Unlike virtually every other technology infrastructure provider, each AWS Region has multiple Availability Zones and data centers. As we’ve learned from running the leading cloud infrastructure technology platform since 2006, customers who care about the availability and performance of their applications want to deploy these applications across multiple Availability Zones in the same region for fault tolerance and low latency. Availability Zones are connected to each other with fast, private fiber-optic networking, enabling you to easily architect applications that automatically fail-over between Availability Zones without interruption.
AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud.
AWS has incorporated the PCI DSS Cloud Computing Guidelines into the AWS PCI Compliance Package for customers. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 3.1, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and our customers in the cloud. The AWS PCI DSS Level 1 certification includes AWS data centers in US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) that support in-scope services.
Amazon Web Services publishes a Service Organization Controls 1 (SOC
1), Type II report. The audit for this report is conducted in
accordance with AICPA: AT 801 (formerly SSAE 16) and the
International Standards for Assurance Engagements No. 3402 (ISAE
3402).
This audit is the replacement of the Statement on Auditing
Standards No. 70 (SAS 70) Type II report. This dual-standard report
can meet a broad range of auditing requirements for U.S. and
international auditing bodies.
The SOC 1 report audit attests
that the AWS control objectives are appropriately designed and that
the controls safeguarding customer data are operating effectively.
The AWS SOC 1 report includes AWS data centers in US East (Northern
Virginia), US West (Oregon), US West (Northern California), AWS
GovCloud (US) (Oregon), EU (Dublin), EU (Frankfurt), Asia Pacific
(Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and South
America (Sao Paulo) that support in-scope services.
In addition to the SOC 1 report, AWS publishes a Service Organization
Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the
evaluation of controls, the SOC 2 report is an attestation report
that expands the evaluation of controls to the criteria set forth by
the American Institute of Certified Public Accountants (AICPA) Trust
Services Principles. These principles define leading practice
controls relevant to security, availability, processing integrity,
confidentiality, and privacy applicable to service organizations
such as AWS.
The AWS SOC 2 is an evaluation of the design and
operating effectiveness of controls that meet the criteria for the
security and availability principles set forth in the AICPA’s Trust
Services Principles criteria. This report provides additional
transparency into AWS security and availability based on a defined
industry standard and further demonstrates AWS’ commitment to
protecting customer data. The AWS SOC 2 report includes AWS data
centers in US East (Northern Virginia), US West (Oregon), US West
(Northern California), AWS GovCloud (US) (Oregon), EU (Dublin), EU
(Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia
Pacific (Tokyo), and South America (Sao Paulo) that support in-scope
services.
AWS publishes a Service Organization Controls 3 (SOC 3) report. The
SOC 3 report is a publicly available summary of the AWS SOC 2
report.
The report includes the external auditor’s opinion of the
operation of controls (based on the AICPA’s Security Trust
Principles included in the SOC 2 report), the assertion from AWS
management regarding the effectiveness of controls, and an overview
of AWS Infrastructure and Services. The AWS SOC 3 report includes
AWS data centers in US East (Northern Virginia), US West (Oregon),
US West (Northern California), AWS GovCloud (US) (Oregon), EU
(Dublin), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific
(Sydney), Asia Pacific (Tokyo), and South America (Sao Paulo) that
support in-scope services. This is a great resource for customers to
validate that AWS has obtained external auditor assurance without
going through the process to request a SOC 2 report.
Amazon Web Services has completed an independent assessment that has determined all applicable ISM controls are in place relating to the processing, storage and transmission of Unclassified (DLM) for the AWS Sydney Region.
ISO 9001:2008 is a global standard for managing the quality of products and services. This standard outlines a quality management system based on eight principles defined by the International Organization for Standardization (ISO) Technical Committee for Quality Management and Quality Assurance. They include:
• Customer focus
• Leadership
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationships
The key to the ongoing certification under this standard is establishing, maintaining and improving the organizational structure, responsibilities, procedures, processes, and resources in a manner where AWS products and services consistently satisfy ISO 9001:2008 quality requirements.
