnerabilities
activities;
capability,
3) in
Conducting
without
their
incorporating
3)deterioration
Provides
ongoingsystem
information
asecurity
high-
of theand
lessons
level
control learned
approach
assessments, from
for ongoing
4) the
Conductingincident
incident handling
response
ongoing activities
capability
security into
fits
status intoincident
thereviewed
monitoring response
overall
of procedures,
organization,
their organization- 4)byMeets
security
hosted
training, safeguards
applications
and originally
atresponsible
an of
testing/exercises; planned
organization-defined and implemented,
frequency and
and/or6) Is
randomly in and approved
accordance with their
AWS
the
defined customers
unique metrics,
organization-defined
areCorrelating
requirements
5) personnel the and
and
or
for:implementing
1) Monitoring
organization,
analyzing
roles in which the
security-related
accordance
resulting
their
relate
with tothe changes
information
mission,
information
contingency
accordingly.
system
size, to detect:
structure,
generated
planning and
by a) functions,
policy.
Attacks
andDefines
5) indicators reportable process
of monitoring,
potentialincidents, and6)when
attacks in new metrics
accordance
Provides vulnerabilities
with for potentially
organization-defined
measuring the affecting the objectives
monitoring
assessments
AWS customers
system/applications and are responsible
are 5) Taking
identified forand appropriate
developing
reported; a2) response
contingency
Employing actions
plan fortoincident
vulnerability address
their response
systemthe results
scanning that: capability
tools1)of
andthe
and
withinb) Unauthorized
analysis
Identifiesthe organization,
ofessential
security-relatedlocal, network,
7) Defines
information, and
the remote
resources
and connections;
and
6) Reporting management 2) Identifying
support
the contingency
security status unauthorized
needed
of their use
toorganization
effectively of
AWS customers
techniques
the that aremissions
promote responsible and forbusiness
interoperability functions
distributing
among copies
tools andand associated
of the
automated contingency
parts plan
of the requirements,
to organization-
vulnerability 2)
and information
maintain
Provides
defined
management keyand
the information
recovery system
mature
process
an through
system
objectives,
contingency incident
personnel
byStrategically
using
organization-defined
response
to restoration
the
standards
capability,
organization-defined
priorities,
(identified
for: a)by name and
Enumerating
techniques
and 8)
metrics,
and/or
and
Is reviewed
personnel by3)role)
platforms,
methods;
orAddresses
roles and
and
3)
approved Deploying
atorganizational
software the by
organization-
contingency
flaws, androles,
monitoring
defined frequency.
responsibilities, devices:
organization-defined and a) personnel
assigned within
oractivities
roles.
individuals the
with information
contact system
information, to collect
4)incident
Addresses organization-
maintaining
elements.
improper
determined Contingency
configurations,
essential planning
b) Formatting and must
making be coordinated
transparent with
checklists and handling
test activities.
procedures,
specific and
essential
The
c) Measuring missions
contingency andinformation
plan
vulnerability business
must be
impact;
and b) Atdespite
functions
reviewed 3) at a
Analyzing
ad hocanlocations
frequency information
defined
vulnerability
within
in
scan the
the system
system disruption,
contingency
reports and
to track compromise,
planning
results from policy
types
AWS
or of
failure, transactions
customers
5) to
Addresses of interest
are responsible
eventual, tofortheir
full organization;
distributing
information copies
system 4)ofProtecting
the IRP
restoration toinformation
organization obtained
without deterioration definedfrom incident
of the
and updated
security control
intrusion-monitoring address
assessments; changes
tools from4)byto their
Remediating
unauthorized organization,
legitimate
access, system, or environment
vulnerabilities
modification, andwithin
deletion; of operation
organization-defined
5) and
Heightening
response
security personnel
safeguards (identified
originally plannednameand and/or role) and
implemented, organizational
and 6) Is elements. The IRP by must be
problems
response
the leveland
review ofencountered
times in accordance
information
updated
during with
at a system
implementation,
frequency an
monitoring organizational
defined
execution,
activity
by whenever
the incident
or testing.
assessment thereof reviewed
risk;
is anand
and
5)
indication
approved
Sharing ofpolicy.
increased
organization-defined
information obtained personnel
from or roles
the vulnerability in accordance
scanning process withresponse
theand policy
contingency
security
toplanning
address
control
risk to organizational
system/organizational operations
changes and
orfor assets, encountered
problems individuals, other
during organizations,
plan implementation, or theassessments
Nation basedor
execution,
AWS
with
on customers
organization-defined
lawcustomers
enforcement are responsible
information,personnel communicating
or roles
intelligence to help
information, contingency
eliminate plan
similar
or other changes
vulnerabilities
credibleplan to
sources organization-
in
of other
information;
testing.
