CSA Consensus Assessments Initiative Questionnaire
May 2022
Notices
Customers are responsible for making their own independent assessment of the information
in this document. This document: (a) is for informational purposes only, (b) represents
current AWS product offerings and practices, which are subject to change without notice,
and (c) does not create any commitments or assurances from AWS and its affiliates,
suppliers or licensors. AWS products or services are provided “as is” without warranties,
representations, or conditions of any kind, whether express or implied. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this
document is not part of, nor does it modify, any agreement between AWS and its
customers.
© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Contents
Introduction
CSA Consensus Assessments Initiative Questionnaire
Further Reading
Document Revisions
Abstract
The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer
and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can
then be used for a wide range of uses, including cloud provider selection and security evaluation. AWS has completed this
questionnaire with the answers below. The questionnaire has been completed using the current CSA CAIQ standard, v4.0.2
(06.07.2021 Update).
Introduction
The Cloud Security Alliance (CSA) is a “not-for-profit organization with a mission to promote the use of best practices for
providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure
all other forms of computing.” For more information, see https://cloudsecurityalliance.org/about/.
A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its
mission.
CSA Consensus Assessments Initiative Questionnaire
Columns: Question ID | Question | CAIQ Answer | SSRM Control Ownership | CSP Implementation Description (Optional/Recommended) | CSC Responsibilities (Optional/Recommended) | CCM Control ID | CCM Control Specification | CCM Control Title | CCM Domain Title
Question ID: A&A-01.1
Question: Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established formal policies and procedures to provide employees a common baseline for information security standards and guidance. The AWS Information Security Management System policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS. AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of AWS services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CSC Responsibilities: (blank)
CCM Control ID: A&A-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.
CCM Control Title: Audit and Assurance Policy and Procedures
CCM Domain Title: Audit & Assurance
Question ID: A&A-01.2
Question: Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CSC Responsibilities: (blank)
CCM Control ID: A&A-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.
CCM Control Title: Audit and Assurance Policy and Procedures
CCM Domain Title: Audit & Assurance
AWS CloudHSM: https://aws.amazon.com/cloudhsm/
Question ID: CEK-01.2
Question: Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CSC Responsibilities: (blank)
CCM Control ID: CEK-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
CCM Control Title: Encryption and Key Management Policy and Procedures
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-02.1
Question: Are cryptography, encryption, and key management roles and responsibilities defined and implemented?
CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSP Implementation Description: See response to CEK-01.1
CSC Responsibilities: (blank)
CCM Control ID: CEK-02
CCM Control Specification: Define and implement cryptographic, encryption and key management roles and responsibilities.
CCM Control Title: CEK Roles and Responsibilities
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-03.1
Question: Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms (for storage and in-transit) for nearly all the services, including S3, EBS and EC2. IPSec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Systems (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. Refer to AWS: Overview of Security Processes Whitepaper for additional details, available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: CEK-03
CCM Control Specification: Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
CCM Control Title: Data Encryption
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-04.1
Question: Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: CEK-04
CCM Control Specification: Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
CCM Control Title: Encryption Algorithm
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-05.1
Question: Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to CEK-01.1
CSC Responsibilities: AWS customers are responsible for managing encryption keys within their AWS environments according to their internal policy requirements.
CCM Control ID: CEK-05
CCM Control Specification: Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
CCM Control Title: Encryption Change Management
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-06.1
Question: Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures, managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to CEK-01.1
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPSec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Systems (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. Refer to AWS: Overview of Security Processes Whitepaper for additional details, available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: CEK-06
CCM Control Specification: Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
CCM Control Title: Encryption Change Cost Benefit Analysis
CCM Domain Title: Cryptography, Encryption & Key Management
CSP Implementation Description: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
• Security Risk Assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
Question ID: DSP-08.1
Question: Are systems, products, and business practices based on privacy principles by design and according to industry best practices?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-08
CCM Control Specification: Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
CCM Control Title: Data Privacy by Design and Default
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-08.2
Question: Are systems' privacy settings configured by default and according to all applicable laws and regulations?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible to adhere to regulatory requirements in the jurisdictions their business is active in.
CCM Control ID: DSP-08
CCM Control Specification: Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
CCM Control Title: Data Privacy by Design and Default
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-09.1
Question: Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-09
CCM Control Specification: Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.
