Asset Management (ID - AM) : The Data, ID - AM-1: Physical Devices and Systems

Note:
AWS services italicized in the "AWS Services/Resources" column are out of scope for FedRAMP Moderate and/or ISO 9001/27001/27018.
AWS services in bold in the "AWS Services/Resources" column have been validated by an independent assessor to align to the CSF based on FedRAMP Moderate and/or ISO 9001/27001/27018 accreditation.
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility Customer Responsibility
Asset Management (ID.AM): The data, ID.AM-1: Physical devices and systems · CIS CSC 1 AWS Certifications, AWS Resource Tagging, CM-8 AWS is wholly responsible to implement a physical inventory control program. N/A - Customers do not have any responsibility in the AWS Cloud for the
personnel, devices, systems, and within the organization are inventoried · COBIT 5 BAI09.01, BAI09.02 AWS Config, AWS Config Rules, AWS Cloud inventory of AWS physical devices and systems.
facilities that enable the organization to · ISA 62443-2-1:2009 4.2.3.4 Formation, AWS CloudTrail, AWS CloudWatch Implementation:
achieve business purposes are identified · ISA 62443-3-3:2013 SR 7.8 Logs, Customer Responsibility People - All AWS employees and contractors who procure, receive, install, Customers are only responsible for this control for the physical assets they
and managed consistent with their · ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 operate, and dispose of physical devices and systems are trained on company own and operate outside of the Cloud (e.g., servers, computers, network
relative importance to business · NIST SP 800-53 Rev. 4 CM-8, PM-5 policies and procedures. They undergo a background check upon hiring (depth and equipent, mobile devices, IoT devices, peripheals, etc.).
objectives and the organization’s risk process varies based on country of hiring, role in AWS, and AWS region
strategy. supporting). Employees and contractors who do not comply with established
policies and procedures may face disciplinary actions, up to and including
termination of employment or contract.
Processes - AWS has established polcies and processes for the management of
physical devices and systems, which include user responsibilities for assigned
hardware (e.g., laptops); logisticians for procurement, receiving, inventory, and
destruction/disposition; datacenter operators for installation, management, and
removal; and IT operations staff for installation, management, and disposition of
other devices (e.g., printers).
Technology - AWS employes various technologies to streamline and automate

physical asset receipt, inventory, destruction, and shipment.
PM-5 N/A N/A

ID.AM-2: Software platforms and · CIS CSC 2 AWS Organizations, AWS Certifications, AWS CM-8 AWS is responsible for developing, documenting, reviewing, and updating at an AWS customers are responsible for developing, documenting, reviewing,
applications within the organization are · COBIT 5 BAI09.01, BAI09.02, BAI09.05 Resource Tagging, AWS Config, AWS Config organization-defined frequency an inventory of software components for our cloud and updating at an organization-defined frequency an inventory of
inventoried · ISA 62443-2-1:2009 4.2.3.4 Rules, AWS Cloud Formation, AWS CloudTrail, infrastructure. AWS is responsible verifying that the inventory: software components for their systems hosted in AWS. AWS customers
· ISA 62443-3-3:2013 SR 7.8 AWS CloudWatch Logs, Customer Responsibility 1) Accurately reflects the current system are responsible verifying that the inventory: 1) Accurately reflects the
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, 2) Includes all components within the authorization boundary current system, 2) Includes all components within the authorization
A.12.5.1 3) Is at the level of granularity deemed necessary for tracking and reporting boundary, 3) Is at the level of granularity deemed necessary for tracking
· NIST SP 800-53 Rev. 4 CM-8, PM-5 4) Includes the information prescribed by the configuration management policy and reporting, and 4) Includes the information prescribed by the
that is deemed necessary to achieve effective information system component configuration management policy that is deemed necessary to achieve
accountability. effective information system component accountability.
PM-5 N/A N/A

ID.AM-3: Organizational · CIS CSC 12 AWS Certifications, Customer Responsibility, AC-4 Several network fabrics exist at Amazon, each separated by boundary protection AWS customers are responsible for configuring their systems and all
communication and data flows are · COBIT 5 DSS05.02 AWS S3, AWS EC2 devices that control the flow of information between fabrics. The flow of interconnected systems to enforce their approved information flow
mapped · ISA 62443-2-1:2009 4.2.3.4 information between fabrics is established by approved authorizations, which exist policies. This can be accomplished through configuration of Amazon
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2 as ACL residing on these devices. ACLs are defined, approved by appropriate Virtual Private Cloud (Amazon VPC) network Access Control Lists
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, Amazon’s Information Security team, and managed and deployed using AWS’s (ACL) for controlling inbound/outbound traffic at the subnet level and
PL-8 ACL-management tool. Amazon VPC security groups for controlling traffic at the instance level.
Approved firewall rule sets and access control lists between network fabrics restrict
the flow of information to specific information system services. ACLs and rule sets More information on configuring Amazon VPC is available at
are reviewed and approved and are automatically pushed to boundary protection http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Securit
devices on a periodic basis (at least every 24 hours) to ensure rule sets and access y.html.
control lists are up to date.
AWS implements least privilege throughout its infrastructure components. AWS
prohibits all ports and protocols that do not have a specific business purpose. AWS
follows a rigorous approach to minimal implementation of only those features and
functions that are essential to use of the device. Network scanning is performed,
and any unnecessary ports or protocols in use are corrected.
CA-3 A. There are no system interconnections. AWS customers are responsible for documenting, authorizing, reviewing,
B. There are no system interconnections. and updating Interconnection Security Agreements (ISAs) for connections
C. There are no system interconnections. between their system and other systems that include the following
information for each connection: 1) Interface characteristics, 2) Security
requirements, and 3) The nature of the information communicated. AWS
customers are responsible for reviewing and updating ISAs with at a
frequency defined by their security assessment and authorization policy.
CA-9 Several network fabrics exist at Amazon, each separated by boundary protection AWS customers are responsible for documenting and authorizing internal
devices that control the flow of information between fabrics. The flow of system connections for organization-defined system components or
information between fabrics is established by approved authorizations, which exist classes of components. For each internal connection, the interface
as access control lists (ACL) residing on these devices. ACLs are defined, characteristics, security requirements, and the nature of the information
approved by appropriate Amazon’s Information Security team, managed and communicated should be documented in accordance with the security
deployed using AWS ACL-manage tool. assessment and authorization policy.
the flow of information to specific information system services. Access control
lists and rule sets are reviewed and approved, and are automatically pushed to
boundary protection devices on a periodic basis (at least every 24 hours) to ensure
rule-sets and access control lists are up-to-date.

functions that are essential to use of the device. Network scanning is performed and
any unnecessary ports or protocols in use are corrected.
PL-8 AWS gives customers ownership and control over their content by design through AWS customers are responsible for developing an information security
simple, but powerful tools that allow customers to determine where their content architecture for the information system that: 1) Describes the overall
will be stored, how it will be secured in transit or at rest, and access to their AWS philosophy, requirements, and approach to be taken with regard to
environment will managed. protecting the confidentiality, integrity, and availability of organizational
information, 2) Describes how the information security architecture is
AWS has implemented global privacy and data protection best practices in order to integrated into and supports the enterprise architecture, and 3) Describes
helping customers establish, operate and leverage our security control environment. any information security assumptions about and dependencies on external
These security protections and control processes are independently validated by services.
multiple third-party independent assessments.
AWS customers are responsible for reviewing and updating the
information security architecture at an organization-defined frequency to
reflect updates in the enterprise architecture. Planned information security
architecture changes must be reflected in the security plan, the security
Concept of Operations (CONOPS), and organizational
procurements/acquisitions.
ID.AM-4: External information systems · CIS CSC 12 AWS Certifications, Customer Responsibility AC-20 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for establishing terms and conditions with
are catalogued · COBIT 5 APO02.02, APO10.04, DSS01.02 or vendors) in accordance with the work or service to be provided (e.g., network other organizations owning, operating, and/or maintaining external
· ISO/IEC 27001:2013 A.11.2.6 services agreement, service delivery agreement, or information exchange information systems. Consistent with any trust relationships established
· NIST SP 800-53 Rev. 4 AC-20, SA-9 agreement) and implements appropriate relationship management mechanisms in with these external organizations and in accordance with their access
line with their relationship to the business. Agreements cover, at a minimum, the control policy AWS customers are responsible for authorizing individuals
following: to: 1) Access their system from an external information system and 2)
• Legal and regulatory requirements applicable to AWS Process, store, or transmit organization-controlled information using
• User awareness of information security responsibilities and issues external information systems.
• Arrangements for reporting, notification, and investigation of information
security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational Level
Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in
accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright assignment of
AWS
• Conditions for renegotiation/termination of the agreement.
SA-9 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for: 1) Requiring that providers of
or vendors) in accordance with the work or service to be provided (e.g., network external information system services comply with organizational
services agreement, service delivery agreement, or information exchange information security requirements and employ organization-defined
agreement) and implements appropriate relationship management mechanisms in security controls in accordance with applicable federal laws, Executive
line with their relationship to the business. Agreements cover, at a minimum, the Orders, directives, policies, regulations, standards, and guidance, 2)
following: Defining and documenting government oversight and user roles and
• Legal and regulatory requirements applicable to AWS responsibilities with regard to external information system services, and
• User awareness of information security responsibilities and issues 3) Employing organization-defined processes, methods, and techniques to
• Arrangements for reporting, notification, and investigation of information monitor security control compliance by external service providers on an
security incidents and security breaches ongoing basis.
Agreement [OLA])
AWS
ID.AM-5: Resources (e.g., hardware, · CIS CSC 13, 14 AWS Tagging, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement AWS customers are responsible for developing a contingency plan for
devices, data, and software) are · COBIT 5 APO03.03, APO03.04, procedures to respond to a serious outage or degradation of AWS services, their system that: 1) Identifies essential missions and business functions
prioritized based on their classification, APO12.01, BAI04.02, BAI09.02 including the recovery model and its implications on the business continuity plan. and associated contingency requirements, 2) Provides recovery objectives,
criticality, and business value · ISA 62443-2-1:2009 4.2.3.6 restoration priorities, and metrics, 3) Addresses contingency roles,
· ISO/IEC 27001:2013 A.8.2.1 responsibilities, and assigned individuals with contact information, 4)
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO Addresses maintaining essential missions and business functions despite
SC-6 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented, and 6) Is
reviewed and approved by organization-defined personnel or roles in
accordance with the contingency planning policy.
AWS customers are responsible for distributing copies of the contingency

plan to organization-defined key contingency personnel (identified by
name and/or by role) and organizational elements. Contingency planning
activities must be coordinated with incident handling activities. The
contingency plan must be reviewed at a frequency defined in the
contingency planning policy and updated to address changes to their
organization, system, or environment of operation and problems
encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan

changes to organization-defined personnel and for protecting the
contingency plan from unauthorized disclosure and modification.
RA-2 AWS treats all customer content and associated assets as highly confidential. AWS AWS customers are responsible for: 1) Categorizing their information and
Cloud services are content agnostic in that they offer the same high level of their information system in accordance with applicable federal laws,
security to all customers, regardless of the type of content being stored. We are Executive Orders, directives, policies, regulations, standards, and
vigilant about our customers’ security and have implemented sophisticated guidance, 2) Documenting the security categorization results (including
technical and physical measures against unauthorized access. AWS has no insight supporting rationale) in the security plan for the information system, and
as to what type of content the customer chooses to store in AWS, and the customer 3) Ensuring the security categorization decision is reviewed and approved
retains complete control of how they choose to classify their content, where it is by the AO or authorizing official designated representative.
stored, how it is used, and how it is protected from disclosure.
AWS has implemented data handling and classification requirements that provide
specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
SA-14 N/A N/A

SC-6 AWS operates, manages, and controls the infrastructure components, from the host AWS customers are responsible for configuring their systems to protect
operating system and virtualization layer down to the physical security of the the availability of resources by allocating organization-defined resources
facilities in which the services operate. AWS endpoints are tested as part of AWS by priority, quota, or other organization-defined security safeguard.
compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their confidentiality, More information on configuring for fault tolerance and high availability
integrity, and availability. AWS has implemented secure software development is available at http://media.amazonwebservices.com/architecture
procedures that are followed to ensure that appropriate security controls are center/AWS_ac_ra_ftha_04.pdf.
incorporated into the application design. As part of the application design process,
new applications must participate in an AWS Security review, which includes
registering the application, initiating application risk classification, participating in
architecture review and threat modeling, performing code review, and performing a
penetration test.
ID.AM-6: Cybersecurity roles and · CIS CSC 17, 19 AWS Certifications, IAM Policies, Customer CP-2 The AWS Business Continuity policy lays out the guidelines used to implement AWS customers are responsible for developing a contingency plan for
responsibilities for the entire workforce · COBIT 5 APO01.02, APO07.06, Responsibility procedures to respond to a serious outage or degradation of AWS services, their system that: 1) Identifies essential missions and business functions
and third-party stakeholders (e.g., APO13.01, DSS06.03 including the recovery model and its implications on the business continuity plan. and associated contingency requirements, 2) Provides recovery objectives,
suppliers, customers, partners) are · ISA 62443-2-1:2009 4.3.2.3.3 restoration priorities, and metrics, 3) Addresses contingency roles,
established · ISO/IEC 27001:2013 A.6.1.1 responsibilities, and assigned individuals with contact information, 4)
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO Addresses maintaining essential missions and business functions despite
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA an information system disruption, compromise, or failure, 5) Addresses


PM-11 N/A N/A

PS-7 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for: 1) Establishing personnel security
or vendors) in accordance with the work or service to be provided (e.g., network requirements including security roles and responsibilities for third-party
services agreement, service delivery agreement, or information exchange providers, 2) Requiring third-party providers to comply with personnel
agreement) and implements appropriate relationship management mechanisms in security policies and procedures established by their organization, 3)
line with their relationship to the business. Agreements cover, at a minimum, the Documenting personnel security requirements, 4) Requiring third-party
following: providers to notify organization-defined personnel or roles of any
• Legal and regulatory requirements applicable to AWS personnel transfers or terminations of third-party personnel who possess
• User awareness of information security responsibilities and issues organizational credentials and/or badges or who have information system
• Arrangements for reporting, notification, and investigation of information privileges within an organization-defined time period, and 5) Monitoring
security incidents and security breaches provider compliance.
Agreement [OLA])
AWS
Business Environment (ID.BE): The ID.BE-1: The organization’s role in the · COBIT 5 APO08.01, APO08.04, AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement AWS customers are responsible for developing a contingency plan for
organization’s mission, objectives, supply chain is identified and APO08.05, APO10.03, APO10.04, APO10.05 procedures to respond to a serious outage or degradation of AWS services, their system that: 1) Identifies essential missions and business functions
stakeholders, and activities are communicated · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, including the recovery model and its implications on the business continuity plan. and associated contingency requirements, 2) Provides recovery objectives,
understood and prioritized; this A.15.1.3, A.15.2.1, A.15.2.2 restoration priorities, and metrics, 3) Addresses contingency roles,
information is used to inform · NIST SP 800-53 Rev. 4 CP-2, SA-12 responsibilities, and assigned individuals with contact information, 4)
cybersecurity roles, responsibilities, and Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO Addresses maintaining essential missions and business functions despite
risk management decisions. 27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA an information system disruption, compromise, or failure, 5) Addresses


SA-12 Key suppliers are identified and chosen for their ability to provide service to AWS customers are responsible for protecting against supply chain threats
defined requirements. Qualified suppliers are added to the approved supplier list to the information system, system component, or information system
maintained by the AWS supplier management team. Through the use of established service by employing organization-defined security safeguards as part of a
assessment procedures, AWS continuously monitors suppliers to ensure that they comprehensive, defense-in-breadth information security strategy.
are conforming to specific AWS requirements. The extent of assessment for a
supplier is dependent upon the significance of the product and/or service purchased
and, where applicable, upon previously demonstrated performance.
All purchased materials and services intended for use in production processes are
specified in purchasing documents. All component/material specification
documents are reviewed and approved by management personnel prior to use.
Additional requirements not specified on component/material specifications are
conveyed via purchase orders or contracts. Purchase orders and/or contracts convey
the degree of control AWS establishes with their suppliers to ensure quality
product and/or service.
AWS maintains standard contract review and signature processes that include legal
reviews that focus on protecting AWS resources.
ID.BE-2: The organization’s place in · COBIT 5 APO02.06, APO03.01 AWS Certifications, Customer Responsibility PM-8 N/A N/A
critical infrastructure and its industry · ISO/IEC 27001:2013 Clause 4.1
sector is identified and communicated · NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational · COBIT 5 APO02.01, APO02.06, APO03.01 Customer Responsibility PM-11 N/A N/A
mission, objectives, and activities are · ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 SA-14 N/A N/A
establishedDependencies
ID.BE-4: and communicated
and critical ·· NIST
COBITSP5 800-53 Rev.BAI04.02,
APO10.01, 4 PM-11, SA-14
BAI09.02 AWS Certifications, AWS Best Practices & CP-8 The AWS business continuity plan details the three-phased approach that AWS has N/A
functions for delivery of critical services · ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, Reference Architectures, Customer Responsibility developed to recover and reconstitute the AWS infrastructure:
are established A.12.1.3 • Activation and Notification Phase
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, • Recovery Phase
PM-8, SA-14 • Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution
efforts in a methodical sequence, maximizing the effectiveness of the recovery and
reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions. Each
data center is built to physical, environmental, and security standards in an active-
active configuration, employing an n+1 redundancy model to ensure system
availability in the event of component failure. Components (N) have at least one
independent backup component (+1), so the backup component is active in the
operation even if all other components are fully functional. In order to eliminate
single points of failure, this model is applied throughout AWS, including network
and data center implementation. All data centers are online and serving traffic; no
data center is “cold.” In case of failure, there is sufficient capacity to enable traffic
to be load-balanced to the remaining sites.
PE-11 The AWS data center electrical power systems are designed to be fully redundant N/A
and maintainable without impact to operations, 24 hours a day. Power to AWS data
centers is provided through local power providers. In the event of disruption, UPS
units provide backup power or critical and essential loads in the facility and
generators are used to provide backup power for the entire facility.
Each Availability Zone is designed as an independent failure zone. Automated
processes move customer traffic away from the affected area in the case of a
failure.
PE-9 Access to power equipment, power cabling, and transmission lines are restricted to N/A
authorized personnel and are positioned to prevent intentional or accidental
damage.
PM-8 N/A N/A
SA-14 N/A N/A
ID.BE-5: Resilience requirements to · COBIT 5 BAI03.02, DSS04.02 AWS Certifications, AWS Best Practices & CP-11 N/A N/A
support delivery of critical services are · ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, Reference Architectures, Customer Responsibility CP-2 AWS region fault isolation architecture, Availability Zones (AZ) architecture AWS customers are responsible for developing a contingency plan for
established for all operating states (e.g. A.17.1.2, A.17.2.1 within regions, AWS Certifications, AWS Best Practices & Reference their system that: 1) Identifies essential missions and business functions
under duress/attack, during recovery, · NIST SP 800-53 Rev. 4 CP-2, CP-11, SA- Architectures, Customer Responsibility and associated contingency requirements, 2) Provides recovery objectives,
normal operations) 13, SA-14 restoration priorities, and metrics, 3) Addresses contingency roles,
responsibilities, and assigned individuals with contact information, 4)
Addresses maintaining essential missions and business functions despite
an information system disruption, compromise, or failure, 5) Addresses


SA-13 N/A N/A

SA-14 N/A N/A
Governance (ID.GV): The policies, ID.GV-1: Organizational information · CIS CSC 19 AWS Certifications, AWS Best Practices & AC-1 AWS has established and communicated information security framework and AWS has established and communicated information security framework
procedures, and processes to manage and security policy is established and · COBIT 5 APO01.03, APO13.01, Reference Architectures, Customer Responsibility policies which have integrated the ISO 27001 certifiable framework based on ISO and policies which have integrated the ISO 27001 certifiable framework
monitor the organization’s regulatory, communicated EDM01.01, EDM01.02 27002 controls, American Institute of Certified Public Accountants (AICPA) Trust based on ISO 27002 controls, American Institute of Certified Public
legal, risk, environmental, and · ISA 62443-2-1:2009 4.3.2.6 Services Principles, PCI DSS v3.1 and National Institute of Standards and Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
operational requirements are understood · ISO/IEC 27001:2013 A.5.1.1 Technology (NIST) Publication 800-53 (Recommended Security Controls for National Institute of Standards and Technology (NIST) Publication 800-
and inform the management of · NIST SP 800-53 Rev. 4 -1 controls from all Federal Information Systems). AWS manages third-party relationships in 53 (Recommended Security Controls for Federal Information Systems).
cybersecurity risk. security control families alignment with ISO 27001 standards. AWS Third Party requirements are reviewed AWS manages third-party relationships in alignment with ISO 27001
by independent external standards. AWS Third Party requirements are reviewed by independent
auditors during audits for our PCI DSS, ISO 27001 and FedRAMP compliance. external
auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
compliance.
AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
agreements and obligations through the following activities: and policies which have integrated the ISO 27001 certifiable framework
1) Identifies and evaluates applicable laws and regulations for each of the based on ISO 27002 controls, American Institute of Certified Public
jurisdictions in which AWS operates. Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
2) Documents and implements controls to ensure conformity with all statutory, National Institute of Standards and Technology (NIST) Publication 800-
regulatory, and contractual requirements relevant to AWS. 53 (Recommended Security Controls for Federal Information Systems).
3) Categorizes the sensitivity of information according to the AWS information AWS manages third-party relationships in alignment with ISO 27001
security policies to protect from loss, destruction, falsification, unauthorized standards. AWS Third Party requirements are reviewed by independent
access, and unauthorized release. external
4) Informs and continually trains personnel that must be made aware of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
information security policies to protect sensitive AWS information. compliance.
5) Monitors for nonconformities to the information security policies with a process
in place to take corrective actions and enforce appropriate disciplinary action.
AWS maintains relationships with internal and external parties to monitor legal,
regulatory, and contractual requirements. Should a new security directives be
issued, AWS has documented plans in place to implement that directive with
designated timeframes.
AWS provides customers with evidence of its compliance with applicable legal,
regulatory, and contractual requirements through audit reports, attestations,
certifications, and other compliance enablers. Visit
https://aws.amazon.com/compliance/resources/ for more information.
AWS notifies customers of legally binding requests for customer content unless
otherwise prohibited by law. AWS provides customers with the ability to comply
with their legal, regularity and contractual agreements and obligations.
AT-1 AWS has implemented formal, documented security awareness and training policy AWS has established and communicated information security framework
and procedures that address purpose, scope, roles, responsibilities, management and policies which have integrated the ISO 27001 certifiable framework
commitment, coordination among organizational entities, and compliance. The based on ISO 27002 controls, American Institute of Certified Public
security awareness and training policy and procedures are reviewed and updated at Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
least annually, or sooner if required due to information system changes. The policy National Institute of Standards and Technology (NIST) Publication 800-
is disseminated through the internal Amazon communication portal to all 53 (Recommended Security Controls for Federal Information Systems).
employees, vendors, and contractors prior to receiving authorized access to the AWS manages third-party relationships in alignment with ISO 27001
information system or performing assigned duties. standards. AWS Third Party requirements are reviewed by independent
AWS has developed, documented, and disseminated security awareness and role- external
based security training for personnel responsible for designing, developing, auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
implementing, operating, maintaining, and monitoring AWS systems. Training compliance.
includes, but is not limited to, the following information (when relevant to the
employee’s role):
• Workforce conduct standards
• Candidate background screening procedures
• Clear desk policy and procedures
• Social engineering, phishing, and malware
• Data handling and protection
• Compliance commitments
• Security precautions while traveling
• How to report security and availability failures, incidents, concerns, and other
complaints to appropriate personnel
• How to recognize suspicious communications and anomalous behavior in
organizational information systems
• Practical exercises that reinforce training objectives
• International Traffic in Arms Regulations (ITAR) responsibilities
• Contingency planning
• Incident response
AWS captures and retains training records for at least five years.
CM-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
CP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
IA-1 AWS implements formal, documented policies and procedures that provide AWS has established and communicated information security framework
guidance for operations and information security within the organization and the and policies which have integrated the ISO 27001 certifiable framework
supporting AWS environments. Policies address purpose, scope, roles, based on ISO 27002 controls, American Institute of Certified Public
responsibilities and management commitment. All policies are maintained in a Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
centralized location that is accessible by employees. National Institute of Standards and Technology (NIST) Publication 800-
53 (Recommended Security Controls for Federal Information Systems).
Policies are reviewed approved by AWS leadership at least annually or following a AWS manages third-party relationships in alignment with ISO 27001
significant change to the AWS environment. standards. AWS Third Party requirements are reviewed by independent
external
All employees, vendors, and contractors who require a user account must be on- auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
boarded through Amazon’s HR management system. As part of the onboarding compliance.
workflow, the direct manager of the employee, vendor, or contractor requests the
establishment of a user account. Group or shared accounts are not permitted within
the system boundary. The approved request serves as the approval to establish a
user account.
In the event that an active or inactive user does not comply with the above stated
policy, their account will be locked.
IR-1 AWS has implemented a formal, documented incident response policy and AWS has established and communicated information security framework
program. The policy addresses purpose, scope, roles, responsibilities, and and policies which have integrated the ISO 27001 certifiable framework
management commitment. based on ISO 27002 controls, American Institute of Certified Public
AWS uses a three-phased approach to manage incidents: Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
1. Activation and Notification Phase – Incidents for AWS begin with the detection National Institute of Standards and Technology (NIST) Publication 800-
of an event. Events originate from several sources such as: 53 (Recommended Security Controls for Federal Information Systems).
• Metrics and alarms – AWS maintains an exceptional situational awareness AWS manages third-party relationships in alignment with ISO 27001
capability; most issues are rapidly detected from 24x7x365 monitoring and standards. AWS Third Party requirements are reviewed by independent
alarming of real time metrics and service dashboards. The majority of incidents are external
detected in this manner. AWS uses early indicator alarms to proactively identify auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
issues that may ultimately impact customers. compliance.
• Trouble tickets entered by an AWS employee.
• Calls to the 24x7x365 technical support hotline.
If the event meets incident criteria, the relevant on-call support engineer uses
AWS’s event management tool system to start an engagement and page relevant
program resolvers (e.g., AWS Security). The resolvers will perform an analysis of
the incident to determine if additional resolvers should be engaged and to
determine the approximate root cause.
2. Recovery Phase – The relevant resolvers will perform break fix to address the
incident. After addressing troubleshooting, break fix and affected components, the
call leader will assign follow-up documentation and follow-up actions and end the
call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase complete
after the relevant fix activities have been addressed. The post mortem and deep root
cause analysis of the incident will be assigned to the relevant team. The results of
the post mortem will be reviewed by relevant senior management and actions and
captured in a Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS conducts
incident response testing. This testing provides excellent coverage for the
discovery of previously unknown defects and failure modes. In addition, it allows
the AWS Security and service teams to test the systems for potential customer
impact and further prepare staff to handle incidents such as detection and analysis,
containment, eradication, and recovery, and post-incident activities.
The incident response test plan is executed annually, in conjunction with the
MA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
MP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
PS-1 AWS has implemented formal, documented security awareness and training policy AWS has established and communicated information security framework
and procedures that address purpose, scope, roles, responsibilities, management and policies which have integrated the ISO 27001 certifiable framework
commitment, coordination among organizational entities, and compliance. The based on ISO 27002 controls, American Institute of Certified Public
security awareness and training policy and procedures are reviewed and updated at Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
least annually, or sooner if required due to information system changes. The policyNational Institute of Standards and Technology (NIST) Publication 800-
is disseminated through the internal Amazon communication portal to all 53 (Recommended Security Controls for Federal Information Systems).
employees, vendors, and contractors prior to receiving authorized access to the AWS manages third-party relationships in alignment with ISO 27001
information system or performing assigned duties. standards. AWS Third Party requirements are reviewed by independent
external
AWS has a formal access control policy that is reviewed and updated on an annual auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
basis (or when any major change to the system occurs that impacts the policy). The compliance.
policy addresses purpose, scope, roles, responsibilities and management
commitment. Access control procedures are systematically enforced through
proprietary tools.
Procedures exist so that Amazon employee and contractor user accounts are added,
modified, or disabled in a timely manner and are reviewed on a periodic basis. In
addition, password complexity settings for user authentication to AWS systems are
managed in compliance with Amazon’s Corporate Password Policy.
AWS has established formal policies and procedures to delineate standards for
logical access to AWS platform and infrastructure hosts. Where permitted by law,
AWS requires that all employees undergo a background investigation
commensurate with their position and level of access. The policies also identify
functional responsibilities for the administration of logical access and security.
PE-1 AWS has implemented a formal, documented physical and environmental AWS has established and communicated information security framework
protection policy that is updated and reviewed annually. and policies which have integrated the ISO 27001 certifiable framework
based on ISO 27002 controls, American Institute of Certified Public
Policies are reviewed approved by AWS leadership at least annually or following a Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
significant change to the AWS environment. National Institute of Standards and Technology (NIST) Publication 800-
AWS maintains relationships with internal and external parties to monitor legal, AWS manages third-party relationships in alignment with ISO 27001
regulatory, and contractual requirements. Should a new security directives be standards. AWS Third Party requirements are reviewed by independent
issued, AWS has documented plans in place to implement that directive with external
designated timeframes. auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
compliance.
PL-1 AWS has established formal policies and procedures to delineate standards for AWS has established and communicated information security framework
logical access to AWS platform and infrastructure hosts. Where permitted by law, and policies which have integrated the ISO 27001 certifiable framework
AWS requires that all employees undergo a background investigation based on ISO 27002 controls, American Institute of Certified Public
commensurate with their position and level of access. The policies also identify Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
functional responsibilities for the administration of logical access and security. National Institute of Standards and Technology (NIST) Publication 800-
AWS has a formal access control policy that is reviewed and updated on an annual AWS manages third-party relationships in alignment with ISO 27001
basis (or when any major change to the system occurs that impacts the policy). The standards. AWS Third Party requirements are reviewed by independent
policy addresses purpose, scope, roles, responsibilities and management external
commitment. Access control procedures are systematically enforced through auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
proprietary tools. compliance.
PM-1 AWS has established an information security management program with AWS has established and communicated information security framework
designated roles and responsibilities that are appropriately aligned within the and policies which have integrated the ISO 27001 certifiable framework
organization. AWS management reviews and evaluates the risks identified in the based on ISO 27002 controls, American Institute of Certified Public
risk management program at least annually. The risk management program Accountants (AICPA) Trust Services Principles, PCI DSS v3.1 and
encompasses the following phases: National Institute of Standards and Technology (NIST) Publication 800-
• Identify – The identification phase includes listing out risks (threats and 53 (Recommended Security Controls for Federal Information Systems).
vulnerabilities) that exist in the environment. This phase provides a basis for all AWS manages third-party relationships in alignment with ISO 27001
other risk management activities. standards. AWS Third Party requirements are reviewed by independent
• Assess – The assessment phase considers the potential impact(s) of identified external
risks to the business and its likelihood of occurrence and includes an evaluation of auditors during audits for our PCI DSS, ISO 27001 and FedRAMP
internal control effectiveness. compliance.
• Mitigate – The mitigate phase includes putting controls, processes, and other
physical and virtual safeguards in place to prevent and detect identified and
assessed risks.
• Report – The report phase results in risk reports provided to managers with the
data they need to make effective business decisions and to comply with internal
policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring
activities to evaluate whether processes, initiatives, functions, and/or activities are
mitigating the risk as designed.
RA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
CA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
SC-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
SI-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
SA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS has established and communicated information security framework
ID.GV-2: Information Cybersecurity · CIS CSC 19 AWS Certifications, Customer Responsibility PM-1 AWS provides security policies and security training to employees to educate them AWS customers are responsible for developing and implementing a
security roles & responsibilities are · COBIT 5 APO01.02, APO10.03, as to their role and responsibilities concerning cybersecurity. Employees who cybersecurity program that includes roles and responsibilities of internal
coordinated and aligned with internal APO13.02, DSS05.04 violate Amazon standards or protocols are investigated and appropriate disciplinary and external stakeholders, along with methods of communications and
roles and external partners · ISA 62443-2-1:2009 4.3.2.3.3 action (e.g. warning, performance plan, suspension, and/or termination) is coordination.
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, followed. Refer to the AWS Cloud Security Whitepaper for additional details -
A.15.1.1 available at http://aws.amazon.com/security. Refer to ISO 27001 Annex A, domain
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2 7 for additional details. AWS has been validated and certified by an independent
auditor to confirm alignment with ISO 27001 certification standard.
PM-2 N/A N/A

PS-7 AWS creates and maintains written agreements with third parties (e.g., contractors AWS customers are responsible for: 1) Establishing personnel security
or vendors) in accordance with the work or service to be provided (e.g., network requirements including security roles and responsibilities for third-party
services agreement, service delivery agreement, or information exchange providers, 2) Requiring third-party providers to comply with personnel
agreement) and implements appropriate relationship management mechanisms in security policies and procedures established by their organization, 3)
line with their relationship to the business. Agreements cover, at a minimum, the Documenting personnel security requirements, 4) Requiring third-party
following: providers to notify organization-defined personnel or roles of any
• Legal and regulatory requirements applicable to AWS personnel transfers or terminations of third-party personnel who possess
• User awareness of information security responsibilities and issues organizational credentials and/or badges or who have information system
• Arrangements for reporting, notification, and investigation of information privileges within an organization-defined time period, and 5) Monitoring
security incidents and security breaches provider compliance.
Agreement [OLA]) IAM Policies allow customers to achieve detailed, least-privilege access
• Service continuity requirements (e.g., Recovery Time Objective [RTO]), in management by allowing you to create multiple users within their AWS
accordance with AWS business priorities account, assign them security credentials, and manage their permissions.
• Protection of Intellectual Property Rights (IPR) and copyright assignment of IAM Roles allows the customer to temporarily delegate access to users or
AWS services that normally don't have access to your AWS resources by
• Conditions for renegotiation/termination of the agreement. defining a set of permissions to access the resources that a user or service
needs.
ID.GV-3: Legal and regulatory · CIS CSC 19 AWS Certifications, Customer Responsibility AC-1 AWS implements formal, documented policies and procedures that provide AWS customers are responsible for developing, documenting,
requirements regarding cybersecurity, · COBIT 5 BAI02.01, MEA03.01, MEA03.04 guidance for operations and information security within the organization and the maintaining, disseminating, and implementing an access control policy
including privacy and civil liberties · ISA 62443-2-1:2009 4.4.3.7 supporting AWS environments. Policies address purpose, scope, roles, and supporting procedures. AWS customers are responsible for reviewing
obligations, are understood and · ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, responsibilities, and management commitment. All policies are maintained in a and updating the policy and procedures at a frequency defined by their
managed A.18.1.3, A.18.1.4, A.18.1.5 centralized location that is accessible by employees. organization.
· NIST SP 800-53 Rev. 4 -1 controls from all
security control families
AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing an audit and accountability
1) Identifies and evaluates applicable laws and regulations for each of the policy along with supporting procedures. AWS customers are responsible
jurisdictions in which AWS operates. for reviewing and updating the policy and procedures at a frequency
2) Documents and implements controls to ensure conformity with all statutory, defined by their organization.
regulatory, and contractual requirements relevant to AWS.
3) Categorizes the sensitivity of information according to the AWS information More information on implementing logging with an AWS account is
security policies to protect from loss, destruction, falsification, unauthorized available at https://aws.amazon.com/whitepapers/security-at-scale-
access, and unauthorized release. logging-in-aws/ and http://aws.amazon.com/cloudtrail/
4) Informs and continually trains personnel that must be made aware of
information security policies to protect sensitive AWS information.
AT-1 AWS has implemented formal, documented security awareness and training policy AWS customers are responsible for developing, documenting,
and procedures that address purpose, scope, roles, responsibilities, management maintaining, disseminating, and implementing a security awareness and
commitment, coordination among organizational entities, and compliance. The training policy along with supporting procedures. AWS customers are
security awareness and training policy and procedures are reviewed and updated at responsible for reviewing and updating the policy and procedures at a
least annually, or sooner if required due to information system changes. The policy frequency defined by their organization.
is disseminated through the internal Amazon communication portal to all
employees, vendors, and contractors prior to receiving authorized access to the
information system or performing assigned duties.
AWS has developed, documented, and disseminated security awareness and role-
based security training for personnel responsible for designing, developing,
implementing, operating, maintaining, and monitoring AWS systems. Training
includes, but is not limited to, the following information (when relevant to the
employee’s role):
CM-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a configuration
1) Identifies and evaluates applicable laws and regulations for each of the management policy along with supporting procedures. AWS customers
jurisdictions in which AWS operates. are responsible for reviewing and updating the policy and procedures at a
2) Documents and implements controls to ensure conformity with all statutory, frequency defined by their organization.
3) Categorizes the sensitivity of information according to the AWS information
security policies to protect from loss, destruction, falsification, unauthorized
access, and unauthorized release.
CP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a contingency planning
1) Identifies and evaluates applicable laws and regulations for each of the policy along with supporting procedures. AWS customers are responsible
jurisdictions in which AWS operates. for reviewing and updating the policy and procedures at a frequency
2) Documents and implements controls to ensure conformity with all statutory, defined by their organization.
IA-1 AWS implements formal, documented policies and procedures that provide AWS customers are responsible for developing, documenting,
guidance for operations and information security within the organization and the maintaining, disseminating, and implementing an identification and
supporting AWS environments. Policies address purpose, scope, roles, authentication policy along with supporting procedures. AWS customers
responsibilities and management commitment. All policies are maintained in a are responsible for reviewing and updating the policy and procedures at a
centralized location that is accessible by employees. frequency defined by their organization.
Policies are reviewed approved by AWS leadership at least annually or following a

significant change to the AWS environment.
All employees, vendors, and contractors who require a user account must be on-
boarded through Amazon’s HR management system. As part of the onboarding
workflow, the direct manager of the employee, vendor, or contractor requests the
establishment of a user account. Group or shared accounts are not permitted within
the system boundary. The approved request serves as the approval to establish a
user account.
In the event that an active or inactive user does not comply with the above stated
policy, their account will be locked.
IR-1 AWS has implemented a formal, documented incident response policy and AWS customers are responsible for developing, documenting,
program. The policy addresses purpose, scope, roles, responsibilities, and maintaining, disseminating, and implementing an incident response policy
management commitment. along with supporting procedures. AWS customers are responsible for
AWS uses a three-phased approach to manage incidents: reviewing and updating the policy and procedures at a frequency defined
1. Activation and Notification Phase – Incidents for AWS begin with the detection by their organization.
of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring and
alarming of real time metrics and service dashboards. The majority of incidents are
detected in this manner. AWS uses early indicator alarms to proactively identify
issues that may ultimately impact customers.
the incident to determine if additional resolvers should be engaged and to
incident. After addressing troubleshooting, break fix and affected components, the
call leader will assign follow-up documentation and follow-up actions and end the
call engagement.
discovery of previously unknown defects and failure modes. In addition, it allows
the AWS Security and service teams to test the systems for potential customer
impact and further prepare staff to handle incidents such as detection and analysis,
MA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing an maintenance policy
1) Identifies and evaluates applicable laws and regulations for each of the along with supporting procedures. AWS customers are responsible for
jurisdictions in which AWS operates. reviewing and updating the policy and procedures at a frequency defined
2) Documents and implements controls to ensure conformity with all statutory, by their organization.
MP-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual N/A
agreements and obligations through the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the
jurisdictions in which AWS operates.
2) Documents and implements controls to ensure conformity with all statutory,
PS-1 AWS has implemented formal, documented security awareness and training policy AWS customers are responsible for developing, documenting,
and procedures that address purpose, scope, roles, responsibilities, management maintaining, disseminating, and implementing a personnel security policy
commitment, coordination among organizational entities, and compliance. The along with supporting procedures. AWS customers are responsible for
security awareness and training policy and procedures are reviewed and updated at reviewing and updating the policy and procedures at a frequency defined
least annually, or sooner if required due to information system changes. The policy by their organization.
is disseminated through the internal Amazon communication portal to all
employees, vendors, and contractors prior to receiving authorized access to the
information system or performing assigned duties.
AWS has a formal access control policy that is reviewed and updated on an annual
basis (or when any major change to the system occurs that impacts the policy). The
proprietary tools.
AWS has established formal policies and procedures to delineate standards for
logical access to AWS platform and infrastructure hosts. Where permitted by law,
AWS requires that all employees undergo a background investigation
commensurate with their position and level of access. The policies also identify
functional responsibilities for the administration of logical access and security.
PE-1 AWS has implemented a formal, documented physical and environmental N/A
protection policy that is updated and reviewed annually.
Policies are reviewed approved by AWS leadership at least annually or following a

significant change to the AWS environment.
PL-1 AWS has established formal policies and procedures to delineate standards for AWS customers are responsible for developing, documenting,
logical access to AWS platform and infrastructure hosts. Where permitted by law, maintaining, disseminating, and implementing a security planning policy
AWS requires that all employees undergo a background investigation along with supporting procedures. AWS customers are responsible for
commensurate with their position and level of access. The policies also identify reviewing and updating the policy and procedures at a frequency defined
functional responsibilities for the administration of logical access and security. by the organization.
AWS has a formal access control policy that is reviewed and updated on an annual
basis (or when any major change to the system occurs that impacts the policy). The
proprietary tools.
PM-1 AWS has established an information security management program with N/A
designated roles and responsibilities that are appropriately aligned within the
organization. AWS management reviews and evaluates the risks identified in the
risk management program at least annually. The risk management program
encompasses the following phases:
• Identify – The identification phase includes listing out risks (threats and
vulnerabilities) that exist in the environment. This phase provides a basis for all
other risk management activities.
• Assess – The assessment phase considers the potential impact(s) of identified
risks to the business and its likelihood of occurrence and includes an evaluation of
internal control effectiveness.
• Mitigate – The mitigate phase includes putting controls, processes, and other
physical and virtual safeguards in place to prevent and detect identified and
assessed risks.
• Report – The report phase results in risk reports provided to managers with the
data they need to make effective business decisions and to comply with internal
policies and applicable regulations.
• Monitor – The monitor phase includes AWS Compliance performing monitoring
activities to evaluate whether processes, initiatives, functions, and/or activities are
mitigating the risk as designed.
RA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a risk assessment policy
1) Identifies and evaluates applicable laws and regulations for each of the along with supporting procedures. AWS customers are responsible for
jurisdictions in which AWS operates. reviewing and updating the policy and procedures at a frequency defined
2) Documents and implements controls to ensure conformity with all statutory, by their organization.
CA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a security assessment and
1) Identifies and evaluates applicable laws and regulations for each of the authorization policy along with supporting procedures. AWS customers
jurisdictions in which AWS operates. are responsible for reviewing and updating the policy and procedures at a
SC-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and
1) Identifies and evaluates applicable laws and regulations for each of the communications protection policy along with supporting procedures.
jurisdictions in which AWS operates. AWS customers are responsible for reviewing and updating the policy and
2) Documents and implements controls to ensure conformity with all statutory, procedures at a frequency defined by their organization.
SI-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and information
1) Identifies and evaluates applicable laws and regulations for each of the integrity policy along with supporting procedures. AWS customers are
jurisdictions in which AWS operates. responsible for reviewing and updating the policy and procedures at a
SA-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual AWS customers are responsible for developing, documenting,
agreements and obligations through the following activities: maintaining, disseminating, and implementing a system and services
1) Identifies and evaluates applicable laws and regulations for each of the acquisition policy along with supporting procedures. AWS customers are
jurisdictions in which AWS operates. responsible for reviewing and updating the policy and procedures at a
ID.GV-4: Governance and risk · COBIT 5 EDM03.02, APO12.02, AWS Certifications, Customer Responsibility PM-10 AWS management leads an information security program that identifies and N/A
management processes address APO12.05, DSS04.02 establishes security goals that are relevant to business requirements. Annual
cybersecurity risks · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, evaluations are performed to allocate the resources necessary for performing
4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3 information security activities within AWS to meet or exceed customer and service
· ISO/IEC 27001:2013 Clause 6 specifications. AWS leadership review input includes:
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, • Results of audits and reviews.
PM-9, PM-10, PM-11 • Feedback from interested parties.
• Techniques, products, or procedures that could be used in the organization to
improve security, quality, system performance, and effectiveness.
• Status of preventative and corrective actions.
• Vulnerabilities or threats not adequately addressed in the previous risk
assessment.
• Results from effectiveness measurements.
• Follow-up actions from previous leadership reviews.
• Any changes that could affect the ISMS.
• Recommendations for improvement.
• Customer feedback.
PM-11 N/A N/A

PM-3 N/A N/A
PM-7 N/A N/A
PM-9 N/A N/A
SA-2 The output of AWS leadership reviews include any decisions or actions related to AWS customers are responsible for: 1) Determining information security
the following: requirements for the information system or information system service in
• Improvement of the effectiveness of the ISMS. mission/business process planning, 2) Determining, documenting, and
• Update of the risk assessment and risk treatment plan. allocating the resources required to protect the information system or
• Modification of procedures and controls that affect information security, as information system service as part of its capital planning and investment
necessary, to respond to internal or external events that may impact the ISMS. This control process, and 3) Establishing a discrete line item for information
includes changes to business requirements, security requirements, business security in organizational programming and budgeting documentation.
processes affecting the existing business requirements, regulatory or legal
requirements, contractual obligations, levels of risk, and/or criteria for accepting
risk.
• Resource needs.
• Improvement in how the effectiveness of controls is being measured.
Risk Assessment (ID.RA): The ID.RA-1: Asset vulnerabilities are · CIS CSC 4 AWS Certifications, Customer Responsibility CA-2 The AWS Compliance Assessment Team (CAT) maintains a documented audit AWS customers are responsible for conducting security assessments for
organization understands the identified and documented · COBIT 5 APO12.01, APO12.02, schedule of internal and external assessments to ensure implementation and their systems. Within this context and in accordance with their security
cybersecurity risk to organizational APO12.03, APO12.04, DSS05.01, DSS05.02 operating effectiveness of the AWS control environment to meet business, assessment and authorization policy, AWS customers are responsible for:
operations (including mission, functions, · ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, regulatory, and contractual objectives. 1) Developing a security assessment plan that describes the security
image, or reputation), organizational 4.2.3.12 The needs and expectations of internal and external parties are considered controls and control enhancements under assessment, assessment
assets, and individuals. · ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 throughout the development, implementation, and auditing of the AWS control procedures used to determine effectiveness, the assessment environment,
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, environment. Parties include, but are not limited to: the assessment team, and the assessment roles and responsibilities, 2)
RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5  AWS customers, including customers with a contractual interest and potential Assessing security controls in their system and its environment of
customers. operation at an organization-defined frequency to determine the extent to
 External parties to AWS, including regulatory bodies such as the external which the controls are implemented correctly, operating as intended, and
auditors and certifying agents. producing the desired outcome with respect to meeting established
 Internal parties such as AWS services and infrastructure teams, security, legal, security requirements, 3) Producing a security assessment report that
and overarching administrative and corporate teams. documents the results of the assessment, and 4) Providing the results of
the security control assessment to their organization-defined individuals
or roles.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous AWS customers are responsible for developing a continuous monitoring
risk assessment and monitoring process. Additionally, annual security assessments strategy and implementing a continuous monitoring program in
are conducted by an accredited Third-Party Assessment Organization (3PAO) to accordance with their security assessment and authorization policy that
validate that implemented security controls continue to be effective. Security defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and
assessments that include a risk analysis and a Plan of Action and Milestones reporting, and 3) Personnel or roles responsible for conducting and
(POA&M) are submitted to authorizing officials for review and approval. receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1)
Establishing and configuring monitoring for defined metrics, 2)
Monitoring and conducting assessments as organization-defined
frequencies, 3) Conducting ongoing security control assessments, 4)
Conducting ongoing security status monitoring of their organization-
defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response
actions to address the results of the analysis of security-related
information, and 6) Reporting the security status of their organization and
the information system to the organization-defined personnel or roles at
the organization-defined frequency.
CA-8 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for conducting penetration testing on
conducting security-related activities within the system boundary. Activities organization-defined systems or system components at a frequency
include vulnerability scanning, contingency testing, and incident response prescribed by their security assessment and authorization policy.
exercises. AWS performs external vulnerability assessments at least quarterly, and
identified issues are investigated and tracked to resolution. Additionally, AWS
performs unannounced penetration tests by engaging independent third parties to
probe the defenses and device configuration settings within the system.
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and
proactively monitor vendors’ websites and other relevant outlets for new patches.
AWS customers also have the ability to report issues to AWS via the AWS
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability-
reporting/.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4)
Disseminating risk assessment results to organization-defined personnel
or roles, and 5) Updating the risk assessment at an organization-defined
frequency or whenever there are significant changes to the information
system or environment of operation (including the identification of new
threats and vulnerabilities) or other conditions that may impact the
security state of the system.
RA-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Scanning for vulnerabilities in
conducting security-related activities within the system boundary. Activities their information system and hosted applications at an organization-
include vulnerability scanning, contingency testing, and incident response defined frequency and/or randomly in accordance with their organization-
exercises. AWS performs external vulnerability assessments at least quarterly, and defined process and when new vulnerabilities potentially affecting the
identified issues are investigated and tracked to resolution. Additionally, AWS system/applications are identified and reported; 2) Employing
performs unannounced penetration tests by engaging independent third parties to vulnerability scanning tools and techniques that promote interoperability
probe the defenses and device configuration settings within the system. among tools and automated parts of the vulnerability management process
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and by using standards for: a) Enumerating platforms, software flaws, and
proactively monitor vendors’ websites and other relevant outlets for new patches. improper configurations, b) Formatting and making transparent checklists
AWS customers also have the ability to report issues to AWS via the AWS and test procedures, and c) Measuring vulnerability impact; 3) Analyzing
Vulnerability Reporting website at http://aws.amazon.com/security/vulnerability- vulnerability scan reports and results from security control assessments;
reporting/. 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk;
and 5) Sharing information obtained from the vulnerability scanning
process and security control assessments with organization-defined
personnel or roles to help eliminate similar vulnerabilities in other
information systems (i.e., systemic weaknesses or deficiencies).
Prior to conducting penetration testing or vulnerability scanning activities,

AWS customers are required to request authorization through the
following URL:
https://aws.amazon.com/security/penetration-testing/.
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle):

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle):
AWS Customers are responsible for meeting scanning requirements on
their databases in accordance with organization-defined frequency and/or
when new vulnerabilities have been identified. Also, AWS Customers are
required to remediate legitimate findings within the organization-defined
timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL

database service. AWS Customers offload database management tasks
such as hardware or software provisioning, setup and configuration,
SA-11 AWS applies a systematic approach to managing change to ensure that all changes AWS customers are responsible for requiring the developer of their
to a production environment are reviewed, tested, and approved. Facilities, information system, system component, or information system service to:
equipment, and software components of production operations are identified 1) Create and implement a security assessment plan, 2) Perform unit,
throughout their lifecycle to ensure that only acceptable components are used in integration, system, and/or regression testing/evaluation at organization-
production. defined depth and coverage, 3) Produce evidence of the execution of the
security assessment plan and the results of the security testing/evaluation,
The development, test and production environments emulate the production system 4) Implement a verifiable flaw remediation process, and 5) Correct flaws
environment and are used to properly assess and prepare for the impact of a change identified during security testing/evaluation.
to the production system environment. In order to reduce the risks of unauthorized
access or change to the production environment, the development, test and
production environments are logically separated. In order to apply changes to the
AWS production environments, AWS service teams must first run a full set of tests
in the test environment, and the testing methodology must be documented.
The AWS service, including application programming interfaces (APIs), are

labeled and marked by identifiers. Facilities, equipment, and software components
are tracked such that quality-impacting issues and errors are traceable to related
components.
SA-5 AWS documents, tracks and monitors its legal, regulatory and contractual AWS customers are responsible for: 1) Obtaining administrator
agreements and obligations. In order to do so, AWS performs and maintains the documentation for their systems, system components, or information
following activities: system services that describes: a) Secure configuration, installation, and
operation of the system, component, or service, b) Effective use and
1) Identifies and evaluates applicable laws and regulations for each of the maintenance of security functions/mechanisms, and c) Known
jurisdictions in which AWS operates vulnerabilities regarding configuration and use of administrative (i.e.,
2) Documents and implements controls to ensure conformity with all statutory, privileged) functions; 2) Obtaining user documentation for their systems,
regulatory and contractual requirements relevant to AWS system components, or information system services that describes: a)
3) Categorizes the sensitivity of information according to the AWS information User-accessible security functions/mechanisms and how to effectively use
security policies to protect from loss, destruction, falsification, unauthorized access those security functions/mechanisms, b) Methods for user interaction that
and unauthorized release enables individuals to use the system, component, or service in a more
4) Informs and continually trains personnel that must be made aware of secure manner, and c) User responsibilities in maintaining the security of
information security policies to protect sensitive AWS information the system, component, or service; 3) Documenting attempts to obtain
5) Monitors for nonconformities to the information security policies with a process information system, system component, or information system service
in place to take corrective actions and enforce appropriate disciplinary action documentation for their systems when such documentation is either
unavailable or nonexistent and taking organization-defined actions in
AWS maintains relationships with internal and external parties to monitor legal, response; 4) Protecting documentation as required and in accordance with
regulatory, and contractual requirements. Should a new security directives be their system and services acquisition policy; and 5) Distributing
issued, AWS has documented plans in place to implement that directive with documentation to organization-defined personnel or roles.
AWS provides Customers with evidence of its compliance with applicable legal,
certifications and other compliance enablers. Visit
aws.amazon.com/compliance/resources for additional information.
SI-2 AWS Security performs regular vulnerability scans on the host operating system, AWS customers are responsible for: 1) Identifying, reporting, and
web application, and databases in the AWS environment using a variety of tools. correcting information system flaws, 2) Testing software and firmware
External vulnerability assessments are conducted by an AWS approved third party updates related to flaw remediation for effectiveness and potential side
vendor at least annually, and identified issues are investigated and tracked to effects before installation, 3) Installing security-relevant software and
resolution. Vulnerabilities that are identified are monitored and evaluated and firmware updates within an organization-defined time period of the
countermeasures are designed, implemented, and operated to compensate for release of the updates, and 4) Incorporating flaw remediation into the
known and newly identified vulnerabilities. organizational configuration management process.
RDS Specific (MySQL, MariaDB, SQL Server and Postgres): AWS

