TERMS AND CONDITIONS

You hereby agree that you will not distribute, display, or otherwise make this document available to an individual or entity, unless expressly permitted herein. This document is AWS Confidential Information (as defined in the AWS Customer Agreement), and you may not remove these terms and conditions from this document, nor take excerpts of this document, without Amazon’s express written consent. You may not use this document for purposes competitive with Amazon. You may distribute this document, in its complete form, upon the commercially reasonable request by (1) an end user of your service, to the extent that your service functions on relevant AWS offerings provided that such distribution is accompanied by documentation that details the function of AWS offerings in your service, provided that you have entered into a confidentiality agreement with the end user that includes terms not less restrictive than those provided herein and have named Amazon as an intended beneficiary, or (2) a regulator, so long as you request confidential treatment of this document (each (1) and (2) is deemed a “Permitted Recipient”). You must keep comprehensive records of all Permitted Recipient requests, and make such records available to Amazon and its auditors, upon request.

You further (i) acknowledge and agree that you do not acquire any rights against Amazon’s Service Auditors in connection with your receipt or use of this document, and (ii) release Amazon’s Service Auditor from any and all claims or causes of action that you have now or in the future against Amazon’s Service Auditor arising from this document. The foregoing sentence is meant for the benefit of Amazon’s Service Auditors, who are entitled to enforce it. “Service Auditor” means the party that created this document for Amazon or assisted Amazon with creating this document.


AWS Quality Management System Overview

Proprietary and Confidential Information - Trade Secret

©2015 Amazon.com, Inc. or its affiliates


Contents

1. Abstract ............ 4
2. Overview ............ 4
3. Supplier Evaluation of AWS ............ 4
4. AWS Quality Management System ............ 5
   4.1 Scope ............ 5
      4.1.1 AWS Services ............ 6
      4.1.2 Locations ............ 6
      4.1.3 AWS Assets ............ 6
   4.2 Planning of the Quality Management System ............ 6
      4.2.1 Quality Management System Objectives ............ 6
      4.2.2 Quality Management System Changes ............ 7
      4.2.3 Continuous Improvement of Quality Management System ............ 7
   4.3 Support of the Quality Management System ............ 7
      4.3.1 Commitment to Quality ............ 7
      4.3.2 Resources ............ 7
      4.3.3 Competence ............ 7
      4.3.4 Training & Awareness ............ 8
      4.3.5 Communication ............ 8
      4.3.6 Documented Information ............ 8
   4.4 Operation of the Quality Management System ............ 10
      4.4.1 Planning ............ 10
      4.4.2 Design and Development ............ 10
      4.4.3 Service Identification and Traceability ............ 10
      4.4.4 Control of externally provided processes, products and Services ............ 10
      4.4.5 Product and Service Provision – Service and Component Verification ............ 10
      4.4.6 Sales (Contract Review) ............ 11
      4.4.7 Customer Support ............ 11
      4.4.8 Incident & Interruption Response ............ 11
      4.4.9 Release of products and Services ............ 12
      4.4.10 Control of nonconforming outputs ............ 12
      4.4.11 Purchasing Controls ............ 12
   4.5 Performance Monitoring of the Quality Management System ............ 12

Amazon – Confidential Page 2 of 32


      4.5.1 AWS Audit Program ............ 12
      4.5.2 Management Review ............ 13
   4.6 Improvement within the Quality Management System ............ 13
      4.6.1 Preventive Action ............ 13
      4.6.2 Corrective Action ............ 14
      4.6.3 Continual Improvement ............ 14
Appendix A: Mapping of GxP requirements to AWS third party validated certifications ............ 15


1. Abstract

The objective of this whitepaper is to provide customers of Amazon Web Services (AWS) insight into how AWS implements, operates and monitors good commercial IT practices in the development of AWS products for our customers. Ensuring the quality and security of AWS products for our customers is at the core of this focus. As customers utilize AWS products as components of their regulated IT systems, including systems that operate regulated medical device software and computerized systems supporting Good Laboratory Practices, Good Clinical Practices and Good Manufacturing Practices (“GxP”), customers need to perform an evaluation of the product they are purchasing[1] and evaluate the supplier of the product. This whitepaper provides insight into the AWS quality management system. This information can be leveraged by a GxP customer during the performance of their supplier evaluation to establish that AWS can reliably deliver the AWS Products to the published interface specifications and Service Level Agreements (SLAs).

2. Overview

Amazon Web Services (AWS) is a secure cloud services[2] platform that offers a broad set of infrastructure services, such as compute, storage, database, analytics, application and deployment services, that are delivered as a utility: on-demand with pay-as-you-go pricing. AWS Products are all available online through a self-service management console, https://aws.amazon.com/account.

AWS Products are user-configurable, general purpose in nature, and delivered to commercial IT quality and security standards like ISO, NIST, SOC and others. This is similar to other general purpose IT products and services such as database engines, operating systems, programming languages, internet service providers, etc. Many organizations categorize AWS products as COTS infrastructure software products, which is consistent with the US federal government’s use of AWS Products as a COTS item through FedRAMP. Under FedRAMP, which inherits definitions from the US Federal Acquisition Regulation (FAR), COTS items are products or services that are offered and sold competitively in substantial quantities in the commercial marketplace based on an established catalog, offered without modification or customization, and offered under standard commercial terms and conditions. AWS customers with GxP requirements are responsible for categorizing AWS products using their applicable industry designations, such as Category 1 under the Good Automated Manufacturing Practices (GAMP) and Pharmaceutical Inspection Co-operation Scheme (PIC/S) guides for computerized systems in regulated GxP environments or, under medical device quality frameworks, Software of Unknown Provenance (SOUP), “black box” OTS components, or general purpose computing resources.

3. Supplier Evaluation of AWS

GxP Customers need to evaluate and select their potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements. In order to ensure the quality and security of AWS Products, AWS operates an industry-leading management control framework that conforms to current quality, security, and trust standards for commercial IT organizations. Compliance assessments of AWS controls are conducted on a recurring basis by qualified third-party auditors, and compliance reports from these assessments are made available to customers to enable them to evaluate AWS as a supplier. The AWS Compliance reports identify the scope of AWS products and regions assessed, as well as the assessor’s attestation of conformance. A supplier evaluation can be performed by leveraging these reports and certifications. To further facilitate this, Appendix A documents a mapping of AWS operated and independently validated controls to GxP requirements.