AWS
defined Changes
personnel to the
are IRPprotecting
responsible mustfor be communicated
distributing copies toplan
organization-defined
of the contingency incident response
to organization-
information
6) Obtaining
personnel
defined key legal and
systems
(identified
contingency
for
(i.e.,
opinion
by name systemic
withand/or
personnel regard thetocontingency
weaknesses
role)information
(identified andby or deficiencies).
namesystem
organizational
from unauthorized
and/ormonitoring
elements.
by role) and
disclosure
activities
organizational
and
in accordance
modification.
with applicable federal laws, Executive Orders,
elements.
Prior to Contingency
conducting planning
penetration activities
testing or must directives,
vulnerabilitybe coordinated policies,
scanning with or
activities,
regulations;
incident AWS handling andactivities.
customers
7)
are
Providing
AWScontingency
The organization-defined
customers are
plan responsible information
must be reviewed for protecting a system
atthe the IRP
frequency monitoring
from
defined information
unauthorized
in the contingency to organization-
disclosure and policy
planning
required
defined
modification. to request
personnel orauthorization
roles as needed through or in followingwith
accordance URL: an or
organization-defined frequency.
and updated to address changes to their
https://aws.amazon.com/security/penetration-testing/. organization, system, environment of operation and
problems encountered during implementation, execution, or testing.
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS Specific (Postgres,
AWS
MySQL,customers are SQL
MariaDB, responsible
Server, for communicating
Aurora, contingency
Oracle): AWS Customersplan
arechanges to organization-
responsible for meeting
defined personnel
scanning and for
requirements on protecting the contingency
their databases plan
in accordance from
with unauthorized disclosure
organization-defined and
frequency
modification.
and/or when new vulnerabilities have been identified. Also, AWS Customers are required to
remediate legitimate findings within the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
Customers offload database management tasks such as hardware or software provisioning, setup
and configuration, software patching, operating a reliable, distributed database cluster, or
partitioning data over multiple instances as you scale.
AWS customers are responsible for implementing an incident handling capability for security
incidents that includes
AWS customers preparation,
are responsible for detection
developing andananalysis,
Incidentcontainment,
Response Plan eradication,
(IRP) that:and recovery
in
1) accordance
Provides their with their incident
organization withresponse
a roadmappolicy. In addition, AWS
for implementing customers
its incident are responsible
response capability,for2)
N/A
coordinating
Describes theincident
structurehandling activities of
and organization with
thecontingency planning
incident response activities;
capability, 3) incorporating
Provides a high-
lessons
level learnedfor
approach from
howongoing incident
the incident handling
response activities
capability into
fits intoincident response
the overall procedures,
organization, 4) Meets
training,
the unique and testing/exercises;
requirements of the and implementing
organization, whichthe resulting
relate changes
to mission, accordingly.
size, structure, and functions,
AWS customers
5) Defines are responsible
reportable incidents, 6) for: 1) Receiving
Provides metricsinformation
for measuringsystemthe security
incident alerts, advisories,
response capability
and directives
within from organization-defined
the organization, externaland
7) Defines the resources organizations
management on support
an ongoing
neededbasis, 2) Generating
to effectively
internal
maintainsecurity
and maturealerts,
anadvisories, and directives
incident response as deemed
capability, and 8) Isnecessary,
reviewed3)and Disseminating
approved by security
alerts, advisories, andpersonnel
organization-defined directivesortoroles.
organization-defined personnel, roles, organizational elements
and/or external organizations, and 4) Implementing security directives in accordance with
established
AWS customers time frames or notifying
are responsible the issuing organization
for distributing copies of the of IRPthetodegree of noncompliance.
organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
review and updated at a frequency defined by the incident response policy to address
system/organizational changes or problems encountered during plan implementation, execution, or
testing. Changes to the IRP must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.