Customers are responsible for identifying, reporting, and patching their
database engines. The RDS service notifies AWS customers through
AWS announcements and email announcements whenever a new version
is available. The customer will be able to go through the management
console or CLI to update their particular RDS engine (Update options:
Update Now or Update in the next maintenance window). The AWS
Customer is responsible performing tests on updated RDS engine versions
before deploying to their environment to mitigate any potential
performance issues.
RDS Specific (Oracle): AWS Customers are responsible for identifying,

reporting, and patching their database engines. The RDS service notifies
AWS customers through AWS announcements and email announcements
whenever a new RDS engine version is available. Please note, RDS
Oracle engines and patches has a vendor dependency. RDS Oracle updates
relies on the vendor to merge AWS customized patches with Oracle
releases to ensure all functionality is kept. Once a merged patch is created
and validated, AWS will make the engine version available for customers.
The customer will be able to go through the management console or CLI
to update their particular RDS engine (Update options: Update Now or
Update in the next maintenance window). The AWS Customer is
responsible for performing tests on updated RDS (Oracle) engine versions
before deploying to their environment to mitigate any potential
performance issues.
SI-4 AWS deploys monitoring devices throughout the environment to collect critical AWS customers are responsible for: 1) Monitoring their information
information on unauthorized intrusion attempts, usage abuse, and network and system to detect: a) Attacks and indicators of potential attacks in
application bandwidth usage. Monitoring devices are placed within the AWS accordance with organization-defined monitoring objectives and b)
environment to detect and monitor for: Unauthorized local, network, and remote connections; 2) Identifying
• Port scanning attacks unauthorized use of the information system through organization-defined
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software techniques and methods; 3) Deploying monitoring devices: a)
generated loss) Strategically within the information system to collect organization-
• Application performance metrics determined essential information and b) At ad hoc locations within the
• Unauthorized connection attempts system to track specific types of transactions of interest to their
AWS provides near real-time alerts when the AWS monitoring tools show organization; 4) Protecting information obtained from intrusion-
indications of compromise or potential compromise, based upon threshold alarming monitoring tools from unauthorized access, modification, and deletion; 5)
mechanisms determined by AWS service and Security teams. Heightening the level of information system monitoring activity whenever
External access to data stored in Amazon S3 is logged. The logs are retained for at there is an indication of increased risk to organizational operations and
least 90 days and include relevant access request information such as the data assets, individuals, other organizations, or the Nation based on law
accessor IP address, object, and operation. enforcement information, intelligence information, or other credible
All requests to KMS are logged and available in the AWS account’s AWS sources of information; 6) Obtaining legal opinion with regard to
CloudTrail bucket in Amazon S3. The logged requests provide information about information system monitoring activities in accordance with applicable
who made the request and under which CMK and will also describe information federal laws, Executive Orders, directives, policies, or regulations; and 7)
about the AWS resource that was protected through the use of the CMK. These log Providing organization-defined information system monitoring
events are visible to the customer after turning on AWS CloudTrail in their information to organization-defined personnel or roles as needed or in
account. accordance with an organization-defined frequency.
SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
conducting security-related activities within the system boundary. Activities security alerts, advisories, and directives from organization-defined
include vulnerability scanning, contingency testing, and incident response external organizations on an ongoing basis, 2) Generating internal security
exercises. AWS performs external vulnerability assessments at least quarterly, and alerts, advisories, and directives as deemed necessary, 3) Disseminating
identified issues are investigated and tracked to resolution. Additionally, AWS security alerts, advisories, and directives to organization-defined
performs unannounced penetration tests by engaging independent third parties to personnel, roles, organizational elements and/or external organizations,
probe the defenses and device configuration settings within the system. and 4) Implementing security directives in accordance with established
AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and time frames or notifying the issuing organization of the degree of
proactively monitor vendors’ websites and other relevant outlets for new patches. noncompliance.
reporting/.
ID.RA-2: Threat and vulnerability · CIS CSC 4 AWS Certifications, Customer Responsibility PM-15 AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and N/A
information is received from · COBIT 5 BAI08.01 proactively monitor vendors’ websites and other relevant outlets for new patches.
information sharing forums and sources · ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
PM-16 N/A N/A
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-
16 SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
reporting/.
ID.RA-3: Threats, both internal and · CIS CSC 4 AWS Certifications, Customer Responsibility, AWS PM-12 N/A N/A
external, are identified and documented · COBIT 5 APO12.01, APO12.02, Trusted Advisor PM-16 N/A N/A
APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12,
PM-16
ID.RA-3: Threats, both internal and · CIS CSC 4 AWS Certifications, Customer Responsibility, AWS
external, are identified and documented · COBIT 5 APO12.01, APO12.02, Trusted Advisor
APO12.03, APO12.04 RA-3 AWS performs a continuous risk assessment process to identify, evaluate and AWS customers are responsible for: 1) Conducting an assessment of risk
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 mitigate risks across the company. The process involves developing and to include the likelihood and magnitude of harm from the unauthorized
· ISO/IEC 27001:2013 Clause 6.1.2 implementing risk treatment plans to mitigate risks as necessary. The AWS risk access, use, disclosure, disruption, modification, or destruction of their
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, management team monitors and escalates risks on a continuous basis, performing information system and the information it processes, stores, or transmits,
PM-16 risk assessments on newly implemented controls at least every six months. 2) Documenting risk assessment results in the system plan, security
SI-5 AWS Security notifies and coordinates with the appropriate service teams when AWS customers are responsible for: 1) Receiving information system
reporting/.
ID.RA-4: Potential business impacts · CIS CSC 4 AWS Certifications, Customer Responsibility PM-11 N/A N/A
and likelihoods are identified · COBIT 5 DSS04.02 PM-9 N/A N/A
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 RA-2 AWS treats all customer content and associated assets as highly confidential. AWS AWS customers are responsible for: 1) Categorizing their information and
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2 Cloud services are content agnostic in that they offer the same high level of their information system in accordance with applicable federal laws,
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA- security to all customers, regardless of the type of content being stored. We are Executive Orders, directives, policies, regulations, standards, and
14, PM-9, PM-11 vigilant about our customers’ security and have implemented sophisticated guidance, 2) Documenting the security categorization results (including
• Data encryption
• Access
• Retention
• Mobile devices
SA-14 N/A N/A

ID.RA-5: Threats, vulnerabilities, · CIS CSC 4 AWS Certifications, Customer Responsibility PM-16 N/A N/A
likelihoods, and impacts are used to · COBIT 5 APO12.02 RA-2 AWS treats all customer content and associated assets as highly confidential. AWS AWS customers are responsible for: 1) Categorizing their information and
determine risk · ISO/IEC 27001:2013 A.12.6.1 Cloud services are content agnostic in that they offer the same high level of their information system in accordance with applicable federal laws,
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM- security to all customers, regardless of the type of content being stored. We are Executive Orders, directives, policies, regulations, standards, and
16 vigilant about our customers’ security and have implemented sophisticated guidance, 2) Documenting the security categorization results (including
• Data encryption
• Access
• Retention
• Mobile devices
ID.RA-6: Risk responses are identified · CIS CSC 4 AWS Certifications, Customer Responsibility PM-4 N/A N/A
and prioritized · COBIT 5 APO12.05, APO13.02 PM-9 N/A N/A
Risk Management Strategy (ID.RM): ID.RM-1: Risk management processes ·· ISO/IEC
CIS CSC 27001:2013
4 Clause 6.1.3 AWS Certifications, Customer Responsibility PM-9 N/A N/A
The organization’s priorities, constraints, are established, managed, and agreed to · COBIT 5 APO12.04, APO12.05,
risk tolerances, and assumptions are by organizational stakeholders APO13.02, BAI02.03, BAI04.02
established and used to support · ISA 62443-2-1:2009 4.3.4.2
operational risk decisions. · ISO/IEC 27001:2013 Clause 6.1.3, Clause
8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9
ID.RM-2: Organizational risk tolerance · COBIT 5 APO12.06 AWS Certifications, Customer Responsibility PM-9 N/A N/A
is determined and clearly expressed · ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause
8.3
· NIST SP 800-53 Rev. 4 PM-9
ID.RM-3: The organization’s · COBIT 5 APO12.02 AWS Certifications, Customer Responsibility PM-11 N/A N/A
determination of risk tolerance is · ISO/IEC 27001:2013 Clause 6.1.3, Clause PM-8 N/A N/A
informed by its role in critical 8.3 PM-9 N/A N/A
infrastructure and sector specific risk · NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-
analysis 9, PM-11 SA-14 N/A N/A
Supply Chain Risk Management ID.SC-1: Cyber supply chain risk · CIS CSC 4 PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
(ID.SC): The organization’s priorities, management processes are identified, · COBIT 5 APO10.01, APO10.04, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
constraints, risk tolerances, and established, assessed, managed, and APO12.04, APO12.05, APO13.02, BAI01.03, Artifacts (AWS service found in the AWS Console for existing customers) or
assumptions are established and used to agreed to by organizational stakeholders BAI02.03, BAI04.02 provided under a signed Non-Disclosure Agreement (NDA).
support risk decisions associated with · ISA 62443-2-1:2009 4.3.4.2
managing supply chain risk. The · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2,
organization has established and A.15.1.3, A.15.2.1, A.15.2.2 SA-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
implemented the processes to identify, · NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
assess and manage supply chain risks. Artifacts (AWS service found in the AWS Console for existing customers) or
provided under a signed Non-Disclosure Agreement (NDA).
SA-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
Artifacts (AWS service found in the AWS Console for existing customers) or
ID.SC-2: Suppliers and third party · COBIT 5 APO10.01, APO10.02, PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
partners of information systems, APO10.04, APO10.05, APO12.01, APO12.02, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
components, and services are identified, APO12.03, APO12.04, APO12.05, APO12.06, Artifacts (AWS service found in the AWS Console for existing customers) or
prioritized, and assessed using a cyber APO13.02, BAI02.03 provided under a signed Non-Disclosure Agreement (NDA).
supply chain risk assessment process · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2,
4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10,
4.2.3.12, 4.2.3.13, 4.2.3.14 RA-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA- Artifacts (AWS service found in the AWS Console for existing customers) or
12, SA-14, SA-15, PM-9 provided under a signed Non-Disclosure Agreement (NDA).
RA-3 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
ID.SC-3: Contracts with suppliers and · COBIT 5 APO10.01, APO10.02, PM-9 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
third-party partners are used to APO10.03, APO10.04, APO10.05 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
implement appropriate measures · ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7 Artifacts (AWS service found in the AWS Console for existing customers) or
designed to meet the objectives of an · ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, provided under a signed Non-Disclosure Agreement (NDA).
organization’s cybersecurity program A.15.1.3
and Cyber Supply Chain Risk · NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-
Management Plan. 12, PM-9 SA-11 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
ID.SC-4: Suppliers and third-party · COBIT 5 APO10.01, APO10.03, AU-12 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
partners are routinely assessed using APO10.04, APO10.05, MEA01.01, MEA01.02, Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
audits, test results, or other forms of MEA01.03, MEA01.04, MEA01.05 Artifacts (AWS service found in the AWS Console for existing customers) or
evaluations to confirm they are meeting · ISA 62443-2-1:2009 4.3.2.6.7 provided under a signed Non-Disclosure Agreement (NDA).
their contractual obligations. · ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU- AU-16 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
12, AU-16, PS-7, SA-9, SA-12 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
AU-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
AU-6 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
PS-7 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
ID.SC-5: Response and recovery · CIS CSC 19, 20 CP-2 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
planning and testing are conducted with · COBIT 5 DSS04.04 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
suppliers and third-party providers · ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 Artifacts (AWS service found in the AWS Console for existing customers) or
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, provided under a signed Non-Disclosure Agreement (NDA).
SR.6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, CP-4 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
IR-4, IR-6, IR-8, IR-9 Controls (SOC) Audits, which can be verified by the SOC 2 report found in AWS compliance.
IR-3 AWS demonstrates compliance with this control through Service Organization Periodically review the AWS SOC 2 reports to ensure AWS maintains
Note:
Category Subcategory Informative References AWS Services/Resources NIST 800-53 Controls Alignment AWS Responsibility
Access Control Identity Management, PR.AC-1: Identities and credentials are · CIS CSC 1, 5, 15, 16 AWS IAM Policies & Roles/Customer AC-1 AWS implements formal, documented policies and procedures that provide guidance
Authentication and Access Control (PR.AC): managed for authorized devices and users · COBIT 5 DSS05.04, DSS06.03 Responsibility AC-2 for operations
Access privileges andto information
AWS systems security within theonorganization
are reviewed a quarterly basis and the bysupporting
an
Access to assets and associated facilities is Identities and credentials are issued, managed, · ISA 62443-2-1:2009 4.3.3.5.1 AWS environments.
authorized individual. Policies
Explicit address purpose,
re-approval scope, roles,
is required or accessresponsibilities,
to the resourceandis
limited to authorized users, processes, or verified, revoked, and audited for authorized · ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR IA-1 AWS implements
management formal,
commitment. documented
All policies policies and procedures
are maintained that
in a centralized provide
locationguidance
that
automatically
for operationsby revoked.
and information security within the organization and the supporting
devices, and to authorized activities and devices, users and processes 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 IA-10 N/A
is accessible employees.
transactions. Access to physical and logical · ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, AWS environments. Policies address purpose, scope, roles, responsibilities and
IA-11 N/A
assets and associated facilities is limited to A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, management commitment. All policies are maintained in a centralized location that
IA-2 AWS controls access
is accessible by employees. to systems through authentication that requires a unique user
authorized users, processes, and devices, and is A.9.4.3 ID and password. AWS systems do not allow
managed consistent with the assessed risk of · NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-3 Several network fabrics exist at Amazon, eachactions
separated to be byperformed
boundary on the
protection
information
Policies system
are reviewed without
approved identification
by orbetween
AWS leadership authentication.
atfabrics.
least
unauthorized access to authorized activities and IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-4 devices
AWS
AWS
that
controls
has
control
accessthe
implemented to flow
systems of information
through
lock outauthentication thatannually
The flow
requires or following
of
a enforced.
unique user a
transactions. IA-10, IA-11 significant
information
ID andcontrols change
password. between AWS theasystems
to fabrics session
AWS environment.
is established
do not allow
policy that is systematically
by approved
actions toand authorizations,
be authentication
performed onwhich
the exist
The
IA-5 AWS
session lock
as access control is access
retained
lists to systems
until through
established
(ACL)identification
residing on these authentication
identification that requires a
devices. ACLs are defined,procedures unique user
approved
information
ID and password. system without or authentication.
IA-6 are
The
by
AWS
performed.
obfuscation
Allappropriate
employees,
has implemented ofAWS
Amazon’s systems
authentication
vendors, aand
session
dodata
contractors
Information notSecurity
lock outisallow
who
policy
actions
performed
require
team, touser
be performed
thatthroughout
amanaged
is AWS
account
and
systematically
onhelp
to
must
deployedthe
be on-
enforced. protect
usingThe
information
the information
boarded through
AWS ACL-manage systemfrom without
Amazon’sunauthorized identification
HR personnel.
management or authentication.
This
system. is often
As performed
part
tool.until established identification and authentication proceduresof the by the
onboarding client
session
AWS haslock is retained
implemented a session lockbased
out policy that isneedsystematically enforced.
User access
software
workflow,
are performed.or, privileges
thein direct
some manager are
cases, restricted
theofdevice
the on business
operating
employee, system
vendor, andservers
oncontractor
or the and
requests theThe
job responsibilities.
network
session
AWS
devices
Approved lock
employs isof
identified
establishment firewallretained
thea inconcept until
thesets
user
rule AWS of
account. established
and least
inventory.
Group
access oridentification
privilege, allowing
shared
control accounts
lists and
onlyare
between authentication
the necessary
not
network permitted procedures
fabricsaccess
withinfor
restrict
are
the performed.
users to accomplish
system
flow of boundary.
information their
The tojob function.
approved
specific New serves
request
information usersystem
accounts
as the are created
approval
services. to control
have alists
to establish
Access user
minimal
account. access. User access to AWS systems (for
and rule sets are reviewed and approved, and are automatically pushed to boundary example, network, applications,
IA-7 Third party
tools, etc.)
protection
AWS privileged
requires
is designed
devices toon aaccess
documented
protect
periodictheto confidentiality
AWS
approval
basis systems
(at least are
fromeverythe allocated
and authorized
integrity
24 hours) based
to on least
ofpersonnel
transmitted
ensure privilege,
(for
rule-sets
data
approved
example,
In
andthe
through event
access thebycontrol
user'san manager
that authorized
anlists
comparison active aindividual
and/or
or system
inactive prior
owner)
user to access
does and
not provisioning,
validation
comply with theand
of the supervised
active
above user
isstated in by
IA-8 AWS
an
the AWS
HR controls
employee.
system. access toare
Duties
of up-to-date.
systems
and
cryptographic
through
areas
hash
of responsibility
of data
authentication transmitted.
that
(for requires
example,
This
a unique
access
doneuserto
request
policy,
help
ID their
ensure account
the message willsystems
isbenotlocked.
corrupted or altered in totransit. Data that hasthe
been
IA-9 N/Aand
and
AWS
password.
approval,
altered implements
or corrupted changeAWS
inmanagement
dorequest
not allow and actions
approval, bechange
performed on
development,
information
testing and systemleast
deployment,
transit
withoutprivilege
etc.)
is immediately
throughout
identification
must or its
bedosegregated
rejected.
infrastructure
authentication.
across
AWS provides
different
components.manyAWS
individuals
methods
to
PR.AC-2: Physical access to assets is managed · COBIT 5 DSS01.04, DSS05.05 AWS Best Practices, AWS Reference PE-2 Physical
prohibits
for
AWS customers access
all ports
to to all
securely
and AWS
protocols data
handle centers
that
their housing
data:
not have IT
a infrastructure
specific business components
purpose. is
AWS
and protected · ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 Architectures, AWS Config, AWS ConfigRules, reducehas
restricted
implemented
opportunities
to authorized
aan
fordata session lock outor
unauthorized policy that is systematically
unintentional ofmodification
enforced.
orwho
misuse The
andof
follows
session a rigorous
lock
AWS systems. is retainedapproachuntil center
to employees,
minimal
established vendors,and
implementation
identification and contractors
only those features
authentication require
procedures
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, AWS Cloudwatch, CloudWatch Logs, access
functions
-AWS in order
enables
are performed. that are to essential
execute to
customers their
toopen jobs.
use of Access
a secure,
the device.to facilities
encrypted
Network isscanning
channel onlytopermitted
AWS at using
is performed
servers and
A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, CloudTrail, VPC Flowlogs, AWS Big Data and controlled
any unnecessary
HTTPS accessports
(TLS/SSL). pointsorthat requireinmulti-factor
protocols use are corrected.authentication designed to prevent
A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8 Analytics services, Customer Responsibility tailgating and to ensure that only authorized individuals enter an AWS data center.
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, On a quarterly
-Amazon basis, access
S3 provides a mechanismlists andthatauthorization
enables users credentials
to utilizeofMD5 personnel with to
checksums
PE-5, PE-6, PE-8 access
validatetothatAWS datadata
sent centers
to AWS areisreviewed by the respective
bitwise identical to what isdata center and
received, AreathatAccess
data
Managers
sent by Amazon (AAM). S3 is identical to what is received by the user. When customers
All entrances
choose to provide to AWS theirdataowncenters,
keys forincluding
encryption theandmain entrance,of
decryption theAmazon
loadingS3 dock,
and any(S3
objects roofSSE-C),
doors/hatches,
Amazonare S3secured
does notwith storeintrusion detection
the encryption devices
key providedthatbysound
the
alarms
customer.if the door isS3
Amazon forced
generatesopen andor held
storesopen.
a one-way salted HMAC of the customer
Trained
encryption security
key and guards are stationed
that salted HMACatvalue the building entrance 24/7. If a door or cage
is not logged.
within a data center has a malfunctioning card reader or PIN pad and cannot be
secured electronically,
-Upon initial communication a security withguard is posted at theWindows
an AWS-provided door until it can
AMI, AWSbe repaired.
enables
secure communication by configuring Terminal Services on the instance and
generating a unique self-signed X.509 server certificate and delivering the
certificate’s thumbprint to the user over a trusted channel.
-AWS further enables secure communication with Linux AMIs, by configuring SSH
on the instance, generating a unique host-key and delivering the key’s fingerprint to
PE-3 Physical access
the user over to all AWS
a trusted data centers housing IT infrastructure components is
channel.
restricted to authorized data center employees, vendors, and contractors who require
access in orderbetween
-Connections to execute their jobs.
customer Access toand
applications facilities
Amazon is RDS
only permitted at
MySQL instances
controlled access using
can be encrypted pointsTLS/SSL.
that require multi-factor
Amazon authentication
RDS generates designed
a TLS/SSL to prevent
certificate for
tailgating
each databaseand to ensure which
instance, that onlycanauthorized
be used toindividuals
establish anenter an AWS
encrypted data center.
connection
On a quarterly
using the default basis,
MySQLaccess lists Once
client. and authorization
an encryptedcredentials
connectionofispersonnel with
established, data
access to AWS data centers are reviewed by the respective data
transferred between the database instance and a customer’s application will be center Area Access
Managers (AAM).
encrypted during transfer. If customers require data to be encrypted while “at rest”
All entrances
in the database, to the
AWS data centers,
customer including
application mustthe main entrance,
manage the loading
the encryption dock,
and decryption
and any Additionally,
of data. roof doors/hatches,
customersare secured
can set with intrusion
up controls detection
to have theirdevices
databasethat sound
instances
alarms if theencrypted
only accept door is forced open orfor
connections held open. user accounts.
specific
Trained security guards are stationed at the building entrance 24/7. If a door or cage
within a data center has a malfunctioning card reader or PIN pad
-Content is encrypted with 256-bit keys when customers enable KMS to encrypt S3 and cannot be
secured
Objects,electronically,
EBS Volumes,a RDS security guard Instances,
Database is posted atRedshift
the doorData
untilBlocks,
it can be repaired.
CloudTrail
Log Files, SES Messages, Workspace Volumes, WorkMail Messages, and EMR S3
Storage.
Physical access points to server locations are recorded by closed circuit television
camera
AWS offers(CCTV). Imagestheare
customers retained
ability for an
to add 90 additional
days, unless limited
layer to 30 days
of security by legal
to data at rest
or contractual
in the obligations.
cloud, providing scalable and efficient encryption features. This includes:
• Data encryption capabilities available in AWS storage and database services, such
as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift
• Flexible key management options, including AWS Key Management Service,
allowing you to choose whether to have AWS manage the encryption keys or enable
you to keep complete control over your keys
• Dedicated, hardware-based cryptographic key storage using AWS CloudHSM,
PE-4 allowing
Access toyou to satisfy
power compliance
equipment, power requirements
cabling, and transmission lines are restricted to
In addition,personnel
authorized AWS provides
and are APIs for youto
positioned toprevent
integrateintentional
encryptionorand data protection
accidental damage.
with any of the services you develop or deploy in an AWS environment.
PE-5 Referfollowing
The to the following AWS
statements Audithow
outline Reports
each for additionalofdetails:
requirement PCI 3.2,
the control ISO
is met through
27001, implementation:
AWS’ ISO 27017, HIPAA, IRAP, NIST 800-53, SOC 2 COMMON CRITERIA,
SOC 1 & 2 CONTROLS
Crash carts—carts with a monitor that can be plugged into servers—are the only
output devices used within data centers. Crash carts reside only within data center
server rooms, which are protected by physical access devices (badge readers)
requiring a successful badge swipe and PIN to enter. These prevent unauthorized
individuals from obtaining or observing output displayed on crash carts.
While the crash carts enable data center technicians to troubleshoot using a display
device (monitor), data center technicians are not permitted to log into AWS servers
until customer data have been removed. Server and networking rooms are positioned
in the interior of each data center, and there are no exterior windows at data centers.
PE-6 Physical access to all AWS data centers housing IT infrastructure components is
restricted to authorized data center employees, vendors, and contractors who require
access in order to execute their jobs. Access to facilities is only permitted at
controlled access points that require multi-factor authentication designed to prevent
tailgating and to ensure that only authorized individuals enter an AWS data center.
On a quarterly basis, access lists and authorization credentials of personnel with
access to AWS data centers are reviewed by the respective data center Area Access
Managers (AAM).
All entrances to AWS data centers, including the main entrance, the loading dock,
and any roof doors/hatches, are secured with intrusion detection devices that sound
alarms if the door is forced open or held open.
Trained security guards are stationed at the building entrance 24/7. If a door or cage
secured electronically, a security guard is posted at the door until it can be repaired.
PE-8 Due to the fact that our data centers host multiple customers, AWS does not allow
data center tours by customers, as this exposes a wide range of customers to physical
access of a third party.
AWS provides data center physical access to approved employees and contractors
who have a legitimate business need for such privileges. All visitors are required to
present identification and are signed in and escorted by authorized staff.
Cardholder access to data centers is reviewed quarterly. Cardholders marked for

removal have their access revoked as part of the quarterly review.
PR.AC-3: Remote access is managed · CIS CSC 12 AWS Certifications, AWS Best Practices, AWS AC-1 AWS implements formal, documented policies and procedures that provide guidance
· COBIT 5 APO13.01, DSS01.04, DSS05.03 Reference Architectures, AWS IAM (MFA), AC-17 for operations
Remote accessand information
to AWS production security within theisorganization
environments limited to defined and thesecurity
supporting
· ISA 62443-2-1:2009 4.3.3.6.6 AWS Config, AWS ConfigRules, AWS AWS
groups. environments.
The addition Policies
of policies
members address into purpose,
a group must scope,beroles, responsibilities,
reviewed and approved andby
· ISA 62443-3-3:2013 SR 1.13, SR 2.6 Cloudwatch, CloudWatch Logs, CloudTrail, AC-19 AWS
management maintains formal
commitment. All and
policies procedures that provide guidance for operations
authorized
and informationindividuals
security who confirm
within the are
the organization
maintained
user’s needandfor
in a centralized
theaccess to the AWS
supporting
location
environment. that
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, VPC Flowlogs, Customer Responsibility AC-20 AWS
is
Remote creates
accessible
access and
by maintains
employees.
requires written
multi-factor agreements
authentication with third
over anparties
approved (e.g., contractors
cryptographic
A.11.2.6, A.13.1.1, A.13.2.1 environments.
or vendors) in The security
accordance policy
with the iswork
published
or by leadership
service to be to provide
provided (e.g., guidance on
network
SC-15 AWS
channel
ISMS does
for not allow collaborative
authentication.
implementation. The mobile computing
device policy devices
providesto have network
guidance on:connections
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC- services agreement, service delivery agreement, or information exchange agreement)
•to
AWS
and
the of
Use AWS
employs
mobile
implements
information
automated
devices.
appropriate
system.
mechanisms to facilitate the monitoring and control of
relationship management mechanisms inwhich
line with
19, AC-20, SC-15
•remote access
Protection of methods.
devices Auditing
that access occurs
contenton forthewhich
systems Amazonand devices,
isthe
responsible. are their
then
relationship
aggregated to the
and business.
stored Agreements
in a proprietary toolcover, at a minimum,
for review and incident following:
investigation. The
••AWS Remote
Legal and wipe capability.
regulatory
operational requirements
environment, applicable to AWS
••considered Password-guessing
User awareness of protection to
information
include
restrictions.
security
network
responsibilities
and security configuration, is
and issues
confidential information and is required to be protected by employees per
••Amazon Remote synchronization
Arrangements for reporting, requirements.
notification, and investigation of information security
• Securitydata
incidents patch
and
classification
requirements.
security
policies. All remote administrative access attempts are
PR.AC-4: Access permissions are managed, · CIS CSC 3, 5, 12, 14, 15, 16, 18 AWS Certifications, AWS Best Practices, AWS
AC-1 AWS
loggedimplements and limited to abreaches
formal, documented
specific numberpolicies of attempts. and procedures
Auditing logs thatareprovide
reviewedguidance
by
incorporating the principles of least privilege and · COBIT 5 DSS05.04 Reference Architectures, AWS IAM (including •for Target and
operations unacceptable
and information levels of service
security (e.g.,theSLA, Operational Level Agreement
AC-14 the
AWS
[OLA])
AWS Security
controls accessteam to for
systems throughwithin
unauthorized attempts
authentication organization
or suspicious and
that requires the
activity. supporting
In
a unique theuser
event
separation of duties · ISA 62443-2-1:2009 4.3.3.7.3 MFA & federation), AWS CloudFormation, AWS
thatand
ID environments.
suspicious
password. activity
AWS Policies
issystems address
detected, do thepurpose,
not incident scope,
allow actions response roles,
to be responsibilities,
procedures
performed are and
oninitiated.
the
· ISA 62443-3-3:2013 SR 2.1 AWS Config, AWS ConfigRules, Customer AC-16 •N/A Service
management continuity
commitment.requirementsAll (e.g.,
policies Recovery
are Time inObjective [RTO]), in that
information
accordance system
with AWS without
business identification
priorities ormaintained
authentication. a centralized
Remote access locationrequires
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, Responsibility AC-2 Access
is privileges
accessible by to AWS
employees. systems are reviewed on a quarterly basis by an
multi-factor
• Protectionindividual. authentication
of Intellectual and the number
Property Rights is of unsuccessful
(IPR) and copyright log-on attempts of is
A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5 AC-24 authorized
N/A Explicit re-approval required or access assignment
to the resourceAWS is
limited.
• Conditions All remote
for administrative access attempts
renegotiation/termination are logged, and the logs are
of the agreement.
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- automatically revoked.
AC-3 reviewed
User access by privileges
the Security areteam for unauthorized
restricted based on business attempts needor suspicious activity. If
and job responsibilities.
3, AC-5, AC-6, AC-14, AC-16, AC-24 suspicious activity isAWS
detected, the incident response
AC-5 AWS
Privileged employsaccess thetoconcept of least
systems privilege,
is assigned based procedures
allowing ononlyleastthe are initiated.
necessary
privilege, access for
approved by
users
an to accomplish
authorized individualtheirpriorjob function.
to access New user accounts
provisioning, and are created
assigned to have user
a different
AC-6 Privileged
AWS
minimal has access
implemented
access. to AWS
User systems
abusiness
access session
to AWS is assigned
lock out policy based
that on
is ofleast privilege,
systematically approved
enforced. by
The
ID
an than used
authorized for normal
individual prior to use.systems
access Duties (e.g.,
and network,
areas applications,
responsibility tools)
(e.g., access
PR.AC-5: Network integrity is protected (e.g., · CIS CSC 9, 14, 15, 18 AWS Certifications, AWS Best Practices, AWS AC-10 AWS
information
requires
request controls
documented
and accessimplements
systems
approval, to systems
approval
change from
management the provisioning,
through
a session authentication
lock
authorized
request afterandaand
period
personnel assigned
that requires
approval,
a different
a unique
of inactivity,
(e.g., user's
change
user
user as
as well
manager
network segregation, network segmentation) · COBIT 5 DSS01.05, DSS05.02 Reference Architectures, AWS IAM (MFA), ID
ID
in the
and/or than
andcase used
password.
system for
of multiplenormal
AWS
owner) business
systems
log-in
and use.
do not
attempts,
validation Duties
allow
and
ofare and areas
actions
limits
thesegregated
active the to of responsibility
inbethe
usernumber performed
of concurrent
Amazon (e.g., access
on thesessions
Human
development,
request and testing
approval, and
change deployment)
management request and across
approval,different
change individuals to
· ISA 62443-2-1:2009 4.3.3.4 AWS CloudFormation, Config, AWS information
that may
Resources
reduce exist.system
system.
opportunities without
The session
for identification
lock is retained or authentication.
until established Remote
identificationaccess requires
and of
· ISA 62443-3-3:2013 SR 3.1, SR 3.8 ConfigRules, AWS CloudTrail, VPC Flowlogs, development,
multi-factor
authentication testing
authentication
procedures andan unauthorized
deployment)
andperformed.
are the number areorsegregated
unintentional
of unsuccessful across modification
different
log-on attempts
or misuse
individuals
is to
AWS
reduce systems.
opportunities for an unauthorized
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, AWS VPC, Security Groups, ACL's, Customer limited. All remote administrative access or unintentional
attempts are logged, modification
and the logs or misuse
are of
A.13.2.1, A.14.1.2, A.14.1.3 Responsibility AC-4 AWS systems.
Several
reviewed network fabrics exist
by the Security teamatfor Amazon,
unauthorizedeach separated
attempts by boundary protection
or suspicious activity. If
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC- SC-7 devices
suspicious
Several thatactivity
network control isthe
fabrics flow
existof
detected, information
atthe incidenteach
Amazon, between
response
separated fabrics.
procedures Theare
by boundary flow of
initiated.
protection
7· information
devices that between
controlformal, fabrics
the flow is
ofestablished
information bybetween
approved authorizations,
fabrics. The flow which exist
of
PR.AC-6: Identities are proofed and bound to CIS CSC, 16 AC-1 AWS
as ACL implements documented policies and procedures that provide guidance
credentials and asserted in interactions · COBIT 5 DSS05.04, DSS05.05, DSS05.07, AWS
information
for operations hasresiding
implemented
between on these
fabrics
and information
devices.
a session ACLs
lock
is established
security out are
bydefined,
policy
within thethat
approved approved
is by appropriate
systematically
authorizations,
organization theenforced.
andusing which
supporting The
exist
AC-16 N/A
Amazon’s
information
as ACL Information
residingsystems on these Security
implements
devices. team,
a ACLs and
session managed
arelock afterand
defined, deployed
aapproved
period ofby inactivity, AWS’s
appropriate asand
well as
DSS06.03 AWS
ACL-management environments. Policies
tool. address purpose, scope, roles, responsibilities,
AC-19 AWS
in
Amazon’s the maintains
case Information
of formal
multiple policies
log-in
Security and
attempts,
team, procedures
and
and managed
limits that
the provide
and
number guidance
deployed
of concurrent
using forAWS’s
operations
sessions
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, management
Approved commitment.
firewall rule sets All
andpolicies
access are maintained
control lists in a centralized location that
AC-2 and
that
Access information
ACL-management
may exist.
privileges security
The totool.
session
AWS within
lock
systems the
is organization
retained
are until
reviewed andbetween
the
established
on a quarterly network
supporting
identification
basis fabrics
AWS
by an andrestrict
4.3.3.7.2, 4.3.3.7.4 is
the accessible
flow offirewall by employees.
information to are
specific information system services. ACLs and rule sets
environments.
authentication
Approved
authorized The rule
individual. security
procedures sets
Explicit policy
and is
performed.
access
re-approval published
control by
lists
is required leadership
between
or to provide
network
access to guidance
thefabrics
resource on
restrict
is
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-24 N/Areviewed
are and approved and are information
automatically pushed toguidance
boundary protection
ISMS
the flow
automatically implementation.
of information
revoked. The mobile
to specific device policy provides
system services. ACLs on: and rule sets
1.4, SR 1.5, SR 1.9, SR 2.1 devices
AC-3 User
•are Use ofon
access
reviewed aprivileges
mobile periodic
anddevices. basis
approved (at
andleast
are restricted every
based24
are automatically onhours)
business to ensure
pushed need andrulejob
to boundary sets and access
responsibilities.
protection
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1 control lists
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-
AWS
•devices
Protectionon aare
employs of up concept
the
devices
periodic to date.
that of
basis least
access
(at privilege,
leastcontent
every 24 allowing
forhours)
whichto only
Amazon
ensure therule
isnecessary
sets andaccess
responsible. accessfor
AWS
users
•control
Remoteto
implements
accomplish
wipe
lists upleast
totheir
arecapability. privilege
date. job function.throughout New user its infrastructure
accounts are components.
created to have AWS
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- prohibits
minimal access.
all portsUser and access
protocols to AWSthat do
systems
not have
5, IA-8, PE-2, PS-3
•AWS Password-guessing
implements protection
least privilege restrictions.
throughout its(e.g.,
a specific
network,
infrastructure business
applications,
components.purpose. tools)
AWSAWS
follows
requires
Remoteadocumented
•prohibits rigorous
synchronization
all ports and approach
approval to from
minimal
that the
requirements.
protocols authorized
do notimplementation personnel
have a specific of only(e.g.,
business thoseuser's
features
purpose.manager and
AWS
functions
and/or
•follows
Securitysystem
that
patch
a rigorous are
owner)
essential
and validation
requirements.
approach totouse of the
minimal of the
device.
active Network
implementation user inof scanning
the Amazon
only is performed,
those Human and
features and
any unnecessary
Resources
functions system.
that areports or protocols
essential to use ofinthe usedevice.
are corrected.
Network scanning is performed, and
PR.AC-6: Identities are proofed and bound to · CIS CSC, 16
credentials and asserted in interactions · COBIT 5 DSS05.04, DSS05.05, DSS05.07,
DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2,
4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR
1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC- IA-1 AWS implements formal, documented policies and procedures that provide guidance
3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA- IA-2 for operations
AWS controls and access information
to systemssecurity throughwithin the organization
authentication and the
that requires supporting
a unique user
AWS
ID environments.
andcontrols
password. AWS Policies address purpose, scope, to roles, responsibilities theanduser
5, IA-8, PE-2, PS-3 IA-4 AWS
management access
commitment. to systems
systems
All
do
through
policies
not allow
are
actions
authentication be performed
inthat requires aon unique
information
ID andcontrols
password.system AWS without identification ormaintained
authentication. a centralized location that
IA-5 AWS
is
AWSaccessible byaccess
has implemented employees. toasystems
systems
session
do
throughnot allow
lock outauthentication
policy
actions to that be performed
requires aon
that is systematically
the user
unique
enforced. The
information
ID andcontrols
password.system AWS without systems identification
do not allow or authentication.
actions toand be authentication
performed
IA-8 AWS
session
AWS has lock is access
retained
implemented tountil
asystems
session through
established authentication
lock outidentification
policy thatatisleastthat requires aon
systematically
the
unique user
procedures
enforced. The
information
Policies
ID
are and are
password.
performed. systemAWS
reviewed without
approved
systems identification
bydoAWS not allow or authentication.
leadership
actions toand annually
be authentication
performed oron following
the a
PE-2 Physical
session
AWS access
lock is
has implemented to all
retained AWS until
a AWS data
session centers
established housing
identification
lock out policy IT infrastructure components
that is systematically enforced. The is
procedures
significant
information
restricted to change
system
authorized towithout
thedata environment.
identification
center employees, or authentication.
vendors, and contractors who require
PS-3 are performed.
Background
session lock checks
is retainedareare performed
until established as part of AWS’s hiring verification processes.
AWS
User
access has
access
in implemented
orderprivileges
to execute a session
restricted
their jobs.lockbasedoutidentification
Access policy
ontobusinessthat isand
facilities need
is
authentication
systematically
and
only
procedures
enforced.
jobinresponsibilities.
permitted at The
PR.AC-7: Users, devices, and other assets are · CIS CSC 1, 12, 15, 16 AC-11 Background
are
All performed.
AWS employees,
session controls
lock checksvendors,
is access
retained include
tountil
systemseducation,
and established
contractors
through previous
who employment,
require a and
authentication
identification user and,
account
thatauthentication
requires some
must
a unique cases,
be on- user
procedures
AWS
criminal employs
controlled andaccess the
other concept
points
background thatofrequire
least
checks privilege,
multi-factor
as allowing
permitted only
authentication
by law the
and necessary
designed
regulation access
to
forpreventfor
authenticated (e.g., single-factor, multi-factor) · COBIT 5 DSS05.04, DSS05.10, DSS06.10 AC-12 boarded
ID
are
usersand
Limiting
tailgating through
topassword.
performed.
accomplish
the
and length Amazon’s
AWS
to ensure their
of systems
thatjob
sessions HR management
do
function.
only is not not allowuser
New
feasible
authorized system.
actions
from accounts
individuals As
to be
a business part
are
enter of
performedthe
created onboarding
perspective.
an AWS on
to the
have
data Ancenter.
employees
Third
workflow,party commensurate
privileged access with to the
AWS employee’s
systems position
are allocated and level
based of
onaccess
least to AWS
privilege,
commensurate with the risk of the transaction · ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2,
AC-14
information
minimal
example
On
AWS ofthe
a quarterly
controls this direct
system
access. User
would
basis,
access
manager
without
access
besystems
access
to when ofAWS
lists the
identification
to AWS
and
through
employee,
systems
teams
authorization vendor,
or maintain
authentication.
(for example, or
EC2.
credentials contractor
Remote
network,
The ofEC2 requests
access
aapplications,
bastions
personnel withthe
requires
users
(e.g., individuals’ security and privacy risks and 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, facilities.
approved
establishment
multi-factor
tools,
utilize
access etc.)
ato
by
AWS
anof
requires
“run-parallel”
authorized
a user
authentication
data account.
documented
approach
centers
individual
and
are areasGroup
theto number
approval
reviewedexecute orauthentication
prior to
shared
of
from
by some
access
the the accounts
unsuccessful thatare
provisioning,
authorized
commands
respective
requires
not
log-on
personnel
across
data center
and unique
supervised
permitted
attempts
theon (for
fleet
Area is userby
within
for any
Access
other organizational risks) 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 AC-7 ID
an and
theAWS
AWS system
limited. password.
employee.
controls
All AWS
access
boundary.
remote Duties
to
The systems
and
systems
approved
administrative do
throughnot allow
of owner)
request
access actions
responsibility
authentication
serves
attempts as to
the beapproval
(for
that performed
example,
requires toaccess theare
aestablish
unique request
user
a in
user
example,
number
Managers
information ofuser's
reasons,
(AAM).
system managerto and/or
include
without system
information
identification andare
collection,
or authentication.
logged,
validation andthe
of
investigations,
Remote
the logs
active
and
access user
requires
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR AC-8 and
ID approval,
and
account.
reviewed
AWS password.
employsby the changeAWS
Security management
systems
team do request
not
forexecuting allow
unauthorized and approval,
actions
attempts to bechange
performed
or jobs development,
suspicious on the
activity. ofIf
the
All HR
multi-factor
testing
system.
troubleshooting.
entrances
and toautomated
This can
AWS
authentication
deployment, data mechanisms
require
etc.)centers,
and mustthe number
be
to facilitate
including
segregated
a the
of the monitoring
long-running
main
unsuccessful
across entrance,
log-on
different
that
theand thecontrol
loading
attempts
individuals dock,
isto
1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10 information
suspicious system
activity without
istodetected, identification or authentication. Remote access requires
AC-9 remote
N/A
limited.
reduce
access
administrator
and anyopportunities
roof
All methods.
needs
doors/hatches,
remote Auditing
monitor
administrative
for an arethe(in incident
occurs
a separate,
secured
unauthorized access on
with response
the systems
concurrent
intrusion
attempts
or are
unintentional
procedures
and
detection
logged, and
are
devices,
session) devices
modification
initiated.
inthe which
their
logs
orthat are
terminal
are then
sound
misuse of
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, multi-factor
In the event
aggregated
window authentication
that
and an
stored active
in adoesorand the
inactive
proprietary number
user
tool of
does unsuccessful
not
for review comply log-on
with
andorincident the attempts
above is
stated
investigation. andIfThe
IA-1 AWS iffor
alarmsimplements
reviewed the
by
systems.
status.
door
the isAWS
Securityforced
formal, teamopen however
documentedfor orunauthorized
held ensure
open.
policies all sessions
attempts
and procedures are authenticated
suspicious
that activity.
provide guidance
A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4 limited.
policy, All
their
hassecurity remote
account
implemented administrative
will aarebe locked.
session tolockaccess attempts are logged, and the logs are
AWS
have
Trained operational
strong
suspicious
for activity environment,
multi-factor
guards authentication
is implements
detected, stationed
the atout
include
incident thepolicy
network
measuresbuilding
response
that
inand is security
place. systematically
entrance
procedures Refer24/7. to IA-2
are If aenforced.
configuration, (1) for
door
initiated.
The
oriscage
more
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC- IA-10 N/Aoperations
reviewed
information
considered
details
within
by
aondata
theand
systems
confidential
the MFA
center
information
Security
employed.
has
team for
information security
a malfunctioning andwithin
a unauthorized
session lock
iscard the
required after
reader
organization
attempts
toaor or
period
be ofand
suspicious
protected
PIN pad
the
inactivity,
and by supporting
activity. If per
asbewell
employees
cannot as
9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA- AWS
in the
Amazon environments.
suspicious
case dataactivity
of multiple is Policies
classificationdetected,
log-in address
the
attempts,
policies. purpose,
incident and limitsscope,
response the roles,
procedures
number responsibilities
of are initiated.
concurrent and
sessions
IA-11 N/A haselectronically,
secured
AWS implemented aasecurity
session guardout is posted at the door until it canenforced.be repaired.
4, IA-5, IA-8, IA-9, IA-10, IA-11 management
that may exist. commitment.
The session All islock
lockpolicies retainedare policy
maintainedthat
until established isinsystematically
a centralized
identification location
and that The
IA-2 AWS
is
AWS controls
information
accessible
has access
systems
byprocedures
implementedemployees. toasystems
implementssession through
alock outauthentication
session lock after
policy that requires
that aisperiod of inactivity,
systematically a enforced.
unique user
as well Theas
authentication are performed.
IA-3 ID andcase
in the
Several
information password.
ofsystems
network AWS
multiple
fabrics systems
log-in
exist attempts,
implements do
at Amazon, not and
a session allow
each
lock actions
limits toperiod
the anumber
separated
after bebyperformed
of
of concurrent
boundary
inactivity,on the sessions
protection
as well as
information
thatthemay
Policies exist.
are system
ofreviewed without
The session approved identification
lock is retained
by AWS orlimits
authentication.
until
leadership established
theatfabrics.
least identification and
IA-4 devices
in
AWS
AWS
casethat
controls
hasexist.
control
accessthe
multiple
implemented to flow
log-in
systems of information
attempts,
through and between
outauthentication thatannually
number The flow
of concurrent
requires or offollowing
a enforced.
unique sessions
user a
authentication
significant
information
that
ID may
and change
password.
procedures
between
TheAWS theasystems
tosession
fabrics session
are
AWS lock is
do
lock
isperformed.
environment.
established
retained
not
policy
allow by
until that is systematically
approved
established
actions to authorizations,
be identification
performed onwhichandexist
the
The
IA-5 AWS
session
as accesscontrols
lock
control access
is procedures
retained
lists to systems
until
(ACL) through
established
residing authentication
on identification
these devices.and thatauthentication
ACLs requires
are defined, a unique user
procedures
approved
authentication
information system without areidentification
performed. or authentication.
IA-8 ID
All
by and password.
are appropriate
AWS performed.
controls
employees, AWS
access
vendors,
Amazon’s toasystems
systems
and do
through
contractors
Information notSecurity
allow actions
authentication
who require
team, touser
be performed
that
amanaged requires
account aon
must
and deployed the
unique
be on- user
using
AWS has
information implemented
system without session lock out
identification policy that is
or authentication. systematically enforced. The
IA-9 ID
AWS
N/A andACL-manage
boarded
session password.
through
lock AWS
Amazon’s
is retained systems
tool.until HR do not allow
management
established actions As
system. to be performed
part of the onboardingon the
AWS
User has
access
information
workflow, implemented
theprivileges
system
directwithout a session
are
manager restricted lockbased
identification
of the outidentification
employee, policy that isand
onauthentication.
or business
vendor, need authentication
systematically procedures
enforced.
or contractor requests theThe
Awareness and Training (PR.AT):The PR.AT-1: All users are informed and trained · CIS CSC 17, 18 AWS Certifications, AWS Training, AWS Best AT-2 are
AWS performed.
sessionhas lockimplemented
isofretained formal,
until documented
established security awareness and training policy
AWS employs
has
establishment
Approved firewall thea user
implemented concept
rule account.
sets of
a session
and least lock
Group
access outoridentification
privilege, policyallowing
shared
control that
lists isand
accounts
betweenonly authentication
the necessary
systematically
are not
network procedures
access
enforced.
permitted
fabrics withinfor
The
restrict
organization’s personnel and partners are · COBIT 5 APO07.03, BAI05.07 Practices, AWS Reference Architectures, and
are
users procedures
performed.
to lock
accomplish that address
their purpose, scope, roles, responsibilities, management
provided cybersecurity awareness education and · ISA 62443-2-1:2009 4.3.2.4.2 Customer Responsibility
session
the system
flow
commitment,
is retained
of boundary.
information
coordination
The tojob
until function.
established
approved
specific
among
New
request
information
organizational
usersystem
identification
serves accounts
as the
entities,
and are created
authentication
approval
services.
and
to control
have
procedures
to establish
Access
compliance.
a user
The lists
minimal
are performed.
account.
and access.
rule awareness
sets are User
reviewed access andtoapproved,
AWS systems (forautomatically
example, network, applications,
are trained to perform their cybersecurity-related · ISO/IEC 27001:2013 A.7.2.2, A.12.2.1 security
Third partydevices
privileged and training to policy andand are
procedures are reviewed pushed
onand
toupdated
boundary at
duties and responsibilities consistent with related · NIST SP 800-53 Rev. 4 AT-2, PM-13
tools, etc.)
protection
least annually,
requires
or on
sooner aaccess
documented
periodic
if required
AWS
approval
basis due
systems
(at to
from
least are
the allocated
every
information
authorized
24 system
hours) based
personnel
to ensure
changes.
least privilege,
(for
rule-sets
The policy
approved
example,
In
andthe event
access bycontrol
user'san manager
that authorized
anlists
active are orindividual
and/or system
inactive prior
userowner) to access
does and provisioning,
validation
not comply with theand
of the supervised
active
above user in by
stated
policies, procedures, and agreements. is
thedisseminated
an AWS employee. through theup-to-date.
internal
areasAmazon communication portal to all employees,
HR their
policy, system. accountDuties will beand locked. of responsibility (for example, access request
vendors,
and approval, and contractors
change prior to receiving authorized access to the information
AWS implements leastmanagement
privilege throughout request and its approval,
infrastructure change development,
components. AWS
system
testing or performing
and assigned duties.
prohibits alldeployment,
ports and protocols etc.) must thatbedosegregated
not have aacross specific different
business individuals
purpose. to AWS
AWS
reduce has developed, for
opportunities documented,
an unauthorized and disseminated
or unintentional security awarenessorand role- of
followssecurity
based a rigorous approach
training to minimal
for personnel implementation
responsible for designing,ofmodification
onlydeveloping,
those features misuse and
AWS
functionssystems.
that are essentialmaintaining,
to use of theand device. Network scanning is performed
implementing, operating, monitoring AWS systems. Training and
any unnecessary
includes, but is not portslimitedor protocols
to, the following in use areinformation
corrected. (when relevant to the
employee’s role):
PM-13 Role-based training is provided. Much of this training is provided on an ongoing