[1] Refer to the AWS Whitepaper “Considerations for using AWS Products in GxP systems” for additional information on the approach to evaluation of AWS Products.

[2] A web service is a self-contained, reusable software module that makes its functionality available to other software modules over internet protocols using standardized messaging formats like XML, JSON and plain text.

| Controls | Assessment Criteria | Auditor | Compliance Report |
|---|---|---|---|
| ISO 27001 | ISO/IEC 17021 & 27006 | EY CertifyPoint | https://aws.amazon.com/compliance/iso-27001-faqs/ |
| ISO 9001 | ISO/IEC 17021 | EY CertifyPoint | https://aws.amazon.com/compliance/iso-9001-faqs/ |
| SOC 1, SOC 2, SOC 3 | AT 801 & AT 101 Controls, TSP Sec. 100 Trust & Attestation | EY | https://aws.amazon.com/compliance/soc-faqs/ |
| FedRAMP/NIST 800-53r4 | NIST 800-53a | Veris Group | https://www.fedramp.gov/marketplace/compliant-systems/amazon-web-services-aws-eastwest-us-public-cloud/ |
| PCI-DSS v3.1 Level 1 | PCI DSS Security Audit Procedure | Coalfire | https://aws.amazon.com/compliance/pci-dss-level-1-faqs/ |
4. AWS Quality Management System

Amazon Web Services (AWS) is responsible for ensuring that good commercial IT practices are utilized in the design, development and operation of the AWS Products. AWS considers maintaining customer trust and confidence to be of the utmost importance and therefore defines the quality attributes for the AWS products in terms of Availability, Integrity and Confidentiality. The AWS quality management system addresses the elements necessary for AWS to implement quality management, including the organizational structure, responsibilities, procedures, processes, and resources.

This document describes the process approach of AWS for planning for quality, application to work activities, verification, and improvement. The following information is extracted directly from the AWS Quality Manual. The Quality Manual is reviewed, updated and approved at least annually, or more frequently if a major change has occurred. In addition, it is reviewed annually by AWS independent third party auditors as a part of AWS ongoing ISO 9001 certification[3].

4.1 Scope

AWS has established a quality management system which meets or exceeds the best practice guidelines established by the International Organization for Standardization (ISO). The quality management system applies to the development and operations of AWS Products (Services), including the AWS Services, AWS Infrastructure, and assets which support the development and operations of AWS Services. The key standards applicable to the quality management system include:

• ISO 9001:2008
• ISO/IEC 27001:2013
• ISO/IEC 27017
• ISO/IEC 27018:2014

[3] http://aws.amazon.com/compliance/iso-9001-faqs/

4.1.1 AWS Services

The AWS Services in the scope of the quality management system are listed within the ISO column on the following AWS webpage: https://aws.amazon.com/compliance/services-in-scope/.

4.1.2 Locations

The AWS Cloud infrastructure is built around Regions and Availability Zones (AZs). AWS Regions provide multiple, physically separated and isolated Availability Zones which are connected with low latency, high throughput, and highly redundant networking. These Availability Zones offer AWS customers an easier and more effective way to design and operate applications and databases, making them more highly available, fault tolerant, and scalable than traditional single datacenter infrastructures or multi-datacenter infrastructures. For customers who specifically need to replicate their data or applications over greater geographic distances, there are AWS Local Regions. An AWS Local Region is a single datacenter designed to complement an existing AWS Region. Like all AWS Regions, AWS Local Regions are completely isolated from other AWS Regions. Refer to the AWS Global Infrastructure webpage for a complete list of locations: https://aws.amazon.com/about-aws/global-infrastructure/.

4.1.3 AWS Assets

The scope of the AWS quality management system also encompasses the assets supporting the development and operations of AWS Services, which include the following:

• Documented information including, but not limited to, source code, system documentation and operational policies and procedures.
• Software assets including, but not limited to, client and server applications.
• Hardware assets including, but not limited to, servers, network components, racks, desktop and laptop computers, and storage media.
• Human resource assets including, but not limited to, Amazon employees, vendors, and subcontractors supporting AWS Services.
• Real estate assets including, but not limited to, corporate buildings and datacenters.

4.2 Planning of the Quality Management System

The AWS planning process defines service requirements and requirements for projects and contracts, and ensures customer needs and expectations are met or exceeded. Planning is achieved through a combination of business and service planning, project teams, quality improvement plans, review of service-related metrics and documentation, internal and supplier audits, and employee training. The AWS quality system is documented to ensure that planning is consistent with all other requirements.

4.2.1 Quality Management System Objectives

The AWS Quality Management System seeks to meet the following objectives:

• General Quality Objectives: AWS shall preserve the confidentiality, integrity and availability of AWS assets.
• Business Objectives: AWS shall provide services that support customer requirements (i.e. customer security and compliance requirements).
• Legal or Regulatory and Contractual Quality Objectives: AWS shall meet applicable regulatory requirements by safeguarding personally identifiable information. AWS shall meet contractual quality obligations.

4.2.2 Quality Management System Changes

On a periodic basis, no less frequently than once annually or when a major change has occurred, the AWS Quality Management System (QMS) is reviewed for alignment with AWS goals and objectives. Resulting changes to the QMS are reviewed, updated, and approved.

4.2.3 Continuous Improvement of Quality Management System

AWS’s risk management and assessment approach defines the periodic process of maintaining and continuously improving the quality management system. Through the use of reviews, evaluations, and risk management techniques, the objectives related to information security and quality are met. These objectives work to:

• Help protect interested parties, including internal stakeholders and external stakeholders, from expensive and disruptive incidents by identifying, prioritizing, and managing risks to the environment.
• Conduct risk assessment activities and facilitate the risk management process to drive informed business decision making based on identified risks.
• Support the QMS and help protect the confidentiality, integrity, and availability of AWS services and assets.

4.3 Support of the Quality Management System

4.3.1 Commitment to Quality

The AWS Leadership Team is responsible for ensuring an effective quality management system is established, maintained and communicated throughout the organization. The AWS Leadership Team demonstrates a commitment to quality by establishing and maintaining a systematic approach to defining and satisfying quality objectives, reviewing resourcing needs, and conducting management reviews. The quality objectives are demonstrated through the continual improvement efforts to meet the requirements set by various accreditations. Additionally, AWS maintains a Quality Policy and a supporting Quality Manual which is reviewed, updated, approved and published at least annually, or more frequently if a major change should occur.