AWS customers are responsible for reviewing and analyzing audit records at an organization-
defined frequency for indications of organization-defined inappropriate or unusual activity and
reporting these findings to organization-defined personnel or roles in accordance with their audit
and accountability policy.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing
AWS customers a continuous monitoring
are responsible program inan
for implementing accordance with theircapability
incident handling security assessment
for securityand
authorization
incidents that policy
includesthat defines: 1)detection
preparation, Metrics toand be analysis,
monitored, 2) Frequencies
containment, for monitoring
eradication, and
and recovery
AWS customers
reporting, 3) are
and with responsible
Personnel or rolesfor responsible
tracking and documenting
for information system security
in accordance
incidents. their incident response policy. Inconducting
addition, AWS and receiving
customers continuous
are responsible for
N/A
monitoring
coordinating analysis
incidentinformation. Pursuant
handling activities to this
with continuous
contingency monitoring
planning program,
activities; AWS customers
incorporating
are responsible
AWS
lessons learned for:
customers are1)
from Establishing
responsible
ongoing for:and
incident configuring
1)handling
Monitoring monitoring
their
activities informationfor defined
into incident system metrics,
responseto detect: 2) a)
Monitoring
procedures, Attacks
and conducting
indicators ofassessments
potential as and
organization-defined
attacks thefrequencies, 3) Conducting ongoing security
training,
AWS and testing/exercises;
customers are responsible forinimplementing
accordanceawith
developing organization-defined
resulting
contingency changes
plan monitoring
system that:objectives
accordingly.
for their 1)
control
and assessments, 4)
b) Unauthorized Conducting
local, network, ongoing
and remotesecurity status monitoring
connections; 2) Identifyingof their organization-
unauthorized use of
Identifies
AWS essential
customers aremissions
responsibleand for
business functions
implementing anand associated
incident contingency
handling capability requirements,
forby security 2)
defined
the metrics,system
information 5) Correlating
through and analyzing
organization-definedsecurity-related
techniques information
andAddresses generated
methods; 3) Deploying
Provides
incidents recovery
that objectives,
includes restoration
preparation, priorities,
detection and metrics, 3) contingency roles,
assessments
monitoring and monitoring,
devices:
responsibilities, and a) 5) Taking
Strategically
assigned individualswithin theand
appropriate
with
analysis,
response
information
contact
containment,
system
information, 4)
eradication,
actionstotocollect
address
Addresses
and recovery
the results
organization-
maintaining
of the
in accordance
analysis
determined with their
of security-related
essential incident response
information, andpolicy.
ad6)hoc In addition,
Reporting AWSthe
thewithin
security customers
status are
ofto
theirresponsible
specific for
organization
essential missions
coordinating andinformation
incident handling
and b) At
businessactivities
functions despite
with anlocations
information
contingency planning system system
disruption,
activities;
track
compromise,
incorporating
and the
types ofinformation
transactions system to the
of interest organization-defined
tofull
theirinformation
organization; 4)personnel
Protecting orinformation
roles at theobtained
organization-from
or failure,
lessons 5) Addresses
learned from eventual,
ongoing incident handling system
activities restoration
into incident without
response deterioration
procedures, of the
defined frequency. tools from unauthorized access, modification, and deletion; 5) Heightening
intrusion-monitoring
security
training, safeguards originally planned and implemented, and 6)changes
Is reviewed and approved by
the level and testing/exercises;
of information
organization-defined systemand
personnel or
implementing
monitoring activity
roles in accordance
thewhenever
resulting
with thethere is anaccordingly.
contingency indication
planningofpolicy.
increased
risk to organizational operations and assets, individuals, other organizations, or the Nation based
on lawcustomers
AWS enforcement are information,
responsible for intelligence
distributinginformation,
copies of the or other credibleplan
contingency sources of information;
to organization-
6) Obtaining
defined legal opinion
key contingency with regard
personnel to information
(identified by namesystemand/ormonitoring
by role) and activities in accordance
organizational
with applicable
elements. federal laws,
Contingency planningExecutive
activitiesOrders,
must directives,
be coordinated policies,
with or regulations;
incident handlingandactivities.