PR.AT-2: Privileged users understand roles & · CIS CSC 5, 17, 18 AT-3 basis
AWS via hasday-to-day
implemented interaction. Service teams
formal, documented have documented
security awareness and team-based and
training policy
responsibilities · COBIT 5 APO07.02, DSS05.04, DSS06.03 role-based
and procedures training thatpages
address thatpurpose,
providescope, new employees, contractors and vendors with
PM-13 Role-based
the necessary training
role-based is provided. Much oftraining
security-related thisroles, responsibilities,
training
requiredis provided
to execute
management
on an ongoing
their job
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3 commitment,
basis via day-to-daycoordination among
interaction. organizational
Service teams have entities, and
documented compliance.
team-based The and
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 functions.
security awareness
role-based training and pages training policy new
that provide and procedures
employees, are reviewedand
contractors andvendors
updatedwithat
· NIST SP 800-53 Rev. 4 AT-3, PM-13 least
the necessary annually,role-based
or sooner if required due totraining
security-related informationrequired system changes.
to execute The
their jobpolicy
is
functions. disseminated through the internal Amazon communication portal to all employees,
vendors, and contractors prior to receiving authorized access to the information
PR.AT-3: Third-party stakeholders (e.g., · CIS CSC 17 PS-7 system or performing assigned
AWS creates and maintains written agreements with third parties (e.g., contractors duties.
suppliers, customers, partners) understand roles · COBIT 5 APO07.03, APO07.06, AWS
or vendors) has developed,
in teams
accordance documented, the and
workdisseminated
service tosecurity awareness and role-
SA-16 AWS Service createwith administrator or
documentation be for
provided (e.g., network
their services and store
& responsibilities APO10.04, APO10.05 based
services security
agreement, training for personnel
service delivery responsibleor
agreement, forinformation
designing, developing,
exchange agreement)
SA-9 the
AWS documents
creates and in internal
maintains AWS writtendocument
agreements repositories.
with third Usingpartiesthese documents,
(e.g., contractors
· ISA 62443-2-1:2009 4.3.2.4.2 implementing,
and implements operating,
appropriate maintaining,
relationship and monitoring
management AWS
mechanisms systems. injobTraining
line with their
teams
or provide
vendors) in initial
accordance training with tothenewwork teamor members
service tothat
be covers
provided their(e.g., duties,
network on-
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, includes,
relationship but is not limited
to the business. to, the
Agreementsfollowing information
cover, at a minimum, (when relevant
the following: to the
call
services responsibilities,
agreement, service delivery
specific monitoring
agreement,tometrics and alarms, alongagreement)
with the
A.7.2.2 •employee’s Legal and role): service
regulatory requirements applicable orAWS
information exchange
intricacies of theappropriate
service theyrelationship
are supporting. Once trained, service in teamlinemembers
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16 •and
can
implements
Workforce
User awareness
assume
conduct
on-call
standards security management
ofduties
informationand be paged into responsibilities
an engagement
mechanisms
andasissues
atheresolver.
with their
In addition
•relationship
toLegal
to the
Candidate background
Arrangements
the documentation forbusiness.
reporting,
stored
Agreements
screening procedures
notification, cover,
and at a minimum,
investigation
in the repository, AWS also uses Engagement Drills and of following:
•• Clear
incidents and
desk
and regulatory
policy
security requirements
procedures applicable to AWS
andbreaches
GameDay Exercises to train coordinators and Service Teams in their roles and
••responsibilities. User awareness
Social
Target engineering,
and unacceptableof information
phishing,levelsand security
of malware
service responsibilities and issues
(e.g., SLA, Operational Level Agreement
•• Data
[OLA]) Arrangements
handling and for reporting,
protectionnotification, and investigation of information security
PR.AT-4: Senior executives understand roles & · CIS CSC 17, 19 AT-3 •incidents
AWS Compliance
Service and security
commitments
has continuity
implemented breaches
formal, documented
requirements (e.g., Recovery securityTime awareness
Objective and traininginpolicy
[RTO]),
responsibilities · COBIT 5 EDM01.01, APO01.02, •• Target
and
accordance Security and
procedures unacceptable
precautions
with that
AWS while
address levels
business purpose,of service
traveling scope,
priorities (e.g.,
roles, SLA, Operationalmanagement
responsibilities, Level Agreement
PM-13 Role-based training is provided. Much of this training is provided on an ongoing
APO07.03 •[OLA])
commitment,
basis
How to report
Protection
via day-to-day
security and
ofcoordination
Intellectual availability
among
Property
interaction. Rights
Service
failures,
organizational (IPR)
teams have
incidents,
entities,
and and
copyright
documented
concerns,
compliance.
assignmentand other
team-based The
ofand
AWS
PR.AT-5: Physical and cybersecurity personnel ·· CIS
ISA CSC 17
62443-2-1:2009 4.3.2.4.2 AT-3 ••complaints
AWS
security Service
Conditions continuity
hasawareness
implemented
tofor
appropriate
andrequirements
formal,
personnel
training
renegotiation/termination (e.g.,and
documented
policy Recoverysecurity
procedures
of the Time Objective
awareness
are
agreement. reviewed and [RTO]),
training
and inpolicy
updated at
understand roles & responsibilities ·· COBIT role-based
accordance training
with AWSpages thatpurpose,
business provide
priorities new employees, contractors and vendors with
ISO/IEC527001:2013
APO07.03 A.6.1.1, A.7.2.2 IR-2 and
• How
AWS
least procedures
to recognize
has implemented
annually, orthat address
suspicious
sooner formal,
if requireddocumented
duescope,
communications roles,
andresponsibilities,
security
totraining
information anomalous
awareness
system andmanagement
behavior
changes. trainingin policy
The
·· ISA
NIST62443-2-1:2009
SP 800-53 Rev.4.3.2.4.2
4 AT-3, PM-13 •the
commitment,
organizational
and
is
necessary
Protection
procedures
disseminated
role-based
ofcoordination
Intellectual
information
that
throughaddress
security-related
theProperty
among
systems
purpose,
internal Rights
organizational
scope,
Amazon (IPR)
roles,
required
and
entities, to execute
copyright
and
responsibilities,
communication compliance.
portal
their
assignment
management
job
of AWS
The
toanallongoing
employees,
PM-13 Role-based
functions. training is provided. Much of this training is provided on
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 •• Practical
security
commitment,
vendors,
basis
Conditions
via and for
awareness
exercises renegotiation/termination
and
coordination
contractors
day-to-day that training
reinforce
among
prior
interaction. topolicy and of
training
organizational
receiving
Service
the agreement.
procedures
objectives
authorized
teams have
are and
entities,
access reviewed
documented tocompliance.
the and updated
information
team-based The and
at
Data Security (PR.DS): Information and PR.DS-1: Data-at-rest is protected · CIS
NISTCSC 13, 14 Rev. 4 AT-3, IR-2, PM-13 AWS Certifications, AWS Encryption Services
SP 800-53 MP-8 •N/A
least
security annually,
International or sooner
Traffic if required
intraining
Arms dueand
Regulations to information system
(ITAR) responsibilities changes. The policy
system
role-based orawareness
performing
training and
pages assigned
that policy
duties.
provide new procedures
employees, are reviewed
contractors andvendors
and updated at
with
records (data) are managed consistent with the · COBIT 5 APO01.06, BAI02.01, BAI06.01, (KMS/EBS/S3/EC-2/RDS/REDSHIFT/DYNAM is
• Contingency
least
AWS disseminated
annually,
has developed, orthrough
planning
sooner the
if internal
required
documented, Amazon
due
and communication
totraining
information
disseminated system
security portal
changes.
awareness to allTheemployees,
and policy
organization’s risk strategy to protect the DSS04.07, DSS05.03, DSS06.06 O DB), Customer Responsibility the
vendors, necessary
and role-based
contractors security-related
prior to receiving authorizedrequired
access to execute
to their
the information jobrole-
• Incident
is
based
functions. response
disseminated
security throughfor
training the internal
personnel Amazon
responsible communication
for designing, portal to all employees,
developing,
confidentiality, integrity, and availability of · ISA 62443-3-3:2013 SR 3.4, SR 4.1 system
AWS captures
vendors,
implementing, orand
performingand
contractors
operating, assigned
retains prior toduties.
training
maintaining, records
receiving and for at least five
authorized
monitoring access
AWS years.
to the information
systems. Training
information. · ISO/IEC 27001:2013 A.8.2.3 AWS
system
includes, has developed,
orbut
performing
is not limited documented,
assigned to, the and disseminated
duties.
following information security
(when awareness
relevant and to therole-
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC- based has
AWS
employee’s security trainingdocumented,
developed,
role): for personnel andresponsible
disseminated for designing,
security awareness developing, and role-
28 implementing,
based
• Workforce security operating,
training
conduct formaintaining,
standardspersonnel responsible and monitoring AWS systems.
for designing, developing, Training
SC-12 includes,
implementing,
•AWS butbackground
establishes
Candidate isoperating,
notandlimited
manages to, the
maintaining,
screening following
cryptographic information
and monitoring
procedures keys for required
AWS(when relevant
systems.
cryptography to the
Training
employee’s
includes,
•employed but role):
within
is customer
notthelimited
system to,boundary.
theandfollowingAWSinformation
produces,
SC-28 AWS
•• Workforce
Cleartreats
desk policy
all
conduct
and procedures
content
standards associated assets ascontrols,
(when
highlyrelevantand distributes
confidential.to theAWS
employee’s
symmetric
Cloud Socialservicescryptographic
role):
engineering,are content keys
phishing, using inU.S.
and malware
agnostic thatNational
they offer Institute
the same of Standards
high level and of security
PR.DS-2: Data-in-transit is protected · CIS CSC 13, 14 AWS Certifications, AWS Encryption Services SC-11 ••N/A
Technology Candidate
Workforce background
(NIST)-approved
conduct screening
standards procedures
· COBIT 5 APO01.06, DSS05.02, DSS06.06 (KMS/CloudHSM/EBS/S3/EC-2/RDS/REDSHI SC-12 to Data handling
all customers, and protection
regardless of key management
the type of contenttechnology
being stored. and We processes in theabout
are vigilant
•• Candidate
AWS
our
Clear desk background
establishes
information
Compliance
customers’
policy andand
system.
commitments
security
procedures
manages
screening
and Anhave cryptographic
procedureskeys
AWS-developed
implemented for required
secure key and
sophisticated cryptography
credential
technical and manager
physicalis
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR FT/DYNAMO DB), AWS ELB, Customer •• Clear
employed
used Social engineering,
to desk
Security within
create, policy the
protect,
precautions and phishing,
system
and
procedures
while and malware
boundary.
distribute
traveling AWS has
symmetric produces,
keys andcontrols,
isasused and distributes
to secure and
4.1, SR 4.2 Responsibility measures against unauthorized access. AWS no insight to what type of
•• Social
symmetric
distribute:
content
Data handling
How engineering,
tothe
report
customer
and protection
cryptographic
security and
chooses keys
phishing, using
and
availability
to store U.S.
malware
in National
failures,
AWS, and Institute
incidents,
the customerof Standards
concerns, retains and
andcomplete
other
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, ••complaints
Technology Compliance commitments
to(NIST)-approved key management technology
A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 •control
Data
AWS handling
Security
credentials
of how andneeded
appropriate
they
precautions
protection
choose
while
on hosts
personnel
totraveling
classify their content, where itand processes
is stored, howinitthe
is
AWS
• RSA Howandinformation
Compliance issystem.
howcommitments
public/private
to recognize keys Anfrom
suspicious AWS-developed
communications secure key and credential
and anomalous behavior in manager is
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC- •used,
used
•organizational How to
tohas
Security
X.509 report
create,
itsecurity
protected
protect,while
precautions
certificatesinformation and
and distribute
disclosure.
availability
travelingsymmetric
systems failures, incidents,
keys and concerns,
is used to secure and other
and
12 AWS
complaints implemented
to appropriate data handling
personnel and classification requirements that provide
distribute:
• How
Cryptographic to report
Practical keys
exercises security
are
thatsecurely
and availability
reinforce stored
training and
failures,
periodically
objectivesincidents, rotated.
concerns, and other
•specifications
• AWS How to recognize
credentials
around: suspicious
needed communications
on hosts and anomalous behavior in
•complaints International
Data
organizational
to appropriate
encryption Traffic
information
in Armspersonnel
Regulations (ITAR) responsibilities
•• RSA How public/private
to recognize
Contingency planning keys systems
suspicious communications and anomalous behavior in
••organizational
Content
• Practical
X.509
Incident
inexercises
transit
certificates
response
and
informationthatduring
reinforce storage
systemstraining objectives
••Cryptographic
•AWS
Access
International
Practical
captures Traffic
keys
exercises are insecurely
that
and retains Arms
reinforce
trainingRegulations
stored
training
records andfor (ITAR)
periodically
objectives
at leastresponsibilities
fiverotated.
years.
••• Contingency
Retention
International planning
Traffic in Arms Regulations (ITAR) responsibilities
••• Incident
Physical
Contingency
controls
response planning
• Mobile
AWS devices
captures and retains training records for at least five years.
•• Handling
Incident response
requirements
SC-8 AWS seeks to maintain data integrity during
captures and retains training records for at least five years. transmission, storage, and processing
of customer content. AWS treats all customer content and associated assets as
critical information. AWS services are content agnostic in that they offer the same
high level of security to all customers, regardless of the type of content being stored.
We are vigilant about our customers’ security and have implemented sophisticated
technical and physical measures against unauthorized access. AWS has no insight as
to what type of content the customer chooses to store in AWS, and the customer
retains complete control of how they choose to classify their content; where it is
stored, used, archived; and how it is protected from disclosure.
Customer-provided content is validated for integrity, and corrupted or tampered data
is not written to storage. Amazon S3 uses checksums internally to confirm the
continued integrity of content in transit within the system and at rest. Amazon S3
provides a facility for customers to send checksums along with data transmitted to
the service. The service validates the checksum upon receipt of the data to determine
that no corruption occurred in transit. Regardless of whether a checksum is sent with
an object to Amazon S3, the service uses checksums internally. When disk
corruption or device failure is detected, the system automatically attempts to restore
normal levels of object storage redundancy. External access to content stored in
Amazon S3 is logged, and the logs are retained for at least 90 days. The logs include
relevant access request information, such as the accessor IP address, object, and
operation.
Like Amazon S3, Amazon Elastic Block Store (Amazon EBS) employs redundant
storage and data validation. To prevent data loss due to failure of any single
hardware component, each Amazon EBS volume is automatically replicated within
the same Availability Zone. Amazon EBS also provides the ability to create point-
in-time snapshots of volumes, which are persisted to Amazon S3. These snapshots
can be used as the starting point for new Amazon EBS volumes and to protect data
for long-term durability.
PR.DS-3: Assets are formally managed · CIS CSC 1 AWS Certifications, AWS Best Practices, AWS CM-8 In order to ensure asset management and inventory maintenance procedures are
throughout removal, transfers, and disposition · COBIT 5 BAI09.03 Reference Architectures, AWS Trusted Advsior, properly executed, AWS assets are assigned an owner and are tracked and monitored
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1 AWS CloudFormation, AWS Config, AWS with AWS proprietary inventory management tools. AWS asset owner maintenance
· ISA 62443-3-3:2013 SR 4.2 ConfigRulesAWS CloudTrail, Customer procedures are carried out by using a proprietary tool with specified checks that
MP-6 Data destruction: Content on drives is treated at the highest level of classification per
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, Responsibility must be completed according to the documented maintenance schedule.
PE-16 AWS policy. Content
Environments used for is destroyed
deliveryon ofstorage devices as part of the by authorized
A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7 AWS has developed andthedocumented antheinventory
AWS services
of systems are managedand devices within the
decommissioning
personnel and Boundary.
are process in
located in anaccordance
AWS with AWS
managed data security
centers. Media standards. handling controls
PR.DS-4: Adequate capacity to ensure · NISTCSC
CIS SP 800-53
1, 2, 13Rev. 4 CM-8, MP-6, PE- AWS Reference Architectures & Best Practices, AU-4 Authorization
AWS deploys monitoring devices throughout the environment to collect critical
AWS
for thehosts
data are
centers securelyare wiped orby overwritten prior to provisioning for Media
reuse. AWS
availability is maintained ·16 COBIT 5 APO13.01, BAI04.04 AWS Trusted Advisor, AWS S3, Customer CP-2 AWS
information
The AWShas developed
on unauthorized
Business andmanaged
Continuity documents
intrusion AWS
policyanlays
in alignment
inventory
attempts,
out the of
usage with
guidelines AWSthe
theabuse, and
used
AWS
Authorization
network
to implement and
media
Protection is securely
Policy. wiped
This or degaussed
policy includes and physically destroyed prior to leaving
· ISA 62443-3-3:2013 SR 7.1, SR 7.2 Responsibility Boundaries
application
procedures forrespond
to Govcloud
bandwidth usage.
to a and East
Monitoring
serious Westprocedures
outage separately.
devices
or
around
are
degradation Forplaced of
access,
continuous marking,
withinservices,
AWS monitoring
the AWS storage,
including
SC-5 AWS
AWS secure
operates, zones.
andmanages,
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1 transporting,
activities,
environment
the recovery AWS to
model
sanitation.
provides
detect and and itsaandsystem
monitor controls
implications for:the
inventory on
infrastructure
the tobusiness
our FedRAMP components,
continuity accrediated
plan.
from 3PAO the hostfor
To
operatingvalidate AWS’s
system secure
and virtualization wipe processes
layer and
down procedures,
to the third-party auditors
PR.DS-5: Protections against data leaks are · CIS
NISTCSC 13
SP 800-53 Rev. 4 AU-4, CP-2, SC-5 Customer Responsibility for protection may be AC-4 •validation
Several on a monthly
network
Port scanning fabrics
attacks basis.atOnce
exist Amazon, validated, each this listphysical
separated is byprovided security
boundary to our of the
protection
review the guidance within the AWS media protection policy, observe degaussing
implemented · COBIT 5 APO01.06, DSS05.04, DSS05.07, facilitated/enabled by employing AWS services •facilities
Live
Authorizing
devices
Usage
equipment
media in which
that
(CPU, transported
andcontrol the
Official(s).
Processes,
secure theservices
outside
flow
shred disk ofoperate.
bins
of Data AWS
information
utilization, center
located within
endpoints
secure
between
swap zones
rates,fabrics.
AWS andareerrors
facilities,
tested
isTheescortedassoftware
inflow
and
part
byof
of
review
AWS
authorized
historical
DSS06.02 to automatically detect, alert, contain and AC-5 compliance
personnel.
Privileged
AWS to
information
generated providesloss)vulnerability
access an to
between AWS
inventory
fabrics scans.
systems
to
is is assigned
our FedRAMP
established by based on authorizations,
accredited
approved least
3PAO privilege,
for approved
validation
which andby
exist as
Refer
tickets
AWS the
that following
tracked the AWS
destruction Audit Reports
and removal for additional
of storage details:
media PCI
from 3.2,
the ISO
· ISA 62443-3-3:2013 SR 5.2 respond to events and/or incidents and report as AC-6 an
•part
as ACLofCloud
authorized
AWS’
Application
Privileged
27001, residing
ISO
services
access individual
27017,security
on
performance are
these
toNISTAWS
managed
prior
assessment
devices.
metrics
systems
800-53,
to accessin a on
and
ACLs manner
provisioning,
a monthly
2 are
is assigned
SOC COMMON
that preserves
based basis,
defined, and
approved
on least
CRITERIA
their
assigned
supports confidentiality,
acontinuous
different
by appropriate
privilege, approved userby
environment.
integrity, and availability. AWS has
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, required and perform leak mitigation - examples •AWS
ID than
monitoring
Amazon’s
an
has used
Unauthorized
authorized
developed
for
Information normal
requirements.
connection
individual
andSecurity
has
business documented
Additionally,
prior attempts
to use.implemented
team,
access Duties
AWS'
and an inventory
and secure
areas
inventory
managed
provisioning, andand
of issoftware
systems
ofdeployed
responsibility
validated
assigned
development
and
a by
using devices
(e.g.,
our
AWS’s
different 3PAOaccess
user
PE-19 Data
N/A
within deletion
procedures the that
system forareblockfollowed
boundary. device to
The based
ensure storage
inventory thatthe (e.g.,
appropriate
is stored Amazon security
in approval,
Amazon’s EBS,controls
Amazon
Infra areRelational
proprietary
A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, are services such as AWS GuardDuty, AWS request
andthan
AWS
ID and
provided
ACL-management
provides
used approval,
tonear
for our tool.
normal change
Authorizing
real-time business management
alertsOfficial(s)
use.when Duties request
onand
AWS and
a monthly
monitoring
areas basis.
oforder change
tools
responsibility show (e.g., access
PS-3 Database
incorporated
Background Service
database. firewall into
checks [Amazon
the areapplication
performedRDS], ephemeral
design.
as part Asof drives):
part
AWS’s In
of between
the application
hiring to ensure
verification design thatprocess,
processes.
A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, Macie, AWS Security Groups, VPC, Config, development,
Approved testing and deployment) are segregated across different individuals to
indications
request
customer
new
Background
and of
approval,
content
applications checks isrule
compromise
must
sets
change
properly
participate
include
and
or erased,access
potential
management
education, in AWS
an
control
compromise,
AWS
request
wipes
previous
lists and based
underlying
Security
employment,
approval,
review,
network
upon
storage threshold
which
and,
change fabrics
inmedia
includes
some
restrict
alarming
upon
cases, re-
A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, ConfigRules, Cloud Watch, CloudTrail, PS-6 reduce
the
The flow
AWS opportunities
ofHuman
information for
Resources
andto an unauthorized
specific
team is areor
information
responsible unintentional
system
for screening modification
services. AWSACLs new or misuse
and hires
rule of
mechanisms
development,
provisioning
registering the
determined
testing
rather than
application,
by
upon AWS
deployment) service
de-provisioning.
initiating
and
application
Security
segregated
Processes
risk
teams.
across that
classification,
different
wipe individuals
content uponin sets
to
A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, CloudFormation, Lambda, SNS, SQS, Big Data SC-13 criminal
AWS
are
accordance
External
reduce
AWS
release
limits
is
and
systems.
reviewed access
opportunities
ofdesigned
an
other
access
withand
asset to
background
to
tocorporate
approved
data system
anpolicy.
forstored
protect
(e.g., volume,and
thein
checks
output
are Employees
Amazon
unauthorized
confidentiality
object)
as permitted
devices
automatically to
isareonly
S3unintentional
or
are less logged.
and
by
pushed
required law
authorized
The
integrity
reliable to
than
and
toboundary
ofreview
logs
modification areparticipating
regulation
persons,
transmitted
processes and in for
protection
retained sign
orthat
alignment
misuse
data
in
an at
for of
A.14.1.3 & Analytics, Machine Learning etc. architecture
employees
with AWS
devices
employment on review
commensurate
aaccess
periodic
contract andand threatwith
toauthorization
basis acknowledge modeling,
the employee’s
request performing position
procedures. tocode and
AWS review,
level and
of
employs performing
accessvarious toonly
AWS re-
a
SC-31
least
AWS
through 90
provision
N/A
penetration
mechanisms
facilities.
days
systems.
theclean andstorage
comparison
test.
to
include
detect theto a(at
ofrelevant least
cryptographic
customers.
addition of
every
access their
Physical24hash
responsibilities
request
unauthorized
hours)of
servers data ensure
information
can
systems
for
transmitted.
reboot
and
rule
compliance
such atsets
asany
devices Thisand
the iswith
data
time
into
access
donefor to
the
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC- control
company
accessor
help
many lists
ensure
reasonsstandards
IP are(e.g.,
address,
that up
the to
and date.
object,
message
power information
andisconnections
outage, not security
operation.
corrupted
system requirements.
or altered
process in transit.
interruption or Data
failure), thatwhichhasports
been
6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC- SC-7 system
Several
AWS
All personsboundary.
requestsnetwork
implements working
to KMS To
fabrics
least prevent
with
are exist
privilege
AWS
logged at Amazon,
information
andthroughout
available of
each unauthorized
inseparated
must,
its infrastructure
the atAWS
a AWS
minimum,devices,
byaccount’s
boundary
components.
meetallAWSvacant
protection
thehave screening
AWS
corrupted
might
in leave
network ordevices
aaltered
wiping in
are transit
procedure
disabled is byimmediately
in an incomplete
default. rejected.
state. Customers provides do several
not
31, SI-4 devices
prohibits
process that control inthe flow ofS3. information between fabrics. The flow of
SC-8 CloudTrail
AWS
methods
access
informationtofor
seeks all
for pre-employment
block ports
bucket
to and
maintain
customers
betweendevices protocols
Amazon
todata
or
fabrics
background
that
integrity
securely
physical The do
handle
is establishedmedia not
during checks
logged have
their
that and
a specific
requests
transmission,
data:
was
by approved
sign
previously a storage,
provide business
Non-Disclosure
used
authorizations, topurpose.
information
and processing
store
which
AWS
about
another
SI-4 follows
•Agreement
who
of made
customer
Upon
AWS a rigorous
the
initial
deploys (NDA) request
content. approach
prior
communication
monitoring AWSandtodevices
being
to
under
treats minimal
with granted
which
all atcustomer
an implementation
CMK access
AWS-provided
throughout and toenvironment
content
the AWS
will isofinformation.
also
and
Windows only
describe
associated
to those
Amazon features
All
information
assets as exist
personnel
Machine and
customer’s
as ACL
functions
supporting
about
critical the that
AWS
content.
residing
systems
information. are on
resource
Wiping
these
essential
and
AWS devices
that
blocks
devices.
tosecure
usewithin
was
services ofACLs the
protected
are
time
are
theattempts,
the
device.
contentsystem
capacity
defined,
through Network approved
boundary
agnostic the inscanning
use must
of
that bycollect
re-provisioned
the
they appropriate
sign
isterminal
CMK.
critical
is
performed,
offeran These
NDA
the
sufficient
sameprior
and
log
Image
to ensure (AMI),
information that ontheAWS enables
unauthorized
previous intrusion
content communication
cannot be usage
recovered by configuring
abuse,
from aand
new network
volume and
orservices
Amazon’s
to
anybeing
events
high are
level Information
granted
unnecessaryvisible
of access.
ports
security togenerating
the Security
toor protocols
customer
all customers,team, in use
after and
turningmanaged
are
regardless corrected.
on of AWSand
the deployed
CloudTrail
type of contentusing
in theirAWS’s
being account.
stored.
on the instance
application
object. and
bandwidth usage. a unique
Monitoring self-signed
devices areX.509
placed server
within certificate
the AWS and
ACL-management
We are vigilant about tool. our customers’ security andservices
haveaimplemented sophisticated
delivering
environment
Data deletion the for certificate’s
non-block thumbprint
device to the user
services: For over trusted
such aschannel.
Amazon S3restrict
or
Approved
technical firewall
and physical rule sets
measures and access
against control lists
unauthorized between
access. network
AWS fabrics
has noobjects
insight as
• AWS further
Amazon DynamoDB, enablescustomers secure communication never see with Linux
an attached block AMIs device,by configuring
only
the
to flow
what of
type toinformation
of content to
the(forspecific
customer information
chooses system services. ACLs and rule sets
Secure
and
are the Shell
reviewedpath (SSH)
andthat on the
object
approved
instance,
andexample
are automatically a tabletoor
generating astore
unique in AWS,
an item).
pushed
host-key
to When
andand
boundary a the customer
delivering
customer
protection
the
deletes
retains
key’s
an asset complete
fingerprint
in these control
to the user
services, of how overthey choose
a trusted to classify
channel. their content; where it is
devices
stored, on a periodic basisthe (atdeletion
least isevery
of the 24 mapping
hours) to between
ensure rule an asset
sets and identifier
accessor
key andused,
Customer
control theMaster
lists
archived;
underlying Keys and
are up tocontent
(CMKs)
content
date.
how itused
begins protected
for
immediately. from disclosure.
cryptographic Once operations
the mapping in AWS Key
is removed,
Customer-provided
Management
the content is Service
no longer (KMS), is including
accessible validatedand cannot for integrity,
operations byand AWS
beinfrastructure
processed corrupted
byemployees, or tampered
an application. are secured data
AWS
is not implements
written least
to storage. privilege
Amazon controls. throughout
S3 uses checksums its internally components.
to confirm AWS
the
byW both technical and operational By design,
Wa specific no individual AWS employee
prohibits
continued all ports and
integrity protocols that
of content do within
not have business purpose.
AmazonAWS
can gain access to the physicalinCMK transit material in thethe system
service and dueat torest.hardening S3
follows
provides aarigorous
facility approach to minimal sendimplementation ofwithonlydata thosetransmitted
features and
techniques such as for never customers
storing to
plaintext checksums
master keys alongon persistent disk, using but to
functions
the that areservice
essential to W use of thethe device. Network scanning isdata
performed, and
not service.
persisting The them validates
in volatile memory, checksum
and limiting uponwhich receipt of the
users and to determine
systems can
any
that unnecessary
no corruption ports or protocols in use are corrected.
connect to service occurred hosts. In addition, in transit.multi-party
Regardless access of whether controls a checksum
are enforced is sent forwith
an object to Amazon S3, the service uses
operations on the KMS-hardened security appliances that handle plaintext CMKs in checksums internally. When disk
corruption
memory. or deviceM failure is detected, the system automatically
W attempts W to restore
normal levels of object storage redundancy. External access to content stored in
Amazon S3 is logged, and the logs are retained M for at least 90 days. The logs include
relevant access request information, such as the accessor IP address, object, and
PR.DS-6: Integrity checking mechanisms are · CIS CSC 2, 3 AWS Certifications, AWS Resource Tagging, SC-16 N/A
used to verify software, firmware, and · COBIT 5 APO01.06, BAI06.01, DSS06.02 AWS Config, AWS Config Rules, AWS Cloud
information integrity · ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR Formation, AWS CloudTrail, AWS CloudWatch
3.4, SR 3.8 Logs, Customer Responsibility
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1,
A.14.1.2, A.14.1.3, A.14.2.4 SI-7 AWS seeks to maintain data integrity during transmission, storage, and processing
PR.DS-7: The development and testing · NISTCSC
CIS SP 800-53
18, 20 Rev. 4 SC-16, SI-7 AWS VPC, Security Groups, ACL's/Customer CM-2 of customer
AWS content. AWS
has established formal treats
policies all customer
and procedures contenttoand associated
provide employees assets with as a
environment(s) are separate from the production · COBIT 5 BAI03.08, BAI07.04 Responsibility, AWS EC2, AWS IAM, AWS critical
commoninformation. baseline forAWS information servicessecurity are content standards agnostic andinguidance.
that theyThe offerAWS the same
environment · ISO/IEC 27001:2013 A.12.1.4 CloudTrail, AWS CloudWatch, AWS S3, high
Information level ofSecurity security Management to all customers, System regardless
(ISMS)ofpolicy the type of content
establishes being stored.
guidelines for
· NIST SP 800-53 Rev. 4 CM-2 AWS SNS, AWS Config, AWS AutoScaling, We
protecting are vigilant about our customers’
the confidentiality, integrity, security and have implemented
and availability of customers’sophisticated systems and
AWS Lambda, AWS ELB, AWS RDS technical
content. Maintaining customer trust and confidence is of the utmost importance to as
and physical measures against unauthorized access. AWS has no insight
to
AWS. what type of content the customer chooses to store in AWS, and the customer
retains complete control
AWS works to comply with applicable federal, state, and local laws, statutes, of how they choose to classify their content; where it is
stored,
ordinances, used,and archived;
regulations and how concerningit is protected security, from disclosure.
privacy, and data protection of
Customer-provided
AWS Cloud servicescontent in order is tovalidated
minimize forthe integrity,
risk of and corrupted
accidental or tampered data
or unauthorized
is
access not written
or disclosure to storage. of customer Amazoncontent. S3 uses checksums internally to confirm the
continued integrity of content in transit within the system and at rest. Amazon S3
provides a facility for customers to send checksums along with data transmitted to
PR.DS-8: Integrity checking mechanisms are · COBIT 5 BAI03.05 SA-10 the service.
AWS Service The teams service create validates
administrator the checksum documentation upon receipt for their of the data toand
services determinestore
used to verify hardware integrity · ISA 62443-2-1:2009 4.3.4.4.4 SI-7 that
the
AWS noseekscorruption
documents occurred
in internal
to maintain dataAWS inintegrity
transit.
document Regardless
during repositories. of whether
transmission, Using athese
storage,checksum documents,
and is sent with
processing
· ISO/IEC 27001:2013 A.11.2.4 an
teams
of customer objectprovideto Amazon initial AWS
content. S3, thetreats
training service
to new uses
teamchecksums
all customer members content internally.
that covers Whenjob
their disk duties,
as on-
Information Protection Processes and PR.IP-1: A baseline configuration of ·· CIS
NISTCSC 3, 9, 11Rev. 4 SA-10, SI-7
SP 800-53 CM-2 AWS
corruption
call has established
or
responsibilities, device formalis
failure
service policies
detected,
specific and the
monitoringprocedures
system toand
automatically
metrics and
associated
provide alarms,employees
attempts
assets
along towith
with restore a
the
Procedures (PR.IP): Security policies (that information technology/industrial control · COBIT 5 BAI10.01, BAI10.02, BAI10.03, critical information.
common baseline forAWS information servicessecurity are content standards agnostic and inguidance.
that theyThe offerAWS the same
CM-3 normal
intricacies
AWS
high level levels
applies of aofsystematic
of security
the object
service tostorage
they
all approach
are redundancy.
customers, supporting.
to regardless
managing External
Oncechange access
trained,
ofpolicy
the to
ofcontent
to service
type ensure content teamstored
that allmembers
being in
changesstored.
address purpose, scope, roles, responsibilities, systems is created and maintained BAI10.05 Information
Amazon
can
are Security
S3 on-call
is logged, Management
and the be logs System
are retained (ISMS) for at ownership
least establishes
90asdays. The guidelines
logs include for
management commitment, and coordination · ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 CM-4 We reviewed,
AWS
protecting
assume
areemploys
vigilant
thethe
tested,
aabout
sharedduties
confidentiality,
andour approved.
and
responsibility
customers’ paged
integrity,
The into
AWS
model
security
and
anfor change
andengagement
data
availability have management
implemented
of
a and
customers’
resolver.
approach
security. In addition
sophisticated
systems AWSand
relevant
to
requires
operates,
technical the access
documentation
that
manages,
and physical request
following
and information,
stored
controls
measures steps
in the be
the
against such
repository,
complete as
infrastructure the
before
unauthorizedAWS accessor also
a change
components, IP
uses address,
Engagement
is deployed:
from object,
the host and
Drills
insightand
among organizational entities), processes, and · ISA 62443-3-3:2013 SR 7.6 CM-5 AWS
content.
operation.
GameDay
1. applies
Maintaining a systematic customer approach trust to managing
and confidence is access.
change of theto ensure AWSthat
utmost has no changes
all
importance and to
as
to Document
operating
are what type Exercises
systemofand communicate
and
content to train
virtualization
the coordinators
customer the change
layer
chooses andviato
down Service
the
to appropriate
the
store TeamsAWS,inAWS
physical
in their
security
and thechange
roles
of the
customer
procedures are maintained and used to manage · ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, CM-6 Likereviewed,
AWS.
AWS
management
responsibilities.
facilities
retains
applies
Amazon in which
complete
atested,
S3,
tool. systematic
Amazon and
the services
control
approved.
approach
Elastic
of steps
how operate.
they
The
Block choose
AWS
to managing
Store to
change change
(Amazon
classify
management
to ensure
EBS)
their employs
content;
approach
that all
where
changes
redundantit is
protection of information systems and assets. A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 requires
AWS
are
storage
2. Plan works
reviewed, that
and the
to
data
implementation following
comply
tested, and
validation. with
ofapproved.
the applicable
To be complete
prevent
change The andfederal,
AWS
data before
loss
rollback state,
change
due ato change
and local
management
proceduresfailure isto
of deployed:
laws,any statutes,
approach
minimize single
CM-7 AWS
stored,
1. implements
Document used, archived; the
andregulations
communicateleast
and functionality
how it
the is protected
change principle
viabeforefrom throughout
theprivacy,disclosure. its infrastructure
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM- ordinances,
requires
hardware
disruption.
components.
AWS
Customer-provided
that
Services
andthe
component,
Network
in following
production each
contentdevices concerning
steps
Amazon
is and beservers
operations
validated
complete
EBS security,
are
forvolume
aremanaged isappropriate
implemented
integrity,
ain change
and a
andwith
automatically
manner
corrupted
isAWS
data deployed:
minimal
thator
change within
protection
replicated
preserves
tampered
of
their
data
4, CM-5, CM-6, CM-7, CM-9, SA-10 CM-9 management
AWS has
Cloud established
tool.
services and maintains company-wide policy that AWS defines roles,
1.
thenot
3.
functionality, Document
same
Test and
theAvailability
change and in ain
communicate
service Zone.order
logically
teams tothe
Amazon minimize
change
segregated,
add EBSAWS the
via
also risk
the of
provides
non-production accidental
appropriate the ability or unauthorized
environment. tochange
create point-for
SA-10 confidentiality,
is
responsibilities
2.
access
AWS Plan written
or to
implementation
Service disclosure integrity
teamsstorage.
and and
ofAmazon
classifications
of
createcustomer the availability.
change
administrator S3foronly
content. uses software
managing
and checksums
rollback
documentation has packages
changesimplemented
internally
procedures to the and toservices
secure
confirm
toproduction
minimize needed
software
the
management
in-time
4.
the
development
continued
environment. Complete
device to atool.
snapshots peerofreview
perform
procedures
integrity
Changes ofvolumes,
its of
tooffunction.
contentthat
AWS the
arewhich
in change
followed
transit
services
are persisted
with
within
and athe
to features
ensure focus to on for
Amazon business
appropriate
system follow
their
andsecure S3. services
These
impact
at security
rest. Amazon
software
and
snapshots
and
controls
store
S3 are
disruption.
the
2.
canPlan documents
begivesimplementation
used asinto in
the internal
starting AWS
the
point document
changefor new and repositories.
rollback
Amazon proceduresUsing these
toby documents,
minimize
PR.IP-2: A System Development Life Cycle to · CIS CSC 18 AWS Certifications, AWS Best Practices, AWS PL-8 technical
AWS
incorporated
provides
development
3. arigor.
customers
facility The
practices, the
for reviewownership
aapplication
customers
which should
toinclude
include
and
design.
to send controlAs a part
checksums
a security code
over ofEBS
review.
risktheir
the
along volumes
content
application
review with prior
and
data to protect
design
todesign
transmitted
launch. through
process, datato
manage systems is implemented · COBIT 5 APO13.01, BAI03.01, BAI03.02, Reference Architectures, AWS Trusted Advsior, SA-10 forTest
teams
disruption.
5.
simple,
new
the
AWS Attain the
provide
long-termbut
applications
service.
Service
change
approval
The
initial
durability.
powerful
teams
in training
for
must
service create
logically
the
tools change
that
participate
validates
segregated,
new
allow
administrator by
in
the
team
an authorized
customers
an AWS
checksum
non-production
members
documentation
that
individual.
to determine
Security
upon
covers
review
receiptfor
environment.
wheretheir
including
their
of the
job duties,
their
services
data tocontent
registering
and
determine
on-
store
4.
call Complete
responsibilities, a peerinreview ofspecific
thesegregated,
change with a focus on and business impact and
BAI03.03 AWS CloudFormation, AWS Config, AWS 3.
In Test
will
that
the
AWS order theto change
bedevelopers
stored,
application,
documents
no validate
corruption how
in itservice
that
initiating
internal
awill
occurred
that
logically
changes
require bein
the
AWS secured follow
application
transit.
accessdocument
monitoring
toin the
transit
risk
Regardless standard ormetrics
non-production
classification,
repositories.
production of change
atenvironments
rest,
whetherUsing
alarms,
environment.
management
andparticipating
aaccess
these
checksum
must
along
to their
documents, in
is
explicitly
with
AWS
the
sent
the
with
SA-11 technical
AWS
intricacies
4.
procedures, applies
Complete rigor.
ofall apeer
the
awill The
systematic
service
changes review
review to they should
approach
of
the are
the
AWS include
to managing
supporting.
change with
environment a code
Once
a focus review.
change
are trained, to service
on business
reviewed ensure on that
team
impact
at least allmembers
achanges
and monthly
· ISA 62443-2-1:2009 4.3.4.3.3 ConfigRulesAWS CloudTrail, Customer environment
architecture
an
teams
request objectprovideto
access review
Amazoninitial
throughmanaged.
andtraining
S3, thethreat
the AWS modeling,
service
to new
access uses
team performing
checksums
members
management code
that
internally.review,
covers
system, havetheir
When and
the job performing
disk duties,
access on- a
SA-12 5.
to
can
technical
Key
basis. Attain An approval
a assume
production
suppliers on-call
rigor.
audit areThe
trail for
environment
duties the
review
identified
of the change
and are
should
and
changes bechosenbyinclude
reviewed,
paged an authorized
foratested,
into
ismonitoring
maintained an
code
their individual.
and
engagement
review.
ability
for a approved.
to
least as ayear.
provide
one Facilities,
resolver. AWSIn
service to addition
defined
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, Responsibility penetration
corruption
call
reviewed and test.
responsibilities,
or device
approved service
failureby is
thespecific
detected,
appropriate the system
owner, metrics
automatically
and uponand alarms,
approval attempts
along
obtain to
with restorethe
In
equipment,
to
5.
requirements.
maintains order
the
Attain toapproval
validate
and
documentation
processes software
Qualified that
for stored
the
toservicechanges
components
detect change
suppliers follow
inunauthorized
the by
are anof
repository,the standard
production
authorized
added to AWS
changes the change
operations
also
individual.
approved
made uses
to management
are
Engagement
supplier
the identified
liststored
environment. Drills
maintained Any and
A.14.2.1, A.14.2.5 SA-15 AWS has
maintainsimplemented a systematic global privacy
approach, and
to data
planning protection
and best
developing practices new in order
services to
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4,
normal
intricacies
authentication.
procedures,
throughout
GameDay
In
by
exceptions
helping order
the
levels
AWS
ofall
theirthe
Exercisesof
toenvironment,
validate
are
customers
AWS
supplier
object
service
changes
lifecycle
analyzed that
storage
to they
tomanagement
establish, train the
changes
tobuild
are
teams
AWS
todetermine
ensure redundancy.
coordinators
operate
supporting.
follow maintain
environment
that
team. the
and only
the and
Through
root
External
leverage
Once
service
acceptable
Service
standard
cause. are
the
our
trained,
access
specific
reviewed
Teams
change
use
Appropriate
security
service
of90as
to
components content
change
on
incontrol
their
management
established atteam
actions roles members
management
least
are a
usedand
assessment
are
environment. in forto
in
monthly
taken
SA-17 the
Customers
Amazon
can
standards
AWS
basis.
production. AWS
assume S3
Services
An assume
thaton-call
auditis logged,
inherit
in
trail duties
production
of and
and to
responsibility
the ensure
and
the
changes be
logs
on
operations the
and
paged
are
the
is quality
management
retained
AWS into
are
maintained and
an
Change
managed security
for of
engagement
for at the
least
Management
a in a
least requirements
guest
manner
one operating
days.
a resolver.
that
year. The are
guidelines. logs
In
preserves
AWS met
system with
addition
include their
SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI- responsibilities.
procedures,
bring
These the all
AWS
change
security changescontinuously
into
protections to the
compliance and AWS monitors
controlor environment
roll suppliers
back
processes the are
change,
are reviewed
toalsoensure if
independently that on
necessary. atvalidated
they least
are atomonthly
Actions by are
each
(including
relevant
to
confidentiality,
maintains therelease. access
documentation AWS’
updates
processes request and
integrity strategysecurity
information,
stored
toand and
detect for
in thethe
patches),
availability.
unauthorized design
such
repository, asand
other
AWS the AWS
changes development
associated
accessor
has implemented
made uses
to of
application
IP address,
the services
Engagement
secure object,
environment. is
software,
software clearly
and
Drills Anyasand
12, SI-13, SI-14, SI-16, SI-17 SA-3 AWS
basis.
conforming
then
multiple
define maintains
An
taken audit
to
third-party
services ina terms
trail
toaddress
specificsystematic
of the
AWS
independent
of approach
changes
requirements.
remediate
customer isthe
assessments.
use toprocess
planning
maintained
cases, The for
extent
or
service and
people developing
a least
of one
assessment
issue.
performance, year. new AWS
for services
marketing a supplier foris
and
well
operation.
GameDay
AWS as the
applies configuration
Exercises
aanalyzed
systematic to to trainof the AWS-provided
coordinators
approach to and
managing security
Service change group
Teams to infirewalls
their roles and and other
SA-4
development
exceptions
The
the
maintains
dependent
AWS
distribution
development,
AWS maintains
areprocedures
environment
processes
upon the test to and
amanagement,
requirements, systematic
that
to
detect
significance are
determine
production
ensure followed
that
unauthorized
approach
production of the the
andproduct
to
to
root
environments
quality ensure
andcause.
changes
planning
testing, security
and/or appropriate
Appropriate
emulate
made
and
and toensurethe
requirements
service
developing
legal the that
security
actions
production
environment.
purchased new
all
are are
and,
changes
controls
met
services
taken
system
Anywith
where are
for
to
security,
Like
responsibilities.
to
incorporated
bring
environment
each
exceptions the change
Amazon
a production
release. change
are andS3,
into
AWS’s Amazon
environment
the
into
are
analyzed application
compliance
used
strategy toElastic
toensure are and
properly
fornew or
the
logging
Block
reviewed,
design. roll
assess
design Store
As
back features.
tested,
part
and
and the(Amazon
of andthe
change,
prepare
development if and
EBS)
approved.
application
for regulatory
ofemploys
necessary.
the The
impactdesign
services AWS redundant
Actions
of Change
isprocess,
amet
tochange are
clearly
SA-8 applicable,
the
requirements.
storage
AWS
Management
new
then
to
AWS
the operates,
and
applications
taken
production
upon
environment
todata The
approach
address
previously
design
manages,
validation.
must
system and
to ofdetermine
and
requires
participate
demonstrated
all
To
remediate
environment.
that
controls
prevent
that in
the
quality
services
an
the the
In
root
data
following
AWS
process
order orcause.
performance.
and
infrastructure
loss
Securitysecurity
any
due
or
to steps
Appropriate
significant
people
reduce to requirements
failure
components,
be
review complete
issue.
the of
actions
changes
any
including
risks of
are
from to
single
before
are
the
a
taken
current
registering
unauthorized
withto
host
change
define
bring
All
each
services services
the
purchased
release. change
follow AWS’s in
secureterms
into
materials of
andcustomer
compliance
strategy
software services or roll
fordevelopment
the use cases,
back
intended
design and the service
for change,
use
development
practices inperformance,
and ifarenecessary.
production of marketing
Actions
processes
services
controlled is to
through areanda
are
clearly
SI-12 hardware
operating
is
the
access
AWS
distribution deployed
application,
or
treats component,
system
to
changeall the and
to
customer the virtualization
production
initiating each the Amazon
production
content environment:
application
and layer
EBS
environment, down
volume
risk
associated to is
the
classification,
the
assets automatically
physical
development,
as highly security
participating replicated
test
confidential. of
and inthe within
theAWS
then taken
specified
define
project intorequirements,
services
management address
purchasingin terms and
system production
ofremediate
documents.
customer
with the
All and
use testing,
process
component/material
cases,
multi-disciplinary orand
servicepeople legal and
issue.
performance,
participation. regulatory
specification marketing
Requirements documents anda
SI-13
the
facilities
architecture
production
Cloud
requirements.
are
N/Areviewed
distribution
same Availability
in
services which
review
environments
The
and
the
areapproved
requirements,
and
content
design Zone.
services
threat
are
of Amazon
agnostic
byall
production
operate.
modeling,
logically
new in
management
EBS AWS
that
services
and
also
performing
separated.
they or
personnel
testing,
provides
endpointsIn
offer
any and
code
order
the the
are
same
significant
prior
legal
ability
tested
review,
to apply
to
and high as
changes
use.
to
and create
part
changes
level
Additional
regulatory
ofcurrent
performing
toof AWS
to theand
point-
security
service
in-time
compliance
1.
penetration Document specifications
snapshotsvulnerability
andregardless
communicateare scans.
of volumes, established which
the during
are
change via service
persisted thebeingto development,
Amazon
appropriate S3.
AWS taking
These change intoof tests
snapshots
SI-14
AWS
to
services
requirements
requirements.
N/A
account are test.
production
all customers,
legal controlled
not
The
and
environments,
specified
design
regulatory throughof onof
all the AWS
anew type
project
component/material
requirements,
service
ofmanagement
services content orteams
customer any must
specifications
significant
contractual
firstwith
stored.
system run
We are
changes aarefull
conveyed
commitments, toset
vigilant
multi-disciplinary
current about
via
and
can
AWS
management
in
our
participation. thebeCloud
used
test
customers’ as the
services
tool.
environment, starting
security
Requirements areand point
managed the
have
and for innew
testing a manner
implemented
service Amazon
methodology
specifications that EBS
sophisticatedmustvolumes
preserves
are their
betechnical and
documented.
established to protect
confidentiality,
and
during physicaldata
service
purchase
services
requirements orders
are controlled
to or contracts.
meet thethrough Purchase
ahasproject orders
management and/or contracts
system convey
with the degree
multi-disciplinary of
SI-16 for
integrity,
Different
2.
measures
development, long-term
Plan and
instances
implementation
against durability.
availability.
taking running
unauthorized
into ofconfidentiality,
AWS
theonchange
account the
access. same
legal and
AWS
and
integrity
implemented
physical
rollback
has
regulatory noand
secure
machine availability
procedures
insight software
areas
requirements, isolated
to what
to of
minimizethe
development
from
type
customer
service.
ofeach
control AWS
participation.
Service reviews establishes
Requirements
are completed with and their
as service
partsuppliers
of to ensure are
specifications
theappropriate
development quality product
established
process. Prior and/or
duringto service
SI-17 procedures
other
disruption.
The
content
N/A
contractual
service.
development,
viathe
AWS the thatXen
service,
customer are
commitments,
taking
followed
hypervisor.
including
chooses
into
toAWS ensure
andapplication
account torequirements
store
legal
is in that
active
andAWS, in meet
programming
to the Xen
and the security
community,
interfaces
customer
therequirements,
confidentiality,controls
retains
(APIs),which arelaunch,
are provides
complete
integrity,labeled
each
incorporated
awareness
3. Test
control of the
marked thehow
of following
of into
change
by the they the
latest
in
identifiers. requirements
aapplication
choose developments.
logicallyFacilities, must
design.
segregated,
to classify In be regulatory
As
equipment,
their complete:
part
addition, of
non-production
content, the
and the
where application
Amazon
software EC2
environment.
itensure
isas
components
stored,
customer
design
firewall
how process,
itresides
are islegal
PR.IP-3: Configuration change control · CIS CSC 3, 11 AWS Resource Tagging, AWS Config, AWS CM-3 and
AWS
contractual
•tracked availability
maintains
applies of
apeer-review the
standard
systematic
commitments, service.
contract
approach
and Service review
requirements to reviews
and
managing are
signature
toSecurity
meet completed
change the processes
tointerface
confidentiality, part
that
that ofinclude
the
all changes
integrity,
4.Security
new
within
used,
development applications
Completethe
and such Risk
hypervisor
how athat itAssessment
process. must
is participate
layer,
quality-impacting
protected
Prior of between
to the
from
launch, in
change an
the
disclosure.
issues AWS
each physical
with
and
of aerrors
the network
focus on
are
following review,
business
traceable which
requirements and
impact
to includes
relatedtheand
must be
processes are in place · COBIT 5 BAI01.06, BAI06.01 Config Rules, AWS Cloud Formation, AWS •reviews
are
and
registering
instance’s
technical
components.
AWS
reviewed, that
availability
Threat modeling
hasthat thefocus
virtual
rigor.
tested,
implemented
on
ofinterface.
the
application,
The
protecting
and
review
approved.
service.
datastepsinitiating
All
should
AWS
Service
packets
handling
The resources.
AWSpass
reviews
application
includeand must a code
change
are
classification risk
through
review.
management
completed thisas
classification,
requirements layer, approach
partparticipating
of the
thus
that an provide in
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 CloudTrail, AWS CloudWatch & CloudWatch complete:
requires
development the
process. following Prior be access
complete before acode
change isanydeployed:
• Security
architecture
instance’s
•5.
specifications Attain approval design
review
neighborsaround:
reviews
forandhave
the notomore
threat
change launch, by aneach
modeling, toofthat
performing
authorized theinstance
following
individual. requirements
review,
than and
other must
performing
host onbethe a
· ISA 62443-3-3:2013 SR 7.6 Logs, Customer Responsibility
CM-4 • Security
1.
complete:
penetration
Internet Document
Secure risk
code
and and
test.
can
assessment
reviews
a be
communicate
treated as if the theychange are on via separatethe appropriatehosts.
for dataphysical ownership andThe
AWS change physical
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, •AWS
• Threat
management Data employs
Security encryption
modeling
risk tool.
testing
shared
assessment
responsibility model security. AWS
SA-10 Random-Access
•Where
operates,
AWS Content appropriate,
Service
Security manages,
in transit
design teams Memory acreate
and
reviews continuous
during(RAM)
controls storage
administrator is infrastructure
separated
deployment
the documentationusing
methodology similar
components, for ismechanisms.
conducted
their fromservicesthe to host ensure
and store
A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 2. Plan implementation
Threat modeling of the change and rollback procedures to minimize
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA- ••changes
operating
the
disruption.
• Security
Vulnerability/penetration
Access
documents
Secure are
code automatically
system in
reviews and
internal virtualization
AWS
testing
built, tested,
documentlayer and down pushed to the
repositories. to physical
production,
Using with
security
these the
of the
documents, goal of
PR.IP-4: Backups of information are conducted, CIS CSC 10 CP-4 The
eliminating AWSindesign business
as initial
many reviews
continuity
manual planasdetails
steps possible. the three-phased
Continuous approach that
deployment AWS to has
10 •facilities
• Retention
teams
3. Testprovide
Security the
which
testing
change
the services
in training
aandlogically tooperate.
new
segregated,team members
non-production that covers their jobseeks duties, on-
maintained, and tested periodically · COBIT 5 APO13.01, DSS01.01, DSS04.07 CP-6 developed
Within
•eliminate
call
Secure
Physical anycodeto
the singlereviews
recover
manual
controls
responsibilities, AWS nature
service
reconstitute
region of thisthere
specific
themultiple
are
process
monitoring
AWS infrastructure:
and automate facilities
metrics eachorenvironment.
data
step,centers
allowing called service
· ISA 62443-2-1:2009 4.3.4.3.9 4.
•AWS Vulnerability/penetration
Complete
Security
Activation a peer
testing
and review testing
of the change withtoaidenticalfocus on and business alarms, impactalongand with the
CP-9 Availability
•teams
Each
intricacies Mobile Services
Amazon Zones.
to standardize
devices
of the inNotification
EBS Each
the process
production
volume
service data
they
Phase
center
stored
are and
isoperations is
as
supporting. built
increase
aarefile, the
andefficiency
managed
Once AWS in aphysical,
trained, creates withtwo
manner
service environmental,
which
that they
preserves
copies
team ofdeploy
members thetheir
· ISA 62443-3-3:2013 SR 7.3, SR 7.4 technical
•confidentiality,
and Recovery
security rigor.
Vulnerability/penetration
Phase The
standards reviewin and an should
testing
active-active include a code
configuration. review. System management
PR.IP-5: Policy and regulations regarding the · COBIT •code.
EBS
can
5.
In continuous
Handling
volume
assume
Attain on-call
approval
integrity
requirements
for deployment,
redundancy.
duties
for the and
change Both
be an
availability.
paged
by
entire
copies
an into release
AWS
reside
authorizedan has
in process
engagementimplemented
the same
individual.
is asaAvailability
"pipeline"
a secure software
resolver. containing
Zone,
In addition
ISO/IEC527001:2013
DSS01.04, DSS05.05
A.12.3.1, A.17.1.2, AWS Certifications PE-10 The
• Reconstitution
activities AWS data
arewhile center
performedPhase by electrical AWS power systems
personneltowho are designed
are also cleared to
and be fully
authorized redundant to
physical operating environment for ·A.17.1.3,
ISA 62443-2-1:2009
A.18.1.3 4.3.3.3.1 4.3.3.3.2,
"stages”.
development
however,
to
In
and
This the
order documentation
maintainable
approach
procedures
tosovalidate ensures Amazon
that
without stored that
changes
that impactinare
EBS
AWS the followed
replication
torepository,
follow the system
operations,
performs
ensure
can AWS
standard 24survive appropriate
hourschange hardware
uses
a day.
security
Engagement
management
Power failure; controls
to AWS is work
itDrills not
data
are
and
within
incorporated
suitable AWS data
into centers.
the applicationThere forare design. no alternate
As
andpart ofrecovery
data thecenters
applicationandin reconstitution
the sense
design of
process,
organizational assets are met 4.3.3.3.3,
· NIST4.3.3.3.5, 4.3.3.3.6
SP 800-53 Rev. 4 CP-4, CP-6, CP-9 GameDay
procedures,
centers
efforts
traditional
AWS
new isasaprovided
in
host
applications
anallavailability
Exercises
methodicalchanges
cold/warm/hot
configuration must
to
through totool
train
sequence,the
sites
settings
participate
coordinators
localAWS prolonged
power environment
maximizing
maintained
are
in providers.
monitored
an AWS
outages
Service
the
in application
the
Security
areInor
effectiveness
toevent
validate
disaster
Teams
reviewed
the event
oflevel,
review
inon
acompliance of
Continuity
recovery
their
the
including
roles
at least
disruption,
recovery
of
with
purposes.
aandmonthly
UPS
Operations
AWS
registering and
We
responsibilities.
basis. recommend
Ansituation.
auditbackup that
trail ofyou thereplicate
changes data at
is maintained the for a centers,
least inone and/or
year. create
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, units
reconstitution
(COOP)
security
the
backups.
providestandards
application,Amazon
efforts All
and
initiating
EBS
power
and
AWS
automatically
the
provides
or
minimizing
data critical
centers
application
snapshots
and
system
pushed are
riskessential
that
outage
live
to the data loads
host
classification,
capture
time due
fleet.
the
the to
and
Firewall
participating
data storedall AWS
facility
errors and the
and
relevant
policies
onin an Any
A.11.2.2, A.11.2.3 maintains
generators
omissions.
security processes
are
controls used areandtoto detect
provide
applicable unauthorized
backup
across power
all AWS changes
for the made
entire to the
facility. environment.
(configuration
architecture
Amazon EBS review files) are automatically
threat modeling, pushedperforming todatafirewall centers.
code devices AWS
review, personnel
every
and 24(for hours.
performing with a
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE- exceptions
Each
AWS
approved Availability
maintains arevolume
logical analyzedZone
aaccess
ubiquitous atis a designed
to
are
specific
determine
security
capable
point
ofthe
as an in
controlroot time.
independent
providing cause. If the
environment
remote
volume
Appropriate
failure across
support
is corrupt
zone. actions
toallAutomated
regions.
other are taken
Each as
facilities to
penetration
example, due test.to customer
system failure), or
13, PE-14, PE-15, PE-18 bring
processes the change into compliance ordataroll from
backthe itthe is deleted,
change, ifyou incan therestore
necessary. ofthe
inActions are
data
necessary.
In order
volume
center tomove
from
is built
validate
snapshots.
to
that physical, trafficenvironmental,
changes away
follow from
the standard affected
and security
change area standards
management case an a failure.
active-
then
active taken to address
configuration, andAmazon
employing remediate anEBS thesnapshots
n+1 process
redundancy orare AWSissue.
people objects to system
which IAM
procedures,
Customers
users, groups, alland
assume changes to
responsibility
roles can the beAWS and
assigned production
management
permissions, ofmodel
environment thethat
so
toare
guest ensure
only reviewed
operating
authorized on users
system at least
availability
a monthly.
(including in the
An auditand event trail ofof component
the changes failure.
patches),isother Components
maintained (N)
for aapplication have
least a year. at least one
can
independent access updatesAmazon
backup EBS
security
component backups. (+1), so the backup
associated
component is activeand
software, as
in the
well as the configuration of the AWS-provided security group firewalls other
PE-12 operation
Emergency
security,
The AWSchange evenchanges
data if all follow
other
management,
center electricalcomponents
theand AWS
power logging are fully
incident
systems features. functional.
response
are designed Intoorder
procedures. be fully to eliminate
Exceptions
redundant to
single
the change points of failure,
management this modeltois applied throughout AWS, including network
PE-13 and
Each
and
maintainable
AWS
data center
without
dataimplementation.
center isprocesses
impact
evaluated All
are
todata
documented
operations,
determine
centers
24the
are
and
hours escalated
controls
online
a day.
and that to
Powermust
serving
AWS to
be AWS
traffic;
data
no
management.
centers
implemented is provided to through
mitigate, local power
prepare, monitor, providers.
and respondIn thetoevent natural of disruption,
disasters or UPS
PE-14 data
Each
units provide center
AWS is
data“cold.”
backup center In is
power case
evaluated
of failure,
or Controls to
critical and determine
there is sufficient
the
essential loads controls capacitythat
in the facility must
to enable
beand traffic
malicious
to
implemented be actsto
load-balanced that may
mitigate, to the occur.
prepare,
remaining monitor,
sites. implemented
and respond to to address
natural environmental
disasters or risks
PE-15 Each
Refer
generators
can AWS
to theare
include, data
following
butused center
aremay to is
AWS
notprovide evaluated
limited Audit
backup
to, the to
Reportsdetermine
power
following: the
forforadditional controls
entiredetails: that must
facility.HKMA TM-G-1, be
malicious
implemented
PCI 3.2, ISOacts
Availability tothat
27001, mitigate,
Zone ISOis occur.
prepare,
27017,
designed Controlsmonitor,
HIPAA,as an implemented
andand
IRAP,
independent respond
NIST to address
to
800-53,
failure natural SOC
zone. environmental
disasters
2 COMMON
Automated or risks
PE-18 Each
• AWS
can AWS data
include, data
centers
but center
are not2isequipped
are evaluated
limited to, with to determine
the sensors
following: themastercontrols shutoffthat must
valves beto detect
malicious
CRITERIA,
processes acts
move tothat
SOC 1may
customer & occur.
CONTROLS
traffic Controls
away implemented
from the respond
affected to to address
area in the environmental
case of to adetect risks
failure.
PR.IP-6: Data is destroyed according to policy · COBIT 5 BAI09.03, DSS05.06 AWS Certifications, Customer Responsibility MP-6 •implemented
the
Data
can AWSpresence
destruction:
data centers
include,
of
but
mitigate,
water.
areContent
are
not
prepare,
Mechanisms
on drives
equipped
limited to,
monitor,
with are
the
in
is treated
sensors
following:
and
place atand to
theremove
highest
master natural
water
level in
shutoff ofdisasters
order
classification
valves to or
prevent per
· ISA 62443-2-1:2009 4.3.4.4.4 malicious
any additional actsof that
water may damage. occur. Controls implemented to
as address environmental risks
•AWS
the
• AWS
can
policy.
presence
Automatic data centers
include,
Content
butwater
fire
water.
are are
not
detection
is destroyed
Mechanisms
equipped
limitedand to,with
onarestorage
in
sensors
the following:
suppression
place devices
equipmentandto remove
master part water
has shutoff
been
of the invalves
order to
installed
to detect
prevent
to reduce
· ISA 62443-3-3:2013 SR 4.2 decommissioning
any
the additional
presence of water.processdamage. in
Mechanisms accordance are in with
place AWS to security
remove standards.
water in order to prevent
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, ••risk
AWS AWS and data
hosts
Automatic notify centers
are
fire the
securelyAWSare equipped
detection Security
wiped or with
and suppression Operationssensors
overwritten and master
Center
prior
equipment toand shutoff
hasemergency
provisioning
been installed valves
for to reduce
responders
reuse.
to detect
AWS in
any
the additional
presence
event of aoffire. water
water. damage.
TheMechanisms
fire detection are in place
system uses tosmoke
remove waterprior
detection insensors
order to(e.g.,
prevent
A.8.3.2, A.11.2.7 •media
risk and is notify
Theadditional
data securely
center the wiped
AWS
electrical or degaussed
Security
power Operations
systems and physically
areCenter designed destroyed
and emergency to leaving
responders in
· NIST SP 800-53 Rev. 4 MP-6 any
Very
AWS
the Early
secure
event ofSmoke
azones.water
fire. The damage.
Detection fire detectionApparatus system [VESDA], pointtodetection
be fully
source redundant
detection) in and
all data
maintainable
•Very
center Automatic without
fire
environments, detection impact
mechanical and tosuppression
operations,
and electrical 24uses
equipmenthours smoke a has
infrastructure day.been UPS unitssensors
installed
spaces, provide
chiller
(e.g.,
to in reduce
rooms,
To
backup validate
Earlypower AWS’s
Smoke in secure
Detection wipe an processes
of Apparatus and
[VESDA], procedures,
forpoint third-party
source detection) auditors allin data
risk
and generator
review
center and thenotify
guidance
environments, thethe
equipment AWS event
within Security
rooms.
mechanical the AWS
electrical
Operations
These
and areas
media
electrical
failureCenter
are
protection protected critical
and
infrastructure policy, byand
emergency eitheressential
observe
spaces, responders
wet-pipe, loads
degaussing
chiller rooms, in
the
the facility.
event ofandData
a fire. centers
The fireuse generators
detection system to provide
uses backup
smoke power
detection for the entire
double-interlocked
equipment
and
facility. generator secure
equipment pre-action,
shred rooms. bins orThesegaseous
located sprinkler
within
areas areAWS systems.
protected facilities,
by either andsensors
review
wet-pipe, (e.g.,
historical
Very
• The Early data
thatcenterSmokeelectrical Detection Apparatus
power systems [VESDA],
are designed point tosource
be fully detection)
redundant in and
all data
•tickets
double-interlocked
center Availability tracked
environments, Zones theare destruction
pre-action, physically
mechanical
or gaseous
and
and removal
separated sprinkler
electrical within of storage
systems.
a
infrastructure
media
metropolitan spaces,
fromregion the and
provideand in
chiller rooms,are
•maintainable
environment.
The dataflood
different centerwithout electrical
plains.
impact to operations,
power systems are 24 designed
hours a day. to be UPS fully unitsredundant
and
backup
Data generator
powerwithout
deletion equipment
in
for the
block event rooms.
device of toanbased These
electrical areas
storage are
failure
24(e.g., protected
for acritical
Amazon by and
EBS, either wet-pipe,
essential
Amazon loads
Relational in
•maintainable
Each Availability
double-interlocked Zone impact
pre-action, is designed operations, as an hours
independent day.
failure UPS units
zone. provide
for Automated
the
Database
backup facility.
power Data
Service centers
[Amazon
incustomer
the event use of anorelectrical
generators
RDS], gaseous
ephemeral to sprinkler
provide
failuredrives): for systems.
backup In area
critical power
order and tothe ensure
essentialthe thatentire in
ofloads
•processes
The
facility.
customer
the data
facility.
move
center
content
Data centers electrical
is properly
traffic
power away
erased, AWS
use generators systems from are the affected
designed
wipes underlying
to provide to
backup power be in
fully
storage
case
redundant
for media
the entire
a failure.
uponandre-
maintainable
• Climate control
provisioning
facility. without
rather is than impact
required upontode-provisioning.
operations,
maintain 24 hours
a constant Processes a day.that
operating UPS units
temperature
wipe provide
content forupon servers
backup
and
release
• Climate other powerhardware,
of control in
an assetis(e.g., the event
which
required of
volume, an
prevents electrical
overheating
object) are
to maintain failure for
and
less reliable
a constant critical
reduces
operating and
the
than temperature essential
possibility
processes that loads
of
foronly inre-
servers
the
and facility.
service
provision other outages. Datastorage
clean
hardware, centers
Data which touse
centers generators
are conditioned
customers.
prevents to provide
Physical
overheating toservers backup
maintain
and power
canatmospheric
reduces reboot for
at any
the possibility the entire
conditions
time offor at
facility.
specified
many
servicereasons levels.
outages. (e.g., Personnel
Data powercenters andare
outage, systems system
conditioned monitor
process and
to maintain control
interruption temperature
atmosphericor failure), and
which at
conditions
•humidity
mightClimate
specified leave control
at appropriate
a wiping
levels. is required
Personnel levels.
procedure to maintain
This
and systems is
in an incomplete a
provided constant
monitor and at operating
N+1
state. and
Customers
control also temperature
uses
temperature free
do notand for
have as
cooling servers
and
primary
access
humidity other hardware,
tosource
block
at of
devices
appropriate which
cooling or prevents
when
physical
levels. Thisandmediaoverheating
iswhere
provided it iswas
that atand
available reduces
previously
N+1 and basedalsothe on
used possibility
uses local
tofreestorecooling of
another as
service
primaryoutages.
environmental
customer’s sourcecontent. ofData
conditions. centers
Wiping
cooling when areand
blocks conditioned
atwhere
the time it istocapacity
maintain
available atmospheric
is based
re-provisioned
on local conditions
is sufficient at
specified
•to Availability levels.
ensure that the
environmental Zones Personnel and systems monitor
previous content cannot be recovered from a new volumeand
conditions. are physically separated within and acontrol
metropolitan temperature region and or are in
humidity
• Availability Zones are physically separated within a metropolitan region and are as
different
object. at
flood appropriate
plains. levels. This is provided at N+1 and also uses free cooling in
primary
•Data
Each
different source
Availability
deletionfloodfor of cooling
Zone iswhendesigned and where
as an
non-block device services: For services such as Amazon S3 or
plains. it is
independent available based
failure on
zone. local
Automated
environmental
processes
Amazon moveconditions.
DynamoDB,
• Each Availability customerZone istraffic
customers designed away
never asfrom
see antheattached
an independent affectedblock area device,
failure inzone.
the case onlyofobjects
Automated a failure.
•processes
Availability
and the path move toZonesthat
customer are physically
object (for example
traffic away separated a table
from within
the or an aitem).
affected metropolitan
area When in thea regioncustomer
case ofand are in
deletes
a failure.
different
an asset inflood theseplains. services, the deletion of the mapping between an asset identifier or
• Each
key andAvailability
the underlying Zonecontent is designed beginsasimmediately.
an independent Once failure zone. Automated
the mapping is removed,
processes
the contentmove is nocustomer longer accessible traffic away and from cannot thebeaffected
processed areabyinan theapplication.
case of a failure.
PR.IP-7: Protection processes are continuously · COBIT 5 APO11.06, APO12.06, DSS04.05 AWS Certifications, Customer Responsibility CA-2 The AWS Compliance Assessment Team (CAT) maintains a documented audit
improved · ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, CA-7 schedule
AWS of internal
conducts and external
monthly monitoring assessments to ensure
of its security implementation
posture and
through a continuous risk
4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8 operating effectiveness
assessment and monitoring of the AWS control
process. environment to
Additionally, meet business,
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, CP-2 The AWS Business
regulatory, Continuity
andancontractual policy
objectives. lays out the annual security
guidelines used assessments
to implementare
conducted
procedures by accredited
to respond Third-Party
toa aformal,
serious outage Assessment Organization (3PAO) to
Clause 10 IR-8 AWS
The needs
validate hasthat
implemented
and expectations
implemented of internal
security andorexternal
documented
controls
degradation
incident
continue
of are
parties
be
AWS
toresponse
services,
policy
considered
effective. and including
Securityprogram.
the recovery model
The policy addresses and its
purpose, implications
scope, on
roles, the business continuity plan.
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, PL-2 throughout
assessments the
thatdevelopment,
include analysis and responsibilities,
a riskimplementation, and auditing
a Plan of Actionof and
themanagement
and AWS control
Milestones
IR-8, PL-2, PM-6 commitment.
environment.
(POA&M) areParties include,
submitted but are notofficials
to authorizing limited to:for review and approval.
PM-6 N/A
AWS uses a three-phased approach to manage
 AWS customers, including customers with aincidents:
contractual interest and potential
Refer
1. to the following
Activation
customers. AWS Audit
and Notification PhaseReports for additional
– Incidents for AWSdetails:
begin withPCI the
3.2,detection
ISO
27001,
of an ISO
event. 27017,
Events NIST
originate800-53,
from SOC 2
several COMMON
sources suchCRITERIA
as:
 External parties to AWS, including regulatory bodies such as the external auditors
•and
Metrics and alarms
certifying agents.– AWS maintains an exceptional situational awareness
capability; most issues are rapidly detected from 24x7x365 monitoring
 Internal parties such as AWS services and infrastructure teams, security, legal, and alarming
of
andWreal time metrics
overarching and service and
administrative dashboards.
corporateThe majority of incidents are detected
teams. W
in this manner. AWS Wuses early indicator alarms to proactively identify issues that
may ultimately impact customers.
AC-21 W
CA-7 If W
the event meets incident criteria, the relevant on-call support engineer uses AWS’s
SI-4 event
W Wmanagement tool system to start an engagement and page relevant program
AWS Certifications, Customer Responsibility CP-12 resolvers
N/A (e.g., AWS Security). The resolvers will perform an analysis of the
incident to determine if additional M resolvers should be engaged and to determine W the
CP-13 N/AW M
approximate root cause.
CP-2 W WM
CP-7 incident.
W After addressing troubleshooting, break fix and affected W components, W the
IR-7 call
W leader will assign follow-up documentation W and follow-up actions and end the
call engagement. W W W
IR-8 3.WReconstitution Phase – The call leader will declare the recovery phase complete
IR-9 after
WWthe relevant fix activities W have been addressed. W The post mortem and deep root
PE-17 cause analysis of theW
W incidentW W MM
will be assigned toWthe relevant
W team. The results WW of
theWpost mortem will be reviewed W by relevant senior management and actions and
AWS Certifications, Customer Responsibility CP-4 W
WW in a Correction of Errors (COE) document
captured Wtracked to completion.
and W
IR-3 ToWensure the effectiveness ofWthe AWS incident W W responseW plan, AWS conducts W
M
incident
W response testing.
W W This testing provides excellent coverage for the discovery
PM-14 N/AW W
of previously unknown M defects and failure modes.WIn addition, W it allowsWthe AWS
AWS Certifications, Customer Responsibility PS-1 W
W
Security and service teams to test the systems for potential customer impact and
M W W W
PS-2 further
W prepare MWasWdetection W and analysis,
W staff to handle incidents such W containment,
PS-3 eradication,
W Wand recovery, and post-incident activities. W M
M incident response testWplan isW
The executed annually,Win conjunction with the incident
PS-4 W W
response plan. W The test plan includes multiple scenarios, potential W vectors of attack,
PS-5 andW
W the inclusion of theW systems integrator in reporting and coordination (when W W
PS-6 applicable),
W as wellW as varying reporting/detection avenues (i.e. cus W
W W W W W
PS-7 W W
W W
PS-8 W W
SA-21 N/A W W
W W W W
W W W
AWS Certifications, Customer Responsibility RA-3 W
W W W
RA-5 W W WW
W W
SI-2 W
W W
M M M M M MA-2 W
W
W WW
W
W W W
W W
M M M WW
M
W WW
W W W
W
W W
W
W
W
W
repairs of industrial control and information organizational assets is performed and logged in DSS01.05
system components is performed consistent with a timely manner, with approved and controlled · ISA 62443-2-1:2009 4.3.3.3.7
policies and procedures. tools · ISO/IEC 27001:2013 A.11.1.2, A.11.2.4,
A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-
5, MA-6
MA-3 AWS monitors and performs preventative maintenance of electrical and mechanical
MA-5 equipment
AWS to maintain
monitors the continued
and performs operability
preventative of systems
maintenance within AWS
of electrical data
and mechanical
centers. to maintain the continued operability of systems within AWS data
equipment
MA-6 AWS
In order monitors andmaintenance
to ensure performs preventative
proceduresmaintenance
are properly of electrical
executed, AWSand assets
mechanical
are
centers.
equipment toowner
maintain the
PR.MA-2: Remote maintenance of · CIS CSC 3, 5 AWS Certifications, AWS IAM, CloudTrail, MA-4 AWS
assigned
In monitors
order anensure
to and are continued
andmaintenance
performs tracked andoperability
preventative
monitored
procedures
ofwith
maintenance systems
are properly of
AWS within
electricalAWS data
and assets
proprietary
executed, AWS mechanical
inventory
are
organizational assets is approved, logged, and · COBIT 5 DSS05.04 AWS CloudWatch & CloudWatch Logs, AWS centers.
equipment
management toowner
maintain
tools. AWS the continued operability ofare
systems within
byAWS data
assigned
In anensure
order to and areasset
maintenance
owner
tracked and procedures
monitored
procedures withcarried
AWS out method
proprietary of using
inventory
performed in a manner that prevents · ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, Config, AWS Config Rules, Customer centers.
a proprietary
management tool with
tools. AWS specified
asset checks
owner thatare properly
must
procedures
executed,
be completed
are carried out
AWS assets
according
by method
are
toofthe
using
unauthorized access 4.3.3.6.7, 4.3.3.6.8 Responsibility assigned
Inproprietaryan owner
order to ensure and are
maintenancetracked and monitored
procedures with AWS proprietary inventory
adocumented
management
maintenance
tool with
tools. AWS
schedule.
specified
asset checks
owner thatare
procedures
properly
must are
executed,
be completed
carried out
AWS assets
according
by method
are
toofthe
using
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, assigned
Third-party an auditors
owner and
testare tracked
AWS and monitored
equipment with AWS
maintenance proprietary
controls inventory
by validating that
A.15.2.1 adocumented
proprietary
management
the asset owner
maintenance
tool
tools.with
AWS
schedule.
specified checks
asset equipment
is documented owner that must
and thatprocedures be completed
are carried
themaintenance
condition according
out by
ofcontrols
the assetsbyare
method to the
ofthat
visually using
Third-party
documented auditors test AWS
maintenance validating
· NIST SP 800-53 Rev. 4 MA-4 ainspected
proprietary
the tool
is with
according
asset owner theschedule.
to specified
documented checks
documented
and thatcondition
must be policy.
that maintenance
the completed
ofcontrols according
the assets are to the
visually
Third-party
documented auditors test
maintenance AWS equipment maintenance by validating that
inspected
the according
asset owner to theschedule.
is documented documented
and that maintenance
conditionpolicy.
themaintenance ofcontrols
the assets
Third-party auditors test AWS equipment byare visuallythat
validating
inspected
the according
asset owner to the documented
is documented and that maintenance
the conditionpolicy.
of the assets are visually
inspected according to the documented maintenance policy.
Protective Technology (PR.PT): Technical PR.PT-1: Audit/log records are determined, · CIS CSC 1, 3, 5, 6, 14, 15, 16 AWS Resource Tagging, AWS Config, AWS AU-1 AWS documents, tracks, and monitors its legal, regulatory, and contractual
security solutions are managed to ensure the documented, implemented, and reviewed in · COBIT 5 APO11.04, BAI03.05, DSS05.04, Config Rules, AWS Cloud Formation, AWS agreements and obligations through the following activities:
security and resilience of systems and assets, accordance with policy DSS05.07, MEA02.01 CloudTrail, AWS CloudWatch & CloudWatch 1) Identifies and evaluates applicable laws and regulations for each of the
consistent with related policies, procedures, and · ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, Logs, Customer Responsibility jurisdictions in which AWS operates.
agreements. 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 2) Documents and implements controls to ensure conformity with all statutory,
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR regulatory, and contractual requirements relevant to AWS.
2.10, SR 2.11, SR 2.12 3) Categorizes the sensitivity of information according to the AWS information
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, security policies to protect from loss, destruction, falsification, unauthorized access,
A.12.4.3, A.12.4.4, A.12.7.1 and unauthorized release.
· NIST SP 800-53 Rev. 4 AU Family 4) Informs and continually trains personnel that must be made aware of information
security policies to protect sensitive AWS information.
regulatory, and contractual requirements. Should a new security directives be issued,
AWS has documented plans in place to implement that directive with designated
timeframes.
AU-2 AWS deploys monitoring devices throughout the environment to collect critical
information on unauthorized intrusion attempts, usage abuse, and network and
application bandwidth usage. Monitoring devices are placed within the AWS
environment to detect and monitor for:
• Port scanning attacks
• Usage (CPU, Processes, disk utilization, swap rates, and errors in software
generated loss)
• Application performance metrics
• Unauthorized connection attempts
AWS provides near real-time alerts when the AWS monitoring tools show
indications of compromise or potential compromise, based upon threshold alarming
mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days and include relevant access request information such as the data
accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS
CloudTrail bucket in Amazon S3. The logged requests provide information about
who made the request and under which CMK and will also describe information
about the AWS resource that was protected through the use of the CMK. These log
events are visible to the customer after turning on AWS CloudTrail in their account.
AU-3 AWS deploys monitoring devices throughout the environment to collect critical
AU-4 information
AWS deploys onmonitoring
unauthorized devicesintrusion attempts,
throughout theusage abuse, and
environment network
to collect and
critical
application
information bandwidth
onmonitoring
unauthorized usage.intrusionMonitoring devicesusage
attempts, are placedabuse,within and the AWS
network and
AU-5 AWS
environment deploys to detect and devices
monitor throughout
for: devices the environment to collect critical
application bandwidth
information onmonitoring
unauthorized usage. Monitoring
intrusion attempts, are placed
usage abuse,within and the AWS
network and
AU-6 •environment
AWS Port deploys
scanning attacks
to detect and devices
monitor throughout the environment
for: devices are placed within the AWS to collect critical
application
•AWS bandwidth usage. Monitoring
AU-7 • Usage
information
environment
(CPU,
Port deploys
scanning Processes,
onmonitoring
unauthorized
to attacks
detect and
disk
devices
monitor
utilization,
intrusion attempts,
throughout
for: devices
swap therates,
usage and
abuse,
environment errors toin
and software
network
collect and
critical
AU-8 •generated
application
••information
AWS Usage
Port scanning
loss)
(CPU,
information
bandwidth
Processes,
on unauthorized
attacks
systems
usage.disk
use
Monitoring
utilization,
intrusion
internal attempts,swap
system clocks
are
rates, placed
and
usagesynchronized errorswithin
abuse, and network in the
software AWS
via Network and
environment
generated
application Application loss) toperformance
bandwidthdetect and metrics
monitor for:
AU-9 •• Application
Time Usage (CPU,
Protocol
Unauthorized
Port scanning Processes,
(NTP)
connection
attacks orusage.
a disk Monitoring
comparable
attempts utilization, source devices
swap are placed
to rates,
generate andtimeerrorswithin inaudit
stamps thefor
software AWS auditfrom
•AWS
environment has implemented
toperformance
detect and processes
metrics
monitor tofor:
protect audit information and tools
AU-10 •generated
records.
AWS
•unauthorized
AWS Usage provides
Unauthorized
Port scanning
has
loss)
Third-party
(CPU, near
Processes,
access,
implemented connection
attacks
testing
real-timethedisk
modification, ofalerts
attempts
AWS’s
non-repudiation when
utilization,
and time the
deletion. stamps
swap AWS
control
validates
rates,
Auditmonitoring
and
through errors
records thattools
thecontain
system
in
use ofshow
software time
set ofisdata
aasources.
central log
•indications
configured
generated
elements Application to
of
loss)
in performance
automatically
ordercompromise
to support metrics
orsynchronize
potential
necessary with
compromise,
analysis approved based
requirements. stratum-1
upon In time
threshold
addition, alarming
audit
AU-11 •AWS
archival
• Application
Amazon Usage provides
(CPU,
Unauthorizedstorage
Simple near
Processes,
system. real-time
connection
Storage disk
The alerts
central
attempts
Service when
utilization,
(Amazon the
log archivalswap
S3) AWS rates,monitoring
and
system protects
Application errors tools
Programmingin show
software
against an Interfaces
mechanisms
•indications
records
generated are of
loss) determined
performance
available
compromise by orAWS
metrics
to authorized potential service forand
userscompromise, Security
inspection teams.
oraction
based analysis
upon on demand
threshold and in
alarming
individual
AWS
(APIs) provides
providefalsely near
both denying
real-time
bucket- having
andalerts performed
when S3
object-level theis aaccess
particular
AWS monitoring
controls, with based
tools on the
show
defaults that
AU-12 •External
response
AWS Unauthorized access
to
deploys to data
connection
security-related
monitoring stored in
attempts
or Amazon
business-impacting logged.
events. The logs toare retained foronly at
•mechanisms
attributes
indications
permit Application ofdetermined
attached
authenticated performance
compromise eachbydevices
to access orAWS
metrics
logby file
potential
throughout
theservice
as well
bucket and
as
compromise,
and/orthethe
Securityenvironment
authlog
object teams.
based auditing
upon
creator.
collect
that
threshold
critical
is performed.
alarming
least
AWS
information
•External 90 days
provides
Unauthorized access onand near include
real-time
unauthorized
to data
connection relevant
stored alerts
intrusion
in
attempts access
Amazon when request
the
attempts,
S3 is AWS information
usage
logged. monitoring
abuse,
The logssuch
and tools
are asretained
network the data
show and for at
PR.PT-2: Removable media is protected and its · CIS CSC 8, 13 MP-2 The
Environments
mechanisms
External fundamental
access used data
determined
to data for type
thebyor
stored in
AWS the
delivery central
of
service
in operation.
Amazon the log
AWS archival
andisSecurity
S3 services
logged, system are
teams.
and upontheis a
managed
logslog. A by
are AWS log is a
authorized
retained for
accessor
indications
application
least 90 IP of
days address,
compromise
bandwidth
and object,
include usage. and
relevant potential
Monitoringaccess compromise,
devices
request based
aremonitoring
placed
information within
such threshold
the alarming
use restricted according to policy · COBIT 5 APO13.01, DSS05.02, DSS05.06 AWS
chunk
personnel
External
at
Allleast
mechanisms
environment
provides
of90
requests
arbitrary
and
access
days.
to
near
areto
The
KMS
determined
tocompromise
detect
real-time
data
located
data logs
areand
with in the
stored
include
logged
by
AWS
AWS
monitor
alerts
in following
and
when
managed
Amazon
relevant
available
service
for:
the
S3 isAWS
attributes
data
access
and inlogged.
attached:
centers.
request
the
Security AWS The Media
teams. logs
information,
account’s areasretained
tools
handling the data
show
AWSsuchcontrols
asfortheat
· ISA 62443-3-3:2013 SR 2.3 accessor
•indications
for
least Logthe
90Id:
dataIP
days address,
of
Unique
centers
and object,
identifier
are
include managedorand
(assigned
relevant operation.
potential
by by
AWS
access compromise,
the in system)
requestalignment based
information with upon
thesuch threshold
AWS Media alarming
data
CloudTrail
External
••mechanisms
All Port
Log
accessor access
scanning
requests
Group: to
IPattacks
bucket to
KMS
address,
determined
the
in are
data
group
Amazon object,
stored
logged
by
that AWS
the inS3. and
and
log
The
Amazon operation.
logged
available
service
belongs S3
and to
requests
isSecurity
inlogged.
the AWS provide
Theaccount’s
teams. logs areasretained
information the data
AWS about
for at
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, Protection
accessor Policy.
IPtheaddress, This object,policy includes
andutilization,
operation. procedures around access, marking, storage,
who
•least
CloudTrail Usagemade
90 days
(CPU, bucketrequest
and include
Processes,
in are and
Amazon under
relevant
disk S3. which
access
The CMK
loggedrequest
swap isand willand
information
rates,
requests also describe
Theerrors
provide such in as
information information
the data
software about
A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9 •External Name:
transporting,
All requests access
(any toand tosanitation.
KMS data
user-defined stored text,in
logged Amazon
does
and not
available S3
need tologged.
in be
the unique)
AWS logs are retained for at
about
accessor
generated
who
•least Start90the
made AWS
IP
days
time: address,
loss)
the and
the resource
request object,
include
time at and that and
under
relevant
which wasthe protected
operation.
which
access
log CMK
began through
request and
recording willthe
information useaccount’s
also ofsuch
describe
(inclusive) the CMK. AWSThese
asinformation
the data log
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP- CloudTrail bucket
events
•All
about
•accessor areIP
requests
Application
End the
time: visible
AWS address,
the tointhe
toperformance
KMS
resource
time
Amazon
are
object,
at customer
logged
that
which metrics
and was
S3. and The
after
protected
theoperation.
log
logged
turning
available
stopped
requests
throughonthe
in
recordingAWS AWS
the
provide
CloudTrail
use account’s information
of the CMK.
(exclusive) -inAWStheir
must These
be
about
account.log
greater
4, MP-5, MP-7, MP-8 who made the request and under which CMK and will also describe information
MP-3 CloudTrail
•than
events
All Unauthorized
are
requests
Environments the start bucket
visible
totimeKMS
used toinfor
connection Amazon
the
are the attempts
customer
logged
delivery S3. and The
after logged
turning
available
of the AWS requests
on
in theAWS
servicesAWS provide
CloudTrail
areaccount’s information
managed inAWStheir
by about
account.
authorized
aboutmade
who the AWS the resource
request andthat under waswhich protected CMK through
and willthealsouse describe
of the CMK. These log
information
AWS
•CloudTrail
personnel provides
Searchable andbucket
Keys:near
are in
A real-time
locatedAmazon
set of
in alerts
S3.
Key-Value
AWS Thewhen
managedlogged thedata
pairs. AWS
requests
Keys monitoring
are
centers. provide
strings
Media of tools
information
up
handlingtoshow50 about
characters
controls
MP-4 eventsthe
Environments
about areAWS visible used tofor
resource thethe customer
thatdelivery after
of theturning
AWS onservices
AWS CloudTrail
areupon managed in bytheir account.
authorized
indications
who
in
for made
length
the dataand of
the compromise
request
values
centers are
are and or was
under
strings
managed potential
of by
protected
which
up to
AWS 200 in
through
compromise,
CMK and
characters
alignment willthe
based
inuse
also
with
of
describe
length.
the
thethreshold
The
AWS
CMK. These
information
Searchable
media alarming log
personnel
events areAWS and
visible are located indelivery
AWSafter managed data centers. Media handling controls
MP-5 Environments
mechanisms
about
Keys
for theallow
protection the
data you
policy. used
centers toto
determined
resource thethe
for
define
This
are policy
customer
by
that
the
managed
AWS was
dimensions
includes
by
of the
service
protected
AWS
turning
AWS
and
along
procedures
on
Security
inthrough which
alignment
AWS
services
for
CloudTrail
are
teams.
theaccess
use
your
with of
logsmanaged
theare
control,
the AWS CMK.in their
by
organized
media
media Theseaccount.
authorized
andlog
MP-7 personnel
External
From
events
provide
marking, seeker:
are and
access
visible
values
storage, aretoto
for located
datathepolicy
those
transportation, in AWS
stored
customer
dimensions.in Amazon managed
after
and S3
turning
There
sanitation. data
areis on nocenters.
logged.
AWS
schemata The Medialogs
CloudTrail handling
aresystem
incontrol,
the in theircontrols
retained for at
- account.
rather,
protection
for
leastthe 90datadays policy.
centers This
and include areset managed
relevant includes
bydataAWS
access procedures
in alignment
request for access
information withisthe such AWS as themedia
media data
MP-8 each
Live
N/A
marking, log
media can have
transported
storage, any
transportation, of
outside keys. of center
and sanitation. secure zones escorted by authorized
protection
accessor
Portable
Logs media
personnel. IP policy.
are storage address,
symmetrically This
devices object,policy
(e.g. and
encrypted includes
operation.
external using procedures
hard drives,
AES-128 for
floppy access
encryption disks, control,
beforestorage media tapes,
transmitting
PR.PT-3: Access to systems and assets is · CIS CSC 3, 11, 14 AC-3 Live
User access transported
privileges outside
arelogged of data center secure zones is escorted by authorized
marking,
All
themrequests
compact
personnel. to and storage,
discs, to KMS transportation,
digital
storing are
them video inrestricted
discs,
S3. and
and based
USB sanitation.
available on business
flash/thumb in the AWS needaccount’s
drives, and diskettes
AWSexcept for
controlled, incorporating the principle of least · COBIT 5 DSS05.02, DSS05.05, DSS06.06 CM-7 AWS
Live
Logs media
CloudTrail
AWS
those employs
implements
that
are are
securely thetransmitted
transported
bucket
part concept
in
the
of Amazon
an outside
least of least
functionality
approved to privilege,
ofS3device,
S3. data
Theover center
logged
principle
ansuch allowing
secure
requests
as athroughout
encrypted flash only
zones
provide
card
SSL/TLS isthe its necessary
escorted
information
that by(see
infrastructure
is part
session access
authorized
of about
acontrol for
functionality · ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, users
personnel.
who made
components.
networking
SC-8 to accomplish
for the request
Network
router)
information their
are and job
devices
not
related under function.
permitted
to and which forNew
servers
protection CMK
use are
of userand accounts
will
implemented
within
data in the also are
system
transit). withcreated
describe minimal
boundary. to have
information
PR.PT-4: Communications and control ·4.3.3.5.3,CIS CSC 8, 12,4.3.3.5.5,
4.3.3.5.4, 15 4.3.3.5.6, AWS Certifications, AWS VPC, Security AC-17 Remote
minimal access
access. toUser
AWS production
access to environments is limited to defined security
networks are protected ·4.3.3.5.7,
COBIT 5 DSS05.02, APO13.01 Groups, ACL's, VPC Flowlogs, Customer
about the
functionality,
Access
groups. to
The
AWS
audit and resource
logs
addition service
and
of
that
teams
tools
members isAWS
was add
restricted
into
systems
protected
only
a grouptothrough
software (e.g.,
onlymust
network,
the use of
packages
authorized
be reviewed
applications,
and theservices
users. and
CMK.Once
approved atools)
These
needed
log by islogfor
4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, AC-18 Remote
requires
events areaccess
documented to AWS production
approval from environments
theturning
authorized on is limited
personnel to(e.g.,
defined user's security
manager
·4.3.3.6.3,
ISA 62443-3-3:2013 SR 4.3.3.6.6,
3.1, SR 3.5, SR Responsibility the
stored,
authorizeddevicethe visible
to
name, perform
individuals
to the
start its
who
customer
time,function.
end time,
confirm
after
the oruser’s
data cannot need
AWS CloudTrail
beaccess
for changed. to the
in their
environment.
account.
4.3.3.6.4, 4.3.3.6.5, AC-4 groups.
and/or system
Several The
network addition
owner)
fabrics ofand members
validation
exist at Amazon,intoofa the group
eachactive must user
separated be in reviewed
theboundary
by Amazon and approvedHuman
protection by
3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR Remote
authorized access requires
individuals multi-factor authentication need over an approved cryptographic
4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1,
7.1, SR 7.6 CP-8
Resources
devices
The
channel AWS that system.
forbusiness
authentication. thewho
control continuity flowconfirmofplan the
information
details
user’s
thebetween for
three-phased
access
fabrics. to the
The
approach flow environment.
of AWS has
that
4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4 Baselining
information of groups
between (e.g.,
fabrics reviewing
is established of existing
by approved members in the
authorizations, group for their
which exist
·· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, SC-19 developed
AWS
Voice employs toInternet
recover
automated and reconstitute
mechanisms istheto90AWS
facilitate infrastructure:
bythe monitoring andis control of byas
ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR
A.14.1.3 remote ACLover
continued
•asActivation access
need
residing and
for
methods.
Protocol
onaccess)
theseAuditing
Notification devices.(VoIP)
occurs
Phase
every
ACLs
occurs
not are
on
employed
days
defined,
the systems
thewithin
manager
approved the by
andgovernment
devices,
system
and boundary;
enforced
appropriate
which arethe then
1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR SC-20 such,
the Since this
permissions
AWS control
does is
toolnot not
which applicable.
resolve provides
to team,
GC.CA automated
domain notification
names for to the manager. users,
·1.9, SR
NIST SPSR
800-53 •Amazon’s
Recovery Information
Phase inSecurity and
tool managed
for reviewand anddeployed
incident using AWS’s
1.10, 1.11, Rev. 4 AC-4,
SR 1.12, AC-17,
SR 1.13, SRAC-
2.1, SC-21
aggregated
implementation
ACL-management
Customer
and
provided
stored
of DNSSEC a proprietary
content isisvalidated
tool. not applicable. fornetwork
integrity, and corrupted
investigation.
or tamperedisdata
The
18, CP-8, •AWS Reconstitution Phase
SR 2.2, SRSC-7, SC-19,
2.3, SR 2.4, SC-20,
SR 2.5, SC-21,
SR 2.6,SC-22,
SR 2.7 Approved
operational
firewall
environment,
rule that sets and access
to include
control
and
listsrecovery
between
security
network
configuration,
SC-23,
· SC-24,27001:2013
ISO/IEC SC-25, SC-29, SC-32, SC-36,
A.9.1.2 SC-22 is
This notapproach
considered
DNS written
systems to storage.
ensures
confidential
and devices Amazon
AWS
information
within S3and
the utilizes
performs
system checksums
system
is required
boundary to be internally
and
collectively
protected byfabrics
to confirm
reconstitution
provide employees restrict
the per
the
effortsflowinof
continued information
aintegrity
methodical of contenttoservice,
specific
sequence, in transitinformation
maximizing within system
the
the system services.
effectiveness and ataccess ACLs
ofrest.
the Amazonand ruleS3
recovery sets
and
·SC-37, SC-38,
NIST SC-39, Rev.
SP 800-53 SC-40, SC-41,CM-7
4 AC-3, SC-43 SC-23 Amazon
name/address
AWS is
are reviewed
data
designed classification
resolution
and to protect
approved
policies.
the
and are
are All
faulttolerant,
confidentiality remote
automatically andadministrative
and implement
integrity
pushed of internal/external
transmitted attempts data are
provides
reconstitution
logged
role a facility
separation.
and efforts for
to andacustomers
minimizing istoimplemented
sendsystemchecksums outage time to
along with
due boundary
to data
errors protection
transmitted
andweighted to
through
devices thealimited
on comparison
periodic
Fault tolerance
specific
basis
number
of a cryptographic of attempts.
24hash
by multiple
of data Auditing servers
transmitted. logs are
using
Thisreviewed doneby
isdetermine to
the
the service.
omissions.
round-robin
help AWS
ensure
The
Security
DNS service
(rrDNS).
team for (at
validates least
Monitoring
unauthorized theevery
checksum
and attemptshours)
alarming upon ortosuspicious
of ensure
receipt
DNS ofrulethe
servers sets
data
activity.
Dataisthat
andtoIn
in access
place,
the been
event
control
that
that no
AWS
which lists that
corruption
maintains
suspicious
monitors
the
areactivity
up tomessage
occurred
a ubiquitous
CPU, date. inis not corrupted
transit.
security Regardless
control
or altered
ofarewhether
environment
in transit.
a checksum
across all sent
regions. is has
to sent Each with
corrupted
AWS orAmazon
implements altered inload, is detected,
transit and is disk the
space.
immediately incident Alerts response
rejected. generated
AWS procedures
provides and are initiated.
several
an
data object
center
appropriate
methods
to
for builtleast
ispersonnel
customers to S3, privilege
when
to
thealarm
physical, service
securely
throughout
environmental,
thresholds
handle their
its
utilizes checksums are
infrastructure
and
data: security
surpassed internally components.
standards
(i.e. high in an AWS
to confirm
errors the
active-
rates,
prohibits
continued
active all portsseparation
integrity and protocols
ofemploying
content forin that
transitdo andnot
within have thea system
specific andbusiness
at rest.purpose.
When AWS
disk
Uponconfiguration,
•utilization).
follows initial Role
a rigorous communication
approach with an
system
istoexternal
minimal
n+1
an redundancy
devices
AWS-provided
implementation
model
within
Windows to ensure
the
of only
system
Amazon
those
system
boundary
Machine is
corruption
availability
implemented
Image (AMI),
or
inbydevice
the
AWS event
internal failure
enables ofandcomponentdetected, the
failure.
DNS system automatically
Components
servers. Internal (N)
DNS haveattemptsatfeatures
isterminal least
separated to one and
restore
from
functions
normal
independent
External thatbackup
levels
DNS are
of essential
object
services. storage
component
A DNS tosecure
use ofcommunication
the
redundancy.
(+1), device.
sozonethe External
backup Network byaccess
configuring
componentscanning
a to content is performed,
iscertificate
active stored
in the
services
in and
on
any the instance
unnecessary and generating aMaster
unique transfers
self-signed atX.509
with serverDNS slave. Slave andzones
Amazon
operation
are then
delivering
S3 even
propagated
the if ports
is logged all via
certificate’sotherorNotify
and protocols
the logs
components
thumbprint AXFR/IXFRin use
are arethe
to
are
retained fully
tocorrected.
user
for least
functional.
multiple
over a DNS 90 Indays,
trusted order
slave
channel.
including
to eliminate
zones. External
relevant
single access
ispoints request
ofexternally
failure,secure information,
this
bymodel issuch
applied as the accessor IP address,
throughout object, and
•DNS
AWS
operation.
hosted
further enables UltraDNS.
communication with LinuxAWS, AMIsincluding by configuring network
and dataShell
Secure center (SSH) implementation.
on the instance, All generating
data centersa are unique online and serving
host-key traffic; nothe
and delivering
data center
key’s is “cold.”
fingerprint to the Inuser caseover of failure,
a trusted there is sufficient capacity to enable traffic
channel.
Customer Master Keys (CMKs) used for cryptographic operations in AWS Key
Management Service (KMS), including operations by AWS employees, are secured
by both technical and operational controls. By design, no individual AWS employee
can gain access to the physical CMK material in the service due to hardening
techniques such as never storing plaintext master keys on persistent disk, using but
not persisting them in volatile memory, and limiting which users and systems can
connect to service hosts. In addition, multi-party access controls are enforced for
operations on the KMS-hardened security appliances that handle plaintext CMKs in
memory.
SC-24 Network devices, including firewall and other system boundary devices are
SC-25 configured
N/A to fail securely in the event of an operational failure. Boundary firewalls
and load balancer devices are set to fail to deny all until the device’s functionality is
SC-29 N/A
restored.
SC-32 N/A
SC-36 N/A
SC-37 N/A
SC-38 N/A
SC-39 Amazon EC2 currently uses a highly customized version of the Xen hypervisor,
SC-40 taking
N/A advantage of paravirtualization (in the case of Linux guests). Because
paravirtualized guests rely on the hypervisor to provide support for operations that
SC-41 N/A
normally require privileged access, the guest operating system has no elevated
SC-43 N/A
access to the CPU. The CPU provides four separate privilege modes: 0-3, called
SC-7 rings.
SeveralRing 0 is the
network mostexist
fabrics privileged and 3 each
at Amazon, the least. The host
separated operatingprotection
by boundary system
executes in Ring
devices that 0. However,
control the flow ofrather than executing
information betweeninfabrics.
Ring 0 The
as most
flowoperating
of
systems do, the
information guest fabrics
between operating system runsbyinapproved
is established a lesser-privileged Ring which
authorizations, 1 and exist
applications
as in the
ACL residing onleast
theseprivileged Ring 3.are
devices. ACLs This explicit
defined, virtualization
approved of the physical
by appropriate
resources leads
Amazon’s to a clear
Information separation
Security team,between guest instances
and managed and the
and deployed hypervisor,
using AWS’s
resulting in additional
ACL-management tool.security given the separation between the two.
the flow of information to specific information system services. ACLs and rule sets
are reviewed and approved and are automatically pushed to boundary protection
devices on a periodic basis (at least every 24 hours) to ensure rule sets and access
control lists are up to date.
functions that are essential to use of the device. Network scanning is performed, and
PR.PT-5: Mechanisms (e.g., failsafe, load · COBIT 5 BAI04.01, BAI04.02, BAI04.03, CP-7 The AWS business continuity plan details the three-phased approach that AWS has
balancing, hot swap) are implemented to achieve BAI04.04, BAI04.05, DSS01.05 developed to recover and reconstitute the AWS infrastructure:
resilience requirements in normal and adverse · ISA 62443-2-1:2009 4.3.2.5.2 • Activation and Notification Phase
situations · ISA 62443-3-3:2013 SR 7.1, SR 7.2 • Recovery Phase
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1 • Reconstitution Phase
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP- This approach ensures that AWS performs system recovery and reconstitution
11, CP-13, PL-8, SA-14, SC-6 efforts in a methodical sequence, maximizing the effectiveness of the recovery and
reconstitution efforts and minimizing system outage time due to errors and
omissions.
CP-8 The AWS business continuity plan details the three-phased approach that AWS has
CP-11 developed
N/A to recover and reconstitute the AWS infrastructure:
CP-13 • Activation and Notification Phase
N/A
• Recovery Phase
PL-8 AWS gives customers
• Reconstitution Phase ownership and control over their content by design through
SA-14 simple,
This but
N/A approach powerful
ensurestools
that that
AWS allow customers
performs systemto recovery
determineand where their content
reconstitution
SC-6 will be in
efforts stored, how it will
a methodical be secured
sequence, in transitthe
maximizing or at rest, and access
effectiveness of thetorecovery
their AWS and
AWS operates,
environment willmanages,
managed. and controls the infrastructure components, from the host
reconstitution
operating system efforts
and and minimizing
virtualization system
layer downoutage
to thetime due tosecurity
physical errors and
of the
omissions.
facilities inimplemented
which the services operate.and AWS endpoints arebest
tested as partin
oforder
AWSto
AWS has
maintains global
a ubiquitous privacy data protection practices
security control environment across all regions. Each
compliance
helping vulnerability
customers scans.
establish, operate and leverage our security control environment.
data center
AWS Cloud isservices
built to are
physical, environmental,
managed manner and
in a processes that security standards in an active-
These
active security protections
configuration, and control
employing an n+1 redundancy arepreserves
model
their confidentiality,
independently
to ensure validated
system by
integrity,
multiple and availability.
third-party AWS has
independent implemented
assessments. secure software development
availability
procedures that in theareevent of component
followed to ensure failure. Components
that appropriate (N) have
security at least
controls are one
independent
incorporated backup
into thecomponent
application(+1),
design.so the backup
As part component
of the applicationis active
designinprocess,
the
operation even if all other components are fully functional.
new applications must participate in an AWS Security review, which includes In order to eliminate
single points of failure, this model is applied throughout AWS, including
registering the application, initiating application risk classification, participating networkin
architecture review and threat modeling, performing code review, and performing a
data center is
penetration “cold.” In case of failure, there is sufficient capacity to enable traffic
test.
Customer Responsibility
AWS customers are responsible for developing, documenting,