4.3.2 Resources

The AWS Leadership Team ensures that resources, infrastructure, and processes are identified and assigned to appropriate tasks as needed to execute the requirements of the quality management system. Each functional task is assigned to employees whose responsibilities are summarized and documented in job descriptions. Job descriptions establish the requirements of the task to be performed as well as the education and skill requirements.

4.3.3 Competence

AWS strives to hire the best. Pre-employment screening of AWS employees is conducted commensurate with the employee’s position and level of access to the AWS facilities, and in alignment with applicable local laws. Additionally, an annual formal evaluation of resourcing and staffing is completed, including assessment of employees’ qualification alignment with AWS objectives.

4.3.4 Training & Awareness

Personnel at all levels of the organization are experienced and receive training in the skill areas of their jobs and other assigned training. Training needs are identified to ensure that training is continuously provided and is appropriate for each operation (process) affecting quality. Personnel required to work under special conditions or requiring specialized skills are trained to ensure their competency. Records of training and certification are maintained to verify that individuals have appropriate training.
4.3.5 Communication

AWS maintains various internal and external communication venues relevant to the quality management system. Although non-exhaustive, the list below gives insight into the general types of communication, including what is communicated, when it is communicated, with whom it is communicated, and how it is communicated.

| Communication Type | What is Communicated | When to Communicate | With Whom to Communicate | How is it communicated |
|---|---|---|---|---|
| Service Guides | Service documents, user guides | Monthly | Internal & External Stakeholders | https://aws.amazon.com/documentation/ |
| Customer Dashboard | Usage, billing, and customer specific information | Ongoing | Internal & External Stakeholders | Accessed through customer portal |
| Security Incidents | Security and compliance information | Ongoing | Internal & External Stakeholders | http://blogs.aws.amazon.com/security/ |
| AWS Blog | Leading information on AWS Services and offerings | Ongoing | Internal & External Stakeholders | https://aws.amazon.com/blogs/aws/ |
| Metrics Review | Overall service health | Weekly | Internal Stakeholders | Internal forum |
| Process documents | Process | Ongoing | Internal Stakeholders | Internal forum |
| Policies | Internal policies | Ongoing | Internal Stakeholders | Internal forum |
4.3.6 Documented Information

4.3.6.1 Document Hierarchy

The quality system is documented through a combination of procedures and instructions. The diagram below provides an overview of the relationship of the documentation within AWS.

Figure 1 - AWS Quality System Document Hierarchy (from top to bottom): Quality Manual; Policies & Procedures; Work Instructions; Records & Evidence.

The Quality Manual is a summary of the AWS quality system and provides an overview of how the quality objectives are addressed. Policies and Procedures that describe key aspects of the company’s quality system are referenced throughout the Quality Manual. Additional procedures may be available within AWS teams. These additional procedures are usually more specific in nature and may contain procedures that are team or service-specific. The content of policies and procedures is version controlled and approved by the appropriate AWS personnel.

Work instructions are documented as drawings, facility and equipment specifications, application security protocols, threat models, and other team-maintained documentation. The content of these documents is maintained by the appropriate AWS personnel, as evidenced by the system(s) maintaining the documentation.

Records and evidence generated by the AWS quality system are archived as appropriate for the type and format of record. These records include, but are not restricted to, contracts, customer support records (including customer complaints), trouble tickets, configuration management items, employee records, and customer agreements.
2e

4.3.6.2 Document Controls

AWS quality and security policies and procedures are subject to approval, version control and distribution by the appropriate technical authorities and/or members of management. Approved documents are periodically reviewed and, when necessary, supporting data is evaluated to ensure the document is adequately fulfilling its intended use. Revisions to approved documents are reviewed and approved by the teams who initiated the original review and approval process, unless otherwise specified. Invalid or obsolete documents are identified and removed from use.

The technical documentation related to service-specific development and service operations is also part of the company’s quality system.


4.3.6.3 Recordkeeping

Records are maintained to demonstrate conformance with security and quality objectives and the effective operation of the quality system. Key records providing evidence of meeting security and quality objectives are maintained by AWS Security Assurance. Other records are maintained in Service team repositories. The records are organized for easy retrieval by individuals with appropriate authorizations. The records are stored and maintained to ensure their confidentiality, integrity and availability.


4.4 Operation of the Quality Management System

4.4.1 Planning

Processes in support of production operations are defined in production documents, planned with work orders and tickets, and performed by appropriately trained employees. These processes are carried out using formalized instructions, established workmanship criteria, and appropriate equipment. Production operations documents also include the applicable safety and environmental requirements.

Procedures that control datacenter facilities, utilities, and environment are also established and documented to ensure that acceptable conditions exist for performing environmentally sensitive processes. Defined alert limits for environmental control exist, and there are clear procedures for responding when the limits are exceeded. Critical equipment functionality is verified prior to its inclusion in production operations.

Records of process activities identify the person(s) performing the activities and the date the activities occurred. Records are also retained as part of the service version history.

4.4.2 Design and Development

AWS’s strategy for design and development of services is to clearly define services in terms of customer use cases, service performance, marketing and distribution requirements, production and testing, and legal and regulatory requirements. The design of all new services, or any significant changes to current services, is controlled through a project management system with multi-disciplinary participation. Requirements and service specifications are established during service development, taking into account legal and regulatory requirements, customer contractual commitments, and requirements to meet the confidentiality, integrity and availability of the service in alignment with the quality objectives established within the quality management system. Service reviews are completed as part of the development process; these reviews include evaluation of security, legal and regulatory impacts and customer contractual commitments. The AWS Leadership Team is responsible for administration and maintenance of service design.
4

4.4.3 Service Identification and Traceability

Facilities, equipment, and software components of production operations are identified throughout their lifecycle to ensure that only acceptable components are used in production. AWS services, including application programming interfaces (APIs), are labeled and marked by identifiers. Facilities, equipment, and software components are tracked such that quality-impacting issues and errors are traceable to related components.
-6

4.4.4 Control of externally provided processes, products and Services

AWS proactively informs customers of any subcontractors who would have access to customer personally identifiable information prior to functional access being provisioned, via the AWS website page Third-Party Access. AWS requires its subcontractors to provide at least the same level of quality as AWS.
b7

4.4.5 Product and Service Provision – Service and Component Verification

4.4.5.1 Inspection and Testing

Incoming equipment, software, and supplies, including AWS created software code, used in the AWS production environment are inspected or verified against established requirements prior to use. Purchasing efforts are made to partner with suppliers to assure that all incoming parts and materials meet purchasing specifications. Incoming supplies are not released into the production environment until they are verified to be in conformance with the specifications. Final inspection and testing is performed on AWS services prior to their release to general availability. The final service release review procedure includes a verification that all acceptance data is present and that all specifications were met. Once in production, AWS services undergo a regime of continuous monitoring.