7)
Providing
The organization-defined
contingency information
plan must be reviewed at a system
frequency monitoring
defined in information to organization-
the contingency planning policy
defined
and personnel
updated or roles
to address as needed
changes to theiror in accordancesystem,
organization, with an ororganization-defined
environment of operation frequency.
and
problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-
defined personnel and for protecting the contingency plan from unauthorized disclosure and
modification.
AWS customers are responsible for implementing and configuring an audit reduction and report
generation
AWS capability
customers that: 1) Supports
are responsible on-demand an
for implementing audit review,
incident analysis,
handling and reporting
capability for security
requirements
incidents that and after-the-fact
includes investigations
preparation, of security
detection and analysis,incidents and 2)eradication,
containment, Does not alter
and the
recovery
original
in content
accordance or time
with their ordering
incident of audit records.
response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for developing a contingency plan for their system that: 1)
Identifies
AWS essential
customers aremissions
responsibleand for
business functionsanand
implementing associated
incident handlingcontingency
capability requirements,
for security 2)
Provides recovery
incidents objectives,
that includes restoration
preparation, priorities, and metrics, 3) Addresses contingency roles,
AWS customers
responsibilities, are assigned
and responsible for detection and documenting
tracking and
individuals
analysis, containment,
information eradication, and recovery
systemmaintaining
security
in accordance with
incidents. their incident responsewith contact
policy. information,
In addition, AWS4)customers
Addresses are responsible for
AWS customers
essential missions
coordinating are
incident responsible
and handling for developing
businessactivities
functions despite
with ananIncident Response
information
contingency planning system Plan (IRP)
disruption,
activities; that:
compromise,
incorporating
1) Provides
or failure,
lessons their organization
5) Addresses
learned from ongoing with
eventual, a roadmap for
full information
incident implementing
system into
handling activities its
restoration incident
incidentwithout response
response capability,
deterioration
procedures, of the 2)
Describes the structure
security safeguards
training, and organization
originally planned
and testing/exercises; of the incident
and implemented,
and implementing response capability,
and 6)changes
the resulting Is reviewed 3) Provides
and approved by
accordingly. a high-
level approach for how
organization-defined the incident
personnel response
or roles capabilitywith
in accordance fits the
intocontingency
the overall organization,
planning policy. 4) Meets
the unique requirements of the organization, which relate to mission, size, structure, and functions,
5)
AWSDefines reportable
customers incidents, 6)
are responsible forProvides metrics
distributing for of
copies measuring the incident
the contingency plan response capability
to organization-
within
definedthekeyorganization,
contingency7) Defines (identified
personnel the resourcesby and
name management
and/or by role) support
and needed to effectively
organizational
maintain
elements.and mature anplanning
Contingency incident response
activities capability, and 8) Is reviewed
must be coordinated with incidentand approved by
handling activities.
organization-defined
The contingency planpersonnel or roles. at a frequency defined in the contingency planning policy
must be reviewed
and updated to address changes to their organization, system, or environment of operation and
AWS customers
problems are responsible
encountered for distributingexecution,
during implementation, copies of or thetesting.
IRP to organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
review and updated
AWS customers are at a frequency
responsible fordefined by the incident
communicating response
contingency planpolicy to address
changes to organization-
system/organizational
defined personnel and changes or problems
for protecting encountered
the contingency planduring
from plan implementation,
unauthorized disclosure execution,
and or
testing. Changes to the IRP must be communicated to organization-defined incident response
modification.
personnel (identified by name and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.
AWS customers are responsible for: 1) Receiving information system security alerts, advisories,
and
N/Adirectives from organization-defined external organizations on an ongoing basis, 2) Generating
internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security
alerts, advisories, and directives to organization-defined personnel, roles, organizational elements
and/or external organizations, and 4) Implementing security directives in accordance with
AWS customers
established are responsible
time frames for implementing
or notifying an incidentofhandling
the issuing organization capability
the degree for security
of noncompliance.
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for implementing an incident handling capability for security
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security assessment and
authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and
reporting, and 3) Personnel or roles responsible for conducting and receiving continuous
monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers
are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring
and conducting assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their organization-
defined metrics, 5) Correlating and analyzing security-related information generated by
assessments and monitoring, 5) Taking appropriate response actions to address the results of the
analysis of security-related information, and 6) Reporting the security status of their organization
and the information system to the organization-defined personnel or roles at the organization-
defined frequency.
AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood
and magnitude
AWS customersofare harm from the for:
responsible unauthorized
1) Scanning access, use, disclosure,
for vulnerabilities in disruption, modification,
their information system orand
destruction
hosted of their information
applications atresponsible system and thefrequency
an organization-defined information it processes,
and/or randomly stores, or transmits,with2)their
AWS customers
Documenting riskare
assessment for developing
results in new
the systema contingency
plan, security plan for theirinsystem
assessment
accordance
report, that: 1)
organization-defined
Identifies processand
essential missions and when
business vulnerabilities
functions potentially
and associated affecting
contingency the or other 2)
requirements,
organization-defined
system/applications document,
are identified 3) Reviewing
and reported; risk
2) assessment
Employing results at an organization-defined
vulnerability scanning tools and
Provides recovery
frequency, 4) objectives,risk
restoration priorities, andorganization-defined
metrics, 3) Addresses contingency roles,and
techniques thatDisseminating
responsibilities, promote
and assigned
assessment
interoperability
individuals amongresults
toolstoand
with contact automated4)parts
information, ofpersonnel
Addresses
or roles,
the vulnerability
5) Updating the
management risk
process assessment
bybusiness at an organization-defined
using standards for: a) Enumerating frequency
platforms,or whenevermaintaining
thereand
are
essential missions
significant changesand to the functions
information despite
system an information
or environment systemsoftware
ofchecklistsdisruption,
operation
flaws,
(including compromise,
the
improper
or failure,configurations,
5) Addresses b) Formatting
eventual, and making
full information transparent
system restoration and
without test procedures,
deterioration and
of the
identification
c) Measuring of new threats
vulnerability and vulnerabilities)
impact; 3) Analyzing or other conditions
vulnerability scan that may
reports and impact
results the security
from
security
state safeguards
of the system. originally planned and implemented, and 6) Is reviewed and approved by
security control assessments;
organization-defined personnel 4)orRemediating legitimate
roles in accordance vulnerabilities
with the contingencywithin organization-defined
planning policy.
response times in accordance with an organizational assessment of risk; and 5) Sharing
information
AWS customers obtained from the vulnerability
are responsible scanning
for distributing copiesprocess and security plan
of the contingency control assessments
to organization-
with organization-defined
defined key contingency personnelpersonnel(identified
or roles toby help
nameeliminate
and/or similar
by role)vulnerabilities
and organizational in other
information systems (i.e.,
elements. Contingency systemic
planning weaknesses
activities must orbe deficiencies).
coordinated with incident handling activities.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy
Prior to conducting
and updated penetration
to address changes testing
to theiror vulnerabilitysystem,
organization, scanning activities, AWS
or environment customersand
of operation are
required
problemstoencountered
request authorization through the following
during implementation, execution,URL:
or testing.
https://aws.amazon.com/security/penetration-testing/.
AWS customers are responsible for communicating contingency plan changes to organization-
RDS Specific
defined (Postgres,
personnel and forMySQL, MariaDB,
protecting SQL Server,
the contingency plan Aurora, Oracle): RDS
from unauthorized Specificand
disclosure (Postgres,
MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers are responsible for meeting
modification.
scanning requirements on their databases in accordance with organization-defined frequency
and/or when new vulnerabilities have been identified. Also, AWS Customers are required to
remediate legitimate findings within the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
Customers offload database management tasks such as hardware or software provisioning, setup
and configuration, software patching, operating a reliable, distributed database cluster, or
partitioning
AWS customers
data are
overresponsible
multiple instances
for implementing
as you scale. an incident handling capability for security
incidents
AWS that includes
customers preparation,
are responsible for detection
developing andananalysis,
Incidentcontainment,
Response Plan eradication,
(IRP) that:and recovery
in accordance
1) Provides with
their their incident
organization withresponse policy. In addition, AWS customers are responsible for2)
AWS customers
coordinating are responsible foradeveloping
roadmap for implementing
a contingency planits for
incident response
their system capability,
that: 1)
Describes
Identifies theincident
structure
essential
handling
missions and
activities
and organization
business
with
of thecontingency
incident
functions
planning
and response
associated
activities;
capability,
contingency 3) incorporating
Provides a high-
requirements, 2)
lessons
level learnedfor
approach fromhowongoing incident
the incident handling
response activities
capability into
fits incident
into the response
overall procedures, Meets
organization,
Provides
training, recovery
and objectives,
testing/exercises; restoration
and priorities,
implementing theand metrics,
resulting 3)
changesAddresses contingency4)roles,
accordingly.