maintaining,
AWS customers disseminating,
are responsible and implementing
for managing accounts an accessassociated
control policywith
and supporting
their procedures. on AWS customers are responsible for
AWSapplications
customers
reviewing and updating
hosted
are responsible AWS.
the policy
AWS
forand customers
developing,
procedures
are responsible
documenting,
at a frequency
for
properly
maintaining,using AWS Identity
disseminating, andimplementing
and Access Management (IAM) toand
an identification create
N/A
defined
and by their
manage user organization.
accounts and to enforce access within their Amazon
authentication policy along with supporting procedures. AWS
N/A Compute Cloud (Amazon EC2) instances and all applications
Elastic
customers are responsible for reviewing and updating the policy and
they
AWS install.
customers
procedures are responsible
at a frequency defined forbyconfiguring their systems to
their organization.
uniquely identifyare
AWS customers andresponsible
authenticate fororganizational
configuring their userssystems
(or processes
to
AWS
acting
uniquelycustomers
on identify
behalf of inandtheauthenticate
users).context of managing their user accounts are
AWS customers
responsible for: areIdentifying
1) responsible and fororganization-defined
managing
selecting information
system
specific
accounts; system
2)
and/or
types of devices
identifiers by: 1) before
Receiving establishing
authorizationlocal, from
remote, and/or
organization network
defined
AWS
The customers
Assigning
master
connections account
account
in are responsible
managers
and
accordance IAM for
with for
accounts managing
system accounts;
are used
their identification information
by 3)
customers system
Specifying to
andorauthentication
personnel
authenticators
authorized
manage or
their roles
users, by:
AWS toservices.
1)
group assign
Verifying,
and an
roleindividual,
They as part
membership,
can of
be group,
the role,
initial
access
configured device
authenticator
authorizations,
with varying
N/A
policy. 2) Selecting an identifier that identifies an individual, group,
identifier,
distribution,
and other
levels the identity
attributes
of permissions, as and ofare
theused
required individual,
for each group,
to setaccount;
up role,
4)
and design orthe
Requiringdevice
system as
role, or device,
receiving
approvals
documented the
from 3) Assigning
IAM Best2)the
inauthenticator,
customer-defined
the identifier
Establishing
personnel
Practices Guidetoinitial
orthe intended
roles individual,
authenticator
available for ataccount content
group,
for
creation role, or device,
authenticators
requests; defined 4) Preventing
5) Monitoring by theiraccount reuseusage;
organization,
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.of identifiers
3) Notifying
6) Ensuringfor an that
account
organization-defined
authenticators
managers when: have time period,
sufficient
a) Accounts and
strength
are no 5)
of Disabling
longer required,the
mechanism for
b) identifier
their are
Users after
intended
an organization-defined
use,
An 4) Establishing
terminated
AWS is and
or transferred,
account time
andperiod
implementing
the initial c) of administrative
Individual
account inactivity.
created system
whenusage aprocedures
or need-to-
customer for
initial authenticator
know changes;
purchases
AWS services
customers 7)are distribution,
Authorizing
from AWS. access
responsible for configuring
This
for lost/compromised
based on:
account a)
is used
theirAfor orservice
valid damaged
systemsaccesstoand
authenticators,
authorization,
data b)and
billing.mechanisms
implement After for revoking
Intended
initial system
AWS
for authenticators,
usage,creation,
account
authentication andto a 5)it Changing
c)cryptographic
Otheris theattributes
AWS default
as
module
AWS
content
requiredcustomers
customer’sofby their are
authenticators responsible
organization
responsibility prior
toofuseor for
toIAM configuring
information
associated
to create their installation,
system
mission/business
unique systems
accounts tounder
6)
functions;
that meet
uniquely the
identifyrequirements
and authenticate applicable federal
non-organizational laws, Executive
users (or
N/A
Establishing
8)
theReviewing
AWSdirectives,
Orders, minimum
account accounts
for and maximum
for compliance
organizational
policies, lifetime
with
users. restrictions
account
IAM users and
management
can be reuse
granted
processes
conditions
requirements
permissions acting
for aon behalf
toatauthenticators,
frequency
access ofregulations,
resources defined
standards,
non-organizational
7) and
Changing/refreshing
by their
data
and
users).
organization;
as required.
guidance
authenticators
IAM also9) at
and
for
N/A authentication.
such
Establishing
provides a processtime
functionality to intervals
fordefine
reissuinguserby authenticator
shared/group
groups and group type,
account 8) Protecting
credentials
permissions.
authenticator
when individuals content from unauthorized
are removed from the group. disclosure and modification,
9)
TheRequiring
accounts individuals
that customers to take
createandon having devices implement
their Amazon EC2 instances specific
or
security safeguards
More information
applications ontoimplementing
are distinctly protect authenticators,
separate these
and theand
arefunctions 10)using
Changing
responsibility IAM of is
the
authenticators
available at
customer for group/role accounts when membership to
to http://docs.aws.amazon.com/IAM/latest/User
manage. those
Guide/best-
accounts changes.
practices.html.
N/A
N/A
N/A
N/A
N/A