AWS is ISO 27001:2013 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001:2013 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that is based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
AWS has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. AWS’ ISO 27001:2013 accreditation covers AWS Regions including US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US), South America (São Paulo), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo).
ISO 27017:2015 is a global cloud-specific information security code of practice released by the International Organization for Standardization (ISO). The standard’s guidance is based on ISO 27002 and gives cloud service providers and customers secure and specific implementation guidance for ISO 27002 security controls, as well as providing additional security controls specific to cloud services. This globally recognized code of practice was designed to provide cloud service providers and cloud service customers a common code of practice for security measures in the cloud. AWS obtained an independent external audit against the controls and guidance contained within the ISO 27017:2015 code of practice to further demonstrate our commitment to cloud security for our customers.
Having successfully attested to the ISO 27017:2015
practice, AWS and cloud service consumers can further enhance their
information security control environments with industry-specific
implementation guidance based on risk assessment for the use of
cloud services.
ISO 27017:2015 provides cloud-specific guidance around:
• Information Security Management
• Human Resource Security
• Asset Security
• Access Security
• Cryptography Security
• Physical and Environmental Security
• Operations Security
• Communications Security
• System acquisition, development, and maintenance
• Supplier Relationships
• Incident Management
• Business Continuity Management
AWS has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. AWS’ ISO 27017:2015 accreditation covers US East (Northern Virginia), US West (Oregon), US West (Northern California), AWS GovCloud (US) (Oregon), EU (Frankfurt), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), China (Beijing), and South America (Sao Paulo).
ISO/IEC 27018:2014 is a code of practice published by the
International Organization for Standardization (ISO). It is based on
ISO 27002 and designed to give cloud service providers security
control implementation guidance to protect Personally Identifiable
Information (PII). In addition to implementation guidance specific
to existing ISO 27002 controls, ISO 27018:2014 also provides
additional security controls not addressed by ISO 27002 to further
protect PII. AWS obtained an independent external audit against the
controls and guidance contained within the 27018:2014 code of
practice to further demonstrate our commitment to our customer’s
data privacy. While ISO 27018:2014 is targeted for PII, AWS applies
this same high bar to all customer content.
Alignment with the ISO 27018:2014 code of practice provides assurance that:
• Customers control their content
• Customer content will not be used for any unauthorized purposes
• Physical media is destroyed prior to leaving AWS data centers
• AWS provides customers the means to delete their content
• AWS doesn’t disclose customer content unless we’re required to do so to comply with a legally valid and binding order
Aligning our security controls that
protect the privacy of our customers with the measures outlined in
ISO 27018:2014 demonstrates our ongoing commitment to operate
securely and to protect the privacy of all customer content.
The Multi-Tier Cloud Security (MTCS) is an operational Singapore
security management Standard (SPRING SS 584:2013), based on ISO
27001/02 Information Security Management System (ISMS) standards.
The certification assessment requires us to:
• Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities;
• Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
• Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.
The Multi-Level Protection Scheme (MLPS) Level 3 certification
applies to critical infrastructure including finance,
transportation, telecom and education.
The scope of the
certifications covers AWS China network infrastructure, cloud
storage systems, and cloud computing systems. These certifications
have been successfully filed with the Chinese Ministry of Public
Security.
AWS enables covered entities and their business associates subject to
the U.S. Health Insurance Portability and Accountability Act (HIPAA)
to leverage the secure AWS environment to process, maintain, and
store protected health information. Additionally, AWS, as of July
2013, is able to sign business associate agreements (BAA) with such
customers.
