AWS Compliance and Risk Whitepaper
The AWS Risk and Compliance Whitepaper aims to provide information to assist AWS customers in integrating AWS into their existing control framework to support their IT environment.
AWS communicates its security and control environment to customers by:
Obtaining industry certifications and independent third-party attestations as described in this document.
Publishing information about AWS security and control practices in whitepapers and web content.
Providing certificates, reports and other documentation directly to AWS customers under NDA (as needed).
Shared Responsibility Model
AWS’ share of the shared responsibility model involves providing its services on a highly secure platform and offering a wide range of security features customers can use.
AWS takes the operational burden off the customer by operating, managing and controlling the components from the host operating system and virtualization layer down to the physical security of the facilities where the service operates.
Customers are responsible for configuring their IT environments securely and in a controlled manner that serves their purposes. Customer responsibilities include:
Management of the guest operating systems (including security patches), associated software, and configuration of the AWS-provided security group firewall.
Meeting stringent compliance requirements by leveraging technology such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management.
AWS reduces the customer’s burden by managing the controls associated with the physical infrastructure in the AWS environment.
Risk and Compliance Governance
AWS offers a wide range of information about its IT control environment to customers through whitepapers, reports, certifications and other third-party attestations.
Customers of AWS must ensure adequate governance over the entire IT control system, regardless of how IT is deployed.
Leading practices include:
An understanding of compliance requirements and objectives (from relevant sources).
Establishment of a control environment that meets these objectives and requirements.
An understanding of the validation requirements based on the organization’s tolerance for risk.
Verification of the operating effectiveness of their control environments.
A basic approach to strong customer compliance and governance could include the following:
Review information from AWS together with other information to understand the entire IT environment.
Document all compliance requirements.
Design and implement control objectives to meet the enterprise’s compliance requirements.
Identify and document controls that are owned by third parties.
Verify that all control objectives have been met and that all key controls are properly designed and functioning.
This approach to compliance governance helps companies better understand and delineate the verification activities that must be performed.
AWS works with independent auditors and external certifying bodies to provide customers with extensive information about the policies, processes and controls that AWS has established and operates.
AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports, and other compliance reports directly to customers under NDA.
Key Risk and Compliance Questions
Shared Responsibility: AWS manages the physical components of this technology.
Everything else is owned and controlled by the customer, including all connection points and transmissions.
Auditing IT: Auditing for all layers and controls beyond the physical controls is the responsibility of each customer.