maintaining,
AWS disseminating,
customers and implementing
are responsible for establishinganand
access control policy
documenting
and
usagesupporting procedures.
restrictions, AWS customers requirements,
configuration/connection are responsibleandfor
AWS customers
reviewing are
and updatingresponsible forand
theforpolicy establishing
procedures andat documenting
a frequency
implementation
usage guidance
restrictions, each type
configuration/connection of remote access
requirements, allowed to
AWS
definedcustomers
by their
their systems are responsible
organization.
in guidance
accordance for establishing and and
termspolicy. conditions
implementation
with other organizations forwith
owning,
their access control
organization-controlled
operating, and/or mobile AWS
maintainingdevices in
N/A
customers
accordance are
withresponsible forcontrol
theirsystems.
access authorizing remote
policy. AWS access to their
external information
systems prior Consistent with any customers are
trust relationships
responsible
established fortoauthorizing
with
allowing such
these externalthe connections.
connection
organizations of and
mobile devices to their
in accordance with
systems
their priorcontrol
access to allowing
policysuch
AWSconnections.
customers are responsible for
authorizing individuals to: 1) Access their system from an external
information system and 2) Process, store, or transmit organization-
controlled information using external information systems.
maintaining,
for identifyingan user access
actions control
that canpolicy
be
and supporting
performed procedures.
on their systems AWS without customers are responsible
identification for
or authentication and
N/A
reviewing andtheupdating the policy andfor procedures at a frequency
documenting supporting rationale these actions in their security
AWS
definedcustomers are responsible for managing accounts associated with
plan. by their organization.
their
N/A applications hosted on AWS. AWS customers are responsible for
properly using AWS Identity and Access Management (IAM) to create
AWS customers are responsible for configuring their systems to
and manage user accounts and to enforce access within their Amazon
enforce
AWS logical access
customers based on approved authorizations andandin
Elastic Compute are Cloudresponsible
(Amazonfor EC2)defining,
instancesdocumenting,
and all applications
accordance with
implementing their access
separation control
of duties policy.
they
AWS install.
customers are responsible forfor individuals
enforcing the with access
principle of to their
least
systems orforinformation.
privilege users Implementation onofbehalf
this separation should be
AWS
based customers
on are(orresponsible
validonaccess
processes
authorization
acting
for decisions
limiting the of users)
number
forauthorizations
specific
by
ofusers granting
concurrent
or
AWS
access customers
based
sessions to their in the
explicit
systems context of managing
authorizations. Accesstheir user accounts are
should
individuals
for as
responsible
provide for:defined
only 1) by in
theIdentifying
minimum theaccordance
AWS
and
with their
customer’s
levelselecting
of accesssystem
access
oraccess accounts;
permissions
control
control policy.
policy.
2)
required
Assigning
to accomplish account managers
assigned tasks for system
based accounts;
on their 3) Specifying
organization’s mission and
The enforcement
authorized
business of this and
users, group
needs. requirement can be accomplished
role membership, access authorizations,by
establishing
and other
AWS customers groups
attributesareasand permissions
required
responsible for
foreach within IAM,their
account;
configuring as Requiring
4) discussed
systems and at all
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html.
approvals
More from customer-defined
information
interconnected onresponsible
IAM accessfor:personnel
authorizations or roles for account
isinformation
available atflow
AWS customerssystemsare to enforce their approved
1) Monitoring and controlling
creation requests;
policies. This canatbe 5) Monitoring
accomplished account
through usage;
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html. 6) Notifying
configuration of at account
Amazon
communications
AWS customers the external
areAccounts
responsible boundary
for of the system and key
managers
Virtual when:Cloud
Private a) (Amazon no developing,
areVPC) longer
networkrequired,documenting,
Access b)Control
Users are Lists
internal boundaries
maintaining, within the system, 2) Implementing subnetworks
terminated
N/Apublicly
(ACL) ordisseminating,
transferred,
for controlling and andc) implementing
inbound/outbound Individual an
system
traffic at access
usage
the control
subnetor need-to-
levelpolicy
and
for
and supporting accessible
procedures. system AWS components
customers that
are are physically
responsible foror
know
Amazon
AWS changes; 7)are
VPC security
customers Authorizing
groups
responsible access
for based on:
controlling
for establishing a)
traffic
and Aatdocumenting
valid access
the instance
logically
reviewingseparated
and b) from
updating internal
the policyorganizational
and procedures networks, and 3)
at a attributes
frequency
authorization,
level.
usage restrictions, Intended system
configuration/connectionusage, andrequirements,
c) Other as
andthrough
Connecting
AWS
definedcustomersto external
are networks
responsible or
for information
managing systems
accounts only
associated with
requiredby by
implementation
their organization.
theirguidance
organization forAWS.or associated mission/business
organization-controlled mobile functions;
devices
managed
their
N/A interfaces
applications
8) accordance
Reviewing accounts
consisting
hosted on of
for compliance
boundary
AWS protection
customers
withVPC account are devices
responsible
management forin
arranged
More
in information
accordance
properly usingwithwith on
their configuring
access
organizational and Amazon
control policy.
security AWS is customers
architecture. available atare
requirements atAWS
aare Identity
frequency defined Access
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Secu
AWS customers
responsible for responsible
authorizing the for
Management
by their oforganization;
configuring
connection their
mobile
(IAM)
systems
devices andtototo
9) create
their
and manage
Establishing user accounts and to enforce access within their Amazon
rity.html.
enforce
systems
More
Elastic prioratoprocess
logical
information
Compute access
allowing for such
based
on securing
Cloud
reissuing
(Amazon onan shared/group
approved
connections.
Amazon
EC2) VPC isand
instances
accountand
authorizationsavailable
all
credentials
atin
applications
when individuals
accordance are removed from the group.
they install. with their access control policy.
http://docs.aws.amazon.com/Amazon VPC/latest/User
Guide/VPC_Security.html.
More information on implementing these functions using IAM is
AWS customers
available in the context of managing their user accounts
at http://docs.aws.amazon.com/IAM/latest/User are
Guide/best-
responsible
practices.html. for: 1) Identifying and selecting system accounts; 2)
Assigning account managers for system accounts; 3) Specifying
authorized users, group and role membership, access authorizations,
and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account
creation requests; 5) Monitoring account usage; 6) Notifying account
managers when: a) Accounts are no longer required, b) Users are
terminated or transferred, and c) Individual system usage or need-to-
know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as
required by their organization or associated mission/business functions;
8) Reviewing accounts for compliance with account management
requirements at a frequency defined by their organization; and 9)
Establishing a process for reissuing shared/group account credentials
when individuals are removed from the group.
More information on implementing these functions using IAM is

available at http://docs.aws.amazon.com/IAM/latest/User Guide/best-
maintaining,
for configuringantheir identification
systems toand
authentication
uniquely identify policy along
andresponsible with supporting
authenticate procedures. AWS
AWS customers
customers are
are responsible fororganizational
managing users (or
information processes
systemand
acting on behalf
identifiers by: of users). for reviewing and updating the policy
AWS at a1)frequency
customers
procedures Receiving
are responsible authorization
defined theirfrom
forbymanaging organizationsystem
information
organization. defined
personnel
authenticatorsor roles
by:are to
1)andassign
Verifying, an individual,
as group, role, or device
AWS
The customers
master
identifier, 2)account
Selecting responsible
anIAM forpart
accounts
identifier that
of the
configuring
are usedinitial
identifies their
by an
authenticator
systems to group,
customers
individual,
distribution,
uniquely
manage their the
identifyAWS identity
and of the
authenticate
services. individual,
They group, role,with
non-organizational
can be configured or device
users (or
varying
N/A
role, or
receiving device,
the 3) Assigning
authenticator, the identifier to the intended individual,
processes
levels of
group, role,acting
permissions, on behalf
or device, and of2)non-organizational
are
4) Preventing
Establishing
used toreuse
set upof initial
and authenticator
users).
design
identifiers the
for system
an
content
as
AWS
for customers
authenticators are responsible
defined by their fororganization,
screening personnel
3) Ensuring prior to
that
documented in the
organization-defined IAM time Best Practices
period, and 5)Guide available at according
granting
AWS access
authenticators
customers toare
have their systems
sufficient
responsible and
strength of Disabling
rescreening
for configuring
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html. mechanism their
thefor
personnel identifier
their to
systems
afterto
intended
an
use,organization-defined
4) Establishing and time
conditions period
implementing of administrative
requiring inactivity.
rescreening andinattheir
procedures an access
for
enforce
AWS a sessionare
customers lock after
responsible a period of inactivity
for configuring defined
their systems to
initial
control authenticator
policy frequency.
distribution, for lost/compromised or damaged
An AWS
terminate
AWS user or
account
customers
upon
is the
sessions
are
receiving
after
responsible
a request
initialconditions
account
for or from
created
trigger a user.
when This
a customer
events occursession
incan be
authenticators,
lock should
purchases and
be retained
services for
from revoking
until
AWS. the useridentifying
authenticators,
This reestablishes
account
user
is used
actions
5) Changing
access that
usingdefault
accordance
performed
content
AWS
with
on theirtheir
of authenticators
customers
established are
identification
access
systems prior
responsible
and
control
without
to
policy.
identification
information
for configuring
authentication system or for
their
procedures.
service
authentication
installation,
systems
and
to 6)and
data billing.
documenting After
the initial
supporting AWS account
rationale forcreation,
these it is the
actions inAWS
Establishing
enforce
AWS a limit
customers
customer’s minimum
ofareinvalid
responsibility and tomaximum
login
responsible useattempts lifetime
for defining,
IAM to by
create restrictions
a user within
documenting,
unique atheir
accountsand
period security
andreuse of
under
plan.
conditions for authenticators, 7) Changing/refreshing authenticators
time as
approving
the defined
N/AAWS account
in
system for their access
use organizational control
notification messages policy.
users. IAM Upon
based can be grantedat
exceeding
on approved
users the
policy-defined
language
permissions consistentnumber
to access time
with of intervals
invalid
their access
resources by
login
and data authenticator
attempts
control type,
policy. IAM also take
as required.the system 8) Protecting
must
AWS
actions customers
authenticator
to either are responsible
content
lock from
the account for
unauthorized
or developing,
delay disclosure
the nextdocumenting,
and
login modification,
prompt in
provides functionality to define user groups and group permissions.
maintaining,
9) Requiring
accordance
N/A
AWS disseminating,
individuals
with
customers the
are access
responsible and and
to control
take implementing
having devices
forpolicy.
configuring antheir
identification
implement
systems tospecific and
authentication
security
display asafeguards
system policytonotification
along
protect with supporting
authenticators, procedures.
and 10)prior AWS
Changing
N/A accounts
The thatuse customers create or on warning banner
their Amazon EC2 to grantingor
instances
customers
authenticators
IAM does are
thatnot responsible
fordistinctly
group/role
currently for
support reviewing
accounts
account whenand updating
due tothe
membership
lockout policy
to
failed those and
access
applications
AWS provide
customers are areprivacy
responsible and
separate security
forbyand notices
are
configuring the consistent
responsibility
their systems withoflogin
tothe
procedures
accounts
attempts.
applicable AWSat
changes. a frequency
customers defined
can implement their organization.
account lockout through
uniquely tofederal
customer identifymanage. laws,
and Executive organizational
authenticate Orders, directives, policies,
userssystems
(or processes
AWS
identitycustomers
federation
regulations, are
standards, toresponsible
their
and existing
guidance.forAD/LDAP.
configuring their to
acting
uniquely on identify
behalf ofandusers).
authenticate
AWS customers are responsible fororganization-defined
managing information specific
system and/or
types of devices
identifiers by: before
use1)notification
Receiving establishing
authorization local, remote, theand/or
screennetwork
The master
AWS
The system
customers
connections account are responsible
and IAM must be managing
for
accounts arefrom
retained usedon organization
information
by customers defined
untilto users
system
personnel
acknowledge
authenticators
manage or in
their theaccordance
roles
by:are
AWS toservices.
usage
1) assign with
anThey
conditions
Verifying,
their
individual,
as and
part
identification
take group,
explicitly
of configured
the initial
and
role, orauthentication
device
actions
authenticator to login.
AWS
policy. customers
identifier, 2) the
Selecting responsible
anofidentifier forcan that
be
configuring their with
systems varying
to group,
distribution,
levels of permissions,
uniquely
N/A identify identity
and and theused
are
authenticate individual,
to setidentifies
upgroup,
non-organizationaland designan individual,
role, orthe
users device
system
(or as
role, or
receiving device,
the 3) Assigning
inauthenticator, the identifier to the intended individual,
documented
processes
group, role,acting
or
theonIAM
device, behalf
4)
Bestof2)Practices
Establishing
non-organizational
Preventing reuse
Guide
of
initial authenticator
available
users).
identifiers
at
for an
content
AWS
for customers are
authenticators responsible
defined by their fororganization,
providing basic
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html. security that
3) Ensuring awareness
training to users time
(including period,
managers, and 5) Disabling
senior
authenticators have sufficient strength of mechanism for their intended executives, the identifier
and after
an
use,organization-defined
contractors):
An AWS 1)
4) Establishing As
account is and part time
of period
initial
implementing
the initial of
training inactivity.
for
account administrative new users,
created when aprocedures 2) When
customer for
required
initial byservices
information
authenticator
purchases system
distribution,
from AWS. This changes, andis3)used
for lost/compromised
account At afor frequency
orservice
damaged defined
and
by
datatheir organization
authenticators,
billing. After forthereafter.
andinitial revoking
AWS account authenticators,
creation,5)it Changing
is the AWS default
content
customer’sof authenticators
responsibility prior to usetoIAM information
to createsystem uniqueinstallation,
accounts under 6)
Establishing
the AWS account minimum and maximumusers.
for organizational lifetimeIAMrestrictions
users can be andgranted
reuse
conditions
permissionsfor to authenticators,
access resources 7) and
Changing/refreshing
data as required. IAM authenticators
also at
provides functionalitytime intervals
to define userby authenticator
groups and group type, 8) Protecting
permissions.
authenticator content from unauthorized disclosure and modification,
9) Requiring individuals to take and having
The accounts that customers create on their Amazon EC2 instances or devices implement specific
security safeguards
applications to protect
are distinctly authenticators,
separate and are theand 10) Changing
responsibility of the
authenticators
customer to manage. for group/role accounts when membership to those
accounts changes.
N/A
AT-3: AWS customers are responsible for providing role-based
security
N/A training to personnel with assigned security roles and
responsibilities: 1) Before authorizing access or performing assigned
duties, 2) When required by information system changes, and 3) At a
frequency defined by their organization thereafter.
AWS customers are responsible for: 1) Establishing personnel security

requirements
AWS customersincluding security roles
are responsible and responsibilities
for requiring the developer forofthird-
their
party providers,
information 2) Requiring
system, system third-party or
component, providers to comply
information systemwithservice
AWS customers
personnel security arepolicies
responsible for: 1) Requiring
and procedures that providers of
to provide
external organization-defined
information system servicestraining onestablished
comply the correct
with
by
usetheir
and
organizational
organization,
operation 3) implemented
Documenting
of security
the personnel
security security requirements,
and/or4)
information
Requiring third-party requirements
providers to and functions,
notifyemploy controls,
mechanisms.
security controls
personnel or rolesinofaccordance
any personnel withtransfers
applicableor federal laws, of
terminations Executive
third-
Orders,
party directives,
personnel who policies,
possessregulations,
organizational standards, and guidance,
credentials 2)
and/or badges
Defining
or who haveandinformation
documenting government
system oversight
privileges withinand user roles and
an organization-
responsibilities
defined with and
time period, regard to external information
5) Monitoring system services,
provider compliance.
and 3) Employing organization-defined processes, methods, and
techniques
AWS to monitor
customers security control
are responsible compliance
for providing by external
role-based service
security
providerstoon
training an ongoing
personnel withbasis.
assigned security roles and responsibilities:
N/A
1) Before authorizing access or performing assigned duties, 2) When
AWS customers
required are responsible
by information for providing
system changes, and 3)role-based security
At a frequency defined
training
AWS to personnel
customers
by their organization with assigned
are responsible
thereafter. for security
providingroles and responsibilities:
incident response
1) Beforetoauthorizing
training informationaccess
systemorusers
performing assigned
consistent duties, 2)roles
with assigned When and
N/A
required by information system changes, and 3) At time a frequency defined
responsibilities: 1) Within an organization-defined period of
N/Atheir organization
by
assuming an incident thereafter.
response role or responsibility, 2) When required
by system changes, and 3) At an organization-defined frequency
thereafter.
AWS customers are responsible for establishing and managing

cryptographic
AWS customerskeys
arefor required cryptography
responsible for configuringemployed withintotheir
their systems
system the
protect in accordance withand/or
confidentiality organization-defined requirements for key
integrity of organization-defined
N/A
generation, distribution, storage, access, andsystem
destruction.
information at rest in accordance with their and
AWS customers are
communications responsible
protection for establishing and managing
policy.
cryptographic keys for required cryptography employed within their
systemcustomers
AWS in accordance with organization-defined
can employ requirements
Server Side Encryption (SSE) withfor key
generation,
Amazon distribution,
S3-Managed storage,
Keys access,SSE
(SSE-S3), andwith
destruction.
AWS KMS-Managed
Keys (SSE-KMS), or SSE with customer-provided keys (SSE-C).
More information on these encryption options is available at

http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-
encryption.html.
AWS customers are responsible for implementing mechanisms to

protect the confidentiality and integrity of transmitted information.

reviewing, and updating at an organization-defined frequency an
inventory of system components for their systems. AWS customers are
responsible verifying that the inventory: 1) Accurately reflects the
N/A
current system, 2) Includes all components within the authorization
N/A
boundary, 3) Is at the level of granularity deemed necessary for
tracking
AWS and reporting,
customers and 4) Includes
are responsible the information
for allocating audit record prescribed
storage by
the configuration
capacity
AWS in accordance
customers management
are with thepolicy
responsible audit that is deemed
record
for developing storage necessaryplan
requirements
a contingency to for
achieve
defined
their effective
in
system their
that: information
audit system
and accountability
1) Identifies essential component
policy. and
missions accountability.
AWS customers are responsible for configuring their business
systems to
functions and
protectcustomers associated
against orare limit contingency requirements,
the effectsforofconfiguring
organization-defined 2) Provides
types ofall
AWS
recovery objectives, responsible
restoration priorities, and their systems
metrics, 3) and
Addresses
denial of servicesystems
interconnected attackstobyenforce
employing their organization-defined
approvedindividuals
informationwith security
flow
contingency
safeguards. roles, responsibilities, and assigned
AWS customers
policies. This canare be responsible
accomplished forthrough
defining,configuration
documenting, ofandAmazon
contact information, 4) Addresses maintaining essential missions and
implementing
Virtualcustomers
AWS Private separation
Cloud of duties
(Amazon
aredespite
responsible forfor
VPC) individuals
network
enforcing Access
the with access
Control
principle of to their
Lists
least
business functions
More information on best an information
practices for resiliencysystem disruption,
against denial ofbe
systems
(ACL) for
privilege orforinformation.
controlling
users Implementation
inbound/outbound
(or processes onof
actingeventual, this separation
traffic
behalf atof the subnet
users) should
by level and
granting
compromise,
N/A
serviceonattacks orisfailure,
available 5) Addresses
at for controlling full information system
based
Amazon
access validonsecurity
VPC
based access
explicit authorization
groups
authorizations. decisions
Access forauthorizations
traffic specific
at theusers
instanceor
should
restoration without deterioration of the security
https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.p
AWS customers are responsible forcustomer’s
screening personnel safeguards originally
prior policy.
to
individuals
level.
provide for as
onlydefined by the AWS
the minimum access control
planned
df.
granting and
access implemented,
toare
their and level
systems Is of
6)and access or
reviewed
rescreening
permissions
andpersonnel
approvedaccording
byrequired
to
AWS
to customers
accomplish
organization-defined assigned responsible
tasks based
personnel orforroles
developing
on their
in and documenting
organization’s
accordance with mission
the and
The
Moreenforcement
access information
agreements ofon
for conditions
this requirement
configuring
their systemsrequiring
can be
Amazon
hosted rescreening
VPC
onaccomplished
AWS. Inand at
byatan AWS
is organization-defined
available
addition,
business
AWS
contingency needs.
customers are
planning responsible
policy. for implementing
establishing groups andfrequency.
permissions within IAM, as discussed
customers
cryptographic
N/A
are responsible
uses and typeforofensuring
cryptographythat all of their
required for each at
personnel usesign
in
rity.html.
access
More agreements
information
accordance before
on
with applicableIAMreceiving
access
federal access
authorizations
laws, to their
Executive is system,
available
Orders, atdirectives,
a
at
AWS
AWS customers
customers are responsible
are defined
responsible for distributing
for:personnel
1) Monitoring copies of
andpolicy the
controlling
recurring
contingency frequency
regulations,
planattothe by the
policies, and standards.
organization-defined key security
contingency and when
personnel
communications
accesscustomers
agreements arehave external
been boundary of the system andmustat key
AWS
(identified
internal by name
boundaries
responsible
and/or
within byupdated.
the
for and
role)
system,
Access
implementing agreements
organizational
2)ofImplementing
mechanisms
elements.
subnetworks
be
to
reviewed
protect the
Contingency
AWS and
customers updated
confidentiality
planning at anand
activities
are responsible integrity
must transmitted
for: 1)beMonitoring
coordinated frequency.
information.
with
their incident
information
for publicly accessible system components that are physically or
handlingtoseparated
system
logically activities.
detect: a)from The
Attackscontingency
and indicators
internal plan must
organizational of potential
be reviewed
networks, attacks
andat ain
3)
frequency defined
accordance
Connecting with organization-defined
to externalin thenetworks
contingency planning
monitoring
or information policyobjectives
systems andonly
updated
and b)to
through
address changes
Unauthorized
managed local,
interfaces to their
network,
organization,
consisting and remote
of boundary system,
connections;
or environment
protection 2) Identifying
devices of
arranged
operation
unauthorized
in accordance anduseproblems
with oforganizational
the information
encountered system
duringarchitecture.
security through
implementation,
organization- execution,
or testing.
defined techniques and methods; 3) Deploying monitoring devices: a)
Strategically
More information withinonthe information
securing systemVPC
an Amazon to collect organization-
is available at
AWS customers
determined are responsible
essential informationfor
http://docs.aws.amazon.com/Amazon andcommunicating
b) At ad hoc locations
VPC/latest/User contingency within plan
the
changestototrack
system organization-defined
specific types of personnel
Guide/VPC_Security.html. transactions and offor protecting
interest to their the
contingency plan
organization; from unauthorized
4) Protecting information disclosure
obtainedand from modification.
intrusion-
monitoring tools from unauthorized access, modification, and deletion;
5) Heightening the level of information system monitoring activity
whenever there is an indication of increased risk to organizational
operations and assets, individuals, other organizations, or the Nation
based on law enforcement information, intelligence information, or
other credible sources of information; 6) Obtaining legal opinion with
regard to information system monitoring activities in accordance with
applicable federal laws, Executive Orders, directives, policies, or
N/A
AWS customers are responsible for employing integrity verification

tools to
AWS monitor and
customers detect unauthorized
are responsible changesdocumenting,
for developing, to organization-
and
defined software,
maintaining underfirmware, and information
configuration within
control a current their information
baseline
system.
configuration of their systems.
AWS customers are responsible for requiring the developer of their

information
AWS customers system, are system
responsible component,
for employing or information
integritysystem verificationservice
to:
tools1) to
Perform
monitorconfiguration
and responsible managementchanges
detect unauthorized during system, component,
to organization-
AWS
or customers
service design,are development, for developing, documenting, and 2)
defined
maintaining software,under firmware,
configuration and implementation,
information
control within
a current
and/or
theiroperation,
baseline information
Document,
AWS
system. customers manage, are responsible
and control for
the implementing
integrity of changes
a configuration
to
configuration
controlofprocess
change theirconfiguration
systems.
in accordance
AWS customers are responsible foritems withunder
analyzing theirchanges
configuration
configurationto their systems
management,
management
to determine policy
3) Implement
potential that includes
security only organization-approved
the following
impacts prior to elements:
change changes
1)
implementation. to the
AWS
system, customers
Determinationcomponent, ofaretheorresponsible
types
service, 4)forDocument
of changes defining, documenting,
to the information
approved changes approving,
system tothat
the
and
AWS
are enforcing
customers physical
configuration-controlled,
system, component, areor and logical
responsible
service 2)andReviewaccess
for: ofrestrictions
the1)potential
Establishing
all proposed
security associated
and documenting
configuration-
impacts with
of
changes
configuration
controlled
such to changes
changes, their and systems.
settings 5) for information
ITsecurity
toresponsible
the
Track products employed
system
flaws andand within
flaw approval theirorsystems
resolution
AWS customers are for configuring their system towithin
provide
using
the
only organization-defined
disapproval
system,
essential of such
component, changes
capabilities or security
with
service
and to andconfiguration
explicit
prohibit reportconsideration
or findings
restrict checklists
the to for that reflect
security
organization-
use of
AWS
the most customers
restrictive aremoderesponsible
consistent for developing,
with operational documenting,
requirements, and 2)
impact
defined
functions, analyses,
personnel.
ports, 3) Documentation
protocols, and/or of
services configuration
as defined change
in their decisions
implementing
AWS customers
Implementing atheconfiguration
are responsible
approved management
for requiring
configuration planthefor
settings, 3)their
developer systems
ofapproved
Identifying, theirthat:
associated
configuration
1) Addresses with the
management
roles, information policy.
responsibilities, system, and 4) Implementation
configuration of
management
information
documenting, system,
configuration-controlled
AWS customers andare system
approving component,
changes
responsible anyfor deviations
to developing or information
the information from anestablished system
system,
information 5) service
security
processes
to: 1) Perform
configuration and settings
procedures,
configuration 2) management
Establishes aduring
process for
system, identifying
component,
Retention
architecture
AWS offor
customers
configuration records
the
items are offor
informationorganization-defined
responsible
throughout system
for
the that:
requiring
system 1)the system
development changes
Describes
developer
components
to
thethe
life of overall
their
cycle
or service
based
information
philosophy, design,
on organization-defined
system development,
requirements, for implementation,
operational
an organization-defined
and approach to requirements,
be and/or
time
taken period.
with regard 4) to and
operation,
and 2)
information
for
AWS managing
Document, customers system,
the
manage, system
configuration
are responsible
and control component,
offor the
the requiring
integrityor information
configuration thechanges
of items,
developer system
to 3) service
Defines
of their
Monitoring
protecting andconfidentiality,
the controlling changes
integrity, to the and configuration
availability settings
of in
to:
the 1) Perform
configuration
information
organization-defined configuration
system, itemssystemfor the management
information
component,
configuration items or during
system
information
under system,
and and
configuration component,
places
system the
service
accordance
AWS customers
organizational with the
are configuration
responsible
information, 2) formanagement
Describes protectinghow policy
against
the supply
information supporting
chain
security
or service
configuration
to: 1) Create design,items development,
under configuration implementation, management, and/or andoperation,
4) to2)
Protects
management,
procedures.
threats
AWS
Document,
the
to the
architecture
customers
configuration isand
3)
manage,
implement
Implement
information
integrated
are responsible
and
management control
a and
only
system,
into security
for
the
plan
system
supports assessment
organization-approved
requiring
integrity
for
component,
theof
unauthorized
plan,
enterprise
the or 2)
developer
changes
Perform
changes
information
architecture,
to
disclosure of their
and
the
unit,
system
and 3)integration,
system, component,
service
Describes bysystem,
employing
any and/or
orinformation
service, 4)regression
Document
security testing/evaluation
approved
assumptions changes
securityabout at to the
safeguards
information
modification.
AWS partcustomers
system,
as
system,
ofcomponent, are system
depth
or service
component,
configuration
responsible and for
coverage,
and items
requiring
the
orunder
3)information
potential the configuration
Produce developer
security
system
evidence ofand
impacts
service
their
of the
of
dependencies
to follow
management,
information aaofdocumented
comprehensive,
on Implement
3)
system, external defense-in-breadth
services.
development
only process
organization-approved information
that: 1) Explicitly
changessecurity to the
execution
such changes,
AWS
strategy. customers theand are5)system
security Track
responsible component,
assessment
securityfor: plan
flaws
1) orandinformation
and
Managing the
flawresults system
resolution
their systems service
of thewithin
security
using
addresses
system,
to produce security
component,
testing/evaluation, a design requirements,
4) or service,
specification
Implement 4) 2)
aand Identifies
Document
security
verifiable the
approvedstandards
architecture
flaw changes
remediation andprocess,
that: tools
to
1) the
Is
theorganization-defined
an system, component, or service
System and
Development report findings
Life Cycleto organization-
(SDLC)
AWS
used
system,
consistent
and
customers
5)inCorrect
the development
component,
with aresupportive
and
flaws
responsible
or process,
service
identified and
of for
during3) reviewing
including
Documents
the
their potential
organization’s
security
and
the updating
following
the specific
security impacts
security
testing/evaluation. tool ofthat
the
defined
incorporates
information
requirements,personnel.information
security
descriptions, security
architecture
and considerations,
criteria
at an organization-defined
explicitly 2) Defining
orresolution
byengineering
reference andin
frequency
options
such
AWS
architecture and tool
changes,
customers thatand configurations
are
is 5) responsible
Tracksecurity
established used
securityfor
within inandthe
applying
flaws development
and
is ansecurity
flaw
integrated process,
part withinandthe
of their
documenting
to reflect
acquisition
4) Documents, updates information
contract in for
manages, the the
enterprise
information roles and
architecture.
system, responsibilities
Planned
system throughout
component,
information
to the or
the
principles
AWS
the system,
organization’s
SDLC, in3)
customers component,
the specification,
enterprise
areservice
Identifying orand ensures
service
design,
architecture,
responsible
individuals forand the
2)
properly
having
integrity
development,
report findings
Accurately
handling
information
of implementation,
changes
to
andand organization-
completely
retaining
security roles
security
information
process
defined
and architecture
and/or system
personnel.
modification
describes the tools
requiredof changes
used
their inin must
accordance
development.
systems.
security be
functionality reflected
withand applicable
inthetheallocation
security federalplan,
of laws,the
their
and information
N/Aresponsibilities,
security
Executive Concept
Orders,among within
ofdirectives,their
Operations system
and 4) Integrating
policies,
(CONOPS), and information
the organizational
regulations,
and output
organizational
standards, from
information the
security
system
security controls
in
risk accordance
management withphysical
applicable
process and
into logical
federal
SDLC components,
laws, Executive
activities. andOrders,
3)
guidelines,
N/A
AWS
Expresses customers and individual
how organizational
are regulations,
responsible mission/business
security forfunctions,
reviewing needs:
the 1) Security
development
mechanisms, and services
directives,
functional policies,
requirements, 2) Security standards,
strength and operational
requirements,
process,
AWS
work standards,
customers
together
requirements. to are tools,
provide and
responsible toolforoptions/configurations
required configuring
security andata3)
their systems
capabilities an Security
to
unified
assurance
implement
approach torequirements,
organization-definedorganization-defined
protection. 4) Security-related
frequency tofail-safe
determine documentation
if the process,
procedures to protect standards,
its
N/A
requirements,
tools, andfrom
memory tool 5) Requirements
options/configurations
unauthorized code forexecution.
protecting
selectedsecurity-related
and employed can
AWS
satisfycustomers
documentation, 6)
organization-definedareDescription
responsible offor
security theimplementing
information system
requirements. a configuration
development
change
environment control and process
environmentin accordance
in which withthetheir
system configuration
is intended to
management
operate, and 7) policy that includes
Acceptance criteria. the following elements: 1)
Determination of the types of changes to the information system that
AWS customers are responsible for analyzing changes to their systems
are configuration-controlled, 2) Review of all proposed configuration-
to determine
AWS customers potential security impacts
aretoresponsible for requiring prior tothe change
developer implementation.
of their
controlled changes the information system and approval or
information
disapproval system,
of such
AWS customers are responsible for system
changes component,
with explicit
testing orconsideration
information
their contingency system
for security service
plan at an
to: 1) Perform
impact analyses,
organization-defined configuration
3) Documentation
frequency management
using during system,
of organization-defined
configuration change component,
decisions
tests to
N/A
or service design, development, implementation, and/or operation, 2)
associated with the information system,
determine the effectiveness of the plan and the organizational readiness 4) Implementation of approved
AWS
Document, customers manage,
configuration-controlled are responsible
and control
changes for
theto conducting
integrity
the
to execute the plan. AWS customers are responsible for reviewing the of
information backups
changes system, of
to user-level,
5)
system-level,
Retention
N/A of and
records systemof documentation
configuration items
results of contingency plan testing and initiating corrective actions (including
under security
configuration
changes to the
information)
management,
information
when needed. at3)aImplement
system frequency defined in their contingency
only organization-approved
for an organization-defined time period. planningto the
changes
policy.
system,AWS component, customers are responsible
or service, 4) Document for protecting
approvedthe changes to the
confidentiality,
system, component, integrity, and availability
or service and the potential of backup securityinformation
impacts at of
storage locations.
such changes, and 5) Track security flaws and flaw resolution within
the system, component, or service and report findings to organization-
defined personnel.
N/A
N/A
N/A
N/A
N/A
N/A
AWS customers are responsible for conducting security assessments

for their
AWS systems.are
customers Within responsiblethis context and in accordance
for developing a continuous with their
security assessment
monitoring strategy and
and authorization
implementing policy,
a continuous AWS customers monitoringplan are
AWS
responsiblecustomers for: 1) areDeveloping
responsible a for developing
security assessment a contingency
plan for
program
their system in accordance
that: 1) Identifies with their security
essential assessment
missions and and that
business authorization
AWS
describes
policy customers
thatthe defines: are
security 1)responsible
controls
Metrics and
to for developing
becontrol
monitored, an
enhancements Incident
2) Frequencies underResponsefor
functions
Plan (IRP)
assessment, andthat:associated
assessment contingency
procedures used requirements,
to determine 2) Provides
effectiveness, the
AWS
monitoring
recovery customers and
objectives, are responsible
reporting, restoration for
and 3)priorities, developing
Personnel andor roles a security
metrics, responsible
3) plan for
Addresses fortheir
1) Provides
assessment
systems
conducting that: their
and Isorganization
environment,
1) receiving
consistent the withthe
assessment
with
continuous a roadmap team,for
organization’s
monitoring and implementing
the
analysis assessment
enterpriseinformation. itsroles
N/A
contingency
incident response roles, responsibilities,
capability, 2) Describes and assigned
the individuals
structure andsystem with and
and responsibilities,
architecture,
Pursuant to this 2) Explicitly 2) Assessing
continuous defines
monitoring security
the controls
authorization
program, AWS in their
boundary
customers for the are
contact
organization information,
its environment of the 4) Addresses
incident
of Establishing
operation response
at an maintaining
capability, essential
3) information
Provides missions a high- and
system,
responsible
business 3)functions
Describes
for: 1) the operational
despite an andorganization-defined
information context
configuring systemof the monitoring
disruption,
frequencyfor to
system
defined
level
determine
in approach
terms 2) ofthe for how
extent and
missions to andthe
which incident
the controlsresponse capability
are4)implemented fits into
thecorrectly, the
metrics,
compromise,
overall
operating
Monitoring
organization,or failure,
as intended, 4)and 5)business
Meets
conducting
Addresses processes,
thesystem
producing uniquethe
assessments
eventual, requirements
desired
Provides
fulloutcome
as organization-
information
of the
security
with respect system
categorization
defined
restoration frequencies,
withoutof thedeterioration
information
3) Conducting of theongoing including
security security supporting
control
organization,
to meeting5)established
rationale,
assessments, which
Describes
4) Conductingrelate the to
security mission,
requirements,
operational
ongoing size,
environment
security 3)safeguards
structure,
status Producing and
for
monitoring
originally
thefunctions,
a security
information 5)
planned
Defines andreport
reportableimplemented, incidents, and 6) Is
thereviewed andfor approved by of their
assessment
system and
organization-defined relationshipsthat metrics,with6)
documents
personnel oror
5) Provides results
connections
Correlating
roles in
metrics of
to the
and
accordance other
analyzingmeasuring
assessment,
information,
with security-
the
the6)4)
and
incident
Providing
Provides
related response
antheoverview
information capability
resultsgeneratedofofthe within
thesecurity
security the organization,
control
by assessmentsrequirements assessment 7)
for the
and monitoring, Defines
their5)the7)
to system,
contingency
resources and
organization-defined planning
management policy.
individuals support or needed
roles. to effectively maintain and
Identifies
Taking appropriate any relevant overlays,
response actionsif applicable,
to address8)the Describes
results ofthe thesecurity
mature
controls an inincident
place orresponse
planned capability,
for meeting andand8)6)
those IsReporting
reviewedthe
requirements, and include
analysis
AWS
AWS
approved
of
customers
customers
by
security-related
are
are responsible
responsible
information,
for distributing
for defining
personnel
information
copies of sharing thetosecurity
astatus
rationale
of their forplan
the tailoring
organization decisions,
and the isand 9) or roles.
Iscontingency
reviewed toand approved
circumstances
contingency
AWS customers where to
are user discretion
responsible forinformation
required.
developing key system
aAWScontinuous the
customerspersonnel are
by the authorizing
responsible forname official
facilitating personnel or
bydesignated
or roles
information atrepresentative
the organization-defined priorauthorized
to plan
(identified
monitoring
AWS customers bystrategy are and/or
and
responsible role)
implementing for
for: and asharing
organizational
continuous
distributing
1) Monitoring
by enabling
copies their elements.
monitoring
of the
informationIRP to
implementation.
frequency.
users to determine whether
Contingency
program
organization
system to indetect:planning
accordance
defined withaccess
activities
incident
a) Attacks their must
response
and
authorizations
security
indicators bepersonnel
coordinated
assessment
ofon potential
assignedwith
and
(identified attacks
to the
incident
authorization
byinname
N/A that
sharing
handling
policy partner
activities.
defines:match 1) the
The access
contingency
Metrics to restrictions
plan
be monitored, must bethereviewed
2) information.
Frequencies atand aforAWS
and/or
accordance
In role)
addition, and organizational
with
AWS organization-defined
customers are elements.
responsible The
monitoring IRP
for must be review
objectives
distributing copies b) and
ofor
customers
N/A
frequency are responsible for implementing automated mechanisms
monitoring
updated
Unauthorized
the security at defined
aandfrequency
local,
plan
innetwork,
reporting,
tototheir
thedefined
contingency
and
3)
and the planning
byPersonnel
remote incident or
connections;
personnel
policy
roles
response and
responsible updated
policy
2)sharing
or roles, Identifying toforto
reviewing
manual
address
conducting processes
changes and to assist users
organization, in
formaking system, information
ora analysis
environment of during
AWS
address
the customers
unauthorized
security
decisions based usereceiving
plan are
system/organizational
on oftheir
at responsible
the continuous
information
access
changes
control
monitoring
developing
systemorfrequencies,
problems
policy. through contingency
encountered information.
organization-
and updating plan for
the
operation
Pursuant
their
plan
defined
N/A system toand
implementation,this
techniques problems
that: continuous
1)and encountered
Identifies
execution,
methods; monitoring
essential
or during
testing.
3)the program,
missions
Deploying implementation,
Changes AWS
andtobusiness
monitoring customers
the IRP execution,
devices: must area)be
security
or testing.andplan to address changes to information
responsible
functions
communicated
Strategically for: to1)
associated
within Establishing contingency
the information and configuring
requirements,
systemincident monitoring
response
to identified
collect 2)organization-
Provides for defined
personnel
system/environment
AWS customers are of operation
responsible or providing
for problems an incident during
response plan
metrics,
recovery
(identified
determined 2) Monitoring
objectives,
by name
essential and/or and role)
restoration
information conducting
priorities,
and
and b)assessments
and
organizational
At ad hocmetrics, as organization-
3) Addresses
elements.
locations within
implementation
support
AWS resource,
customers or
are security
which responsible control
is integral for assessments.
to the organizational
communicating
developing anAWS Incidentcustomers
incident
contingency Response arethe
defined
contingency
system
responsible
frequencies,
to track roles,
for specific
protecting
3) Conducting
responsibilities,
typestheir of ongoing
and
transactions
security assigned
plan
security
of
from interest control
individuals to
unauthorized with plan
their
response
changes
Plan (IRP)
assessments, tocapability, that
that:
4) offers advice
personnel and assistance
andstatusfor to users
protecting ofof
the the
contact
AWS
organization;
disclosure
information
information,
customersortheir4) Conducting
arefor
Protecting
modification.
system
4) Addresses
responsible
the an
ongoing for
information
handling
security
maintaining
protecting
identifying
and obtained
reporting
essential
the
thefromIRP
of
monitoring
missions
information
from
intrusion-
security
their
and
incidents.
contingency
1) Provides
business
unauthorized
involved
monitoring plan
functions
in tools
an from
organization
disclosure
fromdespite
information unauthorized
metrics,
andsystem
unauthorized with
5)
information
modification. disclosure
aaccess,
roadmap
Correlating
contamination systemandforand modification.
implementing
analyzing
disruption,
modification,because security-
AWS
and its
does
deletion;
N/A
incident response capability, 2)
related
compromise,
not
5) manage information
Heightening orthe
customerfailure,generated
level data 5)ofor byDescribes
Addresses assessments
determine
information itsthe
eventual,
system structure
andfull
categorization. andAWS
monitoring,
information
monitoring activity5)system
has no
AWS
Takingcustomers
organization
restoration
insight
whenever appropriate
into without
the
there isare
of sensitivity
the responsible
anincident
response
deterioration
indication ofresponse
actionsfor
customer
of testing
tocapability,
ofincreased
the address
security
data their
riskthe
and contingency
3) Provides
to results
safeguards
must plan
athehigh-
oforiginally
consequently
organizational at an
level
analysis
planned
AWS
treat approach
all
operations of and
and
customers
customer forare how
security-related
implemented,
data
assets, frequency
asthe
responsible incident
sensitive.
individuals, 6)using
information,
and forIsother
As organization-defined
response
reviewed
testing andthe
such, capability
6)and
only
organizations, Reporting
aapproved
incident customer
orfits tests
the
response
the into
bycan
Nation to
the
security
determine
overall
status on
capability
determine
based lawtheenforcement
oforganization,
their
for
whether effectiveness
organization
their 4)
system
data Meets
personnel atof
andanthe
hasinformation,
been the
or plan
unique
roles
spilled and
information
in
on the
requirements
accordance organizational
an Amazon
intelligence system of
to
with
frequency
EC2
information, the
thethe readiness
using
instance,or
N/A
to execute the plan. Block AWS customers are
organization,
contingency
an Amazon
other credible which
planning
Elastic
sources relate
personnel
policy.
tests to determine
to
Store mission,
of information; or roles
(Amazon atresponsible
size,
6)the structure,
the
incident
EBS)
Obtaining volume, for
andreviewing
response
legal functions,
or an Amazon
opinion the
with5)
AWS
results
Defines customers
ofreportable
contingency are responsible
plan testing
incidents, 6) for developing,
and
Provides initiating documenting,
metricscorrective for actions
frequency.
effectiveness
S3 object.
regard to and documenting
information system the
monitoring results. activities in measuring
accordance the
with
maintaining,
when
incident needed.
response disseminating,
capability and
within implementing
the organization, aariskpersonnel 7)policies,
Defines security
AWS
applicablecustomersfederalare laws,responsible
Executive forOrders,
distributing
assigning directives, copies designation
of the orthe
to all
policy
resources
contingency
positions
Upon along and
and
determining with
plan supporting
management
establishing
to organization-defined
that theyscreeningprocedures.
support
have needed
criteria
a spill AWS
key
within tofor customers
effectively
contingency
individuals
their environment, are
maintain
personnel
filling and
those
the
regulations;
AWS customers and 7)
are Providing
responsible organization-defined
for screening personnel information prior tosystem
responsible
mature
(identified
positions.
AWS anaccess
customerInbyfor
incident reviewing
addition,
nameisare response
and/or
AWS
responsible and updating
bycapability,
customers
role)
for and
notifying the
and
are policy
organizational
responsible
the and procedures
8) Isorganization-defined
reviewed elements.
for or and
reviewing at a
monitoring
granting
AWS customers information
to their to organization-defined
systems and rescreening personnel
personnel roles as to
according
frequency
approved defined byresponsible
their for
organization. upon atermination of anincidentindividual's
Contingency
and
personnel
needed or by
revising or
employment:
in position
planning
roles
accordance and risk
activities
designations
isolating
with
conditions mustpersonnel
ancontaminated beatcoordinated
requiring orsystems
frequency
rescreeningroles. with defined
or system
frequency.
and at an in their
AWS
handling
personnel customers
components. activities.
security
organization-defined arepolicy.
Theresponsible
contingency
frequency. for: 1) plan Reviewing
must be reviewed and confirming at a
1)
AWSDisabling
ongoing
frequency customers information
operational
definedare are responsible
need
inresponsible system
for current
the contingency access
for developing to
distributing
logical
planning the individual
andpolicycopies
physical who
of access
and the
updated has
IRP to been
to
AWS
terminatedcustomers within the frequency for
defined in their and documenting
personnel security
organization
authorizations
address
AWS
access changes
customers
agreements defined
to toinformation
are for incident
their
responsible
their systems/facilities
response
organization,
systems for personnel
system,
eradicating
hosted on or when
AWS.
the (identified
individuals
environment
information
In addition, byofname are
from
AWS
AWS
policy,
and/or
reassignedcustomers
2) and
role) orand are
Terminating/revoking
transferred responsible
organizational to other for:
any
elements. 1)
positions Establishing
authenticators/credentials
ThewithinIRP the
mustpersonnel
organization,
be review securityand
2)
operation
the
customers
contaminated are problems
responsible
system encountered
orforsystem
ensuring during
component,
that implementation,
all ofidentifying
their personnel execution,
requirements
associated
AWS
updated
Initiatingcustomerswith including
the
arebefore
atorganization-defined
acomponents
frequency security
individual,
responsible
defined 3) roles
for:
transfer
by the 1)and
Conducting or responsibilities
Implementing
incident an
reassignment exit
response interview
a formalforother
actions
policy third-
that
to
sign
within
or testing.
systems
access agreements
or thatreceiving
have been accesssubsequently
to their system,
contaminated,at a4) and
party
includes
sanctions
address
an providers,
a discussion
process
organization-defined 2)for
system/organizational Requiring
or
personnel third-party
time-period, failing
changes (3)to
or providers
comply
Modifying
problems security toencountered
with comply
topics,
established
access with during
N/A
performing
recurring
personnel frequency
other
security organization-defined
definedand
policies byorganizational
the personnel
procedures actions security
in accordance
established policy
by their and
withwhen their
Retrieving
information
plan
authorization
AWS customers
customers all
implementation, security-related
security
as needed
are policies
execution,
to
responsible and
correspond procedures
or testing.
with
for communicating information
and
Changes
any 2)
changes Notifying
to thein
contingencysystem-
IRP
operational
must be
incident
access
AWS
organization,
related response
agreements
property, 3)to arepolicy.
have
Documenting
5) Retaining been updated.
responsible for:
personnel
access toAccess
1) Conducting
security
organizational agreements an must 4)
assessment
requirements,
information beplan
of
communicated
need
changes
reviewed
risk
due
toperiodtoto
and
include
the reassignment
updated
theare
personnel
organization-defined or or roles
transfer,
personnel
at an organization-defined within
incident
and and (4)an
of for
response
Notifying
protecting
frequency. personnelthe and
Requiring
information
AWS
time customers
(identified third-party
contingency by systems
whenname alikelihood
providers
formerly
responsible
formal
and/or
personnel
and
employee
role) to
or
magnitude
and notify
controlled
for: 1) by
Scanning
sanctions
organizational
roles within the harm
terminated
for
process
the
from is
elements.
time
the
individual,
vulnerabilities
initiated,
period defined in
to
AWS
unauthorized
personnel
and
their or plan
customers
6)information
include
in their Notifying
identifying
personnel
access,
roles from
can ofthe use,
any
appropriate
system
security
unauthorized
perform
and
individual
traditional
disclosure,
personnel
personnel
hosted
policy.
disclosure
ofoverwrite
disruption,
transfers
applications
sanctioned theor
and
termination
and at
the
modification.
practices
modification,
terminations
an
on
within
organization-
reason oforthird-
for thethe
AWS
Amazon customers
destruction EC2 theirare
of instances responsible
andpersonnel
information Amazon for:
system 1)
EBS Identifying,
andvolumes the reporting,
in order
information to and
sanitize
it badges
party
frequency
defined personnel defined
frequency who in possess
and/ortheir organizational
randomly for in security credentials
policy. and/or
sanction.
AWS
correcting
the customers
environment, information are
as
or well
responsible
system
as flaws,
subsequently 2)accordance
protecting
Testing
terminate the with
IRP from
software their
and firmware
N/A
processes,
or who
unauthorizedhave stores,
organization-defined information
disclosure
transmits,
process system
and
2)privileges
and Documenting
when
modification. newwithin risk anthe
vulnerabilities
Amazon
assessment
organization-potentially
EC2
results
updates
instance
in the system related
or delete to the
plan, flaw remediation
Amazon
security EBS for
assessment volume.effectiveness
report, Toordestroy
other and anpotential
Amazonside
organization- S3
defined
affecting time period,
the system/applications and 5) Monitoring provider
are identified and compliance.
reported; 2) and
effects
object the
defined beforecustomer
document, installation,
3)mustReviewing 3) Installing
delete therisk security-relevant
encryption
assessment key software
that controls
results at an access
Employing
firmware vulnerability
updates within scanning
an tools
organization-defined and techniques time that
period promote
of the
to it and then
organization-defined delete the Amazon
frequency, S3
4) object,
Disseminating which will
risk break the key
interoperability
release of the among
updates, tools
and 4) and automated
Incorporating partsremediation
flaw of theassessment
vulnerability
into the
and object mapping.
results to organization-defined personnelfor: or roles, and 5) Updating the
management
organizational process
configuration by usingmanagement standards a) Enumerating
process. platforms,
risk assessment
software flaws, and at animproperorganization-defined
configurations, frequency
b) Formatting or whenever and there
AWS customers
are significant are responsible
changes to the information for determining systemwhich orand of their AWS
environment of
making
RDS transparent
Specific (MySQL, checklists MariaDB, and test SQL procedures, c) Measuring
assets
operation contains
vulnerability (including spillage the or if the spillage
identification ofServer
extends
new threats and Postgres):
to their and on-premises AWS
Customers
assets, as well
vulnerabilities) areimpact;
responsible
asorfor other
3) Analyzing
conducting for identifying,
conditions
vulnerability
forensic
that may andreporting, scan and
remediation
reports patching and their
activities stateinof
results
database from security control assessments; 4) impact
Remediating the security legitimate
the system. within organization-defined response times in through
accordance
vulnerabilities
engines.
with The
their RDS
organization’sservice notifies
spillage AWS
policies. customers
AWS announcements and email announcements whenever a new
accordance
version with an organizational
is available. The customer assessment will be ableof to risk;
go throughand 5) the Sharing
information obtained
management console or from CLI thetovulnerability
update their particular scanning process RDS engine and
security control
(Update options:assessmentsUpdate Nowwith organization-defined
or Update in the next maintenance personnel or
roles to help
window). Theeliminate
AWS Customer similar vulnerabilities
is responsible performing in other information tests on
systems (i.e.,
updated RDS systemicengine versions weaknesses beforeordeploying
deficiencies). to their environment to
mitigate any potential performance issues.
Prior to conducting penetration testing or vulnerability scanning
activities,
RDS Specific AWS customers
(Oracle): AWS areCustomers
required toare request
responsible authorization for
through the following
identifying, reporting, URL: and patching their database engines. The RDS
service notifies AWS customers through AWS announcements and
email announcements whenever a new RDS engine version is
RDS Specific
available. Please (Postgres,
note, RDS MySQL, OracleMariaDB,engines and SQL Server,has
patches Aurora,
a vendor
Oracle): RDSRDS
dependency. Specific Oracle (Postgres,
updates MySQL, relies on MariaDB, the vendorSQL to merge Server, AWS
Aurora, Oracle):
customized patches AWS withCustomers
Oracle releases are responsible
to ensure for all meeting
functionality scanning is
requirements
kept. Once a merged on theirpatch databases in accordance
is created and validated, with organization-
AWS will make
defined
the engine frequency
version and/or available when for new vulnerabilities
customers. The customer have been will be able
identified. Also, AWS Customers are
to go through the management console or CLI to update their particular required to remediate legitimate
findings within the organization-defined
RDS engine (Update options: Update Now or Update in the next timeframe.
maintenance window). The AWS Customer is responsible for
DynamoDB Specific: This service is a fully managed cloud NoSQL
N/A
N/A
N/A
AWS customers are responsible for: 1) Approving and monitoring
nonlocal maintenance and diagnostic activities; 2) Allowing the use of
nonlocal maintenance and diagnostic tools in accordance with their
maintenance policy and as documented in their SSP; 3) Employing
strong authenticators in the establishment of nonlocal maintenance and
diagnostic sessions; 4) Maintaining records for nonlocal maintenance
and diagnostic activities; and 5) Terminating session and network
connections when nonlocal maintenance is completed.