AWS also offers a HIPAA-focused whitepaper and a HIPAA FAQ for customers interested in learning more about how they can leverage AWS for the processing and storage of health information. The “Architecting for HIPAA Security and Compliance on AWS” whitepaper outlines how companies can use AWS to run systems that facilitate HIPAA and HITECH compliance. For more information on the AWS HIPAA compliance program, please contact AWS Sales and Business Development.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. §
1232g; 34 CFR Part 99) is a Federal law that protects the privacy of
student education records. The law applies to all schools that
receive funds under an applicable program of the U.S. Department of
Education. FERPA gives parents certain rights with respect to their
children’s education records. These rights transfer to the student
when he or she reaches the age of 18, or attends a school beyond the
high school level. Students to whom the rights have transferred are
“eligible students.”
AWS enables covered entities and their
business associates subject to FERPA to leverage the secure AWS
environment to process, maintain, and store protected education
information.
The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party to validate the proper controls are in place to support customer export compliance programs for this requirement.
In 1998, The Congress of the United States of America amended the
Rehabilitation Act to require Federal agencies to make their
electronic and information technology accessible to people with
disabilities. Inaccessible technology interferes with an
individual’s ability to obtain and use information quickly and
easily. Section 508 was enacted to eliminate barriers in information
technology, to make available new opportunities for people with
disabilities, and to encourage development of technologies that will
help achieve these goals.
The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. § 794d), agencies must give disabled employees and members of the public access to information that is comparable to the access available to others.
AWS has achieved two Agency Authority to Operate (ATOs) under the
Federal Risk and Authorization Management Program (FedRAMP) at the
Moderate impact level. FedRAMP is a government-wide program that
provides a standardized approach to security assessment,
authorization, and continuous monitoring for cloud products and
services up to the Moderate level.
All U.S. government agencies
can leverage the AWS Agency ATO packages stored in the FedRAMP
repository to evaluate AWS for their applications and workloads,
provide authorizations to use AWS, and transition workloads into the
AWS environment.
AWS enables US government agencies to achieve and sustain compliance
with the Federal Information Security Management Act (FISMA). The
AWS infrastructure has been evaluated by independent assessors for a
variety of government systems as part of their system owners’
approval process. Numerous Federal Civilian and Department of
Defense (DoD) organizations have successfully achieved security
authorizations for systems hosted on AWS in accordance with the Risk
Management Framework (RMF) process defined in NIST 800-37 and DoD
Information Assurance Certification and Accreditation Process
(DIACAP).
AWS’s secure infrastructure has helped federal agencies
expand cloud computing use cases and deploy sensitive government
data and applications in the cloud while complying with the rigorous
security requirements of federal standards. To request more
information related to AWS FISMA, RMF and DIACAP compliance please
contact AWS Sales and Business Development.
In June 2015 The National Institute of Standards and Technology
(NIST) released guidelines 800-171, “Final Guidelines for Protecting
Sensitive Government Information Held by Contractors”. This guidance
is applicable to the protection of Controlled Unclassified
Information (CUI) on nonfederal systems.
AWS is already compliant
with these guidelines, and customers can effectively comply with
NIST 800-171 immediately. NIST 800-171 outlines a subset of the NIST
800-53 requirements, a guideline under which AWS has already been
audited under the FedRAMP program. The FedRAMP Moderate security
control baseline is more rigorous than the recommended requirements
established in Chapter 3 of 800-171, and includes a significant
number of security controls above and beyond those required of FISMA
Moderate systems that protect CUI data.
AWS complies with the FBI’s Criminal Justice Information Services
(CJIS) standard. We sign CJIS security agreements with our
customers, including allowing or performing any required employee
background checks according to the CJIS Security Policy.
We have
also created a Criminal Justice Information Services (CJIS) Workbook
in a security plan template format aligned to the CJIS Policy Areas.
The Department of Defense (DoD) Cloud Security Model (SRG) provides a formalized assessment and authorization process for cloud service providers (CSPs) to gain a DoD Provisional Authorization, which can subsequently be leveraged by DoD customers. A Provisional Authorization under the SRG provides a reusable certification that attests to our compliance with DoD standards, reducing the time necessary for a DoD mission owner to assess and authorize one of their systems for operation on AWS. AWS currently holds provisional authorizations at Levels 2 and 4 of the SRG.