CCM Control Title: Data Protection Impact Assessment
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-10.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-10
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
CCM Control Title: Sensitive Data Transfer
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-11.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-11
CCM Control Specification: Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
CCM Control Title: Personal Data Access, Reversal, Rectification and Deletion
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-12.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS has established a formal Data Subject Access Request (DSAR) according to General Data Protection Regulation (GDPR). For this, they have to call AWS and open a Harbinger ticket by contacting a CS Team Manager, who will work with Legal to open a ticket which includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CSC Responsibilities: AWS customers are responsible for the management of the data (including adhering to applicable laws and regulations) they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-12
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.
CCM Control Title: Limitation of Purpose in Personal Data Processing
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-13.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)?
CAIQ Answer: NA
SSRM Control Ownership: (blank)
CSP Implementation Description: Note: AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure. AWS does not utilize third parties to provide services to customers. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round, please refer to https://aws.amazon.com/compliance/sub-processors/.
CSC Responsibilities: (blank)
CCM Control ID: DSP-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
CCM Control Title: Personal Data Sub-processing
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-14.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation?
CAIQ Answer: NA
SSRM Control Ownership: (blank)
CSP Implementation Description: AWS does not utilize third parties to provide services to customers. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round, please refer to https://aws.amazon.com/compliance/third-party-access/.
CSC Responsibilities: (blank)
CCM Control ID: DSP-14
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
CCM Control Title: Disclosure of Data Sub-processors
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-15.1
Question: Is authorization from data owners obtained, and the associated risk managed, before replicating or using production data in non-production environments?
CAIQ Answer: NA
SSRM Control Ownership: (blank)
CSP Implementation Description: Customer data is not used for testing.
CSC Responsibilities: (blank)
CCM Control ID: DSP-15
CCM Control Specification: Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
CCM Control Title: Limitation of Production Data Use
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-16.1
Question: Do data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS maintains a retention policy applicable to AWS internal data and system components in order to continue operations of AWS business and services. Critical AWS system components, including audit evidence and logging records, are replicated across multiple Availability Zones and backups are maintained and monitored.
CSC Responsibilities: AWS customers are responsible for the management of the data they place into AWS services, including retention, archiving, and deletion policies and practices.
CCM Control ID: DSP-16
CCM Control Specification: Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.
CCM Control Title: Data Retention and Deletion
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-17.1
Question: Are processes, procedures, and technical measures defined and implemented to protect sensitive data throughout its lifecycle?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: Customers control their customer content. With AWS, customers:
• Determine where their customer content will be stored, including the type of storage and geographic region of that storage.
• Customers can replicate and back up their customer content in more than one region, and we will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
• Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
• Manage access to their customer content and AWS services and resources through users, groups, permissions and credentials that customers control.
CCM Control ID: DSP-17
CCM Control Specification: Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
CCM Control Title: Sensitive Data Protection
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-18.1
Question: Does the CSP have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: We are vigilant about our customers' privacy. AWS policy prohibits the disclosure of customer content unless we're required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body. Unless we are prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure. It's also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys. We know transparency matters to our customers, so we regularly publish a report about the types and volume of information requests we receive here: https://aws.amazon.com/compliance/amazon-information-requests/.
CSC Responsibilities: (blank)
CCM Control ID: DSP-18
CCM Control Specification: The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
CCM Control Title: Disclosure Notification
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-18.2
Question: Does the CSP give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to Question ID DSP-18.1
CSC Responsibilities: (blank)
CCM Control ID: DSP-18
CCM Control Specification: The CSP must have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
CCM Control Title: Disclosure Notification
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-19.1
Question: Are processes, procedures, and technical measures defined and implemented to specify and document physical data locations, including locales where data is processed or backed up?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: (blank)
CSC Responsibilities: This is a customer responsibility. Customers manage access to their customer content and AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (such as AWS CloudTrail). We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users. Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
CCM Control ID: DSP-19
CCM Control Specification: Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
CCM Control Title: Data Location
CCM Domain Title: Data Security and Privacy Lifecycle Management
End of Standard
Further Reading
For additional information, see the following sources:
AWS Compliance Quick Reference Guide
Document Revisions
Date Description
April 2022 Updated CAIQ template and updated responses to individual questions based on CAIQ v4.0.2
July 2018 2018 validation and update
January 2018 Migrated to new template.
January 2016 First publication