maintaining, disseminating, and implementing an audit and
accountability policy along with supporting procedures. AWS
customers are responsible for reviewing and updating the policy and
procedures at a frequency defined by their organization.
More information on implementing logging with an AWS account is

available at https://aws.amazon.com/whitepapers/security-at-scale-
logging-in-aws/ and http://aws.amazon.com/cloudtrail/
AWS customers are responsible for defining auditing requirements,

verifying that their systems can perform such auditing, providing a
rationale for why the selected audit settings are adequate, and
implementing and audit solution that tracks events at a frequency
defined by their audit and accountability policy.

generate audit records
AWS customers containingfor
are responsible information
allocating thatauditestablishes
record storagewhat
type of event
capacity occurred, with
in accordance whenthe theaudit
eventrecord
occurred, where the event
storage
AWS customers
occurred, are responsibleevent,fortheconfiguring theirrequirements
systems tothe
alert
defined inthe
personnel
source
their auditofand theaccountability outcome
policy.of the event, and
identity
AWS ofasany
customersdefined in
individuals their
are responsibleorauditforand
subjects accountability
associated
reviewing andwith policy inaudit
the event.
analyzing the
event ofatananaudit
records processing failure.frequency
organization-defined AWS customers are responsible
for indications of
AWS
for customers
configuring are responsible
their systems for implementing
to take additional and configuring
actions when an
an audit
audit reduction inappropriate
andoccurs
report generation or unusual
capability activity
that: 1)and reporting
Supports on-
processing
AWS
these findingsfailure
customers to are based
responsible
organization-definedon
forthe requirements
configuring
personnel theirdefined
systems
or roles into:
their
1)
in accordance
demand
Use and audit
auditinternal review,
accountability
system analysis,
clockspolicy. and reporting
to generate requirements
time stamps auditand
forsystems after-
records
with
AWS their
the-fact audit
customers and
are accountability
investigations responsible
of security forpolicy.
configuring
incidents and their
2) Does not alterto the
and 2) Record
protect audit time stamps
information foraudit
and audit records
tools fromthat can be mapped
unauthorized access,to
original content
AWS customers
Coordinated or time ordering
are responsible
Universal Time (UTC) of audit records.
for configuring
or Greenwich their systems
Mean Timeto(GMT)
modification,
protect against and deletion.
anare
individual (or process actingaudit
on behalf
and that
AWS meet the
customers granularity
responsible of time measurement
for retaining recordsoffor
defined an a period
within the
individual)
audit and
defined falsely
byaccountability
their denying
audit having performed
andpolicy.
accountability policy actions
to as defined
provide support in
AWS
their customers
audit are responsible
and accountability for configuring their systems to: 1)for
after-the-fact
Provide audit investigations
record generation ofpolicy.
security incidents
capabilities for theand to meet events
auditable regulatory
N/A
and organizational information
defined in AU-2a for all systemretention
components requirements.
where audit capabilities
are deployed/required based on the audit and accountability policy, 2)
Allow organization-defined personnel or roles to select which auditable
events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in
AU-3.
N/A
N/A
N/A
N/A
N/A
enforce
AWS logical access
customers based on approved
are responsible authorizations
for configuring and in
their system to provide
accordance
only with
essential their access
capabilities andcontrol
to for policy.
prohibit or restrict
AWS customers are responsible establishing andthe use of
documenting
functions,
usage ports, protocols,
restrictions, and/or services asrequirements,
configuration/connection defined in their and
AWS customers
configuration are responsible
management for establishing and documenting
policy.
implementation
usage customers guidance
restrictions,are for each type
configuration/connection of remote access
requirements, allowed
andandtoall
AWS
their systems in guidance responsible
accordance with for configuring
their access in their policy.
control systems AWS
implementation
interconnected systems to for wireless
enforce theiraccess
approvedaccordance
information with
flowtheir
N/A control
customers
access are responsible
policy. AWS for authorizing
customers areremote access
responsible fortooftheir
authorizing
policies. prior
systems This to
can be accomplished
allowing through
such connections. configuration Amazon
AWS
Virtual Private Cloud (Amazon VPC) network Access Control Listsand
wirelesscustomers
access toare responsible
their systems for
prior establishing
to allowing usage
such restrictions
connections.
implementation
AWS
(ACL)customers guidance for
are responsible
for controlling Voice over Internet
for any Domain
inbound/outbound Protocol
traffic atName (VoIP)
System
the subnet (DNS)
level and
technologies
services
Amazon VPCand
they authorizing,
implement
security withinmonitoring,
groups their
for systems
controlling andtraffic
controlling
hosted on AWS.the use of
Within
AWS
VoIP customers
within are responsible
theirpursuant
systems. for configuring theirat the
systemsinstance
to
this
level.context
perform dataand
origin to their system
authentication andintegrity
communications
AWS customers
protection policy, are
AWSresponsible
customers forand
are
data
ensuring
responsible
verification
that information
for sources.
configuring
on
systems
DNS
DNS resolution
collectively responses
providing name received from
resolution authoritative
services to their organization
AWS
to:
More1) customers
Provide are responsible
additional
informationand data
on configuring for
origin configuring
authentication
Amazon their
andsystems
VPC is availableintegrity
at to
are fault-tolerant
protect the authenticity
verification have
artifacts along implemented
of communications internal/external
with the authoritative sessions. role
name resolution data
separation.
the system returns in response to external name/address resolution
rity.html.
queries and 2) Provide the means to indicate the security status of child
zones and (if the child supports secure resolution services) to enable
verification of a chain of trust among parent and child domains, when
operating as part of a distributed, hierarchical namespace.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AWS customers are responsible for: 1) Monitoring and controlling
communications at the external boundary of the system and at key
internal boundaries within the system, 2) Implementing subnetworks
for publicly accessible system components that are physically or
logically separated from internal organizational networks, and 3)
Connecting to external networks or information systems only through
managed interfaces consisting of boundary protection devices arranged
in accordance with organizational security architecture.
More information on securing an Amazon VPC is available at

http://docs.aws.amazon.com/Amazon VPC/latest/User
Guide/VPC_Security.html.
N/A
N/A
N/A
N/A
AWS customers are responsible for developing an information security
architecture
N/A for the information system that: 1) Describes the overall
philosophy, requirements, and approach to be taken with regard to
AWS customers
protecting are responsible
the confidentiality, for configuring
integrity, their systems
and availability of to
protect the availability
organizational of resources
information, by allocating
2) Describes how the organization-defined
resources byispriority,
architecture quota,
integrated intoorand
other organization-defined
supports security
the enterprise architecture,
safeguard.
and 3) Describes any information security assumptions about and
dependencies on external services.
More information on configuring for fault tolerance and high
availability
AWS is available
customers at
are responsible for reviewing and updating the
http://media.amazonwebservices.com/architecture
information security architecture at an organization-defined frequency
center/AWS_ac_ra_ftha_04.pdf.
to reflect updates in the enterprise architecture. Planned information
security architecture changes must be reflected in the security plan, the
security Concept of Operations (CONOPS), and organizational
Note:
Anomalies and Events (DE.AE): DE.AE-1: A baseline of network · CIS CSC 1, 4, 6, 12, 13, 15, 16 AWS Best Practices, AWS Reference Architectures, AC-4 Several network fabrics exist at Amazon, each separated by boundary
Anomalous activity is detected in a operations and expected data flows · COBIT 5 DSS03.01 AWS Cloudwatch, CloudTrail, VPC Flowlogs, AWS protection devices that control the flow of information between fabrics.
timely manner and the potential impact for users and systems is established · ISA 62443-2-1:2009 4.4.3.3 Config, AWS Organizations, AWS Firewall Manager, The flow of information between fabrics is established by approved
of events is understood. and managed · ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, AWS PrivateLink, AWS Systems Manager, AWS authorizations, which exist as ACL residing on these devices. ACLs are
A.13.1.1, A.13.1.2 OpsWorks, Amazon Macie, AWS Managed Services, defined, approved by appropriate Amazon’s Information Security team,
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, AWS IoT Defender and managed and deployed using AWS’s ACL-management tool.
SI-4 Approved firewall rule sets and access control lists between network
fabrics restrict the flow of information to specific information system
services. ACLs and rule sets are reviewed and approved and are
automatically pushed to boundary protection devices on a periodic basis
(at least every 24 hours) to ensure rule sets and access control lists are
up to date.
AWS implements least privilege throughout its infrastructure
components. AWS prohibits all ports and protocols that do not have a
specific business purpose. AWS follows a rigorous approach to minimal
implementation of only those features and functions that are essential to
use of the device. Network scanning is performed, and any unnecessary
ports or protocols in use are corrected.
CA-3 A. There are no system interconnections.

B. There are no system interconnections.
C. There are no system interconnections.
CM-2 AWS has established formal policies and procedures to provide

employees with a common baseline for information security standards
and guidance. The AWS Information Security Management System
(ISMS) policy establishes guidelines for protecting the confidentiality,
integrity, and availability of customers’ systems and content.
Maintaining customer trust and confidence is of the utmost importance
to AWS.
AWS works to comply with applicable federal, state, and local laws,
statutes, ordinances, and regulations concerning security, privacy, and
data protection of AWS Cloud services in order to minimize the risk of
accidental or unauthorized access or disclosure of customer content.
SI-4 AWS deploys monitoring devices throughout the environment to collect

critical information on unauthorized intrusion attempts, usage abuse,
and network and application bandwidth usage. Monitoring devices are
placed within the AWS environment to detect and monitor for:
• Usage (CPU, Processes, disk utilization, swap rates, and errors in
software generated loss)
AWS provides near real-time alerts when the AWS monitoring tools
show indications of compromise or potential compromise, based upon
threshold alarming mechanisms determined by AWS service and
Security teams.
External access to data stored in Amazon S3 is logged. The logs are
retained for at least 90 days and include relevant access request
information such as the data accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s
AWS CloudTrail bucket in Amazon S3. The logged requests provide
information about who made the request and under which CMK and
will also describe information about the AWS resource that was
protected through the use of the CMK. These log events are visible to
the customer after turning on AWS CloudTrail in their account.
DE.AE-2: Detected events are · CIS CSC 3, 6, 13, 15 AWS Best Practices, AWS Reference Architectures, AU-6 AWS deploys monitoring devices throughout the environment to collect
analyzed to understand attack · COBIT 5 DSS05.07 AWS Cloudwatch, CloudTrail, VPC Flowlogs, Amazon critical information on unauthorized intrusion attempts, usage abuse,
targets and methods · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, Athena, AWS Config, Amazon GuardDuty, Amazon S3, and network and application bandwidth usage. Monitoring devices are
4.3.4.5.8 Amazon Machine Learning, Amazon SageMaker, placed within the AWS environment to detect and monitor for:
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, Amazon Macie, AWS Managed Services, AWS Systems • Port scanning attacks
SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2 Manager • Usage (CPU, Processes, disk utilization, swap rates, and errors in
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, software generated loss)
A.16.1.4 • Application performance metrics
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, • Unauthorized connection attempts
SI-4 AWS provides near real-time alerts when the AWS monitoring tools
Security teams.
CA-7 AWS conducts monthly monitoring of its security posture through a

continuous risk assessment and monitoring process. Additionally,
annual security assessments are conducted by an accredited Third-Party
Assessment Organization (3PAO) to validate that implemented security
controls continue to be effective. Security assessments that include a
risk analysis and a Plan of Action and Milestones (POA&M) are
submitted to authorizing officials for review and approval.
IR-4 AWS will notify customers of a security breach in accordance with the
terms outlined in the service agreement with AWS. AWS’s commitment
to all AWS customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any
customer data (i.e., any personal data that is uploaded to a customer’s
AWS account) on AWS’s equipment or in AWS’s facilities and this
unlawful or unauthorized access results in loss, disclosure, or alteration
of customer data, AWS will promptly notify the customer and take
reasonable steps to reduce the effects of this security incident.
AWS defines, administers, and monitors security for the underlying
cloud infrastructure (i.e., the hardware, the facilities housing the
hardware, and the network infrastructure).
Because AWS manages the infrastructure and the security controls that
apply to it, AWS can:
• Identify potential incidents affecting the infrastructure.
• Determine if any access to customer data resulted from an incident.
• Determine if access was actually unlawful or unauthorized (it would
be unauthorized if it was in breach of AWS' Security Policies).
If an incident happens within AWS’s sphere of knowledge and control
and this incident results in loss, disclosure, or alteration of customer
content, AWS will promptly notify the customer. AWS does this
regardless of whether the customer's content is sensitive or not, because
AWS does not know what the customer content is and protects all
customer content in the same robust way.
Security teams.
DE.AE-3: Event data are · CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, AWS Best Practices, AWS Reference Architectures, AU-6 AWS deploys monitoring devices throughout the environment to collect
aggregated and correlated from 16 AWS Cloudwatch, CloudWatch Logs, CloudTrail, VPC critical information on unauthorized intrusion attempts, usage abuse,
multiple sources and sensors · COBIT 5 BAI08.02 Flowlogs, Amazon GuardDuty, Amazon S3, Amazon and network and application bandwidth usage. Monitoring devices are
· ISA 62443-3-3:2013 SR 6.1 Athena, AWS Systems Manager, AWS Managed placed within the AWS environment to detect and monitor for:
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7 Services, AWS IoT Device Defender, Amazon Macie • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, • Usage (CPU, Processes, disk utilization, swap rates, and errors in
IR-5, IR-8, SI-4 software generated loss)
Security teams.

IR-8 AWS has implemented a formal, documented incident response policy
and program. The policy addresses purpose, scope, roles,
responsibilities, and management commitment.
AWS uses a three-phased approach to manage incidents:
1. Activation and Notification Phase – Incidents for AWS begin with
the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational
awareness capability; most issues are rapidly detected from 24x7x365
monitoring and alarming of real time metrics and service dashboards.
The majority of incidents are detected in this manner. AWS uses early
indicator alarms to proactively identify issues that may ultimately
impact customers.
If the event meets incident criteria, the relevant on-call support engineer
uses AWS’s event management tool system to start an engagement and
page relevant program resolvers (e.g., AWS Security). The resolvers
will perform an analysis of the incident to determine if additional
resolvers should be engaged and to determine the approximate root
cause.
2. Recovery Phase – The relevant resolvers will perform break fix to
address the incident. After addressing troubleshooting, break fix and
affected components, the call leader will assign follow-up
documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery
phase complete after the relevant fix activities have been addressed. The
post mortem and deep root cause analysis of the incident will be
assigned to the relevant team. The results of the post mortem will be
reviewed by relevant senior management and actions and captured in a
Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS
conducts incident response testing. This testing provides excellent
coverage for the discovery of previously unknown defects and failure
modes. In addition, it allows the AWS Security and service teams to test
Security teams.
DE.AE-4: Impact of events is · CIS CSC 4, 6 AWS Best Practices, AWS Reference Architectures, CP-2 The AWS Business Continuity policy lays out the guidelines used to
determined · COBIT 5 APO12.06, DSS03.01 AWS CloudFormation, AWS Cloudwatch, CloudTrail, implement procedures to respond to a serious outage or degradation of
· ISO/IEC 27001:2013 A.16.1.4 VPC Flowlogs, AWS Config, AWS Organizations, AWS AWS services, including the recovery model and its implications on the
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI- Firewall Manager, AWS Systems Manager, AWS business continuity plan.
4 OpsWorks, Amazon Macie, AWS Managed Services,
AWS IoT Defender, Amazon GuardDuty, Amazon
Machine Learning, Amazon SageMaker, AWS WAF, Refer to the following AWS Audit Reports for additional details: PCI
AWS Shield 3.2, ISO 27001, ISO 27017, NIST 800-53, SOC 2 COMMON
CRITERIA
RA-3 AWS performs a continuous risk assessment process to identify,

evaluate and mitigate risks across the company. The process involves
developing and implementing risk treatment plans to mitigate risks as
necessary. The AWS risk management team monitors and escalates
risks on a continuous basis, performing risk assessments on newly
implemented controls at least every six months.

Security teams.
DE.AE-5: Incident alert thresholds · CIS CSC 6, 19 AWS Best Practices, AWS Reference Architectures, IR-4 AWS will notify customers of a security breach in accordance with the
are established · COBIT 5 APO12.06, DSS03.01 AWS Cloudwatch, AWS Config, CloudTrail, VPC terms outlined in the service agreement with AWS. AWS’s commitment
· ISA 62443-2-1:2009 4.2.3.10 Flowlogs, Amazon GuardDuty, AWS Trusted Advisor, to all AWS customers is as follows:
· ISO/IEC 27001:2013 A.16.1.4 AWS OpsWorks, AWS Managed Services, AWS IoT If AWS becomes aware of any unlawful or unauthorized access to any
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8 Defender, AWS IoT Device Management customer data (i.e., any personal data that is uploaded to a customer’s
IR-8 AWS has implemented a formal, documented incident response policy

and program. The policy addresses purpose, scope, roles,
responsibilities, and management commitment.
1. Activation and Notification Phase – Incidents for AWS begin with
the detection of an event. Events originate from several sources such as:
• Metrics and alarms – AWS maintains an exceptional situational
awareness capability; most issues are rapidly detected from 24x7x365
monitoring and alarming of real time metrics and service dashboards.
The majority of incidents are detected in this manner. AWS uses early
indicator alarms to proactively identify issues that may ultimately
impact customers.
If the event meets incident criteria, the relevant on-call support engineer
uses AWS’s event management tool system to start an engagement and
page relevant program resolvers (e.g., AWS Security). The resolvers
will perform an analysis of the incident to determine if additional
resolvers should be engaged and to determine the approximate root
cause.
2. Recovery Phase – The relevant resolvers will perform break fix to
address the incident. After addressing troubleshooting, break fix and
affected components, the call leader will assign follow-up
documentation and follow-up actions and end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery
phase complete after the relevant fix activities have been addressed. The
post mortem and deep root cause analysis of the incident will be
assigned to the relevant team. The results of the post mortem will be
reviewed by relevant senior management and actions and captured in a
Correction of Errors (COE) document and tracked to completion.
To ensure the effectiveness of the AWS incident response plan, AWS
conducts incident response testing. This testing provides excellent
coverage for the discovery of previously unknown defects and failure
modes. In addition, it allows the AWS Security and service teams to test
Security Continuous Monitoring DE.CM-1: The network is · CIS CSC 1, 7, 8, 12, 13, 15, 16 AWS Best Practices, AWS Reference Architectures, AC-2 #N/A
(DE.CM): The information system and monitored to detect potential · COBIT 5 DSS01.03, DSS03.05, DSS05.07 AWS Cloudwatch, AWS CloudTrail, VPC Flowlogs,
assets are monitored at discrete intervals cybersecurity events · ISA 62443-3-3:2013 SR 6.2 Amazon Athena, AWS Config, Amazon GuardDuty,
to identify cybersecurity events and · NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, Amazon S3, AWS WAF, Amazon Machine Learning,
verify the effectiveness of protective CM-3, SC-5, SC-7, SI-4 Amazon SageMaker, AWS Managed Services, Amazon
measures. Macie, AWS IoT Defender, AWS Shield, Amazon SNS
AU-12 AWS deploys monitoring devices throughout the environment to collect

Security teams.

CM-3 AWS applies a systematic approach to managing change to ensure that
all changes are reviewed, tested, and approved. The AWS change
management approach requires that the following steps be complete
before a change is deployed:
1. Document and communicate the change via the appropriate AWS
change management tool.
2. Plan implementation of the change and rollback procedures to
minimize disruption.
3. Test the change in a logically segregated, non-production
environment.
4. Complete a peer review of the change with a focus on business
impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
In order to validate that changes follow the standard change
management procedures, all changes to the AWS environment are
reviewed on at least a monthly basis. An audit trail of the changes is
maintained for a least one year. AWS maintains processes to detect
unauthorized changes made to the environment. Any exceptions are
analyzed to determine the root cause. Appropriate actions are taken to
bring the change into compliance or roll back the change, if necessary.
Actions are then taken to address and remediate the process or people
issue.
SC-5 AWS operates, manages, and controls the infrastructure components,

from the host operating system and virtualization layer down to the
physical security of the facilities in which the services operate. AWS
endpoints are tested as part of AWS compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their
confidentiality, integrity, and availability. AWS has implemented secure
software development procedures that are followed to ensure that
appropriate security controls are incorporated into the application
design. As part of the application design process, new applications must
participate in an AWS Security review, which includes registering the
application, initiating application risk classification, participating in
architecture review and threat modeling, performing code review, and
performing a penetration test.
SC-7 Several network fabrics exist at Amazon, each separated by boundary

protection devices that control the flow of information between fabrics.
The flow of information between fabrics is established by approved
authorizations, which exist as ACL residing on these devices. ACLs are
defined, approved by appropriate Amazon’s Information Security team,
and managed and deployed using AWS’s ACL-management tool.
Approved firewall rule sets and access control lists between network
fabrics restrict the flow of information to specific information system
services. ACLs and rule sets are reviewed and approved and are
automatically pushed to boundary protection devices on a periodic basis
(at least every 24 hours) to ensure rule sets and access control lists are
up to date.
AWS implements least privilege throughout its infrastructure
components. AWS prohibits all ports and protocols that do not have a
specific business purpose. AWS follows a rigorous approach to minimal
implementation of only those features and functions that are essential to
use of the device. Network scanning is performed, and any unnecessary
ports or protocols in use are corrected.

Security teams.
DE.CM-2: The physical · COBIT 5 DSS01.04, DSS01.05 AWS Artifact CA-7 AWS conducts monthly monitoring of its security posture through a
environment is monitored to detect · ISA 62443-2-1:2009 4.3.3.3.8 continuous risk assessment and monitoring process. Additionally,
potential cybersecurity events · ISO/IEC 27001:2013 A.11.1.1, A.11.1.2 annual security assessments are conducted by an accredited Third-Party
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, Assessment Organization (3PAO) to validate that implemented security
PE-20 controls continue to be effective. Security assessments that include a
PE-20 N/A
PE-3 Physical access to all AWS data centers housing IT infrastructure
components is restricted to authorized data center employees, vendors,
and contractors who require access in order to execute their jobs.
Access to facilities is only permitted at controlled access points that
require multi-factor authentication designed to prevent tailgating and to
ensure that only authorized individuals enter an AWS data center. On a
quarterly basis, access lists and authorization credentials of personnel
with access to AWS data centers are reviewed by the respective data
center Area Access Managers (AAM).
All entrances to AWS data centers, including the main entrance, the
loading dock, and any roof doors/hatches, are secured with intrusion
detection devices that sound alarms if the door is forced open or held
open.
Trained security guards are stationed at the building entrance 24/7. If a
door or cage within a data center has a malfunctioning card reader or
PIN pad and cannot be secured electronically, a security guard is posted
at the door until it can be repaired.
Physical access points to server locations are recorded by closed circuit

television camera (CCTV). Images are retained for 90 days, unless
limited to 30 days by legal or contractual obligations.

open.
DE.CM-3: Personnel activity is · CIS CSC 5, 7, 14, 16 AWS Artifact, AWS Best Practices, AWS Reference AC-2 #N/A
monitored to detect potential · COBIT 5 DSS05.07 Architectures, AWS CloudTrail, AWS CloudWatch,
cybersecurity events · ISA 62443-3-3:2013 SR 6.2 Amazon GuardDuty, AWS Managed Services, Amazon
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3 Macie, AWS IAM
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-
13, CA-7, CM-10, CM-11
AU-12 AWS deploys monitoring devices throughout the environment to collect

Security teams.
AU-13 N/A
CM-10 AWS maintains a systematic approach, to planning and developing new

services for the AWS environment, to ensure the quality and security
requirements are met with each release. AWS’ strategy for the design
and development of services is to clearly define services in terms of
customer use cases, service performance, marketing and distribution
requirements, production and testing, and legal and regulatory
requirements. The design of all new services or any significant changes
to current services follow secure software development practices and
are controlled through a project management system with multi-
disciplinary participation. Requirements and service specifications are
established during service development, taking into account legal and
regulatory requirements, customer contractual commitments, and
requirements to meet the confidentiality, integrity and availability of the
service. Service reviews are completed as part of the development
process. Prior to launch, each of the following requirements must be
complete:
• Security Risk Assessment

• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
AWS implements open source software or custom code within its

services. All open source software to include binary
or machine-executable code from third-parties is reviewed and
approved by the Open Source Group prior to
implementation, and has source code that is publicly accessible. AWS
service teams are prohibited from implementing code from third parties
unless it has been approved through the open source review. All code
developed by AWS is available for review by the applicable service
team, as well as AWS Security. By its nature, open source code is
available for review by the Open Source Group prior to granting
CM-11 AWS operates, manages, and controls the infrastructure components,
from the host operating system and virtualization layer down to the
physical security of the facilities in which the services operate. AWS
endpoints are tested as part of AWS compliance vulnerability scans.
AWS Cloud services are managed in a manner that preserves their
confidentiality, integrity, and availability. AWS has implemented secure
software development procedures that are followed to ensure that
appropriate security controls are incorporated into the application
design. As part of the application design process, new applications must
participate in an AWS Security review, which includes registering the
application, initiating application risk classification, participating in
architecture review and threat modeling, performing code review, and
performing a penetration test.
DE.CM-4: Malicious code is · CIS CSC 4, 7, 8, 12 AWS Best Practices, AWS Reference Architectures, SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
detected · COBIT 5 DSS05.01 AWS Config, AWS Cloudwatch, CloudTrail, VPC that includes email filtering and malware detection.
· ISA 62443-2-1:2009 4.3.4.3.8 Flowlogs, AWS CodePipeline, Amazon Inspector, AWS
· ISA 62443-3-3:2013 SR 3.2 SDKs, AWS X-Ray, AWS Managed Services, Customer
· ISO/IEC 27001:2013 A.12.2.1 Responsibility
· NIST SP 800-53 Rev. 4 SI-3, SI-8
SI-8 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.
DE.CM-5: Unauthorized mobile · CIS CSC 7, 8 AWS Artifact, AWS Best Practices, AWS Reference SC-18 AWS has defined JavaScript as the only acceptable mobile code that is
code is detected · COBIT 5 DSS05.01 Architectures, Amazon Inspector, AWS SDKs, AWS used within the system. JavaScript is used to implement certain features
· ISA 62443-3-3:2013 SR 2.4 CodeStar, AWS X-Ray, AWS CodePipeline, AWS within the IAM service. Other forms of mobile code are not approved
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2 Config, AWS OpsWork, AWS Managed Services by AWS.
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
SC-44 N/A
DE.CM-5: Unauthorized mobile · CIS CSC 7, 8 AWS Artifact, AWS Best Practices, AWS Reference
code is detected · COBIT 5 DSS05.01 Architectures, Amazon Inspector, AWS SDKs, AWS
· ISA 62443-3-3:2013 SR 2.4 CodeStar, AWS X-Ray, AWS CodePipeline, AWS
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2 Config, AWS OpsWork, AWS Managed Services
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

Security teams.
DE.CM-6: External service · COBIT 5 APO07.06, APO10.05 AWS Artifact, AWS Best Practices, AWS Reference CA-7 AWS conducts monthly monitoring of its security posture through a
provider activity is monitored to · ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 Architectures, AWS CloudTrail, VPC Flow Logs, continuous risk assessment and monitoring process. Additionally,
detect potential cybersecurity · NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, Amazon Macie, Amazon GuardDuty, AWS Managed annual security assessments are conducted by an accredited Third-Party
events SA-9, SI-4 Services Assessment Organization (3PAO) to validate that implemented security
PS-7 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS
SA-4 AWS maintains a systematic approach to planning and developing new

services for the AWS environment to ensure that quality and security
requirements are met with each release. AWS’s strategy for the design
and development of services is to clearly define services in terms of
customer use cases, service performance, marketing and distribution
requirements, production and testing, and legal and regulatory
requirements. The design of all new services or any significant changes
to current services are controlled through a project management system
with multi-disciplinary participation. Requirements and service
specifications are established during service development, taking into
account legal and regulatory requirements, customer contractual
commitments, and requirements to meet the confidentiality, integrity,
and availability of the service. Service reviews are completed as part of
the development process. Prior to launch, each of the following
requirements must be complete:
• Security risk assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
SA-9 AWS creates and maintains written agreements with third parties (e.g.,
contractors or vendors) in accordance with the work or service to be
provided (e.g., network services agreement, service delivery agreement,
or information exchange agreement) and implements appropriate
relationship management mechanisms in line with their relationship to
the business. Agreements cover, at a minimum, the following:
• Legal and regulatory requirements applicable to AWS
• User awareness of information security responsibilities and issues
• Arrangements for reporting, notification, and investigation of
information security incidents and security breaches
• Target and unacceptable levels of service (e.g., SLA, Operational
Level Agreement [OLA])
• Service continuity requirements (e.g., Recovery Time Objective
[RTO]), in accordance with AWS business priorities
• Protection of Intellectual Property Rights (IPR) and copyright
assignment of AWS

Security teams.
DE.CM-7: Monitoring for · CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16 AWS Artifact, AWS Best Practices, AWS Reference AU-12 AWS deploys monitoring devices throughout the environment to collect
unauthorized personnel, · COBIT 5 DSS05.02, DSS05.05 Architectures, AWS Cloudwatch, CloudTrail, VPC critical information on unauthorized intrusion attempts, usage abuse,
connections, devices, and software · ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, Flowlogs, Amazon Athena, AWS Config, Amazon and network and application bandwidth usage. Monitoring devices are
is performed A.15.2.1 GuardDuty, Amazon S3, AWS WAF, Amazon Machine placed within the AWS environment to detect and monitor for:
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, Learning, AWS Managed Services, AWS OpsWorks, • Port scanning attacks
CM-8, PE-3, PE-6, PE-20, SI-4 AWS Systems Manager, AWS Organizations, Amazon • Usage (CPU, Processes, disk utilization, swap rates, and errors in
Inspector, AWS Firewall Manager software generated loss)
Security teams.

CM-3 AWS applies a systematic approach to managing change to ensure that

all changes are reviewed, tested, and approved. The AWS change
management approach requires that the following steps be complete
before a change is deployed:
1. Document and communicate the change via the appropriate AWS
change management tool.
2. Plan implementation of the change and rollback procedures to
minimize disruption.
3. Test the change in a logically segregated, non-production
environment.
4. Complete a peer review of the change with a focus on business
impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
In order to validate that changes follow the standard change
management procedures, all changes to the AWS environment are
reviewed on at least a monthly basis. An audit trail of the changes is
maintained for a least one year. AWS maintains processes to detect
unauthorized changes made to the environment. Any exceptions are
analyzed to determine the root cause. Appropriate actions are taken to
bring the change into compliance or roll back the change, if necessary.
Actions are then taken to address and remediate the process or people
issue.
CM-8 In order to ensure asset management and inventory maintenance

procedures are properly executed, AWS assets are assigned an owner
and are tracked and monitored with AWS proprietary inventory
management tools. AWS asset owner maintenance procedures are
carried out by using a proprietary tool with specified checks that must
be completed according to the documented maintenance schedule.
AWS has developed and documented an inventory of systems and
devices within the Authorization Boundary.
AWS has developed and documents an inventory of the AWS
Authorization Boundaries for Govcloud and East West separately. For
continuous monitoring activities, AWS provides a system inventory to
our FedRAMP accrediated 3PAO for validation on a monthly basis.
Once validated, this list is provided to our Authorizing Official(s).
AWS provides an inventory to our FedRAMP accredited 3PAO for
validation and as part of AWS’ security assessment and on a monthly
basis, supports continuous monitoring requirements. Additionally,
AWS' inventory is validated by our 3PAO and provided to our
Authorizing Official(s) on a monthly basis.
PE-20 N/A
open.


open.
Security teams.
DE.CM-8: Vulnerability scans are · CIS CSC 4, 20 AWS Artifact, AWS Best Practices, AWS Reference RA-5 AWS Security notifies and coordinates with the appropriate service
performed · COBIT 5 BAI03.10, DSS05.01 Architectures, Amazon Inspector, Amazon RDS, teams when conducting security-related activities within the system
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 Amazon Aurora, Amazon Dynamo DB, AWS Managed boundary. Activities include vulnerability scanning, contingency
· ISO/IEC 27001:2013 A.12.6.1 Services testing, and incident response exercises. AWS performs external
· NIST SP 800-53 Rev. 4 RA-5 vulnerability assessments at least quarterly, and identified issues are
investigated and tracked to resolution. Additionally, AWS performs
unannounced penetration tests by engaging independent third parties to
AWS Security teams also subscribe to newsfeeds for applicable vendor
flaws and proactively monitor vendors’ websites and other relevant
outlets for new patches. AWS customers also have the ability to report
issues to AWS via the AWS Vulnerability Reporting website at
http://aws.amazon.com/security/vulnerability-reporting/.
Detection Processes (DE.DP): DE.DP-1: Roles and · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
Detection processes and procedures are responsibilities for detection are · COBIT 5 APO01.02, DSS05.01, DSS06.03 Architectures, AWS Managed Services documented audit schedule of internal and external assessments to
maintained and tested to ensure timely well defined to ensure · ISA 62443-2-1:2009 4.4.3.1 ensure implementation and operating effectiveness of the AWS control
and adequate awareness of anomalous accountability · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 environment to meet business, regulatory, and contractual objectives.
events. · NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14 The needs and expectations of internal and external parties are
considered throughout the development, implementation, and auditing
of the AWS control environment. Parties include, but are not limited to:
 AWS customers, including customers with a contractual interest and
potential customers.
 External parties to AWS, including regulatory bodies such as the
external auditors and certifying agents.
 Internal parties such as AWS services and infrastructure teams,
security, legal, and overarching administrative and corporate teams.

PM-14 N/A
DE.DP-2: Detection activities · COBIT 5 DSS06.01, MEA03.03, MEA03.04 AWS Artifact, AWS Best Practices, AWS Reference AC-25 N/A
comply with all applicable · ISA 62443-2-1:2009 4.4.3.2 CA-2 The AWS Compliance Assessment Team (CAT) maintains a
requirements · ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, documented audit schedule of internal and external assessments to
A.18.2.3 ensure implementation and operating effectiveness of the AWS control
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, environment to meet business, regulatory, and contractual objectives.
SA-18, SI-4, PM-14 The needs and expectations of internal and external parties are

PM-14 N/A
SA-18 N/A
Security teams.
DE.DP-3: Detection processes are · COBIT 5 APO13.02, DSS05.02 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The AWS Compliance Assessment Team (CAT) maintains a
tested · ISA 62443-2-1:2009 4.4.3.2 documented audit schedule of internal and external assessments to
· ISA 62443-3-3:2013 SR 3.3 ensure implementation and operating effectiveness of the AWS control
· ISO/IEC 27001:2013 A.14.2.8 environment to meet business, regulatory, and contractual objectives.
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, The needs and expectations of internal and external parties are
SI-3, SI-4, PM-14 considered throughout the development, implementation, and auditing


open.

PM-14 N/A
SI-3 Amazon assets (e.g., laptops) are configured with anti-virus software
that includes email filtering and malware detection.

Security teams.
DE.DP-4: Event detection · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference, AU-6 AWS deploys monitoring devices throughout the environment to collect
information is communicated to · COBIT 5 APO08.04, APO12.06, DSS02.05 AWS Managed Services critical information on unauthorized intrusion attempts, usage abuse,
appropriate parties · ISA 62443-2-1:2009 4.3.4.5.9 and network and application bandwidth usage. Monitoring devices are
· ISA 62443-3-3:2013 SR 6.1 placed within the AWS environment to detect and monitor for:
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3 • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, • Usage (CPU, Processes, disk utilization, swap rates, and errors in
RA-5, SI-4 software generated loss)
Security teams.
CA-2 The AWS Compliance Assessment Team (CAT) maintains a

documented audit schedule of internal and external assessments to
ensure implementation and operating effectiveness of the AWS control
environment to meet business, regulatory, and contractual objectives.
The needs and expectations of internal and external parties are
RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are

Security teams.
DE.DP-5: Detection processes are · COBIT 5 APO11.06, APO12.06, DSS04.05 AWS Artifact, AWS Best Practices, AWS Reference, CA-2 The AWS Compliance Assessment Team (CAT) maintains a
continuously improved · ISA 62443-2-1:2009 4.4.3.4 AWS Managed Services documented audit schedule of internal and external assessments to
· ISO/IEC 27001:2013 A.16.1.6 ensure implementation and operating effectiveness of the AWS control
· NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-2, environment to meet business, regulatory, and contractual objectives.
RA-5, SI-4, PM-14 The needs and expectations of internal and external parties are

PL-2 Customer environments are logically segregated to prevent users and

customers from accessing resources not assigned to them. Customers
maintain full control over who has access to their data. Services which
provide virtualized operational environments to customers (i.e., EC2)
ensure that customers are segregated from one another and prevent
cross-tenant privilege escalation and information disclosure via
hypervisors and instance isolation.
AWS Security Assurance is responsible for familiarizing employees

with the AWS security policies. AWS has established information
security functions that are aligned with defined structure, reporting
lines, and responsibilities. Leadership involvement provides clear
direction and visible support for security initiatives
PM-14 N/A
RA-5 AWS Security notifies and coordinates with the appropriate service
teams when conducting security-related activities within the system
boundary. Activities include vulnerability scanning, contingency
testing, and incident response exercises. AWS performs external
vulnerability assessments at least quarterly, and identified issues are

Security teams.
AWS customers are responsible for configuring their systems and all interconnected
systems to enforce their approved information flow policies. This can be accomplished
through configuration of Amazon Virtual Private Cloud (Amazon VPC) network
Access Control Lists (ACL) for controlling inbound/outbound traffic at the subnet level
and Amazon VPC security groups for controlling traffic at the instance level.
More information on configuring Amazon VPC is available at

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html.
AWS customers are responsible for documenting, authorizing, reviewing, and updating
Interconnection Security Agreements (ISAs) for connections between their system and
other systems that include the following information for each connection: 1) Interface
characteristics, 2) Security requirements, and 3) The nature of the information
communicated. AWS customers are responsible for reviewing and updating ISAs with
at a frequency defined by their security assessment and authorization policy.
AWS customers are responsible for developing, documenting, and maintaining under
configuration control a current baseline configuration of their systems.
AWS customers are responsible for: 1) Monitoring their information system to detect:
a) Attacks and indicators of potential attacks in accordance with organization-defined
monitoring objectives and b) Unauthorized local, network, and remote connections; 2)
Identifying unauthorized use of the information system through organization-defined
techniques and methods; 3) Deploying monitoring devices: a) Strategically within the
information system to collect organization-determined essential information and b) At
ad hoc locations within the system to track specific types of transactions of interest to
their organization; 4) Protecting information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion; 5) Heightening the level of
information system monitoring activity whenever there is an indication of increased
risk to organizational operations and assets, individuals, other organizations, or the
Nation based on law enforcement information, intelligence information, or other
credible sources of information; 6) Obtaining legal opinion with regard to information
system monitoring activities in accordance with applicable federal laws, Executive
Orders, directives, policies, or regulations; and 7) Providing organization-defined
information system monitoring information to organization-defined personnel or roles
as needed or in accordance with an organization-defined frequency.
AWS customers are responsible for reviewing and analyzing audit records at an
organization-defined frequency for indications of organization-defined inappropriate or
unusual activity and reporting these findings to organization-defined personnel or roles
in accordance with their audit and accountability policy.
AWS customers are responsible for developing a continuous monitoring strategy and
implementing a continuous monitoring program in accordance with their security
assessment and authorization policy that defines: 1) Metrics to be monitored, 2)
Frequencies for monitoring and reporting, and 3) Personnel or roles responsible for
conducting and receiving continuous monitoring analysis information. Pursuant to this
continuous monitoring program, AWS customers are responsible for: 1) Establishing
and configuring monitoring for defined metrics, 2) Monitoring and conducting
assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their
organization-defined metrics, 5) Correlating and analyzing security-related information
generated by assessments and monitoring, 5) Taking appropriate response actions to
address the results of the analysis of security-related information, and 6) Reporting the
security status of their organization and the information system to the organization-
defined personnel or roles at the organization-defined frequency.
AWS customers are responsible for implementing an incident handling capability for
security incidents that includes preparation, detection and analysis, containment,
eradication, and recovery in accordance with their incident response policy. In
addition, AWS customers are responsible for coordinating incident handling activities
with contingency planning activities; incorporating lessons learned from ongoing
incident handling activities into incident response procedures, training, and
testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for tracking and documenting information system
security incidents.
AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be review and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.
AWS customers are responsible for developing a contingency plan for their system
that: 1) Identifies essential missions and business functions and associated contingency
requirements, 2) Provides recovery objectives, restoration priorities, and metrics, 3)
Addresses contingency roles, responsibilities, and assigned individuals with contact
information, 4) Addresses maintaining essential missions and business functions
despite an information system disruption, compromise, or failure, 5) Addresses
eventual, full information system restoration without deterioration of the security
safeguards originally planned and implemented, and 6) Is reviewed and approved by
organization-defined personnel or roles in accordance with the contingency planning
policy.
AWS customers are responsible for distributing copies of the contingency plan to
organization-defined key contingency personnel (identified by name and/or by role)
and organizational elements. Contingency planning activities must be coordinated with
incident handling activities. The contingency plan must be reviewed at a frequency
defined in the contingency planning policy and updated to address changes to their
organization, system, or environment of operation and problems encountered during
implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to

organization-defined personnel and for protecting the contingency plan from
unauthorized disclosure and modification.
AWS customers are responsible for: 1) Conducting an assessment of risk to include the
likelihood and magnitude of harm from the unauthorized access, use, disclosure,
disruption, modification, or destruction of their information system and the information
it processes, stores, or transmits, 2) Documenting risk assessment results in the system
plan, security assessment report, or other organization-defined document, 3) Reviewing
risk assessment results at an organization-defined frequency, 4) Disseminating risk
assessment results to organization-defined personnel or roles, and 5) Updating the risk
assessment at an organization-defined frequency or whenever there are significant
changes to the information system or environment of operation (including the
identification of new threats and vulnerabilities) or other conditions that may impact
the security state of the system.
AWS customers are responsible for tracking and documenting information system
security incidents.
AWS customers are responsible for developing an Incident Response Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its incident response
capability, 2) Describes the structure and organization of the incident response
capability, 3) Provides a high-level approach for how the incident response capability
fits into the overall organization, 4) Meets the unique requirements of the organization,
which relate to mission, size, structure, and functions, 5) Defines reportable incidents,
6) Provides metrics for measuring the incident response capability within the
organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved
by organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization
defined incident response personnel (identified by name and/or role) and organizational
elements. The IRP must be review and updated at a frequency defined by the incident
response policy to address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP must be
communicated to organization-defined incident response personnel (identified by name
and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure
and modification.
AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.
AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.
More information on implementing these functions using IAM is available at

http://docs.aws.amazon.com/IAM/latest/User Guide/best-practices.html.
AWS customers are responsible for configuring their systems to: 1) Provide audit
record generation capabilities for the auditable events defined in AU-2a for all system
components where audit capabilities are deployed/required based on the audit and
accountability policy, 2) Allow organization-defined personnel or roles to select which
auditable events are to be audited by specific components, and 3) Generate audit
records for the events defined in AU-2d with the content defined in AU-3.
AWS customers are responsible for implementing a configuration change control
process in accordance with their configuration management policy that includes the
following elements: 1) Determination of the types of changes to the information system
that are configuration-controlled, 2) Review of all proposed configuration-controlled
changes to the information system and approval or disapproval of such changes with
explicit consideration for security impact analyses, 3) Documentation of configuration
change decisions associated with the information system, 4) Implementation of
approved configuration-controlled changes to the information system, 5) Retention of
records of configuration-controlled changes to the information system for an
organization-defined time period.
AWS customers are responsible for configuring their systems to protect against or limit
the effects of organization-defined types of denial of service attacks by employing
organization-defined security safeguards.
More information on best practices for resiliency against denial of service attacks is
available at https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf.
AWS customers are responsible for: 1) Monitoring and controlling communications at

the external boundary of the system and at key internal boundaries within the system,
2) Implementing subnetworks for publicly accessible system components that are
physically or logically separated from internal organizational networks, and 3)
Connecting to external networks or information systems only through managed
interfaces consisting of boundary protection devices arranged in accordance with
organizational security architecture.
More information on securing an Amazon VPC is available at

http://docs.aws.amazon.com/Amazon VPC/latest/User Guide/VPC_Security.html.
N/A
N/A
N/A
AWS customers are responsible for managing accounts associated with their
applications hosted on AWS. AWS customers are responsible for properly using AWS
Identity and Access Management (IAM) to create and manage user accounts and to
enforce access within their Amazon Elastic Compute Cloud (Amazon EC2) instances
and all applications they install.
AWS customers in the context of managing their user accounts are responsible for: 1)
Identifying and selecting system accounts; 2) Assigning account managers for system
accounts; 3) Specifying authorized users, group and role membership, access
authorizations, and other attributes as required for each account; 4) Requiring
approvals from customer-defined personnel or roles for account creation requests; 5)
Monitoring account usage; 6) Notifying account managers when: a) Accounts are no
longer required, b) Users are terminated or transferred, and c) Individual system usage
or need-to-know changes; 7) Authorizing access based on: a) A valid access
authorization, b) Intended system usage, and c) Other attributes as required by their
organization or associated mission/business functions; 8) Reviewing accounts for
compliance with account management requirements at a frequency defined by their
organization; and 9) Establishing a process for reissuing shared/group account
credentials when individuals are removed from the group.
More information on implementing these functions using IAM is available at

http://docs.aws.amazon.com/IAM/latest/User Guide/best-practices.html.
N/A
AWS customers are responsible for: 1) Using software and associated documentation
in accordance with contract agreements and copyright laws, 2) Tracking the use of
software and associated documentation protected by quantity licenses to control
copying and distribution, and 3) Controlling and documenting the use of peer-to-peer
file sharing technology to ensure that this capability is not used for the unauthorized
distribution, display, performance, or reproduction of copyrighted work.
AWS customers are responsible for establishing, enforcing, and monitoring software
installation policies that govern the installation of software by users based on
organization-defined methods and frequency for monitoring.
AWS customers are responsible for: 1) Implementing malicious code protection

mechanisms at information system entry and exit points to detect and eradicate
malicious code; 2) Updating malicious code protection mechanisms whenever new
releases are available in accordance with organizational configuration management
policy and procedures; 3) Configuring malicious code protection mechanisms to: a)
Perform periodic scans of the information system at an organization-defined frequency
and real-time scans of files from external sources at endpoints and/or network
entry/exit points as the files are downloaded, opened, or executed in accordance with
organizational security policy and b) Either block malicious code, quarantine malicious
code, send an alert to an administrator, and/or take other organization-defined actions
in response to malicious code detection; and 4) Addressing the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on
the availability of the information system.
AWS customers are responsible for employing spam protection mechanisms at

information system entry and exit points to detect and take actions on unsolicited
messages. Spam protection mechanisms must be updated when new releases are
available in accordance with the organizational configuration management policy and
procedures.
AWS customers are responsible for defining acceptable and unacceptable mobile code,
establishing usage restrictions and implementation guidance for acceptable mobile
code, and authorizing, monitoring, and controlling the use of mobile code within their
systems.
N/A
AWS customers are responsible for: 1) Establishing personnel security requirements

including security roles and responsibilities for third-party providers, 2) Requiring
third-party providers to comply with personnel security policies and procedures
established by their organization, 3) Documenting personnel security requirements, 4)
Requiring third-party providers to notify organization-defined personnel or roles of any
personnel transfers or terminations of third-party personnel who possess organizational
credentials and/or badges or who have information system privileges within an
organization-defined time period, and 5) Monitoring provider compliance.
AWS customers are responsible for including the following requirements, descriptions,
and criteria explicitly or by reference in the acquisition contract for the information
system, system component, or information system service in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations, standards,
guidelines, and organizational mission/business needs: 1) Security functional
requirements, 2) Security strength requirements, 3) Security assurance requirements, 4)
Security-related documentation requirements, 5) Requirements for protecting security-
related documentation, 6) Description of the information system development
environment and environment in which the system is intended to operate, and 7)
Acceptance criteria.
AWS customers are responsible for: 1) Requiring that providers of external

information system services comply with organizational information security
requirements and employ organization-defined security controls in accordance with
applicable federal laws, Executive Orders, directives, policies, regulations, standards,
and guidance, 2) Defining and documenting government oversight and user roles and
responsibilities with regard to external information system services, and 3) Employing
organization-defined processes, methods, and techniques to monitor security control
compliance by external service providers on an ongoing basis.
AWS customers are responsible for implementing a configuration change control

process in accordance with their configuration management policy that includes the
following elements: 1) Determination of the types of changes to the information system
that are configuration-controlled, 2) Review of all proposed configuration-controlled
changes to the information system and approval or disapproval of such changes with
explicit consideration for security impact analyses, 3) Documentation of configuration
change decisions associated with the information system, 4) Implementation of
approved configuration-controlled changes to the information system, 5) Retention of
records of configuration-controlled changes to the information system for an
organization-defined time period.
AWS customers are responsible for developing, documenting, reviewing, and updating
at an organization-defined frequency an inventory of system components for their
systems. AWS customers are responsible verifying that the inventory: 1) Accurately
reflects the current system, 2) Includes all components within the authorization
boundary, 3) Is at the level of granularity deemed necessary for tracking and reporting,
and 4) Includes the information prescribed by the configuration management policy
that is deemed necessary to achieve effective information system component
accountability.
N/A
N/A
N/A
AWS customers are responsible for: 1) Scanning for vulnerabilities in their information
system and hosted applications at an organization-defined frequency and/or randomly
in accordance with their organization-defined process and when new vulnerabilities
potentially affecting the system/applications are identified and reported; 2) Employing
vulnerability scanning tools and techniques that promote interoperability among tools
and automated parts of the vulnerability management process by using standards for: a)
Enumerating platforms, software flaws, and improper configurations, b) Formatting
and making transparent checklists and test procedures, and c) Measuring vulnerability
impact; 3) Analyzing vulnerability scan reports and results from security control
assessments; 4) Remediating legitimate vulnerabilities within organization-defined
response times in accordance with an organizational assessment of risk; and 5) Sharing
information obtained from the vulnerability scanning process and security control
assessments with organization-defined personnel or roles to help eliminate similar
vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Prior to conducting penetration testing or vulnerability scanning activities, AWS

customers are required to request authorization through the following URL:
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS
Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers
are responsible for meeting scanning requirements on their databases in accordance
with organization-defined frequency and/or when new vulnerabilities have been
identified. Also, AWS Customers are required to remediate legitimate findings within
the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service.
AWS Customers offload database management tasks such as hardware or software
provisioning, setup and configuration, software patching, operating a reliable,
distributed database cluster, or partitioning data over multiple instances as you scale.
AWS customers are responsible for conducting security assessments for their systems.
Within this context and in accordance with their security assessment and authorization
policy, AWS customers are responsible for: 1) Developing a security assessment plan
that describes the security controls and control enhancements under assessment,
assessment procedures used to determine effectiveness, the assessment environment,
the assessment team, and the assessment roles and responsibilities, 2) Assessing
security controls in their system and its environment of operation at an organization-
defined frequency to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting established security requirements, 3) Producing a security assessment report
that documents the results of the assessment, and 4) Providing the results of the
security control assessment to their organization-defined individuals or roles.
N/A
N/A
N/A
N/A
N/A
N/A
AWS customers are responsible for: 1) Implementing malicious code protection
mechanisms at information system entry and exit points to detect and eradicate
malicious code; 2) Updating malicious code protection mechanisms whenever new
releases are available in accordance with organizational configuration management
policy and procedures; 3) Configuring malicious code protection mechanisms to: a)
Perform periodic scans of the information system at an organization-defined frequency
and real-time scans of files from external sources at endpoints and/or network
entry/exit points as the files are downloaded, opened, or executed in accordance with
organizational security policy and b) Either block malicious code, quarantine malicious
code, send an alert to an administrator, and/or take other organization-defined actions
in response to malicious code detection; and 4) Addressing the receipt of false positives
during malicious code detection and eradication and the resulting potential impact on
the availability of the information system.