4.4.5.2 Test Equipment

Test equipment, such as datacenter temperature probes, security scanning devices and software test suites, used to verify service conformance with requirements is selected based on its applicability and sensitivity of measurement for the criteria being evaluated. Test equipment is maintained and operated by personnel with appropriate experience. Where appropriate and necessary, test equipment is calibrated to ensure the accuracy of its results.
4.4.6 Sales (Contract Review)

AWS offers Services for sale under a standardized customer agreement that has been reviewed to ensure the Services are accurately represented, properly promoted, and fairly priced. When enterprise and non-standard terms and conditions are requested by customers, these requests are reviewed with particular regard to their applicability to the cloud computing environment and to the ability of AWS to fulfill the requested terms and conditions. Under these conditions, terms are negotiated and accepted in writing prior to commencement of AWS supplying cloud services.
93
4.4.7 Customer Support

Procedures for supporting customers are developed and maintained. Performance of AWS support operations is verified against specific metrics. Customer reports and complaints of AWS services failing to meet their quality objectives are immediately investigated and, where required, commercially reasonable actions are taken to resolve them. The quality system established for AWS customer support includes, but is not limited to, procedures for reviewing and evaluating customer complaints, engaging the necessary internal AWS resources and teams, and communicating the final disposition of the issue back to the customer. Where AWS is the first to become aware of a customer-impacting issue, procedures exist for notifying impacted customers according to their contract requirements and/or via the AWS Service Health Dashboard, http://status.aws.amazon.com/.
9-

4.4.8 Incident & Interruption Response

The AWS incident and interruption response capability allows for early incident detection, minimized loss and destruction, identification of weaknesses, and rapid restoration of AWS information systems. AWS has established and maintains an Incident Response (IR) Plan to address several objectives:

• Provide AWS with a roadmap for implementing and improving IR capability
• Describe the structure and organization of the IR capability
• Provide a high-level approach for how the Incident Response capability fits into the overall organization
• Meet the unique requirements of AWS as a cloud computing service provider
• Define reportable incidents
• Provide metrics for measuring IR capability
• Define the resources and management support needed to effectively maintain and improve IR capability
• Communicate the IR process to personnel within AWS

0b
4.4.9 Release of products and Services
AWS maintains a systematic approach to planning and developing services for the AWS environment, to
ensure the quality and security requirements are meet with each release.

2c
4.4.10 Control of nonconforming outputs
AWS Services in production operations are managed in a manner that preserves their confidentiality,

54
integrity and availability. The quality and security requirements are defined and specified to ensure
conformance to the quality objectives with ongoing verification and validation of conformance to quality
assessed (as described in section 3.4.12 Performance Evaluation)

41
4.4.11 Purchasing Controls
Key suppliers are identified and chosen for their ability to provide service and service to defined

-fa
requirements. Qualified suppliers are added to the approved supplier list maintained by the Supplier
Management team. Through the use of established assessment procedures, AWS continuously
monitors suppliers to ensure that they are conforming to specific AWS requirements. The extent of

bc
assessment for a supplier is dependent upon the significance of the product and/or service purchased
and, where applicable, upon previously demonstrated performance.

All purchase materials and services intended for use in production processes are specified in purchasing
93
documents. All component/material specification documents are reviewed and approved by
management personnel prior to use. Additional requirements not specified on component/material
specifications are conveyed via purchase orders or contracts. Purchase orders and/or contracts convey
d-

the degree of control AWS establishes with their suppliers to ensure quality product and/or service.
2e

4.5 Performance Monitoring of the Quality Management System


AWS Leadership Team is committed to tracking metrics to ensure the quality system continues to
operate effectively and in line with the ISO/IEC 9001:2008 standard. Where metrics suggest poor
4

performance or lack of improvement in a certain area(s) of the quality system, management will take
9-

corrective action to improve the metrics.


4.5.1 AWS Audit Program
92

AWS Security Assurance monitors the implementation and maintenance of the quality management
system by performing verification activities through the AWS audit program to ensure compliance,
suitability, and effectiveness of the quality system.
-6

The AWS audit program includes internal audits, third party accreditation audits, and supplier audits.
4c

The objective of these audits are to evaluate the operating effectiveness of the AWS quality
management system. Internal audits are planned and performed periodically. Audits by third party
accreditation are conducted to review the continued performance of AWS against standards-based
b7

criteria and to identify general improvement opportunities. Supplier audits are performed to assess the
supplier’s potential for providing services or material that conform to AWS supply requirements.
e2
f9

Amazon – Confidential Page 12 of 32


af
4.5.2 Management Review
The quality system and quality objectives are periodically reviewed by leadership team to determine the

0b
effectiveness and suitability of the quality system to meet or exceed customer and service
specifications.

2c
4.5.2.1 Management Review Inputs
Management review input include:
a) Results of audits and reviews

54
b) Feedback from interested parties
c) Techniques, products or procedures, which could be used in the organization to improve quality

41
system performance and effectiveness
d) Status of preventative and corrective actions
e) Vulnerabilities or threats not adequately addressed in the previous risk assessment

-fa
f) Results from effectiveness measurements
g) Follow-up actions from previous management reviews
h) Any changes that could affect the quality system; and

bc
i) Recommendations for improvement
j) Customer feedback

4.5.2.2 Management Review Outputs


93
Review outputs include any decisions or actions related to the following:
a) Improvement of the effectiveness of the quality system
d-

b) Update of the risk assessment and risk treatment plan


c) Modification of procedures and controls that affect quality, as necessary, to respond to internal
or external events that may impact the quality system, including changes to business
2e

requirements, security requirements, business processes affecting the existing business


requirements, regulatory or legal requirements, contractual obligations, levels of risk and/or
4

criteria for accepting risk


d) Resource needs
9-

e) Improvement to how the effectiveness of controls is being measured


92

4.6 Improvement within the Quality Management System


4.6.1 Preventive Action
-6

AWS management is committed to the proactive management of the quality management system
through risk assessment processes, mitigation controls and requirements of the quality management
4c

system to prevent potential nonconformities. The following procedures are followed when taking
preventative actions:
a) Identify potential nonconformities and their causes;
b7

b) Evaluate the need for action to prevent occurrence of nonconformities;


c) Determine and implement preventive action needed;
d) Record results of action taken; and
e2

e) Review of preventive action.


f9

Amazon – Confidential Page 13 of 32


af
As circumstances require or on an annual basis, AWS management identify changed risks and update
preventive action requirements focusing attention on significantly changed risks.

