
CSA Consensus Assessments Initiative Questionnaire (CAIQ)

May 2022
Notices
Customers are responsible for making their own independent assessment of the information
in this document. This document: (a) is for informational purposes only, (b) represents
current AWS product offerings and practices, which are subject to change without notice,
and (c) does not create any commitments or assurances from AWS and its affiliates,
suppliers or licensors. AWS products or services are provided “as is” without warranties,
representations, or conditions of any kind, whether express or implied. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this
document is not part of, nor does it modify, any agreement between AWS and its
customers.

© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Contents
Introduction (page 4)
CSA Consensus Assessments Initiative Questionnaire (page 5)
Further Reading (page 100)
Document Revisions (page 100)
Abstract
The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer
and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can
then be used for a wide range of uses, including cloud provider selection and security evaluation. AWS has completed this
questionnaire with the answers below. The questionnaire has been completed using the current CSA CAIQ standard, v4.0.2
(06.07.2021 Update).

Introduction
The Cloud Security Alliance (CSA) is a “not-for-profit organization with a mission to promote the use of best practices for
providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure
all other forms of computing.” For more information, see https://cloudsecurityalliance.org/about/.
A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission.
CSA Consensus Assessments Initiative Questionnaire
Columns: Question ID | Question | CSP CAIQ Answer | SSRM Control Ownership | CSP Implementation Description (Optional/Recommended) | CSC Responsibilities (Optional/Recommended) | CCM Control ID | CCM Control Specification | CCM Control Title | CCM Domain Title
Question ID: A&A-01.1
Question: Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established formal policies and procedures to provide employees a common baseline for information security standards and guidance. The AWS Information Security Management System policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS.

AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of AWS services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CCM Control ID: A&A-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.
CCM Control Title: Audit and Assurance Policy and Procedures
CCM Domain Title: Audit & Assurance

Question ID: A&A-01.2
Question: Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: A&A-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually.
CCM Control Title: Audit and Assurance Policy and Procedures
CCM Domain Title: Audit & Assurance
Question ID: A&A-02.1
Question: Are independent audit and assurance assessments conducted according to relevant standards at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.

Internal and external audits are planned and performed according to a documented audit schedule to review the continued performance of AWS against standards-based criteria, such as ISO/IEC 27001, and to identify improvement opportunities.

Compliance reports from these assessments are made available to customers, enabling them to evaluate AWS. You can access assessments in AWS Artifact: https://aws.amazon.com/artifact. The AWS Compliance reports identify the scope of AWS services and regions assessed, as well as the assessor's attestation of compliance. Customers can perform vendor or supplier evaluations by leveraging these reports and certifications.
CCM Control ID: A&A-02
CCM Control Specification: Conduct independent audit and assurance assessments according to relevant standards at least annually.
CCM Control Title: Independent Assessments
CCM Domain Title: Audit & Assurance

Question ID: A&A-03.1
Question: Are independent audit and assurance assessments performed according to risk-based plans and policies?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS internal and external audit and assurance uses risk-based plans and an approach to conduct assessments at least annually.

The AWS Compliance program covers sections including but not limited to assessment methodology, security assessment and results, and non-conforming controls.
CCM Control ID: A&A-03
CCM Control Specification: Perform independent audit and assurance assessments according to risk-based plans and policies.
CCM Control Title: Risk Based Planning Assessment
CCM Domain Title: Audit & Assurance

Question ID: A&A-04.1
Question: Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains Security, Governance, Risk and Compliance relationships with internal and external parties to verify and monitor legal, regulatory, and contractual requirements.

Should a new security directive be issued, AWS has documented plans in place to implement that directive with designated timeframes.
CCM Control ID: A&A-04
CCM Control Specification: Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.
CCM Control Title: Requirements Compliance
CCM Domain Title: Audit & Assurance
Question ID: A&A-05.1
Question: Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Internal and external audits are planned and performed according to the documented audit schedule to review the continued performance of AWS against standards-based criteria and to identify general improvement opportunities. Standards-based criteria include but are not limited to ISO/IEC 27001, the Federal Risk and Authorization Management Program (FedRAMP), the American Institute of Certified Public Accountants (AICPA): AT 801 (formerly Statement on Standards for Attestation Engagements [SSAE] 16), and the International Standards for Assurance Engagements No.3402 (ISAE 3402) professional standards.
CCM Control ID: A&A-05
CCM Control Specification: Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.
CCM Control Title: Audit Management Process
CCM Domain Title: Audit & Assurance

Question ID: A&A-06.1
Question: Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001, AWS maintains a Risk Management program to mitigate and manage risk. AWS management has a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks. AWS management re-evaluates the strategic business plan at least biannually. This process requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks.
CCM Control ID: A&A-06
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.
CCM Control Title: Remediation
CCM Domain Title: Audit & Assurance
Question ID: A&A-06.2
Question: Is the remediation status of audit findings reviewed and reported to relevant stakeholders?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.

Internal and external audits are planned and performed according to a documented audit schedule to review the continued performance of AWS against standards-based criteria, such as ISO/IEC 27001, and to identify improvement opportunities.

External audits are planned and performed according to a documented audit schedule to review the continued performance of AWS against standards-based criteria and to identify improvement opportunities. Standards-based criteria include, but are not limited to, the Federal Risk and Authorization Management Program (FedRAMP), the American Institute of Certified Public Accountants (AICPA): AT 801 (formerly Statement on Standards for Attestation Engagements [SSAE] 18), the International Standards for Assurance Engagements No.3402 (ISAE 3402) professional standards, and the Payment Card Industry Data Security Standard PCI DSS 3.2.1.

Compliance reports from these assessments are made available to customers, enabling them to evaluate AWS. You can access assessments in AWS Artifact: https://aws.amazon.com/artifact. The AWS Compliance reports identify the scope of AWS services and regions assessed, as well as the assessor's attestation of compliance. Customers can perform vendor or supplier evaluations by leveraging these reports and certifications.
CCM Control ID: A&A-06
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders.
CCM Control Title: Remediation
CCM Domain Title: Audit & Assurance
Question ID: AIS-01.1
Question: Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established formal policies and procedures to provide employees a common baseline for information security standards and guidance. The AWS Information Security Management System policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS.

AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of AWS services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CCM Control ID: AIS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.
CCM Control Title: Application and Interface Security Policy and Procedures
CCM Domain Title: Application & Interface Security

Question ID: AIS-01.2
Question: Are application security policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: AIS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.
CCM Control Title: Application and Interface Security Policy and Procedures
CCM Domain Title: Application & Interface Security
Question ID: AIS-02.1
Question: Are baseline requirements to secure different applications established, documented, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains a systematic approach to planning and developing new services for the AWS environment, to ensure the quality and security requirements are met with each release. The design of new services or any significant changes to current services follow secure software development practices and are controlled through a project management system with multi-disciplinary participation. Prior to launch, each of the following requirements must be reviewed:
• Security Risk Assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
CCM Control ID: AIS-02
CCM Control Specification: Establish, document and maintain baseline requirements for securing different applications.
CCM Control Title: Application Security Baseline Requirements
CCM Domain Title: Application & Interface Security

Question ID: AIS-03.1
Question: Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSP Implementation Description: See response to Question ID AIS-02.1
CCM Control ID: AIS-03
CCM Control Specification: Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
CCM Control Title: Application Security Metrics
CCM Domain Title: Application & Interface Security

Question ID: AIS-04.1
Question: Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID AIS-02.1
CCM Control ID: AIS-04
CCM Control Specification: Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
CCM Control Title: Secure Application Design and Development
CCM Domain Title: Application & Interface Security
Question ID: AIS-05.1
Question: Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID AIS-02.1
CCM Control ID: AIS-05
CCM Control Specification: Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
CCM Control Title: Automated Application Security Testing
CCM Domain Title: Application & Interface Security

Question ID: AIS-05.2
Question: Is testing automated when applicable and possible?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Where appropriate, a continuous deployment methodology is conducted to ensure changes are automatically built, tested, and pushed to production, with the goal of eliminating as many manual steps as possible. Continuous deployment seeks to eliminate the manual nature of this process and automate each step, allowing service teams to standardize the process and increase the efficiency with which they deploy code. In continuous deployment, an entire release process is a "pipeline" containing "stages".
CCM Control ID: AIS-05
CCM Control Specification: Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
CCM Control Title: Automated Application Security Testing
CCM Domain Title: Application & Interface Security

Question ID: AIS-06.1
Question: Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Where appropriate, a continuous deployment methodology is conducted to ensure changes are automatically built, tested, and pushed to production, with the goal of eliminating as many manual steps as possible. Continuous deployment seeks to eliminate the manual nature of this process and automate each step, allowing service teams to standardize the process and increase the efficiency with which they deploy code. In continuous deployment, an entire release process is a "pipeline" containing "stages".
CCM Control ID: AIS-06
CCM Control Specification: Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
CCM Control Title: Automated Secure Application Deployment
CCM Domain Title: Application & Interface Security
Question ID: AIS-06.2
Question: Is the deployment and integration of application code automated where possible?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Automated code analysis tools are run as a part of the AWS Software Development Lifecycle, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.
Refer to the AWS Overview of Security Processes for further details. That whitepaper is located at https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
CCM Control ID: AIS-06
CCM Control Specification: Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
CCM Control Title: Automated Secure Application Deployment
CCM Domain Title: Application & Interface Security

Question ID: AIS-07.1
Question: Are application security vulnerabilities remediated following defined processes?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.
Refer to the Best Practices for Security, Identity, & Compliance website for further details: https://aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc&awsf.content-type=*all&awsf.methodology=*all
CCM Control ID: AIS-07
CCM Control Specification: Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
CCM Control Title: Application Vulnerability Remediation
CCM Domain Title: Application & Interface Security

Question ID: AIS-07.2
Question: Is the remediation of application security vulnerabilities automated when possible?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Automated code analysis tools are run as a part of the AWS Software Development Lifecycle, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.
Refer to the Best Practices for Security, Identity, & Compliance website for further details: https://aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc&awsf.content-type=*all&awsf.methodology=*all
CCM Control ID: AIS-07
CCM Control Specification: Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
CCM Control Title: Application Vulnerability Remediation
CCM Domain Title: Application & Interface Security
Question ID: BCR-01.1
Question: Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS business continuity policy is designed to ensure minimum outage time and maximum effectiveness of the recovery and reconstitution efforts, which include:
• Activation and Notification,
• Recovery, and
• Reconstitution Phase

AWS business continuity mechanisms are designed to ensure minimum outage time and maximum effectiveness of the recovery and reconstitution efforts. AWS resiliency encompasses the processes and procedures to identify, respond to, and recover from a major event or incident within our environment.
CCM Control ID: BCR-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.
CCM Control Title: Business Continuity Management Policy and Procedures
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-01.2
Question: Are the policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: BCR-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.
CCM Control Title: Business Continuity Management Policy and Procedures
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-02.1
Question: Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS Business Continuity Policies and Plans have been developed and tested in alignment with ISO 27001 standards. Refer to the ISO 27001 standard, Annex A domain 17, for further details on AWS and business continuity.
CCM Control ID: BCR-02
CCM Control Specification: Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.
CCM Control Title: Risk Assessment and Impact Analysis
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-03.1
Question: Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS Business Continuity Policies and Plans have been developed and tested in alignment with ISO 27001 standards. Refer to the ISO 27001 standard, Annex A domain 17, for further details on AWS and business continuity.
CCM Control ID: BCR-03
CCM Control Specification: Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
CCM Control Title: Business Continuity Strategy
CCM Domain Title: Business Continuity Management and Operational Resilience
Question ID: BCR-04.1
Question: Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS Business Continuity Policies and Plans have been developed and tested in alignment with ISO 27001 standards. Refer to the ISO 27001 standard, Annex A domain 17, for further details on AWS and business continuity.
CCM Control ID: BCR-04
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.
CCM Control Title: Business Continuity Planning
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-05.1
Question: Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS business continuity plan details the three-phased approach that AWS has developed to recover and reconstitute the AWS infrastructure:
• Activation and Notification Phase
• Recovery Phase
• Reconstitution Phase
This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
CCM Control ID: BCR-05
CCM Control Specification: Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
CCM Control Title: Documentation
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-05.2
Question: Is business continuity and operational resilience documentation available to authorized stakeholders?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Information System Documentation is made available internally to AWS personnel through the use of Amazon's Intranet site. Refer to ISO 27001 Annex A Domain 12.
CCM Control ID: BCR-05
CCM Control Specification: Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
CCM Control Title: Documentation
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-05.3
Question: Is business continuity and operational resilience documentation reviewed periodically?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: BCR-05
CCM Control Specification: Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
CCM Control Title: Documentation
CCM Domain Title: Business Continuity Management and Operational Resilience
Question ID: BCR-06.1
Question: Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Business Continuity Policies and Plans have been developed and tested at least annually in alignment with ISO 27001 standards.

Refer to the ISO 27001 standard, Annex A domain 17, for further details on AWS and business continuity.
CCM Control ID: BCR-06
CCM Control Specification: Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.
CCM Control Title: Business Continuity Exercises
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-07.1
Question: Do business continuity and resilience procedures establish communication with stakeholders and participants?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS Business Continuity policy provides a complete discussion of AWS services, roles and responsibilities, and AWS processes for managing an outage from detection to deactivation.

AWS Service teams create administrator documentation for their services and store the documents in internal AWS document repositories. Using these documents, teams provide initial training to new team members that covers their job duties, on-call responsibilities, and service-specific monitoring metrics and alarms, along with the intricacies of the service they are supporting. Once trained, service team members can assume on-call duties and be paged into an engagement as a resolver. In addition to the documentation stored in the repository, AWS also uses GameDay Exercises to train coordinators and Service Teams in their roles and responsibilities.
CCM Control ID: BCR-07
CCM Control Specification: Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.
CCM Control Title: Communication
CCM Domain Title: Business Continuity Management and Operational Resilience
Question ID: BCR-08.1
Question: Is cloud data periodically backed up?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS maintains a retention policy applicable to AWS internal data and system components in order to continue operations of AWS business and services. Critical AWS system components, including audit evidence and logging records, are replicated across multiple Availability Zones and backups are maintained and monitored.
CSC Responsibilities: Customers retain control and ownership of their content. When customers store content in a specific region, it is not replicated outside that region. It is the customer's responsibility to replicate content across regions if business needs require that.

Backup and retention policies are the responsibility of the customer. AWS offers best practice resources to customers including guidance and alignment to the Well Architected Framework. Snapshots are AWS objects to which IAM users, groups, and roles can be assigned permissions, so that only authorized users can access Amazon backups.

AWS Backup allows customers to centrally manage and automate backups across AWS services. The service enables customers to centralize and automate data protection across AWS services. For additional details, refer to https://aws.amazon.com/backup.
CCM Control ID: BCR-08
CCM Control Specification: Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
CCM Control Title: Backup
CCM Domain Title: Business Continuity Management and Operational Resilience

Question ID: BCR-08.2
Question: Is the confidentiality, integrity, and availability of backup data ensured?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to Question ID BCR-08.1
CCM Control ID: BCR-08
CCM Control Specification: Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
CCM Control Title: Backup
CCM Domain Title: Business Continuity Management and Operational Resilience
Periodically backup
AWS Backup allows data stored in the
customers to centrally cloud. Ensure the Business
Can backups be manage and automate confidentiality, Continuity
BCR- restored backups across AWS integrity and Management
Yes CSC-owned BCR-08 Backup
08.3 appropriately for services. For additional availability of the and
resiliency? details, refer to - backup, and verify Operational
https://aws.amazon.com data restoration Resilience
/backup from backup
for resiliency.
BCR-09.1
Question: Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: The AWS business continuity policy is designed to ensure minimum outage time and maximum effectiveness of the recovery and reconstitution efforts, which include:
• Activation and Notification,
• Recovery, and
• Reconstitution Phase.
AWS business continuity mechanisms are designed to ensure minimum outage time and maximum effectiveness of the recovery and reconstitution efforts. AWS resiliency encompasses the processes and procedures to identify, respond to, and recover from a major event or incident within our environment.
AWS maintains a ubiquitous security control environment across its infrastructure. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an N+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. Data centers are online and serving traffic; no data center is "cold." In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
CSC Responsibilities: AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance backups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions as well as across multiple Availability Zones within each region. Customers are responsible for properly implementing contingency planning, training and testing for their systems hosted on AWS.
CCM Control ID: BCR-09
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
CCM Control Title: Disaster Response Plan
CCM Domain Title: Business Continuity Management and Operational Resilience

BCR-09.2
Question: Is the disaster response plan updated at least annually, and when significant changes occur?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: BCR-09
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
CCM Control Title: Disaster Response Plan
CCM Domain Title: Business Continuity Management and Operational Resilience

BCR-10.1
Question: Is the disaster response plan exercised annually or when significant changes occur?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS tests business continuity at least annually to ensure the effectiveness of the associated procedures and the organization's readiness. Testing consists of game-day exercises that execute the activities that would be performed in an actual outage. AWS documents the results, including lessons learned and any corrective actions that were completed.
CCM Control ID: BCR-10
CCM Control Specification: Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
CCM Control Title: Response Plan Exercise
CCM Domain Title: Business Continuity Management and Operational Resilience

BCR-10.2
Question: Are local emergency authorities included, if possible, in the exercise?
CAIQ Answer: No
SSRM Control Ownership: CSP-owned
CCM Control ID: BCR-10
CCM Control Specification: Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
CCM Control Title: Response Plan Exercise
CCM Domain Title: Business Continuity Management and Operational Resilience

BCR-11.1
Question: Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains a ubiquitous security control environment across its infrastructure. Each data center is built to physical, environmental, and security standards in an active-active configuration, employing an N+1 redundancy model to ensure system availability in the event of component failure. Components (N) have at least one independent backup component (+1), so the backup component is active in the operation even if other components are fully functional. In order to eliminate single points of failure, this model is applied throughout AWS, including network and data center implementation. Data centers are online and serving traffic; no data center is "cold." In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
CCM Control ID: BCR-11
CCM Control Specification: Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
CCM Control Title: Equipment Redundancy
CCM Domain Title: Business Continuity Management and Operational Resilience

CCC-01.1
Question: Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS applies a systematic approach to managing change to ensure that all changes to a production environment are reviewed, tested, and approved. The AWS Change Management approach requires that the following steps be complete before a change is deployed to the production environment:
1. Document and communicate the change via the appropriate AWS change management tool.
2. Plan implementation of the change and rollback procedures to minimize disruption.
3. Test the change in a logically segregated, non-production environment.
4. Complete a peer review of the change with a focus on business impact and technical rigor. The review should include a code review.
5. Attain approval for the change by an authorized individual.
Where appropriate, a continuous deployment methodology is conducted to ensure changes are automatically built, tested, and pushed to production, with the goal of eliminating as many manual steps as possible. Continuous deployment seeks to eliminate the manual nature of this process and automate each step, allowing service teams to standardize the process and increase the efficiency with which they deploy code. In continuous deployment, an entire release process is a "pipeline" containing "stages".
CCM Control ID: CCC-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.
CCM Control Title: Change Management Policy and Procedures
CCM Domain Title: Change Control and Configuration Management

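The five steps above are the kind of requirement that is easy to state in a policy and easy to skip in a pipeline, so a practitioner usually wants them enforced as a pre-deployment gate rather than checked by hand. The following is an added example, not AWS tooling, that evaluates a change record against the five steps and returns every violation at once. The `ChangeRecord` fields, the stage names and the two constructed records are assumptions for illustration; the separation-of-duties checks (reviewer and approver must differ from the author) are this example's reading of "peer review" and "approval by an authorized individual", not wording from the response.

```python
"""Pre-deployment gate enforcing the five change-management steps (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical pipeline stages that must have passed before deployment.
REQUIRED_STAGES = ("build", "unit-test", "integration-test")


@dataclass
class ChangeRecord:
    ticket: str                     # step 1: documented in the change tool
    author: str
    rollback_plan: str              # step 2: rollback procedure recorded
    test_env: str                   # step 3: must be a non-production environment
    test_results: dict              # step 3: stage -> "passed" / "failed"
    reviewers: list                 # step 4: code review by a peer
    approver: str | None            # step 5: approval by an authorized individual
    authorized_approvers: frozenset = frozenset()


def gate(change: ChangeRecord) -> list[str]:
    """Return a list of violations; an empty list means the change may deploy."""
    problems: list[str] = []
    if not change.ticket.strip():
        problems.append("step 1: change is not documented in a ticket")
    if not change.rollback_plan.strip():
        problems.append("step 2: no rollback plan recorded")
    if change.test_env.lower() in {"prod", "production"}:
        problems.append("step 3: tested in production, not a segregated environment")
    for stage in REQUIRED_STAGES:
        if change.test_results.get(stage) != "passed":
            problems.append(f"step 3: pipeline stage '{stage}' did not pass")
    # Separation of duties: the author cannot be their own peer reviewer.
    if not [r for r in change.reviewers if r != change.author]:
        problems.append("step 4: no peer review by someone other than the author")
    if change.approver is None:
        problems.append("step 5: no approval recorded")
    elif change.approver == change.author:
        problems.append("step 5: author approved their own change")
    elif change.approver not in change.authorized_approvers:
        problems.append(f"step 5: '{change.approver}' is not an authorized approver")
    return problems


def example_records() -> tuple[ChangeRecord, ChangeRecord]:
    """Two constructed records: one that passes the gate and one that fails."""
    approvers = frozenset({"carol", "dave"})
    good = ChangeRecord(
        ticket="CM-1042", author="alice", rollback_plan="redeploy build 1041",
        test_env="staging",
        test_results={"build": "passed", "unit-test": "passed", "integration-test": "passed"},
        reviewers=["bob"], approver="carol", authorized_approvers=approvers)
    bad = ChangeRecord(
        ticket="", author="alice", rollback_plan="",
        test_env="production",
        test_results={"build": "passed", "unit-test": "failed"},
        reviewers=["alice"], approver="alice", authorized_approvers=approvers)
    return good, bad


if __name__ == "__main__":
    for rec in example_records():
        print(rec.ticket or "<no ticket>", gate(rec) or "OK")
```

Returning every violation rather than the first one matters in a continuous-deployment pipeline: the author fixes the record once instead of iterating through the gate several times.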
CCC-01.2
Question: Are the policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: CCC-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.
CCM Control Title: Change Management Policy and Procedures
CCM Domain Title: Change Control and Configuration Management

CCC-02.1
Question: Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-01.1.
CCM Control ID: CCC-02
CCM Control Specification: Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.
CCM Control Title: Quality Testing
CCM Domain Title: Change Control and Configuration Management

CCC-03.1
Question: Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-01.1.
CCM Control ID: CCC-03
CCM Control Specification: Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).
CCM Control Title: Change Management Technology
CCM Domain Title: Change Control and Configuration Management

CCC-04.1
Question: Is the unauthorized addition, removal, update, and management of organization assets restricted?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed-circuit television cameras (CCTV) as defined in the AWS Data Center Physical Security Policy.
CCM Control ID: CCC-04
CCM Control Specification: Restrict the unauthorized addition, removal, update, and management of organization assets.
CCM Control Title: Unauthorized Change Protection
CCM Domain Title: Change Control and Configuration Management

CCC-05.1
Question: Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs?
CAIQ Answer: No
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS notifies customers of changes to the AWS service offering in accordance with the commitment set forth in the AWS Customer Agreement. AWS continuously evolves and improves our existing services, and frequently adds new services. Our services are controlled using APIs. If we change or discontinue any API used to make calls to the services, we will continue to offer the existing API for 12 months. Additionally, AWS maintains a public Service Health Dashboard to provide customers with the real-time operational status of our services at http://status.aws.amazon.com/.
CCM Control ID: CCC-05
CCM Control Specification: Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.
CCM Control Title: Change Agreements
CCM Domain Title: Change Control and Configuration Management

CCC-06.1
Question: Are change management baselines established for all relevant authorized changes on organizational assets?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-01.1.
CCM Control ID: CCC-06
CCM Control Specification: Establish change management baselines for all relevant authorized changes on organization assets.
CCM Control Title: Change Management Baseline
CCM Domain Title: Change Control and Configuration Management

CCC-07.1
Question: Are detection measures implemented with proactive notification if changes deviate from established baselines?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-08.1.
CCM Control ID: CCC-07
CCM Control Specification: Implement detection measures with proactive notification in case of changes deviating from the established baseline.
CCM Control Title: Detection of Baseline Deviation
CCM Domain Title: Change Control and Configuration Management

CCC-08.1
Question: Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: CCC-08
CCM Control Specification: Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.
CCM Control Title: Exception Management
CCM Domain Title: Change Control and Configuration Management

CCC-08.2
Question: Is the procedure aligned with the requirements of the GRC-04: Policy Exception Process?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-08.1.
CCM Control ID: CCC-08
CCM Control Specification: Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.
CCM Control Title: Exception Management
CCM Domain Title: Change Control and Configuration Management

CCC-09.1
Question: Is a process to proactively roll back changes to a previously known "good state" defined and implemented in case of errors or security concerns?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID CCC-01.1.
CCM Control ID: CCC-09
CCM Control Specification: Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
CCM Control Title: Change Restoration
CCM Domain Title: Change Control and Configuration Management

CEK-01.1
Question: Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Internally, AWS establishes and manages cryptographic keys for required cryptography employed within the AWS infrastructure. AWS produces, controls and distributes symmetric cryptographic keys using NIST-approved key management technology and processes in the AWS information system. An AWS-developed secure key and credential manager is used to create, protect and distribute symmetric keys, AWS credentials needed on hosts, RSA public/private keys and X.509 certificates.
CSC Responsibilities: AWS customers are responsible for managing encryption keys within their AWS environments. Customers can leverage AWS services such as AWS KMS and CloudHSM to manage the lifecycle of their keys according to internal policy requirements. See the following:
AWS KMS: https://aws.amazon.com/kms/
AWS CloudHSM: https://aws.amazon.com/cloudhsm/
CCM Control ID: CEK-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
CCM Control Title: Encryption and Key Management Policy and Procedures
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-01.2
Question: Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: CEK-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
CCM Control Title: Encryption and Key Management Policy and Procedures
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-02.1
Question: Are cryptography, encryption, and key management roles and responsibilities defined and implemented?
CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSC Responsibilities: See response to CEK-01.1.
CCM Control ID: CEK-02
CCM Control Specification: Define and implement cryptographic, encryption and key management roles and responsibilities.
CCM Control Title: CEK Roles and Responsibilities
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-03.1
Question: Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms (for storage and in-transit) for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. Refer to the AWS Overview of Security Processes whitepaper for additional details, available at http://aws.amazon.com/security/security-learning/.
CCM Control ID: CEK-03
CCM Control Specification: Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
CCM Control Title: Data Encryption
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-04.1
Question: Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, and where it is stored, used and protected from disclosure.
CCM Control ID: CEK-04
CCM Control Specification: Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
CCM Control Title: Encryption Algorithm
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-05.1
Question: Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to CEK-01.1.
CSC Responsibilities: AWS customers are responsible for managing encryption keys within their AWS environments according to their internal policy requirements.
CCM Control ID: CEK-05
CCM Control Specification: Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
CCM Control Title: Encryption Change Management
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-06.1
Question: Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to CEK-01.1.
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. Refer to the AWS Overview of Security Processes whitepaper for additional details, available at http://aws.amazon.com/security/security-learning/.
CCM Control ID: CEK-06
CCM Control Specification: Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
CCM Control Title: Encryption Change Cost Benefit Analysis
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-07.1
Question: Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
Discovery – The discovery phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
Research – The research phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
Evaluate – The evaluate phase includes ensuring controls, processes and other physical and virtual safeguards are in place to prevent and detect identified and assessed risks.
Resolve – The resolve phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
Monitor – The monitor phase includes performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.
CCM Control ID: CEK-07
CCM Control Specification: Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
CCM Control Title: Encryption Risk Management
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-08.1
Question: Are CSPs providing CSCs with the capacity to manage their own data encryption keys?
CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-08
CCM Control Specification: CSPs must provide the capability for CSCs to manage their own data encryption keys.
CCM Control Title: CSC Key Management Capability
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-09.1
Question: Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system's risk exposure, and after any security event?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal, periodic audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CCM Control ID: CEK-09
CCM Control Specification: Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).
CCM Control Title: Encryption and Key Management Audit
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-09.2
Question: Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal, periodic audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CCM Control ID: CEK-09
CCM Control Specification: Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s).
CCM Control Title: Encryption and Key Management Audit
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-10.1
Question: Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS.
AWS establishes and manages cryptographic keys for required cryptography employed within the AWS infrastructure. AWS produces, controls and distributes symmetric cryptographic keys using NIST-approved key management technology and processes in the AWS information system. An AWS-developed secure key and credential manager is used to create, protect and distribute symmetric keys and is used to secure and distribute AWS credentials needed on hosts, RSA public/private keys and X.509 certificates.
AWS cryptographic processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CSC Responsibilities: AWS customers are responsible for managing encryption keys within their AWS environments according to their internal policy requirements.
CCM Control ID: CEK-10
CCM Control Specification: Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.
CCM Control Title: Key Generation
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-11.1
Question: Are private keys provisioned for a unique purpose managed, and is cryptography secret?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: Customers determine whether they want to leverage AWS KMS to store encryption keys in the cloud or use other mechanisms (on-premises HSM, other key management technologies) to store keys within their on-premises environments.
CCM Control ID: CEK-11
CCM Control Specification: Manage cryptographic secret and private keys that are provisioned for a unique purpose.
CCM Control Title: Key Purpose
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-12.1
Question: Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-12
CCM Control Specification: Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
CCM Control Title: Key Rotation
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-13.1
Question: Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures that include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
CCM Control Title: Key Revocation
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-14.1
Question: Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments and revocation of keys stored in hardware security modules (HSMs), and do they include applicable legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-14
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
CCM Control Title: Key Destruction
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-15.1
Question: Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-15
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
CCM Control Title: Key Activation
CCM Domain Title: Cryptography, Encryption & Key Management

CEK-16.1
Question: Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-16
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
CCM Control Title: Key Suspension
CCM Domain Title: Cryptography, Encryption & Key Management

Question ID: CEK-17.1
Question: Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-17
CCM Control Title: Key Deactivation
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-18.1
Question: Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-18
CCM Control Title: Key Archival
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-19.1
Question: Are processes, procedures, and technical measures to encrypt information in specific scenarios (e.g., only in controlled circumstances and thereafter only for data decryption and never for encryption) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: CEK-19
CCM Control Title: Key Compromise
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-20.1
Question: Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) being defined, implemented, and evaluated to include legal and regulatory requirement provisions?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description (Optional/Recommended): AWS establishes and manages cryptographic keys for required cryptography employed within the AWS infrastructure. AWS produces, controls and distributes symmetric cryptographic keys using NIST approved key management technology and processes in the AWS information system. An AWS developed secure key and credential manager is used to create, protect and distribute symmetric keys and is used to secure and distribute: AWS credentials needed on hosts, RSA public/private keys and X.509 certificates. AWS cryptographic processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CSC Responsibilities (Optional/Recommended): AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS.
CCM Control ID: CEK-20
CCM Control Title: Key Recovery
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
CCM Domain Title: Cryptography, Encryption & Key Management
Question ID: CEK-21.1
Question: Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes, including legal and regulatory requirement provisions?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS and EC2. IPsec tunnels to VPC are also encrypted. In addition, customers can leverage AWS Key Management Service (KMS) to create and control encryption keys (refer to https://aws.amazon.com/kms/). Refer to AWS SOC reports for more details on KMS. In addition, refer to the AWS Cloud Security Whitepaper for additional details, available at http://aws.amazon.com/security.
CCM Control ID: CEK-21
CCM Control Title: Key Inventory Management
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
CCM Domain Title: Cryptography, Encryption & Key Management
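Controls CEK-15 through CEK-21 all fall to the customer as key owner: keys that exist but are not yet usable, approved moves into and out of suspension, deactivation at expiry, least-privilege access to archived keys, compromised keys restricted to decryption, and an inventory that reports every status change. The following is an added example, not AWS code and not the KMS API, showing one way to express those rules as a customer-side state machine with an audit trail. The state names follow NIST SP 800-57 Part 1; the key identifiers, actors and dates are constructed, and no cryptography is performed.

```python
# Added example (not AWS code): a key-lifecycle policy layer covering the
# behaviour CEK-15 to CEK-21 ask a customer to define for keys it controls.
# State names follow NIST SP 800-57 Part 1; this sits above a KMS-style
# service, which exposes a smaller state set, rather than replacing it.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# CEK-16: the only transitions a key may make; anything else is rejected and logged.
TRANSITIONS = {
    "pre-activation": {"active", "destroyed"},
    "active": {"suspended", "deactivated", "compromised"},
    "suspended": {"active", "deactivated", "compromised"},
    "deactivated": {"destroyed", "compromised"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}
# CEK-15/CEK-19: pre-activated and suspended keys do nothing; deactivated and
# compromised keys may only decrypt data already under them, never encrypt.
PERMITTED_OPS = {
    "pre-activation": set(), "active": {"encrypt", "decrypt"}, "suspended": set(),
    "deactivated": {"decrypt"}, "compromised": {"decrypt"}, "destroyed": set(),
}

@dataclass
class ManagedKey:
    key_id: str
    owner: str
    expires_at: datetime
    state: str = "pre-activation"        # CEK-15: generated but not yet authorized
    archived: bool = False               # CEK-18: copy held in the archive repository
    archive_readers: set = field(default_factory=set)  # CEK-18: least-privilege allow-list

@dataclass
class KeyInventory:
    keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # CEK-21: every event, allowed or denied

    def _log(self, now, key_id, actor, event, detail=""):
        self.audit.append((now, key_id, actor, event, detail))

    def generate(self, key_id, owner, lifetime_days, now, actor):
        self.keys[key_id] = ManagedKey(key_id, owner, now + timedelta(days=lifetime_days))
        self._log(now, key_id, actor, "generated", "state=pre-activation")

    def transition(self, key_id, new_state, now, actor, approver=None):
        """Move a key between states; returns True only if policy allows it."""
        key = self.keys[key_id]
        allowed = new_state in TRANSITIONS[key.state]
        # CEK-16: moving into or out of suspension needs a second, distinct approver.
        if allowed and "suspended" in (key.state, new_state):
            allowed = approver is not None and approver != actor
        if not allowed:
            self._log(now, key_id, actor, "transition_rejected", f"{key.state}->{new_state}")
            return False
        self._log(now, key_id, actor, "transition", f"{key.state}->{new_state} approver={approver}")
        key.state = new_state
        return True

    def use(self, key_id, op, now, actor):
        """Gate an 'encrypt' or 'decrypt' request on the key's current state."""
        ok = op in PERMITTED_OPS[self.keys[key_id].state]
        self._log(now, key_id, actor, "use_allowed" if ok else "use_denied", op)
        return ok

    def expire(self, now, actor="scheduler"):
        """CEK-17: deactivate every active or suspended key whose expiry has passed."""
        expired = []
        for key in self.keys.values():
            if key.state in ("active", "suspended") and now >= key.expires_at:
                self._log(now, key.key_id, actor, "transition", f"{key.state}->deactivated (expired)")
                key.state, expired = "deactivated", expired + [key.key_id]
        return expired

    def archive(self, key_id, readers, now, actor):
        """CEK-18: only a deactivated key may be archived; readers is the allow-list."""
        key = self.keys[key_id]
        if key.state != "deactivated":
            return False
        key.archived, key.archive_readers = True, set(readers)
        self._log(now, key_id, actor, "archived", f"readers={sorted(readers)}")
        return True

    def fetch_archived(self, key_id, actor, now):
        key = self.keys[key_id]
        ok = key.archived and actor in key.archive_readers
        self._log(now, key_id, actor, "archive_read" if ok else "archive_denied")
        return ok

    def report(self):
        """CEK-21: current state of each key and how many status changes it has had."""
        return {k: (key.state, sum(1 for e in self.audit if e[1] == k and e[3] == "transition"))
                for k, key in self.keys.items()}

def demo():
    """Walk one constructed key through its life; returns every policy decision."""
    inv, t0 = KeyInventory(), datetime(2022, 5, 1, tzinfo=timezone.utc)
    inv.generate("k1", "payments", 30, t0, "alice")
    later = t0 + timedelta(days=31)
    return {
        "encrypt_before_activation": inv.use("k1", "encrypt", t0, "app"),
        "activate": inv.transition("k1", "active", t0, "alice"),
        "suspend_self_approved": inv.transition("k1", "suspended", t0, "alice", approver="alice"),
        "suspend_approved": inv.transition("k1", "suspended", t0, "alice", approver="bob"),
        "encrypt_suspended": inv.use("k1", "encrypt", t0, "app"),
        "reactivate": inv.transition("k1", "active", t0, "alice", approver="bob"),
        "expired": inv.expire(later),
        "archive": inv.archive("k1", {"keeper"}, later, "alice"),
        "archive_read_app": inv.fetch_archived("k1", "app", later),
        "archive_read_keeper": inv.fetch_archived("k1", "keeper", later),
        "compromise": inv.transition("k1", "compromised", later, "alice"),
        "decrypt_compromised": inv.use("k1", "decrypt", later, "app"),
        "encrypt_compromised": inv.use("k1", "encrypt", later, "app"),
        "report": inv.report(),
    }
```

The audit list is the artefact an assessor would ask for under CEK-21: rejected transitions and denied uses are recorded alongside the approved ones, so a self-approved suspension or an encrypt call against a compromised key shows up in the report rather than silently failing.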
Question ID: DCS-01.1
Question: Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Environments used for the delivery of the AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS Media Protection Policy. This policy includes procedures around access, marking, storage, transporting, and sanitization. Live media transported outside of data center secure zones is escorted by authorized personnel.
CCM Control ID: DCS-01
CCM Control Title: Off-Site Equipment Disposal Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-01.2
Question: Is a data destruction procedure applied that renders information recovery impossible if equipment is not physically destroyed?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 ("Guidelines for Media Sanitization") as part of the decommissioning process. Refer to AWS: Overview of Security Processes Whitepaper for additional details, available at http://aws.amazon.com/security/security-learning/.
CCM Control ID: DCS-01
CCM Control Title: Off-Site Equipment Disposal Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-01.3
Question: Are policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually?
CAIQ Answer: Yes
CSP Implementation Description (Optional/Recommended): Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: DCS-01
CCM Control Title: Off-Site Equipment Disposal Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-02.1
Question: Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, and maintained?
CAIQ Answer: Yes
CSP Implementation Description (Optional/Recommended): AWS has established formal policies and procedures to provide employees a common baseline for information security standards and guidance. The AWS Information Security Management System policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS. AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of AWS services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CCM Control ID: DCS-02
CCM Control Title: Off-Site Transfer Authorization Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-02.2
Question: Does a relocation or transfer request require written or cryptographically verifiable authorization?
CAIQ Answer: Yes
CSP Implementation Description (Optional/Recommended): Environments used for the delivery of the AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS Media Protection Policy. This policy includes procedures around access, marking, storage, transporting, and sanitization. Live media transported outside of data center secure zones is escorted by authorized personnel.
CCM Control ID: DCS-02
CCM Control Title: Off-Site Transfer Authorization Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-02.3
Question: Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: DCS-02
CCM Control Title: Off-Site Transfer Authorization Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-03.1
Question: Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS engages with external certifying bodies and independent auditors to review and validate our compliance with compliance frameworks. AWS SOC reports provide additional details on the specific physical security control activities executed by AWS. Refer to ISO 27001 standards; Annex A, domain 11 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
CCM Control ID: DCS-03
CCM Control Title: Secure Area Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-03.2
Question: Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: DCS-03
CCM Control Title: Secure Area Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-04.1
Question: Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Environments used for the delivery of the AWS services are managed by authorized personnel and are located in AWS managed data centers. Media handling controls for the data centers are managed by AWS in alignment with the AWS Media Protection Policy. This policy includes procedures around access, marking, storage, transporting, and sanitization. Live media transported outside of data center secure zones is escorted by authorized personnel.
CCM Control ID: DCS-04
CCM Control Title: Secure Media Transportation Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-04.2
Question: Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: DCS-04
CCM Control Title: Secure Media Transportation Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
CCM Domain Title: Datacenter Security
Question ID: DCS-05.1
Question: Is the classification and documentation of physical and logical assets based on the organizational business risk?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): In alignment with ISO 27001 standards, AWS assets are assigned an owner, tracked and monitored by AWS personnel with AWS proprietary inventory management tools.
CCM Control ID: DCS-05
CCM Control Title: Assets Classification
CCM Control Specification: Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk.
CCM Domain Title: Datacenter Security
Question ID: DCS-06.1
Question: Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): In alignment with ISO 27001 standards, AWS hardware assets are assigned an owner, tracked and monitored by AWS personnel with AWS proprietary inventory management tools.
CCM Control ID: DCS-06
CCM Control Title: Assets Cataloguing and Tracking
CCM Control Specification: Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.
CCM Domain Title: Datacenter Security
Question ID: DCS-07.1
Question: Are physical security perimeters implemented to safeguard personnel, data, and information systems?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. The AWS SOC reports provide additional details on the specific control activities executed by AWS. Refer to ISO 27001 standards; Annex A, domain 11 for further information. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. For more information on the design, layout and operations of our data centers, please visit this site: AWS Data Center Overview.
CCM Control ID: DCS-07
CCM Control Title: Controlled Access Points
CCM Control Specification: Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.
CCM Domain Title: Datacenter Security
Question ID: DCS-07.2
Question: Are physical security perimeters established between administrative and business areas, data storage, and processing facilities?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. The AWS SOC reports provide additional details on the specific control activities executed by AWS. Refer to ISO 27001 standards; Annex A, domain 11 for further information. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. For more information on the design, layout and operations of our data centers, please visit this site: AWS Data Center Overview.
CCM Control ID: DCS-07
CCM Control Title: Controlled Access Points
CCM Control Specification: Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.
CCM Domain Title: Datacenter Security
Question ID: DCS-08.1
Question: Is equipment identification used as a method for connection authentication?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS manages equipment identification in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
CCM Control ID: DCS-08
CCM Control Title: Equipment Identification
CCM Control Specification: Use equipment identification as a method for connection authentication.
CCM Domain Title: Datacenter Security
Question ID: DCS-09.1
Question: Are solely authorized personnel able to access secure areas, with all ingress and egress areas restricted, documented, and monitored by physical access control mechanisms?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Physical access is strictly controlled both at the perimeter and at building ingress points and includes, but is not limited to, professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy.
CCM Control ID: DCS-09
CCM Control Title: Secure Area Authorization
CCM Control Specification: Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
CCM Domain Title: Datacenter Security
Question ID: DCS-09.2
Question: Are access control records retained periodically, as deemed appropriate by the organization?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Authentication logging aggregates sensitive logs from EC2 hosts and stores them on S3. The log integrity checker inspects logs to ensure they were uploaded to S3 unchanged by comparing them with local manifest files. Access and privileged command auditing logs record every automated and interactive login to the systems as well as every privileged command executed. External access to data stored in Amazon S3 is logged and the logs are retained for at least 90 days, including relevant access request information, such as the data accessor IP address, object, and operation.
CCM Control ID: DCS-09
CCM Control Title: Secure Area Authorization
CCM Control Specification: Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
CCM Domain Title: Datacenter Security
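The DCS-09.2 answer describes two mechanisms worth reproducing on the customer side: an integrity checker that compares logs uploaded to S3 against local manifest files, and access logs that record the accessor IP, object and operation and are kept for at least 90 days. The following is an added example, not AWS's internal tooling, of how a customer can apply the same two checks to its own audit logs. The log contents, bucket name and account identifiers are constructed; the access-log lines reproduce only the leading fields of the public S3 server access log layout.

```python
# Added example (not AWS's internal tooling): the two checks the DCS-09.2
# answer describes, run on constructed data. A SHA-256 manifest written
# beside the logs before upload is compared with the stored copies afterwards,
# and access-log lines are parsed for accessor IP, object and operation so
# records inside the retention floor are kept apart from those past it.
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed log files as they sit on the host before upload.
LOCAL_LOGS = {
    "auth/2022-05-01.log": (b"2022-05-01T10:00:01Z login user=svc-deploy method=ssh-cert result=ok\n"
                            b"2022-05-01T10:00:07Z privcmd user=svc-deploy cmd='systemctl restart agent'\n"),
    "auth/2022-05-02.log": b"2022-05-02T09:12:44Z login user=ops-jane method=ssh-cert result=ok\n",
}

# Constructed access-log lines. Leading fields follow the public S3 server access
# log layout: owner bucket [time] remote-ip requester request-id operation key "uri" status
ACCESS_LOG = """\
OWNERID audit-logs [01/May/2022:10:05:12 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/ops-jane REQ1 REST.GET.OBJECT auth/2022-05-01.log "GET /auth/2022-05-01.log HTTP/1.1" 200
OWNERID audit-logs [03/Feb/2022:08:00:00 +0000] 203.0.113.9 arn:aws:iam::123456789012:role/retention-job REQ2 REST.DELETE.OBJECT auth/2022-01-01.log "DELETE /auth/2022-01-01.log HTTP/1.1" 204
"""


def build_manifest(logs):
    """Digest every log file; the manifest stays on the host, not only in the bucket."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in logs.items()}


def verify_uploaded(manifest, stored):
    """Compare stored copies against the manifest.

    'modified' means the digest differs (truncated, edited or wrong object),
    'missing' means the upload never landed, 'unexpected' means the bucket
    holds a file the host never produced."""
    problems = {"missing": [], "modified": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in stored:
            problems["missing"].append(name)
        elif hashlib.sha256(stored[name]).hexdigest() != digest:
            problems["modified"].append(name)
    problems["unexpected"] = sorted(n for n in stored if n not in manifest)
    return problems


def parse_access_log(text):
    """Pull time, accessor IP, requester, operation and object key from each line."""
    records = []
    for line in text.splitlines():
        f = line.split()
        when = datetime.strptime(f[2][1:] + " " + f[3][:-1], "%d/%b/%Y:%H:%M:%S %z")
        records.append({"time": when, "ip": f[4], "requester": f[5],
                        "operation": f[7], "key": f[8]})
    return records


def retention_report(records, now, min_days=90):
    """Split records into those inside the retention floor and those past it.
    Only the second group may ever be considered for purge."""
    floor = now - timedelta(days=min_days)
    keep = [r for r in records if r["time"] >= floor]
    purgeable = [r for r in records if r["time"] < floor]
    return keep, purgeable


def demo():
    """Simulate one upload with two constructed faults and one retention pass."""
    manifest = build_manifest(LOCAL_LOGS)
    stored = dict(LOCAL_LOGS)
    stored["auth/2022-05-01.log"] = stored["auth/2022-05-01.log"][:60]  # lost its tail
    stored["auth/stray.log"] = b"not produced by any host\n"            # never in the manifest
    problems = verify_uploaded(manifest, stored)
    keep, purgeable = retention_report(parse_access_log(ACCESS_LOG),
                                       datetime(2022, 5, 15, tzinfo=timezone.utc))
    return problems, keep, purgeable
```

The manifest must be produced before the upload and retained where the uploader cannot rewrite it; a manifest generated from the stored copies would verify a truncated file as intact.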
Question ID: DCS-10.1
Question: Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Physical access is strictly controlled both at the perimeter and at building ingress points and includes, but is not limited to, professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy.
CCM Control ID: DCS-10
CCM Control Title: Surveillance System
CCM Control Specification: Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.
CCM Domain Title: Datacenter Security
Question ID: DCS-11.1
Question: Are datacenter personnel trained to respond to unauthorized access or egress attempts?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Physical access is strictly controlled both at the perimeter and at building ingress points and includes, but is not limited to, professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy.
CCM Control ID: DCS-11
CCM Control Title: Unauthorized Access Response Training
CCM Control Specification: Train datacenter personnel to respond to unauthorized ingress or egress attempts.
CCM Domain Title: Datacenter Security
Question ID: DCS-12.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS equipment is protected from utility service outages in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. AWS SOC reports provide additional details on controls in place to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
CCM Control ID: DCS-12
CCM Control Title: Cabling Security
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.
CCM Domain Title: Datacenter Security
Question ID: DCS-13.1
Question: Are data center environmental control systems designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards effectively implemented and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS data centers incorporate physical protection against environmental risks. AWS' physical protection against environmental risks has been validated by an independent auditor and has been certified as being in alignment with ISO 27002 best practices. Refer to ISO 27001 standard, Annex A domain 11 and the link below for the data center controls overview: https://aws.amazon.com/compliance/data-center/controls/
CCM Control ID: DCS-13
CCM Control Title: Environmental Systems
CCM Control Specification: Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.
CCM Domain Title: Datacenter Security
Question ID: DCS-14.1
Question: Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard. AWS SOC reports provide additional details on controls in place to minimize the effect of a malfunction or physical disaster to the computer and data center facilities. Please refer to the link below for the data center controls overview: https://aws.amazon.com/compliance/data-center/controls/
CCM Control ID: DCS-14
CCM Control Title: Secure Utilities
CCM Control Specification: Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.
CCM Domain Title: Datacenter Security
Question ID: DCS-15.1
Question: Is business-critical equipment segregated from locations subject to a high probability of environmental risk events?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): The AWS Security Operations Center performs quarterly threat and vulnerability reviews of datacenters and colocation sites. These reviews are in addition to an initial environmental and geographic assessment of a site performed prior to building or leasing. The quarterly reviews are validated by third parties during our SOC, PCI, and ISO assessments.
CCM Control ID: DCS-15
CCM Control Title: Equipment Location
CCM Control Specification: Keep business-critical equipment away from locations subject to high probability for environmental risk events.
CCM Domain Title: Datacenter Security
Question ID: DSP-01.1
Question: Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): AWS has implemented data handling and classification requirements which provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Handling requirements
AWS services are content agnostic, in that they offer the same high level of security to customers, regardless of the type of content being stored. We are vigilant about our customers' security and have implemented sophisticated technical and physical measures against unauthorized access. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-01
CCM Control Title: Security and Privacy Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-01.2
Question: Are data security and privacy policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: DSP-01
CCM Control Title: Security and Privacy Policy and Procedures
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-02.1
Question: Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description (Optional/Recommended): When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 ("Guidelines for Media Sanitization") as part of the decommissioning process. Refer to AWS: Overview of Security Processes Whitepaper for additional details, available at http://aws.amazon.com/security/security-learning/.
CCM Control ID: DSP-02
CCM Control Title: Secure Disposal
CCM Control Specification: Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-03.1
Question: Is a data inventory created and maintained for sensitive and personal information (at a minimum)?
CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-03
CCM Control Title: Data Inventory
CCM Control Specification: Create and maintain a data inventory, at least for any sensitive data and personal data.
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-04.1
Question: Is data classified according to type and sensitivity levels?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-04
CCM Control Specification: Classify data according to its type and sensitivity level.
CCM Control Title: Data Classification
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-05.1
Question: Is data flow documentation created to identify what data is processed and where it is stored and transmitted?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-05
CCM Control Specification: Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
CCM Control Title: Data Flow Documentation
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-05.2
Question: Is data flow documentation reviewed at defined intervals, at least annually, and after any change?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-05
CCM Control Specification: Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
CCM Control Title: Data Flow Documentation
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-06.1
Question: Is the ownership and stewardship of all relevant personal and sensitive data documented?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-06
CCM Control Specification: Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
CCM Control Title: Data Ownership and Stewardship
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-06.2
Question: Is data ownership and stewardship documentation reviewed at least annually?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-06
CCM Control Specification: Document ownership and stewardship of all relevant documented personal and sensitive data. Perform review at least annually.
CCM Control Title: Data Ownership and Stewardship
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-07.1
Question: Are systems, products, and business practices based on security principles by design and per industry best practices?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains a systematic approach to planning and developing new services for the AWS environment, to ensure the quality and security requirements are met with each release. The design of new services or any significant changes to current services follow secure software development practices and are controlled through a project management system with multi-disciplinary participation. Prior to launch, each of the following requirements must be reviewed:
• Security Risk Assessment
• Threat modeling
• Security design reviews
• Secure code reviews
• Security testing
• Vulnerability/penetration testing
CCM Control ID: DSP-07
CCM Control Specification: Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
CCM Control Title: Data Protection by Design and Default
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-08.1
Question: Are systems, products, and business practices based on privacy principles by design and according to industry best practices?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-08
CCM Control Specification: Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
CCM Control Title: Data Privacy by Design and Default
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-08.2
Question: Are systems' privacy settings configured by default and according to all applicable laws and regulations?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for adhering to regulatory requirements in the jurisdictions in which their business is active.
CCM Control ID: DSP-08
CCM Control Specification: Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
CCM Control Title: Data Privacy by Design and Default
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-09.1
Question: Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-09
CCM Control Specification: Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of the risks upon the processing of personal data, according to any applicable laws, regulations and industry best practices.
CCM Control Title: Data Protection Impact Assessment
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-10.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-10
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
CCM Control Title: Sensitive Data Transfer
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-11.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-11
CCM Control Specification: Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
CCM Control Title: Personal Data Access, Reversal, Rectification and Deletion
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-12.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS has established a formal Data Subject Access Request (DSAR) process in accordance with the General Data Protection Regulation (GDPR). To initiate one, customers call AWS and open a Harbinger ticket by contacting a CS Team Manager, who will work with Legal to open a ticket. The process includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CSC Responsibilities (Optional/Recommended): AWS customers are responsible for the management of the data (including adhering to applicable laws and regulations) they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: DSP-12
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is processed according to any applicable laws and regulations and for the purposes declared to the data subject.
CCM Control Title: Limitation of Purpose in Personal Data Processing
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-13.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)?
CSP CAIQ Answer: NA
CSP Implementation Description: Note: AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
AWS does not utilize third parties to provide services to customers. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round please refer to https://aws.amazon.com/compliance/sub-processors/.
CCM Control ID: DSP-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-processing of personal data within the service supply chain, according to any applicable laws and regulations.
CCM Control Title: Personal Data Sub-processing
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-14.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to disclose details to the data owner of any personal or sensitive data access by sub-processors before processing initiation?
CSP CAIQ Answer: NA
CSP Implementation Description: AWS does not utilize third parties to provide services to customers. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round please refer to https://aws.amazon.com/compliance/third-party-access/.
CCM Control ID: DSP-14
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to disclose the details of any personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
CCM Control Title: Disclosure of Data Sub-processors
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-15.1
Question: Is authorization from data owners obtained, and the associated risk managed, before replicating or using production data in non-production environments?
CSP CAIQ Answer: NA
CSP Implementation Description: Customer data is not used for testing.
CCM Control ID: DSP-15
CCM Control Specification: Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
CCM Control Title: Limitation of Production Data Use
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-16.1
Question: Do data retention, archiving, and deletion practices follow business requirements, applicable laws, and regulations?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS maintains a retention policy applicable to AWS internal data and system components in order to continue operations of AWS business and services. Critical AWS system components, including audit evidence and logging records, are replicated across multiple Availability Zones and backups are maintained and monitored.
CSC Responsibilities (Optional/Recommended): AWS customers are responsible for the management of the data they place into AWS services, including retention, archiving, and deletion policies and practices.
CCM Control ID: DSP-16
CCM Control Specification: Data retention, archiving and deletion is managed in accordance with business requirements, applicable laws and regulations.
CCM Control Title: Data Retention and Deletion
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-17.1
Question: Are processes, procedures, and technical measures defined and implemented to protect sensitive data throughout its lifecycle?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): Customers control their customer content. With AWS, customers:
• Determine where their customer content will be stored, including the type of storage and geographic region of that storage.
• Can replicate and back up their customer content in more than one region, and we will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
• Choose the secured state of their customer content. We offer customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
• Manage access to their customer content and AWS services and resources through users, groups, permissions and credentials that customers control.
CCM Control ID: DSP-17
CCM Control Specification: Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
CCM Control Title: Sensitive Data Protection
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-18.1
Question: Does the CSP have in place, and describe to CSCs, the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: We are vigilant about our customers' privacy. AWS policy prohibits the disclosure of customer content unless we're required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body. Unless we are prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure. It's also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.
We know transparency matters to our customers, so we regularly publish a report about the types and volume of information requests we receive here: https://aws.amazon.com/compliance/amazon-information-requests/.
CCM Control ID: DSP-18
CCM Control Specification: The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
CCM Control Title: Disclosure Notification
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-18.2
Question: Does the CSP give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: See response to Question ID DSP-18.1.
CCM Control ID: DSP-18
CCM Control Specification: The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited, such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.
CCM Control Title: Disclosure Notification
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: DSP-19.1
Question: Are processes, procedures, and technical measures defined and implemented to specify and document physical data locations, including locales where data is processed or backed up?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities (Optional/Recommended): This is a customer responsibility.
Customers manage access to their customer content and AWS services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively (such as AWS CloudTrail). We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users.
Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer's chosen region(s), except as legally required and as necessary to maintain the AWS services and provide them to our customers and their end users.
Customers choose how their customer content is secured. We offer our customers strong encryption for customer content in transit or at rest, and we provide customers with the option to manage their own encryption keys.
CCM Control ID: DSP-19
CCM Control Specification: Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
CCM Control Title: Data Location
CCM Domain Title: Data Security and Privacy Lifecycle Management
Question ID: GRC-01.1
Question: Are information governance program policies and procedures sponsored by organizational leadership established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established formal policies and procedures to provide employees a common baseline for information security standards and guidance. The AWS Information Security Management System policy establishes guidelines for protecting the confidentiality, integrity, and availability of customers' systems and content. Maintaining customer trust and confidence is of the utmost importance to AWS.
AWS works to comply with applicable federal, state, and local laws, statutes, ordinances, and regulations concerning security, privacy and data protection of AWS services in order to minimize the risk of accidental or unauthorized access or disclosure of customer content.
CCM Control ID: GRC-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
CCM Control Title: Governance Program Policy and Procedures
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-01.2
Question: Are the policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: GRC-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
CCM Control Title: Governance Program Policy and Procedures
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-02.1
Question: Is there an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
Discovery – The discovery phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
Research – The research phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
Evaluate – The evaluate phase includes ensuring controls, processes and other physical and virtual safeguards are in place to prevent and detect identified and assessed risks.
Resolve – The resolve phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
Monitor – The monitor phase includes performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.
CCM Control ID: GRC-02
CCM Control Specification: Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
CCM Control Title: Risk Management Program
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-03.1
Question: Are all relevant organizational policies and associated procedures reviewed at least annually, or when a substantial organizational change occurs?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: GRC-03
CCM Control Specification: Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
CCM Control Title: Organizational Policy Reviews
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-04.1
Question: Is an approved exception process mandated by the governance program established and followed whenever a deviation from an established policy occurs?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Management reviews exceptions to security policies to assess and mitigate risks. AWS Security maintains a documented procedure describing the policy exception workflow on an internal AWS website. Policy exceptions are tracked and maintained with the policy tool and exceptions are approved, rejected, or denied based on the procedures outlined within the procedure document.
CCM Control ID: GRC-04
CCM Control Specification: Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
CCM Control Title: Policy Exception Process
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-05.1
Question: Has an information security program (including programs of all relevant CCM domains) been developed and implemented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established an information security management program with designated roles and responsibilities that are appropriately aligned within the organization. AWS management reviews and evaluates the risks identified in the risk management program at least annually. The risk management program encompasses the following phases:
Discovery – The discovery phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
Research – The research phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
Evaluate – The evaluate phase includes ensuring controls, processes and other physical and virtual safeguards are in place to prevent and detect identified and assessed risks.
Resolve – The resolve phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
Monitor – The monitor phase includes performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.
CCM Control ID: GRC-05
CCM Control Specification: Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
CCM Control Title: Information Security Program
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-06.1
Question: Are roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs defined and documented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID GRC-05.1.
CCM Control ID: GRC-06
CCM Control Specification: Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
CCM Control Title: Governance Responsibility Model
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-07.1
Question: Are all relevant standards, regulations, legal/contractual, and statutory requirements applicable to your organization identified and documented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS documents, tracks, and monitors its legal, regulatory, and contractual agreements and obligations. In order to do so, AWS performs and maintains the following activities:
1) Identifies and evaluates applicable laws and regulations for each of the jurisdictions in which AWS operates
2) Documents and implements controls to help ensure its conformity with statutory, regulatory, and contractual requirements relevant to AWS
3) Categorizes the sensitivity of information according to the AWS information security policies to help protect from loss, destruction, falsification, unauthorized access and unauthorized release
4) Informs and continually trains personnel that must be made aware of information security policies to help protect sensitive AWS information
5) Monitors for nonconformities to the information security policies with a process in place to take corrective actions and enforce appropriate disciplinary action
AWS maintains relationships with internal and external parties to monitor legal, regulatory, and contractual requirements. Should a new security directive be issued, AWS creates and documents plans to implement the directive within a designated timeframe.
AWS provides customers with evidence of its compliance with applicable legal, regulatory, and contractual requirements through audit reports, attestations, certifications and other compliance enablers. Visit aws.amazon.com/artifact for information on how to review the AWS external attestation and assurance documentation.
CCM Control ID: GRC-07
CCM Control Specification: Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization.
CCM Control Title: Information System Regulatory Mapping
CCM Domain Title: Governance, Risk and Compliance
Question ID: GRC-08.1
Question: Is contact established and maintained with cloud-related special interest groups and other relevant entities?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS personnel are part of special interest groups, including relevant external parties such as security groups. AWS personnel use these groups to improve their knowledge about security best practices and to stay up to date with relevant security information.
CCM Control ID: GRC-08
CCM Control Specification: Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.
CCM Control Title: Special Interest Groups
CCM Domain Title: Governance, Risk and Compliance
Question ID: HRS-01.1
Question: Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Where permitted by law, AWS requires that employees undergo a background screening at hiring, commensurate with their position and level of access. (Control AWSCA-9.2)
AWS has a process to assess whether AWS employees who have access to resources that store or process customer data via permission groups are subject to a post-hire background check as applicable with local law. AWS employees who have access to resources that store or process customer data will have a background check no less than once a year. (Control AWSCA-9.9)
CCM Control ID: HRS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
CCM Control Title: Background Screening Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-01.2
Question: Are background verification policies and procedures designed according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, business requirements, and acceptable risk?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS conducts criminal background checks, as permitted by applicable law, as part of pre-employment screening practices for employees commensurate with the employee's position and level of access to AWS facilities. The AWS SOC reports provide additional details regarding the controls in place for background verification.
CCM Control ID: HRS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
CCM Control Title: Background Screening Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-01.3
Question: Are background verification policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: HRS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and update the policies and procedures at least annually.
CCM Control Title: Background Screening Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-02.1
Question: Are policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has implemented data handling and classification requirements that provide specifications around:
• Data encryption
• Content in transit and during storage
• Access
• Retention
• Physical controls
• Mobile devices
• Data handling requirements
Employees are required to review and sign off on an employment contract, which acknowledges their responsibilities to overall Company standards and information security.
CCM Control ID: HRS-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
CCM Control Title: Acceptable Use of Technology Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-02.2
Question: Are the policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: HRS-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
CCM Control Title: Acceptable Use of Technology Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-03.1
Question: Are policies and procedures requiring unattended workspaces to conceal confidential data established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS roles and responsibilities for maintaining a safe and secure working environment are reviewed by independent external auditors during audits for our SOC, PCI DSS and ISO 27001 compliance.
CCM Control ID: HRS-03
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.
CCM Control Title: Clean Desk Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-03.2
Question: Are policies and procedures requiring unattended workspaces to conceal confidential data reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: HRS-03
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.
CCM Control Title: Clean Desk Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-04.1
Question: Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. All access from remote devices to the AWS corporate environment is managed via VPN and MFA. The AWS production network is separated from the corporate network by multiple layers of security documented in various control documents discussed in other sections of this response.
CCM Control ID: HRS-04
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
CCM Control Title: Remote and Home Working Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-04.2
Question: Are policies and procedures to protect information accessed, processed, or stored at remote sites and locations reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: HRS-04
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
CCM Control Title: Remote and Home Working Policy and Procedures
CCM Domain Title: Human Resources
Question ID: HRS-05.1
Question: Are return procedures of organizationally-owned assets by terminated employees established and documented?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Upon termination of employees or contracts, AWS assets in their possession are retrieved on the date of termination. In case of immediate termination, the employee's or contractor's manager retrieves all AWS assets (e.g., authentication tokens, keys, badges) and escorts them out of the AWS facility.
CCM Control ID: HRS-05
CCM Control Specification: Establish and document procedures for the return of organization-owned assets by terminated employees.
CCM Control Title: Asset returns
CCM Domain Title: Human Resources
Question ID: HRS-06.1
Question: Are procedures outlining the roles and responsibilities concerning changes in employment established, documented, and communicated to all personnel?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS Human Resources team defines internal management responsibilities to be followed for termination and role change of employees and vendors. AWS SOC reports provide additional details.
CCM Control ID: HRS-06
CCM Control Specification: Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
CCM Control Title: Employment Termination
CCM Domain Title: Human Resources
Question ID: HRS-07.1
Question: Are employees required to sign an employment agreement before gaining access to organizational information systems, resources, and assets?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Personnel supporting AWS systems and devices must sign a non-disclosure agreement prior to being granted access. Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the Amazon Code of Business Conduct and Ethics (Code of Conduct) Policy.
CCM Control ID: HRS-07
CCM Control Specification: Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
CCM Control Title: Employment Agreement Process
CCM Domain Title: Human Resources
Question ID: HRS-08.1
Question: Are provisions and/or terms for adherence to established information governance and security policies included within employment agreements?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with the ISO 27001 standard, AWS employees complete periodic role-based training that includes AWS Security training and requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies. Refer to SOC reports for additional details.
CCM Control ID: HRS-08
CCM Control Specification: The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.
CCM Control Title: Employment Agreement Content
CCM Domain Title: Human Resources
Question ID: HRS-09.1
Question: Are employee roles and responsibilities relating to information assets and security documented and communicated?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.
CCM Control ID: HRS-09
CCM Control Specification: Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
CCM Control Title: Personnel Roles and Responsibilities
CCM Domain Title: Human Resources
Question ID: HRS-10.1
Question: Are requirements for non-disclosure/confidentiality agreements reflecting organizational data protection needs and operational details identified, documented, and reviewed at planned intervals?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon Legal Counsel manages and periodically revises the Amazon NDA to reflect AWS business needs.
CCM Control ID: HRS-10
CCM Control Specification: Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
CCM Control Title: Non-Disclosure Agreements
CCM Domain Title: Human Resources
Question ID: HRS-11.1
Question: Is a security awareness training program for all employees of the organization established, documented, approved, communicated, applied, evaluated and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with the ISO 27001 standard, all AWS employees complete periodic Information Security training which requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies. AWS roles and responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS and ISO 27001 compliance.
CCM Control ID: HRS-11
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
CCM Control Title: Security Awareness Training
CCM Domain Title: Human Resources
Question ID: HRS-11.2
Question: Are regular security awareness training updates provided?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID HRS-11.1.
CCM Control ID: HRS-11
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
CCM Control Title: Security Awareness Training
CCM Domain Title: Human Resources
Question ID: HRS-12.1
Question: Are all employees granted access to sensitive organizational and personal data provided with appropriate security awareness training?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with the ISO 27001 standard, all AWS employees complete periodic Information Security training which requires an acknowledgement to complete. Compliance audits are periodically performed to validate that employees understand and follow the established policies. AWS roles and responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS and ISO 27001 compliance.
CCM Control ID: HRS-12
CCM Control Specification: Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
CCM Control Title: Personal and Sensitive Data Awareness and Training
CCM Domain Title: Human Resources
Question ID: HRS-12.2
Question: Are all employees granted access to sensitive organizational and personal data provided with regular updates in procedures, processes, and policies relating to their professional function?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. All access from remote devices to the AWS corporate environment is managed via VPN and MFA. The AWS production network is separated from the corporate network by multiple layers of security documented in various control documents discussed in other sections of this response. Customers retain the control and responsibility of their data and associated media assets. It is the responsibility of the customer to manage mobile security devices and the access to the customer's content.
CCM Control ID: HRS-12
CCM Control Specification: Provide all employees with access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
CCM Control Title: Personal and Sensitive Data Awareness and Training
CCM Domain Title: Human Resources
Question ID: HRS-13.1
Question: Are employees notified of their roles and responsibilities to maintain awareness and compliance with established policies, procedures, and applicable legal, statutory, or regulatory compliance obligations?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees as well as electronic mail messages and the posting of information via the Amazon intranet. Refer to the ISO 27001 standard, Annex A, domains 7 and 8. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: HRS-13
CCM Control Specification: Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
CCM Control Title: Compliance User Responsibility
CCM Domain Title: Human Resources
Question ID: IAM-01.1
Question: Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001, AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools. Refer to ISO 27001 Annex A, domain 9 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: IAM-01
CCM Control Specification: Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
CCM Control Title: Identity and Access Management Policy and Procedures
CCM Domain Title: Identity & Access Management
Question ID: IAM-01.2
Question: Are identity and access management policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: IAM-01
CCM Control Specification: Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
CCM Control Title: Identity and Access Management Policy and Procedures
CCM Domain Title: Identity & Access Management
Question ID: IAM-02.1
Question: Are strong password policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS internal Password Policies and guidelines outline requirements for password strength and handling for passwords used to access internal systems. AWS Identity and Access Management (IAM) enables customers to securely control access to AWS services and resources for their users. Additional information about IAM can be found on the AWS website at https://aws.amazon.com/iam/. AWS SOC reports provide details on the specific control activities executed by AWS.
CCM Control ID: IAM-02
CCM Control Specification: Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
CCM Control Title: Strong Password Policy and Procedures
CCM Domain Title: Identity & Access Management
Question ID: IAM-02.2
Question: Are strong password policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: IAM-02
CCM Control Specification: Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
CCM Control Title: Strong Password Policy and Procedures
CCM Domain Title: Identity & Access Management
Question ID: IAM-03.1
Question: Is system identity information and levels of access managed, stored, and reviewed?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Amazon personnel with a business need to access the management plane are required to first use multi-factor authentication, distinct from their normal corporate Amazon credentials, to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked.
CSC Responsibilities: AWS customers are responsible for access management within their AWS environments.
CCM Control ID: IAM-03
CCM Control Specification: Manage, store, and review the information of system identities, and level of access.
CCM Control Title: Identity Inventory
CCM Domain Title: Identity & Access Management
Question ID: IAM-04.1
Question: Is the separation of duties principle employed when implementing information system access?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. All access from remote devices to the AWS corporate environment is managed via VPN and MFA. The AWS production network is separated from the corporate network by multiple layers of security documented in various control documents discussed in other sections of this response.
CSC Responsibilities: Customers retain the ability to manage segregation of duties of their AWS resources. AWS best practices for Identity & Access Management can be found here: https://docs.aws.amazon.com/IAM/. Search for AWS best practices for Identity & Access Management.
CCM Control ID: IAM-04
CCM Control Specification: Employ the separation of duties principle when implementing information system access.
CCM Control Title: Separation of Duties
CCM Domain Title: Identity & Access Management
Question ID: IAM-05.1
Question: Is the least privilege principle employed when implementing information system access?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID IAM-04.1.
CCM Control ID: IAM-05
CCM Control Specification: Employ the least privilege principle when implementing information system access.
CCM Control Title: Least Privilege
CCM Domain Title: Identity & Access Management
Question ID: IAM-06.1
Question: Is a user access provisioning process defined and implemented which authorizes, records, and communicates data and assets access changes?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001, AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. Access control procedures are systematically enforced through proprietary tools. Refer to ISO 27001 Annex A, domain 9 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: IAM-06
CCM Control Specification: Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
CCM Control Title: User Access Provisioning
CCM Domain Title: Identity & Access Management
Question ID: IAM-07.1
Question: Is a process in place to de-provision or modify the access, in a timely manner, of movers / leavers or system identity changes, to effectively adopt and communicate identity and access management policies?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Access privilege reviews are triggered upon job and/or role transfers initiated from the HR system. IT access privileges are reviewed on a quarterly basis by appropriate personnel on a regular cadence. IT access to AWS systems is terminated within 24 hours of termination or deactivation. AWS SOC reports provide further details on user access revocation. In addition, the AWS Security Whitepaper, section "AWS Access", provides additional information. Refer to ISO 27001 Annex A, domain 9 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: IAM-07
CCM Control Specification: De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.
CCM Control Title: User Access Changes and Revocation
CCM Domain Title: Identity & Access Management
Question ID: IAM-08.1
Question: Are reviews and revalidation of user access for least privilege and separation of duties completed with a frequency commensurate with organizational risk tolerance?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Access privilege reviews are triggered upon job and/or role transfers initiated from the HR system. IT access privileges are reviewed on a quarterly basis by appropriate personnel on a regular cadence. IT access to AWS systems is terminated within 24 hours of termination or deactivation. AWS SOC reports provide further details on user access revocation. In addition, the AWS Security Whitepaper, section "AWS Access", provides additional information. Refer to ISO 27001 Annex A, domain 9 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: IAM-08
CCM Control Specification: Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
CCM Control Title: User Access Review
CCM Domain Title: Identity & Access Management
Question ID: IAM-09.1
Question: Are processes, procedures, and technical measures for the segregation of privileged access roles defined, implemented, and evaluated such that administrative data access, encryption, key management capabilities, and logging capabilities are distinct and separate?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has a formal access control policy that is reviewed and updated on an annual basis (or when any major change to the system occurs that impacts the policy). The policy addresses purpose, scope, roles, responsibilities and management commitment. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. All access from remote devices to the AWS corporate environment is managed via VPN and MFA. The AWS production network is separated from the corporate network by multiple layers of security documented in various control documents discussed in other sections of this response. Customers retain the control and responsibility of their data and associated media assets. It is the responsibility of the customer to manage mobile security devices and the access to the customer's content.
CCM Control ID: IAM-09
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.
CCM Control Title: Segregation of Privileged Access Roles
CCM Domain Title: Identity & Access Management
Question ID: IAM-10.1
Question: Is an access process defined and implemented to ensure privileged access roles and rights are granted for a limited period?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon personnel with a business need to access the management plane are required to first use multi-factor authentication, distinct from their normal corporate Amazon credentials, to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked. Refer to the SOC 2 report for additional details.
CCM Control ID: IAM-10
CCM Control Specification: Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.
CCM Control Title: Management of Privileged Access Roles
CCM Domain Title: Identity & Access Management
Question ID: IAM-10.2
Question: Are procedures implemented to prevent the culmination of segregated privileged access?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Access to AWS systems is allocated based on least privilege and approved by an authorized individual prior to access provisioning. Duties and areas of responsibility (for example, access request and approval, change management request and approval, change development, testing and deployment, etc.) are segregated across different individuals to reduce opportunities for an unauthorized or unintentional modification or misuse of AWS systems. Group or shared accounts are not permitted within the system boundary.
CCM Control ID: IAM-10
CCM Control Specification: Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.
CCM Control Title: Management of Privileged Access Roles
CCM Domain Title: Identity & Access Management
Question ID: IAM-11.1
Question: Are processes and procedures for customers to participate, where applicable, in granting access for agreed, high risk as (defined by the organizational risk assessment) privileged access roles defined, implemented and evaluated?
CAIQ Answer: No
CCM Control ID: IAM-11
CCM Control Specification: Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.
CCM Control Title: CSCs Approval for Agreed Privileged Access Roles
CCM Domain Title: Identity & Access Management
Question ID: IAM-12.1
Question: Are processes, procedures, and technical measures to ensure the logging infrastructure is "read-only" for all with write access (including privileged access roles) defined, implemented, and evaluated?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to continuously record the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for the AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events. Designated personnel on AWS teams receive automated alerts in the event of an audit processing failure. Audit processing failures include, for example, software/hardware errors. When alerted, on-call personnel issue a trouble ticket and track the event until it is resolved. AWS logging and monitoring processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CCM Control ID: IAM-12
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.
CCM Control Title: Safeguard Logs Integrity
CCM Domain Title: Identity & Access Management
Question ID: IAM-12.2
Question: Is the ability to disable the "read-only" configuration of logging infrastructure controlled through a procedure that ensures the segregation of duties and break glass procedures?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to continuously record the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for the AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events. Designated personnel on AWS teams receive automated alerts in the event of an audit processing failure. Audit processing failures include, for example, software/hardware errors. When alerted, on-call personnel issue a trouble ticket and track the event until it is resolved. AWS logging and monitoring processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CCM Control ID: IAM-12
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and break glass procedures.
CCM Control Title: Safeguard Logs Integrity
CCM Domain Title: Identity & Access Management
Columns: Question ID | Question | CSP CAIQ Answer | SSRM Control Ownership | CSP Implementation Description (Optional/Recommended) | CSC Responsibilities (Optional/Recommended) | CCM Control ID | CCM Control Specification | CCM Control Title | CCM Control Domain

IAM-13.1
Question: Are processes, procedures, and technical measures that ensure users are identifiable through unique identification (or can associate individuals with user identification usage) defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS controls access to systems through authentication that requires a unique user ID and password. AWS systems do not allow actions to be performed on the information system without identification or authentication. User access privileges are restricted based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New user accounts are created to have minimal access. User access to AWS systems (for example, network, applications, tools, etc.) requires documented approval from the authorized personnel (for example, user's manager and/or system owner) and validation of the active user in the HR system. Refer to SOC2 report for additional details.
CCM Control ID: IAM-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.
CCM Control Title: Uniquely Identifiable Users
CCM Control Domain: Identity & Access Management

IAM-14.1
Question: Are processes, procedures, and technical measures for authenticating access to systems, application, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Amazon personnel with a business need to access the management plane are required to first use multi-factor authentication, distinct from their normal corporate Amazon credentials, to gain access to purpose-built administration hosts. These administrative hosts are systems that are specifically designed, built, configured, and hardened to protect the management plane. All such access is logged and audited. When an employee no longer has a business need to access the management plane, the privileges and access to these hosts and relevant systems are revoked. Refer to SOC2 report for additional details.
CCM Control ID: IAM-14
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities.
CCM Control Title: Strong Authentication
CCM Control Domain: Identity & Access Management

IAM-14.2
Question: Are digital certificates or alternatives that achieve an equivalent security level for system identities adopted?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Identity, Directory, and Access Services enable you to add multi-factor authentication (MFA) to your applications.
CCM Control ID: IAM-14
CCM Control Title: Strong Authentication
CCM Control Domain: Identity & Access Management

IAM-15.1
Question: Are processes, procedures, and technical measures for the secure management of passwords defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Identity and Access Management (IAM) enables customers to securely control access to AWS services and resources for their users. Additional information about IAM can be found on the website at https://aws.amazon.com/iam/. AWS SOC reports provide details on the specific control activities executed by AWS.
CCM Control ID: IAM-15
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
CCM Control Title: Passwords Management
CCM Control Domain: Identity & Access Management

IAM-16.1
Question: Are processes, procedures, and technical measures to verify access to data and system functions authorized, defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Controls in place limit access to systems and data and provide that access to systems or data is restricted and monitored. In addition, customer data and server instances are logically isolated from other customers by default. Privileged user access controls are reviewed by an independent auditor during the AWS SOC, ISO 27001 and PCI audits.
CSC Responsibilities: AWS Customers retain control and ownership of their data. AWS has no insight as to what type of content the customer chooses to store in AWS and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: IAM-16
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
CCM Control Title: Authorization Mechanisms
CCM Control Domain: Identity & Access Management

IPY-01.1
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for communications between application services (e.g., APIs)?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Details regarding AWS APIs can be found on the AWS website at: https://aws.amazon.com/documentation/
CCM Control ID: IPY-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
CCM Control Title: Interoperability and Portability Policy and Procedures
CCM Control Domain: Interoperability & Portability

IPY-01.2
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information processing interoperability?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Details regarding AWS interoperability of each service can be found on the AWS website at: https://aws.amazon.com/documentation/
CCM Control ID: IPY-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
CCM Control Title: Interoperability and Portability Policy and Procedures
CCM Control Domain: Interoperability & Portability

IPY-01.3
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for application development portability?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Details regarding AWS interoperability of each service can be found on the AWS website at: https://aws.amazon.com/documentation/
CCM Control ID: IPY-03
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
CCM Control Title: Interoperability and Portability Policy and Procedures
CCM Control Domain: Interoperability & Portability

IPY-01.4
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for information/data exchange, usage, portability, integrity, and persistence?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Details regarding AWS interoperability of each service can be found on the AWS website at: https://aws.amazon.com/documentation/
CCM Control ID: IPY-04
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
CCM Control Title: Interoperability and Portability Policy and Procedures
CCM Control Domain: Interoperability & Portability

IPY-01.5
Question: Are interoperability and portability policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: IPY-05
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for interoperability and portability including requirements for:
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.
CCM Control Title: Interoperability and Portability Policy and Procedures
CCM Control Domain: Interoperability & Portability

IPY-02.1
Question: Are CSCs able to programmatically retrieve their data via an application interface(s) to enable interoperability and portability?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSC Responsibilities: Details regarding AWS interoperability of each service can be found on the AWS website at: https://aws.amazon.com/documentation/
CCM Control ID: IPY-02
CCM Control Specification: Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable interoperability and portability.
CCM Control Title: Application Interface Availability
CCM Control Domain: Interoperability & Portability

IPY-03.1
Question: Are cryptographically secure and standardized network protocols implemented for the management, import, and export of data?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS APIs and the AWS Management Console are available via TLS protected endpoints, which provide server authentication. Customers can use TLS for all of their interactions with AWS. AWS recommends that customers use secure protocols that offer authentication and confidentiality, such as TLS or IPsec, to reduce the risk of data tampering or loss. AWS enables customers to open a secure, encrypted session to AWS servers using HTTPS (Transport Layer Security [TLS]).
CCM Control ID: IPY-03
CCM Control Specification: Implement cryptographically secure and standardized network protocols for the management, import and export of data.
CCM Control Title: Secure Interoperability and Portability Management
CCM Control Domain: Interoperability & Portability

IPY-04.1
Question: Do agreements include provisions specifying CSC data access upon contract termination, and have the following?
a. Data format
b. Duration data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS customer agreements include data related provisions upon termination. Details regarding contract termination can be found in the example customer agreement, see Section 7. Term; Termination - https://aws.amazon.com/agreement/.
CCM Control ID: IPY-04
CCM Control Specification: Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
CCM Control Title: Data Portability Contractual Obligations
CCM Control Domain: Interoperability & Portability

IVS-01.1
Question: Are infrastructure and virtualization security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.
CCM Control ID: IVS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.
CCM Control Title: Infrastructure and Virtualization Security Policy and Procedures
CCM Control Domain: Infrastructure & Virtualization Security

IVS-01.2
Question: Are infrastructure and virtualization security policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: IVS-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.
CCM Control Title: Infrastructure and Virtualization Security Policy and Procedures
CCM Control Domain: Infrastructure & Virtualization Security

IVS-02.1
Question: Is resource availability, quality, and capacity planned and monitored in a way that delivers required system performance, as determined by the business?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently (e.g., weekly). In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.
CCM Control ID: IVS-02
CCM Control Specification: Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business.
CCM Control Title: Capacity and Resource Planning
CCM Control Domain: Infrastructure & Virtualization Security

IVS-03.1
Question: Are communications between environments monitored?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Monitoring and alarming are configured by Service Owners to identify and notify operational and management personnel of incidents when early warning thresholds are crossed on key operational metrics.
CCM Control ID: IVS-03
CCM Control Specification: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
CCM Control Title: Network Security
CCM Control Domain: Infrastructure & Virtualization Security

IVS-03.2
Question: Are communications between environments encrypted?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS APIs are available via TLS protected endpoints, which provide server authentication. Customers can use TLS for all of their interactions with AWS and within their multiple environments. AWS provides open encryption methodologies and enables customers to encrypt and authenticate all traffic, and to enforce the latest standards and ciphers.
CCM Control ID: IVS-04
CCM Control Specification: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
CCM Control Title: Network Security
CCM Control Domain: Infrastructure & Virtualization Security

IVS-03.3
Question: Are communications between environments restricted to only authenticated and authorized connections, as justified by the business?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected. Customers maintain information related to their data and individual architecture.
CSC Responsibilities: Customers retain the control and responsibility of their data and associated media assets. It is the responsibility of the customer to manage their AWS environments and associated access.
CCM Control ID: IVS-05
CCM Control Specification: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
CCM Control Title: Network Security
CCM Control Domain: Infrastructure & Virtualization Security

IVS-03.4
Question: Are network configurations reviewed at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Regular internal and external vulnerability scans are performed on the host operating system, web application and databases in the AWS environment utilizing a variety of tools. Vulnerability scanning and remediation practices are regularly reviewed as a part of AWS continued compliance with PCI DSS and ISO 27001.
CSC Responsibilities: AWS customers are responsible for configuration management within their AWS environments.
CCM Control ID: IVS-06
CCM Control Specification: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
CCM Control Title: Network Security
CCM Control Domain: Infrastructure & Virtualization Security

IVS-03.5
Question: Are network configurations supported by the documented justification of all allowed services, protocols, ports, and compensating controls?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to use of the device. Network scanning is performed and any unnecessary ports or protocols in use are corrected. Customers maintain information related to their data and individual architecture.
CSC Responsibilities: AWS customers are responsible for network management within their AWS environments.
CCM Control ID: IVS-07
CCM Control Specification: Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
CCM Control Title: Network Security
CCM Control Domain: Infrastructure & Virtualization Security

IVS-04.1
Question: Is every host and guest OS, hypervisor, or infrastructure control plane hardened (according to their respective best practices) and supported by technical controls as part of a security baseline?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: Regular internal and external vulnerability scans are performed on the host operating system, web application and databases in the AWS environment utilizing a variety of tools. Vulnerability scanning and remediation practices are regularly reviewed as a part of AWS continued compliance with PCI DSS and ISO 27001.
CSC Responsibilities: AWS customers are responsible for server and system management within their AWS environments.
CCM Control ID: IVS-04
CCM Control Specification: Harden host and guest OS, hypervisor or infrastructure control plane according to their respective best practices, and supported by technical controls, as part of a security baseline.
CCM Control Title: OS Hardening and Base Controls
CCM Control Domain: Infrastructure & Virtualization Security

IVS-05.1
Question: Are production and non-production environments separated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The development, test and production environments emulate the production system environment and are used to properly assess and prepare for the impact of a change to the production system environment. In order to reduce the risks of unauthorized access or change to the production environment, the development, test and production environments are logically separated.
CCM Control ID: IVS-05
CCM Control Specification: Separate production and non-production environments.
CCM Control Title: Production and Non-Production Environments
CCM Control Domain: Infrastructure & Virtualization Security

IVS-06.1
Question: Are applications and virtualized infrastructures designed, developed, deployed, and configured such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented, segregated, monitored, and restricted from other tenants?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them. Customers maintain full control over who has access to their data. Services which provide operational environments to customers (i.e., EC2) ensure that customers are segregated from one another and prevent cross-tenant privilege escalation and information disclosure via hypervisors and instance isolation. Different instances running on the same physical machine are isolated from each other via the hypervisor. In addition, the Amazon EC2 firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical random-access memory (RAM) is separated using similar mechanisms.
CCM Control ID: IVS-06
CCM Control Specification: Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other tenants.
CCM Control Title: Segmentation and Segregation
CCM Control Domain: Infrastructure & Virtualization Security

IVS-07.1
Question: Are secure and encrypted communication channels including only up-to-date and approved protocols used when migrating servers, services, applications, or data to cloud environments?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS offers a wide variety of services and partner tools to help customers migrate data securely. AWS migration services such as AWS Database Migration Service and AWS Snowmobile are integrated with AWS KMS for encryption. Learn more about AWS cloud migration services at: https://aws.amazon.com/cloud-data-migration/
CCM Control ID: IVS-07
CCM Control Specification: Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols.
CCM Control Title: Migration to Cloud Environments
CCM Control Domain: Infrastructure & Virtualization Security

IVS-08.1
Question: Are high-risk environments identified and documented?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: AWS Customers retain responsibility to manage their own network segmentation in adherence with their defined requirements. Internally, AWS network segmentation is aligned with the ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: IVS-08
CCM Control Specification: Identify and document high-risk environments.
CCM Control Title: Network Architecture Documentation
CCM Control Domain: Infrastructure & Virtualization Security

IVS-09.1
Question: Are processes, procedures, and defense-in-depth techniques defined, implemented, and evaluated for protection, detection, and timely response to network-based attacks?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities (these scans do not include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. In addition, the AWS control environment is subject to regular internal and external risk assessments. AWS engages with external certifying bodies and independent auditors to review and test the AWS overall control environment. AWS security controls are reviewed by independent external auditors during audits for our SOC, PCI DSS and ISO 27001 compliance.
CCM Control ID: IVS-09
CCM Control Specification: Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.
CCM Control Title: Network Defense
CCM Control Domain: Infrastructure & Virtualization Security

LOG-01.1
Question: Are logging and monitoring policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.
CCM Control ID: LOG-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
CCM Control Title: Logging and Monitoring Policy and Procedures
CCM Control Domain: Logging and Monitoring

LOG-01.2
Question: Are policies and procedures reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: LOG-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
CCM Control Title: Logging and Monitoring Policy and Procedures
CCM Control Domain: Logging and Monitoring

LOG-02.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure audit log security and retention?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001 standards, audit logs are appropriately restricted and monitored. AWS SOC reports provide details on the specific control activities executed by AWS. Refer to AWS: Overview of Security Processes for additional details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: LOG-02
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
CCM Control Title: Audit Logs Protection
CCM Control Domain: Logging and Monitoring

LOG-03.1
Question: Are security-related events identified and monitored within applications and the underlying infrastructure?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSC Responsibilities: This is a customer responsibility. AWS customers are responsible for the applications within their AWS environment.
CCM Control ID: LOG-03
CCM Control Specification: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
CCM Control Title: Security Monitoring and Alerting
CCM Control Domain: Logging and Monitoring

LOG-03.2
Question: Is a system defined and implemented to generate alerts to responsible stakeholders based on security events and their corresponding metrics?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS Security Metrics are monitored and analyzed in accordance with the ISO 27001 standard. Refer to ISO 27001 Annex A, domain 16 for further details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CSC Responsibilities: AWS customers are responsible for incident management within their AWS environments.
CCM Control ID: LOG-03
CCM Control Specification: Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
CCM Control Title: Security Monitoring and Alerting
CCM Control Domain: Logging and Monitoring

LOG-04.1
Question: Is access to audit logs restricted to authorized personnel, and are records maintained to provide unique access accountability?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001 standards, audit logs are appropriately restricted and monitored. AWS SOC reports provide details on the specific control activities executed by AWS. Refer to AWS: Overview of Security Processes for additional details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: LOG-04
CCM Control Specification: Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
CCM Control Title: Audit Logs Access and Accountability
CCM Control Domain: Logging and Monitoring

LOG-05.1
Question: Are security audit logs monitored to detect activity outside of typical or expected patterns?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams. AWS correlates information gained from logical and physical monitoring systems to enhance security on an as-needed basis. Upon assessment and discovery of risk, Amazon disables accounts that display atypical usage matching the characteristics of bad actors. The AWS Security team extracts all log messages related to system access and provides reports to designated officials. Log analysis is performed to identify events based on defined risk management parameters.
CCM Control ID: LOG-05
CCM Control Specification: Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
CCM Control Title: Audit Logs Monitoring and Response
CCM Control Domain: Logging and Monitoring

Monitor security
audit logs to detect
Is a process
activity outside of
established and
typical
followed to
or expected Audit Logs
review and take
LOG- patterns. Establish Monitoring Logging and
appropriate and Yes CSP-owned See response to Question ID LOG-005.1 LOG-05
05.2 and follow a defined and Monitoring
timely
process to review Response
actions on
and take
detected
appropriate and
anomalies?
timely actions on
detected anomalies.
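The LOG-05 response describes threshold alarming over audit logs followed by a defined review process. The block below is an added example, not AWS code and not part of the questionnaire: it runs a sliding-window failure threshold over a few constructed login records, raises a second, higher-severity alert when a success immediately follows a burst of failures, and turns each alert into the triage record a reviewer would act on. The record format, field names, thresholds and severities are assumptions.

```python
"""Threshold-based monitoring of security audit log records (added example, not AWS code)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real AWS data): a timestamp, then key=value fields.
SAMPLE_LOG = """\
2022-05-01T10:00:01Z principal=alice action=ConsoleLogin result=FAILURE src=198.51.100.7
2022-05-01T10:00:09Z principal=alice action=ConsoleLogin result=FAILURE src=198.51.100.7
2022-05-01T10:00:15Z principal=alice action=ConsoleLogin result=FAILURE src=198.51.100.7
2022-05-01T10:00:22Z principal=alice action=ConsoleLogin result=FAILURE src=198.51.100.7
2022-05-01T10:00:30Z principal=alice action=ConsoleLogin result=FAILURE src=198.51.100.7
2022-05-01T10:00:41Z principal=alice action=ConsoleLogin result=SUCCESS src=198.51.100.7
2022-05-01T10:05:00Z principal=bob action=ConsoleLogin result=FAILURE src=203.0.113.5
2022-05-01T10:20:00Z principal=bob action=ConsoleLogin result=FAILURE src=203.0.113.5
2022-05-01T10:35:00Z principal=bob action=ConsoleLogin result=SUCCESS src=203.0.113.5
2022-05-01T11:00:00Z principal=carol action=AssumeRole result=SUCCESS src=192.0.2.44
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    action: str
    result: str
    src: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    principal: str
    src: str
    failures: int
    kind: str  # "failure_burst" or "success_after_burst"


def parse_line(line: str) -> Event:
    """Parse one '<timestamp> key=value ...' record into an Event."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, fields["principal"], fields["action"], fields["result"], fields["src"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bursts(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Alert when a principal accumulates `threshold` login failures inside `window`, and
    again at higher severity when a success follows such a burst within `window`."""
    alerts: list[Alert] = []
    recent = defaultdict(deque)   # principal -> timestamps of failures still inside the window
    burst_at = {}                 # principal -> time its burst alert fired (cleared on success)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "ConsoleLogin":
            continue
        q = recent[ev.principal]
        if ev.result == "FAILURE":
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # evict failures older than the window
                q.popleft()
            if len(q) >= threshold and ev.principal not in burst_at:
                burst_at[ev.principal] = ev.ts
                alerts.append(Alert(ev.ts, ev.principal, ev.src, len(q), "failure_burst"))
        elif ev.result == "SUCCESS":
            fired = burst_at.pop(ev.principal, None)
            if fired is not None and ev.ts - fired <= window:
                alerts.append(Alert(ev.ts, ev.principal, ev.src, len(q), "success_after_burst"))
            q.clear()
    return alerts


# Assumed severity mapping for the review step; a real policy would define its own.
SEVERITY = {"failure_burst": "medium", "success_after_burst": "high"}


def to_ticket(alert: Alert) -> dict:
    """Turn an alert into the record a reviewer triages (the 'defined process' of LOG-05)."""
    severity = SEVERITY[alert.kind]
    return {
        "opened": alert.ts.isoformat(),
        "severity": severity,
        "principal": alert.principal,
        "source": alert.src,
        "summary": f"{alert.failures} failed logins in window ({alert.kind})",
        "next_step": ("verify with the principal; disable the credentials if unrecognised"
                      if severity == "high" else "review source address and timing"),
    }


if __name__ == "__main__":
    for alert in detect_bursts(parse_log(SAMPLE_LOG)):
        print(to_ticket(alert))
```

Run as-is, the sample yields two tickets for alice (a medium burst, then a high success-after-burst) and none for bob, whose two failures are fifteen minutes apart and never share a window; raising the threshold to six clears both.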
Question ID: LOG-06.1
Question: Is a reliable time source being used across all relevant information processing systems?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001 standards, AWS information systems utilize internal system clocks synchronized via NTP (Network Time Protocol). AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
CCM Control ID: LOG-06
CCM Control Specification: Use a reliable time source across all relevant information processing systems.
CCM Control Title: Clock Synchronization
CCM Domain Title: Logging and Monitoring
Question ID: LOG-07.1
Question: Are logging requirements for information meta/data system events established, documented, and implemented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to record continuously the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events. Designated personnel on AWS teams receive automated alerts in the event of an audit processing failure. Audit processing failures include, for example, software/hardware errors. When alerted, on-call personnel issue a trouble ticket and track the event until it is resolved.
AWS logging and monitoring processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CCM Control ID: LOG-07
CCM Control Specification: Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
CCM Control Title: Logging Scope
CCM Domain Title: Logging and Monitoring

Question ID: LOG-07.2
Question: Is the scope reviewed and updated at least annually, or whenever there is a change in the threat environment?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: LOG-07
CCM Control Specification: Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
CCM Control Title: Logging Scope
CCM Domain Title: Logging and Monitoring
Question ID: LOG-08.1
Question: Are audit records generated, and do they contain relevant security information?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to record continuously the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events.
CCM Control ID: LOG-08
CCM Control Specification: Generate audit records containing relevant security information.
CCM Control Title: Log Records
CCM Domain Title: Logging and Monitoring

Question ID: LOG-09.1
Question: Does the information system protect audit records from unauthorized access, modification, and deletion?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001 standards, audit logs are appropriately restricted and monitored. AWS SOC reports provide details on the specific control activities executed by AWS. Refer to AWS: Overview of Security Processes for additional details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: LOG-09
CCM Control Specification: The information system protects audit records from unauthorized access, modification, and deletion.
CCM Control Title: Log Protection
CCM Domain Title: Logging and Monitoring
Question ID: LOG-10.1
Question: Are monitoring and internal reporting capabilities established to report on cryptographic operations, and encryption, and key management policies, processes, procedures, and controls?
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS has identified auditable event categories across systems and devices within the AWS system. Service teams configure the auditing features to record continuously the security-related events in accordance with requirements. The log storage system is designed to provide a highly scalable, highly available service that automatically increases capacity as the ensuing need for log storage grows. Audit records contain a set of data elements in order to support necessary analysis requirements. In addition, audit records are available for AWS Security team or other appropriate teams to perform inspection or analysis on demand, and in response to security-related or business-impacting events. Designated personnel on AWS teams receive automated alerts in the event of an audit processing failure. Audit processing failures include, for example, software/hardware errors. When alerted, on-call personnel issue a trouble ticket and track the event until it is resolved.
AWS logging and monitoring processes are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS and ISO 27001.
CSC Responsibilities: AWS customers are responsible for key management within their AWS environments.
CCM Control ID: LOG-10
CCM Control Specification: Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
CCM Control Title: Encryption Monitoring and Reporting
CCM Domain Title: Logging and Monitoring

Question ID: LOG-11.1
Question: Are key lifecycle management events logged and monitored to enable auditing and reporting on cryptographic keys' usage?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSC-owned
CSP Implementation Description: This is a customer responsibility.
CCM Control ID: LOG-11
CCM Control Specification: Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
CCM Control Title: Transaction/Activity Logging
CCM Domain Title: Logging and Monitoring
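LOG-10 places key management with the customer and LOG-11 is marked CSC-owned, so the logging and monitoring of key lifecycle events is something the customer has to build. The block below is an added example, not AWS code and not part of the questionnaire. It assumes API activity arrives in the JSON record shape used by AWS CloudTrail (a service the page does not name), builds a per-key audit summary that separates lifecycle changes from usage, and raises alerts for the changes a reviewer must see, including a deletion scheduled with a shorter pending window than policy allows. The key ID, ARNs, sample records and the 30-day policy minimum are constructed assumptions.

```python
"""Customer-side logging and monitoring of key lifecycle events (added example, not AWS code)."""
from __future__ import annotations

import json
from collections import Counter

# Constructed sample records (not real account data) in CloudTrail's record shape.
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
ADMIN = "arn:aws:iam::111122223333:role/KeyAdmin"
APP = "arn:aws:iam::111122223333:role/AppRole"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2022-05-01T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": ADMIN}, "responseElements": {"keyMetadata": {"keyId": KEY_ID}}},
    {"eventTime": "2022-05-01T09:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "EnableKeyRotation",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {"keyId": KEY_ID}},
    {"eventTime": "2022-05-01T12:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": APP}, "requestParameters": {"keyId": KEY_ID}},
    {"eventTime": "2022-05-01T12:00:05Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": APP}, "requestParameters": {"keyId": KEY_ID}},
    {"eventTime": "2022-05-01T13:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ListKeys",
     "userIdentity": {"arn": ADMIN}},
    {"eventTime": "2022-05-01T18:30:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": CONTRACTOR}, "requestParameters": {"keyId": KEY_ID, "pendingWindowInDays": 7}},
    {"eventTime": "2022-05-01T18:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": APP}, "requestParameters": {"bucketName": "example-bucket"}},
]})

# Lifecycle events worth an audit trail, with the severity a reviewer should see (assumed mapping).
LIFECYCLE_EVENTS = {
    "CreateKey": "info", "EnableKey": "info", "EnableKeyRotation": "info", "CancelKeyDeletion": "info",
    "DisableKey": "warn", "DisableKeyRotation": "warn", "PutKeyPolicy": "warn", "ImportKeyMaterial": "warn",
    "ScheduleKeyDeletion": "critical",
}
# Usage events that show who is actually exercising a key.
USAGE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "Sign", "Verify"}


def load_records(text: str) -> list[dict]:
    return json.loads(text)["Records"]


def key_id_of(rec: dict) -> str | None:
    """CreateKey reports the new key ID in the response; other calls name it in the request."""
    params = rec.get("requestParameters") or {}
    if "keyId" in params:
        return params["keyId"]
    meta = (rec.get("responseElements") or {}).get("keyMetadata") or {}
    return meta.get("keyId")


def actor_of(rec: dict) -> str:
    return (rec.get("userIdentity") or {}).get("arn", "unknown")


def kms_records(records: list[dict]) -> list[dict]:
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def summarize(records: list[dict]) -> dict:
    """Per-key audit summary: ordered lifecycle events and usage counts by (actor, call)."""
    summary: dict = {}
    for rec in kms_records(records):
        kid = key_id_of(rec)
        if kid is None:            # e.g. ListKeys: no single key to attribute it to
            continue
        entry = summary.setdefault(kid, {"lifecycle": [], "usage": Counter()})
        name = rec["eventName"]
        if name in LIFECYCLE_EVENTS:
            entry["lifecycle"].append((rec["eventTime"], name, actor_of(rec)))
        elif name in USAGE_EVENTS:
            entry["usage"][(actor_of(rec), name)] += 1
    return summary


def lifecycle_alerts(records: list[dict], min_deletion_window_days: int = 30) -> list[dict]:
    """Alerts for warn/critical lifecycle changes; flags deletions scheduled faster than policy allows."""
    alerts = []
    for rec in kms_records(records):
        name = rec["eventName"]
        severity = LIFECYCLE_EVENTS.get(name)
        if severity not in ("warn", "critical"):
            continue
        note = ""
        if name == "ScheduleKeyDeletion":
            # KMS uses a 30-day pending window when the caller omits the parameter.
            window = (rec.get("requestParameters") or {}).get("pendingWindowInDays", 30)
            if window < min_deletion_window_days:
                note = f"pending window {window}d is below policy minimum {min_deletion_window_days}d"
        alerts.append({"time": rec["eventTime"], "severity": severity, "event": name,
                       "key_id": key_id_of(rec), "actor": actor_of(rec), "note": note})
    return alerts


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for kid, entry in summarize(recs).items():
        print(kid, entry["lifecycle"], dict(entry["usage"]))
    for alert in lifecycle_alerts(recs):
        print(alert)
```

The summary is what an auditor asks for under LOG-11 (who created, rotated and scheduled deletion of the key, and which principal used it how often); the alert list is the monitoring half, and on the sample it contains a single critical entry: a deletion scheduled by a user rather than the key-admin role, with a 7-day window under the assumed 30-day minimum.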
Question ID: LOG-12.1
Question: Is physical access logged and monitored using an auditable access control system?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Access to data center is logged. Only authorized users are allowed into data centers. Visitors follow the visitor access process, and their relevant details along with business purpose are logged in the data center access log system. The access log is retained for 90 days unless longer retention is legally required.
CCM Control ID: LOG-12
CCM Control Specification: Monitor and log physical access using an auditable access control system.
CCM Control Title: Access Control Logs
CCM Domain Title: Logging and Monitoring
Question ID: LOG-13.1
Question: Are processes and technical measures for reporting monitoring system anomalies and failures defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: In alignment with ISO 27001 standards, audit logs are appropriately restricted and monitored. AWS SOC reports provide details on the specific control activities executed by AWS. Refer to AWS: Overview of Security Processes for additional details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: LOG-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
CCM Control Title: Failures and Anomalies Reporting
CCM Domain Title: Logging and Monitoring

Question ID: LOG-13.2
Question: Are accountable parties immediately notified about anomalies and failures?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS provides near real-time alerts when the AWS monitoring tools show indications of compromise or potential compromise, based upon threshold alarming mechanisms determined by AWS service and Security teams. AWS correlates information gained from logical and physical monitoring systems to enhance security on an as-needed basis. Upon assessment and discovery of risk, Amazon disables accounts that display atypical usage matching the characteristics of bad actors.
The AWS Security team extracts all log messages related to system access and provides reports to designated officials. Log analysis is performed to identify events based on defined risk management parameters.
CCM Control ID: LOG-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
CCM Control Title: Failures and Anomalies Reporting
CCM Domain Title: Logging and Monitoring

Question ID: SEF-01.1
Question: Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
In addition, the AWS: Overview of Security Processes Whitepaper provides further details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: SEF-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
CCM Control Title: Security Incident Management Policy and Procedures
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics
Question ID: SEF-01.2
Question: Are policies and procedures reviewed and updated annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: SEF-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.
CCM Control Title: Security Incident Management Policy and Procedures
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-02.1
Question: Are policies and procedures for timely management of security incidents established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID SEF-01.1.
CCM Control ID: SEF-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
CCM Control Title: Service Management Policy and Procedures
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-02.2
Question: Are policies and procedures for timely management of security incidents reviewed and updated at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID SEF-01.2.
CCM Control ID: SEF-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.
CCM Control Title: Service Management Policy and Procedures
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics
Question ID: SEF-03.1
Question: Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID SEF-01.1.
CCM Control ID: SEF-03
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.
CCM Control Title: Incident Response Plans
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-04.1
Question: Is the security incident response plan tested and updated for effectiveness, as necessary, at planned intervals or upon significant organizational or environmental changes?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS incident response plans are tested on at least an annual basis.
CCM Control ID: SEF-04
CCM Control Specification: Test and update as necessary incident response plans at planned intervals or upon significant organizational or environmental changes for effectiveness.
CCM Control Title: Incident Response Testing
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-05.1
Question: Are information security incident metrics established and monitored?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Security Metrics are monitored and analyzed in accordance with ISO 27001 standard. Refer to ISO 27001 Annex A, domain 16 for further details. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
CCM Control ID: SEF-05
CCM Control Specification: Establish and monitor information security incident metrics.
CCM Control Title: Incident Response Metrics
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-06.1
Question: Are processes, procedures, and technical measures supporting business processes to triage security-related events defined, implemented, and evaluated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' incident response program, plans and procedures have been developed in alignment with ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
In addition, the AWS: Overview of Security Processes Whitepaper provides further details - available at: http://aws.amazon.com/security/security-learning/
CCM Control ID: SEF-06
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.
CCM Control Title: Event Triage Processes
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics
Question ID: SEF-07.1
Question: Are processes, procedures, and technical measures for security breach notifications defined and implemented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS employees are trained on how to recognize suspected security incidents and where to report them. When appropriate, incidents are reported to relevant authorities. AWS maintains the AWS security bulletin webpage, located at https://aws.amazon.com/security/security-bulletins, to notify customers of security and privacy events affecting AWS services. Customers can subscribe to the Security Bulletin RSS Feed to keep abreast of security announcements on the Security Bulletin webpage. The customer support team maintains a Service Health Dashboard webpage, located at http://status.aws.amazon.com/, to alert customers to any broadly impacting availability issues.
CCM Control ID: SEF-07
CCM Control Specification: Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
CCM Control Title: Security Breach Notification
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-07.2
Question: Are security breaches and assumed security breaches reported (including any relevant supply chain breaches) as per applicable SLAs, laws, and regulations?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains the AWS security bulletin webpage, located at https://aws.amazon.com/security/security-bulletins, to notify customers of security and privacy events affecting AWS services. Customers can subscribe to the Security Bulletin RSS Feed to keep abreast of security announcements on the Security Bulletin webpage. The customer support team maintains a Service Health Dashboard webpage, located at http://status.aws.amazon.com/, to alert customers to any broadly impacting availability issues.
CCM Control ID: SEF-07
CCM Control Specification: Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.
CCM Control Title: Security Breach Notification
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics

Question ID: SEF-08.1
Question: Are points of contact maintained for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS maintains contacts with industry bodies, risk and compliance organizations, local authorities and regulatory bodies as required by the ISO 27001 standard. AWS has been validated and certified by an independent auditor to confirm alignment with ISO 27001 certification standard.
CCM Control ID: SEF-08
CCM Control Specification: Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.
CCM Control Title: Points of Contact Maintenance
CCM Domain Title: Security Incident Management, E-Discovery, & Cloud Forensics
Question ID: STA-01.1
Question: Are policies and procedures implementing the shared security responsibility model (SSRM) within the organization established, documented, approved, communicated, applied, evaluated, and maintained?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Security and Compliance is a shared responsibility between AWS and the customer. The shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Refer to shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/
CCM Control ID: STA-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
CCM Control Title: SSRM Policy and Procedures
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-01.2
Question: Are the policies and procedures that apply the SSRM reviewed and updated annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Security and Compliance is a shared responsibility between AWS and the customer. AWS Information Security Management System policies that are in scope for SSRM are reviewed and updated annually and as necessary. The shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Refer to shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/
CCM Control ID: STA-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.
CCM Control Title: SSRM Policy and Procedures
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-02.1
Question: Is the SSRM applied, documented, implemented, and managed throughout the supply chain for the cloud service offering?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS proactively informs our customers of any subcontractors who have access to customer-owned content you upload onto AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round please refer to: https://aws.amazon.com/compliance/third-party-access/
CCM Control ID: STA-02
CCM Control Specification: Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.
CCM Control Title: SSRM Supply Chain
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-03.1
Question: Is the CSC given SSRM guidance detailing information about SSRM applicability throughout the supply chain?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS proactively informs our customers of any subcontractors who have access to customer-owned content you upload onto AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS. To monitor subcontractor access year-round please refer to: https://aws.amazon.com/compliance/third-party-access/
CCM Control ID: STA-03
CCM Control Specification: Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.
CCM Control Title: SSRM Guidance
CCM Domain Title: Supply Chain Management, Transparency, and Accountability
Question ID: STA-04.1
Question: Is the shared ownership and applicability of all CSA CCM controls delineated according to the SSRM for the cloud service offering?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Security and Compliance is a shared responsibility between AWS and the customer. This varies by cloud services used; the shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Refer to shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/
CCM Control ID: STA-04
CCM Control Specification: Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.
CCM Control Title: SSRM Control Ownership
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-05.1
Question: Is SSRM documentation for all cloud services the organization uses reviewed and validated?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Security and Compliance is a shared responsibility between AWS and the customer. The shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Refer to shared responsibility model: https://aws.amazon.com/compliance/shared-responsibility-model/
CCM Control ID: STA-05
CCM Control Specification: Review and validate SSRM documentation for all cloud services offerings the organization uses.
CCM Control Title: SSRM Documentation Review
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-06.1
Question: Are the portions of the SSRM the organization is responsible for implemented, operated, audited, or assessed?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal, periodic audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CCM Control ID: STA-06
CCM Control Specification: Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.
CCM Control Title: SSRM Control Implementation
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-07.1
Question: Is an inventory of all supply chain relationships developed and maintained?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS performs periodic reviews of SSRM service and colocation providers to validate adherence with AWS security and operational standards. AWS maintains standard contract review and signature processes that include legal reviews with consideration of protecting AWS resources. AWS proactively informs our customers of any subcontractors who have access to customer-owned content you upload onto AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS.
CCM Control ID: STA-07
CCM Control Specification: Develop and maintain an inventory of all supply chain relationships.
CCM Control Title: Supply Chain Inventory
CCM Domain Title: Supply Chain Management, Transparency, and Accountability
Question ID: STA-08.1
Question: Are risk factors associated with all organizations within the supply chain periodically reviewed by CSPs?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS performs periodic reviews of SSRM service and colocation providers to validate adherence with AWS security and operational standards. AWS maintains standard contract review and signature processes that include legal reviews with consideration of protecting AWS resources. AWS proactively informs our customers of any subcontractors who have access to customer-owned content you upload onto AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content that you upload onto AWS.
CCM Control ID: STA-08
CCM Control Specification: CSPs periodically review risk factors associated with all organizations within their supply chain.
CCM Control Title: Supply Chain Risk Management
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-09.1
Question: Do service agreements between CSPs and CSCs (tenants) incorporate at least the following mutually agreed upon provisions and/or terms?
• Scope, characteristics, and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third-party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
CSP CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS service agreements include multiple security provisions and terms. For additional details, refer to the following sample AWS Customer Agreement online - https://aws.amazon.com/agreement/
CCM Control ID: STA-09
CCM Control Specification: Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope, characteristics and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
CCM Control Title: Primary Service and Contractual Agreement
CCM Domain Title: Supply Chain Management, Transparency, and Accountability
Question ID: STA-10.1
Question: Are supply chain agreements between CSPs and CSCs reviewed at least annually?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' third party agreement processes include periodic review and reporting, and are reviewed by independent auditors.
CCM Control ID: STA-10
CCM Control Specification: Review supply chain agreements between CSPs and CSCs at least annually.
CCM Control Title: Supply Chain Agreement Review
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-11.1
Question: Is there a process for conducting internal assessments at least annually to confirm the conformance and effectiveness of standards, policies, procedures, and SLA activities?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS has established a formal, periodic audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
CCM Control ID: STA-11
CCM Control Specification: Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.
CCM Control Title: Internal Compliance Testing
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-12.1
Question: Are policies that require all supply chain CSPs to comply with information security, confidentiality, access control, privacy, audit, personnel policy, and service level requirements and standards implemented?
CSP CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' third party agreement processes include periodic review and reporting, and are reviewed by independent auditors.
CCM Control ID: STA-12
CCM Control Specification: Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.
CCM Control Title: Supply Chain Service Agreement Compliance
CCM Domain Title: Supply Chain Management, Transparency, and Accountability

Question ID: STA-13.1
Question: Are supply chain partner IT governance policies and procedures reviewed periodically?
CSP CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS does not utilize third parties to provide services to customers, but does utilize co-location providers in limited capacity to house some AWS data centers. These controls are audited twice annually in our SOC 1/2 audits and annually in our ISO 27001/17/18 audits. There are no subcontractors authorized by AWS to access any customer-owned content that customers upload onto AWS. To monitor subcontractor access year-round please refer to: https://aws.amazon.com/compliance/third-party-access/
CCM Control ID: STA-13
CCM Control Specification: Periodically review the organization's supply chain partners' IT governance policies and procedures.
CCM Control Title: Supply Chain Governance Review
CCM Domain Title: Supply Chain Management, Transparency, and Accountability
AWS does not utilize third parties to provide
services to customers, but does utilize co-
Is a process to location provides in limited capacity to house
some AWS data centers. These controls are Define and
conduct periodic
audited twice annually in our SOC 1/2 audits implement a process Supply Chain
security Supply Chain
for conducting Management,
STA- assessments for all and annually in our ISO 27001/17/18 audits. Data
NA CSP-owned STA-14 security assessments Transparency,
14.1 supply chain There are no subcontractors authorized by Security
periodically for all and
organizations AWS to access any customer-owned content Assessment
organizations within Accountability
defined and that customers upload onto AWS. To monitor the supply chain.
implemented? subcontractor access year-round please refer
to: https://aws.amazon.com/compliance/third-
party-access/
Question ID: TVM-01.1
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS Security team notifies and coordinates with the appropriate Service Teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
CCM Control ID: TVM-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
CCM Control Title: Threat and Vulnerability Management Policy and Procedures
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-01.2
Question: Are threat and vulnerability management policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: TVM-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.
CCM Control Title: Threat and Vulnerability Management Policy and Procedures
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-02.1
Question: Are policies and procedures to protect against malware on managed assets established, documented, approved, communicated, applied, evaluated, and maintained?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' program, processes and procedures for managing antivirus / malicious software are in alignment with ISO 27001 standards. Refer to the AWS SOC reports for further details. In addition, refer to the ISO 27001 standard, Annex A, domain 12 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: TVM-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
CCM Control Title: Malware Protection Policy and Procedures
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-02.2
Question: Are asset management and malware protection policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: TVM-02
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.
CCM Control Title: Malware Protection Policy and Procedures
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-03.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to enable scheduled and emergency responses to vulnerability identifications (based on the identified risk)?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: See response to Question ID TVM-01.1.
CCM Control ID: TVM-03
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.
CCM Control Title: Vulnerability Remediation Schedule
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-04.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to update detection tools, threat signatures, and compromise indicators on a weekly (or more frequent) basis?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' program, processes and procedures for managing antivirus / malicious software are in alignment with ISO 27001 standards. Refer to the AWS SOC reports for further details. In addition, refer to the ISO 27001 standard, Annex A, domain 12 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: TVM-04
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.
CCM Control Title: Detection Updates
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-05.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to identify updates for applications that use third-party or open-source libraries (according to the organization's vulnerability management policy)?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS implements open source software or custom code within its services. All open source software, including binary or machine-executable code from third parties, is reviewed and approved by the Open Source Group prior to implementation, and has source code that is publicly accessible. AWS service teams are prohibited from implementing code from third parties unless it has been approved through the open source review. All code developed by AWS is available for review by the applicable service team, as well as AWS Security. By its nature, open source code is available for review by the Open Source Group prior to granting authorization for use within Amazon.
CCM Control ID: TVM-05
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.
CCM Control Title: External Library Vulnerabilities
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-06.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Security regularly performs penetration testing. These engagements may include carefully selected industry experts and independent security firms. AWS does not share the results directly with customers. AWS third-party auditors review the results to verify the frequency of penetration testing and remediation of findings.
CCM Control ID: TVM-06
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
CCM Control Title: Penetration Testing
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-07.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated for vulnerability detection on organizationally managed assets at least monthly?
CAIQ Answer: No
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Security performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools. External vulnerability assessments are conducted by an AWS approved third party vendor at least quarterly.
CCM Control ID: TVM-07
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
CCM Control Title: Vulnerability Identification
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-08.1
Question: Is vulnerability remediation prioritized using a risk-based model from an industry-recognized framework?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS Security performs regular vulnerability scans on the host operating system, web application, and databases in the AWS environment using a variety of tools.
CCM Control ID: TVM-08
CCM Control Specification: Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.
CCM Control Title: Vulnerability Prioritization
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-09.1
Question: Is a process defined and implemented to track and report vulnerability identification and remediation activities that include stakeholder notification?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS Security team notifies and coordinates with the appropriate Service Teams when conducting security-related activities within the system boundary. Activities include vulnerability scanning, contingency testing, and incident response exercises. AWS performs external vulnerability assessments at least quarterly, and identified issues are investigated and tracked to resolution. Additionally, AWS performs unannounced penetration tests by engaging independent third parties to probe the defenses and device configuration settings within the system.
CCM Control ID: TVM-09
CCM Control Specification: Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.
CCM Control Title: Vulnerability Management Reporting
CCM Domain Title: Threat & Vulnerability Management

Question ID: TVM-10.1
Question: Are metrics for vulnerability identification and remediation established, monitored, and reported at defined intervals?
CAIQ Answer: Yes
SSRM Control Ownership: Shared CSP and CSC
CSP Implementation Description: AWS tracks metrics for internal process measurements and improvements that align with our policies and standards.
CSC Responsibilities (Optional/Recommended): AWS customers are responsible for vulnerability management within their AWS environments.
CCM Control ID: TVM-10
CCM Control Specification: Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.
CCM Control Title: Vulnerability Management Metrics
CCM Domain Title: Threat & Vulnerability Management

Question ID: UEM-01.1
Question: Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained for all endpoints?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS implements formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies address purpose, scope, roles, responsibilities and management commitment. All policies are maintained in a centralized location that is accessible by employees.
CCM Control ID: UEM-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
CCM Control Title: Endpoint Devices Policy and Procedures
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-01.2
Question: Are universal endpoint management policies and procedures reviewed and updated at least annually?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis.
CCM Control ID: UEM-01
CCM Control Specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
CCM Control Title: Endpoint Devices Policy and Procedures
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-02.1
Question: Is there a defined, documented, applicable and evaluated list containing approved services, applications, and the sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon has established baseline infrastructure standards in alignment with industry best practices. All software installations are monitored by AWS Security, and mandatory security controls and software are always required. Users cannot continue to use their laptop or desktop if required software is not installed; their device will be quarantined from network access until the non-conformance is resolved.
CCM Control ID: UEM-02
CCM Control Specification: Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
CCM Control Title: Application and Service Approval
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-03.1
Question: Is a process defined and implemented to validate endpoint device compatibility with operating systems and applications?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon has established baseline infrastructure standards in alignment with industry best practices. This includes endpoint compatibility with operating systems and applications.
CCM Control ID: UEM-03
CCM Control Specification: Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
CCM Control Title: Compatibility
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-04.1
Question: Is an inventory of all endpoints used and maintained to store and access company data?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon has established baseline infrastructure standards in alignment with industry best practices. This includes endpoint inventory management.
CCM Control ID: UEM-04
CCM Control Specification: Maintain an inventory of all endpoints used to store and access company data.
CCM Control Title: Endpoint Inventory
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-05.1
Question: Are processes, procedures, and technical measures defined, implemented and evaluated, to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data?
CAIQ Answer: NA
CSP Implementation Description: AWS employees do not access, process, or change customer data in the course of providing our services. AWS has separate CORP and PROD environments which are separated from each other via physical and logical controls. Only approved users would have the ability to be granted access from CORP to PROD. That access is then managed by a separate permission system, requires an approved ticket, requires MFA, is time limited, and all activities are tracked.
CCM Control ID: UEM-05
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
CCM Control Title: Endpoint Management
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-06.1
Question: Are all relevant interactive-use endpoints configured to require an automatic lock screen?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon has established baseline infrastructure standards in alignment with industry best practices. These include automatic lockout after a defined period of inactivity.
CCM Control ID: UEM-06
CCM Control Specification: Configure all relevant interactive-use endpoints to require an automatic lock screen.
CCM Control Title: Automatic Lock Screen
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-07.1
Question: Are changes to endpoint operating systems, patch levels, and/or applications managed through the organizational change management process?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon has established baseline infrastructure standards in alignment with industry best practices. All software installations are monitored by AWS Security, and mandatory security controls and software are always required. Users cannot continue to use their laptop or desktop if required software is not installed; their device will be quarantined from network access until the non-conformance is resolved.
CCM Control ID: UEM-07
CCM Control Specification: Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
CCM Control Title: Operating Systems
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-08.1
Question: Is information protected from unauthorized disclosure on managed endpoints with storage encryption?
CAIQ Answer: NA
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS employees do not access, process, or change customer data in the course of providing our services. AWS has separate CORP and PROD environments which are separated from each other via physical and logical controls. Only approved users would have the ability to be granted access from CORP to PROD. That access is then managed by a separate permission system, requires an approved ticket, requires MFA, is time limited, and all activities are tracked. Additionally, customers are provided tools to encrypt data within the AWS environment to add additional layers of security. The encrypted data can only be accessed by authorized customer personnel with access to the encryption keys.
CCM Control ID: UEM-08
CCM Control Specification: Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
CCM Control Title: Storage Encryption
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-09.1
Question: Are anti-malware detection and prevention technology services configured on managed endpoints?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: AWS' program, processes and procedures for managing antivirus / malicious software are in alignment with ISO 27001 standards. Refer to the AWS SOC reports for further details. In addition, refer to the ISO 27001 standard, Annex A, domain 12 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.
CCM Control ID: UEM-09
CCM Control Specification: Configure managed endpoints with anti-malware detection and prevention technology and services.
CCM Control Title: Anti-Malware Detection and Prevention
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-10.1
Question: Are software firewalls configured on managed endpoints?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: Amazon assets (e.g. laptops) are configured with anti-virus software that includes e-mail filtering, software firewalls, and malware detection.
CCM Control ID: UEM-10
CCM Control Specification: Configure managed endpoints with properly configured software firewalls.
CCM Control Title: Software Firewall
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-11.1
Question: Are managed endpoints configured with data loss prevention (DLP) technologies and rules per a risk assessment?
CAIQ Answer: NA
CSP Implementation Description: AWS employees do not access, process, or change customer data in the course of providing our services. AWS has separate CORP and PROD environments which are separated from each other via physical and logical controls. AWS customers are responsible for the management of the data they place into AWS services. AWS has no insight as to what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content, where it is stored, used and protected from disclosure.
CCM Control ID: UEM-11
CCM Control Specification: Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
CCM Control Title: Data Loss Prevention
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-12.1
Question: Are remote geolocation capabilities enabled for all managed mobile endpoints?
CAIQ Answer: No
SSRM Control Ownership: CSP-owned
CSP Implementation Description: No response is required as we have indicated no.
CCM Control ID: UEM-12
CCM Control Specification: Enable remote geo-location capabilities for all managed mobile endpoints.
CCM Control Title: Remote Locate
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-13.1
Question: Are processes, procedures, and technical measures defined, implemented, and evaluated to enable remote company data deletion on managed endpoint devices?
CAIQ Answer: Yes
SSRM Control Ownership: CSP-owned
CSP Implementation Description: The AWS scope for mobile devices is iOS and Android based mobile phones and tablets. AWS maintains a formal mobile device policy and associated procedures. Specifically, AWS mobile devices are only allowed access to AWS corporate fabric resources and cannot access the AWS production fabric where customer content is stored. The AWS production fabric is separated from the corporate fabric by boundary protection devices that control the flow of information between fabrics. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure rule sets and access control lists are up to date. Consequently, mobile devices are not relevant to AWS customer content access.
CCM Control ID: UEM-13
CCM Control Specification: Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
CCM Control Title: Remote Wipe
CCM Domain Title: Universal Endpoint Management

Question ID: UEM-14.1
Question: Are processes, procedures, and technical and/or contractual measures defined, implemented, and evaluated to maintain proper security of third-party endpoints with access to organizational assets?
CAIQ Answer: NA
CSP Implementation Description: AWS does not utilize third parties to provide services to customers, but does utilize co-location providers in a limited capacity to house some AWS data centers. These controls are audited twice annually in our SOC 1/2 audits and annually in our ISO 27001/17/18 audits. There are no subcontractors authorized by AWS to access any customer-owned content that customers upload onto AWS. To monitor subcontractor access year-round, please refer to: https://aws.amazon.com/compliance/third-party-access/
CCM Control ID: UEM-14
CCM Control Specification: Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
CCM Control Title: Third-Party Endpoint Security Posture
CCM Domain Title: Universal Endpoint Management

End of Standard

Further Reading
For additional information, see the following sources:
- AWS Compliance Quick Reference Guide
- AWS Answers to Key Compliance Questions
- AWS Cloud Security Alliance (CSA) Overview

Document Revisions

Date Description
April 2022 Updated CAIQ template and updated responses to individual questions based on CAIQ v4.0.2
July 2018 2018 validation and update
January 2018 Migrated to new template.
January 2016 First publication