AWS customers are responsible for developing a security plan for their systems that: 1)
Is consistent with the organization’s enterprise architecture, 2) Explicitly defines the
authorization boundary for the system, 3) Describes the operational context of the
information system in terms of missions and business processes, 4) Provides the
security categorization of the information system including supporting rationale, 5)
Describes the operational environment for the information system and relationships
with or connections to other information, 6) Provides an overview of the security
requirements for the system, 7) Identifies any relevant overlays, if applicable, 8)
Describes the security controls in place or planned for meeting those requirements, to
include a rationale for the tailoring decisions, and 9) Is reviewed and approved by the
authorizing official or designated representative prior to plan implementation.
In addition, AWS customers are responsible for distributing copies of the security plan
to organization-defined personnel or roles, reviewing the security plan at organization-
defined frequencies, and updating the security plan to address changes to the
information system/environment of operation or problems identified during plan
implementation or security control assessments. AWS customers are responsible for
protecting their security plan from unauthorized disclosure or modification.
N/A

Note:
Response Planning (RS.RP): RS.RP-1: Response plan is · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-10 The AWS business continuity plan details the three-phased approach that AWS has
Response processes and executed during or after an · COBIT 5 APO12.06, BAI01.10 Architectures, CloudFormation, AWS Lambda, developed to recover and reconstitute the AWS infrastructure:
procedures are executed and event · ISA 62443-2-1:2009 4.3.4.5.1 Amazon SNS, Amazon SES, AWS Cloudwatch, AWS • Activation and Notification Phase
maintained, to ensure timely · ISO/IEC 27001:2013 A.16.1.5 CloudTrail, VPC Flowlogs, AWS Config, AWS • Recovery Phase
response to detected · NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8 Organizations, AWS Firewall Manager, AWS • Reconstitution Phase
cybersecurity events. PrivateLink, AWS Systems Manager, AWS OpsWorks, This approach ensures that AWS performs system recovery and reconstitution
Amazon Macie, AWS Managed Services, AWS IoT efforts in a methodical sequence, maximizing the effectiveness of the recovery and
Defender reconstitution efforts and minimizing system outage time due to errors and
omissions.
CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
IR-4 procedures
AWS will notify to respond customers to a serious
of a securityoutagebreach or degradationin accordance of AWS withservices,
the terms
includinginthe
outlined therecovery
service agreementmodel and with its implications
AWS. AWS’s on the business continuity plan.
IR-8 AWS has implemented a formal, documented incidentcommitmentresponse policy to alland AWS
customers
program. Theis aspolicy
follows: addresses purpose, scope, roles, responsibilities, and
Communications (RS.CO): RS.CO-1: Personnel know · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The
If AWSAWS Business
becomes awareContinuity
of any policy lays
unlawful or out the
unauthorized guidelines access used to to
any implement
customer
Response activities are their roles and order of · COBIT 5 EDM03.02, APO01.02, APO12.03 Architectures, AWS IAM, AWS Config, ConfigRules, management
procedures
Refer to the commitment.
tofollowing
respond to
AWS a serious
Audit outage
Reportsorfor degradation
additional of AWS
details: services,
PCI 3.2, ISO
data
AWS uses (i.e., any
a27017,personal
three-phased data that
approach is uploaded to a customer’s AWS account) on
coordinated with internal and operations when a response is · ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 Cloud Watch, CloudTrail, CloudFormation, Lambda, including
27001,
AWS’s ISO the
equipment recovery NIST
or inmodel800-53,
AWS’s itstoimplications
andfacilities
SOC manage
2 COMMON
and thisfor
incidents:
on the business
CRITERIA
unlawful continuityaccess
or unauthorized plan.
external stakeholders, as needed · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1 Amazon SNS, Amazon SES. 1. Activation and Notification Phase – Incidents AWS begin with the detection
results
of an event. in loss, disclosure,
Events originate or alteration
from several of customer
sources such data,as: AWS will promptly notify
appropriate, to include external · NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
support from law enforcement •the
Refer
customer
Metricsto the
and
andfollowing
alarms take–reasonable
AWS Audit
AWS
steps to
maintains Reports anreduce
exceptional the effects
for additional
of thisawareness
situational
details: PCI
security
3.2, ISO
incident.
agencies. 27001,defines,
AWS ISO 27017, NIST 800-53,
administers, and SOC 2 COMMON
monitors CRITERIA
alarming of real time metrics and service security dashboards. for the Theunderlying
majority of cloud
incidents are
infrastructure
detected in this(i.e., manner. the hardware,
AWS uses theearly facilities
indicator housing alarms theto hardware,
proactively andidentify
the
network
issues that infrastructure).
•Because TroubleAWS tickets manages
enteredthe by infrastructure
an AWS employee. and the security controls that apply to it,
•AWS Callscan: to the 24x7x365 technical support hotline.
• Identify
If the event potential
meets incident incidents affecting
criteria, thethe infrastructure.
relevant on-call support engineer uses
• Determine
AWS’s eventifmanagement
any access totool customer
systemdata resulted
to start from an incident.
an engagement and page relevant
• Determine
program if access
resolvers (e.g.,was AWSactually unlawful
Security). Theorresolversunauthorized (it would
will perform anbe analysis of
unauthorized
the incident toifdetermine it was in breach if additionalof AWS' Security
resolvers Policies).
should be engaged and to determine
If anapproximate
the incident happens root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery results Phase in loss,– The disclosure,
relevant resolvers or alteration will of customer
perform breakcontent,
fix to AWS address willthe
promptly After
incident. notifyaddressing
the customer. AWS does this
troubleshooting, break regardless
fix and of whether
affected the customer's
components, the
content
call leader is sensitive
will assign or not,
follow-upbecause AWS does not
documentation and know what the
follow-up customer
actions and end content
the
is and
call protects all customer content in the same robust way.
engagement.
CP-3 To ensure
AWS teststhe theeffectiveness
business continuity of the AWS plan and incident responseprocedures
its associated plan, AWSatconducts least
IR-3 incident
annually
AWS hasresponse ensuretesting.
toimplemented effectiveness This testing
a formal, of theprovides
documented plan andincident excellent
the organizationalcoverage
response for the anddiscovery
readiness
policy to
of previously
execute
program. theThe unknown
plan.
policy Testing defects
addressesconsists andoffailure
purpose, engagement modes.
scope, In addition,
drills
roles, that execute
responsibilities,it allows onand the AWS
activities
IR-8 AWS
Security
that hasand
would implemented
beservice
performed teams a in
formal,
to
antest documented
actualthe outage.
systemsAWS incident
for potential response
documents customer
thepolicy
results,andincluding
impact and
management
program. commitment.
The policy addresses purpose, scope, roles, responsibilities, andcritical
RS.CO-2: Events are reported · CIS CSC 19 AU-6 AWS
furtherdeploys
lessons
AWS prepare
useslearned monitoring
staff
and any
a three-phased to devices
handle
corrective
approach throughout
incidentsactions
to manage such thatas thewere environment
detection
incidents: completed. to collect
and analysis,
consistent with established · COBIT 5 DSS01.03 management
information
containment, oncommitment.
unauthorized
eradication, andintrusion
recovery, attempts,
and post-incidentusage abuse, andwith
activities. network and
1.
AWS Activation and
uses a three-phased Notification approach Phaseto– manage Incidents for AWS
incidents: begin the detection
criteria · ISA 62443-2-1:2009 4.3.4.5.5 application
Theanincident
of event.bandwidth response
Events usage.
test
originate plan Monitoring
fromis executed
several devices
annually,
sources are in placed within the
conjunction withAWS the
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 1.
environment Activation and
to Notification
detect Phase –includes
Incidents forsuch
AWS as: begin with the detection
•incident
of Metrics
an event.
response
andEvents alarms plan. –and Themonitor
AWS
originate
test plan
maintains for: an sources multiple
exceptional scenarios,
situational potential
awarenessvectors
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 •ofPort scanning
attack, and theattacks
inclusion offrom several
the systems integrator such as:
in reporting and coordination
•capability;
•alarming Metrics and
Usageapplicable),
(CPU,
most issues
alarms – are rapidly
AWS maintains detected an from 24x7x365
exceptional monitoring
situational awareness and
(when
capability; ofmostrealProcesses,
time
issues
welldisk
as metrics andutilization,
as varying service
are reporting/detecting).
rapidly detected
swap rates, The
reporting/detection
dashboards.
from 24x7x365majority
andavenues
errors in(i.e.
monitoring
software
customer are
of incidents
and
generated
reporting/detecting,
detected in loss) manner. AWS
alarming
•AWS Application
incidentofthisreal time metrics
performance
management
AWSand
metrics
usesservice
planning,
early indicator
dashboards.
testing,
alarms to
and test The results
proactively
majority
are reviewed
identifyare
of incidentsby third-
issues
detected that in may ultimately
this connection
manner. AWS impact usescustomers.
early indicator alarms to proactively identify
••party
issues
Unauthorized
Troubleauditors.
that tickets
may entered byimpact
ultimately
attempts
an AWS employee.
customers.
AWS Callsprovides near real-time alerts when hotline. the AWS monitoring tools show
••indications Trouble to thetickets
of
24x7x365
entered
compromise
technical
by an AWS
or potential
support employee.
compromise, based uponengineer
threshold alarming
•If
mechanisms
the event
Calls to the meets
24x7x365
determined
incident criteria,
technical
bytoolAWS
the relevant
support
service hotline. on-call support uses
AWS’s
If the event event management
meets system to and
startSecurity
an engagementteams. and page relevant
External
program access
resolvers to incident
data
(e.g.,stored
AWS
criteria,
in Amazon the relevant S3 is on-call
logged. support
The logsengineer
are an retainedusesfor at
AWS’s
leastincident 90 event
daystoand management
include if toolSecurity).
relevant systemaccess toThestartresolvers
request aninformation
engagementwill perform
and as
such page analysis
thetorelevant
data
of
the
program resolvers determine(e.g., AWS additional resolvers should will be engaged
performand determine
accessor
the approximateIP address, rootobject,cause. andSecurity).
operation. The resolvers an analysis of
the
AllRecovery incident
requests to to determine
KMS if
are logged additional
and resolvers
available should
in perform
the AWSbreak be engaged
account’s and to determine
2.
the approximate Phase root – Thecause. relevant resolvers will fix to AWS address the
CloudTrail
incident. Afterbucket in
addressing Amazon S3.
troubleshooting,The logged break requests provide
fix and break affected information about
2.
who Recovery
made the Phase
request – The and relevant
under resolvers
which CMK will and perform
will also fixcomponents,
describe address thethe
toinformation
call leaderAfter
incident. will assign follow-up documentation and follow-up actions and end the
about
call leader the AWSaddressing
engagement. resource that troubleshooting,
was protected break through fixtheanduse affected
of the components,
CMK. These the log
call
events will assign
are visible to thefollow-up
customerdocumentation
after turning onand AWS follow-up
CloudTrail actions and end the
in their
3. Reconstitution
call engagement. Phase – The call leader will declare the recovery phase complete
account.
after the relevant fix activities haveleader been addressed.
3. Reconstitution Phase – The call will declareThe thepost mortem
recovery phase andcomplete
deep root
causethe
after analysis
relevant of the incident will
fix activities havebebeen assignedaddressed. to the The relevant post team.
mortem The and results
deep of root
the post
cause mortem
analysis ofwill be reviewed
the incident will by be relevant
assignedsenior to the management
relevant team.and The actions
resultsand of
captured
the post mortemin a Correction will be reviewed of Errors by (COE) relevant document senior and tracked toand
management completion.
actions and
To ensureinthe
captured effectiveness
a Correction of the AWS
of Errors (COE)incident document response
and tracked plan, AWS conducts
to completion.
IR-6 incident
To
AWS ensure response
employees testing.
the effectiveness
are trained Thisof testing
onthehow AWS toprovides
incidentexcellent
recognize response
suspected coverage
plan,
securityAWS for the discovery
incidents
conducts and
of previously
incident
where toresponse
report unknown
them.testing. defects
When This and failure
appropriate,
testing provides modes.
incidents In
areaddition,
excellent reported
coverage ittoallows
relevant
for the the AWS
IR-8 AWS
Security has implemented
and service teams a formal,
tothetest documented
the systems incident
for potential responsecustomer policy anddiscovery
impact and
of
authorities.
program. previously The AWS unknown
policy maintains defects
addresses and
AWS
purpose, failure
Security modes.
scope, Bulletin
roles, In addition,
webpage,
responsibilities,it allows
locatedand theat AWS
RS.CO-3: Information is · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CA-2 The
further
Security AWS prepare
and Compliancestaff to
service
https://aws.amazon.com/security/security-bulletins,teamsAssessment
handle incidents
to test the Team such
systems (CAT) asfor maintains
detection
potential
to notify anda customers
documented
analysis,
customer of audit
impact and
security
shared consistent with response · COBIT 5 DSS03.04 Architectures, AWS IAM, AWS Cloudwatch, AWS management
schedule
containment, of commitment.
internal
eradication, and external
andAWS assessments
recovery, and to ensure
post-incident implementation
activities. and
further
and
AWS prepare
privacy
uses a events staffaffecting
three-phased to handle approach incidentsCloud
to such
manage asincidents:
services. detection
Customers and analysis,
can subscribe to the
plans · ISA 62443-2-1:2009 4.3.4.5.2 CloudTrail, VPC Flowlogs, AWS Config, AWS operating
The incident
containment,
security effectiveness
bulletin response
eradication,
RSS feedof and
test the
plan
to keepAWS
recovery, control
is executed
abreast and environment
ofannually,
post-incident
security in toactivities.
meet business,
conjunction
announcements with
on the the AWS
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause Organizations, AWS Firewall Manager, AWS Systems 1.
regulatory,
incident Activation and
response and Notification
contractual
plan.test Theplan testPhase
objectives. –includes
Incidents for AWS begin with the detection
The
Security
of incident
anneeds
event. Bulletin response
Events webpage.
originate The isplan
executed
customer support multiple
annually, team inscenarios,
conjunction
maintains potential
with the
a Service vectors
Health
16.1.2 Manager, AWS OpsWorks, Amazon Macie, AWS The
of
incident attack, and
and expectations
the inclusion The of offrominternal
atthe
several
systems andsources
external
integrator such
parties as:
in scenarios,are considered
reporting to and coordination
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, Managed Services, AWS IoT Defender, AWS •Dashboard
throughout
(when Metrics response
and webpage,
the
applicable), alarms plan.
development,
as –located
AWS
well as
test http://status.aws.amazon.com/,
plan
maintains
implementation,
varying
includes multiple
an exceptionaland
reporting/detection situational
auditing of
avenues the
potential
alert
awareness
AWS
customers
vectorsto
control
(i.e.coordination
customer
of attack,
any
capability; broadly and impacting
most theissues
inclusion availability
of the systems issues. integrator
are reporting/detecting).
rapidly detected from to: in reporting
24x7x365 monitoring and and
PE-6, RA-5, SI-4 CloudFormation, AWS Lambda, Amazon SNS, environment.
(when
In the event
applicable), Parties
of antime include,
AWS
incident,
as metrics
well as AWS but
varying are
requires not limited
reporting/detection
that AWS Security avenues and/or (i.e.
Amazon SES, Amazon Athena, Amazon GuardDuty, alarming