0b
The priority of preventive actions are determined based on the results of the risk assessment.
4.6.2 Corrective Action

2c
AWS management take action to eliminate the cause of nonconformities within the scope of the quality
management system, in order to prevent recurrence. The following procedure is followed when taking
corrective actions:

54
a) Identify the specific nonconformities;
b) Determine the causes of nonconformities;
c) Evaluate the need for actions to ensure that nonconformities do not recur;

41
d) Determine and implement the corrective action(s) needed;
e) Record results of action(s) taken;

-fa
f) Review of the corrective action(s) taken.

Depending of the nature and severity of the non-conformity, the records of corrective actions may be
reviewed by management during regularly scheduled meetings of the AWS Leadership Team.

bc
4.6.3 Continual Improvement
The AWS Leadership team periodically reviews the scope of the QMS for sustainability, adequacy, and
93
effectiveness via ongoing metrics reviews. Through the continual improvement efforts, enhancements
are identified, resourced, implemented, and reviewed. Management ensure continual improvement to
the effectiveness of the QMS by periodically reviewing the following:
d-

• Service operational metrics


• Cause of Error (COE) reports
• Security and Availability Control Activities
2e

• Audit results
• Risk assessment results
4

• Suggestions and feedback from customers through direct customer engagement


9-
92
-6
4c
b7
e2
f9

Amazon – Confidential Page 14 of 32


Appendix A: Mapping of GxP Requirements to AWS third party validated certifications
Like other commercial IT products such as database engines, operating systems and consumer mobile platforms, AWS Products are not inherently developed for use in specific GxP systems; rather, they are developed according to current quality and security standards for commercial IT product providers. As part of their supplier assessment of AWS, customers seeking to use AWS Products in their GxP Systems often request a mapping of AWS quality and security controls to the GxP controls the customers are familiar with. This appendix contains a summary of the most common GxP controls AWS has been asked to map to our quality and security controls.

AWS Owned and Operated Controls
Column key: each entry gives the GXP Domain / GXP Area, the GXP Control text, and the mapped clauses for ISO 9001:2015, SOC 1, SOC 2, ISO 27001 Annex Controls, ISO 27001 Mgmt Controls, ISO 27017, ISO 27018 and NIST 800-53r4. Columns with no mapping for a given row are omitted.

Equipment in Production / Design, capacity, and location
GXP Control: Equipment (computer hardware) shall be of appropriate design, capacity, and suitable location for its operation and maintenance.
ISO 9001:2015: 7.1.3, 7.1.4
ISO 27001 Annex Controls: A.12.1.3
ISO 27017: 12.1.3
ISO 27018: 12.1.3
NIST 800-53r4: AU-4, CP-2 (2), SC-6

Equipment in Production / Identification
GXP Control: Equipment in production shall be identified by a distinctive identification number or code that shall be recorded.
ISO 9001:2015: 7.1.3
ISO 27001 Annex Controls: A.8.1.1, A.8.1.2, A.8.1.3, A.8.2.1, A.8.2.2
ISO 27017: 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2
ISO 27018: 8, A.10.5
NIST 800-53r4: CM-8, CM-8 (1), RA-2

Equipment in Production / Maintenance Procedures
GXP Control: Written procedures shall be established and followed for inspection and maintenance of equipment. Procedures shall include: assignment of responsibility, maintenance schedules, description of methods of disassembly and reassembly as necessary to assure proper maintenance.
ISO 9001:2015: 7.1.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Equipment in Production / Maintenance Records
GXP Control: Records shall be kept of equipment inspections, maintenance, and repairs.
ISO 9001:2015: 7.1.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Equipment in Production / Verification
GXP Control: Input to and output from computers shall be checked for accuracy. The degree and frequency of input/output checks shall be based on the complexity and reliability of the equipment.
ISO 9001:2015: 7.1.5
SOC 1: 7.1
ISO 27001 Annex Controls: A.14.1.3
ISO 27017: 14.1.3
ISO 27018: 14, A.11.2
NIST 800-53r4: SC-21, SI-10

Facilities in Production / Access controls
GXP Control: Access to data storage facilities shall be limited to personnel authorized by supervisors.
ISO 9001:2015: 7.1.3
SOC 1: 5.1
SOC 2: CC5.5
ISO 27001 Annex Controls: A.11.1.2, A.11.1.3, A.11.1.4
ISO 27017: 11.1.1, 11.1.2, 11.1.3, 11.2.3, 11.2.4
ISO 27018: 11.1, 11.1.6, 11.2.3
NIST 800-53r4: PE-2, PE-3, PE-4, PE-5, PE-9

Facilities in Production / Design and Construction
GXP Control: Buildings shall be of suitable size, construction, and location to facilitate cleaning, maintenance and proper operations.
ISO 9001:2015: 7.1.3
ISO 27001 Annex Controls: A.11.2.1, A.11.2.4

Facilities in Production / Environmental control and monitoring
GXP Control: Adequate ventilation shall be provided.
ISO 9001:2015: 7.1.4
SOC 1: 5.8
ISO 27001 Annex Controls: A.11.1.4
ISO 27017: 11.1.4
ISO 27018: 11.1
NIST 800-53r4: PE-14

Facilities in Production / Environmental control and monitoring
GXP Control: Equipment for adequate control over air pressure, micro-organisms, dust, humidity, and temperature shall be provided when appropriate.
ISO 9001:2015: 7.1.4
SOC 1: 5.8
ISO 27001 Annex Controls: A.11.2.4
ISO 27017: 11.2.4
ISO 27018: 11.2.4
NIST 800-53r4: PE-14 (2)