the unique requirements
responsibilities, of theindividuals
and assigned organization,
withwhich
contactrelate to mission,
information, 4)size, structure,
Addresses and functions,
maintaining
5) Defines
essential reportable
missions andincidents, 6) Provides
business functions metrics
despite an for measuringsystem
information the incident response
disruption, capability
compromise,
within
or the 5)
failure, organization, 7) Definesfull
Addresses eventual, theinformation
resources and management
system restoration support needed
without to effectively
deterioration of the
maintainsafeguards
security and matureoriginally
an incident response
planned andcapability,
implemented, and and
8) Is6)reviewed
Is reviewedand and
approved by by
approved
organization-defined personnel
organization-defined personnel or or roles
roles.in accordance with the contingency planning policy.
AWS customers
AWS customers are
are responsible
responsible for
for distributing
distributing copies
copies of
of the
the contingency
IRP to organization
plan to defined incident
organization-
responsekey
defined personnel (identified
contingency by name
personnel and/or by
(identified role) andand/or
name organizational elements.
by role) and The IRP must be
organizational
review andContingency
elements. updated at aplanning
frequency defined must
activities by thebeincident response
coordinated withpolicy to handling
incident address activities.
system/organizational
The changes
contingency plan must or problems
be reviewed at aencountered during in
frequency defined plan
theimplementation, execution,
contingency planning or
policy
testing.
and Changes
updated to the IRP
to address musttobetheir
changes communicated
organization, tosystem,
organization-defined
or environment incident response
of operation and
personnel encountered
problems (identified byduring
nameimplementation,
and/or role) and execution,
organizational elements.
or testing.
AWS customers
AWS customers are
are responsible
responsible for
for communicating
protecting the IRP from unauthorized
contingency disclosure
plan changes and
to organization-
modification.
defined personnel and for protecting the contingency plan from unauthorized disclosure and
modification.
AWS customers are responsible for implementing an incident handling capability for security
incidents
AWS that includes
customers preparation,
are responsible for detection
developingandananalysis,
Incidentcontainment,
Response Plan eradication,
(IRP) that:and recovery
in accordance
1) Provides theirwith their incident
organization withresponse policy.
a roadmap In addition, AWS
for implementing customers
its incident are responsible
response capability,for2)
coordinating
Describes theincident
structurehandling activities of
and organization with
thecontingency planning
incident response activities;
capability, 3) incorporating
Provides a high-
lessons learnedfor
level approach from
howongoing incident
the incident handling
response activities
capability into
fits incident
into response
the overall procedures,
organization, 4) Meets
training, and testing/exercises; and implementing the resulting changes accordingly.
the unique requirements of the organization, which relate to mission, size, structure, and functions,
5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability
within the organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved by
organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
review and updated at a frequency defined by the incident response policy to address
system/organizational changes or problems encountered during plan implementation, execution, or
testing. Changes to the IRP must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.
Note:
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Recovery Planning (RC.RP): Recovery RC.RP-1: Recovery plan is executed · CIS CSC 10 AWS Certifications, Customer Responsibility CP-10 The AWS business continuity plan details the three-phased approach that AWS
processes and procedures are executed and during or after an event · COBIT 5 APO12.06, DSS02.05, DSS03.04 has developed to recover and reconstitute the AWS infrastructure:
maintained to ensure timely restoration of · ISO/IEC 27001:2013 A.16.1.5 • Activation and Notification Phase
systems or assets affected by cybersecurity · NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8 • Recovery Phase
events. • Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution
efforts in a methodical sequence, maximizing the effectiveness of the recovery
and reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions.