AWS AWS incidentof real
customers, management including and
planning, service
customers dashboards.
with
testing, aand contractual
test The
resultsmajority
interest
are ofaffected
and
reviewed
customer are
incidents
potential
service
detected team
in this conduct
manner. AWSa post
AWS reporting/detecting).
mortem
uses early to determine
indicatorthe causetoofproactively
alarms incident, as wellthird-
by
identify as to
Amazon S3, AWS WAF, Amazon Machine Learning, customers.
party
AWS auditors.
document incident
Amazon Inspector, Amazon SageMaker, Amazon issues
 that lessons
External may management
parties
learned. impact
ultimately
to AWS, including
planning, customers.testing, and test results are reviewed by third-
regulatory bodies such as the external
Pinpoint •party
auditors Troubleauditors.
andtickets entered
certifying by an AWS employee.
agents.
• Calls
 Internal to the 24x7x365
parties such as technical
AWS services supportand hotline.
infrastructure teams, security, legal,
If theoverarching
and event meetsadministrative incident criteria, and the relevant
corporate on-call support engineer uses
teams.
the incident to determine if additional resolvers should be engaged and to determine
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
the approximate root cause.
CP-2 assessment
The AWS Business and monitoring process. Additionally, annual security assessments are
2. Recovery Phase –ContinuityThe relevant policy
resolvers lays out willthe guidelines
perform breakused fix to implement
to address the
conducted
procedures byto an accredited
respond Third-Party
to a troubleshooting,
serious outageAssessment orbreak
degradation Organization (3PAO) to
IR-4 incident.
AWS will After
notify addressing
customers of a security breach infix and of
accordance AWS
affected services,
withcomponents,
the terms the
validate
including that
the implemented
recovery model security controls
anddocumentation
its implications continue to bebusiness
onfollow-up
the effective. Security
continuity plan.
call leader
outlined will
hasinimplemented
the assign follow-up
service agreement with AWS. and actions and end the
IR-8 AWS
assessments that include a aformal,
risk analysis documented and a AWS’s incident
Plan commitment
response
of Action andpolicy to all
Milestonesand AWS
call engagement.
customers
program. Theisareaspolicy
follows:
PE-6 (POA&M)
Physical
3. AWS
If access
Reconstitution
becomes alladdresses
submitted
toPhase
aware AWS to data
–ofTheanycall
purpose,
authorizing
centers
leaderhousing
unlawful
scope, roles,
officials
will
or declare
unauthorizedIT responsibilities,
forinfrastructure
review
the access
and approval.
recovery
and
tocomponents
phase
any complete
customer is
management
restricted commitment.
to following
authorized datacoordinates
center employees,
RA-5 Refer
AWS
after (i.e.,
data
AWS
to
the
uses
the
Security
relevant
any
a27017, notifies AWS
and
fix activities
personal
three-phased data Audit
that
approach have Reports
been
is uploaded
to with
manage
for
addressed.
to avendors,
theincidents: Theand
additional
appropriate
customer’s post contractors
details:
service
mortem
AWS PCI 3.2,
teams
and
account) whoISO
when
deep
on root
require
27001,
conducting
cause access
ISO
analysis in order
security-related
of the NIST to
or incident execute
800-53,
activities
will their
SOC
be jobs.
2
within COMMON
andtheAccess
tosystem to facilities
CRITERIA
boundary. is only permitted
Activities of at
SI-4 AWS’s
AWS
1.
controlled Activation equipment
deploys access monitoring
and in AWS’s
Notification
points devices
that
facilities
Phase –assigned
throughout Incidents this
the the relevant
unlawful
environment
for AWS orteam.
begin todesignedThe
unauthorized
collect
with theresults access
critical
detection
include
thean
results
information post invulnerability
mortem
loss, onto will
disclosure,
unauthorizedscanning,
be or require
reviewed alteration
intrusion by multi-factor
contingency relevant
of customer
attempts, testing,
senior authentication
usage and incident
management
data, AWSand
abuse, response
will and to prevent
actions
promptly
network and
notify
RS.CO-4: Coordination with · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 of
The
tailgating
exercises.
captured AWSevent.
inand
AWS
Events
Business
a and ensure originate
Continuity
performs
Correction that from
only
ofexternal
Errors policy several
authorized lays
vulnerability
(COE)
sources
out the
individuals such
guidelines
assessments
as:
enter used
an
at AWS
least to dataand
implement
quarterly, center.
and
stakeholders occurs consistent · COBIT 5 DSS03.04 Architectures, AWS Config, Cloud Watch, CloudTrail,
the
•application
procedures
On
customer
Metrics
a quarterlyand bandwidth
to alarms
respond
take–reasonable
basis, usage.
AWS
to
access a
steps
Monitoring
maintains
serious
lists andoutage andocument
to reduce
devices
exceptional
or
authorization degradation
the
are and
effects
placedtracked
of
situational
credentials of within
AWS of
to
this completion.
security
the
awareness
services,
personnel AWS with
identified
To ensure issues
incident.
environment
capability; the
mostto are investigated
effectiveness
detect
issues and of theand
are monitor
rapidly AWSfor: tracked
detected incident to resolution.
response plan, Additionally,
AWS conducts AWS
with response plans · ISA 62443-2-1:2009 4.3.4.5.5 CloudFormation, Amazon Pinpoint, AWS Lambda, including
access
performs the
toresponse
AWS recovery
unannounced data model
centers are
penetration and its
reviewed
tests bybyfrom
implications 24x7x365
theexcellent
engaging on the
respectiveindependent
monitoring
business
data continuity
center and
Area plan.
Access
· ISO/IEC 27001:2013 Clause 7.4 Amazon SNS, Amazon SES
incident
•AWS
alarming
ManagersPort defines,
scanning
of real
(AAM).
testing.
administers,
attacks
time metrics This
and andtesting
monitors
service provides
security
dashboards. for the majoritythird
coverage
Theunderlying for cloud
of parties
the
incidents toare
discovery
probe
ofUsage
•infrastructure the(CPU,
previously indefensesunknown
(i.e., and device
defects
the hardware,
Processes, disk configuration
and failure
theearly
utilization, facilities swapsettings
modes. housing
rates,In within
addition,
theto
and the itsystem.
hardware,
errors allows
in andthe theAWS
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 detected
All
AWS
Security
network entrances
Security
and
this manner.
toteams
service
infrastructure). AWSteams data
also
AWS
subscribe
to
uses
centers,
test the including
tosystems
indicator
newsfeeds the
for main
alarms entrance,
for applicable
potential customer thesoftware
proactively
vendor loadingidentify
flawsand
impact dock,
and
generated
issues
Refer
and any that
to the
roofloss)
may ultimately
following
doors/hatches, AWS impact
Audit
are customers.
securedReports with for additional
intrusion details:
detection PCInew
devices 3.2, ISO
that sound
proactively
further
•Because prepare
Application
Trouble AWS monitor
tickets staff
manages
performance
enteredvendors’
to handle
the
by websites
incidents
infrastructure
metrics
an AWS and
such
employee. otheras relevant
detection outlets
and for
analysis,
and the security controls that apply to it, patches.
27001,
alarms
AWS ISO
if the 27017,
door isNIST
forced 800-53,
open orSOC held to2and COMMON
open. CRITERIA
Callscustomers
containment, can:
• Unauthorized
Trained tosecurity
the 24x7x365 also
eradication,
connection
guards
have
are
the
and ability
recovery,
attempts
technical
stationed support atthe
report
thehotline.
issues to
post-incident
building entrance
AWS via the AWS
activities.
24/7. Ifwith a door
Vulnerability
The
AWS
If theincident
• Identify provides
event Reporting
response
potential test
incidents
nearincident website
real-time plan isatexecuted
affecting
alerts http://aws.amazon.com/security/vulnerability-
when annually,
infrastructure.
the AWS in support
conjunction
monitoring tools show the or cage
within
reporting/.
•incident
Determine datameets
a response center
anyplan. has The
criteria,
a malfunctioning
test
the
plan includes
relevant
card on-call
reader
multiple orscenarios,
PIN padengineer
and cannot
potential
uses be
vectors
indications
AWS’s event ofifmanagement
compromiseaccess toor customer
tool potential
system data
to resulted
compromise,
start from
based
anatengagement anupon
incident.
and threshold
itpage alarming
relevant
•secured
of attack,
Determine
mechanisms
electronically,
program resolvers and if the
accessinclusion
determined wasa security
(e.g., AWS of
actually
by AWS the guard
systems
unlawful
serviceThe
Security).
is posted
integrator
or the
in
unauthorized
and resolvers
Security teams.
door
reportinguntil
(it
will perform and
would can be repaired.
ancoordination
beanalysis of
(when
unauthorized
External
the incident applicable),
access if it wasas well
in
to data stored
to determine as
breach varying
of
in Amazon
if additional AWS' reporting/detection
Security
S3 is logged.
should be avenues
Theengaged
logs areand(i.e. customer
retained for at
to determine
If
leastan incident
90 days androot
the approximate happens AWS
include within
cause. reporting/detecting).
AWS’s sphere of knowledge
relevant access request information such as the data and control and this
AWS
incident
accessor
2. Recoveryincident
results
IP address, management
Phase in loss,– object,
The planning,
disclosure,
and
relevant operation.
resolvers testing,
or alteration will and of test
customer
perform results
break arefixreviewed
content, to AWS
address bythe
will third-
party
promptly
All
incident. auditors.
requests notify
After to KMS the customer.
addressing are logged AWS does this
and available
in the and of
fix AWS whether
account’s
affected the
AWS
components,customer's the
content
CloudTrail
call leader willis sensitive
bucket assign or not,
in Amazon
follow-upbecause AWS
S3.documentation does
The logged requests not know
and follow-up what the
provide actions customer
information and end content
aboutthe
is
who and protects all customer content in the
made the request and under which CMK and will also describe information
call engagement. same robust way.
about the AWS resource
3. Reconstitution Phase –that Thewas callprotected
leader will through
declarethe theuse of the CMK.
recovery These log
phase complete
events are visible to the customer after turning
after the relevant fix activities have been addressed. The post mortem and deep root on AWS CloudTrail in their
account.
incident response testing. This testing provides excellent coverage for the discovery
of previously unknown defects and failure modes. In addition, it allows the AWS
IR-4 AWS
furtherwill prepare notifystaff customers
to handle of incidents
a securitysuch breach in accordance
as detection with the terms
and analysis,
IR-8 outlined
AWS hasinimplemented
containment, theeradication,
service agreement and recovery,
a formal, with AWS.
documented AWS’s
incidentcommitment
and post-incident activities.
response to alland
policy AWS
customers
The
program.incident Theis as follows:
response
policy test plan purpose,
addresses is executed annually,
scope, roles, in conjunction with
responsibilities, and the
RS.CO-5: Voluntary · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference PM-15 AWS
If AWS Security
becomes teamsaware alsoofsubscribe
any unlawful to newsfeeds
or unauthorized for applicableaccess vendor
to flaws and
any customer
incident
managementmonitorresponse plan.
commitment. The test plan includes multiple scenarios, potential vectors
information sharing occurs with · COBIT 5 BAI08.04 Architectures, proactively
data (i.e., vendors’ websites and other relevant outlets AWSfor new patches.
external stakeholders to achieve · ISO/IEC 27001:2013 A.6.1.4
of
AWS usesany
attack, and personal
the
a three-phasedinclusion dataapproach
that
of theissystems
uploaded
to manage to incidents:
integratora customer’s
in reporting account)
and on
coordination
AWS’s
(when
1. Activation equipment
applicable), or
as in
and Notification wellAWS’sas varying facilities
Phase and thisfor
–reporting/detection
Incidents unlawful
AWSavenues or unauthorized
begin (i.e.the
with customer access
detection
broader cybersecurity · NIST SP 800-53 Rev. 4 SI-5, PM-15 results in loss, disclosure,
SI-5 reporting/detecting,
AWS
of Security
an event. Eventsnotifies AWS andor
originate alteration
reporting/detecting).
coordinates
from several of
withcustomer
the appropriate
sources data,as:
such AWS will promptly
service teams when notify
situational awareness
•the
AWS customer
conducting
Metricsincidentand and
alarms take–reasonable
security-related
management AWSactivities
planning, stepswithin
maintains to
anreduce
testing, the and
exceptional the
testeffects
system results ofare
boundary.
situational this securityby third-
reviewed
Activities
awareness
incident.
party auditors.
include
capability; vulnerability
most issues scanning,
are rapidly contingency
detected from testing, and incident
24x7x365 monitoringresponse and
AWS defines,
exercises.
alarming ofAWS real administers,
performs
time metrics and
external
and monitors
vulnerability
service security
dashboards. for the
assessmentsTheunderlyingat leastof
majority cloud
quarterly,
incidentsand are
infrastructure
identified
detected this(i.e.,
inissues arethe
manner. hardware,
investigated
AWS uses theearly
and facilities
tracked indicatortohousing
resolution.
alarms theto hardware,
Additionally,
the
AWS
network
performs
issues that infrastructure).
unannounced
may ultimately penetration
impact customers. tests by engaging independent third parties to
•Because
probe
Trouble theAWS defenses
tickets manages and device
entered the
by infrastructure
anconfiguration
AWS employee. andsettings
the security withincontrolsthe system. that apply to it,
AWS can:
• CallsSecurity
to the 24x7x365 teams also subscribe
technical to newsfeeds
support hotline. for applicable vendor flaws and
• Identify
proactively
If the event potential
monitor
meets incident incidents
vendors’ affecting
websites
criteria, thethe and infrastructure.
relevantotheron-call relevant outletsengineer
support for new uses patches.
• Determine
AWS
customers any also accesshavetothe customer
tool systemtodata
ability resulted
toreport
start issues from
to AWS
an engagement an incident.
via
andthe page AWS relevant
• Determine
Vulnerability
program ifReporting
resolvers access (e.g.,was actually
website
AWS at unlawful
Security). Theorresolversunauthorized
http://aws.amazon.com/security/vulnerability- (it would
will perform anbe analysis of
unauthorized
incident toifdetermine
reporting/.
the it was in breach if additionalof AWS' Security
If anapproximate
the incident happens root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery results Phase in loss,– The disclosure,
relevant resolvers or alteration will of customer
perform breakcontent,
fix to AWS address willthe
promptly After
fix and of whether
components, the
content
will assign or not,
follow-upbecause AWS does not
documentation and know what the
follow-up customer
actions and end content
the
is and
engagement.
further prepare staff to handle incidents such as detection and analysis,
incident response plan. The test plan includes multiple scenarios, potential vectors
of attack, and the inclusion of the systems integrator in reporting and coordination
(when applicable), as well as varying reporting/detection avenues (i.e. customer
reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-
party auditors.
Analysis (RS.AN): Analysis is RS.AN-1: Notifications from · CIS CSC 4, 6, 8, 19 AWS Artifact, AWS Best Practices, AWS Reference AU-6 AWS deploys monitoring devices throughout the environment to collect critical
conducted to ensure adequate detection systems are · COBIT 5 DSS02.04, DSS02.07 Architectures, AWS Config, AWS Cloudwatch, AWS information on unauthorized intrusion attempts, usage abuse, and network and
response and support recovery investigated · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 Lambda, AWS Step Functions, AWS OpsWorks, AWS application bandwidth usage. Monitoring devices are placed within the AWS
activities. · ISA 62443-3-3:2013 SR 6.1 Managed Services, AWS CloudFormation environment to detect and monitor for:
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 • Port scanning attacks
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, • Usage (CPU, Processes, disk utilization, swap rates, and errors in software
SI-4 generated loss)
indications of compromise or potential compromise, based upon threshold alarming
mechanisms determined by AWS service and Security teams.
External access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days and include relevant access request information such as the data
accessor IP address, object, and operation.
All requests to KMS are logged and available in the AWS account’s AWS
CloudTrail bucket in Amazon S3. The logged requests provide information about
who made the request and under which CMK and will also describe information
about the AWS resource that was protected through the use of the CMK. These log
events are visible to the customer after turning on AWS CloudTrail in their
account.
CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
IR-4 assessment
AWS and monitoring
will notify customers process. Additionally,
of a security breach inannual security
accordance withassessments
the terms are
conducted
outlined by
thean
innotify accredited
service agreementThird-Party
with AWS. Assessment
AWS’s Organization
commitment (3PAO) to
IR-5 AWS
validate willthat customers
implemented of a security
security controls breach in accordance
continue withtothe
to be effective.
allterms
AWS
Security
customers
outlined in istheasservice
follows:agreement with AWS.
PE-6 Physical
assessments
If AWS becomesaccess that toinclude
all AWS
aware dataanalysis
a risk
of any centers
unlawful housing
and a AWS’s
Plan
or unauthorized
commitment
ITofinfrastructure
Action to all AWS is
components
andtoMilestones
access any customer
customers
restricted is
toare as follows:
authorized data center employees,
SI-4 (POA&M)
AWS
data
If AWS deploys
(i.e., any
becomes
submitted
monitoring
personal
aware data
of
to authorizing
devices
that
any is throughout
uploaded
unlawful
officials
or avendors,
tothe for
customer’s
unauthorized
and and
review
environment contractors
AWS
access toapproval.
tocollect
account)
any
who
critical
customeron
require
information access inunauthorized
onpersonal order into execute their attempts,
intrusion jobs. Access to abuse,
facilities isnetwork
only permitted accessat
RS.AN-2: The impact of the · COBIT 5 DSS02.02 AWS Artifact, AWS Best Practices, AWS Reference CP-2 AWS’s
The
data
controlled AWS equipment
(i.e., Business
any
access
orContinuity
points
AWS’s
data
that that facilities
policy laysand
is uploaded
require out
multi-factor a usage
tothis
the unlawful
guidelines
customer’s
authentication
or and
unauthorized
used
AWS to implement
account)
designed
and
to on
prevent
incident is understood · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 Architectures, AWS CloudFormation, AWS application
results
procedures
AWS’s bandwidth
inequipment
loss,
to disclosure,
respond or intousage.
aor Monitoring
alteration
serious
AWS’s outage devices
of and thisinare
customer
or individuals
degradation placed
data, AWS
of orwithin
AWS will the AWS
promptly
services, notify
IR-4 AWS
tailgating will notify
and customers
todetect
ensure that of a facilities
only security
authorized breach unlawful
accordance
enter unauthorized
with the data access
termscenter.
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6 Cloudwatch, CloudTrail, VPC Flowlogs, AWS Config, environment
the
including
results customer
in the
loss, to
and
recoverytake and
disclosure, model monitor
reasonable
or and for:
steps
its
alteration to customer
reduce the
implications
of on effects
the
data, ofan
business
AWS
AWS
this
will security
continuity
promptly plan.
notify
outlined
•On in the basis,
a quarterly
Port scanning service
attacks agreement
access lists andwithauthorization
AWS. AWS’s commitment
credentials to all AWS
of personnel with
· NIST SP 800-53 Rev. 4 CP-2, IR-4 AWS Organizations, AWS Firewall Manager, AWS incident.
the customer and take reasonable steps to reduce the effects of this security
customers
•access Usage to(CPU,is as Processes,
AWS follows:
data centers areutilization,
disk reviewed security
byswapthe rates,
respective data center
andunderlying
errors in softwareArea Access
Systems Manager, AWS OpsWorks, Amazon Macie, AWS
incident. defines, administers, and monitors for the cloud
If AWS
Managers loss)
generated becomes
(AAM). aware of any unlawful or unauthorized access to any customer
AWS Managed Services, AWS IoT Defender, Amazon infrastructure
Refer
AWS to the
defines, (i.e.,
following the AWS
administers, hardware, Audit
and the facilities
Reports
monitors for
security housing
additional
for theunderlying
the hardware,
details: PCI and
3.2,
cloud the
ISO
data
•All (i.e.,
entrances
Application any topersonal data
AWS data metrics
performance that is uploaded to a customer’s AWS
centers, including the main entrance, the loading dock, account) on
GuardDuty, Amazon Machine Learning, Amazon network
27001, infrastructure).
AWS’s
•and
Because anyISO
infrastructure roof
UnauthorizedAWS
27017,
equipment (i.e., or NIST
the
doors/hatches,
connection
manages
800-53,
inhardware,
AWS’s SOC
the
are secured
theattempts
infrastructure
2with
COMMON
facilities
facilities housing
andintrusion
this CRITERIA
the hardware,
unlawful
and the security
or unauthorized
detection
controlsdevices andthat
that apply
theaccess
sound
to it,
SageMaker, AWS WAF, AWS Shield network
results
alarmscan: ifinfrastructure).
in loss,door
the disclosure,forcedoropen
is real-time alteration
or held ofopen.
customer data, AWS will promptly notify
AWS
Because provides
AWSand near
manages alerts
the stationed when
infrastructure the
and AWS
thethe monitoring
security toolsthat show
the
Trained
indicationscustomersecurity take reasonable
guards
of compromise are steps
oraffecting
potential to
thereduce
atthe building
compromise, effectscontrols
entrance
based of24/7.
upon this securityapplyortocage
If a door
threshold
it,
alarming
• Identify
AWS can: potential incidents infrastructure.
incident.
•mechanisms
• Identify
AWS
secured
Determine ifdetermined
potential
defines,
electronically,
any access
incidents
administers, a
bytoAWS
customer
and
security
service
affecting
monitors
guard
data
theis
and
security
posted
Security
resulted
infrastructure.
for
at
fromteams.
the
the
an incident.
underlying
door until it cloud
can be repaired.
External
•• Determine
Determine access if any
if to data
access was
access stored in Amazon
actually
to customer dataS3resulted
unlawful is unauthorized
or logged.from The logs are retained
(it would
anhardware,
incident. be for at
infrastructure (i.e., the hardware, the facilities housing the and the
•least
unauthorized90 daysifand
Determine
network infrastructure).
it include
ifaccess was was relevant
in breach
actually of access
AWS'
unlawful request
Security information
Policies). (it
or unauthorized such
wouldas the be data
accessor
If an incident
unauthorized IP address, it wasobject,
ifhappens within
in and
breach operation.
AWS’s
of AWS'sphere of knowledge
Security and control and this
Policies).controls
Because
All AWS manages the infrastructure and thethe security that apply to it,
If
AWS anrequests
incident results
incident
can: bucket
tohappens
KMS
in loss, are logged
disclosure,
within andoravailable
AWS’s sphere ofinknowledge
alteration AWS account’s
of customer content,
and control AWSand will
this
CloudTrail
promptlyresults notify in incustomer.
theloss, Amazon S3. The
AWS ordoeslogged requests
this regardless provide information
of whether the about
customer's
•incident
who Identify
made potential
the request
disclosure,
incidents
and under affecting
which
alteration
theCMK
of customer
infrastructure.
and
content, AWS will
content is notify
sensitive or not, because AWS does not will
know also describe
what information
the customer content
•promptly
Determine
about if anytheaccess
customer. to AWS
customer does
data this regardless
resulted from of
an whether
incident. the customer's
is and the is AWS
protects resource
all customernot,that was protected
content in thedoes through
same robust theway.
use of the
the customer
CMK. These log
•content
Determine
events
sensitive
are visibleif accessto
or was because
actually
the customer
AWS
unlawful
after turning or not know
unauthorized what (it would be content
is and protects
unauthorized if all
it customer
was in content
breach of in the
AWS' sameon
Security
AWSway.
robust CloudTrail in their
Policies).
account.
If an incident happens within AWS’s sphere of knowledge and control and this
incident results in loss, disclosure, or alteration of customer content, AWS will
promptly notify the customer. AWS does this regardless of whether the customer's
content is sensitive or not, because AWS does not know what the customer content
is and protects all customer content in the same robust way.
RS.AN-3: Forensics are · COBIT 5 APO12.06, DSS03.02, DSS05.07 AWS Artifact, AWS Best Practices, AWS Reference AU-7 AWS deploys monitoring devices throughout the environment to collect critical
performed · ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, Architectures, AWS IAM, AWS CloudFormation, IR-4 information
AWS on unauthorized
will notify customers ofintrusion
a security attempts,
breach in usage abuse, and
accordance withnetwork and
the terms
SR 2.12, SR 3.9, SR 6.1 AWS Cloudwatch, CloudTrail, VPC Flowlogs, application
outlined bandwidth
in the usage. Monitoring
service agreement with AWS. devices
AWS’sare commitment
placed withintothe allAWS
AWS
· ISO/IEC 27001:2013 A.16.1.7 Amazon Macie, AWS Managed Services, AWS environment
customers to follows:
is as detect and monitor for:
· NIST SP 800-53 Rev. 4 AU-7, IR-4 Lambda, VPC, AWS IoT Defender, Amazon • Port
If AWS scanning
becomes attacks
aware of any unlawful or unauthorized access to any customer
GuardDuty, Amazon Machine Learning, Amazon • Usage
data (i.e.,(CPU, Processes,
any personal datadisk
thatutilization,
is uploaded swap
to arates, and errors
customer’s AWSinaccount)
softwareon
SageMaker, AWS WAF, AWS KMS, AWS generated
AWS’s loss)
equipment or in AWS’s facilities and this unlawful or unauthorized access
CloudHSM, Amazon WorkSpaces • Application
results in loss,performance
disclosure, ormetrics
alteration of customer data, AWS will promptly notify
• Unauthorized
the customer and connection attempts
take reasonable steps to reduce the effects of this security
incident.
indications
AWS defines, of compromise
administers, or andpotential
monitorscompromise,
security for based upon threshold
the underlying cloud alarming
mechanisms determined
infrastructure by AWSthe
(i.e., the hardware, service and Security
facilities housing theteams.
hardware, and the
External infrastructure).
network access to data stored in Amazon S3 is logged. The logs are retained for at
least 90 days
Because AWSand includethe
manages relevant access request
infrastructure and theinformation such as
security controls theapply
that data to it,
accessor
AWS can: IP address, object, and operation.
•All requests
Identify to KMSincidents
potential are logged and available
affecting in the AWS account’s AWS
the infrastructure.
•CloudTrail
Determinebucketif any in Amazon
access S3. The data
to customer logged requests
resulted fromprovide information about
an incident.
•who made the
Determine if request
access wasand actually
under which CMKorand
unlawful will also describe
unauthorized (it would information
be
about the AWS
unauthorized resource
if it that wasofprotected
was in breach throughPolicies).
AWS' Security the use of the CMK. These log
events
If are visible
an incident happensto thewithin
customer
AWS’s aftersphere
turning of on AWS CloudTrail
knowledge and controlin their
and this
account. results in loss, disclosure, or alteration of customer content, AWS will
incident
RS.AN-4: Incidents are · CIS CSC 19 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
categorized consistent with · COBIT 5 DSS02.02 Architectures, AWS Cloudwatch, Amazon Macie, IR-4 procedures
AWS will notifyto respond
customersto a serious outagebreach
of a security or degradation
in accordanceof AWS withservices,
the terms
response plans · ISA 62443-2-1:2009 4.3.4.5.6 AWS Managed Services, AWS Lambda, AWS IoT includinginthe
outlined therecovery
service model and with
agreement its implications
AWS. AWS’s on the business continuity
commitment plan.
· ISO/IEC 27001:2013 A.16.1.4 Defender, Amazon GuardDuty, Amazon Machine IR-5 AWS will notify customers of a security breach in accordance withtotheallterms
AWS
customers
outlined isthe
asservice
follows:agreement with AWS. AWS’s commitment to all AWS
inimplemented
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8 Learning, Amazon SageMaker, AWS WAF IR-8 AWS
If AWS hasbecomes aware aofformal, documented
any unlawful incident response
or unauthorized access to policy and
any customer
customers
program.
Refer(i.e., to the is
The as follows:
policy addresses purpose, scope, roles, responsibilities, and
data
If AWS anyfollowing
becomes personal
aware
AWS
data
of any
Audit
that Reports for
is uploaded
unlawful or to aadditional
customer’s
unauthorized
details:
AWS
access to
PCI 3.2, ISO
account)
any on
customer
management
27001, ISO
AWS’s equipment commitment.
27017, or NISTAWS’s800-53,facilities
SOC 2 COMMON CRITERIA
data
AWS (i.e., any personalindata that is uploaded andtothis unlawful
a customer’s or unauthorized
AWS account) on access
resultsuses
AWS’s
a three-phased
inequipment
loss, disclosure,
or in AWS’s
approach
or alteration to manage
facilities of and
customerincidents:
data, AWS
this unlawful will promptlyaccess
or unauthorized notify
1.
theActivation
customer and take
and Notification
reasonable Phasesteps– Incidents
reduce for
to customer AWS
thedata,
effects begin with the detection
of this
results
of in loss,
an event. disclosure,
Events originateor alteration
from several of sources such AWS
as: will security
promptly notify
incident.
•the customer
Metrics and and take–reasonable
alarms AWS steps to
maintains an
AWS defines, administers, and monitors security for the underlying cloud
reduce the effects
exceptional of thisawareness
situational security
incident.
infrastructure
AWS defines, (i.e., the hardware,
administers, and the facilities
monitors housing the hardware,cloud and the
alarming of real
network infrastructure). time metrics and service security
dashboards. for theTheunderlying
majority of incidents are
infrastructure
detected in this(i.e., the hardware,
manner. AWS uses theearly
facilities housing
indicator alarmsthetohardware,
the
Because infrastructure).
network AWS manages the infrastructure and the security controls that apply to it,
issues
AWS can: that may ultimately impact customers.
•Because
Trouble
• Identify
AWS
tickets manages
entered the
by infrastructure
an AWS and the security controls that apply to it,
employee.
potential incidents affecting the infrastructure.
•AWS Calls can:
to the 24x7x365 technical support hotline.
•• Identify
If
Determine
the event
if any access
potential
meets incidents
incident
to customer
affecting
criteria, the
data
the resulted from an incident.
infrastructure.
•• Determine
Determine if
AWS’s
if any
access
event ifmanagement
was to
access actually
customer
tool
unlawful
system data or unauthorized
resulted
to Security
start
(it would be
from an incident.
an engagement
•unauthorized
Determine it was was
if access in breach
actually of AWS'
unlawful Policies). (itand page relevant
program
If an incident resolvershappens(e.g.,within
AWS Security).
AWS’s Theor
sphere of
unauthorized
resolvers
knowledge will and would
perform
controlanbeanalysis
and this of
unauthorized
the incident toifdetermine
it was in breach of AWS'
if additional Security
incident results
If anapproximate
incident in loss,within
happens disclosure, or alteration of customer content, AWS
and will
the
promptly notify the cause. AWS’s
rootcustomer. AWS
sphere of knowledge
does this regardless of
and control
whether
this
the customer's
incident
2. Recovery resultsPhasein loss,
–orThe disclosure,
relevant or alteration
resolvers of
willnot customer
perform content,
break to AWS
fixcustomer
address will
the
content is
promptly After sensitive
notifyaddressing not,
the customer. because AWS
AWS does this does know
regardless what
of the
whether content
the customer's
incident.
is and protects all customer troubleshooting,
contentAWS in thedoes break
same fix and
robust way.affected components, the
content
will assign or not, because
follow-up documentation not
andknow what the
follow-up customer
actions content
and end the
is and
engagement.
RS.AN-5: Processes are · CIS CSC 4, 19 AWS Artifact, AWS Best Practices, AWS Reference SI-5 AWS Security notifies and coordinates with the appropriate service teams when
established to receive, analyze · COBIT 5 EDM03.02, DSS05.07 Architectures, Amazon S3, AWS Managed Services, PM-15 conducting
AWS Security security-related
teams also subscribe activitiestowithin the system
newsfeeds boundary.
for applicable Activities
vendor flaws and
and respond to vulnerabilities · NIST SP 800-53 Rev. 4 SI-5, PM-15 AWS Lambda, AWS IoT Defender, Amazon include vulnerability
proactively scanning,websites
monitor vendors’ contingency testing,
and other and incident
relevant outlets forresponse
new patches.
disclosed to the organization GuardDuty, Amazon Macie, AWS OpsWorks, AWS exercises. AWS performs external vulnerability assessments at least quarterly, and
from internal and external CloudFormation, Amazon Inspector, Amazon Machine identified issues are investigated and tracked to resolution. Additionally, AWS
Mitigation (RS.MI): Activities RS.MI-1: Incidents
sources (e.g. internalare
testing, · CIS CSC 19 AWS Artifact,
Learning, AWSSageMaker,
Amazon Best Practices,
AWS AWS
WAF, Amazon IR-4
Reference AWS
performs willunannounced
notify customers of a security
penetration tests bybreach in accordance
engaging independent withthird
the terms
parties to
are performed to prevent contained
security bulletins, or security · COBIT 5 APO12.06 Architectures,
SNS, Amazon CloudFormation, AWS Lambda,
SES, Amazon WorkMail outlined
probe theindefensesthe service andagreement with AWS.settings
device configuration AWS’swithin commitment to all AWS
the system.
expansion of an event, mitigate researchers) · ISA 62443-2-1:2009 4.3.4.5.6 Amazon SNS, Amazon SES, AWS Cloudwatch, AWS customers
AWS Security is asteams
follows: also subscribe to newsfeeds for applicable vendor flaws and
its effects, and eradicate the · ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4 CloudTrail, Amazon VPC, Security Groups, NACLS, If AWS becomes
proactively monitor aware of anywebsites
vendors’ unlawfuland or other
unauthorized
relevant access
outletstoforany newcustomer
patches.
incident. · ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 AWS Config, AWS Organizations, AWS Firewall data
AWS(i.e., any personal
customers also have datathe thatability
is uploaded
to report to issues
a customer’s
to AWSAWS account)
via the AWS on
· NIST SP 800-53 Rev. 4 IR-4 Manager, AWS PrivateLink, AWS Systems Manager, AWS’s
Vulnerabilityequipment Reportingor in AWS’s
website facilities and this unlawful or unauthorized access
at http://aws.amazon.com/security/vulnerability-
AWS OpsWorks, Amazon Macie, AWS Managed results
reporting/.in loss, disclosure, or alteration of customer data, AWS will promptly notify
Services, AWS IoT Defender the customer and take reasonable steps to reduce the effects of this security
incident.
infrastructure (i.e., the hardware, the facilities housing the hardware, and the
Because AWS manages the infrastructure and the security controls that apply to it,
AWS can:
• Determine if access was actually unlawful or unauthorized (it would be
unauthorized if it was in breach of AWS' Security Policies).
RS.MI-2: Incidents are · CIS CSC 4, 19 AWS Artifact, AWS Best Practices, AWS Reference IR-4 AWS will notify customers of a security breach in accordance with the terms
mitigated · COBIT 5 APO12.06 Architectures, AWS CloudFormation, AWS Lambda, outlined in the service agreement with AWS. AWS’s commitment to all AWS
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10 AWS Cloudwatch, AWS CloudTrail, AWS Config, customers is as follows:
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 AWS Systems Manager, AWS OpsWorks, Amazon If AWS becomes aware of any unlawful or unauthorized access to any customer
· NIST SP 800-53 Rev. 4 IR-4 Macie, AWS Managed Services, AWS IoT Defender data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized access
results in loss, disclosure, or alteration of customer data, AWS will promptly notify
the customer and take reasonable steps to reduce the effects of this security
incident.
Because AWS manages the infrastructure and the security controls that apply to it,
AWS can:
RS.MI-3: Newly identified · CIS CSC 4 AWS Artifact, AWS Best Practices, AWS Reference CA-7 AWS conducts monthly monitoring of its security posture through a continuous risk
vulnerabilities are mitigated or · COBIT 5 APO12.06 Architectures, AWS Managed Services, AWS Lambda, assessment and monitoring process. Additionally, annual security assessments are
documented as accepted risks · ISO/IEC 27001:2013 A.12.6.1 AWS IoT Defender, Amazon GuardDuty, Amazon conducted by an accredited Third-Party Assessment Organization (3PAO) to
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5 Macie, Amazon Inspector, Amazon Machine Learning, validate that implemented security controls continue to be effective. Security
Amazon SageMaker, AWS WAF assessments that include a risk analysis and a Plan of Action and Milestones
(POA&M) are submitted to authorizing officials for review and approval.
RA-3 AWS performs a continuous risk assessment process to identify, evaluate and
RA-5 mitigate
AWS risks across
Security theand
notifies company. The process
coordinates with theinvolves
appropriatedeveloping and when
service teams
implementing
conducting risk treatmentactivities
security-related plans to mitigate
within risks
the as necessary.
system boundary. The AWS risk
Activities
Improvements (RS.IM): RS.IM-1: Response plans · COBIT 5 BAI01.13 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The AWS Business
management Continuity
team monitors andpolicy laysrisks
escalates out the
on guidelines
a and
continuous used to implement
basis, performing
Organizational response incorporate lessons learned · ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4 Architectures include vulnerability
procedures to respond scanning, contingency
to a implemented
serious or testing,
outagecontrols
degradation incident
of AWS response
services,
risk assessments
exercises. AWS on newly
performs external vulnerability at least every
assessments at six months.
least quarterly, and
activities are improved by · ISO/IEC 27001:2013 A.16.1.6, Clause 10 including the recovery model and its implications on the business continuity plan.
incorporating lessons learned · NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 identified issues are investigated and tracked to resolution. Additionally, AWS
from current and previous performs unannounced penetration tests by engaging independent third parties to
detection/response activities. probe the defenses and device configuration settings within the system.
Refer to the following AWS Audit Reports for additional details: PCI 3.2, ISO
AWS
27001,Security teams
ISO 27017, also 800-53,
NIST subscribeSOCto newsfeeds
2 COMMON for applicable
CRITERIAvendor flaws and
proactively monitor vendors’ websites and other relevant outlets for new patches.
reporting/.
IR-4 AWS will notify customers of a security breach in accordance with the terms
IR-8 outlined
AWS hasinimplemented
the service agreement with AWS. AWS’s
a formal, documented incidentcommitment
response policy to alland
AWS
customersThe
program. is aspolicy
follows: addresses purpose, scope, roles, responsibilities, and
RS.IM-2: Response strategies · COBIT 5 BAI01.13, DSS04.08 AWS Artifact, AWS Best Practices, AWS Reference CP-2 The
If AWS AWS Business
becomes Continuity
aware policy lays
of any unlawful or out the guidelines
unauthorized used
access to to
anyimplement
customer
are updated · ISO/IEC 27001:2013 A.16.1.6, Clause 10 Architectures management
procedures tocommitment.
respond
data (i.e.,
AWS usesany personalto
a three-phased
a serious
data that is outage
approach uploaded or to
degradation
toimplications
manage a customer’s
incidents:
of AWS
AWSservices,
account) on
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 including
AWS’s the
equipmentrecovery model
or in AWS’sPhase and its
facilities and thisfor on the
unlawful business continuity
or unauthorized plan.
access
1. Activation and Notification – Incidents AWS begin with the detection
results
of in loss,
an event. disclosure,
Events originateor alteration
from several of customer
sources such data,as:
AWS will promptly notify
•the
Refer
customer
Metricsto the
and
andfollowing
alarmstake–reasonable
AWS Audit
AWS
steps to
maintains
Reports anreduce the effects
exceptional
for additional
of thisawareness
situational
details:
security
PCI 3.2, ISO
incident. most issues are rapidly detected from 24x7x365 monitoring and
capability;
27001,
AWS defines, ISO 27017, NIST 800-53,
administers, and SOC 2 COMMON
monitors CRITERIA
alarming of real time metrics and service security
dashboards. for the
Theunderlying
majority of cloud
incidents are
infrastructure
detected in this(i.e., the hardware,
manner. AWS uses theearly
facilities housing
the
network
issues thatinfrastructure).
•Because
TroubleAWS tickets manages
•AWSCallscan:to the 24x7x365 technical support hotline.
• Identify
If the event potential incidents
meets incident affecting
• Determine
systemdata resulted
• Determine
program if access
resolvers was
(e.g., actually
AWS unlawful
Security). Theorresolvers
unauthorized (it would
will perform anbeanalysis of
unauthorized
If an incident happens
the approximate root cause. within AWS’s sphere of knowledge and control and this
incident
2. Recovery Phase – The relevant resolvers will perform break fix to AWS
results in loss, disclosure, or alteration of customer content, address will
the
promptly notify the customer. AWS does this regardless
incident. After addressing troubleshooting, break fix and affected components, of whether the customer's
the
content
follow-up AWS does not
documentation andknow what the
follow-up customer
actions content
and end the
is and protects
call engagement. all customer content in the same robust way.
IR-4 To ensure
AWS will thenotifyeffectiveness
customers of the a security
AWS incident
breach inresponse
accordanceplan,with
AWS theconducts
terms
IR-8 incident
outlined
AWS hasresponse
inimplemented
the servicetesting.
agreement
This testing
a formal, with provides
AWS. AWS’s
documented excellent
incident commitment
coverage
response for
to all
policy the AWS
and discovery
of previously
customers
program. is as
The unknown
follows:
policy defects purpose,
addresses and failure modes.
scope, In addition,
roles, it allows
responsibilities, andthe AWS
Security
If AWS becomes
management and service aware
commitment. teams of any
to testunlawful
the systemsor unauthorized
for potential access
customer
to any impact
customerand
further
data prepare
(i.e., any staff
personal to handle
data incidents
that is
AWS uses a three-phased approach to manage incidents: uploaded such as
to a detection
customer’s and analysis,
AWS account) on
containment,
AWS’s equipmenteradication,
or in and
AWS’s recovery,
facilities and
and post-incident
this unlawful
1. Activation and Notification Phase – Incidents for AWS begin with the detection activities.
or unauthorized access
The
resultsincident
in loss, response
disclosure, test plan
or is executed
alteration
of an event. Events originate from several sources such as: of annually,
customer in
data,conjunction
AWS will with the
promptly notify
incident
the customer
• Metrics response
and andalarms plan.
take The test
–reasonable
AWS plan
steps
maintains includes
to
anreduce multiple scenarios,
the effects
exceptional of thispotential
situational securityvectors
awareness
of
incident.
attack, and
capability; mosttheissues
inclusion of the systems
are rapidly detectedintegrator
from 24x7x365in reporting and coordination
monitoring and
(when
AWS defines,
applicable), administers,
as well as
andvarying
monitors reporting/detection
security for
alarming of real time metrics and service dashboards. The majority of incidents are the underlying
avenues (i.e.
cloud
customer
infrastructure
detected in this(i.e., the
manner. AWS hardware,
reporting/detecting).
AWS usestheearly
facilities housing
the
AWS
network
issues incident
thatinfrastructure).
maymanagement
ultimately impact planning, testing, and test results are reviewed by third-
customers.
party
Because
• Trouble auditors.
AWS
tickets manages
AWS can:
•IfIdentify
the event potential incidents
meets incident affecting
• Determine
systemdata resulted
• Determine
program if access
resolvers was
(e.g., actually
AWS unlawful
Security). Theorresolvers
unauthorized (it would
will perform anbeanalysis of
unauthorized
If anapproximate
the incident happens within AWS’s sphere of knowledge and control and this
root cause.
incident
2. Recovery results
Phasein loss,
– The disclosure, or alteration
relevant resolvers will of customer
perform content,
break fix to AWS
address will
the
promptly After
troubleshooting, regardless
break fix and of whether
components, the
content
follow-up AWS does not
documentation andknow what the
follow-up customer
actions content
and end the
is and
engagement.
incident response plan. The test plan includes multiple scenarios, potential vectors
of attack, and the inclusion of the systems integrator in reporting and coordination
(when applicable), as well as varying reporting/detection avenues (i.e. customer
reporting/detecting, AWS reporting/detecting).
AWS incident management planning, testing, and test results are reviewed by third-
party auditors.
AWS customers are responsible for providing for the recovery and reconstitution of the
information system to a known state after a disruption, compromise, or failure.
AWS customers are responsible for developing a contingency plan for their system that: 1)
Identifies
AWS essential
customers aremissions and for
responsible business functionsanand
implementing associated
incident handlingcontingency
capability requirements,
for security 2)
Provides recovery
incidents objectives,
that includes restoration
preparation, priorities, and metrics, 3) Addresses contingency roles,
AWS customers
responsibilities, are assigned
and responsible for detection
developing
individuals with
andananalysis,
Incident
contact
containment,
Response
information, Planeradication,
(IRP) that:
4)customers
Addresses
and recovery
maintaining
in
1) accordance
Provides with
their their incident
organization response policy. In addition, AWS are responsible for2)
AWS customers
essential missions
coordinating are
and
incident businesswith
responsible
handling foradeveloping
roadmap
functions
activities
for
despite
with
implementing
a an
contingency
information
contingency plan
planning
its incident
for
system their response
system
disruption,
activities;
capability,
that: 1)
compromise,
incorporating
Describes
Identifies
or failure, the structure
essential
5) Addresses and
missions organization
and
eventual, business offunctions
the incident
full information and response
system associated capability,
restoration contingency
without 3)deterioration
Provides a high-
requirements, 2)
of the
lessons learned
level approach from ongoing
for objectives,
how incident
the incident handling
response activities
capability into
fits incident response procedures,
Provides
security
training, recovery
safeguards
and originally
testing/exercises; restoration
planned
and andpriorities,
implemented,
implementing theand andinto
metrics,
resulting
the
6)changes
Is overall organization,
3)reviewed
Addresses and
accordingly.approved4)by
contingency Meets
roles,
the unique requirements
responsibilities, of theindividuals
and assigned
organization-defined personnel organization,
or roles inwith which
contact
accordance relate tothe
mission,
information,
with 4)size, structure,
Addresses
contingency planning and functions,
maintaining
policy.
5) Defines
essential reportable
missions andincidents, 6) Provides
business functions metrics
despite an for measuringsystem
information the incident response
disruption, capability
compromise,
within
or
AWS the 5)
failure, organization,
Addresses
customers 7) Defines
eventual,
are responsible the
full
for resourcescopies
information
distributing and management
systemof restoration support
the contingency withoutneeded
plan to effectively
deterioration of the
to organization-
maintain
security andcontingency
matureoriginally
safeguards
defined key an incident response
planned
personnel andcapability,
implemented,
(identified by name andand/or
8) Is6)reviewed
and byIsrole)
reviewedandorganizational
and approved
and by by
approved
elements. Contingency personnel
personnel or roles.
planningoractivities
roles in must
accordance with the contingency
be coordinated with incidentplanning
handlingpolicy.
activities.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy
AWS
AWS customers
customers
and updated are
are responsible
responsible
to address changes to for distributing
fortheir
distributing copies of
of the
the IRP
copiessystem,
organization, to organization
contingency defined
planoftooperation
or environment incident
organization-
and
response
defined key
problems personnel (identified
contingency
encountered by name
personnel
during and/or by
(identified
implementation, role) andand/or
name
execution, organizational elements.
by role) and
or testing. The IRP must be
organizational
review
elements.andContingency
updated at aplanning
frequency defined must
activities by thebeincident response
coordinated withpolicy to handling
incident address activities.
The
AWScontingency
customers are changes
planresponsible or problems
must be reviewed encountered
at a frequency
for communicating during plan
defined inplan
contingency implementation,
the contingency execution, or
planning policy
changes to organization-
testing.
and
defined Changes
updated
personnel to the
to address IRP must
changes
and for be communicated
to their
protecting theorganization, to organization-defined
system,
contingency plan fromorunauthorized incident
environment disclosureresponse
of operation
andand
personnel
problems (identified byduring
encountered
modification. nameimplementation,
and/or role) and execution,
organizational elements.
or testing.
AWS
AWS customers
customers are
are responsible
responsible for
for protecting the IRP
communicating from unauthorized
contingency disclosure
plan changes and
to organization-
modification.
defined personnel and for protecting the contingency plan from unauthorized disclosure and
modification.
AWS customers are responsible for providing contingency training to system users consistent with
assigned
AWS roles and
customers areresponsibilities.
responsible forTraining must
testing the be provided
incident response within an organization-defined
capability for their system at time
an
period of assuming the
organization-defined role, as required
frequency using by system changes,tests
organization-defined and at
to an organization-defined
determine the that:
incident response
AWS customers
frequency are responsible
thereafter. for developing an Incident Response Plan (IRP)
effectiveness
1) Provides andorganization
their documentingwith the results.
AWS customers are responsible forareviewing
roadmap forandimplementing
analyzing audit itsrecords
incidentatresponse capability, 2)
an organization-
Describes the structure and organization of the incident response capability, 3) Provides
defined frequency for indications of organization-defined inappropriate or unusual activity and a high-
level approach
reporting these for how the
findings incident response capability
to organization-defined fitsorinto
personnel theinoverall
roles organization,
accordance 4) audit
with their Meets
the
and unique requirements
accountability policy.of the organization, which relate to mission, size, structure, and functions,
5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability
within the organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved by
organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization defined incident
response personnel (identified by name and/or role) and organizational elements. The IRP must be
review and updated at a frequency defined by the incident response policy to address
system/organizational changes or problems encountered during plan implementation, execution, or
testing. Changes to the IRP must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational elements.
AWS customers are responsible for protecting the IRP from unauthorized disclosure and
modification.
AWS customers are responsible for requiring their personnel to report suspected security incidents
to the customers
AWS organizational incident response
are responsible capabilityanwithin
for developing Incident an Response
Plan (IRP) that: time period and
forProvides
1) reportingtheir incident information
organization with to organization-defined authorities.
AWS customers are responsible foraconducting
roadmap for implementing
security assessments its incident
for theirresponse
systems.capability,
Within this 2)
Describes
context andthe instructure
accordance andwithorganization
their of theassessment
security incident response and capability,policy,
authorization 3) Provides acustomers
high-
AWSapproach
level customers forarehow
responsible
the incident for response
reporting incidents for
capability fits customer
into thedescribes
overall virtualAWS
storage,organization, machines,
4) Meetsand
are responsible
applications for: 1)
unless caused Developing
by a security assessment plan that the security controls
the
and unique
control requirements
enhancements theAWS
ofunder or an incident
organization,
assessment, which
assessment
isrelate
the result of AWS
to mission,
procedures
action.
size,
used
AWSand
structure,
to determine
customers
functions,are
responsible
5) for providing
Defines reportable a point6)ofProvides
incidents, contact and metrics escalation plan to AWS
for measuring thethe in orderresponse
incident to facilitate
effectiveness,
ongoingthe incident the communications.
assessment environment, the assessment team, and assessment rolescapability and
within
responsibilities,organization,
2) Assessing 7) Defines
security thecontrols
resources in and
theirmanagement
system and its support needed to
environment of effectively
operation at
maintain
an and mature an incident
organization-defined frequency response
to determine capability, the extent and 8)toIswhichreviewedcontrols and approved by
AWS customers should
organization-defined work
personnel with
orand AWS
roles. to develop an agreed upon the reporting process are implemented
and method
correctly, operating as intended, producing the desired
to receive notification of security incidents involving the potential breach of customer data. outcome with respect to meeting
established security requirements, 3) Producing a security assessment report that documents the
AWS customers
results of thethe are responsible
assessment, and 4) for distributing
Providing copiesofofthe
the results thesecurity
IRP to organization
control assessment definedtoincident
their
Throughout
response personnel incident response
(identified byor process,
name and/orAWS willand
role) keep the AWS customer’s
organizational elements.senior The IRP must be
management and other individuals roles.
review and updated at anecessary
frequencyparties defined informed
by the incident of response activities
response policy as totheaddress
investigation
progresses. Under certain
system/organizational circumstances,
changes or problems lawencountered
enforcement agencies
during planmay become involved.
implementation, All or
execution,
requestsChanges
testing. for information
to the IRP by law
mustenforcement
be communicated will betohandled by AWS legal incident
organization-defined counsel. response
The AWS
Security team
personnel will, toby
(identified thenamebest of its ability,
and/or role) and comply with all information
organizational elements. requests as approved by
AWS legal counsel. Delivered materials will be reviewed by AWS Legal to ensure that AWS fully
AWS
complies customers
with theare are responsible
request, and the for developing a continuous monitoring strategy and
AWS customers responsible forAWS Chief the
protecting Information
IRP fromSecurity unauthorized Officer (CISO) will
disclosure and review for
implementing
compliance.
AWS customers a continuous
are responsible monitoring programaincontingency
for developing accordanceplan withfor theirtheirsecurity
systemassessment
that: 1) and
modification.
authorization
Identifies policymissions
essential that defines: and for 1) Metrics
business to be monitored,
functions and 2) Frequencies
associated contingency forrequirements,
monitoring and
AWS customers
reporting, and 3) are responsible
Personnel or restoration implementing
roles responsible foran incident
conducting handling
and capability
receiving for security 2)
continuous
Provides recovery
incidents that objectives,
includes preparation, detection priorities,
and and metrics,
analysis, 3) Addresses
containment, contingency
eradication, roles,
and customers
recovery
AWS customers
monitoring
responsibilities, analysisare responsible
information.
andtheir
assigned for
individuals developing
Pursuant to
with this an Incident
continuous
contact Response
monitoring
information, Plan (IRP)
program,
4)customers
Addressesare that:
AWS
maintaining
in
1) accordance
Provides with
their organization incident response policy. Inmonitoring
addition, AWS responsible for2)
are
N/A responsible
essential
coordinating missions for:
incidentand businesswith
1) Establishing
handling
aand
functions roadmap
configuring
despite for an implementing
information its
for incident
defined
system response
metrics,
disruption, 2)capability,
Monitoring
compromise,
Describes
and
or
AWS conducting
failure, the structure
assessments
5) Addresses
customers arehow
and as activities
organization
eventual,
responsible
with
of
full1)information
for:
thecontingency
Scanning
incident
for
planning
response
frequencies,
system restoration
vulnerabilities
activities;
capability,
3) in
Conducting
without
their
incorporating
3)deterioration
Provides
ongoingsystem
information
asecurity
high-
of theand
lessons
level
control learned
approach
assessments, from
for ongoing
4) the
Conductingincident
incident handling
response
ongoing activities
capability
security into
fits
status intoincident
thereviewed
monitoring response
overall
of procedures,
organization,
their organization- 4)byMeets
security
hosted
training, safeguards
applications
and originally
atresponsible
an of
testing/exercises; planned
organization-defined and implemented,
frequency and
and/or6) Is
randomly in and approved
accordance with their
AWS
the
defined customers
unique metrics,
areCorrelating
requirements
5) personnel the and
and
or
for:implementing
1) Monitoring
organization,
analyzing
roles in which the
security-related
accordance
resulting
their
relate
with tothe changes
information
mission,
information
contingency
accordingly.
system
size, to detect:
structure,
generated
planning and
by a) functions,
policy.
Attacks
andDefines
5) indicators reportable process
of monitoring,
potentialincidents, and6)when
attacks in new metrics
accordance
Provides vulnerabilities
with for potentially
measuring the affecting the objectives
monitoring
assessments
AWS customers
system/applications and are responsible
are 5) Taking
identified forand appropriate
developing
reported; a2) response
contingency
Employing actions
plan fortoincident
vulnerability address
their response
systemthe results
scanning that: capability
tools1)of
andthe
and
withinb) Unauthorized
analysis
Identifiesthe organization,
ofessential
security-relatedlocal, network,
7) Defines
information, and
the remote
resources
and connections;
and
6) Reporting management 2) Identifying
support
the contingency
security status unauthorized
needed
of their use
toorganization
effectively of
AWS customers
techniques
the that aremissions
promote responsible and forbusiness
interoperability functions
distributing
among copies
tools andand associated
of the
automated contingency
parts plan
of the requirements,
to organization-
vulnerability 2)
and information
maintain
Provides
defined
management keyand
the information
recovery system
mature
process
an through
system
objectives,
contingency incident
personnel
byStrategically
using
response
to restoration
the
standards
capability,
priorities,
(identified
for: a)by name and
Enumerating
techniques
and 8)
metrics,
and/or
and
Is reviewed
personnel by3)role)
platforms,
methods;
orAddresses
roles and
and
3)
approved Deploying
atorganizational
software the by
organization-
contingency
flaws, androles,
monitoring
defined frequency.
responsibilities, devices:
organization-defined and a) personnel
assigned within
oractivities
roles.
individuals the
with information
contact system
information, to collect
4)incident
Addresses organization-
maintaining
elements.
improper
determined Contingency
configurations,
essential planning
b) Formatting and must
making be coordinated
transparent with
checklists and handling
test activities.
procedures,
specific and
essential
The
c) Measuring missions
contingency andinformation
plan
vulnerability business
must be
impact;
and b) Atdespite
functions
reviewed 3) at a
Analyzing
ad hocanlocations
frequency information
defined
vulnerability
within
in
scan the
the system
system disruption,
contingency
reports and
to track compromise,
planning
results from policy
types
AWS
or of
failure, transactions
customers
5) to
Addresses of interest
are responsible
eventual, tofortheir
full organization;
distributing
information copies
system 4)ofProtecting
the IRP
restoration toinformation
organization obtained
without deterioration definedfrom incident
of the
and updated
security control
intrusion-monitoring address
assessments; changes
tools from4)byto their
Remediating
unauthorized organization,
legitimate
access, system, or environment
vulnerabilities
modification, andwithin
deletion; of operation
5) and
Heightening
response
security personnel
safeguards (identified
originally plannednameand and/or role) and
implemented, organizational
and 6) Is elements. The IRP by must be
problems
response
the leveland
review ofencountered
times in accordance
information
updated
during with
at a system
implementation,
frequency an
monitoring organizational
defined
execution,
activity
by whenever
the incident
or testing.
assessment thereof reviewed
risk;
is anand
and
5)
indication
approved
Sharing ofpolicy.
increased
information obtained personnel
from or roles
the vulnerability in accordance
scanning process withresponse
theand policy
contingency
security
toplanning
address
control
risk to organizational
system/organizational operations
changes and
orfor assets, encountered
problems individuals, other
during organizations,
plan implementation, or theassessments
Nation basedor
execution,
AWS
with
on customers
lawcustomers
enforcement are responsible
information,personnel communicating
or roles
intelligence to help
information, contingency
eliminate plan
similar
or other changes
vulnerabilities
credibleplan to
sources organization-
in
of other
information;
testing.
AWS
defined Changes
personnel to the
are IRPprotecting
responsible mustfor be communicated
distributing copies toplan
of the contingency incident response
to organization-
information
6) Obtaining
personnel
defined key legal and
systems
(identified
contingency
for
(i.e.,
opinion
by name systemic
withand/or
personnel regard thetocontingency
weaknesses
role)information
(identified andby or deficiencies).
namesystem
organizational
from unauthorized
and/ormonitoring
elements.
by role) and
disclosure
activities
organizational
and
in accordance
modification.
with applicable federal laws, Executive Orders,
elements.
Prior to Contingency
conducting planning
penetration activities
testing or must directives,
vulnerabilitybe coordinated policies,
scanning with or
activities,
regulations;
incident AWS handling andactivities.
customers
7)
are
Providing
AWScontingency
The organization-defined
customers are
plan responsible information
must be reviewed for protecting a system
atthe the IRP
frequency monitoring
from
defined information
unauthorized
in the contingency to organization-
disclosure and policy
planning
required
defined
modification. to request
personnel orauthorization
roles as needed through or in followingwith
accordance URL: an or
organization-defined frequency.
and updated to address changes to their
https://aws.amazon.com/security/penetration-testing/. organization, system, environment of operation and
problems encountered during implementation, execution, or testing.
RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle): RDS Specific (Postgres,
AWS
MySQL,customers are SQL
MariaDB, responsible
Server, for communicating
Aurora, contingency
Oracle): AWS Customersplan
arechanges to organization-
responsible for meeting
defined personnel
scanning and for
requirements on protecting the contingency
their databases plan
in accordance from
with unauthorized disclosure
organization-defined and
frequency
modification.
and/or when new vulnerabilities have been identified. Also, AWS Customers are required to
remediate legitimate findings within the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
Customers offload database management tasks such as hardware or software provisioning, setup
and configuration, software patching, operating a reliable, distributed database cluster, or
partitioning data over multiple instances as you scale.
AWS customers are responsible for implementing an incident handling capability for security
incidents that includes
AWS customers preparation,
are responsible for detection
developing andananalysis,
Incidentcontainment,
Response Plan eradication,
(IRP) that:and recovery
in
1) accordance
Provides their with their incident
organization withresponse
a roadmappolicy. In addition, AWS
for implementing customers
its incident are responsible
response capability,for2)
N/A
coordinating
Describes theincident
structurehandling activities of
and organization with
thecontingency planning
incident response activities;
capability, 3) incorporating
Provides a high-
lessons
level learnedfor
approach from
howongoing incident
response activities
capability into
fits intoincident response
the overall procedures,
organization, 4) Meets
training,
the unique and testing/exercises;
requirements of the and implementing
organization, whichthe resulting
relate changes
to mission, accordingly.
size, structure, and functions,
AWS customers
5) Defines are responsible
reportable incidents, 6) for: 1) Receiving
Provides metricsinformation
for measuringsystemthe security
incident alerts, advisories,
response capability
and directives
within from organization-defined
the organization, externaland
7) Defines the resources organizations
management on support
an ongoing
neededbasis, 2) Generating
to effectively
internal
maintainsecurity
and maturealerts,
anadvisories, and directives
incident response as deemed
capability, and 8) Isnecessary,
reviewed3)and Disseminating
approved by security
alerts, advisories, andpersonnel
organization-defined directivesortoroles.
organization-defined personnel, roles, organizational elements
and/or external organizations, and 4) Implementing security directives in accordance with
established
AWS customers time frames or notifying
are responsible the issuing organization
for distributing copies of the of IRPthetodegree of noncompliance.
organization defined incident
modification.
AWS customers are responsible for reviewing and analyzing audit records at an organization-
defined frequency for indications of organization-defined inappropriate or unusual activity and
reporting these findings to organization-defined personnel or roles in accordance with their audit
and accountability policy.
implementing
AWS customers a continuous monitoring
are responsible program inan
for implementing accordance with theircapability
incident handling security assessment
for securityand
authorization
incidents that policy
includesthat defines: 1)detection
preparation, Metrics toand be analysis,
monitored, 2) Frequencies
containment, for monitoring
eradication, and
and recovery
AWS customers
reporting, 3) are
and with responsible
Personnel or rolesfor responsible
tracking and documenting
for information system security
in accordance
incidents. their incident response policy. Inconducting
addition, AWS and receiving
customers continuous
are responsible for
N/A
monitoring
coordinating analysis
incidentinformation. Pursuant
handling activities to this
with continuous
contingency monitoring
planning program,
activities; AWS customers
incorporating
are responsible
AWS
lessons learned for:
customers are1)
from Establishing
responsible
ongoing for:and
incident configuring
1)handling
Monitoring monitoring
their
activities informationfor defined
into incident system metrics,
responseto detect: 2) a)
Monitoring
procedures, Attacks
and conducting
indicators ofassessments
potential as and
attacks thefrequencies, 3) Conducting ongoing security
training,
AWS and testing/exercises;
customers are responsible forinimplementing
accordanceawith
developing organization-defined
resulting
contingency changes
plan monitoring
system that:objectives
accordingly.
for their 1)
control
and assessments, 4)
b) Unauthorized Conducting
local, network, ongoing
and remotesecurity status monitoring
connections; 2) Identifyingof their organization-
unauthorized use of
Identifies
AWS essential
customers aremissions
responsibleand for
business functions
implementing anand associated
incident contingency
handling capability requirements,
forby security 2)
defined
the metrics,system
information 5) Correlating
through and analyzing
organization-definedsecurity-related
techniques information
andAddresses generated
methods; 3) Deploying
Provides
incidents recovery
that objectives,
includes restoration
preparation, priorities,
detection and metrics, 3) contingency roles,
assessments
monitoring and monitoring,
devices:
responsibilities, and a) 5) Taking
Strategically
assigned individualswithin theand
appropriate
with
analysis,
response
information
contact
containment,
system
information, 4)
eradication,
actionstotocollect
address
Addresses
and recovery
the results
organization-
maintaining
of the
in accordance
analysis
determined with their
of security-related
essential incident response
information, andpolicy.
ad6)hoc In addition,
Reporting AWSthe
thewithin
security customers
status are
ofto
theirresponsible
specific for
organization
essential missions
coordinating andinformation
incident handling
and b) At
businessactivities
functions despite
with anlocations
information
contingency planning system system
disruption,
activities;
track
compromise,
incorporating
and the
types ofinformation
transactions system to the
of interest organization-defined
tofull
theirinformation
organization; 4)personnel
Protecting orinformation
roles at theobtained
organization-from
or failure,
lessons 5) Addresses
learned from eventual,
ongoing incident handling system
activities restoration
into incident without
response deterioration
procedures, of the
defined frequency. tools from unauthorized access, modification, and deletion; 5) Heightening
intrusion-monitoring
security
training, safeguards originally planned and implemented, and 6)changes
Is reviewed and approved by
the level and testing/exercises;
of information
organization-defined systemand
personnel or
implementing
monitoring activity
roles in accordance
thewhenever
resulting
with thethere is anaccordingly.
contingency indication
planningofpolicy.
increased
risk to organizational operations and assets, individuals, other organizations, or the Nation based
on lawcustomers
AWS enforcement are information,
responsible for intelligence
distributinginformation,
copies of the or other credibleplan
contingency sources of information;
to organization-
6) Obtaining
defined legal opinion
key contingency with regard
personnel to information
(identified by namesystemand/ormonitoring
by role) and activities in accordance
organizational
with applicable
elements. federal laws,
Contingency planningExecutive
activitiesOrders,
must directives,
be coordinated policies,
with or regulations;
incident handlingandactivities.
7)
Providing
The organization-defined
contingency information
plan must be reviewed at a system
frequency monitoring
defined in information to organization-
the contingency planning policy
defined
and personnel
updated or roles
to address as needed
changes to theiror in accordancesystem,
organization, with an ororganization-defined
environment of operation frequency.
and
problems encountered during implementation, execution, or testing.
AWS customers are responsible for communicating contingency plan changes to organization-
modification.
AWS customers are responsible for implementing and configuring an audit reduction and report
generation
AWS capability
customers that: 1) Supports
are responsible on-demand an
for implementing audit review,
incident analysis,
handling and reporting
capability for security
requirements
incidents that and after-the-fact
includes investigations
preparation, of security
detection and analysis,incidents and 2)eradication,
containment, Does not alter
and the
recovery
original
in content
accordance or time
with their ordering
incident of audit records.
response policy. In addition, AWS customers are responsible for
coordinating incident handling activities with contingency planning activities; incorporating
lessons learned from ongoing incident handling activities into incident response procedures,
training, and testing/exercises; and implementing the resulting changes accordingly.
AWS customers are responsible for developing a contingency plan for their system that: 1)
Identifies
AWS essential
customers aremissions
responsibleand for
business functionsanand
implementing associated
incident handlingcontingency
capability requirements,
for security 2)
Provides recovery
incidents objectives,
that includes restoration
preparation, priorities, and metrics, 3) Addresses contingency roles,
AWS customers
responsibilities, are assigned
and responsible for detection and documenting
tracking and
individuals
analysis, containment,
information eradication, and recovery
systemmaintaining
security
in accordance with
incidents. their incident responsewith contact
policy. information,
In addition, AWS4)customers
Addresses are responsible for
AWS customers
essential missions
coordinating are
incident responsible
and handling for developing
businessactivities
functions despite
with ananIncident Response
information
contingency planning system Plan (IRP)
disruption,
activities; that:
compromise,
incorporating
1) Provides
or failure,
lessons their organization
5) Addresses
learned from ongoing with
eventual, a roadmap for
full information
incident implementing
system into
handling activities its
restoration incident
incidentwithout response
response capability,
deterioration
procedures, of the 2)
Describes the structure
security safeguards
training, and organization
originally planned
and testing/exercises; of the incident
and implemented,
and implementing response capability,
and 6)changes
the resulting Is reviewed 3) Provides
and approved by
accordingly. a high-
level approach for how
organization-defined the incident
personnel response
or roles capabilitywith
in accordance fits the
intocontingency
the overall organization,
planning policy. 4) Meets
the unique requirements of the organization, which relate to mission, size, structure, and functions,
5)
AWSDefines reportable
customers incidents, 6)
are responsible forProvides metrics
distributing for of
copies measuring the incident
the contingency plan response capability
to organization-
within
definedthekeyorganization,
contingency7) Defines (identified
personnel the resourcesby and
name management
and/or by role) support
and needed to effectively
organizational
maintain
elements.and mature anplanning
Contingency incident response
activities capability, and 8) Is reviewed
must be coordinated with incidentand approved by
handling activities.
The contingency planpersonnel or roles. at a frequency defined in the contingency planning policy
must be reviewed
and updated to address changes to their organization, system, or environment of operation and
AWS customers
problems are responsible
encountered for distributingexecution,
during implementation, copies of or thetesting.
IRP to organization defined incident
review and updated
AWS customers are at a frequency
responsible fordefined by the incident
communicating response
contingency planpolicy to address
changes to organization-
defined personnel and changes or problems
for protecting encountered
the contingency planduring
from plan implementation,
unauthorized disclosure execution,
and or
modification.
modification.
AWS customers are responsible for: 1) Receiving information system security alerts, advisories,
and
N/Adirectives from organization-defined external organizations on an ongoing basis, 2) Generating
internal security alerts, advisories, and directives as deemed necessary, 3) Disseminating security
alerts, advisories, and directives to organization-defined personnel, roles, organizational elements
and/or external organizations, and 4) Implementing security directives in accordance with
AWS customers
established are responsible
time frames for implementing
or notifying an incidentofhandling
the issuing organization capability
the degree for security
of noncompliance.
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
incidents that includes preparation, detection and analysis, containment, eradication, and recovery
in accordance with their incident response policy. In addition, AWS customers are responsible for
implementing a continuous monitoring program in accordance with their security assessment and
authorization policy that defines: 1) Metrics to be monitored, 2) Frequencies for monitoring and
reporting, and 3) Personnel or roles responsible for conducting and receiving continuous
monitoring analysis information. Pursuant to this continuous monitoring program, AWS customers
are responsible for: 1) Establishing and configuring monitoring for defined metrics, 2) Monitoring
and conducting assessments as organization-defined frequencies, 3) Conducting ongoing security
control assessments, 4) Conducting ongoing security status monitoring of their organization-
defined metrics, 5) Correlating and analyzing security-related information generated by
assessments and monitoring, 5) Taking appropriate response actions to address the results of the
analysis of security-related information, and 6) Reporting the security status of their organization
and the information system to the organization-defined personnel or roles at the organization-
defined frequency.
AWS customers are responsible for: 1) Conducting an assessment of risk to include the likelihood
and magnitude
AWS customersofare harm from the for:
responsible unauthorized
1) Scanning access, use, disclosure,
for vulnerabilities in disruption, modification,
their information system orand
destruction
hosted of their information
applications atresponsible system and thefrequency
an organization-defined information it processes,
and/or randomly stores, or transmits,with2)their
AWS customers
Documenting riskare
assessment for developing
results in new
the systema contingency
plan, security plan for theirinsystem
assessment
accordance
report, that: 1)
Identifies processand
essential missions and when
business vulnerabilities
functions potentially
and associated affecting
contingency the or other 2)
requirements,
system/applications document,
are identified 3) Reviewing
and reported; risk
2) assessment
Employing results at an organization-defined
vulnerability scanning tools and
Provides recovery
frequency, 4) objectives,risk
restoration priorities, andorganization-defined
metrics, 3) Addresses contingency roles,and
techniques thatDisseminating
responsibilities, promote
and assigned
assessment
interoperability
individuals amongresults
toolstoand
with contact automated4)parts
information, ofpersonnel
Addresses
or roles,
the vulnerability
5) Updating the
management risk
process assessment
bybusiness at an organization-defined
using standards for: a) Enumerating frequency
platforms,or whenevermaintaining
thereand
are
essential missions
significant changesand to the functions
information despite
system an information
or environment systemsoftware
ofchecklistsdisruption,
operation
flaws,
(including compromise,
the
improper
or failure,configurations,
5) Addresses b) Formatting
eventual, and making
full information transparent
system restoration and
without test procedures,
deterioration and
of the
identification
c) Measuring of new threats
vulnerability and vulnerabilities)
impact; 3) Analyzing or other conditions
vulnerability scan that may
reports and impact
results the security
from
security
state safeguards
of the system. originally planned and implemented, and 6) Is reviewed and approved by
security control assessments;
organization-defined personnel 4)orRemediating legitimate
roles in accordance vulnerabilities
with the contingencywithin organization-defined
planning policy.
information
AWS customers obtained from the vulnerability
are responsible scanning
for distributing copiesprocess and security plan
of the contingency control assessments
to organization-
with organization-defined
defined key contingency personnelpersonnel(identified
or roles toby help
nameeliminate
and/or similar
by role)vulnerabilities
and organizational in other
information systems (i.e.,
elements. Contingency systemic
planning weaknesses
activities must orbe deficiencies).
coordinated with incident handling activities.
The contingency plan must be reviewed at a frequency defined in the contingency planning policy
Prior to conducting
and updated penetration
to address changes testing
to theiror vulnerabilitysystem,
organization, scanning activities, AWS
or environment customersand
of operation are
required
problemstoencountered
request authorization through the following
during implementation, execution,URL:
or testing.
AWS customers are responsible for communicating contingency plan changes to organization-
RDS Specific
defined (Postgres,
personnel and forMySQL, MariaDB,
protecting SQL Server,
the contingency plan Aurora, Oracle): RDS
from unauthorized Specificand
disclosure (Postgres,
MySQL, MariaDB, SQL Server, Aurora, Oracle): AWS Customers are responsible for meeting
modification.
scanning requirements on their databases in accordance with organization-defined frequency
and/or when new vulnerabilities have been identified. Also, AWS Customers are required to
remediate legitimate findings within the organization-defined timeframe.
DynamoDB Specific: This service is a fully managed cloud NoSQL database service. AWS
Customers offload database management tasks such as hardware or software provisioning, setup
and configuration, software patching, operating a reliable, distributed database cluster, or
partitioning
AWS customers
data are
overresponsible
multiple instances
for implementing
as you scale. an incident handling capability for security
incidents
AWS that includes
customers preparation,
developing andananalysis,
in accordance
1) Provides with
their their incident
organization withresponse policy. In addition, AWS customers are responsible for2)
AWS customers
coordinating are responsible foradeveloping
roadmap for implementing
a contingency planits for
incident response
their system capability,
that: 1)
Describes
Identifies theincident
structure
essential
handling
missions and
activities
and organization
business
with
of thecontingency
incident
functions
planning
and response
associated
activities;
capability,
contingency 3) incorporating
Provides a high-
requirements, 2)
lessons
level learnedfor
approach fromhowongoing incident
response activities
capability into
fits incident
into the response
overall procedures, Meets
organization,
Provides
training, recovery
and objectives,
testing/exercises; restoration
and priorities,
implementing theand metrics,
resulting 3)
changesAddresses contingency4)roles,
accordingly.
the unique requirements
responsibilities, of theindividuals
and assigned organization,
withwhich
contactrelate to mission,
information, 4)size, structure,
Addresses and functions,
maintaining
5) Defines
essential reportable
missions andincidents, 6) Provides
business functions metrics
despite an for measuringsystem
information the incident response
disruption, capability
compromise,
within
or the 5)
failure, organization, 7) Definesfull
Addresses eventual, theinformation
resources and management
system restoration support needed
without to effectively
deterioration of the
maintainsafeguards
security and matureoriginally
an incident response
planned andcapability,
implemented, and and
8) Is6)reviewed
Is reviewedand and
approved by by
approved
organization-defined personnel
organization-defined personnel or or roles
roles.in accordance with the contingency planning policy.
AWS customers
AWS customers are
are responsible
responsible for
for distributing
distributing copies
copies of
of the
the contingency
IRP to organization
plan to defined incident
organization-
responsekey
defined personnel (identified
contingency by name
personnel and/or by
(identified role) andand/or
name organizational elements.
by role) and The IRP must be
organizational
review andContingency
elements. updated at aplanning
frequency defined must
activities by thebeincident response
coordinated withpolicy to handling
incident address activities.
The changes
contingency plan must or problems
be reviewed at aencountered during in
frequency defined plan
theimplementation, execution,
contingency planning or
policy
testing.
and Changes
updated to the IRP
to address musttobetheir
changes communicated
organization, tosystem,
or environment incident response
of operation and
personnel encountered
problems (identified byduring
nameimplementation,
and/or role) and execution,
organizational elements.
or testing.
AWS customers
AWS customers are
are responsible
responsible for
for communicating
protecting the IRP from unauthorized
contingency disclosure
plan changes and
to organization-
modification.
modification.
incidents
AWS that includes
customers preparation,
developingandananalysis,
in accordance
1) Provides theirwith their incident
organization withresponse policy.
a roadmap In addition, AWS
for implementing customers
its incident are responsible
response capability,for2)
coordinating
Describes theincident
structurehandling activities of
and organization with
thecontingency planning
incident response activities;
capability, 3) incorporating
Provides a high-
lessons learnedfor
level approach from
howongoing incident
response activities
capability into
fits incident
into response
the overall procedures,
organization, 4) Meets
the unique requirements of the organization, which relate to mission, size, structure, and functions,
5) Defines reportable incidents, 6) Provides metrics for measuring the incident response capability
within the organization, 7) Defines the resources and management support needed to effectively
maintain and mature an incident response capability, and 8) Is reviewed and approved by
organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to organization defined incident
modification.
Note:
Recovery Planning (RC.RP): Recovery RC.RP-1: Recovery plan is executed · CIS CSC 10 AWS Certifications, Customer Responsibility CP-10 The AWS business continuity plan details the three-phased approach that AWS
processes and procedures are executed and during or after an event · COBIT 5 APO12.06, DSS02.05, DSS03.04 has developed to recover and reconstitute the AWS infrastructure:
maintained to ensure timely restoration of · ISO/IEC 27001:2013 A.16.1.5 • Activation and Notification Phase
systems or assets affected by cybersecurity · NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8 • Recovery Phase
events. • Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution
efforts in a methodical sequence, maximizing the effectiveness of the recovery
and reconstitution efforts and minimizing system outage time due to errors and
omissions.
AWS maintains a ubiquitous security control environment across all regions.
Each data center is built to physical, environmental, and security standards in an
active-active configuration, employing an n+1 redundancy model to ensure
system availability in the event of component failure. Components (N) have at
least one independent backup component (+1), so the backup component is
active in the operation even if all other components are fully functional. In order
to eliminate single points of failure, this model is applied throughout AWS,
including network and data center implementation. All data centers are online
and serving traffic; no data center is “cold.” In case of failure, there is sufficient
capacity to enable traffic to be load-balanced to the remaining sites.
outlined in the service agreement with AWS. AWS’s commitment to all AWS
customers is as follows:
If AWS becomes aware of any unlawful or unauthorized access to any customer
data (i.e., any personal data that is uploaded to a customer’s AWS account) on
AWS’s equipment or in AWS’s facilities and this unlawful or unauthorized
access results in loss, disclosure, or alteration of customer data, AWS will
promptly notify the customer and take reasonable steps to reduce the effects of
this security incident.
Because AWS manages the infrastructure and the security controls that apply to
it, AWS can:
promptly notify the customer. AWS does this regardless of whether the
customer's content is sensitive or not, because AWS does not know what the
customer content is and protects all customer content in the same robust way.
IR-8 AWS has implemented a formal, documented incident response policy and
program. The policy addresses purpose, scope, roles, responsibilities, and
management commitment.
1. Activation and Notification Phase – Incidents for AWS begin with the
detection of an event. Events originate from several sources such as:
alarming of real time metrics and service dashboards. The majority of incidents
are detected in this manner. AWS uses early indicator alarms to proactively
identify issues that may ultimately impact customers.
program resolvers (e.g., AWS Security). The resolvers will perform an analysis
of the incident to determine if additional resolvers should be engaged and to
incident. After addressing troubleshooting, break fix and affected components,
the call leader will assign follow-up documentation and follow-up actions and
end the call engagement.
3. Reconstitution Phase – The call leader will declare the recovery phase
complete after the relevant fix activities have been addressed. The post mortem
and deep root cause analysis of the incident will be assigned to the relevant
team. The results of the post mortem will be reviewed by relevant senior
management and actions and captured in a Correction of Errors (COE)
document and tracked to completion.
discovery of previously unknown defects and failure modes. In addition, it
allows the AWS Security and service teams to test the systems for potential
customer impact and further prepare staff to handle incidents such as detection
and analysis, containment, eradication, and recovery, and post-incident
Improvements (RC.IM): Recovery planning RC.IM-1: Recovery plans · COBIT 5 APO12.06, BAI05.07, DSS04.08 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
and processes are improved by incorporating incorporate lessons learned · ISA 62443-2-1:2009 4.4.3.4 procedures to respond to a serious outage or degradation of AWS services,
lessons learned into future activities. · ISO/IEC 27001:2013 A.16.1.6, Clause 10 including the recovery model and its implications on the business continuity
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 plan.
27001, ISO 27017, NIST 800-53, SOC 2 COMMON CRITERIA
it, AWS can:
RC.IM-2: Recovery strategies are · COBIT 5 APO12.06, BAI07.08 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
updated · ISO/IEC 27001:2013 A.16.1.6, Clause 10 procedures to respond to a serious outage or degradation of AWS services,
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 including the recovery model and its implications on the business continuity
plan.
it, AWS can:
Communications (RC.CO): Restoration RC.CO-1: Public relations are · COBIT 5 EDM03.02 Customer Responsibility N/A
activities are coordinated with internal and managed · ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
external parties, such as coordinating centers,
Internet Service Providers, owners of attacking
systems, victims, other CSIRTs, and vendors.
RC.CO-2: Reputation after an event · COBIT 5 MEA03.02 Customer Responsibility N/A
is repaired · ISO/IEC 27001:2013 Clause 7.4
RC.CO-3: Recovery activities are · COBIT 5 APO12.06 AWS Certifications, Customer Responsibility CP-2 The AWS Business Continuity policy lays out the guidelines used to implement
communicated to internal · ISO/IEC 27001:2013 Clause 7.4 procedures to respond to a serious outage or degradation of AWS services,
stakeholders and executive and · NIST SP 800-53 Rev. 4 CP-2, IR-4 including the recovery model and its implications on the business continuity
management teams plan.
it, AWS can:
AWS customers are responsible for providing for the recovery and
reconstitution of the information system to a known state after a
disruption, compromise, or failure.
AWS customers are responsible for implementing an incident

handling capability for security incidents that includes preparation,
detection and analysis, containment, eradication, and recovery in
accordance with their incident response policy. In addition, AWS
customers are responsible for coordinating incident handling
activities with contingency planning activities; incorporating lessons
learned from ongoing incident handling activities into incident
response procedures, training, and testing/exercises; and
implementing the resulting changes accordingly.
AWS customers are responsible for developing an Incident Response

Plan (IRP) that:
1) Provides their organization with a roadmap for implementing its
incident response capability, 2) Describes the structure and
organization of the incident response capability, 3) Provides a high-
level approach for how the incident response capability fits into the
overall organization, 4) Meets the unique requirements of the
organization, which relate to mission, size, structure, and functions, 5)
Defines reportable incidents, 6) Provides metrics for measuring the
incident response capability within the organization, 7) Defines the
resources and management support needed to effectively maintain
and mature an incident response capability, and 8) Is reviewed and
approved by organization-defined personnel or roles.
AWS customers are responsible for distributing copies of the IRP to

organization defined incident response personnel (identified by name
and/or role) and organizational elements. The IRP must be review and
updated at a frequency defined by the incident response policy to
address system/organizational changes or problems encountered
during plan implementation, execution, or testing. Changes to the IRP
must be communicated to organization-defined incident response
personnel (identified by name and/or role) and organizational
elements.
AWS customers are responsible for protecting the IRP from

AWS customers are responsible for developing a contingency plan for

their system that: 1) Identifies essential missions and business
functions and associated contingency requirements, 2) Provides
recovery objectives, restoration priorities, and metrics, 3) Addresses
contingency roles, responsibilities, and assigned individuals with
business functions despite an information system disruption,
compromise, or failure, 5) Addresses eventual, full information
system restoration without deterioration of the security safeguards
originally planned and implemented, and 6) Is reviewed and approved
by organization-defined personnel or roles in accordance with the
contingency planning policy.
AWS customers are responsible for distributing copies of the

contingency plan to organization-defined key contingency personnel
(identified by name and/or by role) and organizational elements.
Contingency planning activities must be coordinated with incident
handling activities. The contingency plan must be reviewed at a
frequency defined in the contingency planning policy and updated to
address changes to their organization, system, or environment of
operation and problems encountered during implementation,
execution, or testing.


Plan (IRP) that:

elements.






Plan (IRP) that:

elements.

N/A
N/A




Asset Management (ID - AM) : The Data, ID - AM-1: Physical Devices and Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Asset Management (ID - AM) : The Data, ID - AM-1: Physical Devices and Systems

Uploaded by

Copyright:

Available Formats

Note:

Technology - AWS employes various technologies to streamline and automate

PM-5 N/A N/A

PM-5 N/A N/A

AWS implements least privilege throughout its infrastructure components. AWS

AWS customers are responsible for distributing copies of the contingency

AWS customers are responsible for communicating contingency plan

SA-14 N/A N/A

AWS customers are responsible for distributing copies of the contingency

AWS customers are responsible for communicating contingency plan

PM-11 N/A N/A

AWS customers are responsible for distributing copies of the contingency

AWS customers are responsible for communicating contingency plan

AWS customers are responsible for distributing copies of the contingency

AWS customers are responsible for communicating contingency plan

SA-13 N/A N/A

PM-2 N/A N/A

Policies are reviewed approved by AWS leadership at least annually or following a

Policies are reviewed approved by AWS leadership at least annually or following a

PM-11 N/A N/A

Prior to conducting penetration testing or vulnerability scanning activities,

RDS Specific (Postgres, MySQL, MariaDB, SQL Server, Aurora, Oracle):

DynamoDB Specific: This service is a fully managed cloud NoSQL

The AWS service, including application programming interfaces (APIs), are

RDS Specific (MySQL, MariaDB, SQL Server and Postgres): AWS

RDS Specific (Oracle): AWS Customers are responsible for identifying,

SA-14 N/A N/A

Cardholder access to data centers is reviewed quarterly. Cardholders marked for

PM-13 Role-based training is provided. Much of this training is provided on an ongoing

AWS customers are responsible for developing, documenting,

AWS customers are responsible for developing, documenting,

More information on implementing these functions using IAM is

AWS customers are responsible for: 1) Establishing personnel security

AWS customers are responsible for establishing and managing

More information on these encryption options is available at

AWS customers are responsible for implementing mechanisms to

AWS customers are responsible for developing, documenting,

AWS customers are responsible for employing integrity verification

AWS customers are responsible for requiring the developer of their

AWS customers are responsible for conducting security assessments

AWS customers are responsible for developing, documenting,

More information on implementing logging with an AWS account is

AWS customers are responsible for defining auditing requirements,

AWS customers are responsible for configuring their systems to

More information on securing an Amazon VPC is available at

CA-3 A. There are no system interconnections.

CM-2 AWS has established formal policies and procedures to provide

SI-4 AWS deploys monitoring devices throughout the environment to collect

CA-7 AWS conducts monthly monitoring of its security posture through a

CA-7 AWS conducts monthly monitoring of its security posture through a

RA-3 AWS performs a continuous risk assessment process to identify,

SI-4 AWS deploys monitoring devices throughout the environment to collect

IR-8 AWS has implemented a formal, documented incident response policy

AU-12 AWS deploys monitoring devices throughout the environment to collect

CA-7 AWS conducts monthly monitoring of its security posture through a

SC-5 AWS operates, manages, and controls the infrastructure components,

SC-7 Several network fabrics exist at Amazon, each separated by boundary

SI-4 AWS deploys monitoring devices throughout the environment to collect

Physical access points to server locations are recorded by closed circuit

PE-6 Physical access to all AWS data centers housing IT infrastructure

AU-12 AWS deploys monitoring devices throughout the environment to collect

CM-10 AWS maintains a systematic approach, to planning and developing new

• Security Risk Assessment