Facilities in Production / Environmental control and monitoring
GXP Control: Monitoring of facility environment shall be appropriate for the type of equipment and operations.
ISO 9001:2015: 7.1.4
SOC 1: 5.7, 5.8, 5.9, 5.10, 5.11
ISO 27001 Annex Controls: A.11.1.4, A.11.2.2, A.11.2.4, A.15.1.2
ISO 27017: 11.1.4, 11.2.2, 11.2.4, 15.1.2
ISO 27018: 11.1, 11.2.2, 11.2.4, 15
NIST 800-53r4: PE-10, PE-11, PE-12, PE-13, PE-13 (2), PE-13 (3), PE-14, PE-15, PE-14 (2), SA-9

Facilities in Production / Recordkeeping
GXP Control: Records of environmental control and monitoring activities shall be maintained.
ISO 9001:2015: 7.1.5
SOC 1: 5.7, 5.8, 5.9, 5.10, 5.11
ISO 27001 Annex Controls: A.11.1.4, A.11.2.2, A.11.2.4, A.15.1.2
ISO 27017: 11.1.4, 11.2.2, 11.2.4, 15.1.2
ISO 27018: 11.1, 11.2.2, 11.2.4, 15
NIST 800-53r4: PE-10, PE-11, PE-12, PE-13, PE-13 (2), PE-13 (3), PE-14, PE-15, PE-14 (2), SA-9

Facilities in Production / Lighting
GXP Control: Adequate lighting shall be provided in all areas.
ISO 9001:2015: 7.1.3
NIST 800-53r4: PE-12

Facilities in Production / Maintenance
GXP Control: Buildings shall be maintained in a good state of repair.
ISO 9001:2015: 7.1.3

Organization / Management Representative
GXP Control: Management with executive responsibility shall appoint a member of management who, irrespective of other responsibilities, shall have authority and responsibility for ensuring the quality system is established and maintained, and for reporting on the performance of the quality system to management with executive responsibility for review.
ISO 9001:2015: 5.1
SOC 1: 1.1

Organization / Management Responsibility
GXP Control: Management shall assure that personnel, resources, facilities, equipment, materials and methodologies are available as scheduled.
ISO 9001:2015: 5.1

Organization / Management Responsibility
GXP Control: Management shall assure that personnel clearly understand the functions they perform.
ISO 9001:2015: 5.1
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3
ISO 27017: 7.2.2
ISO 27018: 7.2.2
NIST 800-53r4: AC-22, AT-2, AT-2 (2), AT-3, AT-4, CP-3, IR-2, PL-4, PL-4 (1), PS-6

Organization / Management Review
GXP Control: Management with executive responsibility shall periodically review the suitability and effectiveness of the quality system including: nonconformities and corrective actions, monitoring and measurement results, audit results, customer satisfaction, issues concerning suppliers, adequacy of human resources required to maintain effective operations, dev/ops process performance and conformity of products/services.
ISO 9001:2015: 7.1.5.1

Organization / Personnel Qualifications
GXP Control: Personnel shall have the education, training, and experience needed to perform their assigned functions.
ISO 9001:2015: 5.3
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3
ISO 27017: 7.2.2
ISO 27018: 7.2.2
NIST 800-53r4: AC-22, AT-2, AT-2 (2), AT-3, AT-4, CP-3, IR-2, PL-4, PL-4 (1), PS-6

Organization / Personnel Training
GXP Control: Training shall be in the particular operations the personnel performs.
ISO 9001:2015: 5.3
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3
ISO 27017: 7.2.2
ISO 27018: 7.2.2
NIST 800-53r4: AC-22, AT-2, AT-2 (2), AT-3, AT-4, CP-3, IR-2, PL-4, PL-4 (1), PS-6

Organization / Purchasing Controls - Consultants
GXP Control: Consultants shall have the education, training, and experience needed to perform their assigned functions.
ISO 9001:2015: 5.3, 7.1.1, 7.1.2, 7.1.6, 7.2
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2, A.15.1.1, A.15.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3, 6.1.2
ISO 27017: 7.2.2, 15.1.1, 15.2.2
ISO 27018: 15
NIST 800-53r4: PS-7, SA-9 (1)

Organization / Purchasing Controls - Consultants
GXP Control: Records about consultants shall be maintained.
ISO 9001:2015: 8.4, 7.1.1, 7.1.2, 7.1.6, 7.2
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2, A.15.1.1, A.15.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3, 6.1.2
ISO 27017: 7.2.2, 15.1.1, 15.2.2
ISO 27018: 15
NIST 800-53r4: PS-7, SA-9 (1)

Organization / Purchasing Controls - Receiving
GXP Control: Organization shall establish and maintain procedures to ensure that all purchased or otherwise received product and services conform to specified requirements.
ISO 9001:2015: 8.4
ISO 27001 Annex Controls: A.15.1.1, A.15.2.2
ISO 27001 Mgmt Controls: 6.1.2
ISO 27017: 15.1.1, 15.2.2
ISO 27018: 15
NIST 800-53r4: PS-7, SA-9 (1)

Organization / Purchasing Controls - Supplier Agreements
GXP Control: Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the organization of changes in the product or service so that the organization may determine whether the changes may affect the quality of a production product or process.
ISO 9001:2015: 8.4
ISO 27001 Annex Controls: A.13.2.2, A.13.2.4, A.15.1.2, A.15.1.3
ISO 27017: 13.2.2, 13.2.4, 15.1.2, 15.1.3
ISO 27018: 13.2.2, 13.2.4, 15
NIST 800-53r4: CM-10, PL-4, PL-4 (1), PS-6, PS-7, SA-4, SA-4 (1), SA-4 (2), SA-9, SA-9 (5)

Organization / Purchasing Controls - Supplier Management
GXP Control: Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the supplier selection evaluation results.
ISO 9001:2015: 8.4
SOC 1: 5.11
ISO 27001 Annex Controls: A.11.2.4, A.15.1.2
ISO 27017: 11.2.4, 15.1.2
ISO 27018: 11.2.4, 15
NIST 800-53r4: SA-9

Organization / Purchasing Controls - Suppliers Selection
GXP Control: Evaluate and select potential suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
ISO 9001:2015: 8.4

Organization / Quality Audits
GXP Control: Quality system audits shall be conducted by personnel who do not have direct responsibility for the matters being audited.
ISO 9001:2015: 9.2

Organization / Quality Audits
GXP Control: Audit reports shall be reviewed by management having responsibility for the matters audited.
ISO 9001:2015: 9.2

Organization / Quality Audits
GXP Control: Corrective actions resulting from audit findings shall be taken when necessary.
ISO 9001:2015: 9.2

