AWS Security Blog

Focus on Customers: Next Gen Compliance Enablers

May 16, 2019 update: We’ve removed a reference to the IT-Grundschutz Certification Workbook. AWS now recommends that customers refer to the Cloud Computing Compliance Controls Catalog (C5) instead. Learn more about C5 here: https://aws.amazon.com/compliance/bsi-c5/


AWS has radically improved cloud service provider compliance offerings with the ongoing development and release of next gen customer-focused compliance enablers that directly assist customers in (1) understanding how to apply legacy compliance requirements to an AWS environment, and (2) establishing a secure, compliant, and auditable AWS IT environment.

Traditionally our global customers have asked us for the standard audit reports, legal agreement terms, and control mapping documents they need to perform their due diligence on AWS. Our heavy investment in these kinds of compliance artifacts results in a mature, robust set of enablers that likely meet or exceed your compliance requirements and can assist you in performing your due diligence on AWS-owned controls. However, the bigger challenge is traditionally left completely up to you, the customer: translating those artifacts to company security requirements and operationalizing a secure and auditable environment that will meet all of the enterprise’s compliance requirements over time. 

We are evolving our compliance program by accelerating the development of next gen compliance artifacts. These new types of enablers build on the traditional compliance programs but focus directly on your efforts in establishing and operating your AWS security control environment by tying together governance-focused, audit-friendly AWS service features with applicable compliance or audit standards. Some of these new enablers include:

  • FFIEC Examiners Workbook. This workbook was developed by Coalfire, a global audit advisory firm, and is targeted to financial institutions, their examiners, and advisors. It is designed to guide customers subject to FFIEC audits on the secure architecture, use, and audit of AWS services.
  • PCI Responsibility Matrix. This document was also developed by Coalfire (our PCI QSA) and is updated annually during the AWS PCI assessment. It describes the responsibility for the customer and for AWS for each of the PCI DSS controls and, because of its general applicability to IT security, has been used by a wide range of global customers to properly implement and audit an effective control environment in AWS.
  • CJIS Workbook. For our customers protecting criminal justice information on AWS, the AWS CJIS Workbook is a security plan template to document the implementation of CJIS Security Policy requirements. The completed template can be submitted to local law enforcement agencies for a CJIS review and authorization.
  • Auditing Your Security Architecture in AWS. This is a hands-on training bootcamp designed for risk managers and auditors that can be delivered in a classroom setting or taken at your own pace online. The course instructs participants on how to audit the security architecture and controls of core AWS services and features such as Amazon EC2, Amazon EBS, Amazon S3, Amazon VPC, AWS Identity and Access Management, AWS CloudTrail, Amazon Machine Images (AMIs), and AWS CloudFormation.

We believe providing more of this type of next gen compliance material is a more direct way to help you with this critical objective—to continually meet your organization’s specific compliance obligations. At the same time we continue to mature our traditional (and complementary) compliance enablers, such as standard audit reports (e.g., our recent ISO 9001 certification) and legal agreement terms (e.g., our recent EU Model Clause announcement). Both of these types of enablers make it more straightforward for you to move sensitive and regulated workloads into AWS and to maintain full compliance with a wide range of industry and geographic requirements.

Visit us at http://aws.amazon.com/compliance/ to download or request these and other resources. Let us know what you think of this new approach, or give us your ideas on other ways the AWS Compliance team can directly support your efforts to establish and manage your security and compliance program: awscompliance@amazon.com. You can also get more information from your AWS account representative, or contact the AWS business development team.

– Chad Woolf, Director, AWS Risk and Compliance


Author

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering, and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR, and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies, consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Master of Information Systems Management and a Bachelor of Accounting from Brigham Young University, Utah.