AWS Security Certifications
Amazon Web Services (AWS) is an established cloud provider, with a variety of cloud services and hundreds of thousands of cloud customers. Organizations operating in the cloud may leverage AWS’ cloud security and compliance programs alongside compliance automation tools such as Dash ComplyOps to automate administrative and technical configuration or services and manage compliant workloads on AWS.
As one of the first movers in public cloud, Amazon has many established Compliance Programs that cover a wide range of national and global cybersecurity and administrative frameworks. Amazon Web Services has a number of security certifications from 3rd party or independent auditors (such as SOC and ISO standards), as well as alignments to more frameworks (such as HIPAA and GDPR) that do not have formal certifications.
Client Security Responsibilities
AWS customers are able to take advantage of the established security standards that Amazon has already put into place. Since the cloud provider takes care of many physical safeguards required by HIPAA and other frameworks. Organizations do not need to worry about physical server security or employee access when they enter into certain arrangements with Amazon. This allows teams to focus product development and easily build and scale services.
At the same time, most major cloud providers including AWS follow a shared responsibility model when it comes to security and compliance in the cloud. This means that both AWS, as well as AWS customers are responsible for specific security safeguards when building applications and managing compliant workloads in the cloud.
AWS Certifications and Attestations
AWS has the following compliance certifications and attestations that are assessed by a third-party, independent auditor and are the result of certification, audit report, or attestation of compliance:
Organizations are able to utilize the full suite of Amazon Web Services infrastructure to build applications and manage data in a manner that is compliant with the above frameworks. AWS customers are typically responsible for specific framework controls, such as organizational policies and technical implementation.
Laws and Regulations
For certain laws and regulations, AWS offers security features, enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) for supporting customer compliance.
The following laws and regulations have no formal certification available for cloud service provider within the law and regulatory domains, but can be supported by entering into certain agreements and implementing specific Amazon security features:
- Argentina Data Privacy
- CISPE
- FERPA
- GDPR
- GLBA
- HIPAA/HITECH
- IRS 1075
- ITAR
- My Number Act [Japan]
- U.K. DPA – 1988
- VPAT / Section 508
- Privacy Act [Australia]
- Privacy Act [New Zealand]
- PDPA – 2010 [Malaysia]
- PDPA – 2012 [Singapore]
- PHIPA [Ontario, Canada]
- PIPEDA [Canada]
- Spanish DPA Authorization
For these laws and regulations, organization’s must read Amazon’s guidelines and utilize services and protections as dictated via AWS agreements and regulatory requirements.
For example, HIPAA does not have an official certification. But AWS provides a business associates agreement (BAA) which clarifies security responsibilities and HIPAA eligible services. It is the cloud customer’s responsibility to make sure they are properly following this BAA and managing their responsibilities, in order to remain compliant with HIPAA.
Highlighted Compliance Programs
HIPAA/HITECH –
AWS will enter into a business associates’ agreement otherwise known as a business associates’ addendum (BAA) with any AWS customer. This BAA outlines the division of compliance responsibilities between the cloud provider and the cloud customer.
Under this agreement and the cloud shared responsibility model, AWS provides many of the physical security standards and technical controls required to maintain HIPAA compliance in the cloud. It is up to your organization to implement all necessary HIPAA administrative safeguards and administrative policies and configure technical safeguards across individual cloud services. Security teams may consider turning to a HIPAA automation solution to establish HIPAA compliance controls in AWS.
Your organization is responsible for managing:
- Creation of HIPAA administrative policies
- Configuring and setting up all security standards across all “HIPAA-eligible” services
- Continually monitoring and managing compliance (HIPAA does not have an official certification your team must ensure all safeguards are maintained)
SOC 2 – SOC 2 is a security auditing framework that many software vendors and companies work to obtain certification for, to validate security efforts for enterprise clients.
AWS is audited by an independent 3rd party and provides cloud customers with SOC 2 Type 1, Type 2, and Type 3 reports detailing security controls that have been put in place by the cloud provider to meet industry standards.
While AWS does provide specific physical security controls and technical security settings that can be enabled across cloud environments, SOC 2 Type 1 or SOC 2 Type 2 certification is not automatically inherited by your organization.
It is up to your organization to develop your own SOC 2 security program and go through a 3rd party SOC 2 audit to receive a SOC 2 report/certification. Security teams may consider turning to a SOC 2 automation solution to establish SOC 2 compliance controls in AWS.
Your organization is responsible for the following:
- Creation of SOC 2 security policies
- Configuring internal controls to meet SOC 2 TSC criteria across all cloud services
- Gathering security evidence and documentation for audit
- Having a SOC 2 audit performed a qualified 3rd party auditor.
Building an Internal Cloud Security Program
Built-in security programs from Amazon Web Services give organizations a great start for building around compliance and regulatory frameworks. Ultimately, it is up to the organization to build and maintain a Security Plan that maps to applicable security frameworks, employee workflow, and technologies of the organization.
Organization’s should build administrative policies that define standard operating procedures and proper controls for security frameworks. More importantly, administrative policies should be understandable and actually followed by your security team and staff. Dash allows organizations to build customized administrative policies based around security best practices and the team.
Technical controls need to be implemented to match specific security frameworks and regulations. This means for regulations such as HIPAA/HITECH, organization’s must configure AWS services or appropriate solutions for requirements including audit logging, disaster recovery, vulnerability scanning. By establishing smart DevOps practices or utilizing the Dash platform, customers can automate technical compliance controls and continually monitor their cloud environment.