Organization / Quality Audits
GXP Control: Procedures shall be established and maintained to ensure that quality audits involving sampling plans are written and based on valid statistical rationale.
ISO 9001:2015: 9.2

Organization / Quality Policy
GXP Control: Management with executive responsibility shall establish a policy and objectives for, and commitment to, quality.
ISO 9001:2015: 5.2
SOC 1: 1.1
SOC 2: CC1.1, CC1.2, CC2.4
ISO 27001 Annex Controls: A.6.1.1, A.7.2.1
ISO 27001 Mgmt Controls: 5.1, 5.3, 6.2, 7.1, 8.1, 9.2
ISO 27017: 6.1.1, 7.2.1, CLD.6.3.1
ISO 27018: 6.1.1, 7.2.1
NIST 800-53r4: AC-6 (9), AU-2, AU-2(3), CA-6, PL-2, SA-2, SA-5, SI-6

Organization / Quality Unit
GXP Control: Management shall identify a quality unit that is responsible for ensuring facilities, methods, practices, records and controls are in conformance with applicable standards.
ISO 9001:2015: 5.3

Organization / Resourcing
GXP Control: There shall be an adequate number of qualified personnel to perform the product development and operations functions.
ISO 9001:2015: 7.1

Organization / Training Plans
GXP Control: Training needs shall be identified.
ISO 9001:2015: 7.2
SOC 2: CC1.3, CC1.4
ISO 27001 Annex Controls: A.7.1.1, A.7.1.2
ISO 27001 Mgmt Controls: 7.2
ISO 27017: 7.1.1, 7.1.2
ISO 27018: 7.1, A.10.1
NIST 800-53r4: PS-2, PS-3, PS-3 (3), PS-6, CA-6, PS-8

Organization / Training Records
GXP Control: Training records shall be maintained.
ISO 9001:2015: 7.5
SOC 2: CC1.3, CC1.4, CC2.2, CC2.3, CC2.5
ISO 27001 Annex Controls: A.7.2.2
ISO 27001 Mgmt Controls: 7.2, 7.3
ISO 27017: 7.2.2
ISO 27018: 7.2.2
NIST 800-53r4: AC-22, AT-2, AT-2 (2), AT-3, AT-4, CP-3, IR-2, PL-4, PL-4 (1), PS-6

Product Development and Operations / Change Control
GXP Control: Changes to products in production and production processes shall be controlled, documented, and approved.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5), SA-8, SA-10

Product Development and Operations / Procedures - Customer Complaints
GXP Control: Written procedures describing the handling of customer complaints about products shall be established and followed, and shall include provisions for review and documentation of complaints.
ISO 9001:2015: 8.2.1

Product Development and Operations / Procedures - Nonconforming Products
GXP Control: Organization shall establish and maintain procedures to control product that does not conform to specified requirements. Procedures shall provide for evaluation of nonconformance, including determination of need for an investigation and notification of impacted teams and customers.
ISO 9001:2015: 8.7.1

Product Development and Operations / Procedures - Deviations
GXP Control: Deviations from written procedures shall be recorded and justified.
NIST 800-53r4: SC-7 (4)

Product Development and Operations / Procedures - Corrective and Preventive Action
GXP Control: Organization shall establish and maintain procedures for implementing and documenting corrective and preventive actions.
ISO 9001:2015: 9.2
SOC 1: 8.2
SOC 2: CC2.1, CC2.2, CC2.3, CC2.4, CC2.5, CC2.6, CC5.8, CC6.1, CC6.2, CC7.3
ISO 27001 Annex Controls: A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.17.1.1, A.17.1.2
ISO 27001 Mgmt Controls: 9.1
ISO 27017: 16.1.1, 16.1.2, 16.1.3, 16.1.4, 16.1.5, 16.1.7
ISO 27018: 16.1.1, 16.1.2, 16.1.3, 16.1.4, 16.1.5, 16.1.7, A.10.3
NIST 800-53r4: AU-5, CP-2 (1), CP-2 (3), IR-2, IR-3, IR-3 (2), IR-4, IR-5, IR-6, IR-7 (2), IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4)

Product Development and Operations / Procedures - General
GXP Control: There shall be written procedures for production process controls to ensure products/services meet their specifications and to ensure data integrity.
ISO 9001:2015: 7.1.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Product Development and Operations / Procedures - Inspections
GXP Control: Procedures shall exist to notify, in writing, responsible management of the company when inspections occur.
SOC 1: 8.2
SOC 2: CC2.1, CC2.2, CC2.3, CC2.4, CC2.5, CC2.6, CC5.8, CC6.1, CC6.2, CC7.3
ISO 27001 Annex Controls: A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.17.1.1, A.17.1.2
ISO 27001 Mgmt Controls: 9.1
ISO 27017: 16.1.1, 16.1.2, 16.1.3, 16.1.4, 16.1.5, 16.1.7
ISO 27018: 16.1.1, 16.1.2, 16.1.3, 16.1.4, 16.1.5, 16.1.7, A.10.3
NIST 800-53r4: AU-5, CP-2 (1), CP-2 (3), IR-2, IR-3, IR-3 (2), IR-4, IR-5, IR-6, IR-7 (2), IR-9, IR-9 (1), IR-9 (2), IR-9 (3), IR-9 (4)

Product Development and Operations / Process Validation
GXP Control: Organization shall establish and maintain procedures to validate that critical processes are identified and that process changes are validated prior to being implemented in production processes.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5)

Product Development and Operations / Product Development
GXP Control: Organization shall maintain plans that describe software and equipment design and development activities and define responsibilities for implementation.
ISO 9001:2015: 8.3
ISO 27001 Annex Controls: A.12.1.2, A.14.2.5, A.14.2.6, A.14.2.8, A.14.3.1
ISO 27017: 12.1.2, 14.2.5, 14.2.6, 14.2.8, 14.3.1
ISO 27018: 12.1.2, 14
NIST 800-53r4: CA-2, CM-9, SA-3, SA-4(9), SA-8, SA-10, SA-11, SA-11 (1), SA-11 (2), SA-11 (8)

Product Development and Operations / Product Development
GXP Control: Organization shall develop a written hazard analysis for each product to determine the potential effect of the product on customer operations relying on the product.
ISO 9001:2015: 8.3
ISO 27001 Annex Controls: A.12.1.2, A.14.2.5, A.14.2.6, A.14.2.8, A.14.3.1
ISO 27017: 12.1.2, 14.2.5, 14.2.6, 14.2.8, 14.3.1
ISO 27018: 12.1.2, 14
NIST 800-53r4: CA-2, CM-9, SA-3, SA-4(9), SA-8, SA-10, SA-11, SA-11 (1), SA-11 (2), SA-11 (8)