Each data center is built to physical, environmental, and security standards in an
active-active configuration, employing an n+1 redundancy model to ensure
system availability in the event of component failure. Components (N) have at
least one independent backup component (+1), so the backup component is
active in the operation even if all other components are fully functional. In order
to eliminate single points of failure, this model is applied throughout AWS,
including network and data center implementation. All data centers are online
and serving traffic; no data center is “cold.” In case of failure, there is sufficient
capacity to enable traffic to be load-balanced to the remaining sites.
IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and
program. The policy addresses purpose, scope, roles, responsibilities, and
management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the
detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents
are detected in this manner. AWS uses early indicator alarms to proactively
identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis
of the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components,
the call leader will assign follow-up documentation and follow-up actions and
end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase
complete after the relevant fix activities have been addressed. The post mortem
and deep root cause analysis of the incident will be assigned to the relevant
team. The results of the post mortem will be reviewed by relevant senior
management and actions and captured in a Correction of Errors (COE)
document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it
allows the AWS Security and service teams to test the systems for potential
customer impact and further prepare staff to handle incidents such as detection
and analysis, containment, eradication, and recovery, and post-incident
Improvements (RC.IM): Recovery planning RC.IM-1: Recovery plans · COBIT 5 APO12.06, BAI05.07, DSS04.08 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
and processes are improved by incorporating incorporate lessons learned · ISA 62443-2-1:2009 4.4.3.4 procedures to respond to a serious outage or degradation of AWS services,
lessons learned into future activities. · ISO/IEC 27001:2013 A.16.1.6, Clause 10 including the recovery model and its implications on the business continuity
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and
program. The policy addresses purpose, scope, roles, responsibilities, and
management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the
detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents
are detected in this manner. AWS uses early indicator alarms to proactively
identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis
of the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components,
the call leader will assign follow-up documentation and follow-up actions and
end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase
complete after the relevant fix activities have been addressed. The post mortem
and deep root cause analysis of the incident will be assigned to the relevant
team. The results of the post mortem will be reviewed by relevant senior
management and actions and captured in a Correction of Errors (COE)
document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it
allows the AWS Security and service teams to test the systems for potential
customer impact and further prepare staff to handle incidents such as detection
and analysis, containment, eradication, and recovery, and post-incident
RC.IM-2: Recovery strategies are · COBIT 5 APO12.06, BAI07.08 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
updated · ISO/IEC 27001:2013 A.16.1.6, Clause 10 procedures to respond to a serious outage or degradation of AWS services,
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 including the recovery model and its implications on the business continuity
plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and
program. The policy addresses purpose, scope, roles, responsibilities, and
management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with the
detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents
are detected in this manner. AWS uses early indicator alarms to proactively
identify issues that may ultimately impact customers.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis
of the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components,
the call leader will assign follow-up documentation and follow-up actions and
end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase
complete after the relevant fix activities have been addressed. The post mortem
and deep root cause analysis of the incident will be assigned to the relevant
team. The results of the post mortem will be reviewed by relevant senior
management and actions and captured in a Correction of Errors (COE)
document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it
allows the AWS Security and service teams to test the systems for potential
customer impact and further prepare staff to handle incidents such as detection
and analysis, containment, eradication, and recovery, and post-incident
Communications (RC.CO): Restoration RC.CO-1: Public relations are · COBIT 5 EDM03.02 Customer Responsibility N/A
activities are coordinated with internal and managed · ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
external parties, such as coordinating centers,
Internet Service Providers, owners of attacking
systems, victims, other CSIRTs, and vendors.
RC.CO-2: Reputation after an event · COBIT 5 MEA03.02 Customer Responsibility N/A
is repaired · ISO/IEC 27001:2013 Clause 7.4
RC.CO-3: Recovery activities are · COBIT 5 APO12.06 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
communicated to internal · ISO/IEC 27001:2013 Clause 7.4 procedures to respond to a serious outage or degradation of AWS services,
stakeholders and executive and · NIST SP 800-53 Rev. 4 CP-2, IR-4 including the recovery model and its implications on the business continuity
management teams plan.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
IR-4 AWS will notify customers of a security breach in accordance with the terms
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
AWS defines, administers, and monitors security for the underlying cloud
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
network infrastructure).
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
Customer Responsibility
AWS customers are responsible for providing for the recovery and
reconstitution of the information system to a known state after a
disruption, compromise, or failure.
N/A
N/A