Product Development and Operations / Product Validation
GXP Control: Organization shall establish and maintain procedures to validate that product-related software and hardware works as expected before transfer to production.
ISO 9001:2015: 8.3, 7.1.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Product Development and Operations / Transfer to Production
GXP Control: Establish and maintain procedures to ensure validated software and hardware are accepted and transferred to the production environment in a controlled manner.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5)

Recordkeeping / Access controls
GXP Control: Only authorized personnel shall access the retained records.
ISO 9001:2015: 8.5.6
SOC 1: 2.1
SOC 2: CC5.2, CC5.4
ISO 27001 Annex Controls: A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.4, A.9.4.1
ISO 27017: 9.1.2, 9.2.1, 9.2.2, 9.2.4, 9.4.1
ISO 27018: 9.1, 9.2.1, 9.2.2, 9.2.4, 9.4.1, A.10.9
NIST 800-53r4: AC-2, AC-2 (1), AC-2 (7), AC-3, AC-6, AC-6 (1), AC-6 (5), AC-6 (10), CA-9, IA-4, IA-4 (4), IA-5, IA-5 (6), IA-5 (7)

Recordkeeping / Approval Authority
GXP Control: Written procedures, including changes, shall be drafted, reviewed and approved by the responsible organizational unit, and shall be reviewed and approved by the quality unit.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5)

Recordkeeping / Approval Format
GXP Control: Document approvals, including the date and signature of the individual(s) approving the document, shall be documented.
ISO 9001:2015: 7.5.2
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Recordkeeping / Availability
GXP Control: Written procedures shall be available to personnel at their points of use.
ISO 9001:2015: 7.5.2
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2
ISO 27001 Annex Controls: A.5.1.1, A.6.2.1, A.6.2.2, A.9.1.1, A.9.3.1, A.11.1.5, A.11.2.9, A.12.1.1, A.13.2.1, A.14.2.1, A.17.1.2
ISO 27001 Mgmt Controls: 4.3, 5.1, 5.2, 7.5.1, 7.5.2, 7.5.3, 8.1
ISO 27017: 5.1.1, 6.2.1, 6.2.2, 9.1.1, 9.3.1, 11.1.5, 11.2.9, 12.1.1, 13.2.1, 14.2.1, CLD.6.3.1, CLD.12.1.5
ISO 27018: 5.1.1, 6.2, 9.1, 9.3.1, 9.4.1, 11.1, 11.2.9, 12.1.1, 13.2.1, 14, A.9.2
NIST 800-53r4: AC-1, AC-17, AT-1, CP-1, IA-1, IR-1, PE-1, SA-5

Recordkeeping / Document Change Records
GXP Control: Organization shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5)

Recordkeeping / Document Distribution
GXP Control: Approved changes to documents must be communicated to the appropriate personnel in a timely manner.
ISO 9001:2015: 8.5.6
SOC 1: 6.1
SOC 2: CC2.6, CC7.1, CC7.2, CC7.4
ISO 27001 Annex Controls: A.14.2.2, A.14.2.6
ISO 27001 Mgmt Controls: 8.1
ISO 27017: 14.2.2, 14.2.6
ISO 27018: 14
NIST 800-53r4: CM-2(3), CM-3, CM-5, CM-5 (1), CM-5 (5)

Recordkeeping / Obsolete Documents
GXP Control: Obsolete documents must be promptly removed from their points of use or otherwise prevented from unintended use.
ISO 9001:2015: 7.5.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2

Recordkeeping / Retention
GXP Control: All records required for compliance shall be retained and stored to minimize deterioration and to prevent loss.
SOC 1: 3.6, 4.7, 4.8
ISO 27001 Annex Controls: A.12.4.1, A.12.4.2, A.12.4.3
ISO 27017: 12.4.1, 12.4.2, 12.4.3
ISO 27018: 12.4.1, 12.4.2, 12.4.3, A.10.3
NIST 800-53r4: AU-2, AU-3, AU-3 (1), AU-4, AU-6, AU-6 (1), AU-6 (3), AU-9, AU-9 (4), AU-11, AU-12, CA-9, RA-5 (8)

Recordkeeping / Retention
GXP Control: Retained records may be retained as originals or as true copies such as photocopies, scans or other accurate reproductions of originals. Where reduction techniques are used, suitable reader or copying equipment shall be readily available.
SOC 1: 3.6, 4.7, 4.8
ISO 27001 Annex Controls: A.12.4.1, A.12.4.2, A.12.4.3
ISO 27017: 12.4.1, 12.4.2, 12.4.3
ISO 27018: 12.4.1, 12.4.2, 12.4.3, A.10.3
NIST 800-53r4: AU-2, AU-3, AU-3 (1), AU-4, AU-6, AU-6 (1), AU-6 (3), AU-9, AU-9 (4), AU-11, AU-12, CA-9, RA-5 (8)

Recordkeeping / Retrievability
GXP Control: All records required for compliance shall be readily available for inspection during their retention period.
SOC 1: 3.6, 4.7, 4.8
ISO 27001 Annex Controls: A.12.4.1, A.12.4.2, A.12.4.3
ISO 27017: 12.4.1, 12.4.2, 12.4.3
ISO 27018: 12.4.1, 12.4.2, 12.4.3, A.10.3
NIST 800-53r4: AU-2, AU-3, AU-3 (1), AU-4, AU-6, AU-6 (1), AU-6 (3), AU-9, AU-9 (4), AU-11, AU-12, CA-9, RA-5 (8)

Recordkeeping / Version History
GXP Control: A historical file of procedure versions, including dates of revision, shall be maintained.
ISO 9001:2015: 7.5.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2

Recordkeeping / Computer Validation
GXP Control: When computer systems are used to maintain records and documentation of control evidence, the computer system shall be validated.
ISO 9001:2015: 7.5.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2

Recordkeeping / Audit trails
GXP Control: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
ISO 9001:2015: 7.5.3
SOC 1: 1.2
SOC 2: CC1.2, CC1.4, CC2.1, CC3.2

Recordkeeping / Electronic Signatures
GXP Control: Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity.
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
