SOC2 Via AWS Report

Report of SOC2 TYPE II AWS

Uploaded by

lawscribd
DOCUMENT STRUCTURE

The requested document is appended to this terms and conditions page. This document contains supplementary attachments. To access the supplementary attachments, you must open this document in an application that supports PDF attachments. See the AWS Artifact User Guide for instructions on how to open attachments.

TERMS AND CONDITIONS

You hereby agree that you will not distribute, display, or otherwise make this document available to an individual or entity, unless expressly permitted herein. This document is AWS Confidential Information (as defined in the AWS Customer Agreement), and you may not remove these terms and conditions from this document, nor take excerpts of this document, without Amazon’s express written consent. You may not use this document for purposes competitive with Amazon. You may distribute this document, in its complete form, upon the commercially reasonable request by (1) an end user of your service, to the extent that your service functions on relevant AWS offerings provided that such distribution is accompanied by documentation that details the function of AWS offerings in your service, provided that you have entered into a confidentiality agreement with the end user that includes terms not less restrictive than those provided herein and have named Amazon as an intended beneficiary, or (2) a regulator, so long as you request confidential treatment of this document (each (1) and (2) is deemed a “Permitted Recipient”). You must keep comprehensive records of all Permitted Recipient requests, and make such records available to Amazon and its auditors, upon request. You further (i) acknowledge and agree that you do not acquire any rights against Amazon’s Service Auditors in connection with your receipt or use of this document, and (ii) release Amazon’s Service Auditor from any and all claims or causes of action that you have now or in the future against Amazon’s Service Auditor arising from this document. The foregoing sentence is meant for the benefit of Amazon’s Service Auditors, who are entitled to enforce it. “Service Auditor” means the party that created this document for Amazon or assisted Amazon with creating this document.
System and Organization Controls 2 (SOC 2) Type 2 Report

Description of the Amazon Web Services System Relevant to Security, Availability, Confidentiality, and Privacy

For the Period April 1, 2024 to March 31, 2025
Proprietary and Confidential Information - Trade Secret


©2025 Amazon.com, Inc. or its affiliates
Description of the Amazon Web Services System Relevant to Security, Availability, Confidentiality, and Privacy

Table of Contents

SECTION I – Assertion of Amazon Web Services ........ 3
SECTION II – Independent Service Auditor’s Assurance Report ........ 11
SECTION III – Description of the Amazon Web Services System Relevant to Security, Availability, Confidentiality, and Privacy ........ 21
    Amazon Web Services System Overview ........ 22
    Relevant Aspects of Internal Controls ........ 28
        A. Policies ........ 29
        B. Communications ........
        C. Service Commitments and System Requirements ........ 33
        D. Procedures ........ 34
        E. Monitoring ........ 90
    Complementary User Entity Controls ........ 91
SECTION IV – Description of Criteria, AWS Controls, Tests, and Results of Tests ........ 95
    Testing Performed and Results of Entity-Level Controls ........ 96
    Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE) ........ 96
    Trust Services Criteria and Related Controls for Systems and Applications ........ 96
    Information System Control Environment ........ 97
    AWS Controls Mapped to the Security, Availability, Confidentiality, and Privacy Criteria ........ 97
    Security, Availability, Confidentiality and Privacy Criteria Mapped to AWS Controls & Service Auditor’s Testing Performed and Results ........ 111
SECTION V – Other Information Provided By Amazon Web Services ........ 179
    Modifications to existing controls ........ 180
    Addition of new controls ........ 181
APPENDIX – Glossary of Terms ........ 182
    Appendix – Glossary of Terms ........ 183

SECTION I – Assertion of Amazon Web Services


Amazon Web Services
410 Terry Avenue North
Seattle, WA 98109-5210

Amazon Web Services’ Management Assertion

We have prepared the accompanying description titled “Description of the Amazon Web Services System Relevant to Security, Availability, Confidentiality, and Privacy” (Description) of Amazon Web Services, Inc. (“AWS” or “Service Organization”) in accordance with the criteria for a description of a service organization’s system set forth in the Description Criteria DC section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (Description Criteria). The Description is intended to provide report users with information about the Amazon Web Services System (System) that may be useful when assessing the risks arising from interactions with the System, particularly information about system controls that the Service Organization has designed, implemented and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, confidentiality, and privacy (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services Criteria.

The scope of this system description includes the following services:

• Amazon API Gateway
• Amazon AppFlow
• Amazon Application Recovery Controller
• Amazon AppStream 2.0
• Amazon Athena
• Amazon Augmented AI [excludes Public Workforce and Vendor Workforce for all features]
• Amazon Bedrock [excludes Amazon Bedrock Marketplace]
• Amazon Braket
• Amazon Chime
• Amazon Chime SDK
• Amazon Cloud Directory
• Amazon CloudFront [excludes content delivery through Amazon CloudFront Embedded Point of Presences]
• Amazon CloudWatch
• Amazon CloudWatch Logs
• Amazon CodeWhisperer
• Amazon Cognito
• Amazon Comprehend
• Amazon Comprehend Medical
• Amazon Connect
• Amazon Data Firehose
• Amazon DataZone
• Amazon Detective
• Amazon DevOps Guru
• Amazon DocumentDB [with MongoDB compatibility]
• Amazon DynamoDB
• Amazon DynamoDB Accelerator (DAX)
• Amazon EC2 Auto Scaling
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Container Service [both Fargate and EC2 launch types]
• Amazon Elastic File System (EFS)
• Amazon Elastic Kubernetes Service (EKS) [both Fargate and EC2 launch types]
• Amazon Elastic MapReduce (EMR)
• Amazon ElastiCache
• Amazon EventBridge
• Amazon FinSpace
• Amazon Forecast
• Amazon Fraud Detector
• Amazon FSx
• Amazon GuardDuty
• Amazon Inspector
• Amazon Inspector Classic
• Amazon Kendra
• Amazon Keyspaces (for Apache Cassandra)
• Amazon Kinesis Data Streams
• Amazon Kinesis Video Streams
• Amazon Lex
• Amazon Location Service
• Amazon Macie
• Amazon Managed Grafana
• Amazon Managed Service for Apache Flink
• Amazon Managed Service for Prometheus
• Amazon Managed Streaming for Apache Kafka
• Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
• Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
• Amazon MQ
• Amazon Neptune
• Amazon OpenSearch Service
• Amazon Personalize
• Amazon Pinpoint and End User Messaging (formerly Amazon Pinpoint)
• Amazon Polly
• Amazon Q Business
• Amazon Q Developer
• Amazon Quantum Ledger Database (QLDB)
• Amazon QuickSight
• Amazon Redshift
• Amazon Rekognition
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon S3 Glacier
• Amazon SageMaker AI (formerly Amazon SageMaker) [excludes Studio Lab, Public Workforce and Vendor Workforce for all features]
• Amazon Security Lake
• Amazon Simple Email Service (SES)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service (SWF)
• Amazon SimpleDB
• Amazon Textract
• Amazon Timestream
• Amazon Transcribe
• Amazon Translate
• Amazon Verified Permissions
• Amazon Virtual Private Cloud (VPC)
• Amazon WorkDocs
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkSpaces Secure Browser (formerly known as Amazon Workspaces Web)
• Amazon WorkSpaces Thin Client
• AWS Amplify
• AWS App Mesh
• AWS App Runner
• AWS AppFabric
• AWS Application Migration Service
• AWS AppSync
• AWS Artifact
• AWS Audit Manager
• AWS B2B Data Interchange
• AWS Backup
• AWS Batch
• AWS Certificate Manager (ACM)
• AWS Chatbot
• AWS Clean Rooms
• AWS Cloud Map
• AWS Cloud9
• AWS CloudFormation
• AWS CloudHSM
• AWS CloudShell
• AWS CloudTrail
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Config
• AWS Control Tower
• AWS Data Exchange
• AWS Database Migration Service (DMS)
• AWS DataSync
• AWS Direct Connect
• AWS Directory Service [excludes Simple AD]
• AWS Elastic Beanstalk
• AWS Elastic Disaster Recovery
• AWS Elemental MediaConnect
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• AWS Entity Resolution
• AWS Fault Injection Service
• AWS Firewall Manager
• AWS Global Accelerator
• AWS Glue
• AWS Glue DataBrew
• AWS Health Dashboard
• AWS HealthImaging
• AWS HealthLake
• AWS HealthOmics
• AWS IAM Identity Center
• AWS Identity and Access Management (IAM)
• AWS IoT Core
• AWS IoT Device Defender
• AWS IoT Device Management
• AWS IoT Events
• AWS IoT Greengrass
• AWS IoT SiteWise
• AWS IoT TwinMaker
• AWS Key Management Service (KMS)
• AWS Lake Formation
• AWS Lambda
• AWS License Manager
• AWS Mainframe Modernization
• AWS Managed Services
• AWS Network Firewall
• AWS OpsWorks [includes Chef Automate, Puppet Enterprise]
• AWS OpsWorks Stacks
• AWS Organizations
• AWS Outposts
• AWS Payment Cryptography
• AWS Private Certificate Authority
• AWS Resilience Hub
• AWS Resource Access Manager (RAM)
• AWS Resource Explorer
• AWS Resource Groups
• AWS RoboMaker
• AWS Secrets Manager
• AWS Security Hub
• AWS Serverless Application Repository
• AWS Service Catalog
• AWS Shield
• AWS Signer
• AWS Snowball
• AWS Snowball Edge
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• AWS Transfer Family
• AWS User Notifications
• AWS Verified Access
• AWS WAF
• AWS Wickr
• AWS X-Ray
• EC2 Image Builder
• Elastic Load Balancing (ELB)
• FreeRTOS
• VM Import/Export

More information about the in-scope services can be found at the following web address:
https://aws.amazon.com/compliance/services-in-scope/

The scope of locations covered in this report includes the supporting data centers located in the following regions:

• Australia: Asia Pacific (Sydney) (ap-southeast-2), Asia Pacific (Melbourne) (ap-southeast-4)
• Bahrain: Middle East (Bahrain) (me-south-1)
• Brazil: South America (São Paulo) (sa-east-1)
• Canada: Canada (Central) (ca-central-1), Canada West (Calgary) (ca-west-1)
• England: Europe (London) (eu-west-2)
• France: Europe (Paris) (eu-west-3)
• Germany: Europe (Frankfurt) (eu-central-1)
• Hong Kong: Asia Pacific (ap-east-1)
• India: Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Hyderabad) (ap-south-2)
• Indonesia: Asia Pacific (Jakarta) (ap-southeast-3)
• Ireland: Europe (Ireland) (eu-west-1)
• Israel: Israel (Tel Aviv) (il-central-1)
• Italy: Europe (Milan) (eu-south-1)
• Japan: Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Osaka) (ap-northeast-3)
• Malaysia: Asia Pacific (Malaysia) (ap-southeast-5)*
• Mexico: Mexico (Central) (mx-central-1)*
• Singapore: Asia Pacific (Singapore) (ap-southeast-1)
• South Africa: Africa (Cape Town) (af-south-1)
• South Korea: Asia Pacific (Seoul) (ap-northeast-2)
• Spain: Europe (Spain) (eu-south-2)
• Sweden: Europe (Stockholm) (eu-north-1)
• Switzerland: Europe (Zurich) (eu-central-2)
• Thailand: Asia Pacific (Thailand) (ap-southeast-7)*
• United Arab Emirates: Middle East (UAE) (me-central-1)
• United States: US East (Northern Virginia) (us-east-1), US East (Ohio) (us-east-2), US West (Oregon) (us-west-2), US West (Northern California) (us-west-1), AWS GovCloud (US-East) (us-gov-east-1), AWS GovCloud (US-West) (us-gov-west-1)

* Effective date for this region is February 15, 2025.

and the following AWS Edge locations in:

• Caba, Argentina
• General Pacheco, Argentina
• Brisbane, Australia
• Canberra, Australia
• Melbourne, Australia
• Perth, Australia
• Vienna, Austria
• Brussels, Belgium
• Fortaleza, Brazil
• Rio de Janeiro, Brazil
• São Paulo, Brazil
• Sofia, Bulgaria
• Scarborough, Canada
• Toronto, Canada
• Vancouver, Canada
• Huechuraba, Chile
• Santiago, Chile
• Bogotá, Colombia
• Zagreb, Croatia
• Prague, Czech Republic
• Ballerup, Denmark
• Cairo, Egypt
• Tallinn, Estonia
• Helsinki, Finland
• Espoo, Finland
• Marseille, France
• Berlin, Germany
• Dusseldorf, Germany
• Frankfurt, Germany
• Hamburg, Germany
• Munich, Germany
• Koropi, Greece
• Kropia, Greece
• Budapest, Hungary
• Bangalore, India
• Chennai, India
• Kolkata, India
• Mumbai, India
• New Delhi, India
• Noida, India
• Pune, India
• Jakarta, Indonesia
• Clonshaugh, Ireland
• Dublin, Ireland
• Haifa, Israel
• Milan, Italy
• Rome, Italy
• Inzai, Japan
• Nairobi, Kenya
• Kuala Lumpur, Malaysia
• Santiago de Querétaro, Mexico
• Amsterdam, Netherlands
• Diemen, Netherlands
• Schiphol-Rijk, Netherlands
• Auckland, New Zealand
• Rosedale, New Zealand
• Lagos, Nigeria
• Oslo, Norway
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Quezon, Philippines
• Warsaw, Poland
• Lisbon, Portugal
• Doha, Qatar
• Bucharest, Romania
• Jeddah, Saudi Arabia
• Singapore, Singapore
• Cape Town, South Africa
• Johannesburg, South Africa
• Anyang-si, South Korea
• Seoul, South Korea
• Barcelona, Spain
• Madrid, Spain
• Stockholm, Sweden
• Zurich, Switzerland
• New Taipei City, Taiwan
• Taipei, Taiwan
• Bangkok, Thailand
• Bang Chalong, Thailand
• Istanbul, Turkey
• Dubai, United Arab Emirates
• Fujairah, United Arab Emirates
• London, United Kingdom
• Manchester, United Kingdom
• Swinton, United Kingdom
• Ashburn, United States
• Atlanta, United States
• Aurora, United States
• Bluffdale, United States
• Boston, United States
• Chandler, United States
• Chicago, United States
• Columbus, United States
• Dallas, United States
• Denver, United States
• El Segundo, United States
• Elk Grove Village, United States
• Franklin, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Kansas City, United States
• Las Vegas, United States
• Los Angeles, United States
• Lynnwood, United States
• Miami, United States
• Milpitas, United States
• Minneapolis, United States
• New York City, United States
• Newark, United States
• North Las Vegas, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Pittsburgh, United States
• Portland, United States
• Reston, United States
• Richardson, United States
• Seattle, United States
• Secaucus, United States
• Tampa, United States
• Tempe, United States
• West Valley City, United States
• Hanoi, Vietnam
• Ho Chi Minh, Vietnam

and the following Wavelength locations in:

• Toronto, Canada
• Berlin, Germany
• Dortmund, Germany
• Munich, Germany
• Osaka, Japan
• Tama, Japan
• Daejeon, South Korea
• Seoul, South Korea
• London, United Kingdom
• Salford, United Kingdom
• Alpharetta, United States
• Annapolis Junction, United States
• Aurora, United States
• Azusa, United States
• Charlotte, United States
• Euless, United States
• Houston, United States
• Knoxville, United States
• Las Vegas, United States
• Minneapolis, United States
• New Berlin, United States
• Pembroke Pines, United States
• Plant City, United States
• Redmond, United States
• Rocklin, United States
• Southfield, United States
• Tempe, United States
• Wall Township, United States
• Westborough, United States

as well as Local Zone locations in:

• Caba, Argentina
• Perth, Australia
• Santiago, Chile
• Ballerup, Denmark
• Espoo, Finland
• Hamburg, Germany
• Kolkata, India
• New Delhi, India
• Noida, India*
• Santiago de Queretaro, Mexico
• Nouaceur, Morocco
• Rosedale, New Zealand
• Lagos, Nigeria
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Warsaw, Poland
• Singapore, Singapore*
• New Taipei City, Taiwan
• Bang Chalong, Thailand
• Atlanta, United States
• Boston, United States
• Chicago, United States
• Doral, United States
• El Segundo, United States
• Garland, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Itasca, United States
• Kansas City, United States
• Kapolei, United States
• Las Vegas, United States
• Lee's Summit, United States*
• Lithia Springs, United States
• Mesa, United States
• Miami, United States
• Minneapolis, United States
• North Las Vegas, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Richardson, United States
• Seattle, United States

* This location is a Dedicated Local Zone and may not be available to all customers.

The Description also indicates complementary user entity controls that are suitably designed and operating effectively are necessary along with AWS’ controls to achieve the service commitments and system requirements. The Description presents AWS’ controls and the complementary user entity controls assumed in the design of AWS’ controls.

We confirm, to the best of our knowledge and belief, that:


a. The Description presents the System that was designed and implemented throughout the period April 1, 2024 to March 31, 2025 in accordance with the Description Criteria.

b. The controls stated in the Description were suitably designed throughout the period April 1, 2024 to March 31, 2025 to provide reasonable assurance that AWS’ service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated throughout that period, and if user entities applied the complementary user entity controls assumed in the design of AWS’ controls throughout the period April 1, 2024 to March 31, 2025.

c. The AWS controls stated in the Description operated effectively throughout the period April 1, 2024 to March 31, 2025 to provide reasonable assurance that AWS’ service commitments and system requirements were achieved based on the applicable trust services criteria, if the complementary user entity controls assumed in the design of AWS’ controls operated effectively throughout that period.

Amazon Web Services Management
SECTION II – Independent Service Auditor’s Assurance Report

SECTION III – Description of the Amazon Web Services System Relevant to Security, Availability, Confidentiality, and Privacy

Amazon Web Services System Overview

Since 2006, Amazon Web Services (AWS) has provided flexible, scalable and secure IT infrastructure to businesses of all sizes around the world. With AWS, customers can deploy solutions in a cloud computing environment that provides compute power, storage, and other application services over the Internet as their business needs demand. AWS affords businesses the flexibility to employ the operating systems, application programs, and databases of their choice.

The scope of this system description includes the following services:

• Amazon API Gateway
• Amazon AppFlow
• Amazon Application Recovery Controller
• Amazon AppStream 2.0
• Amazon Athena
• Amazon Augmented AI [excludes Public Workforce and Vendor Workforce for all features]
• Amazon Bedrock [excludes Amazon Bedrock Marketplace]
• Amazon Braket
• Amazon Chime
• Amazon Chime SDK
• Amazon Cloud Directory
• Amazon CloudFront [excludes content delivery through Amazon CloudFront Embedded Point of Presences]
• Amazon CloudWatch
• Amazon CloudWatch Logs
• Amazon CodeWhisperer
• Amazon Cognito
• Amazon Comprehend
• Amazon Comprehend Medical
• Amazon Connect
• Amazon Data Firehose
• Amazon DataZone
• Amazon Detective
• Amazon DevOps Guru
• Amazon DocumentDB [with MongoDB compatibility]
• Amazon DynamoDB
• Amazon DynamoDB Accelerator (DAX)
• Amazon EC2 Auto Scaling
• Amazon Elastic Block Store (EBS)
• Amazon Elastic Compute Cloud (EC2)
• Amazon Elastic Container Registry (ECR)
• Amazon Elastic Container Service [both Fargate and EC2 launch types]
• Amazon Elastic File System (EFS)
• Amazon Elastic Kubernetes Service (EKS) [both Fargate and EC2 launch types]
• Amazon Elastic MapReduce (EMR)
• Amazon ElastiCache
• Amazon EventBridge
• Amazon FinSpace
• Amazon Forecast
• Amazon Fraud Detector
• Amazon FSx
• Amazon GuardDuty
• Amazon Inspector
• Amazon Inspector Classic
• Amazon Kendra
• Amazon Keyspaces (for Apache Cassandra)
• Amazon Kinesis Data Streams
• Amazon Kinesis Video Streams
• Amazon Lex
• Amazon Location Service
• Amazon Macie
• Amazon Managed Grafana
• Amazon Managed Service for Apache Flink
• Amazon Managed Service for Prometheus
• Amazon Managed Streaming for Apache Kafka
• Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
• Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
• Amazon MQ
• Amazon Neptune
• Amazon OpenSearch Service
• Amazon Personalize
• Amazon Pinpoint and End User Messaging (formerly Amazon Pinpoint)
• Amazon Polly
• Amazon Q Business
• Amazon Q Developer
• Amazon Quantum Ledger Database (QLDB)
• Amazon QuickSight
• Amazon Redshift
• Amazon Rekognition
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon S3 Glacier
• Amazon SageMaker AI (formerly Amazon SageMaker) [excludes Studio Lab, Public Workforce and Vendor Workforce for all features]
• Amazon Security Lake
• Amazon Simple Email Service (SES)
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• Amazon Simple Workflow Service (SWF)
• Amazon SimpleDB
• Amazon Textract
• Amazon Timestream
• Amazon Transcribe
• Amazon Translate
• Amazon Verified Permissions
• Amazon Virtual Private Cloud (VPC)
• Amazon WorkDocs
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkSpaces Secure Browser (formerly known as Amazon Workspaces Web)
• Amazon WorkSpaces Thin Client
• AWS Amplify
• AWS App Mesh
• AWS App Runner
• AWS AppFabric
• AWS Application Migration Service
• AWS AppSync
• AWS Artifact
• AWS Audit Manager
• AWS B2B Data Interchange
• AWS Backup
• AWS Batch
• AWS Certificate Manager (ACM)
• AWS Chatbot
• AWS Clean Rooms
• AWS Cloud Map
• AWS Cloud9
• AWS CloudFormation
• AWS CloudHSM
• AWS CloudShell
• AWS CloudTrail
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Config
• AWS Control Tower
• AWS Data Exchange
• AWS Database Migration Service (DMS)
• AWS DataSync
• AWS Direct Connect
• AWS Directory Service [excludes Simple AD]
• AWS Elastic Beanstalk
• AWS Elastic Disaster Recovery
• AWS Elemental MediaConnect
• AWS Elemental MediaConvert
• AWS Elemental MediaLive
• AWS Entity Resolution
• AWS Fault Injection Service
• AWS Firewall Manager
• AWS Global Accelerator
• AWS Glue
• AWS Glue DataBrew
• AWS Health Dashboard
• AWS HealthImaging
• AWS HealthLake
• AWS HealthOmics
• AWS IAM Identity Center
• AWS Identity and Access Management (IAM)
• AWS IoT Core
• AWS IoT Device Defender
• AWS IoT Device Management
• AWS IoT Events
• AWS IoT Greengrass
• AWS IoT SiteWise
• AWS IoT TwinMaker
• AWS Key Management Service (KMS)
• AWS Lake Formation
• AWS Lambda
• AWS License Manager
• AWS Mainframe Modernization
• AWS Managed Services
• AWS Network Firewall
• AWS OpsWorks [includes Chef Automate, Puppet Enterprise]
• AWS OpsWorks Stacks
• AWS Organizations
• AWS Outposts
• AWS Payment Cryptography
• AWS Private Certificate Authority
• AWS Resilience Hub
• AWS Resource Access Manager (RAM)
• AWS Resource Explorer
• AWS Resource Groups
• AWS RoboMaker
• AWS Secrets Manager
• AWS Security Hub
• AWS Serverless Application Repository
• AWS Service Catalog
• AWS Shield
• AWS Signer
• AWS Snowball
• AWS Snowball Edge
• AWS Step Functions
• AWS Storage Gateway
• AWS Systems Manager
• AWS Transfer Family
• AWS User Notifications
• AWS Verified Access
• AWS WAF
• AWS Wickr
• AWS X-Ray
• EC2 Image Builder
• Elastic Load Balancing (ELB)
• FreeRTOS
• VM Import/Export

More information about the in-scope services can be found at the following web address:
https://aws.amazon.com/compliance/services-in-scope/

The scope of locations covered in this report includes the supporting data centers located in the following regions:

• Australia: Asia Pacific (Sydney) (ap-southeast-2), Asia Pacific (Melbourne) (ap-southeast-4)
• Bahrain: Middle East (Bahrain) (me-south-1)
• Brazil: South America (São Paulo) (sa-east-1)
• Canada: Canada (Central) (ca-central-1), Canada West (Calgary) (ca-west-1)
• England: Europe (London) (eu-west-2)
• France: Europe (Paris) (eu-west-3)
• Germany: Europe (Frankfurt) (eu-central-1)
• Hong Kong: Asia Pacific (ap-east-1)
• India: Asia Pacific (Mumbai) (ap-south-1), Asia Pacific (Hyderabad) (ap-south-2)
• Indonesia: Asia Pacific (Jakarta) (ap-southeast-3)
• Ireland: Europe (Ireland) (eu-west-1)
• Israel: Israel (Tel Aviv) (il-central-1)
• Italy: Europe (Milan) (eu-south-1)
• Japan: Asia Pacific (Tokyo) (ap-northeast-1), Asia Pacific (Osaka) (ap-northeast-3)
• Malaysia: Asia Pacific (Malaysia) (ap-southeast-5)*
• Mexico: Mexico (Central) (mx-central-1)*
• Singapore: Asia Pacific (Singapore) (ap-southeast-1)
• South Africa: Africa (Cape Town) (af-south-1)
• South Korea: Asia Pacific (Seoul) (ap-northeast-2)
• Spain: Europe (Spain) (eu-south-2)
• Sweden: Europe (Stockholm) (eu-north-1)
• Switzerland: Europe (Zurich) (eu-central-2)
• Thailand: Asia Pacific (Thailand) (ap-southeast-7)*
• United Arab Emirates: Middle East (UAE) (me-central-1)
• United States: US East (Northern Virginia) (us-east-1), US East (Ohio) (us-east-2), US West (Oregon) (us-west-2), US West (Northern California) (us-west-1), AWS GovCloud (US-East) (us-gov-east-1), AWS GovCloud (US-West) (us-gov-west-1)

* Effective date for this region is February 15, 2025.

and the following AWS Edge locations in:

• Caba, Argentina
• General Pacheco, Argentina
• Brisbane, Australia
• Canberra, Australia
• Melbourne, Australia
• Perth, Australia
• Vienna, Austria
• Brussels, Belgium
• Fortaleza, Brazil
• Rio de Janeiro, Brazil
• São Paulo, Brazil
• Sofia, Bulgaria
• Scarborough, Canada
• Toronto, Canada
• Vancouver, Canada
• Huechuraba, Chile
• Santiago, Chile
• Bogotá, Colombia
• Zagreb, Croatia
• Prague, Czech Republic
• Ballerup, Denmark
• Cairo, Egypt
• Tallinn, Estonia
• Helsinki, Finland
• Espoo, Finland
• Marseille, France
• Berlin, Germany
• Dusseldorf, Germany
• Frankfurt, Germany
• Hamburg, Germany
• Munich, Germany
• Koropi, Greece
• Kropia, Greece
• Budapest, Hungary
• Bangalore, India
• Chennai, India
• Kolkata, India
• Mumbai, India
• New Delhi, India
• Noida, India
• Pune, India
• Jakarta, Indonesia
• Clonshaugh, Ireland
• Dublin, Ireland
• Haifa, Israel
• Milan, Italy
• Rome, Italy
• Inzai, Japan
• Nairobi, Kenya
• Kuala Lumpur, Malaysia
• Santiago de Querétaro, Mexico
• Amsterdam, Netherlands
• Diemen, Netherlands
• Schiphol-Rijk, Netherlands
• Auckland, New Zealand
• Rosedale, New Zealand
• Lagos, Nigeria
• Oslo, Norway
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Quezon, Philippines
• Warsaw, Poland
• Lisbon, Portugal
• Doha, Qatar
• Bucharest, Romania
• Jeddah, Saudi Arabia
• Singapore, Singapore
• Cape Town, South Africa
• Johannesburg, South Africa
• Anyang-si, South Korea
• Seoul, South Korea
• Barcelona, Spain
• Madrid, Spain
• Stockholm, Sweden
• Zurich, Switzerland
• New Taipei City, Taiwan
• Taipei, Taiwan
• Bangkok, Thailand
• Bang Chalong, Thailand
• Istanbul, Turkey
• Dubai, United Arab Emirates
• Fujairah, United Arab Emirates
• London, United Kingdom
• Manchester, United Kingdom
• Swinton, United Kingdom
• Ashburn, United States
• Atlanta, United States
• Aurora, United States
• Bluffdale, United States
• Boston, United States
• Chandler, United States
• Chicago, United States
• Columbus, United States
• Dallas, United States
• Denver, United States
• El Segundo, United States
• Elk Grove Village, United States
• Franklin, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Kansas City, United States
• Las Vegas, United States
• Los Angeles, United States
• Lynnwood, United States
• Miami, United States
• Milpitas, United States
• Minneapolis, United States
• New York City, United States
• Newark, United States
• North Las Vegas, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Pittsburgh, United States
• Portland, United States
• Reston, United States
• Richardson, United States
• Seattle, United States
• Secaucus, United States
• Tampa, United States
• Tempe, United States
• West Valley City, United States
• Hanoi, Vietnam
• Ho Chi Minh, Vietnam

and the following Wavelength locations in:

• Toronto, Canada
• Berlin, Germany
• Dortmund, Germany
• Munich, Germany
• Osaka, Japan
• Tama, Japan
• Daejeon, South Korea
• Seoul, South Korea
• London, United Kingdom
• Salford, United Kingdom
• Alpharetta, United States
• Annapolis Junction, United States
• Aurora, United States
• Azusa, United States
• Charlotte, United States
• Euless, United States
• Houston, United States
• Knoxville, United States
• Las Vegas, United States
• Minneapolis, United States
• New Berlin, United States
• Pembroke Pines, United States
• Plant City, United States
• Redmond, United States
• Rocklin, United States
• Southfield, United States
• Tempe, United States
• Wall Township, United States
• Westborough, United States

as well as Local Zone locations in:

• Caba, Argentina
• Perth, Australia
• Santiago, Chile
• Ballerup, Denmark
• Espoo, Finland
• Hamburg, Germany
• Kolkata, India
• New Delhi, India
• Noida, India*
• Santiago de Queretaro, Mexico
• Nouaceur, Morocco
• Rosedale, New Zealand
• Lagos, Nigeria
• Barka, Oman
• Santiago de Surco, Peru
• Manila, Philippines
• Warsaw, Poland
• Singapore, Singapore*
• New Taipei City, Taiwan
• Bang Chalong, Thailand
• Atlanta, United States
• Boston, United States
• Chicago, United States
• Doral, United States
• El Segundo, United States
• Garland, United States
• Greenwood Village, United States
• Hillsboro, United States
• Houston, United States
• Irvine, United States
• Itasca, United States
• Kansas City, United States
• Kapolei, United States
• Las Vegas, United States
• Lee's Summit, United States*
• Lithia Springs, United States
• Mesa, United States
• Miami, United States
• Minneapolis, United States
• North Las Vegas, United States
• Philadelphia, United States
• Phoenix, United States
• Piscataway, United States
• Richardson, United States
• Seattle, United States

* This location is a Dedicated Local Zone and may not be available to all customers.

Shared Responsibility Environment

Moving the customer’s IT infrastructure to AWS creates a shared responsibility model between customers
and AWS. AWS operates, manages, and controls the components from the host operating system and
virtualization layer down to the physical security of the facilities in which the services operate. In turn,
customers assume responsibility for the design, implementation and operation of their AWS environment,
which may include guest operating systems (including updates and security patches), other associated
application software, and the configuration of the AWS-provided security group firewall. Customers should
carefully consider the services they choose, as customer responsibilities vary depending on the services
they use, the integration of those services into their IT environments, and applicable laws and regulations.
It is possible to enhance security and/or meet more stringent compliance requirements by leveraging
technology such as host-based firewalls, host-based intrusion detection/prevention, and encryption. AWS
provides tools and information to assist customers in their efforts to account for and to validate that
controls are operating effectively in their extended IT environment. More information can be found on the
AWS Compliance center at https://aws.amazon.com/compliance.

AWS offers a variety of different infrastructure and platform services. More information can be found on
the AWS Shared Responsibility Model at https://aws.amazon.com/compliance/shared-responsibility-model/.
For the purpose of understanding security and shared responsibility for AWS’ services, AWS has
categorized its services into three main categories: infrastructure, container, and abstracted. Each
category comes with a slightly different security ownership model based on how customers interact with
and access the functionality. Customer responsibility is determined by the AWS Cloud services that a
customer selects. This determines the amount of configuration work the customer must perform as part of
their security responsibilities.

Infrastructure Services: Services such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon
Virtual Private Cloud (Amazon VPC) are categorized as Infrastructure Services and, as such, require the
customer to perform the necessary security configuration and management tasks. If a customer deploys
an Amazon EC2 instance, that customer is responsible for management of the guest operating system
(including updates and security patches), any application software or utilities installed by the customer
on the instances, and the configuration of the AWS-provided firewall (called a security group) on each
instance.

Container Services: Services in this category typically run separately on Amazon EC2 or other
infrastructure instances, but sometimes customers are not required to manage the operating system or
the platform layer. AWS provides a managed service for these application “containers”. Customers are
responsible for setting up and managing network controls, such as firewall rules, and for managing
platform-level identity and access management separately from IAM. Examples of container services
include Amazon Relational Database Services (Amazon RDS), Amazon Elastic Map Reduce (Amazon EMR)
and AWS Elastic Beanstalk.

Abstracted Services: This category includes high-level storage, database, and messaging services, such as
Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple
Queuing Service (Amazon SQS), and Amazon Simple Email Service (Amazon SES). These services abstract
the platform or management layer on which the customers can build and operate cloud applications. The
customers access the endpoints of these abstracted services using AWS Application Programming
Interfaces (APIs), and AWS manages the underlying service components or the operating system on which
they reside.

As every customer deploys their environment differently in AWS, customers can take advantage of shifting
the management of certain IT controls to AWS, which results in a (new) distributed control environment.
Customers can then use the AWS control and compliance documentation available to them to perform
their control evaluation and verification procedures as required. Certain functions of services have been
identified as controls in the system description and are denoted as “service-specific” as they are unique
to the respective service.

More information and examples on the AWS Security Best Practices can be found at
https://aws.amazon.com/architecture/security-identity-compliance/.

Furthermore, AWS publishes security blogs that cover best practices around using AWS services at
https://aws.amazon.com/blogs/security/tag/best-practices/.

Relevant Aspects of Internal Controls

As defined by the American Institute of Certified Public Accountants (AICPA), internal control is a process
effected by an entity’s board of directors, management, and other personnel and consists of five
interrelated components:

• Control Environment – Sets the tone of an organization, influencing the control consciousness of
its people. It is the foundation for all other components of internal control, providing discipline
and structure.
• Risk Assessment – The entity’s identification and analysis of relevant risks to the achievement of
its objectives, forming a basis for determining how the risks should be managed.
• Information and Communication – Surrounding these activities are information and
communication systems. These enable the entity’s people to capture and exchange information
needed to conduct and control its operations.
• Monitoring – The entire process must be monitored, and modifications made as necessary. In this
way, the system can react dynamically, changing as conditions warrant.

• Control Activities – Control policies and procedures must be established and executed to help
ensure that the actions identified by management as necessary to address risks to the
achievement of the entity’s objectives are effectively carried out.

This section briefly describes the essential characteristics and other interrelated components of internal
controls in achieving the service commitments and system requirements for the applicable trust services
criteria of security, availability, confidentiality, and privacy as they pertain to AWS that may be relevant
to customers in five broad areas:

• Policies (Control Environment and Risk Management) – The entity has defined and documented
its policies relevant to the applicable trust services criteria.
• Communications (Information and Communication) – The entity has communicated its defined
policies to responsible parties and authorized users of the system.
• Service Commitments and System Requirements (Control Activities) – The entity has
communicated its service commitments and system requirements to customers in accordance
with customer agreements.
• Procedures (Control Activities) – The entity has placed in operation procedures to achieve service
commitments and system requirements in accordance with its defined policies.
• Monitoring – The entity monitors the system and takes action to maintain compliance with its
defined policies.

A. Policies

A.1 Control Environment

AWS is a unit within Amazon.com (“Amazon” or “the Company”) that is aligned organizationally around
each of the web services, such as Amazon EC2, Amazon S3, Amazon VPC, Amazon EBS and Amazon RDS.
AWS leverages some aspects of Amazon’s overall control environment in the delivery of these web
services. The collective control environment encompasses management and employee efforts to establish
and maintain an environment that supports the effectiveness of specific controls. AWS maintains internal
informational websites describing the AWS environment, its boundaries, user responsibilities and services
(Control AWSCA-9.1).

The control environment at Amazon begins at the highest level of the Company. Executive and senior
leadership play important roles in establishing the Company’s core values and tone at the top. The
Company’s Code of Business Conduct and Ethics, which sets guiding principles, is made available to every
employee.

Amazon is committed to having highly qualified members as a part of its Board of Directors (Board)
(Control AWSCA-1.7). Annually, the Amazon Corporate Governance Committee provides each Board
member a questionnaire that establishes whether they are independent and qualified to serve on each
Board or Committee under the applicable rules. The Corporate Governance Committee periodically
reviews and assesses the composition of the Board and evaluates the overall Board performance during
the annual assessment of individual Board members. The Leadership Development and Compensation
Committee, with the full Board present, annually evaluates the succession plan for each member of the
Senior Management team (Control AWSCA-1.8). This includes the annual Company and CEO performance
and succession plan.

AWS is committed to protecting its customers’ data and maintaining compliance with applicable
regulatory requirements. This is demonstrated by the consolidated annual operational plan that includes
regulatory and compliance requirements and objectives to enable the identification and assessment of
risks relating to those objectives (Control AWSCA-1.9). AWS’ policies and procedures outline the required
guidance for operation and information security that supports AWS environments, acceptable use of
mobile devices, and access to data content and network devices (Control AWSCA-3.16). Periodically, AWS
employees are required to review and comply with the most current versions of applicable policies and
procedures.

Amazon has set up an ethics hotline for employees or third-party contractors to report misconduct or
violation of AWS policies, practices, rules, requirements or procedures (Control AWSCA-9.6). Material
violations of the Company Code of Business Conduct and Ethics or any other similar policies are handled
appropriately, which may include disciplinary action or termination of employment. Violations by vendors
or third-party contractors are reported by Amazon to their employers for disciplinary action, removal of
assignment with Amazon, or termination (Control AWSCA-9.7).

AWS has implemented a formal audit program that monitors and audits controls that are designed to
protect against organizational risks and safeguard customer content. This includes external independent
assessments against regulatory, internal and external control frameworks (Control AWSCA-9.8). The
internal and external audits are planned, performed and reported to the Audit Committee. The AWS
compliance team conducts audits according to a documented schedule. They review the audit plan and
communicate the audit requirements to the Audit Committee. These requirements are based on standard
criteria that verify AWS’ compliance with relevant regulatory obligations and reported risk areas.

AWS Artifact is the primary resource for customers to obtain compliance-related information from AWS.
It provides access to AWS’ security and compliance reports and select online agreements. Reports
available in AWS Artifact include: AWS System and Organization Controls (SOC) reports, Payment Card
Industry (PCI) Attestation of Compliance, and certifications from accreditation bodies across geographies
and industry verticals that validate the implementation and operating effectiveness of AWS security
controls. Amongst other things, compliance reports are made available to customers to enable them to
evaluate AWS’ conformance with security controls and associated compliance obligations.

The AWS organizational structure provides a framework for planning, executing and controlling business
operations (Control AWSCA-1.1). AWS Leadership assigns roles and responsibilities based on the AWS
organizational structure to provide for adequate staffing, efficiency of operations and the segregation of
duties. Management has also established authority and appropriate lines of reporting for key personnel.
The Company follows a structured on-boarding process to assist new employees as they become familiar
with Amazon tools, processes, systems, policies and procedures.

AWS performs a formal evaluation of the appropriate resourcing and staffing to align employee
qualifications with the entity’s business objectives and to support the achievement of those objectives.
Appropriate feedback is given to the employee on strengths and growth areas during the annual
performance review process. Employee strength and growth evaluations are shared by the employee’s
manager with the employee (Control AWSCA-9.3).

The GovCloud (US East) and GovCloud (US West) environments are AWS regions located in the United
States (US) that are designed to maintain physical and logical access controls that limit access by AWS
personnel to the AWS Network for the GovCloud (US) regions to US citizens. The AWS control environment
described in this document is also applicable to the GovCloud (US) regions.

AWS has established an information security framework. As part of this framework, AWS periodically
reviews and updates its security policies and provides security training to its employees, which includes
instruction on data classification. Additionally, the AWS Application Security (AppSec) team performs
security reviews of AWS applications. These reviews assess the availability, confidentiality, and integrity
of data, as well as conformance to the security policies. Where necessary, AWS Security leverages the
security framework and security policies established and maintained by Amazon Corporate Information
Security.

AWS has a process in place to review environmental and geo-political risks before launching a new region
(Control AWSCA-1.10). Risk assessments encompass reviews of natural catastrophe (e.g., extreme
weather events), technological (e.g., fire, nuclear radiation, industrial pollution) and man-made (e.g.,
vehicle impact, intentional acts, geo-political) hazards, including exposures presented by nearby entities,
as applicable. In addition to site-specific considerations, AWS evaluates scenarios potentially affecting
separate Availability Zones (AZs) within a region.

A.2 Risk Management

AWS maintains a formal risk management program to identify, analyze, treat, continuously monitor and
report on risks that affect AWS’ business objectives, regulatory requirements, and customers. The AWS
Enterprise Risk Management (ERM) team identifies enterprise risks, documents them in a risk register,
and reports results to leadership on a quarterly basis. The risk management program consists of the
following phases:

1) Identifying Risks

ERM has developed a tailored approach to identifying risks across the business. The approach is:
    • Bottom-up to identify existing risks and emerging risks, with a focus on internal
      mechanisms and data to identify risks;
    • Top-down to gather information from key leaders and external sources; and
    • Proactive outreach from risk owners to gather information from other internal teams,
      external events, and industry trends.

2) Analyzing Risks

ERM reviews the identified risks with senior leaders, risk owners and risk subject matter experts
(SMEs) to calibrate, assess, and prioritize. This is accomplished by evaluating:
    • Probability (likelihood of occurrence in a defined time period);
    • Impact (degree of severity in terms of the domains in which it may impact); and
    • Current Risk Controls (existence of mechanisms or controls that address inherent risk).

3) Treating Risks

ERM’s approach is risk treatment, versus risk mitigation. ERM collaborates with business SMEs to
develop treatment plans after considering available options. It is the risk owner that determines
whether to accept or further mitigate the risk based on the residual risk rating once options are
considered. Options might include:
    • Eliminating or avoiding the risk (e.g., stopping the activity);
    • Reducing the risk (e.g., implementing controls);
    • Transferring the risk (e.g., to a third party); or
    • Accepting the risk (when capacity and appetite exist).

4) Monitoring and Reporting Risks

ERM actively monitors material risks and their treatment plans and provides quarterly reports to
senior leadership. Reports may include important information about key risks and treatments, as
well as emerging trends and general program updates (Control AWSCA-1.5).

In addition to the ERM Risk Assessment, Internal Audit performs a separate Risk Assessment to identify
and prioritize significant AWS risks and uses this information to define the audit plan. The Risk Assessment
incorporates input from multiple sources such as changes to the business, internal audits, operational
events, and emerging risks. The audit plan and changes to the plan during the year are presented to the
Audit Committee. Internal Audit also communicates significant audit findings and associated action plans
to the Audit Committee.

Additionally, at least on a monthly basis, AWS management reviews the AWS operational metrics and
Correction of Errors (COEs) to improve the overall availability of AWS services and to identify areas of
improvement while mitigating risks to AWS environments. The “COE” documents are used to perform
deep root cause analysis of certain incidents across AWS, document actions taken, and assign follow-up
action items and owners to track to resolution.

B. Communications

AWS has implemented various methods of internal communication at a global level to help employees
understand their individual roles and responsibilities and to communicate significant events in a timely
manner. These methods include orientation and training programs for newly hired employees; annual
training programs that are tailored based on employee roles and responsibilities and may include Amazon
Security Awareness (ASA) (Control AWSCA-1.4), Software Developer Engineer (SDE) Bootcamp,
International Traffic in Arms Regulations (ITAR) Secure Coding Training, Threat Modeling the Right Way
for Amazon Builders, Fraud/Bribery/Foreign corrupt practices training, Privacy Engineering Foundations
for AWS Service Teams training, Managing Third Parties Using the Third-Party Risk Management Lifecycle,
and Export Compliance trainings; regular management meetings for updates on business performance and
other matters; and electronic means such as video conferencing, electronic mail messages, and the
posting of information via the Amazon intranet on topics such as reporting of information security
incidents and guidelines describing change management. The AWS Internal Privacy Policy informs AWS
employees and applicable vendors/contractors about AWS’ requirements regarding the privacy of
customers’ personal information in accordance with applicable legislation and other AWS obligations.

C. Service Commitments and System Requirements

C.1 Service Commitments

AWS communicates service commitments to user entities (AWS customers) in the form of Service Level
Agreements (SLAs), customer agreements (https://aws.amazon.com/agreement/), contracts or through
the description of the service offerings provided online through the AWS website. More information
regarding Service Level Agreements can be found at https://aws.amazon.com/legal/service-level-agreements/.

AWS uses various methods of external communication to support its customers and the community.
Mechanisms are in place to allow the AWS Support Escalation and Event Management (E2M) team to be
notified and to notify customers of potential operational issues that could impact the customer
experience. AWS Health Dashboard is available to alert customers of “General Service Events” which show
the health of all AWS services and “Your Account Events” which show events specific to the account.
Current status information can be checked by the customer on this site or by leveraging Amazon
EventBridge Integrations or RSS feeds, which allow customers to be notified of interruptions to each
individual service. Details related to security and compliance with AWS can also be obtained on the AWS
Security Center and AWS Compliance websites.

Customers have the ability to contact AWS through the ‘Contact us’ page for issues related to AWS
services. AWS provides publicly available mechanisms for external parties to contact AWS to report
security events and publishes information including a system description and security and compliance
information addressing AWS commitments and responsibilities (Control AWSCA-9.5). Customers can also
subscribe to Premium Support offerings that include direct communication with the customer support
team and proactive alerts for any customer-impacting issues. AWS also deploys monitoring and alarming
mechanisms which are configured by AWS Service Owners to identify and notify operational and
management personnel of incidents when early warning thresholds are crossed on key operational
metrics (Control AWSCA-8.1). Additionally, incidents are logged within a ticketing system, assigned a
severity rating and tracked to resolution (Control AWSCA-8.2).

C.2 System Requirements

The selection and use of services by AWS’ customers must be set up and operated under a shared
responsibility model so that the functionality of the services and the associated security is appropriately
managed. AWS is responsible for protecting the infrastructure that runs the service(s) offered in the AWS
Cloud. The customer’s responsibility is determined by the AWS Cloud service(s) that a customer selects
and the interdependencies of those services within the AWS Cloud and their own networked
environment. Customers should assess the objectives of their AWS cloud services network and identify
the risks and corresponding controls that need to be implemented to address those risks when using AWS
services, software, and operational controls. Customers should carefully consider the specific AWS
services they choose, as their security responsibilities can vary depending on the service(s) they select, as
well as the type of configurations and operational controls required for those services.

When designing and developing its services, AWS management has created internal policies that are
relevant to the services and systems available to customers. The development of these policies and
procedures helps to support management decision-making and provides the operational teams with clear
business requirements and guidance for managing each AWS service and system. As each AWS service is

H1
unique, the system requirements to use different services vary depending on the service and each
customer’s environment.

As explained in the Availability section of the report, AWS has processes and infrastructure in place to

OV
make AWS services available to customers to meet their needs. AWS communicates its system
requirements to customers and how to get started with using the AWS services in the form of user guides,
developer guides, API references, service specific tutorials, or SDK toolkits. More information regarding

F
AWS Documentation can be found at https://docs.aws.amazon.com/. These resources help the customers
with architecting the AWS services to satisfy their business needs.

QE
AWS has identified the following objectives to support the security, change, and operational processes
underlying their service commitments and business requirements. These objectives help ensure the

3F
system operates and mitigates risks that threaten the achievement of the service commitments and
system requirements. The objectives below provide reasonable assurance that:

ab
Data integrity is maintained through all phases, including transmission, storage and processing.
• Policies and mechanisms are in place to appropriately restrict unauthorized access to systems and
data, and customer data is appropriately segregated from other customers.
M
• System incidents are recorded and analyzed timely and tracked to resolution.
rro
• Changes (including emergency/non-routine and configuration) to existing IT resources are
documented, authorized, tested, approved and implemented by authorized personnel.
• Critical system components are replicated across multiple AZs and authoritative backups are
ap

maintained and monitored to ensure successful replication to meet the service commitments.
• Controls are implemented to safeguard data from within and outside of the boundaries of
environments which store a customer’s content to meet the service commitments.
W

• Procedures have been established so that the collection, use, retention, disclosure, and disposal
of customer content within AWS services is in accordance with the service commitments.
RK

D. Procedures
E

D.1 Security Organization


n-

AWS has an established information security organization that is managed by the AWS Security team and is led by the AWS Chief Information Security Officer (CISO). AWS Security team responsibilities are defined and allocated across the organization. The AWS Security team works with AWS service teams, other internal security teams, and external parties, striving to ensure that security risks are mitigated. AWS Security establishes and maintains policies and procedures to delineate standards for logical access on the AWS system and infrastructure hosts. The policies also identify functional responsibilities for the administration of logical access, privacy, and security. Where applicable, AWS Security leverages the information system framework and policies established and maintained by Amazon Corporate Information Security. AWS and Amazon Corporate Information Security policies are reviewed and approved on an annual basis by AWS Security Leadership and are used to support AWS in meeting the service commitments made to the customers (Controls AWSCA-1.1, AWSCA-1.2, and AWSCA-1.3).

Proprietary and Confidential Information - Trade Secret


©2025 Amazon.com, Inc. or its affiliates
34
Section III – Description of the Amazon Web Services System

As part of this annual assessment, the following policies were inspected to verify approval occurred within
the last year:

• AWS Access Control Policy
• AWS Configuration Management Policy
• AWS Contingency Planning Policy
• AWS Critical Permission Group Standard
• Data Center Security Standard: Media Handling, Storage and Destruction
• AWS Data Classification and Handling Policy
• AWS Facility Badge Management and Use Standard
• AWS Identification and Authentication Policy
• AWS Incident Response Policy
• AWS Information Security Risk Management Policy
• AWS Internal Privacy Policy
• AWS Risk Management Policy
• AWS Media Protection Policy
• AWS Password Policy
• AWS Personnel Security Policy
• AWS Physical and Environmental Protection Policy
• Secure Software Development Policy
• AWS Security Assessment and Certification Standard
• AWS Security Awareness Training Policy
• AWS System and Communications Protection Policy
• AWS System and Information Integrity Policy
• AWS System Maintenance Policy
• AWS Third Party Information Sharing Policy

AWS has a security awareness and training policy that is disseminated via an internal Amazon communication portal to all employees. This policy addresses purpose, scope, roles and responsibilities.

AWS maintains and provides security awareness training to all information system users on an annual basis. The training also includes components such as privacy, data protection training, and data handling leading practices (Control AWSCA-1.4).

As a part of AWS’ responsibilities within the shared responsibility model, AWS implements the three lines of defense model established by the Institute of Internal Auditors (IIA), discussed in the IIA’s Three Lines Model whitepaper (https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/). In this model, operational management is the first line of defense, the various risk control and compliance oversight functions established by management are the second line of defense (Control AWSCA-1.5), and independent assurance is the third. As its third line of defense, Amazon has an Internal Audit function to periodically evaluate risks and assess conformance to AWS security processes with due professional care (Control AWSCA-9.8).

Further, AWS Security Assurance works with third-party assessors to obtain an independent assessment of risk management content/processes by performing periodic security assessments and compliance audits or examinations (e.g., SOC, FedRAMP, ISO, PCI) to evaluate the security, integrity, confidentiality, and availability of information and resources. AWS management also collaborates with Internal Audit to determine the health of the AWS control environment and leverages this information to fairly present the assertions made within the reports.


D.2 Logical Security

AWS has established policies and procedures to delineate standards for logical access to AWS systems and infrastructure hosts. The policies also identify functional responsibilities for the administration of logical access and security. Where permitted by law, AWS requires that employees undergo a background screening at the time of hiring, commensurate with their position and level of access and in accordance with the AWS Personnel Security Policy (Control AWSCA-9.2).

AWS employees who have access to systems that could impact the confidentiality, integrity, availability, or privacy of customer content are required to complete a post-hire background screening within a year from their last background check. Post-hire screening includes criminal screening requirements consistent with the pre-hire background screening. Access to the systems that could impact the confidentiality, integrity, availability, or privacy of customer content is managed by membership in permission groups. Employees who support internal services or have access to network resources are not required to complete the post-hire background screening. Post-hire background screening is conducted where it is legally permissible by local law and in accordance with the AWS Personnel Security Policy (Control AWSCA-9.9).

Account Provisioning
The responsibility for provisioning user access, which includes employee and contractor access, is shared
across Human Resources (HR), Corporate Operations, and Service Owners.

A standard employee or contractor account with minimum privileges is provisioned in a disabled state when a hiring manager submits their new employee or contractor onboarding request in Amazon’s HR system. The account is automatically enabled after the employee’s record is activated in Amazon’s HR system. First time passwords are set to a unique value and are required to be changed on first use (Control AWSCA-2.1).

Access Management
AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. User accounts are created to have minimal access. Access above these least privileges requires appropriate and separate authorization.

Access to resources including services, hosts, network devices, and Windows and UNIX groups is approved in Amazon’s proprietary permission management system by the appropriate owner or manager. Requests for changes in access are captured in the Amazon permissions management tool audit log. When changes in an employee’s job function occur, continued access must be approved to the resource, or it will be automatically revoked (Control AWSCA-2.2).

Periodic Access Review


Access control lists or permission groups granting access to critical infrastructure are reviewed for appropriateness on a periodic basis. On a quarterly basis, reviews are performed by appropriate AWS management personnel of user access to AWS systems supporting the infrastructure and network; explicit re-approval is required, or access to the resource is revoked. On a semi-annual basis, AWS reviews the access to AWS accounts. When an internal user no longer has a required business need to access the operational management system, the user’s privileges and access to the relevant systems are revoked (Control AWSCA-2.3).

Access Removal
Access is revoked when an employee’s record is terminated in Amazon’s HR system. Windows and UNIX accounts are disabled, and Amazon’s permission management system removes the user from all systems (Control AWSCA-2.4).

Password Policy
Access and administration of logical security for Amazon relies on user IDs, passwords and Kerberos to authenticate users to services, resources and devices as well as to authorize the appropriate level of access for the user. AWS Security has established a password policy with required configurations and expiration intervals. AWS has a credential monitoring and response process to monitor compromised credentials for Amazon employees. Impacted user credentials are identified, tracked and rotated in a timely manner (Control AWSCA-2.5).

Remote Access
AWS requires two-factor authentication over an approved cryptographic channel for authentication to
the internal AWS network from remote locations (Control AWSCA-2.6).

AWS enables customers to select who has access to AWS services and resources (if resource-level permissions are applicable to the service) that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. User content is segregated by the service’s software. Content is only returned to individuals authorized to access the specified AWS service or resource (if resource-level permissions are applicable to the service) (Control AWSCA-3.5).

AWS performs Application Security (AppSec) reviews when needed for externally launched products, services, and significant feature additions prior to launch to identify security and privacy risks and determine if they are mitigated. As a part of the AppSec review, the Application Security team collects detailed information from service teams required for the review. The Application Security team tracks reviews against an independently managed inventory of products and features to be released to ensure that none are inadvertently launched before a completed review. As part of the security review, newly created or modified IAM policies allowing end users to interact with launched updates are also reviewed. The Application Security team then determines the granularity of review required based on the design, threat model, and impact to AWS’ risk profile. During this process, they work with the service team to identify, prioritize, and remediate security findings. The Application Security team provides their final approval for launch only upon completion of the review (Control AWSCA-3.6). Penetration testing is performed as needed.

AWS Network Security


The AWS Network consists of the internal data center facilities, servers, networking equipment and host software systems that are within AWS’ control and are used to provide AWS services.

The AWS network provides significant protection against traditional network security issues. The following are a few examples:




• Distributed Denial of Service (DDoS) Attacks. In order to defend against network attacks, including DDoS attempts and suspicious traffic patterns, events from multiple sources are collected, monitored and actioned through an integrated ticketing system, enabling rapid threat detection and coordinated response measures (Control AWSCA-8.2). Additionally, AWS’ networks are multi-homed across a number of providers to achieve Internet access diversity.
• Man in the Middle (MITM) Attacks. All of the AWS APIs are available via TLS/SSL-protected endpoints, which provide server authentication. Amazon EC2 Amazon Machine Images (AMIs) automatically generate new SSH host keys on first boot and log their fingerprints to the instance’s console. Customers can then use the secure APIs to retrieve the console output and check the host key fingerprints before logging into the instance for the first time, rather than trusting whatever key the first connection presents. Customers can use TLS/SSL for all of their interactions with AWS (Control AWSCA-3.11).
• IP Spoofing. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own (Control AWSCA-3.10).
• Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on our website at: https://aws.amazon.com/contact-us/report-abuse/. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by the customer. Customers’ strict management of security groups can further mitigate the threat of port scans. Customers may request permission to conduct vulnerability scans as required to meet specific compliance requirements. These scans must be limited to customers’ own instances and must not violate the AWS Acceptable Use Policy. Advance approval for these types of scans can be initiated by submitting a request via the AWS website at: https://aws.amazon.com/security/penetration-testing/.

• Packet sniffing by other tenants. Virtual instances are designed to prevent other instances running in promiscuous mode from receiving or “sniffing” traffic that is intended for a different virtual instance. While customers can place instances into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. While Amazon EC2 does provide protection against one customer inadvertently or maliciously attempting to view another’s data, as standard practice customers can encrypt sensitive traffic (Control AWSCA-3.10).

• Anti-virus software installed on workstations. Anti-virus software is deployed and running on Amazon corporate workstations. Client Engineering and Enterprise Engineering teams deploy anti-virus software at imaging to Amazon corporate workstations. AWS has implemented checks to ensure that anti-virus software is installed, running, and capable of quarantining any non-compliant workstations. This quarantine functionality isolates those workstations from the network until the necessary remediation actions have been taken (Control AWSCA-3.18).
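The MITM item above describes the procedure but not the check itself: compare the host key offered at first SSH connection with the fingerprint the instance logged to its console at boot. The following is an added example, not AWS code and not part of this report. It assumes the console output has the "-----BEGIN SSH HOST KEY FINGERPRINTS-----" block that Amazon Linux AMIs print (as returned by `aws ec2 get-console-output`) and that the live key is obtained with `ssh-keyscan`; the console text and key material below are constructed for the example.

```python
"""Check an EC2 instance's SSH host key against the fingerprints the instance
logged to its console at first boot, instead of accepting whatever key the
first connection presents.

Added example; this is not AWS code. It assumes the console output carries the
"-----BEGIN SSH HOST KEY FINGERPRINTS-----" block that Amazon Linux AMIs print
(one "ec2: <bits> SHA256:<fp> <comment> (<TYPE>)" line per key), as returned by
`aws ec2 get-console-output`, and that the live key comes from
`ssh-keyscan <host>`. The console text and keys below are constructed.
"""
import base64
import hashlib
import re

FP_BLOCK_RE = re.compile(
    r"-----BEGIN SSH HOST KEY FINGERPRINTS-----(.*?)"
    r"-----END SSH HOST KEY FINGERPRINTS-----",
    re.S,
)
FP_LINE_RE = re.compile(r"^(?:ec2:\s*)?\d+\s+(SHA256:\S+)\s+\S+\s+\((\S+)\)\s*$")

# OpenSSH key-type identifiers -> the names used in the console block.
SSH_TYPE_NAMES = {
    "ssh-ed25519": "ED25519",
    "ssh-rsa": "RSA",
    "ecdsa-sha2-nistp256": "ECDSA",
}


def parse_console_fingerprints(console_text: str) -> dict:
    """Return {key type: SHA256 fingerprint} from the console's fingerprint block."""
    block = FP_BLOCK_RE.search(console_text)
    if block is None:
        raise ValueError("no SSH host key fingerprint block in console output")
    fingerprints = {}
    for line in block.group(1).splitlines():
        m = FP_LINE_RE.match(line.strip())
        if m:
            fingerprints[m.group(2).upper()] = m.group(1)
    return fingerprints


def fingerprint_from_pubkey_line(line: str) -> tuple:
    """(key type, fingerprint) for one ssh-keyscan line ("host type blob") or a
    bare public key line ("type blob [comment]"). The fingerprint is what
    `ssh-keygen -l` shows: base64(SHA-256(raw key blob)) with '=' padding removed."""
    fields = line.split()
    if fields[0].startswith(("ssh-", "ecdsa-")):
        key_type, blob_b64 = fields[0], fields[1]
    else:
        key_type, blob_b64 = fields[1], fields[2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return SSH_TYPE_NAMES.get(key_type, key_type.upper()), fingerprint


def host_key_matches(console_text: str, keyscan_line: str) -> bool:
    """True only if the scanned key's fingerprint equals the one the instance
    logged for that key type; a key type absent from the console is a mismatch."""
    key_type, fingerprint = fingerprint_from_pubkey_line(keyscan_line)
    expected = parse_console_fingerprints(console_text).get(key_type)
    return expected is not None and expected == fingerprint


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string, the encoding used inside SSH key blobs."""
    return len(b).to_bytes(4, "big") + b


# Constructed keys: the 32 "public key" bytes are arbitrary, not a real key.
_GENUINE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_ROGUE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"  # constructed hostname
GENUINE_KEYSCAN_LINE = f"{HOST} ssh-ed25519 {base64.b64encode(_GENUINE_BLOB).decode()}"
ROGUE_KEYSCAN_LINE = f"{HOST} ssh-ed25519 {base64.b64encode(_ROGUE_BLOB).decode()}"

# Constructed console output in the Amazon Linux format. The ED25519 line carries
# the genuine key's fingerprint; the RSA line is a placeholder showing that
# several key types are parsed.
SAMPLE_CONSOLE = f"""
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 {fingerprint_from_pubkey_line(GENUINE_KEYSCAN_LINE)[1]} root@ip-10-0-0-5 (ED25519)
ec2: 3072 SHA256:RSAPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@ip-10-0-0-5 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

if __name__ == "__main__":
    print("genuine key accepted:", host_key_matches(SAMPLE_CONSOLE, GENUINE_KEYSCAN_LINE))
    print("rogue key accepted:  ", host_key_matches(SAMPLE_CONSOLE, ROGUE_KEYSCAN_LINE))
```

The comparison is done on the fingerprint rather than on the raw key so the same code works against `ssh-keyscan` output and against the `SHA256:` strings in the console block; a key whose type the console never logged is treated as a mismatch rather than silently accepted.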

Firewall devices are configured to restrict access to production networks (Control AWSCA-3.1). The configurations of these firewall policies are maintained via an automatic push from a parent server (Control AWSCA-3.2). All changes to the firewall policies are reviewed and approved by appropriate AWS management personnel (Control AWSCA-3.3).


AWS Security performs at least quarterly vulnerability scans on host operating systems, web applications, and databases in the AWS environment using a variety of tools (Control AWSCA-3.4). AWS Security teams also subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches. AWS customers have the ability to report issues to AWS via the AWS Vulnerability Reporting website at: https://aws.amazon.com/security/vulnerability-reporting/.

AWS utilizes virtualization techniques to control and restrict traffic flow. This includes the use of virtual networking devices, host-based firewalls, and Access Control Lists (ACLs) within EC2 and VPC. Additionally, AWS offers a variety of operating systems for its EC2 instances. It is the responsibility of the customers to appropriately configure server resources within the customer VPC.

External Access Control
External API access to services is configurable by customers via AWS Identity and Access Management (IAM). IAM enables customers to securely control access to AWS services and resources for their users. Using IAM, customers can create and manage AWS users, roles, groups, and create and attach policies to those entities with granular permissions that allow or deny access to AWS resources. Security Groups act as firewalls and may also be used to control access to some in-scope applications such as VPC, EFS, ElastiCache, and DMS. These groups default to a “deny all” access mode and customers must specifically authorize network connectivity. This can be achieved by authorizing a network IP range or authorizing an existing Security Group (Control AWSCA-3.5).

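Because security groups start at deny-all, every inbound rule is something a customer added, and "strict management of security groups" (the port-scanning item above) amounts to checking those rules. The script below is an added example, not an AWS tool and not part of this report: it walks the JSON shape that `aws ec2 describe-security-groups` returns and flags inbound rules reachable from the whole Internet on any port not deliberately public, while leaving alone rules that reference another security group. The two groups are constructed sample data, not output from a real account.

```python
"""Audit EC2 security group inbound rules for exposure to the whole Internet.

Added example; not an AWS tool. It reads the JSON shape that
`aws ec2 describe-security-groups` returns (SecurityGroups[].IpPermissions[]
with IpProtocol, FromPort, ToPort, IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6
and UserIdGroupPairs[].GroupId). The two groups below are constructed sample
data, not output from a real account.
"""
import ipaddress

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-tier",
        "IpPermissions": [
            # HTTPS from anywhere: expected for a public web tier.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            # SSH from the whole Internet: the finding we want to catch.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "db-tier",
        "IpPermissions": [
            # Postgres only from members of the web tier's group: a reference
            # to an existing security group rather than an IP range.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
            # Every protocol and port from a corporate /24: broad, not world-open.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]

# Ports you deliberately publish; any other port open to the world is a finding.
ALLOWED_PUBLIC_PORTS = frozenset({80, 443})


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other /0 prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(rule: dict) -> tuple:
    """Inclusive (from, to) port range. IpProtocol "-1" means every protocol
    and port, and such rules carry no FromPort/ToPort keys at all."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    return (rule["FromPort"], rule["ToPort"])


def audit(groups: list, allowed_public_ports=ALLOWED_PUBLIC_PORTS) -> list:
    """One finding per inbound rule reachable from the whole Internet on at
    least one port outside the allow-list. Rules that only reference other
    security groups never produce findings."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world_open = [c for c in cidrs if is_world_open(c)]
            if not world_open:
                continue
            lo, hi = port_span(rule)
            allowed_in_span = sum(1 for p in allowed_public_ports if lo <= p <= hi)
            if (hi - lo + 1) - allowed_in_span == 0:
                continue  # only deliberately public ports are exposed
            findings.append({
                "GroupId": group["GroupId"], "GroupName": group.get("GroupName"),
                "IpProtocol": rule["IpProtocol"], "FromPort": lo, "ToPort": hi,
                "WorldOpenCidrs": world_open,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} open to {', '.join(f['WorldOpenCidrs'])}")
```

Run against a real account, the input would be the `SecurityGroups` list from `aws ec2 describe-security-groups --output json`; the allow-list is the one knob to tune per environment, and an empty allow-list reports every world-open rule.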
Interacting with the Services
AWS provides several methods of interacting with its services in the form of APIs, Software Development Kits (SDKs), the AWS Management Console, and the AWS command line interface. All of the methods ultimately rely on public APIs and follow standard AWS authentication and authorization practices.

Authenticated calls to AWS services are signed by an X.509 certificate and/or the customer's AWS Secret Access Key. When using the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests with the access key specified by the customer when the tools were configured. Manually created requests must be signed using Signature Version 4 or Signature Version 2. All AWS services support Signature Version 4, except Amazon SimpleDB, which requires Signature Version 2. For AWS services that support both versions, it is recommended to use Signature Version 4.
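What "signed using Signature Version 4" involves is easier to see than to describe. The following is an added example, not AWS library code and not part of this report: it builds the canonical request, derives the scoped signing key from the secret access key, and produces the Authorization header, for the constructed access key, secret, timestamp and IAM ListUsers request that the AWS SigV4 documentation uses in its worked example, so the output can be compared against the values published there.

```python
"""Sign an AWS API request with Signature Version 4 by hand, to show what the
AWS CLI and SDKs do automatically from the configured access key.

Added example; not AWS library code. The access key, secret, timestamp and
request are the constructed inputs from the AWS SigV4 documentation's worked
example (an IAM ListUsers call), so the signature this produces can be compared
with the value published there. The secret never leaves the host: only the
signature derived from it travels, in the Authorization header.
"""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIDEXAMPLE"                               # constructed, not real
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"  # constructed, not real
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Canonical request plus the signed-headers list. Query parameters are
    URI-encoded and sorted by name, header names lower-cased and sorted, header
    values trimmed with runs of spaces collapsed, and the payload is represented
    by its SHA-256 hex digest."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    canon_headers = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon_headers))
    header_block = "".join(f"{k}:{canon_headers[k]}\n" for k in sorted(canon_headers))
    request = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                         header_block, signed_headers, sha256_hex(payload)])
    return request, signed_headers


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key. The long-term
    secret never signs a request directly, so a derived key that leaks is only
    good for that scope and that day."""
    k = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k = hmac_sha256(k, region)
    k = hmac_sha256(k, service)
    return hmac_sha256(k, "aws4_request")


def sign_request(method, host, path, query, headers, payload, region, service,
                 amz_date, access_key=ACCESS_KEY, secret=SECRET_KEY) -> dict:
    """Return canonical request, string to sign, signature and Authorization
    header value for a request sent at amz_date (YYYYMMDDTHHMMSSZ)."""
    date = amz_date[:8]
    all_headers = dict(headers)
    all_headers["host"] = host
    all_headers["x-amz-date"] = amz_date
    request, signed_headers = canonical_request(method, path, query, all_headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"canonical_request": request, "string_to_sign": string_to_sign,
            "signature": signature, "authorization": authorization}


def documented_example() -> dict:
    """GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 at
    2015-08-30T12:36:00Z, the request used in the AWS SigV4 documentation."""
    return sign_request(
        "GET", "iam.amazonaws.com", "/",
        {"Action": "ListUsers", "Version": "2010-05-08"},
        {"content-type": "application/x-www-form-urlencoded; charset=utf-8"},
        b"", "us-east-1", "iam", "20150830T123600Z")


if __name__ == "__main__":
    result = documented_example()
    print(result["canonical_request"])
    print()
    print(result["authorization"])
```

Two properties worth noticing in the code: the signature covers the host, date and every listed header, so a replayed or altered request fails verification, and the key-derivation chain scopes the signing key to one day, region and service, which is why the SDKs can cache derived keys without exposing the long-term secret.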

Internal Logging
AWS maintains centralized repositories that provide core log archival functionality available for internal use by AWS service teams. Leveraging S3 for high scalability, durability, and availability allows service teams to collect, archive, and view service logs in a central log service.

Production hosts at AWS are deployed using master baseline images (Control AWSCA-9.4). The baseline images are equipped with a standard set of configurations and functions including logging and monitoring for security purposes.

These logs are stored and accessible by AWS security teams for root cause analysis in the event of a suspected security incident. Logs for a given host are also available to the team that owns that host in case the team needs to search their logs for operational and security analysis.


Encryption
Amazon cryptographic policy defines the appropriate cryptography implementation through the Amazon cryptographic standard. The cryptography standard is based on FIPS standards, NIST standards, and/or the Commercial National Security Algorithm Suite (Suite B). Implementation guidance, including appropriate encryption key length and algorithm specific parameters, is provided to service teams through application security reviews. Additionally, AWS Security Engineers within the cryptography review program review the appropriate use of cryptography within AWS. In addition, API calls can be encrypted with TLS/SSL to maintain confidentiality. It is the customer’s responsibility to appropriately configure and manage usage and implementation of available encryption options to meet compliance requirements.

Each production firmware version release for the AWS Key Management Service HSM (Hardware Security Module) either holds or is in the process of actively pursuing FIPS 140-3 Level 3 certification from the National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP) (Control AWSCA-4.14). The certification process involves a coordinated effort between the AWS KMS team and NVLAP-accredited FIPS consulting laboratories, which act as the authorized intermediary between AWS KMS and NIST/CMVP. Before deployment, each new firmware version undergoes thorough evaluation to ensure compliance with the FIPS 140-3 Level 3 requirements, as verified by the FIPS consulting laboratory. Once compliance is confirmed, the laboratory submits a comprehensive report to NIST’s CMVP, initiating the formal FIPS 140-3 review and certification process for the firmware version.

All new objects uploaded to Amazon S3 are automatically encrypted with server-side encryption (Control AWSCA-3.19). Amazon S3 automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) for each new object uploaded to Amazon S3, unless a customer specifies a different encryption option. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects. Customers can alternatively choose to encrypt their objects with server-side encryption with customer-provided encryption keys (SSE-C), server-side encryption with AWS Key Management Service keys (SSE-KMS), SSE-KMS with S3 Bucket Keys, or dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS).

Deletion of Customer Content


AWS provides customers the ability to delete their content. Once successfully removed, the data is rendered unreadable (Control AWSCA-7.7). For services that utilize ephemeral storage, such as EC2, the ephemeral storage is deleted once the EC2 instance is terminated.

D.3 AWS Service Descriptions


The following section describes the AWS services within the scope of this report. These descriptions are not exhaustive, and customers should review documentation provided online for additional information on these services. Any AI functionality made available by services within the scope of this report is not included in the controls described.

Amazon API Gateway


Amazon API Gateway is a service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. With Amazon API Gateway, customers can create a custom API to code running in AWS Lambda, and then call the Lambda code from their API. Amazon API Gateway can execute AWS Lambda code in a customer’s account, start AWS Step Functions state machines, or make calls to AWS Elastic Beanstalk, Amazon EC2, or web services outside of AWS with publicly accessible HTTP endpoints. Using the Amazon API Gateway console, customers can define their REST API and its associated resources and methods, manage the API lifecycle, generate client SDKs, and view API metrics.

Amazon AppFlow

Amazon AppFlow is an integration service that enables customers to securely transfer data between Software-as-a-Service (SaaS) applications like Salesforce, SAP, Zendesk, Slack, and ServiceNow, and AWS services like Amazon S3 and Amazon Redshift. With AppFlow, customers can run data flows at enterprise scale at the frequency they choose - on a schedule, in response to a business event, or on demand. Customers are able to configure data transformation capabilities like filtering and validation to generate rich, ready-to-use data as part of the flow itself, without additional steps.

Amazon Application Recovery Controller (Effective August 15, 2024)

Amazon Application Recovery Controller gives insights into whether customers’ applications and resources are ready for recovery. The Application Recovery Controller also helps manage and coordinate recovery for customers’ applications across AWS Regions and Availability Zones (AZs). These capabilities make it simpler and more reliable to recover applications by reducing the manual steps required by traditional tools and processes.

Amazon AppStream 2.0

Amazon AppStream 2.0 is an application streaming service that provides customers instant access to their desktop applications from anywhere. Amazon AppStream 2.0 simplifies application management, improves security, and reduces costs by moving a customer’s applications from their users’ physical devices to the AWS Cloud. The Amazon AppStream 2.0 streaming protocol provides customers a responsive, fluid performance that is almost indistinguishable from a natively installed application. With Amazon AppStream 2.0, customers can realize the agility to support a broad range of compute and storage requirements for their applications.

Amazon Athena
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure for customers to manage. Athena is highly available and executes queries using compute resources across multiple facilities and multiple devices in each facility. Amazon Athena uses Amazon S3 as its underlying data store, making customers’ data highly available and durable.



Amazon Augmented AI (excludes Public Workforce and Vendor Workforce for all features)
Amazon Augmented AI (A2I) is a machine learning service which makes it easy to build the workflows required for human review. Amazon A2I brings human review to all developers, removing the undifferentiated heavy lifting associated with building human review systems or managing large numbers of human reviewers whether it runs on AWS or not. The public and vendor workforce options of this service are not in scope for purposes of this report.


Amazon Bedrock (excludes Amazon Bedrock Marketplace)

Amazon Bedrock is a fully managed service that makes foundation models (FMs) from Amazon and leading Artificial Intelligence (AI) companies available through an API, so customers can choose from various FMs to find the model that's best suited for their use case. With the Amazon Bedrock serverless experience, customers can quickly get started, easily experiment with FMs, privately customize FMs with their own data, and seamlessly integrate and deploy them into customer applications using AWS tools and capabilities. Agents for Amazon Bedrock are fully managed and make it easier for developers to create generative-AI applications that can deliver up-to-date answers based on proprietary knowledge sources and complete tasks for a wide range of use cases. The foundation models (FMs) from Amazon and leading AI companies, made available by Amazon Bedrock, and the FMs offered through Bedrock Marketplace, are not included in the design of the controls described in this SOC report.

Amazon Braket

Amazon Braket, the quantum computing service of AWS, is designed to help accelerate scientific research and software development for quantum computing. Amazon Braket provides everything customers need to build, test, and run quantum programs on AWS, including access to different types of quantum computers and classical circuit simulators and a unified development environment for building and executing quantum circuits. Amazon Braket also manages the classical infrastructure required for the execution of hybrid quantum-classical algorithms. When customers choose to interact with quantum computers provided by third parties, Amazon Braket anonymizes the content, so that only content necessary to process the quantum task is sent to the quantum hardware provider. No AWS account information is shared and customer data is not stored outside of AWS.

Amazon Chime

Amazon Chime is a communications service that lets customers meet, chat, and place business calls inside and outside organizations, all using a single application. With Amazon Chime, customers can conduct and attend online meetings with HD video, audio, screen sharing, meeting chat, dial-in numbers, and in-room video conference support. Customers can use chat and chat rooms for persistent communications across desktop and mobile devices. Customers are also able to administer enterprise users, manage policies, and set up SSO or other advanced features in minutes using the Amazon Chime management console.

Amazon Chime SDK


The Amazon Chime SDK is a set of real-time communications components that customers can use to quickly add messaging, audio, video, and screen sharing capabilities to their web or mobile applications. Customers can use the Amazon Chime SDK to build real-time media applications that can send and receive audio and video and allow content sharing. The Amazon Chime SDK works independently of any Amazon Chime administrator accounts and does not affect meetings hosted on Amazon Chime.

Amazon Cloud Directory


Amazon Cloud Directory enables customers to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. Customers also can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries. For example, customers can create an organizational chart that can be navigated through separate hierarchies for reporting structure, location, and cost center.


Amazon CloudFront (excludes content delivery through Amazon CloudFront Embedded Points of Presence)
Amazon CloudFront is a fast content delivery network (CDN) web service that securely delivers data, videos, applications and APIs to customers globally with low latency and high-transfer speeds. CloudFront offers the most advanced security capabilities, including field level encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall and Route 53 to protect against multiple types of attacks including network and application layer DDoS attacks. These services co-reside at edge networking locations – globally scaled and connected via the AWS network backbone – providing a more secure, performant, and available experience for the users.

CloudFront delivers customers' content through a worldwide network of Edge locations. When an end user requests content that customers serve with CloudFront, the user is routed to the Edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that Edge location, CloudFront delivers it immediately.

Amazon CloudWatch

Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides the customers with data and actionable insights to monitor their applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing the customers with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.

Amazon CloudWatch Logs


Amazon CloudWatch Logs is a service used to monitor, store, and access log files from Amazon Elastic Compute Cloud (EC2) instances, AWS CloudTrail, Route 53 and other sources. CloudWatch Logs enables customers to centralize the logs from systems, applications and AWS services used in a single, highly scalable service. Customers can easily view them, search for patterns, filter on specific fields or archive them securely for future analysis. CloudWatch Logs enables customers to view logs, regardless of their source, as a single and consistent flow of events ordered by time, and to query them based on specific criteria.

Amazon CodeWhisperer (Deprecated August 15, 2024)
Amazon CodeWhisperer is a productivity tool that generates real-time, single-line or full-function code suggestions in the customers’ integrated development environment (IDE) and in the command line to help quickly build software. Customers can quickly and easily accept the top suggestion, view more suggestions, or continue writing their own code.

Amazon Cognito
Amazon Cognito lets customers add user sign-up and sign-in, and manage permissions, for mobile and web applications. Customers can create their own user directory within Amazon Cognito. Customers can also choose to authenticate users through social identity providers such as Facebook, Twitter, or Amazon; with SAML identity solutions; or by using customers' own identity system. In addition, Amazon Cognito enables customers to save data locally on users' devices, allowing customers' applications to work even when the devices are offline. Customers can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.

Proprietary and Confidential Information - Trade Secret
©2025 Amazon.com, Inc. or its affiliates
43
Section III – Description of the Amazon Web Services System

Amazon Comprehend
Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text. Amazon Comprehend uses machine learning to help the customers uncover insights and relationships in their unstructured data without machine learning experience. The service identifies the language of the text; extracts key phrases, places, people, brands, or events; understands how positive or negative the text is; analyzes text using tokenization and parts of speech; and automatically organizes a collection of text files by topic.

Amazon Comprehend Medical
Amazon Comprehend Medical is a HIPAA-eligible natural language processing (NLP) service that facilitates the use of machine learning to extract relevant medical information from unstructured text. Using Amazon Comprehend Medical, customers can quickly and accurately gather information, such as medical condition, medication, dosage, strength, and frequency from a variety of sources like doctors’ notes, clinical trial reports, and patient health records. Amazon Comprehend Medical uses advanced machine learning models to accurately and quickly identify medical information, such as medical conditions and medications, and determines their relationship to each other, for instance, medicine dosage and strength.

Amazon Connect
Amazon Connect is a unified omnichannel solution built to empower personalized, efficient and proactive experiences across customers’ preferred channels. Customers can ensure customer issues are quickly resolved, and if multiple contacts are needed, seamlessly maintain context as customer needs change. Amazon Connect also helps customers proactively engage their customers at scale with relevant information, such as appointment reminders, product recommendations, and marketing promotions.

Amazon Data Firehose
Amazon Data Firehose is a reliable way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, and Amazon OpenSearch Service enabling near real-time analytics with existing business intelligence tools and dashboards customers are already using today. The service automatically scales to match the throughput of the customers’ data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.

Amazon DataZone
Amazon DataZone is a data management service that makes it faster and easier for customers to catalog, discover, share, and govern data stored across AWS, on premises, and third-party sources. With Amazon DataZone, engineers, data scientists, product managers, analysts, and business users can quickly access data throughout an organization so that they can discover, use, and collaborate to derive data-driven insights. Administrators and data owners who oversee an organization's data assets can easily manage and govern access to data. Amazon DataZone provides built-in workflows for data consumers to request access to data and for data owners to approve the access.

Amazon Detective
Amazon Detective allows customers to easily analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activity. Amazon Detective collects log data from customer’s AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables customers to conduct faster and more efficient security investigations. AWS Security services can be used to identify potential security issues or findings.

Amazon Detective can analyze trillions of events from multiple data sources and automatically creates a unified, interactive view of the resources, users, and the interactions between them over time. With this unified view, customers can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Amazon DevOps Guru
Amazon DevOps Guru is a service powered by machine learning (ML) that is designed to improve an application’s operational performance and availability. DevOps Guru helps detect behaviors that deviate from normal operating patterns so customers can identify operational issues before they impact them. DevOps Guru uses ML models informed by years of Amazon.com and AWS operational excellence to identify anomalous application behavior (for example, increased latency, error rates, resource constraints, and others) and helps surface critical issues that could cause potential outages or service disruptions. When DevOps Guru identifies a critical issue, it automatically sends an alert and provides a summary of related anomalies, the likely root cause, and context for when and where the issue occurred. When possible, DevOps Guru also helps provide recommendations on how to remediate the issue.

Amazon DocumentDB (with MongoDB compatibility)
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, and highly available document database service that supports MongoDB workloads. Amazon DocumentDB is designed from the ground up to give customers the performance, scalability, and availability customers need when operating mission-critical MongoDB workloads at scale. Amazon DocumentDB implements the Apache 2.0 open-source MongoDB 3.6 API by emulating the responses that a MongoDB client expects from a MongoDB server, allowing customers to use their existing MongoDB drivers and tools with Amazon DocumentDB. Amazon DocumentDB uses a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64 TB per database cluster.

Amazon DynamoDB
Amazon DynamoDB is a managed NoSQL database service. Amazon DynamoDB enables customers to offload to AWS the administrative burdens of operating and scaling distributed databases such as hardware provisioning, setup and configuration, replication, software patching, and cluster scaling. Customers can create a database table that can store and retrieve data and serve any requested traffic. Amazon DynamoDB automatically spreads the data and traffic for the table over a sufficient number of servers to handle the request capacity specified and the amount of data stored, while maintaining consistent, fast performance. All data items are stored on Solid State Drives (SSDs) and are automatically replicated across multiple AZs in a region.

Amazon DynamoDB Accelerator (DAX)
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available caching service built for Amazon DynamoDB. DAX delivers up to a 10 times performance improvement—from milliseconds to microseconds—even at millions of requests per second. DAX does the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.
Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling launches/terminates instances on a customer's behalf according to conditions customers define, such as schedule, changing metrics like average CPU utilization, or health of the instance as determined by EC2 or ELB health checks. It allows customers to have balanced compute across multiple AZs and scale their fleet based on usage.

Amazon Elastic Block Store (EBS)
Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its AZ to protect customers from component failure. Amazon EBS allows customers to create storage volumes from 1 GB to 16 TB that can be mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices, with user supplied device names and a block device interface. Customers can create a file system on top of Amazon EBS volumes or use them in any other way one would use a block device (e.g., a hard drive).

Amazon EBS volumes are presented as raw unformatted block devices that have been wiped prior to being made available for use. Wiping occurs before reuse. If customers have procedures requiring that all data be wiped via a specific method, customers can conduct a wipe procedure prior to deleting the volume for compliance with customer requirements. Amazon EBS includes Data Lifecycle Manager, which provides a simple, automated way to back up data stored on Amazon EBS volumes.

Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Compute Cloud (EC2) is Amazon’s Infrastructure as a Service (IaaS) offering, which provides scalable computing capacity using server instances in AWS’ data centers. Amazon EC2 is designed to make web-scale computing easier by enabling customers to obtain and configure capacity with minimal friction. Customers create and launch instances, which are virtual machines that are available in a wide variety of hardware and software configurations.

Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host layer, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. This helps prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and secures the Amazon EC2 instances themselves without sacrificing flexibility of configuration. The Amazon EC2 service utilizes a hypervisor to provide memory and CPU isolation between virtual machines and controls access to network, storage, and other devices, and maintains strong isolation between guest virtual machines. Independent auditors regularly assess the security of Amazon EC2 and penetration teams regularly search for new and existing vulnerabilities and attack vectors.

AWS prevents customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software (Control AWSCA-3.12).

Amazon EC2 provides a complete firewall solution, referred to as a Security Group. This mandatory inbound firewall is configured in a default deny-all mode to prevent unauthorized access and Amazon EC2 customers must explicitly open the ports needed to allow inbound traffic (Control AWSCA-3.9).
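The default-deny, explicit-allow semantics just described, as an added Python illustration rather than code from AWS or from this report: the rule shape follows the IpPermissions structure that the EC2 DescribeSecurityGroups API returns, the sample groups are constructed here, and audit_rules is a hypothetical helper that flags administrative ports opened to any source.

```python
"""Model of inbound Security Group evaluation: a freshly created group admits
nothing, and only an explicit allow rule matching protocol, port and source
address lets traffic through. Added illustration, not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols, as the API spells it)
    from_port: int  # -1 together with to_port == -1 means every port
    to_port: int
    cidr: str       # IPv4 or IPv6 source range


def rules_from_ip_permissions(ip_permissions):
    """Flatten the IpPermissions list returned by DescribeSecurityGroups into
    IngressRule objects. Security-group references (UserIdGroupPairs) are not
    CIDR-based and are skipped in this illustration."""
    rules = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        from_port = perm.get("FromPort", -1)  # absent when IpProtocol is "-1"
        to_port = perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            rules.append(IngressRule(proto, from_port, to_port, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.append(IngressRule(proto, from_port, to_port, r["CidrIpv6"]))
    return rules


def rule_matches(rule, protocol, port, source_ip):
    """True when one allow rule covers this protocol/port/source combination."""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    # An IPv4 address is never inside an IPv6 range (and vice versa); the
    # membership test returns False rather than raising in that case.
    return ip_address(source_ip) in ip_network(rule.cidr, strict=False)


def inbound_allowed(rules, protocol, port, source_ip):
    """Default deny: with no matching allow rule the packet is dropped.
    There are no deny rules to evaluate, only the allow list."""
    return any(rule_matches(r, protocol, port, source_ip) for r in rules)


ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def audit_rules(rules):
    """Hypothetical check: flag rules that open administrative ports (or every
    port) to any source. Returns readable findings, empty for a tightly scoped group."""
    findings = []
    for r in rules:
        if ip_network(r.cidr, strict=False).prefixlen != 0:
            continue  # scoped to a real range, e.g. a VPC CIDR
        if r.protocol == "-1" or r.from_port == -1:
            findings.append(f"all ports open to {r.cidr}")
            continue
        for port, name in ADMIN_PORTS.items():
            if r.protocol == "tcp" and r.from_port <= port <= r.to_port:
                findings.append(f"{name} ({port}/tcp) open to {r.cidr}")
    return findings


# Constructed sample groups (not real account data).
NEW_GROUP = []  # a just-created group: no inbound rules at all
WEB_GROUP = rules_from_ip_permissions([
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # SSH only from inside the VPC
])
RISKY_GROUP = rules_from_ip_permissions([
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
])

if __name__ == "__main__":
    print(inbound_allowed(NEW_GROUP, "tcp", 443, "203.0.113.7"))  # False
    print(inbound_allowed(WEB_GROUP, "tcp", 443, "203.0.113.7"))  # True
    print(inbound_allowed(WEB_GROUP, "tcp", 22, "203.0.113.7"))   # False
    print(inbound_allowed(WEB_GROUP, "tcp", 22, "10.0.4.9"))      # True
    print(audit_rules(WEB_GROUP))    # []
    print(audit_rules(RISKY_GROUP))  # ['SSH (22/tcp) open to 0.0.0.0/0', 'all ports open to ::/0']
```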
Amazon provides a Time Sync function for time synchronization in EC2 Linux instances with the Coordinated Universal Time (UTC). It is delivered over the Network Time Protocol (NTP) and uses a fleet of redundant satellite-connected and atomic clocks in each region to provide a highly accurate reference clock via the local 169.254.169.123 IPv4 address or fd00:ec2::123 IPv6 address. Irregularities in the Earth’s rate of rotation that cause UTC to drift with respect to the International Celestial Reference Frame (ICRF) by an extra second are called leap seconds. Time Sync addresses this clock drift by smoothing out leap seconds over a period of time (commonly called leap smearing), which makes it easy for customer applications to deal with leap seconds. The Amazon EC2 clock synchronization for the US East (Northern Virginia), US East (Ohio), Asia Pacific (Tokyo), Asia Pacific (Thailand), Asia Pacific (Malaysia), and Europe (Stockholm) regions has been uplifted to achieve accuracy within 100 microseconds versus 1 millisecond for the other regions on supported EC2 instances. Instance types that do not support this will still have 1 millisecond accuracy (Control AWSCA-7.10).

Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Registry is a Docker container image registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon Elastic Container Registry is integrated with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).

Amazon Elastic Container Service (both Fargate and EC2 launch types)
Amazon Elastic Container Service is a highly scalable, high performance container management service that supports Docker containers and allows customers to easily run applications on a managed cluster of Amazon EC2 instances. Amazon Elastic Container Service eliminates the need for customers to install, operate, and scale customers' own cluster management infrastructure. With simple API calls, customers can launch and stop Docker-enabled applications, query the complete state of customers' clusters, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM roles. Customers can use Amazon Elastic Container Service to schedule the placement of containers across customers' clusters based on customers' resource needs and availability requirements.

Amazon Elastic File System (EFS)
Amazon Elastic File System (EFS) provides file storage for Amazon EC2 instances. EFS presents a network attached file system interface via the NFS v4 protocol. EFS file systems grow and shrink elastically as data is added and deleted by users. Amazon EFS spreads data across multiple AZs; in the event that an AZ is not reachable, the structure allows customers to still access their full set of data. The customer is responsible for choosing which of their Virtual Private Clouds (VPCs) they want a file system to be accessed from by creating resources called mount targets. One mount target exists for each AZ, which exposes an IP address and DNS name for mounting the customer’s file system onto their EC2 instances. Customers then log into their EC2 instance and issue a ‘mount’ command, pointing at their mount target’s IP address or DNS name. A mount target is assigned one or more VPC security groups to which it belongs. The VPC security groups define rules for what VPC traffic can reach the mount targets and in turn can reach the file system.

Amazon Elastic Kubernetes Service (EKS) (both Fargate and EC2 launch types)
Amazon Elastic Kubernetes Service (EKS) makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS. Amazon EKS runs the Kubernetes management infrastructure for the customer across multiple AWS AZs to eliminate a single point of failure. Amazon EKS is certified Kubernetes conformant so the customers can use existing tooling and plugins from partners and the Kubernetes community. Applications running on any standard Kubernetes environment are fully compatible and can be easily migrated to Amazon EKS.

Amazon Elastic MapReduce (EMR)
Amazon Elastic MapReduce (EMR) is a web service that provides managed Hadoop clusters on Amazon EC2 instances running a Linux operating system. Amazon EMR uses Hadoop processing combined with several AWS products to do such tasks as web indexing, data mining, log file analysis, machine learning, scientific simulation, and data warehousing. Amazon EMR actively manages clusters for customers, replacing failed nodes and adjusting capacity as requested. Amazon EMR securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics.

Amazon ElastiCache
Amazon ElastiCache automates management tasks for in-memory cache environments, such as patch management, failure detection, and recovery. It works in conjunction with other AWS services to provide a managed in-memory cache. For example, an application running in Amazon EC2 can securely access an Amazon ElastiCache Cluster in the same region with very low latency.

Using the Amazon ElastiCache service, customers create a Cache Cluster, which is a collection of one or more Cache Nodes, each running an instance of the Memcached, Redis Engine, or DAX Engine. A Cache Node is a self-contained environment which provides a fixed-size chunk of secure, network-attached RAM. Each Cache Node runs an instance of the Memcached, Redis Engine, or DAX Engine, and has its own DNS name and port. Multiple types of Cache Nodes are supported, each with varying amounts of associated memory.

Amazon EventBridge
Amazon EventBridge delivers a near real-time stream of events that describe changes in AWS resources. Customers can configure routing rules to determine where to send collected data to build application architectures that react in real time to the data sources. Amazon EventBridge becomes aware of operational changes as they occur and responds to these changes by taking corrective action as necessary: sending messages to respond to the environment, activating functions, making changes, and capturing state information.
RK

Amazon FinSpace
Amazon FinSpace is a data management and analytics service that makes it easy to store, catalog, and
E

prepare financial industry data at scale. Amazon FinSpace reduces the time it takes for financial services
industry (FSI) customers to find and access all types of financial data for analysis.

Amazon Forecast
Amazon Forecast uses machine learning to combine time series data with additional variables to build forecasts. With Amazon Forecast, customers can import time series data and associated data into Amazon Forecast from their Amazon S3 database. From there, Amazon Forecast automatically loads the data, inspects it, and identifies the key attributes needed for forecasting. Amazon Forecast then trains and optimizes a customer’s custom model and hosts it in a highly available environment where it can be used to generate business forecasts.

Amazon Forecast is protected by encryption. Any content processed by Amazon Forecast is encrypted with customer keys through Amazon Key Management Service and encrypted at rest in the AWS Region where a customer is using the service. Administrators can also control access to Amazon Forecast through an AWS Identity and Access Management (IAM) permissions policy ensuring that sensitive information is kept secure and confidential.

Amazon Fraud Detector
Amazon Fraud Detector helps detect suspicious online activities such as the creation of fake accounts and online payment fraud. Amazon Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify fraudulent activity to catch more fraud, faster. With Amazon Fraud Detector, customers can create a fraud detection ML model with just a few clicks and use it to evaluate online activities in milliseconds.

Amazon FSx
Amazon FSx provides third-party file systems. Amazon FSx provides the customers with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). The customers don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads.

Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect the customers’ AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, the customers now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud.

Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector removes the operational overhead associated with deploying and configuring a vulnerability management solution by allowing customers to deploy Amazon Inspector across all accounts with a single step.

Amazon Inspector Classic
Amazon Inspector Classic is an automated security assessment service for customers seeking to improve the security and compliance of applications deployed on AWS. Amazon Inspector Classic automatically assesses applications for vulnerabilities or deviations from leading practices. After performing an assessment, Amazon Inspector Classic produces a detailed list of security findings prioritized by level of severity.

Amazon Kendra
Amazon Kendra is an intelligent search service powered by machine learning. Kendra reimagines enterprise search for customer websites and applications so employees and customers can easily find content, even when it's scattered across multiple locations and content repositories.
Amazon Keyspaces (for Apache Cassandra)
Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available Apache Cassandra–compatible database service. With Amazon Keyspaces, customers can run Cassandra workloads on AWS using the same Cassandra application code and developer tools that customers use today. Amazon Keyspaces is serverless and gives customers the performance, elasticity, and enterprise features customers need to operate business-critical Cassandra workloads at scale.

Amazon Kinesis Data Streams
Amazon Kinesis Data Streams is a massively scalable and durable real-time data streaming service. Kinesis Data Streams can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs and location-tracking events. The collected data is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing and more.

Amazon Kinesis Video Streams
Amazon Kinesis Video Streams makes it easy to securely stream video from connected devices to AWS for analytics, machine learning (ML), playback, and other processing. Kinesis Video Streams automatically provisions and elastically scales the infrastructure needed to ingest streaming video data from millions of devices. It also durably stores, encrypts, and indexes video data in the streams, and allows the customers to access their data through easy-to-use APIs. Kinesis Video Streams enables the customers to playback video for live and on-demand viewing, and quickly build applications that take advantage of computer vision and video analytics.

Amazon Lex
Amazon Lex is a service for building conversational interfaces into any application using voice and text. Amazon Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable customers to build applications with highly engaging user experiences and lifelike conversational interactions. Amazon Lex scales automatically, so customers do not need to worry about managing infrastructure.

Amazon Location Service
Amazon Location Service makes it easy for developers to add location functionality to applications without compromising data security and user privacy. With Amazon Location Service, customers can build applications that provide maps and points of interest, convert street addresses into geographic coordinates, calculate routes, track resources, and trigger actions based on location. Amazon Location Service uses high-quality geospatial data to provide maps, places, routes, tracking, and geofencing.

Amazon Macie
Amazon Macie is a data security and data privacy service that uses machine learning and pattern matching to help customers discover, monitor, and protect their sensitive data in AWS.

Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to provide customers with a better understanding of the data that the organization stores in Amazon Simple Storage Service (Amazon S3). Macie also provides customers with an inventory of the S3 buckets, and it automatically evaluates and monitors those buckets for security and access control. Within minutes, Macie can identify and report overly permissive or unencrypted buckets for the organization.
If Macie detects sensitive data or potential issues with the security or privacy of customer content, it
creates detailed findings for customers to review and remediate as necessary. Customers can review and
analyze these findings directly in Macie, or monitor and process them by using other services, applications,
and systems.

Amazon Managed Grafana
Amazon Managed Grafana is a service for open-source Grafana, providing interactive data visualization for monitoring and operational data. Using Amazon Managed Grafana, customers can visualize, analyze, and alarm on their metrics, logs, and traces collected from multiple data sources in their observability system, including AWS, third-party ISVs, and other resources across their IT portfolio. Amazon Managed Grafana offloads the operational management of Grafana by automatically scaling compute and database infrastructure as usage demands increase, with automated version updates and security patching. Amazon Managed Grafana natively integrates with AWS services so customers can securely add, query, visualize, and analyze their AWS data across multiple accounts and regions with a few clicks in the AWS Console. Amazon Managed Grafana integrates with AWS IAM Identity Center and supports Security Assertion Markup Language (SAML) 2.0, so customers can set up user access to specific dashboards and data sources for only certain users in their corporate directory.

Amazon Managed Service for Apache Flink
Amazon Managed Service for Apache Flink is an easy way for customers to analyze streaming data, gain actionable insights, and respond to business and customer needs in real time. Amazon Managed Service for Apache Flink reduces the complexity of building, managing, and integrating streaming applications with other AWS services. SQL users can easily query streaming data or build entire streaming applications using templates and an interactive SQL editor. Java developers can quickly build sophisticated streaming applications using open-source Java libraries and AWS integrations to transform and analyze data in real-time.

Amazon Managed Service for Prometheus
Amazon Managed Service for Prometheus is a Prometheus-compatible monitoring and alerting service that facilitates monitoring of containerized applications and infrastructure at scale. The Cloud Native Computing Foundation’s Prometheus project is an open-source monitoring and alerting solution optimized for container environments. With Amazon Managed Service for Prometheus, customers can use the open-source Prometheus query language (PromQL) to monitor and alert on the performance of containerized workloads, without having to scale and operate the underlying infrastructure. Amazon Managed Service for Prometheus automatically scales the ingestion, storage, alerting, and querying of operational metrics as workloads grow or shrink, and it is integrated with AWS security services to enable fast and secure access to data.

Amazon Managed Streaming for Apache Kafka
Amazon Managed Streaming for Apache Kafka is a service that makes it easy for customers to build and run applications that use Apache Kafka to process streaming data. Apache Kafka is an open-source platform for building real-time streaming data pipelines and applications. With Amazon MSK, customers can use Apache Kafka APIs to populate data lakes, stream changes to and from databases, and power machine learning and analytics applications.

Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
Amazon Managed Workflows for Apache Airflow is a service for Apache Airflow that lets customers use their current, familiar Apache Airflow platform to orchestrate their workflows. Customers gain improved scalability, availability, and security without the operational burden of managing underlying infrastructure. Amazon Managed Workflows for Apache Airflow orchestrates customer workflows using Directed Acyclic Graphs (DAGs) written in Python. Customers provide Amazon Managed Workflows for Apache Airflow an Amazon Simple Storage Service (S3) bucket where customer’s DAGs, plugins, and Python requirements reside. Then customers can run and monitor their DAGs from the AWS Management Console, a command line interface (CLI), a software development kit (SDK), or the Apache Airflow user interface (UI).

Amazon MemoryDB (formerly known as Amazon MemoryDB for Redis)
Amazon MemoryDB is a Redis-compatible, durable, in-memory database service. It is purpose-built for modern applications with microservices architectures.

Amazon MemoryDB is compatible with Redis, an open-source data store, enabling customers to quickly build applications using the same flexible Redis data structures, APIs, and commands that they already use today. With Amazon MemoryDB, all of the customer’s data is stored in memory, which enables the customer to achieve microsecond read and single-digit millisecond write latency and high throughput. Amazon MemoryDB also stores data durably across multiple AZs using a distributed transactional log to enable fast failover, database recovery, and node restarts. Delivering both in-memory performance and Multi-AZ durability, Amazon MemoryDB can be used as a high-performance primary database for microservices applications eliminating the need to separately manage both a cache and durable database.

Amazon MQ
Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that sets up and operates message brokers in the cloud. Message brokers allow different software systems – often using different programming languages, and on different platforms – to communicate and exchange information. Messaging is the communications backbone that connects and integrates the components of distributed applications, such as order processing, inventory management, and order fulfillment for e-commerce. Amazon MQ manages the administration and maintenance of two open-source message brokers, ActiveMQ and RabbitMQ.

Amazon Neptune
Amazon Neptune is a fast and reliable graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Amazon Neptune is a purpose-built, high-performance graph database engine optimized for storing billions of relationships and querying the graph with millisecond latency. Amazon Neptune supports the popular graph models Property Graph and W3C's RDF, and their respective query languages Apache TinkerPop Gremlin and SPARQL, allowing customers to easily build queries that efficiently navigate highly connected datasets. Neptune powers graph use cases such as recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.

Amazon OpenSearch Service
Amazon OpenSearch Service is a service that makes it easy for the customer to deploy, secure, and operate OpenSearch cost effectively at scale. Amazon OpenSearch Service lets the customers pay only for what they use – there are no upfront costs or usage requirements. With Amazon OpenSearch Service, the customers get the ELK stack they need, without the operational overhead.

Amazon Personalize
Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications. Amazon Personalize makes it easy for developers to build applications capable of delivering a wide array of personalization experiences, including specific product recommendations, personalized product re-ranking and customized direct marketing. Amazon Personalize goes beyond rigid static rule-based recommendation systems and trains, tunes, and deploys custom machine learning models to deliver highly customized recommendations to customers across industries such as retail, media and entertainment.

Amazon Pinpoint and End User Messaging (formerly Amazon Pinpoint)
Amazon Pinpoint and End User Messaging helps customers engage with their customers by sending email, SMS, and mobile push messages. The customers can use Amazon Pinpoint and End User Messaging to send targeted messages (such as promotional alerts and customer retention campaigns), as well as direct messages (such as order confirmations and password reset messages) to their customers.

Amazon Polly
Amazon Polly is a service that turns text into lifelike speech, allowing customers to create applications that talk, and build entirely new categories of speech-enabled products. Amazon Polly is a Text-to-Speech service that uses advanced deep learning technologies to synthesize speech that sounds like a human voice.

Amazon Q Business (Effective August 15, 2024)
Amazon Q Business is a service that deploys a generative AI business expert for your enterprise data. It comes with a built-in user interface, where users ask complex questions in natural language, create or compare documents, generate document summaries, and interact with their third-party applications.

Amazon Q Developer (Effective August 15, 2024)
Amazon Q Developer is a generative artificial intelligence (AI) powered conversational assistant that can help customers understand, build, extend, and operate AWS applications. Customers can ask questions about AWS architecture, AWS resources, best practices, documentation, support, and more. When used in an integrated development environment (IDE), Amazon Q provides software development assistance. Amazon Q can chat about code, provide inline code completions, generate net new code, scan your code for security vulnerabilities, and make code upgrades and improvements, such as language updates, debugging, and optimizations.

Amazon Quantum Ledger Database (QLDB)
Amazon Quantum Ledger Database (QLDB) is a ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Amazon QLDB can be used to track each and every application data change and maintains a complete and verifiable history of changes over time.

Amazon QuickSight
Amazon QuickSight is a fast, cloud-powered business analytics service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from customers’ data. Using this cloud-based service, customers can connect to their data, perform advanced analysis, and create visualizations and dashboards that can be accessed from any browser or mobile device.

Amazon Redshift
Amazon Redshift is a data warehouse service to analyze data using a customer’s existing Business Intelligence (BI) tools. Amazon Redshift also includes Redshift Spectrum, allowing customers to directly run SQL queries against exabytes of unstructured data in Amazon S3.

Amazon Rekognition
The easy-to-use Rekognition API allows customers to automatically identify objects, people, text, scenes, and activities, as well as detect any inappropriate content. Developers can quickly build a searchable content library to optimize media workflows, enrich recommendation engines by extracting text in images, or integrate secondary authentication into existing applications to enhance end-user security. With a wide variety of use cases, Amazon Rekognition enables the customers to easily add the benefits of computer vision to their business.

Amazon Relational Database Service (RDS)
Amazon Relational Database Service (RDS) enables customers to set up, operate, and scale a relational database in the cloud. Amazon RDS manages backups, software patching, automatic failure detection, and recovery. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.

Amazon Route 53
Amazon Route 53 provides a managed Domain Name System (DNS) web service. Amazon Route 53 connects user requests to infrastructure running both inside and outside of AWS. Customers can use Amazon Route 53 to configure DNS health checks to route traffic to healthy endpoints or to independently monitor the health of their application and its endpoints. Amazon Route 53 enables customers to manage traffic globally through a variety of routing types, including Latency Based Routing, Geo DNS, and Weighted Round Robin; all of these routing types can be combined with DNS Failover. Amazon Route 53 also offers Domain Name Registration; customers can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure DNS settings for their domains. Amazon Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it is reachable, available, and functional. Customers can also choose to receive notifications when a resource becomes unavailable and choose to route internet traffic away from unhealthy resources.

Amazon S3 Glacier
Amazon S3 Glacier is an archival storage solution for data that is infrequently accessed and for which retrieval times of several hours are suitable. Data in Amazon S3 Glacier is stored as an archive. Archives in Amazon S3 Glacier can be created or deleted, but archives cannot be modified. Amazon S3 Glacier archives are organized in vaults. All vaults created have a default permission policy that only permits access by the account creator or users that have been explicitly granted permission. Amazon S3 Glacier enables customers to set access policies on their vaults for users within their AWS Account. User policies can express access criteria for Amazon S3 Glacier on a per-vault basis. Customers can enforce Write Once Read Many (WORM) semantics for users through user policies that forbid archive deletion.

Amazon SageMaker AI (formerly Amazon SageMaker) (excludes Studio Lab, Public Workforce and Vendor Workforce for all features)
Amazon SageMaker AI is a platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale. Amazon SageMaker AI removes the barriers that typically “slow down” developers who want to use machine learning.

Amazon SageMaker AI removes the complexity that holds back developer success with the process of building, training, and deploying machine learning models at scale. Amazon SageMaker AI includes modules that can be used together or independently to build, train, and deploy a customer’s machine learning models.

QE
Amazon Security Lake (Effective August 15, 2024)
Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on

3F
premises, and cloud sources into a purpose-built data lake stored in a customer account. With Security
Lake, customers can get a more complete understanding of security data across their entire organization.
They can also improve the protection of workloads, applications, and data.

Amazon Simple Email Service (SES)
Amazon Simple Email Service (SES) is a cost-effective, flexible and scalable email service that enables developers to send mail from within any application. Customers can configure Amazon SES to support several email use cases, including transactional, marketing, or mass email communications. Amazon SES's flexible IP deployment and email authentication options help drive higher deliverability and protect sender reputation, while sending analytics measure the impact of each email. With Amazon SES, customers can send email securely, globally and at scale.

Amazon Simple Notification Service (SNS)
Amazon Simple Notification Service (SNS) is a web service to set up, operate, and send notifications. It provides developers the capability to publish messages from an application and deliver them to subscribers or other applications. Amazon SNS follows the “publish-subscribe” (pub-sub) messaging paradigm, with notifications being delivered to clients using a “push” mechanism. Using SNS requires defining a "Topic", setting policies on access and delivery of the Topic, subscribing consumers and designating delivery endpoints, and publishing messages to a Topic. Administrators define a Topic as an access point for publishing messages and allowing customers to subscribe to notifications. Security policies are applied to Topics to determine who can publish, who can subscribe, and to designate the protocols supported.

Amazon Simple Queue Service (SQS)
Amazon Simple Queue Service (SQS) is a message queuing service that offers a distributed hosted queue for storing messages as they travel between computers. By using Amazon SQS, developers can move data between distributed components of their applications that perform different tasks, without losing messages or requiring each component to be always available. Amazon SQS allows customers to build an automated workflow, working in close conjunction with Amazon EC2 and the other AWS infrastructure web services.

Amazon SQS’ main components consist of a frontend request-router fleet, a backend data-storage fleet, a metadata cache fleet, and a dynamic workload management fleet. User queues are mapped to one or more backend clusters. Requests to read, write, or delete messages come into the frontends. The frontends contact the metadata cache to find out which backend cluster hosts that queue and then connect to nodes in that cluster to service the request.

For authorization, Amazon SQS has its own resource-based permissions system that uses policies written in the same language used for AWS IAM policies. User permissions for any Amazon SQS resource can be granted either through the Amazon SQS policy system or through the AWS IAM policy system, which is authorized by the AWS Identity and Access Management service. Such policies on a queue are used to specify which AWS Accounts have access to the queue, as well as the type of access and the conditions under which it applies.
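
Queue policies of the kind described above, as an added example that is not AWS's own code: a least-privilege policy in the IAM policy language next to an over-broad one, with an audit function that flags anonymous principals lacking a Condition and wildcard actions. Account IDs and ARNs are constructed placeholders.

```python
# Added example, not AWS's own code: an SQS queue policy written in the IAM policy
# language, plus an audit pass over such policies. Account IDs and ARNs are
# constructed placeholders.
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders-queue"  # placeholder
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:order-events"  # placeholder
CONSUMER_ACCOUNT = "444455556666"                               # placeholder


def build_queue_policy(queue_arn, topic_arn, consumer_account):
    """Least-privilege resource policy for one queue.

    Statement 1 lets the SNS service deliver into the queue, but only on behalf
    of one topic (aws:SourceArn condition). Statement 2 lets a second AWS
    account consume: it may receive and delete messages, but not send them or
    change queue attributes (which would include this policy).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOneTopicToDeliver",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
            },
            {
                "Sid": "AllowConsumerAccountToRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
                "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                           "sqs:GetQueueAttributes"],
                "Resource": queue_arn,
            },
        ],
    }


# Constructed "before" policy of the kind the audit below should catch.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Open", "Effect": "Allow", "Principal": "*",
         "Action": "sqs:*", "Resource": QUEUE_ARN}
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Flag Allow statements that grant more than the description calls for.

    Rules (constructed for this example):
      - anonymous principal ("*" or {"AWS": "*"}) with no Condition at all
      - wildcard action ("*" or "sqs:*"), which includes sqs:SetQueueAttributes
        and therefore lets the grantee rewrite the queue policy itself
    Returns one human-readable finding per violation.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS"))
                          if isinstance(principal, dict) else _as_list(principal))
        if "*" in aws_principals and not stmt.get("Condition"):
            findings.append(f"{sid}: anonymous principal with no Condition")
        if any(a in ("*", "sqs:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard action grants every queue operation")
    return findings


if __name__ == "__main__":
    policy = build_queue_policy(QUEUE_ARN, TOPIC_ARN, CONSUMER_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("least-privilege policy:", audit_policy(policy))       # []
    print("permissive policy:", audit_policy(PERMISSIVE_POLICY))  # two findings
```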

Amazon Simple Storage Service (S3)
Amazon Simple Storage Service (S3) provides a web services interface that can be used to store and retrieve data from anywhere on the web. To provide customers with the flexibility to determine how, when, and to whom they wish to expose the information they store in AWS, Amazon S3 APIs provide both bucket and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. Unless a customer grants anonymous access, the first step before a user can access Amazon S3 is to be authenticated with a request signed using the user’s secret access key.

An authenticated user can read an object only if the user has been granted read permissions in an Access Control List (ACL) at the object level. An authenticated user can list the keys and create or overwrite objects in a bucket only if the user has been granted read and write permissions in an ACL at the bucket level. Bucket and object-level ACLs are independent; an object does not inherit ACLs from its bucket. Permissions to read or modify the bucket or object ACLs are themselves controlled by ACLs that default to creator-only access. Therefore, the customer maintains full control over who has access to its data. Customers can grant access to their Amazon S3 data to other AWS users by AWS Account ID, email, or DevPay Product ID. Customers can also grant access to their Amazon S3 data to all AWS users or to everyone (enabling anonymous access).
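
The ACL rules just described, modelled as an added example that is not AWS's own code, so that the creator-only defaults and the non-inheritance of object ACLs can be checked. Principals, bucket contents and the operation-to-permission table are constructed, and other S3 controls such as bucket policies are not modelled.

```python
# Added example, not AWS's own code: a model of the ACL rules as the description
# above states them. Principals, bucket contents and names are constructed; real
# S3 has further controls (bucket policies, Block Public Access) not modelled.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Perm(Enum):
    READ = "READ"
    WRITE = "WRITE"
    READ_ACP = "READ_ACP"        # permission to read the ACL itself
    WRITE_ACP = "WRITE_ACP"      # permission to change the ACL itself
    FULL_CONTROL = "FULL_CONTROL"


ALL_USERS = "AllUsers"                      # grantee: everyone, including anonymous
AUTHENTICATED_USERS = "AuthenticatedUsers"  # grantee: any AWS user


@dataclass
class Acl:
    owner: str
    grants: dict = field(default_factory=dict)  # grantee -> set of Perm

    @classmethod
    def creator_only(cls, creator: str) -> "Acl":
        """The default ACL: only the creator has any access."""
        return cls(creator, {creator: {Perm.FULL_CONTROL}})

    def allows(self, principal: Optional[str], perm: Perm) -> bool:
        """principal=None models an unsigned (anonymous) request."""
        grantees = [ALL_USERS]
        if principal is not None:  # signed request: also match the AWS-user group
            grantees += [AUTHENTICATED_USERS, principal]
        for g in grantees:
            perms = self.grants.get(g, set())
            if Perm.FULL_CONTROL in perms or perm in perms:
                return True
        return False


@dataclass
class Bucket:
    acl: Acl
    objects: dict = field(default_factory=dict)  # key -> Acl (never inherited)


# Which ACL, and which permission on it, each operation is checked against.
# Object operations never consult the bucket ACL, and vice versa.
_RULES = {
    "ListObjects": ("bucket", Perm.READ),
    "PutObject": ("bucket", Perm.WRITE),
    "GetBucketAcl": ("bucket", Perm.READ_ACP),
    "PutBucketAcl": ("bucket", Perm.WRITE_ACP),
    "GetObject": ("object", Perm.READ),
    "GetObjectAcl": ("object", Perm.READ_ACP),
    "PutObjectAcl": ("object", Perm.WRITE_ACP),
}


def authorize(bucket, principal, op, key=None):
    """Access decision for one request; a missing object is simply denied."""
    target, perm = _RULES[op]
    if target == "bucket":
        return bucket.acl.allows(principal, perm)
    obj_acl = bucket.objects.get(key)
    return obj_acl is not None and obj_acl.allows(principal, perm)


def put_object(bucket, principal, key):
    """Create/overwrite needs bucket WRITE; the new object starts creator-only."""
    if principal is None or not authorize(bucket, principal, "PutObject"):
        return False
    bucket.objects[key] = Acl.creator_only(principal)
    return True


def grant(bucket, principal, grantee, perm, key=None):
    """Changing an ACL requires WRITE_ACP on that same ACL (creator-only by default)."""
    op = "PutBucketAcl" if key is None else "PutObjectAcl"
    if not authorize(bucket, principal, op, key):
        return False
    acl = bucket.acl if key is None else bucket.objects[key]
    acl.grants.setdefault(grantee, set()).add(perm)
    return True


def demo():
    """Walk through the rules; returns the four decisions the text implies."""
    bucket = Bucket(Acl.creator_only("alice"))
    put_object(bucket, "alice", "report.csv")
    grant(bucket, "alice", "bob", Perm.READ)                        # bucket-level READ only
    bob_lists = authorize(bucket, "bob", "ListObjects")             # True
    bob_reads = authorize(bucket, "bob", "GetObject", "report.csv")  # False: no inheritance
    bob_self_grant = grant(bucket, "bob", "bob", Perm.READ, "report.csv")  # False: no WRITE_ACP
    grant(bucket, "alice", ALL_USERS, Perm.READ, "report.csv")      # explicit anonymous access
    anon_reads = authorize(bucket, None, "GetObject", "report.csv")  # True
    return bob_lists, bob_reads, bob_self_grant, anon_reads
```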

Network devices supporting Amazon S3 are configured to only allow access to specific ports on other Amazon S3 server systems (Control AWSCA-3.7). External access to data stored in Amazon S3 is logged and the logs are retained for at least 90 days, including relevant access request information, such as the data accessor IP address, object, and operation (Control AWSCA-3.8).

Amazon Simple Workflow Service (SWF)
Amazon Simple Workflow Service (SWF) is an orchestration service for building scalable distributed applications. Often an application consists of several different tasks to be performed in a particular sequence driven by a set of dynamic conditions. Amazon SWF enables developers to architect and implement these tasks, run them in the cloud or on-premises and coordinate their flow. Amazon SWF manages the execution flow such that tasks are load balanced across the workers, inter-task dependencies are respected, concurrency is handled appropriately, and child workflows are executed.

Amazon SWF enables applications to be built by orchestrating tasks coordinated by a decider process. Tasks represent logical units of work and are performed by application components that can take any form, including executable code, scripts, web service calls, and human actions.

Developers implement workers to perform tasks. They run their workers either on cloud infrastructure, such as Amazon EC2, or off-cloud. Tasks can be long-running, may fail, may time out and may complete with varying throughputs and latencies. Amazon SWF stores tasks for workers, assigns them when workers are ready, tracks their progress, and keeps their latest state, including details on their completion. To orchestrate tasks, developers write programs that get the latest state of tasks from Amazon SWF and use it to initiate subsequent tasks in an ongoing manner. Amazon SWF maintains an application’s execution state durably so that the application can be resilient to failures in individual application components.

Amazon SWF provides auditability by giving customers visibility into the execution of each step in the application. The Management Console and APIs let customers monitor all running executions of the application. The customer can zoom in on any execution to see the status of each task and its input and output data. To facilitate troubleshooting and historical analysis, Amazon SWF retains the history of executions for any number of days that the customer can specify, up to a maximum of 90 days.

The actual processing of tasks happens on compute resources owned by the end customer. Customers are responsible for securing these compute resources; for example, if a customer uses Amazon EC2 for workers, then they can restrict access to their instances in Amazon EC2 to specific AWS IAM users. In addition, customers are responsible for encrypting sensitive data before it is passed to their workflows and decrypting it in their workers.

Amazon SimpleDB
Amazon SimpleDB is a non-relational data store that allows customers to store and query data items via web services requests. Amazon SimpleDB then creates and manages multiple geographically distributed replicas of data automatically to enable high availability and data durability.

Data in Amazon SimpleDB is stored in domains, which are similar to database tables except that functions cannot be performed across multiple domains. Amazon SimpleDB APIs provide domain-level controls that only permit authenticated access by the domain creator.

Data stored in Amazon SimpleDB is redundantly stored in multiple physical locations as part of the normal operation of the service. Amazon SimpleDB provides object durability by protecting data across multiple AZs on the initial write and then actively doing further replication in the event of device unavailability or detected bit-rot.

Amazon Textract
Amazon Textract automatically extracts text and data from scanned documents. With Textract, customers can quickly automate document workflows, enabling customers to process large volumes of document pages in a short period of time. Once the information is captured, customers can take action on it within their business applications to initiate next steps for a loan application or medical claims processing. Additionally, customers can create search indexes, build automated approval workflows, and better maintain compliance with document archival rules by flagging data that may require redaction.

Amazon Timestream
Amazon Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational databases. Amazon Timestream saves customers time and cost in managing the lifecycle of time series data by keeping recent data in memory and moving historical data to a cost-optimized storage tier based upon user-defined policies. Amazon Timestream's purpose-built query engine lets customers access and analyze recent and historical data together, without needing to specify explicitly in the query whether the data resides in the in-memory or cost-optimized tier. Amazon Timestream has built-in time series analytics functions, helping customers identify trends and patterns in data in real time.

Amazon Transcribe
Amazon Transcribe makes it easy for customers to add speech-to-text capability to their applications. Audio data is virtually impossible for computers to search and analyze. Therefore, recorded speech needs to be converted to text before it can be used in applications.

Amazon Transcribe uses a deep learning process called automatic speech recognition (ASR) to convert speech to text quickly. Amazon Transcribe can be used to transcribe customer service calls, to automate closed captioning and subtitling, and to generate metadata for media assets to create a fully searchable archive.

Amazon Transcribe automatically adds punctuation and formatting so that the output closely matches the quality of manual transcription at a fraction of the time and expense.

Amazon Translate
Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation. Neural machine translation is a form of language translation automation that uses deep learning models to deliver more accurate and more natural-sounding translation than traditional statistical and rule-based translation algorithms. Amazon Translate allows customers to localize content, such as websites and applications, for international users, and to easily translate large volumes of text efficiently.

Amazon Verified Permissions (Effective February 15, 2025)
Amazon Verified Permissions is a fully managed authorization service that uses the provably correct Cedar policy language, so customers can build more secure applications. With Verified Permissions, developers can build applications faster by externalizing authorization and centralizing policy management. They can also align authorization within the application with Zero Trust principles. Security and audit teams can better analyze and audit who has access to what within applications.

Amazon Virtual Private Cloud (VPC)
Amazon Virtual Private Cloud (VPC) enables customers to provision a logically isolated section of the AWS cloud where AWS resources can be launched in a virtual network defined by the customer. Customers can connect their existing infrastructure to the network-isolated Amazon EC2 instances within their Amazon VPC, including extending their existing management capabilities, such as security services, firewalls and intrusion detection systems, to include their instances via a Virtual Private Network (VPN) connection. The VPN service provides end-to-end network isolation by using an IP address range of a customer’s choice, and routing all of their network traffic between their Amazon VPC and another network designated by the customer via an encrypted Internet Protocol security (IPsec) VPN.

Customers can optionally connect their VPC to the Internet by adding an Internet Gateway (IGW) or a NAT Gateway. An IGW allows bi-directional access to and from the internet for some instances in the VPC, based on the routes a customer defines (which specify which IP address traffic should be routable from the internet) and on Security Groups and Network ACLs (NACLs), which limit which instances can accept or send this traffic. Customers can also optionally configure a NAT Gateway, which allows egress-only traffic initiated from a VPC instance to reach the internet, but does not allow traffic initiated from the internet to reach VPC instances. This is accomplished by mapping the private IP addresses to a public address on the way out, and then mapping the public IP address back to the private address on the return trip.

The objective of this architecture is to isolate AWS resources and data in one Amazon VPC from another Amazon VPC, and to help prevent data from being transferred outside the Amazon network except where the customer has specifically configured internet connectivity options or an IPsec VPN connection to their off-cloud network.

Further details are provided below:

• Virtual Private Cloud (VPC): An Amazon VPC is an isolated portion of the AWS cloud within which customers can deploy Amazon EC2 instances into subnets that segment the VPC’s IP address range (as designated by the customer) and isolate Amazon EC2 instances in one subnet from another. Amazon EC2 instances within an Amazon VPC are accessible to customers via Internet Gateway (IGW), Virtual Gateway (VGW), Transit Gateway (TGW) or VPC Peerings established to the Amazon VPC (Control AWSCA-3.13 and AWSCA-3.15).
• IPsec VPN: An IPsec VPN connection connects a customer’s Amazon VPC to another network designated by the customer. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. An AWS site-to-site VPN connection consists of two independent IPsec VPN tunnels for redundancy and availability. Amazon VPC customers can create an IPsec VPN connection to their Amazon VPC by first establishing an Internet Key Exchange (IKE) security association between their Amazon VPC VPN gateway and another network gateway using a pre-shared key as the authenticator. Upon establishment, IKE negotiates an ephemeral key to secure future IKE messages. An IKE security association cannot be established unless there is complete agreement among the parameters. Next, using the IKE ephemeral key, two keys in total are established between the VPN gateway and customer gateway to form an IPsec security association. Traffic between gateways is encrypted and decrypted using this security association. IKE automatically rotates the ephemeral keys used to encrypt traffic within the IPsec security association on a regular basis to ensure confidentiality of communications (Control AWSCA-3.14 and AWSCA-4.3).

Amazon WorkDocs
Amazon WorkDocs is a secure content creation, storage and collaboration service. Users can share files, provide rich feedback, and access their files on WorkDocs from any device. WorkDocs encrypts data in transit and at rest, and offers powerful management controls, Active Directory integration, and near real-time visibility into file and user actions. The WorkDocs SDK allows users to use the same AWS tools they are already familiar with to integrate WorkDocs with AWS products and services, their existing solutions, third-party applications, or build their own.

Amazon WorkMail
Amazon WorkMail is a managed business email and calendaring service with support for existing desktop and mobile email clients. It allows access to email, contacts, and calendars using Microsoft Outlook, a browser, or native iOS and Android email applications. Amazon WorkMail can be integrated with a customer’s existing corporate directory, and the customer controls both the keys that encrypt the data and the location (AWS Region) in which the data is stored.

Customers can create an organization in Amazon WorkMail, select the Active Directory they wish to integrate with, and choose their encryption key to apply to all customer content. After setup and validation of their mail domain, users from the Active Directory are selected or added, enabled for Amazon WorkMail, and given an email address identity inside the customer-owned mail domain.

Amazon WorkSpaces
Amazon WorkSpaces is a managed desktop computing service in the cloud. Amazon WorkSpaces enables customers to deliver a high-quality desktop experience to end-users as well as help meet compliance and security policy requirements. When using Amazon WorkSpaces, an organization’s data is neither sent to nor stored on end-user devices. The PCoIP and WSP protocols used by Amazon WorkSpaces utilize interactive video streaming to provide a desktop experience to the user while the data remains in the AWS cloud or in the organization’s off-cloud environment.

When Amazon WorkSpaces is integrated with a corporate Active Directory, each WorkSpace joins the Active Directory domain, and can be managed like any other desktop in the organization. This means that customers can use Active Directory Group Policies to manage their Amazon WorkSpaces and can specify configuration options that control the desktop, including those that restrict users’ abilities to use local storage on their devices. Amazon WorkSpaces also integrates with customers’ existing RADIUS server to enable multi-factor authentication (MFA).

Amazon WorkSpaces Secure Browser (formerly known as Amazon WorkSpaces Web)
Amazon WorkSpaces Secure Browser is an on-demand, managed service designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications. Customers can access the service from existing web browsers without infrastructure management, specialized client software, or virtual private network (VPN) solutions.

Amazon WorkSpaces Thin Client (Effective August 15, 2024)
Amazon WorkSpaces Thin Client reduces end-user computing costs and simplifies device logistics by shipping directly from Amazon fulfillment centers to end users or company locations. End users can set up a device in minutes, with no IT assistance. It also helps improve security by preventing users from storing data or loading applications on the local device and includes a simple device management service. WorkSpaces Thin Client provides a console to centrally monitor, manage, and maintain devices and their connectivity to AWS virtual desktop services.

AWS Amplify
AWS Amplify is a set of tools and services that can be used together or on their own to help front-end web and mobile developers build scalable full-stack applications powered by AWS. With Amplify, customers can configure an app backend and connect applications in minutes, deploy static web apps in a few clicks, and easily manage app content outside of the AWS console. Amplify supports popular web frameworks including JavaScript, React, Angular, Vue, Next.js, and mobile platforms including Android, iOS, React Native, Ionic, and Flutter.

AWS App Mesh
AWS App Mesh is a service mesh that provides application-level networking which allows customer services to communicate with each other across multiple types of compute infrastructure. App Mesh gives customers end-to-end visibility and high availability for their applications. AWS App Mesh makes it easy to run services by providing consistent visibility and network traffic controls, which helps to deliver secure services. App Mesh removes the need to update application code to change how monitoring data is collected or traffic is routed between services. App Mesh configures each service to export monitoring data and implements consistent communications control logic across applications.

AWS App Runner

AWS App Runner is a service that makes it easy for developers to quickly deploy containerized web applications and APIs, at scale and with no prior infrastructure experience required. The service provides a simplified infrastructure-less abstraction for multi-concurrent web applications and API-based services. With App Runner, infrastructure components like build, load balancers, certificates and application replicas are managed by AWS. Customers simply provide their source code (or a pre-built container image) and get a service endpoint URL in return against which requests can be made.

AWS AppFabric

AWS AppFabric is a no-code service that connects multiple software as a service (SaaS) applications for better security, management, and productivity. AppFabric aggregates and normalizes SaaS data (e.g., user event logs, user access) across SaaS applications without the need to write custom data integrations.

AWS Application Migration Service

AWS Application Migration Service is the primary service that AWS recommends for lift-and-shift migration of applications to AWS. The service minimizes time-intensive, error-prone manual processes by automatically converting customers' source servers from physical, virtual, or cloud infrastructure to run natively on AWS. Customers are able to use the same automated process to migrate a wide range of applications to AWS without making changes to applications, their architecture, or the migrated servers.

AWS AppSync

AWS AppSync is a service that allows customers to easily develop and manage GraphQL APIs. Once deployed, AWS AppSync automatically scales the API execution engine up and down to meet API request volumes. AWS AppSync offers GraphQL setup, administration, and maintenance, with high availability serverless infrastructure built in.

AWS Artifact

AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS' compliance documentation and AWS agreements. Customers can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports. Customers can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements.

AWS Audit Manager

AWS Audit Manager helps customers continuously audit AWS usage to simplify how customers manage risk and compliance with regulations and industry standards. AWS Audit Manager makes it easier to evaluate whether policies, procedures, and activities, also known as controls, are operating as intended. The service offers prebuilt frameworks with controls that are mapped to well-known industry standards and regulations, full customization of frameworks and controls, and automated collection and organization of evidence as designed by each control requirement.
AWS B2B Data Interchange (Effective February 15, 2025)

AWS B2B Data Interchange automates the transformation of business-critical EDI transactions at scale, with elasticity and cost efficiency. B2B Data Interchange's generative AI-assisted mapping capability reduces the time, complexity, and cost associated with bi-directional EDI implementations, so customers can focus on gaining valuable insight to drive meaningful business impact.

AWS Backup

AWS Backup is a backup service that makes it easy to centralize and automate the backup of data across AWS services in the cloud as well as on premises using the AWS Storage Gateway. Using AWS Backup, customers can centrally configure backup policies and monitor backup activity for AWS resources, such as Amazon EBS volumes, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and AWS Storage Gateway volumes. AWS Backup automates and consolidates backup tasks previously performed service-by-service, removing the need to create custom scripts and manual processes.

AWS Batch

AWS Batch enables developers, scientists, and engineers to run batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. AWS Batch plans, schedules, and executes customers' batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances.

AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) is a service that lets the customer provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and their internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS Chatbot (Deprecated January 1, 2025)

AWS Chatbot is an AWS service that enables DevOps and software development teams to use Slack or Amazon Chime chat rooms to monitor and respond to operational events in their AWS Cloud. AWS Chatbot processes AWS service notifications from Amazon Simple Notification Service (Amazon SNS), and forwards them to Slack or Amazon Chime chat rooms so teams can analyze and act on them. Teams can respond to AWS service events from a chat room where the entire team can collaborate, regardless of location.

AWS Clean Rooms

AWS Clean Rooms helps customers and their partners more easily and securely collaborate and analyze their collective datasets, without sharing or copying one another's underlying data. With AWS Clean Rooms, customers can create a secure data clean room in minutes and collaborate with any other company on the AWS Cloud to generate unique insights about advertising campaigns, investment decisions, and research and development. With AWS Clean Rooms, customers can analyze data with up to four other parties in a single collaboration. Customers can securely generate insights from multiple companies without having to write code. Customers can create a clean room, invite companies they want to collaborate with, and select which participants can run analyses within the collaboration.
AWS Cloud Map

AWS Cloud Map is a cloud resource discovery service which allows customers to define custom names for their application resources. Cloud Map maintains the location of these changing resources to increase application availability.

Customers can register any application resource, such as databases, queues, microservices, and other cloud resources, with custom names. Cloud Map then constantly checks the health of resources to make sure the location is up-to-date. The application can then query the registry for the location of the resources needed based on the application version and deployment environment.

AWS Cloud9

AWS Cloud9 is an integrated development environment, or IDE. The AWS Cloud9 IDE offers a rich code-editing experience with support for several programming languages and runtime debuggers, and a built-in terminal. It contains a collection of tools that customers use to code, build, run, test, and debug software, and helps customers release software to the cloud. Customers access the AWS Cloud9 IDE through a web browser. Customers can configure the IDE to their preferences. Customers can switch color themes, bind shortcut keys, enable programming language-specific syntax coloring and code formatting, and more.

AWS CloudFormation

AWS CloudFormation is a service to simplify provisioning of AWS resources such as Auto Scaling groups, ELBs, Amazon EC2, Amazon VPC, Amazon Route 53, and others. Customers author templates of the infrastructure and applications they want to run on AWS, and the AWS CloudFormation service automatically provisions the required AWS resources and their relationships as defined in these templates.

AWS CloudHSM

AWS CloudHSM is a service that allows customers to use dedicated HSMs within the AWS cloud. AWS CloudHSM is designed for applications where the use of HSMs for encryption and key storage is mandatory.

AWS acquires these production HSM devices securely using the tamper evident authenticable (TEA) bags from the vendors. These TEA bag serial numbers and production HSM serial numbers are verified against data provided out-of-band by the manufacturer and logged by approved individuals in tracking systems (Control AWSCA-4.15).

AWS CloudHSM allows customers to store and use encryption keys within HSMs in AWS data centers. With AWS CloudHSM, customers maintain full ownership, control, and access to keys and sensitive data while Amazon manages the HSMs in close proximity to customer applications and data. All HSM media is securely decommissioned and physically destroyed, verified by two personnel, prior to leaving AWS control (Control AWSCA-5.13).

AWS CloudShell

AWS CloudShell is a browser-based shell used to securely manage, explore, and interact with customers' AWS resources. CloudShell is pre-authenticated with customer console credentials. Common development and operations tools are pre-installed, so no local installation or configuration is required. With CloudShell, customers can run scripts with the AWS Command Line Interface (AWS CLI), experiment with AWS service APIs using the AWS SDKs, or use a range of other tools to be productive. Customers can use CloudShell right from their browser.

AWS CloudTrail

AWS CloudTrail is a web service that records AWS activity for customers and delivers log files to a specified Amazon S3 bucket. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

AWS CloudTrail provides a history of AWS API calls for customer accounts, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by AWS CloudTrail enables security analysis, resource change tracking, and compliance auditing.
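The record fields listed above (caller identity, event time, source IP, request parameters, response elements) are what a detection rule works from. The following is an added example, not code from this report or from AWS: it parses a constructed trail file in the shape CloudTrail delivers to S3 and applies three checks that a security analysis of the API call history commonly starts with (root user activity, calls from outside an allowlisted source range, and a burst of AccessDenied errors from one principal). The trusted network range, the threshold, the account ID and the ARNs are assumptions made for the example.

```python
"""Security analysis over CloudTrail-style records.

Added example, not AWS code. The trail file below is constructed to mimic the
record shape CloudTrail delivers to S3 (a "Records" array whose entries carry
the caller identity, event time, source IP, request parameters and response
elements); it is not real log data.
"""
import ipaddress
import json
from collections import Counter

# Assumptions for this example: corporate egress ranges and a tunable threshold.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
DENIED_THRESHOLD = 5

# Constructed sample trail file (account ID and ARNs are placeholders).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"bucketName": "app-data", "key": "report.csv"},
     "responseElements": None},
    {"eventTime": "2025-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "backdoor"},
     "responseElements": {"user": {"userName": "backdoor"}}},
] + [
    {"eventTime": "2025-03-01T10:10:%02dZ" % i, "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": None, "responseElements": None,
     "errorCode": "AccessDenied"}
    for i in range(6)
]})


def _is_ip(value):
    """CloudTrail puts an AWS service DNS name here for service-initiated calls."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(trail_json):
    """Return findings for one delivered trail file."""
    records = json.loads(trail_json)["Records"]
    findings = []
    reported_sources = set()   # (principal, ip) pairs already reported
    denied = Counter()         # AccessDenied count per principal
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("arn") or ident.get("type", "unknown")
        src = r.get("sourceIPAddress", "")
        event = r.get("eventName")
        # The root user should not be making routine API calls at all.
        if ident.get("type") == "Root":
            findings.append({"rule": "ROOT_API_CALL", "principal": who,
                             "event": event, "source": src, "time": r["eventTime"]})
        # Calls from outside the allowlisted ranges, reported once per principal/IP.
        if _is_ip(src) and not _trusted(src) and (who, src) not in reported_sources:
            reported_sources.add((who, src))
            findings.append({"rule": "UNTRUSTED_SOURCE_IP", "principal": who,
                             "event": event, "source": src, "time": r["eventTime"]})
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    # A run of AccessDenied from one principal looks like permission probing.
    for who, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append({"rule": "ACCESS_DENIED_BURST", "principal": who,
                             "count": count})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print(finding)
```

On the constructed input the root CreateUser call produces both a ROOT_API_CALL and an UNTRUSTED_SOURCE_IP finding, the contractor's six denied ListBuckets calls collapse into one UNTRUSTED_SOURCE_IP finding plus one ACCESS_DENIED_BURST, and the in-range GetObject produces nothing. The same record fields also carry request parameters and response elements, which is what lets a follow-up rule recover exactly what the root call created.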

AWS CodeBuild

AWS CodeBuild is a build service that compiles source code, runs tests, and produces software packages that are ready to deploy. CodeBuild scales continuously and processes multiple builds concurrently, so that customers' builds are not left waiting in a queue. Customers can use prepackaged build environments or can create custom build environments that use their own build tools. AWS CodeBuild eliminates the need to set up, patch, update, and manage customers' build servers and software.

AWS CodeCommit

AWS CodeCommit is a source control service that hosts secure Git-based repositories. It allows teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need for customers to operate their own source control system or worry about scaling their infrastructure. CodeCommit can be used to securely store anything from source code to binaries, and it works seamlessly with the existing Git tools.

AWS CodeDeploy

AWS CodeDeploy is a deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and the customer's on-premises servers. AWS CodeDeploy allows customers to rapidly release new features, helps avoid downtime during application deployment, and handles the complexity of updating the applications.

AWS CodePipeline

AWS CodePipeline is a continuous delivery service that helps customers automate release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of customers' release process every time there is a code change, based on the release model defined by the customer. This enables customers to rapidly and reliably deliver features and updates. Customers can easily integrate AWS CodePipeline with third-party services such as GitHub or with their own custom plugin.

AWS Config

AWS Config enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records AWS resource configurations and allows customers to automate the evaluation of recorded configurations against desired configurations. With AWS Config, customers can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine overall compliance against the configurations specified within the customers' internal guidelines. This enables customers to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
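Evaluating recorded configurations against desired configurations comes down to a rule per resource type applied to each recorded configuration item, plus a diff between successive recordings for change tracking. The following is an added example, not AWS Config's own code or managed rule set: it evaluates a constructed set of configuration items against three desired-state rules (encrypted EBS volumes, no tcp/22 ingress from 0.0.0.0/0, all four S3 public-access-block settings on) and shows the change-tracking diff between two recorded configurations of one resource. The item shape (resourceType, resourceId, configuration) and the attribute names inside it are simplified assumptions, not the exact configuration item schema.

```python
"""Evaluating recorded resource configurations against desired state.

Added example, not AWS Config's own code. The configuration items and the
rules below are constructed; the item shape (resourceType, resourceId,
configuration) is a simplified imitation of a configuration item, and the
attribute names inside "configuration" are assumptions for this example.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def ebs_volume_encrypted(item):
    """Desired state: every EBS volume is encrypted at rest."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return NOT_APPLICABLE, None
    if item["configuration"].get("encrypted") is True:
        return COMPLIANT, None
    return NON_COMPLIANT, "volume is not encrypted"


def no_ssh_from_anywhere(item):
    """Desired state: no security group ingress reaches tcp/22 from 0.0.0.0/0."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, None
    for perm in item["configuration"].get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        low, high = perm.get("fromPort"), perm.get("toPort")
        covers_ssh = proto == "-1" or (proto == "tcp" and low is not None
                                       and high is not None and low <= 22 <= high)
        world = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", []))
        if covers_ssh and world:
            return NON_COMPLIANT, "ingress from 0.0.0.0/0 reaches tcp/22"
    return COMPLIANT, None


def s3_public_access_blocked(item):
    """Desired state: all four public-access-block settings are on."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE, None
    settings = item["configuration"].get("publicAccessBlock", {})
    missing = [k for k in ("blockPublicAcls", "ignorePublicAcls",
                           "blockPublicPolicy", "restrictPublicBuckets")
               if not settings.get(k)]
    if not missing:
        return COMPLIANT, None
    return NON_COMPLIANT, "public access block incomplete: " + ", ".join(missing)


RULES = [ebs_volume_encrypted, no_ssh_from_anywhere, s3_public_access_blocked]


def evaluate(items, rules=RULES):
    """Run every rule over every item; return only the applicable evaluations."""
    results = []
    for item in items:
        for rule in rules:
            verdict, reason = rule(item)
            if verdict != NOT_APPLICABLE:
                results.append({"resourceId": item["resourceId"], "rule": rule.__name__,
                                "result": verdict, "reason": reason})
    return results


def diff_configuration(before, after):
    """Change tracking: top-level attributes that differ between two recorded
    configurations of the same resource, as {attribute: (old, new)}."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys)
            if before.get(k) != after.get(k)}


# Constructed snapshot of recorded configuration items.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configuration": {"encrypted": True, "size": 8}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configuration": {"encrypted": False, "size": 100}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ccc",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "app-data",
     "configuration": {"publicAccessBlock": {"blockPublicAcls": True,
                                             "ignorePublicAcls": True,
                                             "blockPublicPolicy": False,
                                             "restrictPublicBuckets": False}}},
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_ITEMS):
        print(r)
    print(diff_configuration({"encrypted": False, "size": 100},
                             {"encrypted": True, "size": 100}))
```

Each rule answers NOT_APPLICABLE for resource types it does not cover, so the compliance summary only counts resources a rule actually judged; the diff is what turns a configuration history into an answer to "what changed, and when did this resource drift out of compliance".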

AWS Control Tower

AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS' best practices established through AWS' experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts that conform to customer policies. If customers are building a new AWS environment, starting out on the journey to AWS, starting a new cloud initiative, or are completely new to AWS, Control Tower will help customers get started quickly with governance and AWS' best practices built-in.

AWS Data Exchange

AWS Data Exchange makes it easy to find, subscribe to, and use third-party data in the cloud. Qualified data providers include category-leading brands. Once subscribed to a data product, customers can use the AWS Data Exchange API to load data directly into Amazon S3 and then analyze it with a wide variety of AWS analytics and machine learning services. For data providers, AWS Data Exchange makes it easy to reach the millions of AWS customers migrating to the cloud by removing the need to build and maintain infrastructure for data storage, delivery, billing, and entitling.

AWS Database Migration Service (DMS)

AWS Database Migration Service (DMS) is a cloud service that enables customers to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. AWS DMS can be used to migrate data into the AWS Cloud, between on-premises instances (through AWS Cloud setup), or between combinations of cloud and on-premises setups. The service supports homogenous migrations within one database platform, as well as heterogeneous migrations between different database platforms. AWS Database Migration Service can also be used for continuous data replication with high availability.

AWS DataSync

AWS DataSync is an online data transfer service that simplifies, automates and accelerates moving data between on-premises storage and AWS Storage services, as well as between AWS Storage services. DataSync can copy data between Network File System (NFS), Server Message Block (SMB) file servers, self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon EFS file systems and Amazon FSx for Windows File Server file systems. DataSync automatically handles many of the tasks related to data transfers that can slow down migrations or burden customers' IT operations, including running customers' own instances, handling encryption, managing scripts, network optimization, and data integrity validation.

AWS Direct Connect

AWS Direct Connect enables customers to establish a dedicated network connection between their network and one of the AWS Direct Connect locations. Using AWS Direct Connect, customers can establish private connectivity between AWS and their data center, office, or colocation environment.

AWS Directory Service (excludes Simple AD)

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables customers' directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD stores directory content in encrypted Amazon Elastic Block Store volumes using encryption keys. Data in transit to and from Active Directory clients is encrypted when it travels through Lightweight Directory Access Protocol (LDAP) over customers' Amazon Virtual Private Cloud (VPC) network. If an Active Directory client resides in an off-cloud network, the traffic travels to customers' VPC by a virtual private network link or an AWS Direct Connect link.

AWS Elastic Beanstalk

AWS Elastic Beanstalk is an application container launch program for customers to launch and scale their applications on top of AWS. Customers can use AWS Elastic Beanstalk to create new environments using Elastic Beanstalk curated programs and their applications, deploy application versions, update application configurations, rebuild environments, update AWS configurations, monitor environment health and availability, and build on top of the scalable infrastructure provided by underlying services such as Auto Scaling, Elastic Load Balancing, Amazon EC2, Amazon VPC, Amazon Route 53, and others.

AWS Elastic Disaster Recovery

AWS Elastic Disaster Recovery minimizes downtime and data loss with the recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery. Customers can set up AWS Elastic Disaster Recovery on their source servers to initiate secure data replication. Customer content is replicated to a staging area subnet in their AWS account, in the AWS Region they select. The staging area design reduces costs by using affordable storage and minimal compute resources to maintain ongoing replication. Customers can perform non-disruptive tests to confirm that implementation is complete. During normal operation, customers can maintain readiness by monitoring replication and periodically performing non-disruptive recovery and failback drills. If customers need to recover applications, they can launch recovery instances on AWS within minutes, using the most up-to-date server state or a previous point in time.

AWS Elemental MediaConnect

AWS Elemental MediaConnect is a high-quality transport service for live video. MediaConnect enables customers to build mission-critical live video workflows in a fraction of the time and cost of satellite or fiber services. Customers can use MediaConnect to ingest live video from a remote event site (like a stadium), share video with a partner (like a cable TV distributor), or replicate a video stream for processing (like an over-the-top service). MediaConnect combines reliable video transport, highly secure stream sharing, and real-time network traffic and video monitoring that allow customers to focus on their content, not their transport infrastructure.

AWS Elemental MediaConvert

AWS Elemental MediaConvert is a file-based video transcoding service with broadcast-grade features. It allows customers to create video-on-demand (VOD) content for broadcast and multiscreen delivery at scale. The service combines advanced video and audio capabilities with a simple web services interface. With AWS Elemental MediaConvert, customers can focus on delivering media experiences without having to worry about the complexity of building and operating video processing infrastructure.

AWS Elemental MediaLive

AWS Elemental MediaLive is a live video processing service. Customers can create high-quality video streams for delivery to broadcast televisions and internet-connected multiscreen devices, like connected TVs, tablets, smart phones, and set-top boxes. The service works by encoding live video streams in real-time, taking a larger-sized live video source and compressing it into smaller versions for distribution to viewers. AWS Elemental MediaLive enables customers to focus on creating live video experiences for viewers without the complexity of building and operating video processing infrastructure.

AWS Entity Resolution

AWS Entity Resolution is a service that helps customers match, link, and enhance their related records stored across multiple applications, channels, and data stores. AWS Entity Resolution offers matching techniques, such as rule-based, machine learning (ML) model-powered, and data service provider matching to help customers more accurately link related sets of customer information, product codes, or business data codes.

AWS Fault Injection Service

AWS Fault Injection Service (FIS) is a fully managed service for running fault injection experiments to improve an application's performance, observability, and resiliency. FIS simplifies the process of setting up and running controlled fault injection experiments across a range of AWS services, so teams can build confidence in their application behavior.

AWS Firewall Manager

AWS Firewall Manager is a security management service that makes it easier to centrally configure and manage AWS WAF rules across customer accounts and applications. Using Firewall Manager, customers can roll out AWS WAF rules for their Application Load Balancers and Amazon CloudFront distributions across accounts in AWS Organizations. As new applications are created, Firewall Manager also allows customers to bring new applications and resources into compliance with a common set of security rules from day one.

AWS Global Accelerator

AWS Global Accelerator is a networking service that improves the availability and performance of the applications that customers offer to their global users. AWS Global Accelerator also makes it easier to manage customers' global applications by providing static IP addresses that act as a fixed entry point to customer applications hosted on AWS, which eliminates the complexity of managing specific IP addresses for different AWS Regions and AZs.

AWS Glue

AWS Glue is an extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. Customers can create and run an ETL job with a few clicks in the AWS Management Console.

AWS Glue DataBrew

AWS Glue DataBrew is a visual data preparation tool that makes it easy for data analysts and data scientists to clean and normalize data to prepare it for analytics and machine learning. Customers can choose from pre-built transformations to automate data preparation tasks, all without the need to write any code.

AWS Health Dashboard

AWS Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact customers. Beyond the general status of AWS services, AWS Health Dashboard gives customers a personalized view into the performance and availability of the AWS services underlying customers' AWS resources.

The dashboard displays relevant and timely information to help customers manage events in progress and provides proactive notification to help customers plan for scheduled activities. With AWS Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving event visibility, and guidance to help quickly diagnose and resolve issues.

AWS HealthImaging

AWS HealthImaging is a service that helps healthcare and life science organizations and their software partners to store, analyze, and share medical imaging data at petabyte scale. With HealthImaging, customers can reduce the total cost of ownership (TCO) of their medical imaging applications up to 40% by running their medical imaging applications from a single copy of patient imaging data in the cloud. With sub-second image retrieval latencies for active and archive data, customers can realize the cost savings of the cloud without sacrificing performance at the point-of-care. HealthImaging removes the burden of managing infrastructure for customer imaging workflows so that they can focus on delivering quality patient care.

AWS HealthLake

AWS HealthLake is a service offering healthcare and life sciences companies a complete view of individual or patient population health data for query and analytics at scale. Using the HealthLake APIs, health organizations can easily copy health data, such as imaging medical reports or patient notes, from on-premises systems to a secure data lake in the cloud. HealthLake uses machine learning (ML) models to automatically understand and extract meaningful medical information from the raw data, such as medications, procedures, and diagnoses. HealthLake organizes and indexes information and stores it in the Fast Healthcare Interoperability Resources (FHIR) industry standard format to provide a complete view of each patient's medical history.

AWS HealthOmics

AWS HealthOmics helps Healthcare and Life Sciences organizations process, store, and analyze genomics and other omics data at scale. The service supports a wide range of use cases, including DNA and RNA sequencing (genomics and transcriptomics), protein structure prediction (proteomics), and more. By simplifying infrastructure management for customers and removing the undifferentiated heavy lifting, HealthOmics allows customers to generate deeper insights from their omics data, improve healthcare outcomes, and advance scientific discoveries.

HealthOmics is comprised of three service components. Omics Storage efficiently ingests raw genomic data into the Cloud, and it uses domain-specific compression to offer attractive storage prices to customers. It also offers customers the ability to seamlessly access their data from various compute environments. Omics Workflows runs bioinformatics workflows at scale in a fully-managed compute environment. It supports three common bioinformatics domain-specific workflow languages. Omics Analytics stores genomic variant and annotation data and allows customers to efficiently query and analyze at scale.

AWS IAM Identity Center

AWS IAM Identity Center is a cloud-based service that simplifies managing SSO access to AWS accounts and business applications. Customers can control SSO access and user permissions across all AWS accounts in AWS Organizations. Customers can also administer access to popular business applications and custom applications that support Security Assertion Markup Language (SAML) 2.0. In addition, AWS IAM Identity Center offers a user portal where users can find all their assigned AWS accounts, business applications, and custom applications in one place.

AWS Identity and Access Management (IAM)

AWS Identity and Access Management is a web service that helps customers securely control access to AWS resources for their users. Customers use IAM to control who can use their AWS resources (authentication) and what resources they can use and in what ways (authorization). Customers can grant other people permission to administer and use resources in their AWS account without having to share their password or access key. Customers can grant different permissions to different people for different resources. Customers can use IAM features to securely give applications that run on EC2 instances the credentials that they need in order to access other AWS resources, like S3 buckets and RDS or DynamoDB databases.
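The authorization half of that description follows a fixed evaluation order: an explicit Deny in any applicable policy wins, otherwise some Allow must match the action and resource, otherwise the request is implicitly denied. The following is an added example, not AWS code, that implements that order over the Effect/Action/Resource elements of identity-based policies and applies it to a constructed instance-role policy of the kind an EC2 application would receive, together with a Deny guardrail attached alongside it. The account ID, ARNs and policy contents are assumptions; Condition elements, NotAction/NotResource, resource-based policies, permissions boundaries and SCPs are deliberately left out.

```python
"""Authorization semantics of IAM identity-based policies.

Added example, not AWS code. Implements the core of policy evaluation as IAM
documents it (an explicit Deny always wins, otherwise an Allow must match,
otherwise the request is implicitly denied) over the Effect/Action/Resource
elements only. Condition, NotAction/NotResource, resource-based policies,
permissions boundaries and SCPs are out of scope here. The policies, account
ID and ARNs are constructed for this example.
"""
import re


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _listify(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Return True if the combined policies allow `action` on `resource`."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            # Action names are matched case-insensitively; resource ARNs are not.
            if not any(_wildcard_match(a, action, ignore_case=True)
                       for a in _listify(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource)
                       for r in _listify(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny: stop, nothing can override it
            allowed = True            # remember the allow, keep looking for a deny
    return allowed                    # no matching statement at all: implicit deny


def missing_permissions(policies, observed_calls):
    """Given (action, resource) pairs an application was observed making,
    return the ones the current policies deny."""
    return [pair for pair in observed_calls if not is_allowed(policies, *pair)]


# Constructed: the permissions an EC2 instance role hands to the application.
APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
]}

# Constructed guardrail attached alongside it: a Deny carves out a prefix.
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/secrets/*"},
]}

POLICIES = [APP_ROLE_POLICY, GUARDRAIL_POLICY]

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::app-data/secrets/key.pem"),
                     ("s3:PutObject", "arn:aws:s3:::app-data/report.csv")]:
        print(act, res, "->", "allow" if is_allowed(POLICIES, act, res) else "deny")
```

The guardrail shows why Deny statements are the right tool for carving exceptions out of a broad Allow: the application policy matches `app-data/secrets/key.pem`, but the Deny is evaluated regardless of order and wins. The reverse exercise, feeding the calls an application actually makes into `missing_permissions`, is how a least-privilege policy gets tightened without breaking the workload.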

3F
AWS IoT Core
AWS IoT Core is a managed cloud service that lets connected devices easily and securely interact with
cloud applications and other devices. AWS IoT Core provides secure communication and data processing

ab
across different kinds of connected devices and locations so that customers can easily build IoT
applications such as industrial solutions and connected home solutions.

AWS IoT Device Defender M


AWS IoT Device Defender is a security service that allows customers to audit the configuration of their
devices, monitor connected devices to detect abnormal behavior, and mitigate security risks. It gives
rro
customers the ability to enforce consistent security policies across their AWS IoT device fleet and respond
quickly when devices are compromised. AWS IoT Device Defender provides tools to identify security issues
and deviations from best practices. AWS IoT Device Defender can audit device fleets to ensure they adhere
ap

to security best practices and detect abnormal behavior on devices.

AWS IoT Device Management


W

AWS IoT Device Management provides customers with the ability to securely onboard, organize, and
remotely manage IoT devices at scale. With AWS IoT Device Management, customers can register their
connected devices individually or in bulk and manage permissions so that devices remain secure.
RK

Customers can also organize their devices, monitor and troubleshoot device functionality, query the state
of any IoT device in the fleet, and send firmware updates over-the-air (OTA). AWS IoT Device Management
E

is agnostic to device type and OS, so customers can manage devices from constrained microcontrollers to
connected cars all with the same service. AWS IoT Device Management allows customers to scale their
n-

fleets and reduce the cost and effort of managing large and diverse IoT device deployments.
ke

AWS IoT Events

AWS IoT Events is a service that detects events across thousands of IoT sensors sending different
telemetry data, such as temperature from a freezer, humidity from respiratory equipment, and belt speed
on a motor. Customers can select the relevant data sources to ingest, define the logic for each event using
simple ‘if-then-else’ statements, and select the alert or custom action to trigger when an event occurs.
IoT Events continuously monitors data from multiple IoT sensors and applications, and it integrates with
other services, such as AWS IoT Core, to enable early detection and unique insights into events. IoT Events
automatically triggers alerts and actions in response to events based on the logic defined, to resolve issues
quickly, reduce maintenance costs, and increase operational efficiency.

Proprietary and Confidential Information - Trade Secret


©2025 Amazon.com, Inc. or its affiliates
Section III – Description of the Amazon Web Services System

AWS IoT Greengrass

AWS IoT Greengrass seamlessly extends AWS to edge devices so they can act locally on the data they
generate, while still using the cloud for management, analytics, and durable storage. With AWS IoT
Greengrass, connected devices can run AWS Lambda functions, execute predictions based on machine
learning models, keep device data in sync, and communicate with other devices securely, even when not
connected to the Internet.

AWS IoT SiteWise

AWS IoT SiteWise is a service that enables industrial enterprises to collect, store, organize, and visualize
thousands of sensor data streams across multiple industrial facilities. AWS IoT SiteWise includes software
that runs on a gateway device that sits onsite in a facility, continuously collects data from a historian
or a specialized industrial server, and sends it to the AWS Cloud. With the service, customers can skip
months of developing undifferentiated data collection and cataloging solutions and focus on using their
data to detect and fix equipment issues, spot inefficiencies, and improve production output.

AWS IoT TwinMaker

AWS IoT TwinMaker makes it easier for developers to create digital twins of real-world systems such as
buildings, factories, industrial equipment, and production lines. AWS IoT TwinMaker provides the tools
customers need to build digital twins to help them optimize building operations, increase production
output, and improve equipment performance. With the ability to use existing data from multiple sources,
create virtual representations of any physical environment, and combine existing 3D models with real-world
data, customers can harness digital twins to create a holistic view of their operations faster and with
less effort.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) allows users to create and manage cryptographic keys. One class of
keys, KMS keys, is designed never to be exposed in plaintext outside the service. KMS keys can be used
to encrypt data submitted directly to the service. KMS keys can also be used to protect other types of
keys, such as data keys, which are created by the service and returned to the user’s application for local
use. AWS KMS only creates and returns data keys to users; the service does not store or manage data keys.

AWS KMS is integrated with several AWS services so that users can request that resources in those
services be encrypted with unique data keys provisioned by KMS and protected by a KMS key the
user chooses at the time the resource is created (Control AWSCA-4.6). See the in-scope services integrated
with KMS at https://aws.amazon.com/kms/. Integrated services use the data keys from AWS KMS. Data
keys provisioned by AWS KMS are encrypted with a 256-bit key unique to the customer’s account under
a defined mode of AES (Advanced Encryption Standard) (Control AWSCA-4.7).

When a customer requests AWS KMS to create a KMS key, the service creates a key ID for the KMS key
and key material, referred to as a backing key, which is tied to the key ID of the KMS key. The 256-bit
backing key can only be used for encrypt or decrypt operations by the service (Control AWSCA-4.10). KMS
will generate an associated key ID if a customer chooses to import their own key. If the customer chooses
to enable key rotation for a KMS key with a backing key that the service generated, AWS KMS will create
a new version of the backing key for each rotation event, but the key ID remains the same (Control
AWSCA-4.11). All future encrypt operations under the key ID will use the newest backing key, while all
previous versions of backing keys are retained to decrypt ciphertexts created under the previous versions
of the key. Backing keys and customer-imported keys are encrypted under AWS-controlled keys when
created/imported, and they are only ever stored on disk in encrypted form.
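The envelope-encryption and rotation behaviour described above, as an added example that is not AWS code: a hypothetical SimulatedKms class keeps versioned backing keys that never leave the object, hands out data keys without storing them, and binds an encryption context to every ciphertext. Ciphertext produced under version 0 still decrypts after rotation, while new ciphertext is produced under the newest version. HMAC-SHA256 in counter mode with an HMAC tag stands in for AES so the example runs on the Python standard library alone; a real client would call the KMS GenerateDataKey and Decrypt APIs and use AES-GCM locally.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Context = Dict[str, str]


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent sub-keys so one backing key serves encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only PRF stream standing in for AES here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC over (nonce, ciphertext, aad); returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext + aad, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key, wrong context and
    tampering all fail with the same generic error."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def canonical_context(context: Context) -> bytes:
    """The encryption context is authenticated, not encrypted; sort it for a stable encoding."""
    return ";".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class SimulatedKms:
    """Hypothetical stand-in for AWS KMS (not the AWS implementation). Backing keys
    never leave this object; callers only ever receive ciphertext or data keys."""

    def __init__(self) -> None:
        self._backing: Dict[str, List[bytes]] = {}   # key ID -> backing key versions

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._backing[key_id] = [secrets.token_bytes(32)]
        return key_id

    def rotate_key(self, key_id: str) -> None:
        """Rotation appends a new backing key version; the key ID is unchanged."""
        self._backing[key_id].append(secrets.token_bytes(32))

    @staticmethod
    def parse_header(blob: bytes) -> Tuple[str, int, bytes]:
        """Header layout: 1-byte key ID length, key ID, 4-byte backing key version."""
        n = blob[0]
        key_id = blob[1:1 + n].decode()
        version = int.from_bytes(blob[1 + n:5 + n], "big")
        return key_id, version, blob[:5 + n]

    def encrypt(self, key_id: str, plaintext: bytes, context: Context) -> bytes:
        versions = self._backing[key_id]
        version = len(versions) - 1                     # newest backing key always used
        kid = key_id.encode()
        header = bytes([len(kid)]) + kid + version.to_bytes(4, "big")
        return header + aead_encrypt(versions[version], plaintext, header + canonical_context(context))

    def decrypt(self, blob: bytes, context: Context) -> bytes:
        key_id, version, header = self.parse_header(blob)
        backing = self._backing[key_id][version]        # older versions retained for decrypt
        return aead_decrypt(backing, blob[len(header):], header + canonical_context(context))

    def generate_data_key(self, key_id: str, context: Context) -> Tuple[bytes, bytes]:
        """Return (plaintext data key, data key encrypted under the KMS key). Nothing is stored."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key, context)


def seal_record(kms: SimulatedKms, key_id: str, plaintext: bytes, context: Context) -> dict:
    """Envelope encryption: bulk data under a fresh data key, the data key under the KMS key."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id, context)
    body = aead_encrypt(data_key, plaintext, b"")
    del data_key                                        # plaintext data key discarded after use
    return {"edk": encrypted_data_key, "body": body}


def open_record(kms: SimulatedKms, record: dict, context: Context) -> bytes:
    data_key = kms.decrypt(record["edk"], context)     # only KMS can unwrap the data key
    return aead_decrypt(data_key, record["body"], b"")
```

A record sealed before rotate_key() carries version 0 in its encrypted data key and still opens afterwards; one sealed after carries version 1. Opening with a different encryption context, or after a single flipped byte, raises ValueError, which is the behaviour a caller should expect from the real service rather than silently returning garbage.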

All requests to AWS KMS APIs are logged and available in the AWS CloudTrail of the requester and the
owner of the key. The logged requests record who made the request, which KMS key was used, and
the AWS resource that was protected through the use of the KMS key. These log events are visible to the
customer after turning on AWS CloudTrail in their account (Control AWSCA-4.8).
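Detection logic over CloudTrail records of the kind described above, as an added example that is not AWS code: the records, the key ARN and the allow-list of principals are constructed for illustration, and the field layout follows the CloudTrail record format for KMS API calls. The analyzer flags data-plane calls by principals the allow-list does not cover, calls without an encryption context, access-denied errors, and key lifecycle changes such as ScheduleKeyDeletion.

```python
import json
from typing import Dict, Iterable, List, Set

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample CloudTrail records (illustrative values, not from any real account).
# Field names follow the CloudTrail record format for KMS API calls.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2025-03-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2025-03-01T10:06:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": None,
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2025-03-01T10:10:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2025-03-01T10:12:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
]})

SENSITIVE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteImportedKeyMaterial"}
DATA_PLANE_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def load_records(text: str) -> List[dict]:
    """CloudTrail log files are a JSON object with a top-level "Records" array."""
    return json.loads(text)["Records"]


def principal_of(record: dict) -> str:
    """Normalize userIdentity to 'role/<name>' or 'user/<name>' so session names do not matter."""
    ident = record.get("userIdentity") or {}
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole":
        return "role/" + arn.split(":assumed-role/")[-1].split("/")[0]
    if ident.get("type") == "IAMUser":
        return "user/" + arn.rsplit("/", 1)[-1]
    return ident.get("type", "unknown")


def key_arns(record: dict) -> List[str]:
    return [r["ARN"] for r in record.get("resources") or [] if r.get("type") == "AWS::KMS::Key"]


def analyze(records: Iterable[dict], allowed: Dict[str, Set[str]]) -> List[dict]:
    """Flag KMS usage that the allow-list (key ARN -> permitted principals) does not explain."""
    findings: List[dict] = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName")
        base = {"time": rec.get("eventTime"), "event": name, "principal": principal_of(rec),
                "keys": key_arns(rec), "source_ip": rec.get("sourceIPAddress")}
        if rec.get("errorCode") == "AccessDenied":
            findings.append({**base, "rule": "access-denied"})            # probing or misconfigured caller
            continue
        if name in SENSITIVE_EVENTS:
            findings.append({**base, "rule": "key-lifecycle-change"})     # deletion, disable, policy change
            continue
        if name in DATA_PLANE_EVENTS:
            if any(k in allowed and base["principal"] not in allowed[k] for k in base["keys"]):
                findings.append({**base, "rule": "unexpected-principal"})
            context = (rec.get("requestParameters") or {}).get("encryptionContext")
            if not context:
                findings.append({**base, "rule": "missing-encryption-context"})
    return findings
```

Run as analyze(load_records(SAMPLE_LOG), {KEY_ARN: {"role/app-role"}}): the S3-originated Decrypt by the application role is clean, the contractor's Decrypt from an external address is flagged as an unexpected principal, the AccessDenied attempt and the ScheduleKeyDeletion each produce their own finding, and the application role's Decrypt without an encryption context is flagged because context-less calls cannot be tied to a protected resource.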

AWS KMS creates and manages multiple distributed replicas of KMS keys and key metadata automatically
to enable high availability and data durability. KMS keys themselves are regional objects; KMS keys can
only be used in the AWS region in which they were created. KMS keys are only stored on persistent disk
in encrypted form and in two separate storage systems to ensure durability. When a KMS key is needed
to fulfill an authorized customer request, it is retrieved from storage, decrypted on one of many AWS KMS
hardened security modules (HSMs) in the region, then used only in memory to execute the cryptographic
operation (e.g., encrypt or decrypt). Each future request to use the KMS key again requires decrypting
the KMS key in memory for another one-time use.

AWS KMS endpoints are only accessible via TLS using the following cipher suites that support forward
secrecy (Control AWSCA-4.9):
• TLS_AES_128_GCM_SHA256
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA
• ECDHE-RSA-AES128-SHA256
• DHE-RSA-AES256-SHA256
• DHE-RSA-AES128-SHA256
• DHE-RSA-AES256-SHA
• DHE-RSA-AES128-SHA
• PQ-TLS-1-2-2023-11-29

By design, no one can gain access to KMS key material. KMS keys are only ever present on hardened
security modules for the amount of time needed to perform cryptographic operations under them. AWS
employees have no tools to retrieve KMS keys from these hardened security modules. In addition, multi-party
access controls are enforced for operations on these hardened security modules that involve
changing the software configuration or introducing new hardened security modules into the service.
These multi-party access controls minimize the possibility of an unauthorized change to the hardened
security modules, exposing key material outside the service, or allowing unauthorized use of customer
keys (Control AWSCA-4.5). Additionally, key material used for disaster recovery processes by KMS is
physically secured such that no AWS employee can gain access (Control AWSCA-4.12). Access attempts
to recovery key materials are reviewed by authorized operators on a periodic basis (Control AWSCA-4.13).

Roles and responsibilities for those cryptographic custodians with access to systems that store or use key
material are formally documented and acknowledged (Control AWSCA-1.6).

AWS Lake Formation

AWS Lake Formation is an integrated data lake service that makes it easy for customers to ingest, clean,
catalog, transform, and secure their data and make it available for analysis and ML. AWS Lake Formation
gives customers a central console where they can discover data sources, set up transformation jobs to
move data to an Amazon Simple Storage Service (S3) data lake, remove duplicates and match records,
catalog data for access by analytic tools, configure data access and security policies, and audit and control
access from AWS analytic and ML services. Lake Formation automatically manages access to the registered
data in Amazon S3 through services including AWS Glue, Amazon Athena, Amazon Redshift, Amazon
QuickSight, and Amazon EMR to ensure compliance with customer-defined policies. With AWS Lake
Formation, customers can configure and manage their data lake without manually integrating multiple
underlying AWS services.

AWS Lambda

AWS Lambda lets customers run code without provisioning or managing servers on their own. AWS
Lambda uses a compute fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances across multiple
AZs in a region, which provides the high availability, security, performance, and scalability of the AWS
infrastructure.

AWS License Manager

AWS License Manager makes it easier to manage licenses in AWS and on-premises servers from software
vendors. AWS License Manager allows customers’ administrators to create customized licensing rules that
emulate the terms of their licensing agreements, and then enforces these rules when an EC2 instance
is launched. Customer administrators can use these rules to limit licensing violations, such as using
more licenses than an agreement stipulates or reassigning licenses to different servers on a short-term
basis. The rules in AWS License Manager also enable customers to limit a licensing breach by stopping the
instance from launching or by notifying the customer administrators about the infringement. Customer
administrators gain control and visibility of all their licenses with the AWS License Manager dashboard
and reduce the risk of non-compliance, misreporting, and additional costs due to licensing overages.

AWS License Manager integrates with AWS services to simplify the management of licenses across
multiple AWS accounts, IT catalogs, and on-premises, through a single AWS account.

AWS Mainframe Modernization

AWS Mainframe Modernization is an elastic mainframe service and set of development tools for migrating
and modernizing mainframe and legacy workloads. Using Mainframe Modernization, system integrators
can help customers discover their mainframe and legacy workloads, assess and analyze migration
readiness, and plan migration and modernization projects. Once planning is complete, customers can use
the Mainframe Modernization built-in development tools to replatform or refactor their mainframe and
legacy workloads, test workload performance and functionality, and migrate their data to AWS.

AWS Managed Services

AWS Managed Services provides ongoing management of a customer’s AWS infrastructure. AWS
Managed Services automates common activities such as change requests, monitoring, patch
management, security, and backup services, and provides full-lifecycle services to provision, run, and
support a customer’s infrastructure.

AWS Network Firewall

AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention
service for customers’ virtual private clouds (VPCs). With Network Firewall, customers can filter traffic at
the perimeter of their VPC. This includes filtering traffic going to and coming from an internet gateway,
NAT gateway, or over VPN or AWS Direct Connect.

AWS OpsWorks (includes Chef Automate, Puppet Enterprise)

AWS OpsWorks for Chef Automate is a configuration management service that hosts Chef Automate, a
suite of automation tools from Chef for configuration management, compliance and security, and
continuous deployment. OpsWorks also maintains customers’ Chef server by automatically patching,
updating, and backing up customer servers. OpsWorks eliminates the need for customers to operate their
own configuration management systems or worry about maintaining their infrastructure. OpsWorks gives
customers access to all of the Chef Automate features, such as configuration and compliance
management, which customers manage through the Chef console or command line tools like Knife. It also
works seamlessly with customers’ existing Chef cookbooks.

AWS OpsWorks for Puppet Enterprise is a configuration management service that hosts Puppet
Enterprise, a set of automation tools from Puppet for infrastructure and application management.
OpsWorks also maintains customers’ Puppet master server by automatically patching, updating, and
backing up customers’ servers. OpsWorks eliminates the need for customers to operate their own
configuration management systems or worry about maintaining their infrastructure. OpsWorks gives
customers access to all of the Puppet Enterprise features, which customers manage through the Puppet
console. It also works seamlessly with customers’ existing Puppet code.


AWS OpsWorks Stacks

AWS OpsWorks Stacks is an application and server management service. OpsWorks Stacks lets customers
manage applications and servers on AWS and on-premises. With OpsWorks Stacks, customers can model
their application as a stack containing different layers, such as load balancing, database, and application
server. They can deploy and configure Amazon EC2 instances in each layer or connect other resources
such as Amazon RDS databases. OpsWorks Stacks also lets customers set automatic scaling for their
servers based on preset schedules or in response to changing traffic levels, and it uses lifecycle hooks to
orchestrate changes as their environment scales.

AWS Organizations

AWS Organizations helps customers centrally govern their environment as they grow and scale their
workloads on AWS. Whether customers are a growing startup or a large enterprise, Organizations helps
them centrally manage billing; control access, compliance, and security; and share resources
across their AWS accounts.

Using AWS Organizations, customers can automate account creation, create groups of accounts to reflect
their business needs, and apply policies for these groups for governance. Customers can also simplify
billing by setting up a single payment method for all of their AWS accounts. Through integrations with
other AWS services, customers can use Organizations to define central configurations and resource
sharing across accounts in their organization.

AWS Outposts

AWS Outposts is a service that extends AWS infrastructure, AWS services, APIs and tools to any data
center, co-location space, or on-premises facility for a consistent hybrid experience. AWS Outposts is
ideal for workloads that require low latency access to on-premises systems, local data processing or local
data storage. Outposts offers the same AWS hardware infrastructure, services, APIs and tools to build and
run applications on premises and in the cloud. AWS compute, storage, database and other services run
locally on Outposts, and customers can access the full range of AWS services available in the Region to
build, manage and scale on-premises applications. The Service Link between Outposts and the AWS
region is established over a secured VPN connection across the public internet or AWS Direct Connect
(Control AWSCA-3.17).

AWS Outposts are configured with a Nitro Security Key (NSK) which is designed to encrypt customer
content and give customers the ability to mechanically remove content from the device. Customer
content is cryptographically shredded if a customer removes the NSK from an Outposts device (Control
AWSCA-7.9).
Additional information about Security in AWS Outposts, including the shared responsibility model, can be
found in the AWS Outposts User Guide.

AWS Payment Cryptography

AWS Payment Cryptography is a managed service that can be used to replace the payments-specific
cryptography and key management functions that are usually provided by on-premises payment
hardware security modules (HSMs). This elastic, pay-as-you-go AWS API service allows credit, debit, and
payment processing applications to move to the cloud without the need for dedicated payment HSMs.

AWS Private Certificate Authority

AWS Private Certificate Authority (CA) is a managed private CA service that enables customers to easily
and securely manage the lifecycle of their private certificates. Private CA allows developers to be more
agile by providing them APIs to create and deploy private certificates programmatically. Customers also
have the flexibility to create private certificates for applications that require custom certificate lifetimes
or resource names. With Private CA, customers can create and manage private certificates for their
connected resources in one place with a secure, pay-as-you-go, managed private CA service.

AWS Resilience Hub

AWS Resilience Hub helps customers improve the resiliency of their applications and reduce
application-related outages by uncovering resiliency weaknesses through continuous resiliency assessment
and validation. AWS Resilience Hub can also provide Standard Operating Procedures (SOPs) to help recover
applications on AWS when experiencing unplanned disruptions caused by software, deployment, or
operational problems. The service is designed for cloud-native applications that use highly available, fault
tolerant AWS services as building blocks.

AWS Resource Access Manager (RAM)

AWS Resource Access Manager helps customers securely share their resources across AWS accounts,
within their organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM
users for supported resource types. Customers are able to use AWS Resource Access Manager to share
transit gateways, subnets, AWS License Manager license configurations, Amazon Route 53 Resolver rules,
and other resource types.

AWS Resource Explorer (Effective February 15, 2025)

AWS Resource Explorer lets customers quickly and easily search for and discover AWS resources across
AWS Regions and accounts. Customers can start their search in Unified Search in the AWS Management
Console, the AWS Resource Explorer console, the AWS Command Line Interface (AWS CLI), or the SDK,
and filter using tags, services, and other metadata.

AWS Resource Groups

AWS Resource Groups is a service that helps customers organize AWS resources into logical groupings.
These groups can represent an application, a software component, or an environment. Resource groups
can include more than fifty additional resource types, bringing the overall number of supported resource
types to seventy-seven. These resource types include Amazon DynamoDB tables, AWS Lambda functions,
AWS CloudTrail trails, and many more. Customers can create resource groups that accurately reflect their
applications, and take action against those groups, rather than against individual resources.
AWS RoboMaker

AWS RoboMaker is a service that makes it easy to develop, test, and deploy intelligent robotics
applications at scale. RoboMaker extends the most widely used open-source robotics software
framework, Robot Operating System (ROS), with connectivity to cloud services. This includes AWS
machine learning services, monitoring services, and analytics services that enable a robot to stream data,
navigate, communicate, comprehend, and learn. RoboMaker provides a robotics development
environment for application development, a robotics simulation service to accelerate application testing,
and a robotics fleet management service for remote application deployment, update, and management.

AWS Secrets Manager

AWS Secrets Manager helps customers protect secrets needed to access their applications, services, and
IT resources. The service enables customers to easily rotate, manage, and retrieve database credentials,
API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call
to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets
Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon
DocumentDB. The service is also extensible to other types of secrets, including API keys and OAuth tokens.
In addition, Secrets Manager allows customers to control access to secrets using fine-grained permissions
and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

AWS Security Hub

AWS Security Hub gives customers a comprehensive view of their high-priority security alerts and
compliance status across AWS accounts. There is a range of powerful security tools at customers’
disposal, from firewalls and endpoint protection to vulnerability and compliance scanners. With Security
Hub, customers have a single place that aggregates, organizes, and prioritizes their security alerts, or
findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector Classic, and
Amazon Macie, as well as from AWS Partner solutions. Findings are visually summarized on integrated
dashboards with actionable graphs and tables.

AWS Serverless Application Repository

The AWS Serverless Application Repository is a managed repository for serverless applications. It enables
teams, organizations, and individual developers to store and share reusable applications, and easily
assemble and deploy serverless architectures in powerful new ways. Using the Serverless Application
Repository, customers do not need to clone, build, package, or publish source code to AWS before
deploying it. Instead, customers can use pre-built applications from the Serverless Application Repository
in their serverless architectures, helping customers reduce duplicated work, ensure organizational best
practices, and get to market faster. Integration with AWS Identity and Access Management (IAM) provides
resource-level control of each application, enabling customers to publicly share applications with
everyone or privately share them with specific AWS accounts.

AWS Service Catalog

AWS Service Catalog allows customers to create and manage catalogs of IT services that are approved for
use on AWS. These IT services can include everything from virtual machine images, servers, software, and
databases to complete multi-tier application architectures. AWS Service Catalog allows customers to
centrally manage commonly deployed IT services, and helps customers achieve consistent governance
and meet their compliance requirements, while enabling users to quickly deploy only the approved IT
services they need.

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web
applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations
that minimize application downtime and latency, so there is no need to engage AWS Support to benefit
from DDoS protection.

AWS Signer

AWS Signer is a managed code-signing service to ensure the trust and integrity of customer code.
Customers validate code against a digital signature to confirm that the code is unaltered and from a
trusted publisher. With AWS Signer, customer security administrators have a single place to define their
signing environment, including what AWS Identity and Access Management (IAM) role can sign code and
in what regions. AWS Signer manages the code-signing certificate public and private keys and enables
central management of the code-signing lifecycle.

AWS Snowball

Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts
of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data
transfers including high network costs, long transfer times, and security concerns. Transferring data with
Snowball is simple and secure.

AWS Snowball Edge (Deprecated July 1, 2024)

AWS Snowball Edge is a 100TB data transfer device with on-board storage and compute capabilities.
Customers can use Snowball Edge to move large amounts of data into and out of AWS, as a temporary
storage tier for large local datasets, or to support local workloads in remote or offline locations. Snowball
Edge connects to customers’ existing applications and infrastructure using standard storage interfaces,
streamlining the data transfer process and minimizing setup and integration. Snowball Edge devices can
cluster together to form a local storage tier and process customers’ data on-premises, helping ensure their
applications continue to run even when they are not able to access the cloud.

AWS Step Functions

AWS Step Functions is a web service that enables customers to coordinate the components of distributed
applications and microservices using visual workflows. Customers can build applications from individual
components that each perform a discrete function, or task, allowing them to scale and change applications
quickly. Step Functions provides a reliable way to coordinate components and step through the functions
of a customer’s application. Step Functions provides a graphical console to visualize the components of a
customer’s application as a series of steps. It automatically triggers and tracks each step, and retries when
there are errors, so the customer’s application executes in order and as expected, every time. Step
Functions logs the state of each step, so when things do go wrong, customers can diagnose and debug
problems quickly.

AWS Storage Gateway

The AWS Storage Gateway service connects customers’ off-cloud software appliances with cloud-based
storage. The service enables organizations to store data in AWS’ highly durable cloud storage services:
Amazon S3 and Amazon Glacier.

AWS Storage Gateway backs up data off-site to Amazon S3 in the form of Amazon EBS snapshots. AWS
Storage Gateway transfers data to AWS and stores this data in either Amazon S3 or Amazon Glacier,
depending on the use case and type of gateway used. There are three types of gateways: Tape, File, and
Volume Gateways. The Tape Gateway allows customers to store more frequently accessed data in Amazon
S3 and less frequently accessed data in Amazon Glacier.

The File Gateway allows customers to copy data to S3 and have those files appear as individual objects in
S3. Volume Gateways store data directly in Amazon S3 and allow customers to snapshot their data so that
they can access previous versions of their data. These snapshots are captured as Amazon EBS snapshots,
which are also stored in Amazon S3. Both Amazon S3 and Amazon Glacier redundantly store these
snapshots on multiple devices across multiple facilities, detecting and repairing any lost redundancy. The
Amazon EBS snapshot provides a point-in-time backup that can be restored off-cloud or on a gateway
running in Amazon EC2 or used to instantiate new Amazon EBS volumes. Data is stored within a single
region that customers specify.


AWS Systems Manager

AWS Systems Manager gives customers visibility into and control over their infrastructure on AWS. AWS
Systems Manager provides customers a unified user interface so that customers can view their
operational data from multiple AWS services, and it allows customers to automate operational tasks
across their AWS resources.

With AWS Systems Manager, customers can group resources, like Amazon EC2 instances, Amazon S3
buckets, or Amazon RDS instances, by application, view operational data for monitoring and
troubleshooting, and take action on groups of resources.


AWS Transfer Family

AWS Transfer Family enables the transfer of files directly into and out of Amazon S3. With support for
the SSH File Transfer Protocol (SFTP), File Transfer Protocol over SSL/TLS (FTPS), and File Transfer
Protocol (FTP), AWS Transfer Family helps customers seamlessly migrate their file transfer workflows to
AWS by integrating with existing authentication systems and providing DNS routing with Amazon Route 53.

AWS User Notifications

AWS User Notifications enables users to centrally configure and view notifications from AWS services,
such as AWS Health events, Amazon CloudWatch alarms, or EC2 instance state changes, in a consistent,
human-friendly format. Users can view notifications across accounts, regions, and services in a Console
Notifications Center, and configure delivery channels, like email, chat, and push notifications to the AWS
Console mobile app, where they can receive these notifications. Notifications provide URLs to direct users
to resources in the Management Console, to enable further action and remediation.

AWS Verified Access (Effective August 15, 2024)

AWS Verified Access is a service that provides the ability to secure access to applications without requiring
the use of a virtual private network (VPN). Verified Access evaluates each application request and helps
ensure that users can access each application only when they meet the specified security requirements.

AWS WAF

AWS WAF is a web application firewall that helps protect customer web applications from common web
exploits that could affect application availability, compromise security, or consume excessive resources.

Customers can use AWS WAF to create custom rules that block common attack patterns, such as SQL
injection or cross-site scripting, and rules that are designed for their specific application. New rules can be
deployed within minutes, letting customers respond quickly to changing traffic patterns. AWS WAF also
includes a full-featured API that customers can use to automate the creation, deployment, and
maintenance of web security rules.

AWS Wickr

AWS Wickr is an end-to-end encrypted service that helps organizations collaborate securely through
one-to-one and group messaging, voice and video calling, file sharing, screen sharing, and more. AWS Wickr
encrypts messages, calls, and files with a 256-bit end-to-end encryption protocol. Only the intended
recipients and the customer organization can decrypt these communications, reducing the risk of
adversary-in-the-middle attacks.

AWS X-Ray

AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built
using a microservices architecture. With X-Ray, customers or developers can understand how their
application and its underlying services are performing to identify and troubleshoot the root cause of
performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through the
customers’ application and shows a map of the application’s underlying components. Customers or
developers can use X-Ray to analyze applications both in development and in production.

EC2 Image Builder

EC2 Image Builder makes it easier to automate the creation, management, and deployment of
customized, secure, and up-to-date “golden” server images that are pre-installed and pre-configured with
software and settings to meet specific IT standards.

Elastic Load Balancing (ELB)

Elastic Load Balancing (ELB) provides customers with a load balancer that automatically distributes
incoming application traffic across multiple Amazon EC2 instances in the cloud. It allows customers to
achieve greater levels of fault tolerance for their applications, seamlessly providing the required amount
of load balancing capacity needed to distribute application traffic.

FreeRTOS

FreeRTOS is an operating system for microcontrollers that makes small, low-power edge devices easy to
program, deploy, secure, connect, and manage. FreeRTOS extends the FreeRTOS kernel, a popular open-
source operating system for microcontrollers, with software libraries that make it easy to securely connect
the small, low-power devices to AWS cloud services like AWS IoT Core or to more powerful edge devices
running AWS IoT Greengrass.

VM Import/Export

VM Import/Export is a service that enables customers to import virtual machine images from their existing
environment to Amazon EC2 instances and export them back to their on-premises environment. This
offering allows customers to leverage their existing investments in the virtual machines that customers
have built to meet their IT security, configuration management, and compliance requirements by bringing
those virtual machines into Amazon EC2 as ready-to-use instances. Customers can also export imported
instances back to their off-cloud virtualization infrastructure, allowing them to deploy workloads across
their IT infrastructure.

D.4 Secure Data Handling

AWS provides many methods for customers to securely handle their data. There are additional methods
detailed in the Complementary User Entity Controls (CUECs) at the end of this section. AWS enables
customers to open a secure, encrypted channel to AWS servers using HTTPS (TLS/SSL).

Amazon S3 provides a mechanism that enables users to utilize MD5 checksums to validate that data sent
to AWS is bitwise identical to what is received, and that data sent by Amazon S3 is identical to what is
received by the user. When customers choose to provide their own keys for encryption and decryption of
Amazon S3 objects (S3 SSE-C), Amazon S3 does not store the encryption key provided by the customer.
Amazon S3 generates and stores a one-way salted HMAC of the customer encryption key and that salted
HMAC value is not logged (Control AWSCA-4.4).

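A model of the SSE-C key-handling design described above, added here as an example (it is not the report's or Amazon S3's code): the service checks the key's MD5 header, retains only a salted one-way HMAC of the key rather than the key itself, and uses that verifier to reject a wrong key on later requests. The request header names are the real SSE-C ones; the choice of HMAC-SHA256, the 16-byte salt, the internal store layout and the sample keys are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Real SSE-C request header names; the key itself travels only inside TLS.
ALG_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"


def client_key_headers(key: bytes) -> dict:
    """Headers a client attaches to every SSE-C PUT/GET for a 256-bit key."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALG_HDR: "AES256",
        KEY_HDR: base64.b64encode(key).decode(),
        MD5_HDR: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_from_headers(headers: dict) -> bytes:
    """Service side: recover the key and check the MD5 header. The MD5 exists
    to catch a key corrupted in transit; it does not authenticate the key."""
    if headers.get(ALG_HDR) != "AES256":
        raise ValueError("unsupported SSE-C algorithm")
    key = base64.b64decode(headers[KEY_HDR])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    if not hmac.compare_digest(expected, headers[MD5_HDR]):
        raise ValueError("customer key MD5 mismatch")
    return key


def make_key_verifier(key: bytes):
    """One-way, salted HMAC of the key: this is what is stored, not the key.
    A fresh salt per object means the same key on two objects leaves two
    different stored values (assumption: 16-byte random salt, HMAC-SHA256)."""
    salt = secrets.token_bytes(16)
    return salt, hmac.new(salt, key, hashlib.sha256).digest()


def key_matches(verifier, key: bytes) -> bool:
    """Constant-time comparison of the presented key against the verifier."""
    salt, tag = verifier
    return hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag)


class SseCObjectStore:
    """Minimal store modelling only the key-verification path (assumed layout).
    Encrypting the body with the customer key is outside this model, so the
    body is kept as given; the real service would store only ciphertext."""

    def __init__(self):
        self._objects = {}

    def put(self, name: str, body: bytes, headers: dict) -> None:
        key = key_from_headers(headers)
        salt, tag = make_key_verifier(key)
        # Only the verifier is retained; the key is discarded with this frame
        # and the verifier is never written to logs.
        self._objects[name] = {"salt": salt, "tag": tag, "body": body}

    def get(self, name: str, headers: dict) -> bytes:
        key = key_from_headers(headers)
        obj = self._objects[name]
        if not key_matches((obj["salt"], obj["tag"]), key):
            raise PermissionError("customer key does not match stored verifier")
        return obj["body"]

    def stored_record(self, name: str) -> dict:
        """Exposed so the absence of the key from storage can be checked."""
        return dict(self._objects[name])
```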
Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication
by configuring Terminal Services on the instance by generating a unique self-signed X.509 server
certificate and delivering the certificate’s thumbprint to the user over a trusted channel (Control AWSCA-
4.2).

AWS further enables secure communication with Linux AMIs by configuring SSH on the instance,
generating a unique host-key and delivering the key’s fingerprint to the user over a trusted channel
(Control AWSCA-4.1).

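A client-side check for the Linux AMI host-key control above (AWSCA-4.1), added as an example that is not part of the report or of any AWS or OpenSSH tooling: it computes the SHA256 and MD5 fingerprints of the host key an SSH client is shown and accepts the key only if one of them appears in the fingerprint block retrieved from the instance's console output, the trusted channel. The sample key and console text are constructed; the console-output layout is modelled on the block cloud-init prints and is an assumption.

```python
import base64
import hashlib
import hmac
import re
import struct


def encode_openssh_ed25519(raw_key: bytes) -> str:
    """Build the one-line `ssh-ed25519 AAAA...` form OpenSSH uses for a
    32-byte Ed25519 public key. Used here only to construct the sample."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return key_type.decode() + " " + base64.b64encode(blob).decode()


def _key_blob(pubkey_line: str) -> bytes:
    """Fingerprints cover the wire-format key blob, not the text line."""
    return base64.b64decode(pubkey_line.split()[1])


def fingerprint_sha256(pubkey_line: str) -> str:
    """`SHA256:` + unpadded base64, as `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy `MD5:aa:bb:...` form (`ssh-keygen -E md5 -lf`)."""
    hexdigest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


_FP_RE = re.compile(r"SHA256:[A-Za-z0-9+/]{43}|MD5:(?:[0-9a-f]{2}:){15}[0-9a-f]{2}")


def fingerprints_from_console_output(text: str) -> set:
    """Extract every host-key fingerprint from the console output obtained
    through the trusted channel (EC2 console or API), looking only inside
    the BEGIN/END fingerprint block (assumed layout)."""
    start = text.find("BEGIN SSH HOST KEY FINGERPRINTS")
    end = text.find("END SSH HOST KEY FINGERPRINTS")
    if start < 0 or end < 0:
        return set()
    return set(_FP_RE.findall(text[start:end]))


def host_key_is_trusted(presented_pubkey: str, console_output: str) -> bool:
    """True only if the key the SSH client presents matches a fingerprint
    published through the trusted channel. A mismatch means the key offered
    at first connection is not the one the instance generated."""
    trusted = fingerprints_from_console_output(console_output)
    computed = (fingerprint_sha256(presented_pubkey), fingerprint_md5(presented_pubkey))
    return any(hmac.compare_digest(c, t) for c in computed for t in trusted)


def constructed_sample():
    """Constructed data, not from a real instance: a fake Ed25519 key and a
    console-output block in the layout cloud-init writes (assumed)."""
    pubkey = encode_openssh_ed25519(bytes(range(32)))
    console = "\n".join([
        "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
        "ec2: 256 " + fingerprint_sha256(pubkey) + " root@ip-10-0-0-1 (ED25519)",
        "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
    ])
    return pubkey, console
```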
Connections between customer applications and Amazon RDS MySQL instances can be encrypted using
TLS/SSL. Amazon RDS generates a TLS/SSL certificate for each database instance, which can be used to
establish an encrypted connection using the default MySQL client. Once an encrypted connection is
established, data transferred between the database instance and a customer’s application will be
encrypted during transfer. If customers require data to be encrypted while “at rest” in the database, the
customer application must manage the encryption and decryption of data. Additionally, customers can
set up controls to have their database instances only accept encrypted connections for specific user
accounts.

D.5 Physical Security and Environmental Protection

Amazon has significant experience in designing, constructing, and operating large-scale data centers. This
experience has been applied to the AWS system and infrastructure. Refer to the “Amazon Web Services
System Overview” section above for a list of in-scope data centers.

Physical Security

AWS provides physical access to its data centers for approved employees and contractors who have a
legitimate business need for such privileges. Access to data centers must be approved by an authorized
individual (Control AWSCA-5.1). All visitors are required to present identification and are signed in and
escorted by authorized staff.

When an employee or contractor no longer requires data center access, their access is promptly revoked,
even if they continue to be an employee or contractor of Amazon or AWS. In addition, access is
automatically revoked when an employee or contractor’s record is terminated in Amazon’s HR system
(Control AWSCA-5.2). Cardholder access to data centers is reviewed quarterly. Cardholders marked for
removal have their access automatically revoked as part of the review (Control AWSCA-5.3).

Physical access is controlled both at the perimeter and at building ingress points by professional security
staff utilizing video surveillance, intrusion detection systems, and badge and pin electronic means.
Authorized staff utilize multi-factor authentication mechanisms to access data center floors (Control
AWSCA-5.4, AWSCA-5.5, and AWSCA-5.6).

In addition to the physical security controls, physical access to data centers in the GovCloud (US) region is
restricted to employees or contractors who have been validated as a U.S. person (green card holder or
citizen as defined by the U.S. Department of State).

Amazon owns and operates many of its data centers, while others are housed in colocation spaces that
are offered by various reputable companies under contract with Amazon. The physical access and security
controls described above are also deployed by AWS at colocation spaces.

AWS Local Zones are a type of AWS infrastructure deployment managed and supported by AWS that
places AWS compute, storage, database and other select services closer to large population, industry, IT
centers or customers where no AWS Region currently exists today. With AWS Local Zones, customers can
run latency-sensitive portions of applications local to end-users and resources in a specific geography,
delivering single-digit millisecond latency for specific use cases. Dedicated Local Zones are deployed on-
premises, delivered in accordance with a customer specific contract, and dedicated to that customer. The
physical security of these Dedicated Local Zones meets the established requirements set by AWS.

AWS offers Wavelength infrastructure in partnership with telecom providers, which is optimized for
mobile edge computing applications. Wavelength Zones are AWS infrastructure deployments that embed
AWS compute and storage services within communications service providers’ (CSP or telecom providers)
data centers at the edge of the 5G network, so application traffic from 5G devices can reach application
servers running in Wavelength Zones without leaving the telecommunications network. This avoids the
latency that would result from application traffic having to traverse multiple hops across the Internet to
reach its destination, enabling customers to take full advantage of the latency and bandwidth benefits
offered by modern 5G networks.

Contracts with third-party colocation providers include provisions to support the protection of AWS assets
and communication of incidents or events that impact Amazon assets and/or customers to AWS (Control
AWSCA-5.11). In addition, AWS provides monitoring of adherence with security and operational
standards by performing periodic reviews of colocation service providers (Control AWSCA-5.12). The
frequency of colocation reviews is based on a tiering that is dependent on the contracts and level of
engagement with the colocation service provider.

AWS spaces within colocation facilities are installed with AWS-operated closed circuit television (CCTV)
cameras, intrusion detection systems, and access control devices that alert AWS personnel of access and
incidents. Physical access to AWS spaces within colocation facilities is controlled by AWS and follows
standard AWS access management processes.

Redundancy

Data centers are designed to anticipate and tolerate failure while maintaining service levels. Each AWS
Region comprises multiple data centers. All data centers are online and serving traffic; no data center
is “cold.” In case of failure, automated processes move traffic away from the affected area. Core
applications are deployed to an N+1 standard, so that in the event of a data center failure, there is
sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection
system utilizes smoke detection sensors in Amazon-owned data center environments (e.g., multi-point
aspirating smoke detection (MASD), point source detection), mechanical and electrical infrastructure
spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe,
double-interlocked pre-action, or gaseous sprinkler systems (Control AWSCA-5.7).

Power

The data center electrical power systems supporting AWS are designed to be fully redundant and
maintainable without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units
provide back-up power in the event of an electrical failure for critical and essential loads in Amazon-owned
data centers and third-party colocation sites where Amazon maintains the UPS units. Amazon-owned data
centers use generators to provide back-up power for the facility (Control AWSCA-5.9 and AWSCA-5.10).

Climate and Temperature

Climate control is required to maintain a controlled operating temperature for servers and other
hardware, preventing overheating and reducing the possibility of service outages. Amazon-owned data
centers are conditioned to maintain environmental conditions at specified levels. Personnel and systems
monitor and control temperature and humidity at appropriate levels. This is provided at N+1 and utilizes
free cooling as the primary source of cooling where it is available based on local environmental conditions
(Control AWSCA-5.8).

Environment Management

In Amazon-owned data centers, AWS monitors electrical, mechanical, and life support systems and
equipment so that any issues are immediately identified. This is carried out via daily rounds and readings,
in tandem with an overview of our data centers provided via AWS’ Building Management System (BMS)
and Electrical Monitoring System (EMS). Preventative maintenance is performed to maintain the
continued operability of equipment utilizing the Enterprise Asset Management (EAM) tool and trouble
ticketing and change management system. The primary objective of this process is to provide a holistic
insight into Mechanical, Electrical, Plumbing (MEP) Assets owned by AWS infrastructure teams. This
includes providing a centralized repository for equipment, optimizing planned and unplanned
maintenance and managing data center critical spare parts.

Management of Media

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning
process that is designed to prevent unauthorized access to assets. AWS uses techniques detailed in NIST
800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process. All production media
is securely decommissioned in accordance with industry-standard practices (Control AWSCA-5.13).
Production media is not removed from AWS control until it has been securely decommissioned.

D.6 Change Management

Software

AWS applies a systematic approach to managing changes so that changes to customer impacting services
are reviewed, tested, approved, and well communicated. Change management procedures/policies are
based on Amazon change management guidelines and tailored to the specifics of each AWS service
(Control AWSCA-6.1). These processes are documented and communicated to the necessary personnel
by service team management.

The goal of AWS’ change management process is to prevent unintended service disruptions and maintain
the integrity of service to the customer. Change details are documented in one of Amazon’s change
management or deployment tools (Control AWSCA-6.2).

Prior to deployment to production environments, changes are:

• Developed in a development environment that is segregated from the production environment
  (Control AWSCA-6.4).
• Reviewed by peers for technical aspects and appropriateness (Control AWSCA-6.5).
• Tested to confirm the changes will behave as expected when applied and not adversely impact
  performance (Control AWSCA-6.3).
• Approved by authorized team members to provide appropriate oversight and understanding of
  business impact (Control AWSCA-6.5).

Changes are typically pushed into production in a phased deployment starting with the lowest impact
sites. Deployments are closely monitored so impact can be evaluated. Service owners have a number of
configurable metrics that measure the health of the service’s upstream dependencies. These metrics are
closely monitored with thresholds and alarming in place (e.g., latency, availability, fatal errors, CPU
utilization, etc.). Customer information, including personal information, and customer content are not
used in test and development environments (Control AWSCA-6.7). Rollback procedures are documented
so that team members can revert to the previous state if needed.

When possible, changes are scheduled during regular change windows. Emergency changes to production
systems that require deviations from standard change management procedures are associated with an
incident and are logged and approved as appropriate.

AWS performs deployment validations and change reviews to detect unauthorized changes to its
environment and tracks identified issues to resolution. AWS management reviews and tracks deployment
violations for services enrolled in the Deployment Monitoring program as part of the AWS Security
business review. For those services not enrolled in the Deployment Monitoring program, a secondary
monthly review of deployments is conducted within 60 days of the month in which they were made. If
any unauthorized changes are detected, or changes deviate from the standard review and approval
process, they are tracked to resolution (Control AWSCA-6.6).

Infrastructure

AWS internally developed configuration management software is installed when new hardware is
provisioned. These tools are run on all UNIX hosts to validate that they are configured and that software
is installed in a standard manner based on host classes and updated regularly.

Only approved users with verified business needs, authorized through a permissions service, may log
in to the central configuration management servers. Host configuration settings are monitored to validate
compliance with AWS security standards and automatically pushed to the host fleet (Control AWSCA-9.4).

Emergency, non-routine and other configuration changes to existing AWS infrastructure are authorized,
logged, tested, approved and documented in accordance with industry norms for similar systems. Updates
to AWS infrastructure are performed in such a manner to minimize impact to the customer and their
service use. AWS communicates with customers, either via email, or through the AWS Health Dashboard
(https://status.aws.amazon.com/) when service use may be adversely affected.

D.7 Data Integrity, Availability, Redundancy and Data Retention

AWS seeks to maintain data integrity through all phases including transmission, storage, and processing.

Amazon S3 utilizes checksums internally to confirm the continued integrity of data in transit within the
system and at rest. Amazon S3 provides a facility for customers to send checksums along with data
transmitted to the service. The latest AWS SDKs, CLI, and the S3 console calculate these checksums
automatically. The service validates the checksum upon receipt of the data to determine that no
corruption occurred in transit. S3 currently supports the CRC64NVME, CRC32, CRC32C, SHA1, and SHA256
algorithms for integrity validation. The MD5 algorithm is also supported for customers utilizing older SDKs
that provide their own checksum for integrity of data in transit. Regardless of whether a checksum is sent
with an object to Amazon S3, the service utilizes checksums internally to confirm the continued integrity
of data in transit within the system and at rest. When disk corruption or device failure is detected, the
system automatically attempts to restore normal levels of object storage redundancy (Control AWSCA-
7.1, AWSCA-7.2, and AWSCA-7.3).
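The upload-side checksum mechanism described here and under D.4 (Content-MD5 for older SDKs, the x-amz-checksum-* headers otherwise), as an added example that is not the report's or the AWS SDKs' code: it produces the base64 header values S3 expects for MD5, CRC32, CRC32C, SHA1 and SHA256, and models the receiver recomputing them over the bytes that actually arrived so that a byte corrupted in transit is rejected. CRC32C is implemented in pure Python here because the standard library lacks it; CRC64NVME is left out; the sample object is constructed.

```python
import base64
import hashlib
import zlib

# Reflected Castagnoli polynomial for CRC32C, table-driven (stdlib has no CRC32C).
_CRC32C_POLY = 0x82F63B78
_CRC32C_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ _CRC32C_POLY if _c & 1 else _c >> 1
    _CRC32C_TABLE.append(_c)


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


# algorithm name -> (real S3 request header, function returning the raw digest)
CHECKSUMS = {
    "MD5":    ("Content-MD5",           lambda d: hashlib.md5(d).digest()),
    "CRC32":  ("x-amz-checksum-crc32",  lambda d: zlib.crc32(d).to_bytes(4, "big")),
    "CRC32C": ("x-amz-checksum-crc32c", lambda d: crc32c(d).to_bytes(4, "big")),
    "SHA1":   ("x-amz-checksum-sha1",   lambda d: hashlib.sha1(d).digest()),
    "SHA256": ("x-amz-checksum-sha256", lambda d: hashlib.sha256(d).digest()),
}
_HEADER_TO_ALG = {hdr: alg for alg, (hdr, _) in CHECKSUMS.items()}


def checksum_header(body: bytes, algorithm: str) -> dict:
    """The single header a client sends for `algorithm`: base64 of the raw
    digest, with CRC values encoded as four big-endian bytes first."""
    header, digest_fn = CHECKSUMS[algorithm]
    return {header: base64.b64encode(digest_fn(body)).decode()}


def receiver_validates(received_body: bytes, headers: dict) -> bool:
    """Model of the service-side check on receipt: recompute every checksum
    header present over the bytes that actually arrived. A request carrying
    no checksum header passes this step (the service still checksums data
    internally afterwards, but corruption on the way in is then undetected)."""
    for header, value in headers.items():
        alg = _HEADER_TO_ALG.get(header)
        if alg is None:
            continue  # unrelated header, e.g. Content-Type
        expected = base64.b64encode(CHECKSUMS[alg][1](received_body)).decode()
        if expected != value:
            return False
    return True


def upload_outcome(body: bytes, algorithm: str, flip_byte_at=None) -> bool:
    """Simulate one upload: compute the header over the client's bytes, then
    optionally flip one bit 'in transit' before the receiver checks."""
    headers = checksum_header(body, algorithm)
    received = bytearray(body)
    if flip_byte_at is not None:
        received[flip_byte_at] ^= 0x01
    return receiver_validates(bytes(received), headers)
```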

AWS services and systems hosting customer content are designed to retain customer content until the
customer removes it or the customer agreement ends (Control AWSCA-7.8). Once the contractual
obligation to retain content ends, or upon a customer-initiated action to remove or delete content, AWS
services have processes and procedures to detect a deletion and make the content inaccessible. AWS
utilizes Amazon Simple Storage Service (S3), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Block
Store (EBS), and Amazon DynamoDB, as the primary services for customer content storage, which
individually or in combination are also utilized by many of the other AWS services listed in the System
Overview for storage of customer content. Amazon S3 Glacier, Amazon Relational Database Service (RDS)
Aurora, SimpleDB, Amazon Simple Queue Service (SQS), Amazon Cloud Directory, Amazon Pinpoint and
End User Messaging, AWS Secrets Manager, Amazon Elastic File System (EFS), and Amazon CloudFront
utilize local storage to store customer content but are not utilized for content storage functionalities by
other services, similar to the primary AWS content storage services. When customers request data to be
deleted, automated processes are initiated to remove the data and render the content unreadable
(Control AWSCA-7.7).

Availability

The AWS Resiliency Program encompasses the processes and procedures by which AWS identifies,
responds to, and recovers from a major availability event or incident within the AWS services
environment. This program builds upon the traditional approach of addressing contingency management
which incorporates elements of business continuity and disaster recovery plans and expands this to
consider critical elements of proactive risk mitigation strategies, such as engineering physically separate
Availability Zones (AZs) and continuous infrastructure capacity planning.

AWS contingency plans and incident response playbooks are maintained and updated to reflect emerging
risks and lessons learned from past incidents. Service team response plans are tested and updated
through the due course of business, and the AWS Resiliency Plan is tested, reviewed, and approved by
senior leadership annually (Control AWSCA-10.3).

AWS has identified critical system components required to maintain the availability of the system and
recover service in the event of outage. Critical system components (example: code bases) are backed up
across multiple, isolated locations known as Availability Zones. Each Availability Zone runs on its own
physically distinct, independent infrastructure, and is engineered to be highly reliable. Common points of
failure, like generators and cooling equipment, are not shared across Availability Zones. Additionally,
Availability Zones are physically separate, and designed such that even extremely uncommon disasters,
such as fires, tornadoes, or flooding should only affect a single Availability Zone. AWS replicates critical
system components across multiple Availability Zones, and authoritative backups are maintained and
monitored to ensure successful replication (Control AWSCA-10.1 and AWSCA-10.2).

Data Backup

AWS core storage services have the capability to be redundantly stored in multiple physical locations as
part of normal operations. Customers should enable backups of their data across AWS services.

Amazon S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a
given year. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3
region. To help provide durability, Amazon S3 PUT and COPY operations synchronously store customer
content across multiple facilities before returning SUCCESS. Once stored, Amazon S3 helps maintain the
durability of the objects by detecting and repairing lost redundancy. Amazon S3 also regularly verifies the
integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data. In
addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when
storing or retrieving data (Control AWSCA-7.3, AWSCA-7.4, and AWSCA-7.5).

Amazon EBS replication is stored within the same AZ, not across multiple zones, but customers have the
ability to conduct regular snapshots to Amazon Simple Storage Service (S3) in order to provide long-term
data durability. For customers who have architected complex transactional databases using Amazon EBS,
backups to Amazon S3 can be performed through the database management system so that distributed
transactions and logs can be checkpointed. AWS does not perform backups of data that are maintained
on virtual disks attached to running instances on Amazon EC2.

Amazon RDS provides two different methods for backing up and restoring customer DB Instance(s):
automated backups and database snapshots (DB Snapshots). Turned on by default, the automated backup
feature of Amazon RDS enables point-in-time recovery for a DB Instance. Amazon RDS will back up
databases and transaction logs and store both for a user-specified retention period. This allows for
restoration of a DB Instance to any second during the defined retention period, up to the last five minutes.
The automatic backup retention period can be configured to up to 35 days. During the backup window,
storage input/output (I/O) may be suspended for a few seconds, while data is being backed up. This I/O
suspension is avoided with Multi-AZ DB deployments, since the backup is taken from the standby. DB
Snapshots are user-initiated backups of DB Instances. These full database backups will be stored by
Amazon RDS until customers explicitly delete them. Customers can create a new DB Instance from a DB
Snapshot as needed (Control AWSCA-7.6).

The AWS team responsible for capacity management continuously monitors service usage to project
infrastructure needs for availability commitments and requirements. AWS maintains a capacity planning
model to assess infrastructure usage and demands at least monthly, and usually more frequently (e.g.,
weekly). In addition, the AWS capacity planning model supports the planning of future demands to acquire
and implement additional resources based upon current resources and forecasted requirements (Control
AWSCA-10.4).

D.8 Confidentiality

AWS is committed to protecting the security and confidentiality of its customers’ content, defined as
“Your Content” at https://aws.amazon.com/agreement/ (Control AWSCA-11.3). AWS’ systems and
services are designed to enable authenticated AWS customers to access and manage their content. AWS
notifies customers of third-party access to a customer’s content on the third-party access page located at
https://aws.amazon.com/compliance/third-party-access. AWS may remove a customer’s content when
compelled to do so by a legal order, or where there is evidence of fraud or abuse as described in the
Customer Agreement (https://aws.amazon.com/agreement/) and Acceptable Use Policy
(https://aws.amazon.com/aup/). In executing the removal of a customer’s content due to the reasons
stated above, employees may render it inaccessible as the situation requires. For clarity, this capability to
render customer content inaccessible extends to encrypted content as well.

In the course of AWS system and software design, build, and test of product features, a customer’s
content is not used and remains in the production environment. A customer’s content is not required for
the AWS software development life cycle. When content is required for the development or test of a
service’s software, AWS service teams have tools to generate mock, random data.

AWS knows customers care about privacy and data security. That is why AWS gives customers ownership
and control over their content by design through tools that allow customers to determine where their
content is stored, secure their content in transit or at rest, and manage access to AWS services and
resources. AWS also implements technical and physical controls designed to prevent unauthorized access
to or disclosure of a customer’s content. As described in the Physical Security and Change Management
areas in Section III of this report, AWS employs a number of controls to safeguard data from within and
outside of the boundaries of environments which store a customer’s content. As a result of these
measures, access to a customer’s content is restricted to authorized parties.

AWS contingency plans and incident response playbooks have defined and tested tools and processes to
detect, mitigate, investigate, and assess security incidents. These plans and playbooks include guidelines
for responding to potential data breaches in accordance with contractual and regulatory requirements.
AWS security engineers follow a documented protocol when responding to potential data security
incidents. The protocol involves steps, which include validating the presence of customer content within
the AWS service (without actually viewing the data), determining the encryption status of a customer’s
content, and determining improper access to a customer’s content to the extent possible.

During the course of their response, the security engineers document relevant findings in internal tools
used to track the security issue. AWS Security Leadership is regularly apprised of all data security issue
investigations. In the event there are positive indicators that customer content was potentially accessed
by an unintended party, a security engineer engages AWS Security Leadership and the AWS Legal team to
review the findings. AWS Security Leadership and the Legal team review the findings and determine if a
notifiable data breach has occurred pursuant to contractual or regulatory obligations. If confirmed,
affected customers are notified in accordance with the applicable reporting requirement.

Vendors and third parties with restricted access, that engage in business with Amazon, are subject to
confidentiality commitments as part of their agreements with Amazon. Confidentiality commitments are
included in agreements with vendors and third parties with restricted access and are reviewed by AWS
and the third-party at time of contract creation or execution (Control AWSCA-11.1). AWS monitors the
performance of third parties through periodic reviews on a risk-based approach, which evaluate
performance against contractual obligations (Control AWSCA-11.2).

Internally, confidentiality requirements are communicated to employees through training and policies.
Employees are required to attend Amazon Security Awareness (ASA) training, which includes policies and
procedures related to protecting a customer’s content. Confidentiality requirements are included in the
Data Handling and Classification Policy. Policies are reviewed and updated at least annually.

AWS implements policies and controls to monitor access to resources that process or store customer
content. In addition, a Master Service Agreement (MSA) or Non-Disclosure Agreement (NDA) binds a
subcontractor to confidentiality in the unlikely event they are exposed to a customer’s content. The MSA
references both an NDA and a requirement to protect a customer’s content in the event they do not have
an NDA. AWS Legal maintains the most current MSA in a legal document portal. The portal serves as the
repository for contracts with the most current commitments, document owner, and date modified. A legal
review is also performed when the MSA is executed with a vendor.

Services and systems hosted by AWS are designed to retain and protect a customer’s content for the
duration of the customer agreement period, and in some cases, up to 30 days beyond termination. The
customer agreement, https://aws.amazon.com/agreement/, specifies the terms and conditions. AWS
services are designed to retain a customer’s content until the contractual obligation to retain a customer’s
content ends, or upon a customer-initiated action to remove or delete their content.

Once the contractual obligation to retain a customer’s content ends, or upon a customer-initiated action
to remove or delete their content, AWS services have processes and procedures to detect a deletion and
make the content inaccessible. After a delete event, automated actions act on deleted content to render
the content inaccessible (Control AWSCA-7.7).

D.9 Privacy

AWS classifies customer data into two categories: customer content and account information. AWS
defines customer content as software (including machine images), data, text, audio, video, or images that
a customer or any end user transfers to AWS for processing, storage, or hosting by AWS services in
connection with that customer's account, and any computational results that a customer or any end user
derives from the foregoing through their use of AWS services. For example, customer content includes
content that a customer or any end user stores in Amazon Simple Storage Service (S3). The terms of the
AWS Customer Agreement (https://aws.amazon.com/agreement/) and AWS Service Terms
(https://aws.amazon.com/service-terms/) apply to customer content.

Account information is information about a customer that a customer provides to AWS in connection with
the creation or administration of a customer account. For example, account information includes names,
usernames, phone numbers, email addresses, and billing information associated with a customer account.
Any information submitted by the customer that AWS needs in order to provide services to the customer
or in connection with the administration of customer accounts, is not in-scope for this report.

The AWS Privacy Notice is available from the AWS website at https://aws.amazon.com/privacy/. The AWS
Privacy Notice is reviewed by the AWS Legal team and is updated as required to reflect Amazon’s current
business practices and global regulatory requirements. The Privacy Notice describes how AWS collects
E

and uses a customer’s personal information in relation to AWS websites, applications, products, services,
events, and experiences. The Privacy Notice does not apply to customer content.
n-

As part of the AWS account creation and activation process, AWS customers are informed of the AWS
ke

Privacy Notice and are required to accept the Customer Agreement, including the terms and conditions
related to the collection, use, retention, disclosure, and disposal of their data. Customers are responsible
for determining what content to store within AWS, which may include personal information. Without the
-to

acceptance of the Customer Agreement, customers cannot sign up to use the AWS services.

The AWS Customer Agreement informs customers of the AWS data security and privacy commitments
rm

prior to activating an AWS account and is made available to customers to review at any time on the AWS
website (Control AWSCA-12.1).
te

Proprietary and Confidential Information - Trade Secret


©2025 Amazon.com, Inc. or its affiliates
87
Section III – Description of the Amazon Web Services System

The customer determines what data is entered into AWS services and has the ability to configure the appropriate security and privacy settings for the data, including who can access and use the data. Further, the customer is able to choose not to provide certain data. Additionally, the customer manages notification or consent requirements, and maintains the accuracy of the data.

Additionally, the AWS Customer Agreement notes how AWS shares, secures, and retains customer content. AWS also informs customers of updates to the Customer Agreement by making it available on its website and providing the last updated date. Customers should check the Customer Agreement website frequently for any changes to the Customer Agreement (Control AWSCA-12.2).

AWS does not store any customer cardholder data obtained from customers. Rather, AWS passes the customer cardholder data immediately to the Amazon Payments Platform, the PCI-certified platform that Amazon uses for all payment processing. This platform returns a unique identifier that AWS stores and uses for all future processing. The Amazon Payments Platform sits completely outside of the AWS boundary and is run by the larger Amazon entity. It is not an AWS service, but it is utilized by the larger Amazon entity for payment processing. As such, the Amazon Payments Platform is not in scope for this report.

AWS offers customers the ability to update their communication preferences through the AWS console or via the AWS Email Preference Center (Control AWSCA-12.3). When customers update their communication preferences using their email, their updated preferences are saved. Customers can unsubscribe from AWS marketing emails within the AWS console. AWS customers will still receive important account-related notifications from AWS, such as monthly billing statements, or if there are significant changes to a service that customers use.

AWS provides authenticated customers the ability to access, update, and confirm their data. Denial of access will be communicated using the AWS console (Control AWSCA-12.6). Customers can sign in to their AWS accounts through the AWS console to view and update their data.

AWS (or Amazon) does not disclose customer information in response to government demands unless required to do so to comply with a legally valid and binding order. AWS Legal reviews and maintains records of all information requests, which list the types and volume of information requested. Unless AWS is prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, AWS notifies customers before disclosing customer content so they can seek protection from disclosure. AWS shares customer content only as described in the AWS Customer Agreement (Control AWSCA-12.8).

AWS may produce non-content and/or content information in response to valid and binding law enforcement and governmental requests, such as subpoenas, court orders, and search warrants. “Non-content information” means customer information such as name, address, email address, billing information, date of account creation, and service usage information. “Content information” includes the content that a customer transfers for processing, storage, or hosting in connection with AWS services and any computational results. AWS records customer information requests to maintain a complete, accurate, and timely record of such requests (Control AWSCA-12.7).

If required, customers are responsible for providing notice to the individuals whose data the customer collects and uses within AWS. AWS is not responsible for providing such notice to or obtaining consent from these individuals and is only responsible for communicating its privacy commitments to AWS customers, which is provided during the account creation and activation process.

AWS has documented an incident response policy and plan which outlines an organized approach for responding to security breaches and incidents. The AWS Security team is responsible for monitoring systems, tracking issues, and documenting findings of security-related events. Records are maintained for security breaches and incidents, which include status information required for supporting forensic activities, trend analysis, and evaluation of incident details.

As part of the process, potential breaches of customer content are investigated and escalated to AWS Security and AWS Legal. Customers can subscribe to the AWS Security Bulletins page, which provides information regarding identified security issues. AWS notifies affected customers and regulators of breaches and incidents as legally required in accordance with team processes (Control AWSCA-12.5).

AWS retains and disposes of customer content in accordance with the Customer Agreement and the AWS Data Classification and Handling Policy. When a customer terminates their account or contract with AWS, the account is placed in isolation, and within 90 days customers can restore their accounts and related content. AWS services hosting customer content are designed to retain customer content until the contractual obligation to retain a customer’s content ends or a customer-initiated action to remove or delete the content is taken (Control AWSCA-7.8). When a customer requests data to be deleted, AWS utilizes automated processes to detect that request and make the content inaccessible. After the deletion is complete, automated actions are taken on deleted content to render the content unreadable (Control AWSCA-7.7).

AWS maintains an externally posted list of third-party sub-processors that are currently engaged by AWS to process customer data depending on the AWS region and AWS service the customer selects at https://aws.amazon.com/compliance/sub-processors/. Before AWS authorizes and permits any new third-party sub-processor to access any customer content, AWS will update the website to inform customers (Control AWSCA-12.12). AWS maintains contracts with third-party sub-processors that define how access to customer content is limited to the minimum levels necessary to provide the service described on the page and also contain data protection, confidentiality commitments, and security requirements (Control AWSCA-12.9 and 12.10). AWS performs application security reviews for each third-party sub-processor provider prior to integration with AWS to ascertain and mitigate security risks (Control AWSCA-12.4). A typical security review considers privacy components, such as retention period, use, and collection of data as applicable. The review starts with a system owner initiating a review request to the dedicated AWS Vendor Security (AVS) team, and submitting detailed information required for the review.

During this process, the AVS team determines the granularity of review required based on the type of customer content that will be shared, design, threat model, and impact to AWS’ risk profile. They provide security guidance, validate security assurance material, and meet with external parties to discuss their penetration tests, Software Development Life Cycle, change management processes, and other operating security controls. They work with the system owner to identify, prioritize, and remediate security findings. The AVS team collaborates with AWS Legal as needed to validate that the content of the AVS reviews is in line with AWS privacy policies. The AVS team provides their final approval for the third-party system after they have adequately assessed the risks and worked with the requester to implement security controls to mitigate identified risks. These application security reviews are not only executed for new third-party sub-processors, but also renewed on an annual basis with every third-party sub-processor (Control AWSCA-12.10 and AWSCA-12.11).

E. Monitoring

E.1 Monitoring Activities

AWS utilizes a wide variety of automated monitoring systems to facilitate a high level of service performance and availability. AWS defines a Security Incident as a security-related adverse event in which there was a loss of data confidentiality, disruption of data or systems integrity, or disruption or denial of availability. AWS monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.

Systems within AWS are further designed to monitor key operational metrics, and alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed. An on-call schedule is used such that personnel are always available to respond to operational issues. This includes a pager system, so that notifications are quickly and reliably communicated to operations personnel (Control AWSCA-8.1).

Documentation is maintained to aid and inform operations personnel in handling incidents or issues. A ticketing system is used which supports communication, progress updates, necessary collaboration between teams, and logging capabilities. Trained call leaders facilitate communication and progress during the handling of operational issues that require collaboration. After action reviews are convened following significant operational issues, regardless of external impact, and Correction of Errors (COE) documents are composed such that the root cause is captured, and preventative actions may be taken for the future. Implementation of the preventative measures identified in COEs is tracked during weekly operations meetings.

The AWS Security Operations team employs industry-standard diagnosis procedures (such as incident identification, registration and verification, initial incident classification and prioritizing actions) to drive resolution during business-impacting events. Staff operators in the US, EMEA, and APAC provide 24 x 7 continuous coverage to detect incidents and to manage the impact and resolution (Control AWSCA-8.2).

E.2 Incident Notification

AWS has documented an incident response policy and plan which outlines an organized approach for responding to security breaches and incidents (Control AWSCA-1.2). The AWS Security team is responsible for monitoring systems, tracking issues, and documenting findings of security-related events. Records are maintained for security breaches and incidents, which include status information required for supporting forensic activities, trend analysis, and evaluation of incident details.

As part of the process, potential breaches of customer content are investigated and escalated to AWS Security and AWS Legal. Affected customers and regulators are notified of breaches and incidents where legally required. Customers can subscribe to the AWS Security Bulletins page, which provides information regarding identified security issues.
Complementary User Entity Controls

AWS services were designed with the assumption that certain policies, procedures, and controls are implemented by its user entities (or customers). In certain situations, the application of specific policies, procedures, and controls by the customer is necessary to achieve the service commitments and system requirements that are based on the applicable trust services criteria included in this report. This section describes the additional policies, procedures, and controls customers may need to implement in order to satisfy the service commitments and system requirements for customers’ specific use cases.

CC1.0 – Common Criteria Related to Control Environment

CC2.0 – Common Criteria Related to Communication and Information

CC3.0 – Common Criteria Related to Risk Assessment

CC4.0 – Common Criteria Related to Monitoring Activities

• Customers should ensure appropriate logging of events is in place to support monitoring and incident response processes. Customers should log events that include but are not limited to administrator activity, system errors, authentication checks, and data deletions.

• Customers should enable and configure service-specific logging features where available for all services and implement appropriate monitoring and incident response processes.

CC5.0 – Common Criteria Related to Control Activities

CC6.0 – Common Criteria Related to Logical and Physical Access Controls

• Customers should use asymmetric key-pairs or multi-factor authentication to access their hosts and avoid simple password-based authentication.

• Customers should implement access controls, such as security groups, IAM roles, and/or access control lists (ACLs), to segment and isolate like-functioning instances.

• S3-Specific – Customers should utilize managed rules and ACLs to secure their S3 buckets by controlling access to the S3 buckets and preventing them from being accessible to the public.

• AppStream 2.0-Specific – Customers are responsible for managing user access to streaming instances and should maintain controls for approving and granting access, timely removing access when an employee leaves the organization or changes job responsibilities, and periodically reviewing appropriate access levels for existing users.

• Customers should utilize multi-factor authentication for controlling access to their root account credentials and should avoid using root account credentials beyond initial account configuration of AWS Identity and Access Management (IAM), except for services for which IAM is not available. Customers should delete access key(s) for the root account when not in use.

• Outpost-Specific – Customers should restrict and monitor physical access to data centers and facilities hosting Outpost devices to personnel based on job responsibilities.

• Outpost-Specific – Customers are responsible for verifying their site meets the Outpost requirements for facility, networking, and power as published on https://docs.aws.amazon.com/outposts/latest/userguide/outposts-requirements.html.

• Outpost-Specific – Customers are responsible for removal of the Nitro Security Key (NSK) to ensure customer content is crypto shredded from the Outpost before returning it to AWS.

• Customers are responsible for managing and reviewing users' access to their instance of AWS services in accordance with their access management policies.
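The CC4.0 items above name the event classes a customer should log (administrator activity, system errors, authentication checks, data deletions) and the CC6.0 items call for multi-factor authentication on the root account. The following Python is an added example, not part of the report or of any AWS tool: it runs those checks over a handful of constructed CloudTrail-style records (field names follow the CloudTrail record format; every account id, ARN, address and time is invented), and the category names, severities and event lists are this example's own assumptions.

```python
"""Triage of CloudTrail-style records for the event classes the CUECs call out:
administrator (IAM) activity, authentication checks, data deletions, system errors,
and any use of the root account (flagging a root console login without MFA)."""
from collections import Counter

# IAM calls that change who can do what; treated here as administrator activity.
ADMIN_IAM_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
    "PutRolePolicy", "CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy", "DeactivateMFADevice",
}
# Error codes returned when a call fails an authorization or authentication check.
AUTHZ_ERRORS = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation",
                "Client.UnauthorizedOperation", "InvalidClientTokenId"}
# Error codes that indicate a service-side fault rather than a caller mistake.
SYSTEM_ERRORS = {"InternalError", "InternalFailure", "InternalServerError", "ServiceUnavailable"}

# Constructed CloudTrail-style records: field names follow the CloudTrail record
# format; every value (account id, ARNs, IPs, times) is invented for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-01-10T08:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-audit-archive"}},
    {"eventTime": "2025-01-10T08:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-01-10T08:07:15Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2025-01-10T08:09:33Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
    {"eventTime": "2025-01-10T08:10:01Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DescribeTable", "sourceIPAddress": "10.0.4.12",
     "errorCode": "InternalServerError",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/App/task"}},
]


def actor(event):
    """Short identity string for the caller; root is called out explicitly."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def classify(event):
    """(category, severity) tags for one record; a record may match several."""
    tags = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    error = event.get("errorCode")
    if ident.get("type") == "Root":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            tags.append(("root_login_without_mfa", "critical"))
        else:
            tags.append(("root_activity", "high"))
    login = event.get("responseElements", {}).get("ConsoleLogin")
    if login == "Failure" or error in AUTHZ_ERRORS:
        tags.append(("authentication_failure", "medium"))
    elif name == "ConsoleLogin":
        tags.append(("authentication_success", "info"))
    if source == "iam.amazonaws.com" and name in ADMIN_IAM_EVENTS:
        tags.append(("administrator_activity", "high"))
    # Successful Delete* calls on data services (not IAM) are data deletions.
    if name.startswith("Delete") and source != "iam.amazonaws.com" and error is None:
        tags.append(("data_deletion", "high"))
    if error in SYSTEM_ERRORS:
        tags.append(("system_error", "low"))
    return tags


def triage(events):
    """One finding per (record, tag), carrying what an incident ticket needs."""
    return [
        {"time": ev.get("eventTime"), "category": cat, "severity": sev, "actor": actor(ev),
         "event": ev.get("eventName"), "source": ev.get("eventSource"),
         "ip": ev.get("sourceIPAddress")}
        for ev in events for cat, sev in classify(ev)
    ]


def summarize(findings):
    """Findings per category: the shape an alert threshold or dashboard consumes."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['category']:24} {f['actor']} {f['event']}")
```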

CC7.0 – Common Criteria Related to System Operations

• Customers may subscribe to Premium Support offerings that include direct communication with the customer support team and proactive alerting to any issues that may impact the customer.

• VPC-Specific – Customers are responsible for their network security requirements and connecting their Amazon Virtual Private Cloud to an appropriate point of their internal network.

• EC2-Specific – Customers are responsible for configuring the Time Sync functionality and monitoring the synchronization for accuracy across their EC2 instances, as published by AWS in user guide documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html#configure-amazon-time-service-amazon-linux.

CC8.0 – Common Criteria Related to Change Management

• Customers are responsible for maintaining the application of patches to customer’s Amazon instances. Customers can leverage automated patching tools such as AWS Systems Manager Patch Manager to help deploy operating system and software patches automatically across large groups of instances.

• Customers should set up separate development and production accounts to isolate the production system from development work.

• App Mesh-Specific – Customers utilizing their own Envoy image should follow a documented change management process to ensure updated configurations are documented, tested, and approved prior to deployment to customer production instances.

CC9.0 – Common Criteria Related to Risk Mitigation

• Customers should maintain policies and procedures that provide training and guidance for information security within the organization, the IT environment, and the use of AWS services.

• Customers should assess the objectives of their AWS cloud services network and identify the risks and corresponding controls that need to be implemented to address those risks when using AWS services, software, and operational controls.
A – Availability Criteria

• EC2-Specific – Customers using the EC2 service should augment the AWS instance firewalls with a host-based firewall for redundancy and egress filtering.

• EC2/VPC-Specific – Data stored on Amazon EC2 virtual disks should be proactively copied to another storage option for redundancy.

• Customers should ensure their AWS resources such as server and database instances have the appropriate levels of redundancy and isolation. Redundancy can be achieved through utilization of the Multi-Region and Multi-AZ deployment options where available.

• EBS-Specific – Amazon EBS replication is stored within the same AZ, not across multiple zones, and therefore customers should conduct regular snapshots to Amazon S3 in order to provide long-term data durability.

• Customers should enable backups of their data across AWS services.

C – Confidentiality Criteria

• Customers should utilize Amazon S3’s option to specify an MD5 checksum as part of a REST PUT operation for the data being sent to Amazon S3. When the request arrives at Amazon S3, an MD5 checksum will be recalculated for the object data received and compared to the provided MD5 checksum. If there is a mismatch, the PUT will be failed, preventing data that was corrupted on the wire from being written into Amazon S3. Customers should use the MD5 checksums returned in response to REST GET requests to confirm that the data returned by the GET was not corrupted in transit.

• Any code customers write to call Amazon APIs should expect to receive and handle errors from the service. Specific guidance for each service can be found within the corresponding User Guide and API documentation.

• AWS Snowball-Specific – Customers should not delete any local copies of their data until they have verified that it has been copied into AWS.

• AWS Snowball-Specific – All data is encrypted before persisting. With AWS Snowball, there are short periods where customer content is in plain text prior to encryption and persistence. If a customer is concerned about this short period, they should encrypt their data before sending it to the device.

• Customers should transmit secret keys over secure channels. Customers should avoid embedding secret keys in web pages or other publicly accessible source code. Customers should encrypt sensitive data at rest as well as in transit over the network.

• Customers should appropriately configure and manage usage and implementation of available encryption options to meet their requirements.

• Customers should use encrypted (TLS/SSL) connections for all of their interactions with AWS. Leading practices include the use of TLS 1.2. Customers should opt in for a key rotation schedule that meets their needs for any KMS key they would like rotated.
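The S3 checksum item in the Confidentiality list above describes a round trip: the client sends an MD5 of the body with the PUT, the service recomputes it over the bytes it received and fails the request on a mismatch, and the MD5 returned with a GET lets the client check what it downloaded. The following Python is an added example, not part of the report or of any AWS SDK: it plays both sides of that exchange against an in-memory stand-in for the service (FakeS3, a constructed class), so the reject-on-mismatch and verify-on-GET steps run offline; the Content-MD5 header encoding and the single-part ETag format are the real S3 conventions, everything else is the example's own.

```python
"""Simulation of the S3 Content-MD5 round trip: digest on PUT, server-side
recomputation and rejection on mismatch, ETag verification on GET."""
import base64
import hashlib
from typing import Dict, Optional, Tuple


class BadDigest(Exception):
    """Stands in for S3's HTTP 400 'BadDigest' error on a Content-MD5 mismatch."""


def content_md5_header(body: bytes) -> str:
    """Value of the Content-MD5 request header: base64 of the raw 16-byte MD5 digest
    (the encoding boto3 sends when ContentMD5= is passed to put_object)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def etag_for(body: bytes) -> str:
    """ETag S3 returns for a single-part, non-SSE-KMS object: the quoted hex MD5.
    Multipart uploads and SSE-KMS objects carry ETags that are not a plain MD5."""
    return '"' + hashlib.md5(body).hexdigest() + '"'


class FakeS3:
    """Minimal in-memory stand-in for the service side (constructed for this example)."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put_object(self, key: str, body: bytes, content_md5: Optional[str] = None) -> str:
        # The service digests the bytes it actually received and compares them with
        # the client's claim; a mismatch fails the PUT before anything is stored.
        if content_md5 is not None and content_md5_header(body) != content_md5:
            raise BadDigest(f"Content-MD5 mismatch for {key}")
        self.objects[key] = bytes(body)
        return etag_for(body)

    def get_object(self, key: str) -> Tuple[bytes, str]:
        body = self.objects[key]
        return body, etag_for(body)


def flip_one_byte(data: bytes, index: int = 0) -> bytes:
    """Model a single bit error introduced on the wire."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


def upload_checked(s3: FakeS3, key: str, body: bytes, corrupt_in_transit: bool = False) -> str:
    """Client side of PUT: digest the local bytes, then send. Returns the ETag, or raises
    BadDigest when the service received different bytes than the client digested."""
    header = content_md5_header(body)
    on_the_wire = flip_one_byte(body) if corrupt_in_transit else body
    return s3.put_object(key, on_the_wire, content_md5=header)


def download_checked(s3: FakeS3, key: str, corrupt_in_transit: bool = False) -> bool:
    """Client side of GET: compare the ETag header with an MD5 of the received body.
    True when the body is intact, False when it was altered in transit."""
    body, etag = s3.get_object(key)
    received = flip_one_byte(body) if corrupt_in_transit else body
    return etag_for(received) == etag


def demo() -> Dict[str, bool]:
    """Exercise the four cases: clean PUT, corrupted PUT, clean GET, corrupted GET."""
    s3 = FakeS3()
    body = b"constructed sample object: quarterly access review export\n"
    results = {}
    results["put_ok"] = upload_checked(s3, "reviews/q1.csv", body) == etag_for(body)
    try:
        upload_checked(s3, "reviews/q1-corrupt.csv", body, corrupt_in_transit=True)
        results["put_corrupt_rejected"] = False
    except BadDigest:
        results["put_corrupt_rejected"] = True
    results["corrupt_object_not_stored"] = "reviews/q1-corrupt.csv" not in s3.objects
    results["get_ok"] = download_checked(s3, "reviews/q1.csv")
    results["get_corrupt_detected"] = not download_checked(
        s3, "reviews/q1.csv", corrupt_in_transit=True)
    return results


if __name__ == "__main__":
    print(demo())
```

As the report frames it, this check catches accidental corruption on the wire; MD5 is not a defence against deliberate tampering, and the ETag comparison only holds for single-part objects not encrypted with SSE-KMS.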
P – Privacy Criteria

P1 – Notice and Communication

P2 – Choice and Consent

• Customers should check the Customer Agreement and Privacy Notice website frequently for any changes.

• Customers are responsible for updating their communication preferences.

• Customers are responsible for managing disclosure and notice requirements for data stored in AWS services, when applicable, because AWS is not responsible for providing notice, obtaining consent, or having knowledge of what individuals have been provided notice or consented to.

P3 – Collection

P4 – Use, Retention and Disposal

• Customers are responsible for complying with any regulations or laws that require a rationale of the purposes for which personal information is collected, used, retained, and disclosed.

P5 – Access

• Customers are responsible for providing individuals with the personal information that the customer has stored in AWS services, if required to do so by law.

P6 – Disclosure and Notification

P7 – Quality

• Customers are responsible for keeping personal information that the customer has stored in AWS services accurate, complete, and relevant as required by any regulations or laws.

P8 – Monitoring and Enforcement

The list of control considerations presented above does not represent all the controls that should be employed by the customer. Other controls may be required. Customers should reference additional AWS service documentation on the AWS website.
SECTION IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

AWS Confidential
95
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

Testing Performed and Results of Entity-Level Controls

In planning the nature, timing and extent of testing of the controls, EY considered the aspects of AWS’ control environment and tested those controls that were considered necessary.

In addition to the tests of operating effectiveness of specific controls described below, procedures included tests of the following components of the internal control environment of AWS:

• Management controls and organizational structure
• Risk assessment process
• Information and communication
• Control activities
• Monitoring

Tests of the control environment included the following procedures, to the extent EY considered necessary: (a) a review of AWS’ organizational structure, including the segregation of functional responsibilities, policy statements, processing manuals and personnel controls, (b) discussions with management, operations, administrative and other personnel who are responsible for developing, ensuring adherence to and applying controls, and (c) observations of personnel in the performance of their assigned duties.

The control environment was considered in determining the nature, timing and extent of the testing of controls and controls relevant to the achievement of the control objectives.

Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE)

For tests of controls requiring the use of IPE (e.g., controls requiring system-generated populations for sample-based testing), EY performed a combination of the following procedures where possible based on the nature of the IPE to address the completeness, accuracy, and data integrity of the data or reports used: (1) inspect the source of the IPE, (2) inspect the query, script, or parameters used to generate the IPE, (3) tie data between the IPE and the source, and/or (4) inspect the IPE for anomalous gaps in sequence or timing to determine the data is complete, accurate, and maintains its integrity. In addition to the above procedures, for tests of controls requiring management’s use of IPE in the execution of the controls (e.g., periodic reviews of user access listings), EY inspected management’s procedures to assess the validity of the IPE source and the completeness, accuracy, and integrity of the data or reports.

Trust Services Criteria and Related Controls for Systems and Applications

On the pages that follow, the description of control objectives and the controls to achieve the objectives have been specified by, and are the responsibility of, AWS. The “Tests Performed by EY” and the “Results of Tests” are the responsibility of the service auditor.

Note: A comparison of AWS controls that have been revised during the examination period is provided in Section V of this report, “Other Information Provided By Amazon Web Services,” for informational purposes.

Information System Control Environment

The following controls apply to the services listed in the System Description and their supporting data centers, except where controls are unique to one of the services – in those cases, the controls are indicated as “S3-Specific,” “EC2-Specific,” “VPC-Specific,” “KMS-Specific,” “RDS-Specific,” “Outposts-Specific,” or otherwise noted as being specific to a certain service or set of services.

AWS Controls Mapped to the Security, Availability, Confidentiality, and Privacy Criteria

Criteria | Supporting AWS Control Activity (AWSCA) | Criteria Description

CC1.0 – Common Criteria Related to Control Environment

CC1.1 | AWSCA-1.1; AWSCA-1.2; AWSCA-9.2; AWSCA-9.3; AWSCA-9.7; AWSCA-9.9; AWSCA-11.1; AWSCA-11.2 | COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

CC1.2 | AWSCA-1.7; AWSCA-1.8; AWSCA-9.8 | COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

CC1.3 | AWSCA-1.1; AWSCA-1.2 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

CC1.4 | AWSCA-1.2; AWSCA-1.4; AWSCA-1.7; AWSCA-1.8; AWSCA-9.2; AWSCA-9.3; AWSCA-9.9; AWSCA-11.1; AWSCA-11.2 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

CC1.5 | AWSCA-1.1; AWSCA-1.2; AWSCA-1.3; AWSCA-9.3; AWSCA-9.7 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

CC2.0 – Common Criteria Related to Communication and Information

CC2.1 | AWSCA-1.2; AWSCA-1.5; AWSCA-1.9; AWSCA-1.10; AWSCA-3.6; AWSCA-8.1; AWSCA-8.2; AWSCA-9.8 | COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

CC2.2 | AWSCA-1.2; AWSCA-1.4; AWSCA-1.6; AWSCA-1.9; AWSCA-9.1; AWSCA-9.5; AWSCA-9.6; AWSCA-10.3; AWSCA-11.1; AWSCA-11.3 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

CC2.3 | AWSCA-1.4; AWSCA-1.6; AWSCA-9.1; AWSCA-9.5; AWSCA-11.1; AWSCA-11.2; AWSCA-11.3; AWSCA-12.1; AWSCA-12.2; AWSCA-12.3; AWSCA-12.4; AWSCA-12.5 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
CC3.0 – Common Criteria Related to Risk Assessment

CC3.1 | AWSCA-1.5; AWSCA-1.9; AWSCA-1.10; AWSCA-9.8 | COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

CC3.2 | AWSCA-1.5; AWSCA-1.9; AWSCA-1.10; AWSCA-3.4; AWSCA-5.12; AWSCA-10.3 | COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

CC3.3 | AWSCA-1.5; AWSCA-1.10; AWSCA-3.4; AWSCA-5.12; AWSCA-10.3 | COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

CC3.4 | AWSCA-1.5; AWSCA-1.10; AWSCA-3.4; AWSCA-5.12; AWSCA-10.3 | COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

CC4.0 – Common Criteria Related to Monitoring Activities

CC4.1 | AWSCA-1.10; AWSCA-3.4; AWSCA-5.12; AWSCA-9.8; AWSCA-11.2 | COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

CC4.2 | AWSCA-1.5; AWSCA-1.10; AWSCA-9.8 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

CC5.0 – Common Criteria Related to Control Activities


CC5.1 AWSCA-1.2; COSO Principle 10: The entity selects and develops control activities that
AWSCA-1.3; contribute to the mitigation of risks to the achievement of objectives to

F
AWSCA-1.5; acceptable levels.
AWSCA-1.10

QE
CC5.2 AWSCA-1.2; COSO Principle 11: The entity also selects and develops general control
AWSCA-1.3; activities over technology to support the achievement of objectives.

3F
AWSCA-1.5;
AWSCA-1.10

AWSCA-1.1;

ab
CC5.3 COSO Principle 12: The entity deploys control activities through policies that
AWSCA-1.2; establish what is expected and in procedures that put policies into action.
AWSCA-1.3;
AWSCA-1.5; M
AWSCA-1.10;
AWSCA-10.3
rro

CC6.0 - Common Criteria Related to Logical and Physical Access Controls

CC6.1 AWSCA-1.2; The entity implements logical access security software, infrastructure, and
ap

AWSCA-2.1; architectures over protected information assets to protect them from


AWSCA-2.2; security events to meet the entity's objectives.
AWSCA-2.3;
W

AWSCA-2.4;
AWSCA-2.5;
RK

AWSCA-2.6;
AWSCA-3.1;
AWSCA-3.2;
AWSCA-3.3;
E

AWSCA-3.5;
AWSCA-3.6;
n-

AWSCA-3.7;
AWSCA-3.8;
ke

AWSCA-3.9;
AWSCA-3.10;
AWSCA-3.11;
-to

AWSCA-3.12;
AWSCA-3.13;
AWSCA-3.14;
rm

AWSCA-3.15;
AWSCA-3.17;
AWSCA-3.19;
te

AWS Confidential
100
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
AWS Controls Mapped to the Security, Availability, Confidentiality, and Privacy Criteria

H1
Supporting AWS
Criteria Control Activity Criteria Description

OV
(AWSCA)
AWSCA-4.4;
AWSCA-4.5;
AWSCA-4.6;

F
AWSCA-4.7;

QE
AWSCA-4.8;
AWSCA-4.9;
AWSCA-4.10;
AWSCA-4.11;

3F
AWSCA-4.12;
AWSCA-4.13;
AWSCA-4.14;

ab
AWSCA-4.15;
AWSCA-6.1;
AWSCA-8.1; M
AWSCA-8.2;
AWSCA-9.4
rro

CC6.2 AWSCA-2.1; Prior to issuing system credentials and granting system access, the entity
AWSCA-2.2; registers and authorizes new internal and external users whose access is
ap

AWSCA-2.3; administered by the entity. For those users whose access is administered
AWSCA-2.4 by the entity, user system credentials are removed when user access is no
longer authorized.
W

CC6.3 AWSCA-2.1; The entity authorizes, modifies, or removes access to data, software,
AWSCA-2.2; functions, and other protected information assets based on roles,
RK

AWSCA-2.3; responsibilities, or the system design and changes, giving consideration to


AWSCA-2.4; the concepts of least privilege and segregation of duties, to meet the
AWSCA-2.5; entity’s objectives.
AWSCA-2.6
E

CC6.4 AWSCA-3.16; The entity restricts physical access to facilities and protected information
n-

AWSCA-4.12; assets (for example, data center facilities, back-up media storage, and
AWSCA-4.13; other sensitive locations) to authorized personnel to meet the entity’s
ke

AWSCA-4.15; objectives.
AWSCA-5.1;
AWSCA-5.2;
-to

AWSCA-5.3;
AWSCA-5.4;
AWSCA-5.5
rm
te

AWS Confidential
101
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
AWS Controls Mapped to the Security, Availability, Confidentiality, and Privacy Criteria

H1
Supporting AWS
Criteria Control Activity Criteria Description

OV
(AWSCA)
CC6.5 AWSCA-5.13; The entity discontinues logical and physical protections over physical assets
AWSCA-7.7; only after the ability to read or recover data and software from those

F
AWSCA-7.8; assets has been diminished and is no longer required to meet the entity’s
AWSCA-7.9 objectives.

QE
CC6.6 AWSCA-2.6; The entity implements logical access security measures to protect against
AWSCA-3.1; threats from sources outside its system boundaries.

3F
AWSCA-3.2;
AWSCA-3.3;
AWSCA-3.7;

ab
AWSCA-3.8;
AWSCA-3.9;
AWSCA-4.14;
AWSCA-8.1;
AWSCA-8.2
M
rro
AWSCA-1.2;
CC6.7 The entity restricts the transmission, movement, and removal of
AWSCA-1.4;
information to authorized internal and external users and processes, and
AWSCA-1.6;
protects it during transmission, movement, or removal to meet the entity’s
AWSCA-2.2;
ap

objectives.
AWSCA-2.3;
AWSCA-3.16;
AWSCA-3.17;
W

AWSCA-3.18;
AWSCA-3.19;
RK

AWSCA-4.1;
AWSCA-4.2;
AWSCA-4.3;
AWSCA-4.4;
E

AWSCA-4.6;
n-

AWSCA-4.7;
AWSCA-4.9;
AWSCA-4.11;
ke

AWSCA-4.14;
AWSCA-4.15;
AWSCA-5.1;
-to

AWSCA-5.2;
AWSCA-5.3;
AWSCA-5.13;
rm

AWSCA-7.1
te

AWS Confidential
102
CC6.8 | AWSCA-2.2; AWSCA-2.3; AWSCA-3.4; AWSCA-3.18; AWSCA-6.1; AWSCA-6.2; AWSCA-6.3; AWSCA-6.4; AWSCA-6.5; AWSCA-6.6; AWSCA-8.1; AWSCA-8.2; AWSCA-9.4 | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

CC7.0 - Common Criteria Related to System Operations

CC7.1 | AWSCA-3.1; AWSCA-3.2; AWSCA-3.3; AWSCA-3.4; AWSCA-3.6; AWSCA-6.6; AWSCA-7.10; AWSCA-9.4 | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

CC7.2 | AWSCA-1.2; AWSCA-3.4; AWSCA-5.6; AWSCA-8.1; AWSCA-8.2; AWSCA-9.6 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

CC7.3 | AWSCA-1.1; AWSCA-5.6; AWSCA-5.11; AWSCA-5.12; AWSCA-8.1; AWSCA-8.2; AWSCA-9.6; AWSCA-10.3; AWSCA-12.5 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

CC7.4 | AWSCA-1.1; AWSCA-1.2; AWSCA-3.4; AWSCA-5.11; AWSCA-5.12; AWSCA-8.1; AWSCA-8.2; AWSCA-9.6; AWSCA-9.7; AWSCA-10.3; AWSCA-12.5 | The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.

CC7.5 | AWSCA-5.11; AWSCA-5.12; AWSCA-6.1; AWSCA-8.2; AWSCA-9.6; AWSCA-10.3 | The entity identifies, develops, and implements activities to recover from identified security incidents.

CC8.0 - Common Criteria Related to Change Management

CC8.1 | AWSCA-3.1; AWSCA-3.2; AWSCA-3.3; AWSCA-3.6; AWSCA-3.16; AWSCA-6.1; AWSCA-6.2; AWSCA-6.3; AWSCA-6.4; AWSCA-6.5; AWSCA-6.6; AWSCA-6.7; AWSCA-8.2; AWSCA-9.4; AWSCA-10.3; AWSCA-12.4 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

CC9.0 – Risk Mitigation

CC9.1 | AWSCA-1.2; AWSCA-1.5; AWSCA-1.10; AWSCA-10.3 | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

CC9.2 | AWSCA-1.5; AWSCA-1.10; AWSCA-5.11; AWSCA-5.12; AWSCA-9.7; AWSCA-11.1; AWSCA-11.2; AWSCA-11.3; AWSCA-12.4 | The entity assesses and manages risks associated with vendors and business partners.

Additional Criteria for Availability

A1.1 | AWSCA-8.1; AWSCA-10.3; AWSCA-10.4 | The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

A1.2 | AWSCA-1.2; AWSCA-1.5; AWSCA-1.10; AWSCA-5.7; AWSCA-5.8; AWSCA-5.9; AWSCA-5.10; AWSCA-5.11; AWSCA-5.12; AWSCA-7.3; AWSCA-7.4; AWSCA-7.5; AWSCA-7.6; AWSCA-8.1; AWSCA-8.2; AWSCA-10.1; AWSCA-10.2; AWSCA-10.3; AWSCA-10.4 | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.

A1.3 | AWSCA-1.2; AWSCA-10.2; AWSCA-10.3 | The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Additional Criteria for Confidentiality

C1.1 | AWSCA-1.2; AWSCA-7.2; AWSCA-7.3; AWSCA-7.4; AWSCA-7.5; AWSCA-7.6; AWSCA-7.8; AWSCA-10.2 | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

C1.2 | AWSCA-5.13; AWSCA-7.7; AWSCA-7.9 | The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

Additional Criteria Related to Privacy

P1.1 | AWSCA-12.1; AWSCA-12.2; AWSCA-12.4 | The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.

P2.1 | AWSCA-12.1; AWSCA-12.3 | The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

P3.1 | AWSCA-1.4; AWSCA-3.6; AWSCA-12.1; AWSCA-12.4 | Personal information is collected consistent with the entity’s objectives related to privacy.

P3.2 | Not Applicable - Customers maintain ownership of their content, and select which AWS services can process, store, and host their content. AWS does not access or use customer content for any purpose without explicit customer consent. Customers are responsible for complying with any regulations or laws around the collection of personal information. | For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.

P4.1 | AWSCA-1.2; AWSCA-1.4; AWSCA-3.6; AWSCA-7.7; AWSCA-11.2; AWSCA-12.4 | The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.

P4.2 | AWSCA-1.2; AWSCA-3.6; AWSCA-7.7; AWSCA-7.8; AWSCA-7.9; AWSCA-12.4 | The entity retains personal information consistent with the entity’s objectives related to privacy.

P4.3 | AWSCA-1.2; AWSCA-5.13; AWSCA-7.7; AWSCA-7.8; AWSCA-7.9 | The entity securely disposes of personal information to meet the entity’s objectives related to privacy.

P5.1 | AWSCA-9.5; AWSCA-12.1; AWSCA-12.5; AWSCA-12.6; AWSCA-12.7 | The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.

P5.2 | AWSCA-9.5; AWSCA-12.1; AWSCA-12.5; AWSCA-12.6; AWSCA-12.7 | The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.

P6.1 | AWSCA-11.2; AWSCA-12.1; AWSCA-12.4; AWSCA-12.7; AWSCA-12.9; AWSCA-12.11 | The entity discloses personal information to third parties with the explicit consent of data subjects and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.

P6.2 | AWSCA-12.7 | The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.

P6.3 | AWSCA-8.1; AWSCA-8.2; AWSCA-9.5; AWSCA-10.3; AWSCA-12.5 | The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy.

P6.4 | AWSCA-11.1; AWSCA-11.2; AWSCA-11.3; AWSCA-12.4; AWSCA-12.5 | The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

P6.5 | AWSCA-8.1; AWSCA-8.2; AWSCA-11.1; AWSCA-11.2; AWSCA-11.3; AWSCA-12.5 | The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident-response procedures to meet the entity’s objectives related to privacy.

P6.6 | AWSCA-8.2; AWSCA-12.5 | The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy.

P6.7 | AWSCA-1.2; AWSCA-8.2; AWSCA-12.5; AWSCA-12.7; AWSCA-12.8; AWSCA-12.10; AWSCA-12.12 | The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.

P7.1 | AWSCA-1.2; AWSCA-12.6 | The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy.

P8.1 | AWSCA-1.5; AWSCA-8.2; AWSCA-9.5; AWSCA-9.7; AWSCA-9.8; AWSCA-12.1; AWSCA-12.5 | The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.

Security, Availability, Confidentiality and Privacy Criteria Mapped to AWS Controls & Service Auditor’s Testing Performed and Results

Columns: Controls Specified by AWS | Criteria | Tests Performed by EY | Results of Tests

AWSCA-1.1 (Criteria: CC1.1; CC1.3; CC1.5; CC5.3; CC7.3; CC7.4)
Control: The AWS organization has defined structures, reporting lines with assigned authority and responsibilities to appropriately meet requirements relevant to security, availability, confidentiality, and privacy.
Tests performed by EY:
- Inquired of an AWS IT Security Response Director to ascertain the AWS organization has defined structures, reporting lines with assigned authority, and responsibilities to appropriately meet business requirements, including an information security function. Result: No deviations noted.
- Inspected the organizational chart and the Integrated Information Management System Policy to ascertain the AWS organization has defined structures, reporting lines with assigned authority, and responsibilities to appropriately meet security, availability, confidentiality, and privacy requirements, including an information security function. Result: No deviations noted.
- Inspected the Integrated Information Management System Policy to ascertain the full document was approved within the last year by Security Leadership and that any changes were approved by appropriate members of the Security team. Result: No deviations noted.

AWSCA-1.2 (Criteria: CC1.1; CC1.3; CC1.4; CC1.5; CC2.1; CC2.2; CC5.1; CC5.2; CC5.3; CC6.1; CC6.7; CC7.2; CC7.4; CC9.1; P4.1; P4.2; P4.3; P6.7; P7.1; A1.2; A1.3; C1.1)
Control: AWS maintains formal policies that provide guidance for information security within the organization and the supporting IT environment.
Tests performed by EY:
- Inquired of an AWS Security Assurance Program Manager to ascertain formal security policies exist, including designation of responsibility and accountability for managing the system and controls, and providing guidance for information security within the organization and the supporting IT environment. Result: No deviations noted.
- Inspected the information security policies listed in the System Description and the internal Amazon Policy tool to ascertain they included organization-wide security procedures as guidance for the AWS environment and the supporting IT environment. Result: No deviations noted.

AWSCA-1.3 (Criteria: CC1.5; CC5.1; CC5.2; CC5.3)
Control: Security policies are reviewed and approved on an annual basis by Security Leadership.
Tests performed by EY:
- Inquired of an AWS Security Assurance Program Manager to ascertain the security policies were reviewed and approved at least annually by Security Leadership. Result: No deviations noted.
- Inspected the security policies listed in the System Description and the internal Amazon Policy tool to ascertain they are approved within the last 12 months by reviewing the approval date and Security Leadership approval from the tool logs. Result: No deviations noted.

AWSCA-1.4 (Criteria: CC1.4; CC2.2; CC2.3; CC6.7; P3.1; P4.1)
Control: AWS maintains employee training programs to promote awareness of AWS information security requirements as defined in the AWS Security Awareness Training Policy.
Tests performed by EY:
- Inquired of a Technical Training Operations Specialist to ascertain employee training programs were established to promote awareness of AWS information security and data privacy requirements. Result: No deviations noted.
- For a sample of AWS employees selected from the HR active employees and contractors listing, inspected the training transcript to ascertain the employees completed the Amazon Security Awareness (ASA) training course within 60 days of role assignment and that the training course included information security requirements and data privacy requirements as defined in the AWS Security Awareness Training Policy. Result: No deviations noted.

AWSCA-1.5 (Criteria: CC2.1; CC3.1; CC3.2; CC3.3; CC3.4; CC4.2; CC5.1; CC5.2; CC5.3; CC9.1; CC9.2; A1.2; P8.1)
Control: AWS maintains a formal risk management program to identify, analyze, treat and continuously monitor and report risks that affect AWS’ business objectives and regulatory requirements. The program identifies risks, documents them in a risk register as appropriate, and reports results to leadership at least semi-annually.
Tests performed by EY:
- Inquired of an AWS Senior Regulatory Risk Manager to ascertain a formal risk management program was maintained to identify, analyze, treat, and continuously monitor and report risks that affect AWS’ business objectives, regulatory requirements, and customers. The program identifies risks, documents them in a risk register as appropriate, and reports results to leadership at least semi-annually. Result: No deviations noted.
- Inspected the AWS Risk Management policy to ascertain it was designed to outline how to identify, analyze, treat, and continuously monitor and report risks that affect AWS’ business objectives, regulatory requirements and customers, as well as detailed risk treatment options such as acceptance, avoidance, mitigation, and transfer. Result: No deviations noted.
- For a sample of risks selected from the risk register, inspected relevant documentation to ascertain the risk was identified, analyzed, treated, and monitored by management. Result: No deviations noted.

AWSCA-1.6 (Criteria: CC2.2; CC2.3; CC6.7)
Control: KMS-Specific – Roles and responsibilities for KMS cryptographic custodians are formally documented and agreed to by those individuals when they assume the role or when responsibilities change.
Tests performed by EY:
- Inquired of a Cryptography Technical Program Manager to ascertain roles and responsibilities for KMS cryptographic custodians were formally documented and acknowledged by those individuals when assumed or when responsibilities change. Result: No deviations noted.
- For a sample of individuals selected from the KMS cryptographic custodians group with access to systems that store or use key material, inspected the roles and responsibilities documents to ascertain user responsibilities were formally documented and that the individuals signed the document. Result: No deviations noted.

AWSCA-1.7 (Criteria: CC1.2; CC1.4)
Control: The Amazon Board and its Committees have the required number of independent Board members, and the Board and each Committee member is qualified to serve in such capacity. Annually, Board members complete questionnaires to establish whether they are independent and qualified to serve on each Board Committee under applicable rules.
Tests performed by EY:
- Inquired of the Amazon Corporate Counsel to ascertain the Board and its Committees had the required number of independent Board members, and each Board and Committee member was qualified to serve in such capacity. Result: No deviations noted.
- Inspected Amazon’s Company Bylaws and the Company’s Corporate Governance guidelines to ascertain they defined the number and roles of officers on the Board of Directors and their responsibilities. Result: No deviations noted.
- Inspected the annual Board member questionnaire to ascertain the questionnaires were completed by all Board members and included questions to establish whether members were independent and qualified to serve on each part of the Board Committee under the applicable bylaws and guidelines. Result: No deviations noted.

AWSCA-1.8 (Criteria: CC1.2; CC1.4)
Control: The Board of Directors conducts an annual assessment of individual Board members and overall Board performance. The Nominating and Corporate Governance Committee periodically reviews and assesses the composition of the Board. The Leadership Development and Compensation Committee, with the full Board present, annually evaluates the succession plan for each member of the senior management team. As part of the annual Company and CEO Performance review, the Board reviews the succession plan for the CEO.
Tests performed by EY:
- Inquired of the Amazon Corporate Counsel to ascertain the Board of Directors conducted an annual assessment of individual Board members and overall Board performance, the Nominating and Corporate Governance Committee periodically reviewed and assessed the composition of the Board, and the Leadership Development and Compensation Committee evaluated the succession plan for each member of the senior management team, including the CEO. Result: No deviations noted.
- Inspected the Nominating and Corporate Governance meeting minutes to ascertain the annual assessment and review of the composition of the Board of Directors was discussed and completed. Result: No deviations noted.
- Inspected the Board of Directors meeting minutes to ascertain that the Board reviewed the succession plan for the CEO and senior management team as part of the annual Company and CEO performance review. Result: No deviations noted.

Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
AWSCA-1.9: AWS CC2.1; Inquired of the Financial Planning and No deviations noted.
prepares and CC2.2; Analysis Director to ascertain AWS prepared
consolidates the CC3.1; and consolidated the operational planning

F
operational planning CC3.2 document annually including operational and

QE
document annually. performance objectives as well as regulatory
The operational plan and compliance requirements with sufficient
includes operational clarity to enable the identification and
and performance assessment of risks relating to objectives.

3F
objectives, regulatory
Inspected the Operational Plan related to the No deviations noted.
and compliance
requirements with creation of the operational planning

ab
sufficient clarity to document to ascertain it included
enable the operational and performance objectives as
identification and well as regulatory and compliance
M
assessment of risks requirements that identified and assessed
relating to objectives. risks relating to those objectives.
rro

AWSCA-1.10: AWS CC2.1; Inquired of the AWS Data Center Risk No deviations noted.
has a process in place CC3.1; Management Head to ascertain
to review CC3.2; environmental and geo-political risks were
ap

environmental and CC3.3; reviewed before launching new data center


geo-political risks CC3.4; regions.
before launching a CC4.1;
W

new region. CC4.2; For all new in-scope data center regions No deviations noted.
CC5.1; selected from the data center inventory
RK

CC5.2; system, inspected review documentation to


CC5.3; ascertain a review of environmental and
geopolitical risks was performed before the
CC9.1;
new data center region was launched.
E

CC9.2;
A1.2
n-

AWSCA-2.1: User CC6.1; Inquired of an Employee Onboarding No deviations noted.


access to the CC6.2; Software Development Engineer to ascertain
ke

internal Amazon CC6.3 user access to the internal Amazon network


network is not was not activated unless an active record was
-to

provisioned unless created in the HR System by Human


an active record is Resources, that access was automatically
created in the HR provisioned with least privilege per job
System by Human function, and that first-time passwords were
rm

Resources. Access is set to a unique value and changed


automatically immediately after first use.
te

AWS Confidential
116
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

Controls Specified by AWS | Criteria | Tests Performed by EY | Results of Tests

(Control description continued from the previous page) ...provisioned with least privilege per job function. First time passwords are set to a unique value and changed immediately after first use.
Tests performed by EY:
1. Inspected the system configurations responsible for provisioning access to the internal Amazon network to ascertain access to Windows and UNIX user accounts could not be provisioned unless an active record was created in the HR System by Human Resources, that access was provisioned automatically with least privilege per job function prior to employee start dates, and that first time passwords were configured to create a unique value and were required to be changed immediately after first use. Result: No deviations noted.
2. For one corporate new hire and one associate new hire selected from an HR system generated listing of new hires, inspected the employee's HR System record to ascertain the HR system activated the employee's record prior to the creation of an employee's Windows and UNIX accounts and that the first-time passwords are changed immediately after employee's first use of the account. Result: No deviations noted.

AWSCA-2.2: IT access above least privileged, including administrator accounts, is approved by appropriate personnel prior to access provisioning.
Criteria: CC6.1; CC6.2; CC6.3; CC6.7; CC6.8
Tests performed by EY:
1. Inquired of Software Development Managers to ascertain IT access above least privileged, including administrator accounts, was approved by appropriate personnel prior to access provisioning. Result: No deviations noted.
2. Inspected the system configurations responsible for the access provisioning process to ascertain IT access above least privileged, including administrator accounts, was required to be approved by appropriate personnel prior to automatic access provisioning. Result: No deviations noted.
3. For one active employee, inspected the process of access provisioning to ascertain approval of the access was provided by appropriate personnel prior to the automatic provisioning of the access. Result: No deviations noted.
4. For one active manager who met the access rules, inspected the access provisioning process to ascertain the manager could not add users who were not their direct reports. Result: No deviations noted.
5. For one active manager that did not meet the access rules, inspected the access provisioning process to ascertain the manager could not add users. Result: No deviations noted.

AWS Confidential
117
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests
AWSCA-2.3: IT access privileges are reviewed on a periodic basis by appropriate personnel.
Criteria: CC6.1; CC6.2; CC6.3; CC6.7; CC6.8
Tests performed by EY:
1. Inquired of Software Development Managers to ascertain access to systems supporting the infrastructure and network above least privilege was reviewed and approved on a quarterly basis by appropriate personnel. Result: No deviations noted.
2. Inquired of Software Development Managers to ascertain access to internal AWS accounts above least privilege was reviewed and approved on a semi-annual basis by appropriate personnel. Result: No deviations noted.
3. Inspected the system configurations responsible for the access review process to ascertain IT infrastructure and network access privileges were reviewed on a quarterly basis by appropriate personnel or access was automatically removed. Result: No deviations noted.
4. Inspected the system configurations responsible for the temporary access revocation process to ascertain that when the temporary privileges to resources expired, access to the resources was automatically removed. Result: No deviations noted.
5. Inspected the system configurations responsible for the internal transfer revocation process to ascertain when users transferred internally, access to the previous resources was automatically removed. Result: No deviations noted.
6. Selected an active access group of IT infrastructure and network access privileges marked for removal as part of the user access review process and inspected the access log to ascertain access was automatically revoked. Result: No deviations noted.
7. Observed a Software Development Manager mark an active internal AWS account for removal as part of the user access review process and inspected the account after the review to ascertain access was automatically revoked. Result: No deviations noted.
8. Selected a user with temporary access to the IT infrastructure and network access privileges to ascertain that when the temporary privileges to the resource expired, access was automatically revoked. Result: No deviations noted.
9. Selected an active access group of IT infrastructure and network access privileges that was not reviewed during the quarter and inspected the access log to ascertain access privileges were automatically revoked. Result: No deviations noted.
10. Selected an active access group and inspected the access review process to ascertain IT infrastructure and network access privileges were reviewed quarterly by appropriate personnel. Result: No deviations noted.
11. Selected a sample of AWS accounts from a system generated listing of active internal AWS accounts and inspected the access review process to ascertain internal AWS account access privileges were reviewed semi-annually by appropriate personnel. Result: No deviations noted.

AWSCA-2.4: User access to Amazon systems is revoked within 24 hours of the employee record being terminated (deactivated) in the HR System by Human Resources.
Criteria: CC6.1; CC6.2; CC6.3
Tests performed by EY:
1. Inquired of a Sr Screening and Work Authorization SDM to ascertain access to systems was automatically revoked within 24 hours of an employee record being terminated (deactivated) in the HR System. Result: No deviations noted.
2. Inspected the system configurations responsible for terminating access to Amazon systems, to ascertain access to Windows and UNIX user accounts were configured to be automatically revoked within 24 hours after an employee's record was terminated (deactivated) in the HR System by Human Resources. Result: No deviations noted.
3. For one terminated employee, inspected the employee's HR system record, to ascertain access to the Amazon systems was automatically revoked within 24 hours on both Unix/LDAP and Windows/AD accounts. Result: No deviations noted.
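The 24-hour revocation rule in AWSCA-2.4 is the kind of control a customer can reconcile against their own HR and directory exports. The following is an added example of such a check over constructed sample records, not AWS's tooling or anything from this report; the record layout, field names and the orphan-account check are assumptions.

```python
"""Reconcile HR terminations against directory accounts for the 24-hour revocation rule.

Added illustrative check, not AWS's own tooling: it joins an HR export with
Windows/AD and Unix/LDAP account exports and flags any account that was still
enabled more than 24 hours after the HR record was terminated, or that was
disabled only after that deadline. All records below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

REVOCATION_SLA = timedelta(hours=24)


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    terminated_at: Optional[datetime]   # None: employee is still active in HR


@dataclass(frozen=True)
class DirectoryAccount:
    employee_id: str
    directory: str                      # "AD" (Windows) or "LDAP" (Unix)
    enabled: bool
    disabled_at: Optional[datetime]     # when the account was disabled, if ever


@dataclass(frozen=True)
class Finding:
    employee_id: str
    directory: str
    reason: str


def find_revocation_gaps(hr: Iterable[HrRecord],
                         accounts: Iterable[DirectoryAccount],
                         now: datetime) -> list[Finding]:
    """One Finding per account that breached the 24-hour revocation deadline."""
    terminated = {r.employee_id: r.terminated_at for r in hr if r.terminated_at}
    findings: list[Finding] = []
    for acct in accounts:
        term = terminated.get(acct.employee_id)
        if term is None:
            continue                    # active employee: nothing to check
        deadline = term + REVOCATION_SLA
        if acct.enabled:
            if now > deadline:          # inside the window revocation may still be pending
                hours = (now - term).total_seconds() / 3600
                findings.append(Finding(acct.employee_id, acct.directory,
                                        f"still enabled {hours:.0f}h after termination"))
        elif acct.disabled_at is None or acct.disabled_at > deadline:
            findings.append(Finding(acct.employee_id, acct.directory,
                                    "disabled later than 24h after termination"))
    return findings


def find_orphan_accounts(hr: Iterable[HrRecord],
                         accounts: Iterable[DirectoryAccount]) -> list[DirectoryAccount]:
    """Enabled accounts with no HR record at all: HR-driven revocation can never fire for them."""
    known = {r.employee_id for r in hr}
    return [a for a in accounts if a.enabled and a.employee_id not in known]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample exports (not real data).
NOW = _ts("2024-03-10T12:00:00")
SAMPLE_HR = [
    HrRecord("E100", _ts("2024-03-01T09:00:00")),
    HrRecord("E200", _ts("2024-03-10T02:00:00")),   # terminated 10h ago: still in window
    HrRecord("E300", None),                         # active employee
    HrRecord("E400", _ts("2024-03-05T08:00:00")),
]
SAMPLE_ACCOUNTS = [
    DirectoryAccount("E100", "AD", False, _ts("2024-03-01T15:00:00")),    # revoked in 6h: ok
    DirectoryAccount("E100", "LDAP", True, None),                         # never revoked
    DirectoryAccount("E200", "AD", True, None),                           # within the SLA
    DirectoryAccount("E300", "AD", True, None),                           # active employee
    DirectoryAccount("E400", "AD", False, _ts("2024-03-07T08:00:00")),    # revoked after 48h
    DirectoryAccount("E400", "LDAP", False, _ts("2024-03-05T20:00:00")),  # revoked in 12h: ok
    DirectoryAccount("E999", "LDAP", True, None),                         # no HR record
]

if __name__ == "__main__":
    for f in find_revocation_gaps(SAMPLE_HR, SAMPLE_ACCOUNTS, NOW):
        print(f"GAP    {f.employee_id} {f.directory}: {f.reason}")
    for a in find_orphan_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"ORPHAN {a.employee_id} {a.directory}: enabled account without HR record")
```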

AWSCA-2.5: Password settings are managed in compliance with Amazon.com's Password Policy.
Criteria: CC6.1; CC6.3
Tests performed by EY:
1. Inquired of a Corporate Systems Manager and Corporate Response Manager to ascertain password complexity, length, maximum age, history, lockout and credential monitoring was enforced per the Amazon.com Password Policy. Result: No deviations noted.
2. Inspected the password configurations in the Active Directory domain to ascertain they were configured to enforce the Amazon.com Password Policy, including:
   • Passwords must be at least eight (8) characters long
   • Passwords must contain a combination of letters, numbers, and special characters
   • Passwords must not contain the user's real name or username
   • Passwords must not be modifications or increments of a recently used password for the account
   • Accounts are set to lockout after 6 invalid attempts
   Result: No deviations noted.
3. Observed that the following password configurations were enforced according to the Amazon.com Password Policy after attempting to set a combination of out-of-policy passwords using the password tool within the production environment:
   • Passwords must be at least eight characters long
   • Passwords must contain a combination of letters, numbers, and special characters
   • Passwords must not contain the user's real name or username
   • Passwords must not be the same as or similar to a recently used password
   • Passwords must not contain 'Amazon' or any other business name
   Result: No deviations noted.
4. Inspected the credential compromise monitoring configuration to ascertain that tickets for incidents were created automatically and logged within a ticketing system per the Amazon.com Password Policy. Result: No deviations noted.
5. Inspected an incident ticket created for impacted user credentials to ascertain credentials of flagged Amazon accounts were identified, tracked and rotated in a timely manner. Result: No deviations noted.
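The password rules tested under AWSCA-2.5 can be expressed as a validator that reports every rule a candidate breaks. The following is an added example, not Amazon's password tool or its Active Directory configuration; the similarity threshold, the stemming rule used to detect increments of an old password, the business-name list and the sample user are assumptions.

```python
"""Password-policy checks modelled on the AWSCA-2.5 rules EY tested.

Added illustrative code, not Amazon's password tool or its Active Directory
configuration: check_password() returns every listed rule a candidate breaks
and LockoutTracker models the six-invalid-attempt lockout. User names,
password history and the business-name list are constructed sample values.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field

MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 6
SIMILARITY_EDITS = 2          # an edit distance this small counts as "similar" (assumption)
BUSINESS_NAMES = ("amazon",)  # constructed; list every brand name actually in use
_TRAILING = set(string.digits + string.punctuation)


@dataclass
class UserContext:
    username: str
    real_name: str
    previous_passwords: list[str] = field(default_factory=list)


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches one- or two-character tweaks of an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(pw: str) -> str:
    """Lower-case and drop trailing digits/punctuation: 'Maple-Tree2023!' -> 'maple-tree'."""
    s = pw.lower()
    while s and s[-1] in _TRAILING:
        s = s[:-1]
    return s


def _is_reuse(candidate: str, previous: str) -> bool:
    """Same password, a near-identical one, or the same word with a new suffix/increment."""
    c, p = candidate.lower(), previous.lower()
    if c == p or _levenshtein(c, p) <= SIMILARITY_EDITS:
        return True
    return bool(_stem(c)) and _stem(c) == _stem(p)


def check_password(candidate: str, ctx: UserContext) -> list[str]:
    """Return the names of every policy rule the candidate breaks ([] means compliant)."""
    low = candidate.lower()
    broken: list[str] = []
    if len(candidate) < MIN_LENGTH:
        broken.append("length")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate)):
        broken.append("complexity")
    name_parts = [p for p in ctx.real_name.lower().split() if len(p) >= 3]
    if ctx.username.lower() in low or any(p in low for p in name_parts):
        broken.append("contains_name")
    if any(_is_reuse(candidate, old) for old in ctx.previous_passwords):
        broken.append("reuse")
    if any(b in low for b in BUSINESS_NAMES):
        broken.append("business_name")
    return broken


class LockoutTracker:
    """Counts invalid attempts per user and locks the account at the threshold."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def is_locked(self, username: str) -> bool:
        return username in self._locked

    def record_failure(self, username: str) -> bool:
        """Register one invalid attempt; returns True once the account is locked."""
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.threshold:
            self._locked.add(username)
        return self.is_locked(username)


def locked_after(failures: int) -> bool:
    """Is a fresh account locked after this many consecutive invalid attempts?"""
    t = LockoutTracker()
    return any(t.record_failure("probe") for _ in range(failures))


CTX = UserContext("jdoe", "Jane Doe", previous_passwords=["Maple-Tree2023"])  # constructed user

if __name__ == "__main__":
    for pw in ("short1!", "Maple-Tree2024", "JaneDoe!2024", "Amazon#Rocks99", "Correct-Horse-7!"):
        print(f"{pw:18} -> {check_password(pw, CTX) or 'OK'}")
    print("locked after 5 failures:", locked_after(5), "| after 6:", locked_after(6))
```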

AWSCA-2.6: AWS requires two-factor authentication over an approved cryptographic channel for authentication to the internal AWS network from remote locations.
Criteria: CC6.1; CC6.3; CC6.6
Tests performed by EY:
1. Inquired of a Network Development Engineer to ascertain two-factor authentication over an approved cryptographic channel was required to access the Amazon corporate network from remote locations. Result: No deviations noted.
2. Inspected the RADIUS and SAML servers authentication protocol configuration to ascertain authentication to the internal AWS network from remote locations required two-factor authentication over an approved cryptographic channel. Result: No deviations noted.
3. Attempted to login to the Amazon corporate network from a remote location to ascertain both a physical token and password were required to access the Amazon corporate network over an approved cryptographic channel. Result: No deviations noted.

AWSCA-3.1: Firewall devices are configured to restrict access to the computing environment and enforce boundaries of computing clusters.
Criteria: CC6.1; CC6.6; CC7.1; CC8.1
Tests performed by EY:
1. Inquired of an AWS Infrastructure Security Engineer to ascertain firewall devices were configured to restrict access to the computing environment and enforce boundaries of computing clusters. Result: No deviations noted.
2. For a sample of in-scope firewalls selected from a system generated list within the firewall management tool, inspected the access control lists to ascertain the devices were configured to deny all access to the computing environment and enforce boundaries of computing clusters, unless explicitly authorized. Result: No deviations noted.

AWSCA-3.2: Firewall policies (configuration files) are automatically pushed to production firewall devices.
Criteria: CC6.1; CC6.6; CC7.1; CC8.1
Tests performed by EY:
1. Inquired of an AWS Infrastructure Security Engineer to ascertain firewall policies were automatically pushed to production firewall devices. Result: No deviations noted.
2. For a sample of in-scope firewall devices selected from a system generated list within the firewall management tool, inspected the deployment log output to ascertain policies were automatically pushed to production firewall devices. Result: No deviations noted.

AWSCA-3.3: Firewall policy updates are reviewed and approved.
Criteria: CC6.1; CC6.6; CC7.1; CC8.1
Tests performed by EY:
1. Inquired of an AWS Infrastructure Security Engineer to ascertain data center firewall policy updates were reviewed and approved. Result: No deviations noted.
2. For a sample of in-scope firewall policy updates selected from a system generated list within the firewall management tool, inspected approval evidence to ascertain they were reviewed and approved by appropriate personnel prior to implementation. Result: No deviations noted.
3. For a sample of employees selected from a system generated list of individuals eligible to approve ACL requests, inspected the job title and team of the employee to ascertain that approval and user access rights were appropriate. Result: No deviations noted.

AWSCA-3.4: AWS performs external vulnerability assessments at least quarterly, identified issues are investigated and tracked to resolution in a timely manner.
Criteria: CC3.2; CC3.3; CC3.4; CC4.1; CC6.8; CC7.1; CC7.2; CC7.4
Tests performed by EY:
1. Inquired of an AWS Security Engineer to ascertain quarterly external vulnerability assessments were performed and that identified issues were investigated and tracked to resolution. Result: No deviations noted.
2. Inspected the listing of production end points used by the vulnerability assessment tools of the quarterly external vulnerability assessments performed to ascertain production hosts for the in-scope services (that supported public end points) were included in the quarterly scans. Result: No deviations noted.
3. For a sample of quarters, inspected evidence of external vulnerability assessments to ascertain assessments were performed, results were documented, and that the process existed for any identified issues to be tracked, addressed, and resolved in a timely manner. Result: No deviations noted.

AWSCA-3.5: AWS enables customers to select who has access to AWS services and resources that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. Content is only returned to individuals authorized to access the specified AWS service or resource (if resource-level permissions are applicable to the service).
Criteria: CC6.1
Tests performed by EY:
1. Inquired of Software Development Managers and Sr. Software Engineers to ascertain AWS enabled customers to select who had access to AWS services and resources that they owned, that customers were prevented from accessing AWS resources that were not assigned to them via access permissions, and that content was only returned to individuals authorized to access the specific AWS service or resource. Result: No deviations noted.
2. Inspected the configurations in-place for the AWS services that managed external access to AWS services and resources (if resource-level permissions were applicable to the service), to ascertain services were designed to return content only to individuals authorized to access the specified AWS service or resource, and that AWS prevented customers from accessing resources that had not been assigned to them via access permissions. Result: No deviations noted.
3. Observed a user with authorized access permissions attempt to access AWS services and resources, to ascertain that services returned content to individuals authorized to access the specified AWS service or resource. Result: No deviations noted.
4. Observed a user without authorized access permissions attempt to access AWS services and resources, to ascertain that services did not return content to individuals without authorized access to the specified AWS service or resource. Result: No deviations noted.

AWSCA-3.6: AWS performs application security reviews for externally launched products, services, and significant feature additions prior to launch to evaluate whether security risks are identified and mitigated.
Criteria: CC2.1; CC6.1; CC7.1; CC8.1; P3.1; P4.1; P4.2
Tests performed by EY:
1. Inquired of an Application Security Technical Program Manager to ascertain AWS performed application security reviews for launched products, services, and significant feature additions prior to launch to evaluate whether security risks were identified and mitigated. Result: No deviations noted.
2. For a sample of products, services, and significant feature additions selected from a system generated list of trouble tickets representing launches during the period, inspected the Application Security team's review to ascertain the products, services, and significant feature additions were reviewed and approved prior to launch. Result: No deviations noted.


AWSCA-3.7: S3-Specific – Network devices are configured by AWS to only allow access to specific ports on other server systems within Amazon S3.
Criteria: CC6.1; CC6.6
Tests performed by EY:
1. Inquired of an S3 Software Development Engineer to ascertain network devices were configured to only allow access to specific ports on server systems within Amazon S3. Result: No deviations noted.
2. For a sample of S3 network devices selected from a listing of S3 network devices generated from the S3 code repository, inspected the configuration settings to ascertain the devices were configured to only allow access to specified ports. Result: No deviations noted.

AWSCA-3.8: S3-Specific – External data access is logged with the following information: data accessor IP address, object and operation. Logs are retained for at least 90 days.
Criteria: CC6.1; CC6.6
Tests performed by EY:
1. Inquired of an S3 Software Development Engineer to ascertain external data access was logged with the data accessor IP address, object, and operation, and that logs were retained for at least 90 days. Result: No deviations noted.
2. Inspected the configuration settings pushed to the S3 web servers to ascertain the servers were configured to log the data accessor IP address, object, and operation information. Result: No deviations noted.
3. For a sample of AWS Availability Zones (AZs) selected from a listing of AZs generated from the AZ code repository, inspected the environment operational configurations for log retention of external access to data to ascertain that logs were configured to be retained for 90 days. Result: No deviations noted.
4. Observed a Software Development Engineer perform an access operation on an S3 object and inspected the external data access log output after 90 days to ascertain the following information was logged for at least 90 days: data accessor IP accessing the data, object accessed, and operation performed. Result: No deviations noted.
AWSCA-3.9: EC2-Specific – Physical hosts have host-based firewalls to prevent unauthorized access.
Criteria: CC6.1; CC6.6
Tests performed by EY:
1. Inquired of an EC2 Security Engineer to ascertain EC2 physical hosts had host-based firewalls, or access was logically restricted, to prevent unauthorized access. Result: No deviations noted.
2. Inspected the automated configurations responsible for configuring a new host to ascertain that host-based firewalls were automatically added during the build process of new hosts. Result: No deviations noted.
3. Inspected the monitoring configurations of physical hosts to ascertain that monitoring was in place to notify service team members in the case that a physical host did not have an active firewall. Result: No deviations noted.
4. Observed an EC2 Security Engineer make an API request with and without the appropriate token to ascertain a host based access token was required to authorize access to the host. Result: No deviations noted.
5. For a sample of EC2 physical hosts supporting in-scope AWS regions selected from listings of production hosts for each region, inspected the host-based firewall settings to ascertain host-based firewalls were in place and operational to prevent unauthorized access. Result: No deviations noted.

AWSCA-3.10: EC2-Specific – Virtual hosts are behind software firewalls which are configured to prevent TCP/IP spoofing, packet sniffing, and restrict incoming connections to customer-specified ports.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of an EC2 Security Manager to ascertain virtual hosts were behind software firewalls, which prevented TCP/IP spoofing, packet sniffing, and restricted incoming connections to customer-specified ports. Result: No deviations noted.
2. Observed an EC2 Security Engineer create a virtual EC2 host with a firewall configured to communicate with only specified IP addresses and ascertained that communications with the specified IP address were successful. Result: No deviations noted.
3. Observed an EC2 Security Engineer attempt to communicate with an unspecified IP address to ascertain the attempts were denied. Result: No deviations noted.
4. Observed an EC2 Security Engineer create a virtual EC2 host and inspected the IP table configurations to ascertain traffic was routed to prevent TCP/IP spoofing. Result: No deviations noted.
5. Observed an EC2 Security Engineer create two EC2 instances on a single physical EC2 host and generate network traffic on each instance to ascertain neither of the instances was able to packet sniff the traffic of the other instance. Result: No deviations noted.
AWSCA-3.11: EC2-Specific – AWS prevents customers from accessing custom AMIs not assigned to them by a property of the AMI called launch-permissions. By default, the launch-permissions of an AMI restrict its use to the customer/account that created and registered it.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of an EC2 Security Manager to ascertain AWS prevented customers from accessing custom AMIs not assigned to them by default launch-permissions. Result: No deviations noted.
2. Inspected the AMI launch-permissions configuration within the AWS console to ascertain that by default the launch permission of an AMI restricted its use to the account that created it unless the customer granted access permissions. Result: No deviations noted.
3. Created an AMI, attempted to access the AMI without the designated launch permissions, and inspected the error message within the AWS management console, to ascertain access was restricted. Result: No deviations noted.

AWSCA-3.12: EC2-Specific – AWS prevents customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of an EC2 Security Manager to ascertain customers were restricted from accessing physical hosts or instances not assigned to them by filtering through the virtualization software. Result: No deviations noted.
2. Observed an EC2 Security Engineer attempt to IP ping the physical EC2 host from an EC2 instance within the host, to ascertain the physical host was isolated from the instances. Result: No deviations noted.
3. Observed an EC2 Security Engineer attempt to access a file stored on an EC2 instance from the physical EC2 host the instance was located on, to ascertain the instances located on physical hosts were unable to be accessed. Result: No deviations noted.
4. Observed an EC2 Security Engineer attempt to access a file stored on an EC2 instance from a different instance on the same physical EC2 host, to ascertain the instances on the same physical hosts were isolated from one another. Result: No deviations noted.
AWSCA-3.13: VPC-Specific – Network communications within a VPC are isolated from network communications within other VPCs.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of an EC2 Networking Software Development Engineer to ascertain network communications between different VPCs were isolated from one another. Result: No deviations noted.
2. Observed an EC2 Networking Software Development Engineer configure the VPC infrastructure for two VPCs and attempt to communicate between instances across the two VPCs to ascertain network communication between the two VPCs was isolated. Result: No deviations noted.

AWSCA-3.14: VPC-Specific – Network communications within a VPN Gateway are isolated from network communications within other VPN Gateways.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of an EC2 Networking Software Development Engineer to ascertain network communications between VPN gateways were isolated from one another. Result: No deviations noted.
2. Observed an EC2 Networking Software Development Engineer configure a VPC infrastructure with two VPN Gateways and attempt to communicate between instances across the two VPN Gateways, to ascertain network communication between VPN gateways was isolated. Result: No deviations noted.

AWSCA-3.15: VPC-Specific – Internet traffic through an Internet Gateway is forwarded to an instance in a VPC only when an Internet Gateway is attached to the VPC and a public IP is mapped to the instance in the VPC.
Criteria: CC6.1
Tests performed by EY:
1. Inquired of a Sr. Software Engineer, EC2 VPC to ascertain internet traffic through an Internet Gateway was only forwarded to an instance in a VPC when an Internet Gateway was attached to the VPC, and a public IP was mapped to the instance in the VPC. Result: No deviations noted.
2. Created a VPC, attached an Internet Gateway, allocated a public IP, and per inspection of traffic on an instance, ascertained traffic was successfully forwarded. Result: No deviations noted.
3. Removed the Internet Gateway and public IP from the VPC and per inspection of the traffic on the instance, ascertained traffic was prevented from being forwarded. Result: No deviations noted.


AWSCA-3.16: AWS maintains formal policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. The mobile device policy provides guidance on:
• Use of mobile devices.
• Protection of devices that access content for which Amazon is responsible.
• Remote wipe capability.
• Password-guessing protection restrictions.
• Remote data synchronization requirements.
• Security patch requirements.
• Approved methods for accessing Amazon data.
Criteria: CC6.4; CC6.7; CC8.1
Tests performed by EY:
1. Inquired of an AWS Risk Management Program Manager to ascertain formal policies and procedures for the use of mobile devices existed and included guidance for operations and information security for organizations that support AWS environments. Result: No deviations noted.
2. Inspected the AWS internal website to ascertain formal policies and procedures for the use of mobile devices were available to AWS employees. Result: No deviations noted.
3. Inspected the mobile device policy to ascertain it included organization-wide security procedures as guidance for the AWS environment regarding:
   • Use of mobile devices
   • Protection of devices that access content for which Amazon is responsible
   • Remote wipe capability
   • Password-guessing protection restrictions
   • Remote synchronization requirements
   • Security patch requirements
   • Approved methods for accessing Amazon data
   Result: No deviations noted.
AWSCA-3.17: Outposts-Specific – Service link is established between Outposts and AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect.
Criteria: CC6.1; CC6.7
Tests performed by EY:
1. Inquired of an AWS Senior Software Development Manager to ascertain a Service link was established between Outposts and AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect. Result: No deviations noted.
2. Inspected the Outpost configurations to ascertain a Service link was established between Outposts and AWS Region by use of a secured VPN connection over the public internet or AWS Direct Connect. Result: No deviations noted.
3. Inspected dashboards of an active Outpost to ascertain the health of the secure VPN connection between Outpost and AWS region was tracked and monitored. Result: No deviations noted.
4. Inspected the monitoring configurations of an active Outpost to ascertain alarming around the secure VPN connection was configured to notify service team members in the case of network issues. Result: No deviations noted.

AWSCA-3.18: Anti-virus software is installed, updated and running on workstations.
Criteria: CC6.7; CC6.8
Tests performed by EY:
1. Inquired of an AWS Security Platform Manager to ascertain anti-virus software was installed, updated, and running on workstations. Result: No deviations noted.
2. Inspected the anti-virus configurations on the administrator console for the imaging of workstations to ascertain the anti-virus software was in place to monitor for malicious code, was automatically updated with new release or virus definitions and prevented end-users from disabling the service. Result: No deviations noted.
3. Inspected a workstation that had disabled anti-virus software to ascertain that the workstation was in process of being isolated from the network. Result: No deviations noted.
4. Inspected a workstation to ascertain anti-virus software was installed, updated and running in accordance with the AWS System and Information Integrity Policy. Result: No deviations noted.

AWSCA-3.19: S3-Specific – All new objects uploaded to Amazon S3 are automatically encrypted with server-side encryption.
Criteria: CC6.1; CC6.7
Tests performed by EY:
1. Inquired of a Software Development Engineer to ascertain new objects uploaded to Amazon S3 were automatically encrypted with server-side encryption. Result: No deviations noted.
2. Inspected the code configurations to ascertain new objects uploaded to Amazon S3 were automatically encrypted with server-side encryption. Result: No deviations noted.
3. Observed a Software Development Engineer upload a new object to a general-purpose S3 bucket, and inspected the object's attributes to ascertain the newly uploaded object was encrypted with server-side encryption. Result: No deviations noted.
ap

AWSCA-4.1: EC2-Specific – Upon initial communication with an AWS-provided Linux AMI, AWS enables secure communication by SSH configuration on the instance, by generating a unique host-key and delivering the key’s fingerprint to the user over a trusted channel.
Criteria: CC6.7
Tests performed by EY:
- Inquired of a Technical Program Manager to ascertain upon initial communication with an AWS-provided Linux AMI, AWS enabled a secure communication by SSH configuration on the instance by generating and delivering a unique host-key fingerprint to the user over a trusted channel. Result: No deviations noted.
- Launched a public Linux AMI EC2 instance and inspected the EC2 console to ascertain the unique host-key fingerprint was accessible from the system log. Result: No deviations noted.
- Using the launched public Linux AMI EC2 instance, connected to the instance via SSH using the unique host-key fingerprint and inspected the connection logs to ascertain the unique host-key fingerprint was listed. Result: No deviations noted.
- Launched a second public Linux AMI EC2 instance and inspected the EC2 console and instance connection logs to ascertain the unique host-key fingerprint was different from the first instance. Result: No deviations noted.
- Using the second public Linux AMI EC2 instance, attempted to connect to the instance via SSH using the first instance's unique host-key fingerprint and observed the attempt was rejected by the system, to ascertain that the connection to a Linux AMI EC2 instance could only be performed using the instance's unique host-key fingerprint. Result: No deviations noted.

AWS Confidential
133
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests
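The customer-side half of AWSCA-4.1, as an added example that is not part of the report or of AWS tooling: the host-key fingerprint printed to the instance system log (the trusted channel) is compared with the key the SSH server actually presents, and a fingerprint from a different instance is rejected. It assumes cloud-init's fingerprint block layout and OpenSSH's SHA256 fingerprint format; all key material is constructed.

```python
"""Check an SSH host key against the fingerprint published in an EC2 system log.

Added example, not from the SOC 2 report. Assumptions (not stated in the report):
the system log contains cloud-init's block between
'-----BEGIN SSH HOST KEY FINGERPRINTS-----' and '-----END SSH HOST KEY FINGERPRINTS-----'
with one 'ssh-keygen -l' style line per key, and fingerprints use OpenSSH's
'SHA256:<unpadded base64>' form. Every key below is constructed test data.
"""
import base64
import hashlib
import re

BEGIN_MARK = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END_MARK = "-----END SSH HOST KEY FINGERPRINTS-----"

# Wire key type (first word of a public key line) -> label ssh-keygen -l prints.
KEY_TYPE_LABEL = {
    "ssh-ed25519": "ED25519",
    "ssh-rsa": "RSA",
    "ecdsa-sha2-nistp256": "ECDSA",
}

# e.g. "256 SHA256:abc... root@ip-10-0-0-11 (ED25519)"
FP_LINE = re.compile(r"^\s*\d+\s+(SHA256:[A-Za-z0-9+/]+)\s+.*\((\w+)\)\s*$")


def ssh_fingerprint(public_key_line: str) -> str:
    """OpenSSH SHA256 fingerprint of a '<type> <base64 blob> [comment]' line."""
    blob = base64.b64decode(public_key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_console_fingerprints(console_output: str) -> dict[str, str]:
    """Map key-type label -> fingerprint from the block in the system log."""
    found, inside = {}, False
    for line in console_output.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
        elif stripped == END_MARK:
            inside = False
        elif inside:
            m = FP_LINE.match(line)
            if m:
                found[m.group(2)] = m.group(1)
    return found


def host_key_matches_console(presented_key_line: str, console_output: str) -> bool:
    """True only when the presented key matches the out-of-band fingerprint.

    A key type the log never listed is rejected, not silently accepted.
    """
    label = KEY_TYPE_LABEL.get(presented_key_line.split()[0])
    expected = parse_console_fingerprints(console_output).get(label)
    return expected is not None and expected == ssh_fingerprint(presented_key_line)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def constructed_ed25519_key(point: bytes) -> str:
    """Syntactically valid ssh-ed25519 line from 32 arbitrary bytes (constructed, not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def constructed_console_output(key_line: str, private_ip: str) -> str:
    """Minimal system-log excerpt in cloud-init's layout (constructed)."""
    return "\n".join([
        "[    5.901] cloud-init: Generating public/private ed25519 key pair.",
        BEGIN_MARK,
        f"256 {ssh_fingerprint(key_line)} root@ip-{private_ip.replace('.', '-')} (ED25519)",
        END_MARK,
        "ec2: #############################################################",
    ])


def demo() -> tuple[bool, bool]:
    """Mirror the auditor's two connection tests for AWSCA-4.1.

    First: instance A's own key against A's log (verifies).
    Second: instance B's key against A's fingerprint (rejected).
    """
    key_a = constructed_ed25519_key(bytes(range(32)))
    key_b = constructed_ed25519_key(bytes(range(32, 64)))
    log_a = constructed_console_output(key_a, "10.0.0.11")
    return (
        host_key_matches_console(key_a, log_a),  # True
        host_key_matches_console(key_b, log_a),  # False
    )


if __name__ == "__main__":
    print(demo())
```

The same SHA256 value is what `ssh-keygen -l -f <key>.pub` prints and what the ssh client shows in its "authenticity of host" prompt, so the comparison can be done by eye as well as in code.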

AWSCA-4.2: EC2-Specific – Upon initial communication with an AWS-provided Windows AMI, AWS enables secure communication by configuring Windows Terminal Services on the instance by generating a unique self-signed server certificate and delivering the certificate’s thumbprint to the user over a trusted channel.
Criteria: CC6.7
Tests performed by EY:
- Inquired of a Technical Program Manager to ascertain upon initial communication with an AWS-provided Windows AMI, AWS enabled a secure communication by configuring Windows Terminal Services on the instance by generating a unique self-signed server certificate and delivering the certificate’s thumbprint to the user over a trusted channel. Result: No deviations noted.
- Launched a public Windows AMI EC2 instance and inspected the EC2 console and the system log to ascertain the self-signed server certificate was accessible. Result: No deviations noted.
- Using the launched public Windows AMI EC2 instance, connected to the instance using the unique self-signed server certificate to ascertain the connection logs matched the unique self-signed server certificate from the instance’s EC2 console system log. Result: No deviations noted.
- Launched a second public Windows AMI EC2 instance and inspected the EC2 console and instance connection logs to ascertain the unique self-signed server certificate was different than for the first instance. Result: No deviations noted.
- Using the second public Windows AMI EC2 instance, attempted to connect to the instance using the first instance's unique self-signed server certificate and observed the attempt was rejected by the system, to ascertain that connection to a Windows AMI EC2 instance can only be performed using the instance's unique self-signed server certificate. Result: No deviations noted.

AWSCA-4.3: VPC-Specific – Amazon enables secure VPN communication to a VPN Gateway by providing a shared secret key that is used to establish IPSec Associations.
Criteria: CC6.7
Tests performed by EY:
- Inquired of a VPC Manager of Software Development to ascertain Amazon enabled secure VPN communication to a VPN Gateway through a secret key that established IPSec Associations. Result: No deviations noted.
- Observed a VPC Manager of Software Development use the shared secret key to establish IPSec Associations to ascertain the connection was successful. Result: No deviations noted.
- Observed the VPC Manager of Software Development alter the shared secret key to establish IPSec Security Associations to ascertain the connection was unsuccessful. Result: No deviations noted.

AWSCA-4.4: S3-Specific – S3 generates and stores a one-way salted HMAC of the customer encryption key. This salted HMAC value is not logged.
Criteria: CC6.1; CC6.7
Tests performed by EY:
- Inquired of an S3 Software Development Engineer to ascertain S3 generated and stored a one-way salted HMAC of the customer encryption key, and that the salted HMAC value was not logged. Result: No deviations noted.
- Observed an S3 Software Development Engineer upload an encrypted object to S3 and inspected the metadata for the stored object to ascertain the encryption information included a one-way salted HMAC of the customer encryption key. Result: No deviations noted.
- Observed an S3 Software Development Engineer upload an encrypted object to S3 and searched the S3 host logs for the one-way salted HMAC value to ascertain it was not logged. Result: No deviations noted.
- Observed an S3 Software Development Engineer attempt to decrypt an object in S3 with an incorrect encryption key to ascertain the decrypt function failed and the object was unreadable. Result: No deviations noted.

AWSCA-4.5: KMS-Specific – KMS keys used for cryptographic operations in KMS are logically secured so that no AWS employee can gain access to the key material.
Criteria: CC6.1
Tests performed by EY:
- Inquired of an AWS Cryptography Software Development Engineer to ascertain no AWS employee could gain logical access to the hardened security modules where customer keys were used for cryptographic operations. Result: No deviations noted.
- Inspected the configurations for gaining logical access to the hardened security module to ascertain KMS keys used for cryptographic operations in KMS were logically secured so that no AWS employee could gain access to the key material. Result: No deviations noted.
- Inspected the KMS key material access configurations to ascertain no single AWS employee could modify rulesets, host or operator membership to the domain of the hardened security appliance. Result: No deviations noted.
- Observed an AWS Cryptography Software Development Engineer attempt to gain logical access to the hardened security module where customer keys were used in memory to ascertain this was not possible. Result: No deviations noted.
- Observed an AWS Cryptography Software Development Engineer attempt to remove a host or operator without meeting the quorum rules to ascertain the actions resulted in a quorum rule error. Result: No deviations noted.

AWSCA-4.6: KMS-Specific – AWS Services that integrate with AWS KMS for key management use a 256-bit data key locally to protect customer content.
Criteria: CC6.1; CC6.7
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain AWS Services which integrate with AWS KMS for key management used a 256-bit AES data key locally to protect customer content. Result: No deviations noted.
- Inspected the API call configurations of the services which integrated with KMS for services that stored customer content to ascertain each service was configured to send 256-bit AES key requests to KMS. Result: No deviations noted.

AWSCA-4.7: KMS-Specific – The key provided by KMS to integrated services is a 256-bit key and is encrypted with a 256-bit AES key unique to the customer’s AWS account.
Criteria: CC6.1; CC6.7
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain keys provided by KMS to integrated services were 256-bit AES keys and were themselves encrypted by 256-bit AES keys unique to each customer’s AWS account. Result: No deviations noted.
- Inspected the KMS key creation configuration to ascertain KMS keys created by KMS utilized the AES-256 cryptographic algorithm. Result: No deviations noted.
- Inspected the KMS encryption activity configuration to ascertain 256-bit AES keys were returned for 256-bit AES key requests coming from the integrated KMS services to encrypt customer data. Result: No deviations noted.
- Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS to ascertain a KMS key was used to encrypt a 256-bit AES data encryption key (which was used to encrypt the content) as requested from the service. Result: No deviations noted.
- Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS and then attempt to access the data without decrypting to ascertain it was unreadable. Result: No deviations noted.
- Observed an AWS Cryptography Software Development Engineer create a resource with content enabled for encryption using KMS and then attempt to decrypt the data using the required 256-bit AES data encryption key to ascertain the data was successfully decrypted. Result: No deviations noted.
- Uploaded test data using a KMS-integrated service encrypted with a data encryption key, encrypted by a KMS key relating to an AWS account and attempted to perform the same activity, using another AWS account, calling upon the same KMS key to observe an upload failure occurred due to an authorization failure caused by a mismatch between the owner of the KMS key and the AWS account. Result: No deviations noted.

AWSCA-4.8: KMS-Specific – Requests in KMS are logged in AWS CloudTrail.
Criteria: CC6.1
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain API calls made by the AWS services that integrate with KMS were captured when the logging feature was enabled. Result: No deviations noted.
- Inspected the configuration for KMS logging to ascertain requests in KMS were designed to be logged in AWS CloudTrail. Result: No deviations noted.
- Enabled CloudTrail logging on a service that integrated with KMS, uploaded data using a KMS key for encryption, and downloaded the same file for decryption and inspected the logs in AWS CloudTrail to ascertain activity from both encryption and decryption API calls was logged. Result: No deviations noted.
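The auditor's last test for AWSCA-4.8, and the cross-account failure from AWSCA-4.7, run over CloudTrail records instead of a live account, as an added example that is not part of the report or of any AWS tool: it confirms both the encryption-side and decryption-side KMS calls for a key were logged and lists denied calls from an account that does not own the key. The records, key ARN, account IDs and error text are constructed; only standard CloudTrail field names are relied on.

```python
"""Confirm KMS encrypt/decrypt round trips and denied cross-account calls in CloudTrail.

Added example, not from the SOC 2 report. The trail below is constructed: the key
ARN and account IDs are placeholders and the records are shaped like CloudTrail
'AwsApiCall' events for kms.amazonaws.com.
"""
import json
from collections import Counter, defaultdict
from typing import Optional

KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-0000000000aa"  # placeholder

ENCRYPT_SIDE = {"Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                "GenerateDataKeyPair", "ReEncrypt"}
DECRYPT_SIDE = {"Decrypt", "ReEncrypt"}


def _record(event_name: str, caller_account: str, error_code: Optional[str] = None) -> dict:
    """One constructed CloudTrail record for a KMS API call made on behalf of S3."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "accountId": caller_account,
                         "arn": f"arn:aws:iam::{caller_account}:user/constructed",
                         "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"keyId": KEY_ARN,
                              "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::constructed-bucket/obj"}},
        "resources": [{"accountId": "111111111111", "type": "AWS::KMS::Key", "ARN": KEY_ARN}],
        "eventType": "AwsApiCall",
        "recipientAccountId": caller_account,
    }
    if error_code:
        rec["errorCode"] = error_code
        rec["errorMessage"] = "constructed: caller is not authorized to use this key"
    return rec


# Constructed trail: upload (data key generated), download (data key unwrapped),
# a Decrypt attempt from a second account, and an unrelated S3 event.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("GenerateDataKey", "111111111111"),
    _record("Decrypt", "111111111111"),
    _record("Decrypt", "222222222222", "AccessDeniedException"),
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventType": "AwsApiCall",
     "userIdentity": {"accountId": "111111111111"}, "recipientAccountId": "111111111111"},
]})


def kms_records(trail_json: str) -> list:
    """Only the KMS API calls; other services' events are ignored."""
    return [r for r in json.loads(trail_json)["Records"] if r.get("eventSource") == "kms.amazonaws.com"]


def key_owner(record: dict) -> Optional[str]:
    """Account that owns the key, from the record's resources entry."""
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("accountId")
    return None


def key_arn_of(record: dict) -> Optional[str]:
    """Key the call was made against: the resources entry, else requestParameters.keyId."""
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return (record.get("requestParameters") or {}).get("keyId")


def summarize_kms_activity(trail_json: str) -> dict:
    """Per key ARN, how many successful calls of each KMS API were logged."""
    summary = defaultdict(Counter)
    for r in kms_records(trail_json):
        arn = key_arn_of(r)
        if arn and not r.get("errorCode"):
            summary[arn][r["eventName"]] += 1
    return {arn: dict(c) for arn, c in summary.items()}


def round_trip_logged(trail_json: str, key_arn: str) -> bool:
    """True when both an encryption-side and a decryption-side call were logged for the key."""
    names = set(summarize_kms_activity(trail_json).get(key_arn, {}))
    return bool(names & ENCRYPT_SIDE) and bool(names & DECRYPT_SIDE)


def denied_cross_account_calls(trail_json: str) -> list:
    """(eventName, caller account, errorCode) for failed calls from a non-owning account."""
    hits = []
    for r in kms_records(trail_json):
        owner, caller = key_owner(r), r.get("userIdentity", {}).get("accountId")
        if r.get("errorCode") and owner and caller != owner:
            hits.append((r["eventName"], caller, r["errorCode"]))
    return hits


if __name__ == "__main__":
    print(summarize_kms_activity(SAMPLE_TRAIL))
    print(round_trip_logged(SAMPLE_TRAIL, KEY_ARN))       # True
    print(denied_cross_account_calls(SAMPLE_TRAIL))       # [('Decrypt', '222222222222', 'AccessDeniedException')]
```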

AWSCA-4.9: KMS-Specific – KMS endpoints can only be accessed by customers using TLS with cipher suites that support forward secrecy.
Criteria: CC6.1; CC6.7
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain KMS endpoints could only be accessed using TLS with cipher suites to support forward secrecy. Result: No deviations noted.
- Inspected the configuration for KMS TLS communication to ascertain the cipher suites listed supported forward secrecy. Result: No deviations noted.
- Observed an AWS Security Assurance Manager attempt to connect to a public KMS service endpoint using an unsupported cipher suite to ascertain the endpoints could not be accessed. Result: No deviations noted.
- Observed an AWS Security Assurance Manager attempt to connect to a public KMS service endpoint using a supported cipher suite supporting forward secrecy to ascertain the endpoint connection was successful. Result: No deviations noted.

AWSCA-4.10: KMS-Specific – Keys used in AWS KMS are only used for a single purpose as defined by the key usage parameter for each key.
Criteria: CC6.1
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain keys used in AWS KMS were only used for a single purpose as defined by the key usage parameter for each key. Result: No deviations noted.
- Inspected the source code responsible for AWS KMS key usage, to ascertain the key usage parameter was configured at the key level and that key operations required the use of keys designated by the system for that operation. Result: No deviations noted.
- Created an AWS KMS key and attempted to perform a key operation in alignment with the key usage parameter to ascertain the operation was performed in accordance with the set parameter. Result: No deviations noted.
- Created an AWS KMS key and attempted to perform a key operation not in alignment with the key usage parameter to ascertain the operation resulted in a key usage error. Result: No deviations noted.

AWSCA-4.11: KMS-Specific – KMS keys created by KMS are rotated on a defined frequency if enabled by the customer.
Criteria: CC6.1; CC6.7
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain the KMS service included functionality for KMS keys to be rotated on a defined frequency, if enabled by the customer. Result: No deviations noted.
- Inspected the source code responsible for KMS key rotation to ascertain a new backing key would be created in accordance with the customer defined frequency, if enabled. Result: No deviations noted.
- Inspected the on-demand key rotation event log for an AWS internal key to ascertain the key was rotated immediately, and that the rotation event was logged. Result: No deviations noted.
- Inspected a scheduled key rotation event log for an AWS internal key to ascertain the backing key was rotated in accordance with the defined frequency, and the rotation event was logged. Result: No deviations noted.

AWSCA-4.12: KMS-Specific – Recovery key materials used for disaster recovery processes by KMS are physically secured offline so that no single AWS employee can gain access to the key material.
Criteria: CC6.1; CC6.4
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain recovery key materials used for disaster recovery processes by KMS were physically secured offline so that no single AWS employee could gain access to the key material. Result: No deviations noted.
- For all employees with physical access to the recovery key material resources used for disaster recovery processes by KMS, inspected their job titles and reporting structure within the employee directory tool, to ascertain access privileges were appropriate based on their roles and responsibilities. Result: No deviations noted.
- Inspected a physical access log of access attempts to recovery key materials to ascertain no single AWS employee could gain access by themselves. Result: No deviations noted.

AWSCA-4.13: KMS-Specific – Access attempts to recovery key materials are reviewed by authorized operators on a cadence defined in team documentation.
Criteria: CC6.1; CC6.4
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain access attempts to recovery key materials were reviewed by authorized operators on a cadence defined in team documentation. Result: No deviations noted.
- Inspected the reviews of access attempts or requests to recovery key materials to ascertain reviews were performed and documented by authorized operators on a cadence defined in team documentation. Result: No deviations noted.

AWSCA-4.14: KMS-Specific – Each production firmware version release for the AWS Key Management Service HSM (Hardware Security Module) either holds or is in the process of actively pursuing FIPS-3 level 3 certification from the National Institute of Standards and Technology’s (NIST) Cryptographic Module Validation Program (CMVP).
Criteria: CC6.1; CC6.6; CC6.7
Tests performed by EY:
- Inquired of an AWS Cryptography Technical Program Manager to ascertain the production firmware version of the AWS Key Management Service HSM was certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under the FIPS 140-3 level 3 standard. Result: No deviations noted.
- For all in scope regions, inspected the firmware version running on production AWS Key Management Service HSM devices to ascertain the production firmware version of the AWS Key Management Service HSMs was certified by NIST Cryptographic Module Validation Program Certificate under the FIPS 140-2 level 3 standard or updated firmware was in the process of being certified under the FIPS 140-3 level 3 standard. Result: No deviations noted.

AWSCA-4.15: CloudHSM-Specific - Production HSM devices are received in tamper evident authenticable bags. Tamper evident authenticable bag serial numbers and production HSM serial numbers are verified against data provided out-of-band by the manufacturer and logged into tracking systems by approved individuals.
Criteria: CC6.1; CC6.4; CC6.7
Tests performed by EY:
- Inquired of a CloudHSM Technical Program Manager to ascertain Production HSM devices were received in tamper evident authenticable bags and tamper evident authenticable bag serial numbers and production HSM serial numbers were verified against data provided out-of-band by the manufacturer and logged by individuals approved for access to tracking systems based on roles and responsibilities in adherence with AWS security and operational standards. Result: No deviations noted.
- Inspected the configuration of the automated verifications performed prior to moving an HSM device to production to ascertain HSM serial numbers were verified against data provided out-of-band before entering production. Result: No deviations noted.
- For one HSM device that failed validation, inspected the validations log to ascertain that the HSM device was automatically prohibited from entering production when the HSM serial number could not be verified against data provided out-of-band by the manufacturer. Result: No deviations noted.
- For one production HSM device, inspected the validations log to ascertain the HSM device’s serial number was verified against data provided out-of-band before it entered into production. Result: No deviations noted.

AWSCA-5.1: Physical access to data centers is approved by an authorized individual.
Criteria: CC6.4; CC6.7
Tests performed by EY:
- Inquired of an AWS DC Security Senior Global Program Manager to ascertain physical access to data centers was approved by an authorized individual. Result: No deviations noted.
- Inspected the configuration for executing the physical access approval and provisioning within the data center access management system to ascertain physical access to data centers was designed to be granted after an approval by an authorized individual. Result: No deviations noted.
- For one user provisioned data center access during the period, inspected the data center physical access provisioning records to ascertain physical access was granted after it was approved by an authorized individual. Result: No deviations noted.

AWSCA-5.2: Physical access is revoked within 24 hours of the employee or vendor record being deactivated.
Criteria: CC6.4; CC6.7
Tests performed by EY:
- Inquired of an AWS DC Security Senior Global Program Manager to ascertain physical access was automatically revoked within 24 hours of the employee or vendor record being deactivated. Result: No deviations noted.
- Inspected the system configurations within the data center access management system to ascertain physical access was automatically revoked within 24 hours of the employee, contractor or vendor record being deactivated in the HR system. Result: No deviations noted.
- For one terminated employee, inspected the HR System record to ascertain physical access was systematically revoked within 24 hours of the employee record being deactivated in the HR system by the access provisioning system. Result: No deviations noted.

AWSCA-5.3: Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.
Criteria: CC6.4; CC6.7
Tests performed by EY:
- Inquired of an AWS DC Security Global Program Manager to ascertain physical access to data centers was reviewed on a quarterly basis by appropriate personnel. Result: No deviations noted.
- Inspected most recent quarterly physical access review to ascertain that reviews of physical access were completed at least once per quarter. Result: No deviations noted.
- For one user marked for removal during the most recent quarterly physical access review, inspected the CloudWatch logs for revocation activities to ascertain the user's access was appropriately removed from the data center access management system. Result: No deviations noted.
- For a sample of users who had data center access selected from a listing of in-scope data center access levels within the period, inspected the access reviews to ascertain the reviews were performed quarterly and that access was approved by appropriate personnel. Result: No deviations noted.

AWSCA-5.4: CCTV are used to monitor server locations in data centers. Images are retained for 90 days, unless limited by legal or contractual obligations.
Criteria: CC6.4
Tests performed by EY:
- Inquired of an AWS Security Industry Specialist to ascertain physical access points to server locations were monitored by a closed circuit television camera (CCTV) and that images were retained for 90 days unless limited by legal or contractual obligations. Result: No deviations noted.
- For a sample of data centers selected from the asset management tool, observed the CCTV footage or inspected screenshots of video recordings around server location access points, to ascertain physical access points to server locations were recorded. Result: No deviations noted.
- For a sample of data centers selected from the asset management tool, inspected the network video recorder configuration to ascertain CCTV images to server locations were retained for at least 90 days, unless limited by legal or contractual obligations. Result: No deviations noted.

AWSCA-5.5: Access to server locations is managed by electronic access control devices.
Criteria: CC6.4
Tests performed by EY:
- Inquired of an AWS DC Security Senior Program Manager to ascertain physical access points to server locations were managed by electronic access control devices. Result: No deviations noted.
- For a sample of data centers selected from the asset management tool, observed electronic access control devices at physical access points to server locations or inspected the physical security access control configurations to ascertain electronic access control devices were installed at physical access points to server locations and that they required authorized Amazon badges with corresponding PINs to enter server locations. Result: No deviations noted.

AWSCA-5.6: Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents.
Criteria: CC7.2; CC7.3
Tests performed by EY:
- Inquired of an AWS Security Industry Specialist to ascertain electronic intrusion detection systems were installed and capable of detecting breaches into data center server locations. Result: No deviations noted.
- For a sample of data centers selected from the asset management tool, observed on-premise electronic intrusion detection systems or inspected the physical security access control configurations to ascertain electronic intrusion detection systems were installed, that they were capable of detecting intrusion attempts, and that they automatically alerted security personnel of detected events for investigation and resolution. Result: No deviations noted.

AWSCA-5.7: Amazon-owned data centers are protected by fire detection and suppression systems.
Criteria: A1.2
Tests performed by EY:
- Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers were protected by fire detection and fire suppression systems. Result: No deviations noted.
- For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise fire detection systems to ascertain they were located throughout the data centers. Result: No deviations noted.
- For a sample of Amazon-owned data centers, observed on-premise fire suppression devices to ascertain they were located throughout the data centers. Result: No deviations noted.

AWSCA-5.8: Amazon-owned data centers are air conditioned to maintain appropriate environmental conditions. Personnel and systems monitor and control air temperature and humidity at appropriate levels.
Criteria: A1.2
Tests performed by EY:
- Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers were air conditioned to maintain appropriate environmental conditions and that the units were monitored by personnel and systems to control air temperature and humidity at appropriate levels. Result: No deviations noted.
- For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise air-conditioning systems to ascertain they monitored and controlled temperature and humidity at appropriate levels. Result: No deviations noted.

AWSCA-5.9: Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure in Amazon-owned data centers and third-party colocation sites where Amazon maintains the UPS units.
Criteria: A1.2
Tests performed by EY:
- Inquired of Data Center Operations Managers and Hardware Engineering Services Software Development Engineer to ascertain UPS units provided backup power in the event of an electrical failure in Amazon-owned data centers and in colocation sites where Amazon maintains the UPS units. Result: No deviations noted.
- Inspected the system configuration responsible for the automatic onboarding and continuous monitoring of the health of Amazon maintained backup battery units (BBU) to ascertain that BBUs were being monitored and would send an alert in the event of an electrical failure. Result: No deviations noted.
- For a sample third-party colocation site, inspected evidence that BBUs were being monitored and would send an alert in the event of an electrical failure. Result: No deviations noted.
- For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise UPS equipment to ascertain UPS units were configured to provide backup power in the event of an electrical failure. Result: No deviations noted.

AWSCA-5.10: Amazon-owned data centers have generators to provide backup power in case of electrical failure.
Criteria: A1.2
Tests performed by EY:
- Inquired of Data Center Operations Managers to ascertain Amazon-owned data centers had generators to provide backup power in case of utility power failure. Result: No deviations noted.
- For a sample of Amazon-owned data centers selected from the asset management tool, observed on-premise generator equipment to ascertain generators were configured to provide backup power in case of electrical failure. Result: No deviations noted.

AWSCA-5.11: Contracts are in place with third-party colocation service providers which include provisions to provide fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, Uninterruptible Power Supply (UPS) units (unless maintained by Amazon), and redundant power supplies. Contracts also include provisions requiring communication of incidents or events that impact Amazon assets and/or customers to AWS.
Criteria: CC7.3; CC7.4; CC7.5; CC9.2; A1.2
Tests performed by EY:
- Inquired of AWS Legal Corporate Counsel to ascertain contracts were in place at the colocation service providers which included provisions for fire suppression systems, air conditioning, UPS units, and redundant power supplies as well as provisions requiring communication of incidents or events that impacted Amazon assets or customers to AWS. Result: No deviations noted.
- For a sample of data centers managed by colocation service providers selected from the asset management tool, inspected the current contractual agreements between service providers and AWS to ascertain they included provisions for fire suppression systems, air conditioning, UPS units, and redundant power supplies as well as provisions requiring colocation service providers to notify Amazon immediately of discovery of any unauthorized use or disclosure of confidential information or any other breach. Result: No deviations noted.

AWSCA-5.12: AWS performs periodic reviews of colocation service providers to validate adherence with AWS security and operational standards.
Criteria: CC3.2; CC3.3; CC3.4; CC4.1; CC7.3; CC7.4; CC7.5; CC9.2; A1.2
Tests performed by EY:
- Inquired of a Sr. Security Engineer, AWS Infrastructure Security to ascertain periodic reviews were performed for colocation vendor relationships to validate adherence with AWS security and operational standards. Result: No deviations noted.
- For a sample of data centers managed by colocation service providers selected from the asset management tool, inspected the corresponding vendor reviews to ascertain they were performed in accordance with the colocation business review schedule and included an evaluation of adherence to AWS security and operational standards. Result: No deviations noted.

AWSCA-5.13: All CC6.5; Inquired of an AWS Infrastructure Security Sr. No deviations noted.
AWS production CC6.7; Technical Program Manager and Data Center
media is securely C1.2; Operations Managers to ascertain AWS

F
decommissioned and P4.3 production media was securely

QE
physically destroyed, decommissioned and physically destroyed
verified by two prior to leaving AWS control.
personnel, prior to
leaving AWS control. Inspected the AWS Media Destruction No deviations noted.

3F
Standard Operating Procedures document to
ascertain that it included procedures for data
center personnel to securely decommission

ab
production media prior to leaving AWS
control.
M
For a sample of data centers selected from No deviations noted.
the asset management tool, observed on-
rro
premise security practices to ascertain
production media was restricted to the AWS
control, unless securely decommissioned and
physically destroyed.
ap

For a sample of data centers selected from No deviations noted.


the asset management tool, observed on-
W

premise equipment and media or inspected


media destruction logs for secure
RK

decommissioning and physical destruction to


ascertain production media was securely
decommissioned, physically destroyed, and
E

verified by two personnel prior to leaving


AWS control.
n-

AWSCA-6.1: AWS CC6.1; Inquired of Software Development Managers No deviations noted.


ke

applies a systematic CC6.8; to ascertain customer-impacting changes of


approach to CC7.5; service to the production environment were
managing change to CC8.1 reviewed, tested, approved, and followed
-to

ensure changes to relevant change management guidelines and


customer-impacting that service-specific change management
aspects of a service processes were maintained, followed, and
are reviewed, tested communicated to the service teams.
rm
te

AWS Confidential
149
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
and approved.
For one sampled service, inspected the No deviations noted.
Change management
relevant change management guidelines to
policies/procedures
ascertain they communicated specific

F
are based on
guidance on change management processes,
Amazon guidelines

QE
including initiation, testing and approval, and
and tailored to the
that service team-specific steps were
specifics of each
documented and maintained by the teams.
AWS service.

3F
AWSCA-6.2: Change CC6.8; Inquired of Software Development Managers No deviations noted.
details are CC8.1 to ascertain changes were documented
documented within within one of Amazon's change management

ab
one of Amazon’s or deployment tools.
change management
or deployment tools. For a sample of changes selected from a
M No deviations noted.
system-generated listing of changes
deployed to production, inspected Amazon’s
rro
change management or deployment tools to
ascertain the change details were
documented and communicated to service
ap

team management.

AWSCA-6.3: Changes CC6.8; Inquired of Software Development Managers No deviations noted.


W

are tested according CC8.1 to ascertain changes were tested according


to service team to service team change management
change management standards prior to migration to production.
RK

policies/procedures
prior to migration to For a sample of changes selected from a No deviations noted.
production. system-generated listing of changes migrated
to production, inspected the change
E

management policy to ascertain changes


n-

were tested according to service team


change management standards and testing
occurred in a development environment
ke

prior to migration to production.

AWSCA-6.4: AWS CC6.8; Inquired of Software Development Managers No deviations noted.


-to

maintains separate CC8.1 to ascertain AWS maintained separate


production and production and development environments.
development
rm

environments.
te

AWS Confidential
150
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
For a sample of changes selected from a No deviations noted.
system-generated listing of changes
deployed to production, inspected the

F
related deployment pipelines to ascertain the

QE
production and development environments
were separate.

AWSCA-6.5: Changes CC6.8; Inquired of Software Development Managers No deviations noted.

3F
are reviewed for CC8.1 to ascertain changes were reviewed for
business impact and business impact and approved by authorized
approved by personnel prior to migration to production

ab
authorized according to service team change
personnel prior to management standards.
migration to M
production according For a sample of changes selected from a No deviations noted.
to service team system-generated listing of changes migrated
rro
change management to production, inspected the relevant change
policies/procedures. management or deployment tools to
ascertain changes were reviewed and
approved by authorized personnel prior to
ap

migration to production according to service


team change management standards.
W

Inspected the configurations in-place for No deviations noted.


publishing AWS managed IAM policies to
RK

ascertain that policies were designed to


require approvals prior to being moved to
production.
E

Inspected an AWS managed IAM policy to No deviations noted.


ascertain that the policy managed by AWS
n-

was approved prior to being moved to


production.
ke
-to
rm
te

AWS Confidential
151
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
AWSCA-6.6: AWS CC6.8; Inquired of Software Development Managers No deviations noted.
performs CC7.1; to ascertain AWS performed deployment
deployment CC8.1 validations and change reviews to detect

F
validations and changes that did not follow the change

QE
change reviews to management process and that appropriate
detect unauthorized actions were taken to track identified issues
changes to its to resolution.
environment and

3F
tracks identified
issues to resolution. For a sample of changes migrated to No deviations noted.
production, inspected the associated

ab
validation output to ascertain AWS
performed deployment validations and
change reviews to detect unauthorized
M
changes and that follow-up actions were
taken as necessary to remediate any issues
rro
identified.

For a sample of quarters, inspected the No deviations noted.


ap

quarterly security business reviews and the


contents of the deployment violations
dashboard to ascertain unauthorized changes
W

were reviewed by AWS management.

For a sample of months for all services not No deviations noted.


RK

enrolled in automated deployment


monitoring, inspected manual deployment
monitoring to ascertain that the related AWS
E

service team generated a listing of all


changes deployed to production during the
n-

month, assessed the changes for


appropriateness, and follow-up actions were
ke

taken as necessary to remediate any issues


identified.
-to

For a sample of months and services, No deviations noted.


inspected the contents of the deployment
violation dashboard to ascertain
rm

unauthorized changes were tracked to


resolution by AWS management.
te

AWS Confidential
152
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
For a sample of GRC IDs, inspected the No deviations noted.
quarterly GRC baseline review to ascertain
that GRC IDs were reviewed to ensure that

F
all compliance-impacting change processes

QE
were registered in the automated change
management monitoring tool.

AWSCA-6.7: CC8.1 Inquired of software development managers, No deviations noted.

3F
Customer to ascertain production data, including
information, customer content and AWS employee data,

ab
including personal were not used in test or development
information, and environments.
customer content
are not used in test Inspected the contents of the Secure
M No deviations noted.
and development Software Development Policy intended for
environments. software development engineers and
rro
software development managers throughout
AWS to ascertain it provided instructions to
not use production data in test or
ap

development environments.

AWSCA-7.1: S3- CC6.7 Inquired of an S3 Software Development No deviations noted.


W

Specific – S3 Manager to ascertain S3 compared


compares checksums checksums to validate the integrity of data in
to validate the transit. If the customer provided or
RK

integrity of data in automatically calculated checksum did not


transit. If the match the S3’s server-side checksum
customer provided validation, the upload would fail, preventing
E

or automatically corrupted data from being written to S3.


calculated checksum
n-

does not match the Inspected the checksum configurations to No deviations noted.
S3’s server-side ascertain S3 was configured to continually
checksum validation, compare the user provided or automatically
ke

the upload will fail, calculated checksums with the S3’s server-
preventing side checksums to validate the integrity of
-to

corrupted data from data in transit.


being written to S3.
Observed an S3 Software Development No deviations noted.
Engineer upload a file with an invalid
rm

checksum, to ascertain the transfer was


aborted and an error message was displayed.
te

AWS Confidential
153
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
Observed an S3 Software Development No deviations noted.
Engineer upload a file with a valid checksum
that matched the S3 calculated checksum to

F
ascertain the transfer was completed

QE
successfully.

AWSCA-7.2: S3- C1.1 Inquired of an S3 Software Development No deviations noted.


Specific – S3 Engineer to ascertain S3 performed

3F
performs continuous continuous integrity checks of the data at
integrity checks of rest and that objects were automatically
the data at rest. validated against their checksums to prevent

ab
Objects are object corruption.
continuously
validated against
Inspected the integrity checks configurations
M No deviations noted.
their checksums to
to determine S3 was configured to
prevent object
continually perform integrity checks of the
rro
corruption.
data at rest and validated against their
checksums.
ap

Observed an S3 Software Development No deviations noted


Engineer locate an object whose checksum
was not validated against its object locator,
W

to ascertain the object was automatically


detected by the S3 service to prevent object
RK

corruption.

Inspected system log files for an object at No deviations noted.


rest to ascertain checksums were utilized to
E

assess the continuous integrity checks of


data.
n-

Inspected the S3 logs to ascertain S3 was No deviations noted.


ke

designed to automatically attempt to restore


normal levels of object storage redundancy
when disk corruption or device failure was
-to

detected.
rm
te

AWS Confidential
154
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
AWSCA-7.3: S3- A1.2; Inquired of an S3 Software Development No deviations noted.
Specific – When disk C1.1 Engineer to ascertain when disk corruption
corruption or device or device failure was detected, the system

F
failure is detected, automatically attempted to restore normal

QE
the system levels of object storage redundancy.
automatically
attempts to restore
Inspected the system repair configurations No deviations noted
normal levels of

3F
object storage to ascertain S3 was configured to
redundancy. automatically attempt to restore object
storage redundancy when disk corruption or

ab
device failure was detected.

Inspected the S3 logs to ascertain S3 was


M No deviations noted
designed to automatically attempt to restore
normal levels of object storage redundancy
rro
when disk corruption or device failure was
detected.
ap

Observed an S3 Software Development No deviations noted.


Engineer locate an object that was corrupted
or suffered device failure to ascertain the
W

object was rewritten to a known location,


which restored normal levels of object
storage redundancy.
RK

AWSCA-7.4: S3- A1.2; Inquired of an S3 Software Development No deviations noted.


Specific – Objects are C1.1 Engineer to ascertain objects were stored
E

stored redundantly redundantly across multiple fault-isolated


across multiple fault- facilities.
n-

isolated facilities.
Inspected the object sharding configurations No deviations noted.
to ascertain objects were stored redundantly
ke

across multiple fault-isolated facilities.


-to

Uploaded an object and observed an S3 No deviations noted.


Software Development Engineer access the
object location configuration to ascertain the
rm

object was stored redundantly across


multiple fault-isolated facilities.
te

AWS Confidential
155
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
AWSCA-7.5: S3- A1.2; Inquired of an S3 Software Development No deviations noted.
Specific – The design C1.1 Engineer to ascertain systems were designed
of systems is to sustain the loss of a data center facility

F
sufficiently without interruption to the service.

QE
redundant to sustain
the loss of a data Inspected the system configuration utilized No deviations noted.
center facility by S3 on stored objects to ascertain critical
without interruption services were designed to sustain the loss of

3F
to the service. a facility without interruption to the service.

AWSCA-7.6: RDS- A1.2; Inquired of an RDS Software Development No deviations noted.

ab
Specific – If enabled C1.1 Manager to ascertain, if enabled by the
by the customer, customer, RDS backed up customer
RDS backs up databases, stored backups for user-defined
M
customer databases, retention periods, and supported point-in-
stores backups for time recovery.
rro
user-defined
retention periods, Inspected the RDS backup configurations to No deviations noted.
and supports point- ascertain, if enabled by the customer, RDS
in-time recovery. backed up customer database and stored
ap

backups for user-defined retention periods.


W

Created an RDS database, enabled backups No deviations noted.


and backed up the database to ascertain RDS
RK

backed up customer databases via scheduled


backups according to a user-defined
retention period.
E

Created an RDS database, captured a point in No deviations noted


n-

time database snapshot and restored the


RDS database using the captured snapshot,
ke

to ascertain RDS databases were capable of a


point-in-time recovery using database
snapshots.
-to

Restored an RDS database using a database No deviations noted.


backup, to ascertain RDS databases were
capable of a point-in-time recovery.
rm
te

AWS Confidential
156
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
AWSCA-7.7: AWS CC6.5; Inquired of an EC2 Principal Engineer to No deviations noted.
provides customers C1.2; ascertain AWS provided customers the ability
the ability to delete P4.1; to delete their content and render it

F
their content. Once P4.2; unreadable.

QE
successfully removed P4.3
the data is rendered Observed an EC2 Security Engineer create a No deviations noted.
unreadable. virtual host, upload content, delete the
underlying storage volume, then create a

3F
different instance within the same virtual
memory slot and query for the original
content to ascertain that the underlying

ab
storage volume and in memory data was
removed.
M
For the services that provide content storage No deviations noted.
as described in the System Description,
rro
inspected the configurations designed to
automatically delete content from buckets,
volumes, instances, or other means of
content storage, to ascertain it was designed
ap

to delete and render the data unreadable.

For the services that provide content storage No deviations noted.


W

as described in the System Description,


independently created an AWS cloud account
RK

registered to an independent email address


and created sample content into buckets,
volumes, instances, or other means of
content storage, and compared the time
E

stamp of creation with the current date and


time. Observed Software Development
n-

Managers query for the objects to ascertain


the objects existed and were in an active
ke

state.
-to
rm
te

AWS Confidential
157
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
For the core storage services that provide No deviations noted.
content storage as described in the System
Description, created an AWS cloud account

F
registered to an independent email address

QE
and created sample content into buckets,
volumes, instances, or other means of
content storage, and compared the time
stamp of creation with the current date and

3F
time. Observed Software Development
Managers query the backend to ascertain the
objects existed and were in an active state.

ab
For the services that provide content storage No deviations noted.
as described in the System Description,
M
deleted the content and/or the underlying
buckets, volumes, instances, or other means
rro
of content storage, and inspected if the data
identifiers were removed or the data itself
was zeroed out after being deleted to
ascertain it was rendered unreadable.
ap

For the core storage services that provide No deviations noted.


content storage as described in the System
W

Description, observed Software Development


Managers query for the objects metadata for
RK

the deleted objects to ascertain that an error


was returned stating the object could not be
found.
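The three S3-related controls above (AWSCA-7.1 checksum validation in transit, AWSCA-7.2 continuous checks at rest, and AWSCA-7.7 deletion that renders data unreadable) share one underlying mechanism: a checksum recorded at write time, recomputed at every later point, and a delete path that leaves neither identifier nor readable bytes behind. The following is an added example, not code from the report, from EY or from AWS: a toy in-memory object store in which every name (ToyObjectStore, put_object, verify_at_rest, delete_object, head_object) is this example's own and not the S3 API. It uses SHA-256 as the checksum (the control text names no algorithm) and constructed sample payloads. A client sends its own checksum with the bytes; the server recomputes over what arrived and refuses the write on mismatch, so the corrupted upload is never persisted; a later scan recomputes stored checksums to catch silent corruption; and deletion zeroes the payload before dropping the key, so a metadata lookup afterwards fails rather than returning data.

```python
# Added example (not from the AWS SOC 2 report): a toy in-memory object store that
# models the integrity controls AWSCA-7.1/7.2 and the deletion control AWSCA-7.7.
# All class and method names here are this example's own, not the S3 API.
import hashlib
from dataclasses import dataclass, field


class ChecksumMismatch(Exception):
    """Raised when the checksum sent with an upload does not match the received bytes."""


class ObjectNotFound(Exception):
    """Raised when an operation references a key that does not (or no longer) exist."""


def sha256_hex(data: bytes) -> str:
    # SHA-256 is this example's choice; the control text does not name an algorithm.
    return hashlib.sha256(data).hexdigest()


@dataclass
class StoredObject:
    payload: bytearray  # object bytes as held "on disk"
    checksum: str       # checksum recorded at write time; reference for at-rest checks


@dataclass
class ToyObjectStore:
    objects: dict = field(default_factory=dict)

    def put_object(self, key: str, received: bytes, client_checksum: str) -> str:
        """Validate data in transit (AWSCA-7.1).

        `client_checksum` was computed by the client over the bytes it meant to send.
        The server recomputes over what actually arrived and refuses the write on a
        mismatch, so corrupted data is never persisted.
        """
        server_checksum = sha256_hex(received)
        if server_checksum != client_checksum:
            raise ChecksumMismatch(f"{key}: client {client_checksum[:12]}.. != server {server_checksum[:12]}..")
        self.objects[key] = StoredObject(bytearray(received), server_checksum)
        return server_checksum

    def verify_at_rest(self) -> list:
        """Integrity scan of data at rest (AWSCA-7.2): report keys whose bytes no longer match."""
        return sorted(key for key, obj in self.objects.items()
                      if sha256_hex(bytes(obj.payload)) != obj.checksum)

    def delete_object(self, key: str) -> None:
        """Delete and render unreadable (AWSCA-7.7): zero the bytes, then drop the identifier."""
        if key not in self.objects:
            raise ObjectNotFound(key)
        obj = self.objects.pop(key)
        for i in range(len(obj.payload)):
            obj.payload[i] = 0

    def head_object(self, key: str) -> dict:
        """Metadata lookup; a deleted key yields a not-found error rather than data."""
        if key not in self.objects:
            raise ObjectNotFound(key)
        obj = self.objects[key]
        return {"key": key, "size": len(obj.payload), "checksum": obj.checksum}


def flip_bit(data: bytes, index: int) -> bytes:
    """Constructed fault: corrupt a single bit, standing in for transit or disk corruption."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def run_scenarios() -> dict:
    """Walk the three controls with constructed inputs and return the observed outcomes."""
    store = ToyObjectStore()
    original = b"customer record 0001: constructed sample payload"
    client_checksum = sha256_hex(original)  # computed by the client before sending
    results = {}

    # 7.1: a clean transfer is accepted ...
    results["clean_upload"] = store.put_object("clean", original, client_checksum) == client_checksum
    # ... and a transfer corrupted in transit is rejected and leaves nothing behind.
    try:
        store.put_object("corrupt", flip_bit(original, 3), client_checksum)
        results["corrupt_upload_rejected"] = False
    except ChecksumMismatch:
        results["corrupt_upload_rejected"] = "corrupt" not in store.objects

    # 7.2: silent corruption of the stored bytes is caught by the at-rest scan.
    store.put_object("rot", original, client_checksum)
    store.objects["rot"].payload[0] ^= 0x01  # bit rot on the stored copy
    results["at_rest_detected"] = store.verify_at_rest()

    # 7.7: after deletion, the metadata lookup fails instead of returning data.
    store.delete_object("clean")
    try:
        store.head_object("clean")
        results["deleted_not_found"] = False
    except ObjectNotFound:
        results["deleted_not_found"] = True
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The rejection path is the point worth noticing: because the server recomputes the checksum over the received bytes before writing, a mismatch means the key never enters the store at all, which is what the auditor's "upload with an invalid checksum" observation in AWSCA-7.1 checks for. The at-rest scan is the same comparison run again later, against the checksum recorded at write time rather than one supplied by the client.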
E

AWSCA-7.8: AWS CC6.5; Inquired of an IAM Software Dev II to No deviations noted.


retains customer C1.1; ascertain AWS retained customer content
n-

content per P4.2 per the customer agreements.


customer
ke

agreements. Inspected the most recent copy of the AWS No deviations noted.
Customer Agreement to ascertain it was
communicated externally to customers and
-to

contained an effective date, which was the


most recent version of the agreement.
rm
te

AWS Confidential
158
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
Inspected the AWS Customer Agreement to No deviations noted.
ascertain the contractual language in section
7.3b stated that AWS will not delete

F
customer information for up to 30 days in the

QE
event of AWS account termination, and that
the language explicitly stated the customer
agreed to the responsibilities regarding
confidential information disposal.

3F
Inspected the customer account content No deviations noted.
retention configuration to ascertain a

ab
centralized account service was designed to
send notifications to services to delete
customer content 90 days after account
closure.
M
For a sample AES integrated service, selected No deviations noted.
rro
a service that stores customer content
integrated with the centralized account
service, created a unit of content storage,
ap

closed the AWS account and inspected the


content throughout the 90- day lifecycle to
ascertain customer content was retained until
W

deleted 90 days after customer account


closure.
RK

AWSCA-7.9: CC6.5; Inquired of an AWS Senior Security Engineer No deviations noted.


Outpost-Specific – C1.2; to ascertain the Nitro Security Key was
Nitro Security Key is P4.2; configured in Outpost to encrypt customer
configured in
E

P4.3 content and allowed a customer to have a


Outpost to encrypt mechanical means to perform crypto
n-

customer content shredding of the content.


and allow a
customer to have a Inspected the Outpost configurations to No deviations noted.
ke

mechanical means to ascertain the Outpost was configured to


perform crypto encrypt customer content with the Nitro
shredding of the Security Key.
-to

content.
rm
te

AWS Confidential
159
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
Inspected the Standard Operating No deviations noted.
Procedures for Outpost Retrieval document
to ascertain the Nitro Security Key was

F
mechanically destroyed at the time of

QE
retrieval.

Inspected logs of an Outpost with a valid No deviations noted.


Nitro Security Key to ascertain that it

3F
successfully encrypted the content on the
Outpost with a valid Nitro Security Key.

ab
Inspected logs of an Outpost without a valid No deviations noted.
Nitro Security Key to ascertain that it was not
able to unencrypt the content on the
M
Outpost without the valid Nitro Security Key.
rro
AWSCA-7.10: EC2- CC7.1 Inquired of an EC2 Software Development No deviations noted.
Specific - Amazon Manager to ascertain Amazon EC2 enabled
EC2 enables clock clock synchronization based on Network
synchronization Time Protocol in EC2 instances, to achieve
ap

based on Network accuracy within 1 millisecond of Coordinated


Time Protocol in EC2 Universal Time for non-supported instances
Linux instances, to and within 100 microseconds of Coordinated
W

achieve accuracy Universal Time for supported instances.


within 1 millisecond
RK

of Coordinated Inspected the clock synchronization No deviations noted.


Universal Time. configurations to ascertain the different
infrastructure layers were linked to ensure
clock synchronization.
E

Observed an EC2 Software Development No deviations noted.


n-

Engineer create an EC2 instance and enable


clock synchronization to ascertain that clock
ke

synchronization achieved an accuracy within


1 millisecond of Coordinated Universal Time
for one non-supported instance and within
-to

100 microseconds of Coordinated Universal


Time for one supported instance.
rm
te

AWS Confidential
160
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
For a supported instance, inspected the AWS No deviations noted
managed Grandmaster clock devices to
ascertain that the Grandmaster devices were

F
active, and that monitoring was enabled to

QE
ensure that an accuracy within 100
microseconds of Coordinated Universal Time.

For a sample of AWS Availability Zones (AZs) No deviations noted.

3F
selected from a listing of AZs generated from
the AZ code repository, inspected the AWS
managed Grandmaster clock devices to

ab
ascertain that the Grandmaster devices were
active, and that monitoring was enabled to
ensure that an accuracy within 1 millisecond
M
of Coordinated Universal Time was achieved.
rro
AWSCA-8.1: CC2.1; Inquired of an AWS IT Security Response No deviations noted.
Monitoring and CC6.1; Director and a Senior Security Engineer to
alarming are CC6.6; ascertain the production environment was
configured by CC6.8; monitored and that alarming was configured
ap

Service Owners to CC7.2; by Service Owners to notify operational and


identify and notify CC7.3; management personnel when early warning
operational and CC7.4; thresholds were crossed on key operational
W

management A1.1; metrics.


personnel of A1.2;
RK

incidents when early P6.3; For a sample of key operational metrics No deviations noted.
warning thresholds P6.5 selected from a listing of critical alarms,
are crossed on key inspected the applicable configurations to
operational metrics. ascertain related monitoring and alarming
E

were in place to notify appropriate personnel


when a threshold was reached or exceeded.
n-

Inspected the network monitoring tool No deviations noted.


ke

configurations that automatically generate


tickets for Network Monitoring incidents to
ascertain incidents were logged within a
-to

ticketing system, assigned severity rating and


tracked to resolution.
rm
te

AWS Confidential
161
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
CC2.1;
AWSCA-8.2: Inquired of an AWS IT Security Response No deviations noted.
Incidents are logged CC6.1; Director to ascertain security incidents were
within a ticketing CC6.6; logged in a ticketing system, assigned a

F
system, assigned a CC6.8; severity level, and tracked through

QE
severity rating and CC7.2; resolution.
tracked to CC7.3;
resolution. CC7.4; For a sample of incidents selected from a No deviations noted.
CC7.5; system generated listing of security alerts,

3F
CC8.1; inspected associated entries in the ticketing
A1.2; system to ascertain incidents were assigned a
P6.3; severity level and tracked through to

ab
P6.5; resolution.
P6.6;
P6.7; M
P8.1
rro
AWSCA-9.1: AWS CC2.2; Inquired of the AWS Security Assurance No deviations noted.
maintains internal CC2.3 Technical Program Manager to ascertain
informational AWS maintained internal informational
websites describing websites describing the AWS environment,
ap

the AWS its boundaries, user responsibilities, and the


environment, its services.
boundaries, user
W

responsibilities and Inspected AWS internal informational No deviations noted.


services. websites for each in-scope AWS service to
RK

ascertain they described the AWS


environment, its boundaries, user
responsibilities, and the services.
E

AWSCA-9.2: AWS CC1.1; Inquired of the HR Specialist to ascertain No deviations noted.


conducts pre- CC1.4 AWS conducted pre-employment screening
n-

employment of full-time candidates prior to the


screening of employees’ start dates in accordance with
ke

candidates local laws.


commensurate with
the employee’s
-to

position and level, in


accordance with
local law and the
rm

AWS Personnel
Security Policy.
te

AWS Confidential
162
Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests

s Ij
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s
Testing Performed and Results

H1
Controls Specified by
Criteria Tests Performed by EY Results of Tests
AWS

OV
For a sample of AWS full-time new hires No deviations noted.
selected from a listing of active employees,
inspected pre-employment screening records

F
to ascertain pre-employment screening was

QE
performed prior to each employee’s start
date.

AWSCA-9.3: AWS CC1.1; Inquired of the Principal, HR Business Partner No deviations noted.

3F
performs annual CC1.4; to ascertain a process was in place to
formal evaluation of CC1.5 perform a formal evaluation of resourcing
resourcing and and staffing annually, including an

ab
staffing including assessment of employee qualification
assessment of alignment with entity objectives and that
employee employees received feedback on their
M
qualification strengths and growth ideas.
alignment with
rro
entity objectives. For a sample of AWS employees selected No deviations noted.
Employees receive from an HR system-generated listing,
feedback on their inspected performance evaluation records to
strengths and ascertain each employee was formally
ap

growth ideas evaluated against entity objectives during the


annually. most recent annual formal evaluation of
resourcing and staffing.
W

AWS Confidential
163

Section IV – Description of Criteria, AWS Controls, Tests, and Results of Tests
Security, Availability, Confidentiality, and Privacy Criteria Mapped to AWS Controls & Service Auditor’s Testing Performed and Results
Table columns: Controls Specified by AWS; Criteria; Tests Performed by EY; Results of Tests

AWSCA-9.4: AWS host configuration settings are monitored to validate compliance with AWS security standards and to verify that settings are automatically deployed to the host fleet.
Criteria: CC6.1; CC6.8; CC7.1; CC8.1
Tests performed by EY and results:
- Inquired of a System Engineering Manager and Software Development Manager to ascertain AWS host configuration settings were monitored to validate compliance with AWS security standards and that settings were automatically deployed to the fleet. Result: No deviations noted.
- Inspected the monitoring configurations to ascertain production hosts were configured to monitor compliance with AWS security standards and to automatically request and install host configuration setting updates deployed to the fleet. Result: No deviations noted.
- Inspected the provisioning configurations to ascertain hosts could not be deployed into the production environment without the successful installation of configuration management tools. Result: No deviations noted.
- For a sample of production hosts selected from listings of production hosts for each in-scope AWS region, inspected the automated deployment logs to ascertain production hosts automatically requested and installed host configuration setting updates deployed to the fleet. Result: No deviations noted.
- Inspected the ticket details for one incident ticket created for a failed deployment attempt for each host deployment mechanism to ascertain the unsuccessful installation of host configuration settings was identified, tracked and resolved in a timely manner. Result: No deviations noted.

AWSCA-9.5: AWS provides publicly available mechanisms for customers to contact AWS to report security events and publishes information including a system description and security and compliance information addressing AWS commitments and responsibilities.
Criteria: CC2.2; CC2.3; P5.1; P5.2; P6.3; P8.1
Tests performed by EY and results:
- Inquired of an AWS Security Compliance Program Manager to ascertain AWS provided publicly available mechanisms for customers to contact AWS to report security events and published information including a system description and security and compliance information addressing AWS commitments and responsibilities. Result: No deviations noted.
- Inspected AWS informational websites to ascertain they provided publicly available mechanisms for customers to contact AWS to report security events. Result: No deviations noted.
- Inspected the AWS whitepapers and public websites to ascertain they provided information including a system description and security and compliance information addressing AWS commitments and responsibilities. Result: No deviations noted.
- Inspected a ticket resulting from a customer inquiry to ascertain a process is in place to address, track and resolve customer inquiries in a timely manner. Result: No deviations noted.
- For a sample of customer-submitted compliance inquiries selected from the AWS Contact Us Compliance Support portal, inspected supporting documentation to ascertain that each inquiry was followed up on in a timely manner through email or phone call by a marketing representative. Result: No deviations noted.

AWSCA-9.6: The Company provides a hotline for employees to anonymously report on possible violations of conduct.
Criteria: CC2.2; CC7.2; CC7.3; CC7.4; CC7.5
Tests performed by EY and results:
- Inquired of a Vice President of Litigation Legal to ascertain the company provided a hotline for employees to anonymously report on possible violations of conduct. Result: No deviations noted.
- Inspected the Owner’s Manual and Guide to Employment policy to ascertain employees were provided access to the ethics hotline in all geographies during orientation. Result: No deviations noted.
- Called the fraud hotline number to ascertain it was available for employees to anonymously report on possible violations of conduct. Result: No deviations noted.
AWSCA-9.7: Material violations of the Company's Code of Business Conduct and Ethics and similar policies are appropriately handled in terms of communication and possible disciplinary action or termination. Violations involving third parties or contractors are reported to their respective employers, which will carry out any possible disciplinary action, removal of assignment with Amazon, or termination.
Criteria: CC1.1; CC1.5; CC9.2; P8.1
Tests performed by EY and results:
- Inquired of a Principal of Corporate Employee Relations to ascertain material violations of the Company’s Code of Business Conduct and Ethics and similar policies were appropriately handled in terms of communications and possible disciplinary action or termination, and violations involving third parties or contractors were reported to their respective employers, which were responsible for any possible disciplinary action, removal of assignment with Amazon, or termination. Result: No deviations noted.
- Inspected the Code of Business Conduct and Ethics policy to ascertain that employee expectations were published on the intranet for employees to review and consequences for certain violations were documented within the policy. Result: No deviations noted.
- Inspected the Human Resources team investigation process wiki and Enterprise Case Management system to ascertain they detailed standard operating procedures for the handling of a potential material violation of the Company’s Code of Business Conduct and Ethics for both employees and vendors, including the handling of communication and possible disciplinary action. Result: No deviations noted.

AWSCA-9.8: AWS has established a formal audit program that includes continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment.
Criteria: CC1.2; CC2.1; CC3.1; CC4.1; CC4.2; P8.1
Tests performed by EY and results:
- Inquired of a Business Risk Management Director to ascertain AWS had established a formal audit program that included continual, independent internal and external assessments to validate the implementation and operating effectiveness of the AWS control environment. Result: No deviations noted.
- Inspected the audit framework and list of interviewees to ascertain AWS functional areas, including AWS Security and AWS Service teams, were covered within the Internal Audit risk assessment creation. Result: No deviations noted.
- Inspected the yearly audit plan created by Internal Audit and submitted to the Audit Committee to ascertain Internal Audit formalized and outlined their specific audit plan in response to the risk assessment conducted, and that the audit plan covered the AWS organization. Result: No deviations noted.

AWSCA-9.9: AWS has a process to assess whether AWS employees who have access to resources that store or process customer data via permission groups are subject to a post-hire background check as applicable with local law and the AWS Personnel Security Policy.
Criteria: CC1.1; CC1.4
Tests performed by EY and results:
- Inquired of a Security Program Manager to ascertain employees with access to resources that store or process customer data via permission groups received a background check, as applicable with local law, no less than once per calendar year. Result: No deviations noted.
- For a sample of AWS employees selected from a system-generated listing of accounts with access to resources that stored or processed customer data, inspected their background check status to ascertain background checks were completed once per calendar year or access to resources that stored or processed customer data was removed as appropriate. Result: No deviations noted.
- For a sample of AWS employees selected from a system-generated listing of accounts that had opted out of a background check, inspected their group membership audit history to ascertain that access to permission groups granting access to resources that stored or processed customer data had been removed. Result: No deviations noted.

AWSCA-10.1: Critical AWS system components are replicated across multiple Availability Zones and backups are maintained.
Criteria: A1.2
Tests performed by EY and results:
- Inquired of a Software Development Manager and an AWS Code Services Sr. Software Development Engineer to ascertain critical AWS system components were replicated across multiple Availability Zones and that backups were maintained. Result: No deviations noted.
- Inspected the replication configurations to ascertain critical AWS system components were configured to be replicated across multiple Availability Zones. Result: No deviations noted.
- Inspected the backup configurations to ascertain critical AWS system components were backed up as changes were deployed or in accordance with periodically configured jobs throughout the day. Result: No deviations noted.
- For a package of system component files, inspected the production environment replication and backup logs for the related AWS service to ascertain data was replicated and backed up across multiple Availability Zones. Result: No deviations noted.

AWSCA-10.2: Backups of critical AWS system components are monitored for successful replication across multiple Availability Zones.
Criteria: A1.2; A1.3; C1.1
Tests performed by EY and results:
- Inquired of an AWS Code Services Sr. Software Development Engineer to ascertain critical AWS system components were monitored for replication across multiple Availability Zones. Result: No deviations noted.
- Inspected the backup monitoring configuration to ascertain that error incident tickets were automatically generated in the event of backup failures. Result: No deviations noted.
- For a critical alarm, inspected monitoring dashboards and alarming configurations to ascertain an alarming mechanism existed to notify appropriate personnel of replication and backup successes and failures and when files were insufficiently replicated across multiple Availability Zones. Result: No deviations noted.
- Inspected notifications of when a backup did not complete and when files were insufficiently replicated across multiple Availability Zones to ascertain the service team initiated the remediation process and tracked the issues to resolution. Result: No deviations noted.

AWSCA-10.3: AWS contingency planning and incident response playbooks are maintained and updated to reflect emerging continuity risks and lessons learned from past incidents. The AWS contingency plan is tested on at least an annual basis.
Criteria: CC2.2; CC3.2; CC3.3; CC3.4; CC5.3; CC7.3; CC7.4; CC7.5; CC8.1; CC9.1; A1.1; A1.2; A1.3; P6.3
Tests performed by EY and results:
- Inquired of an AWS Security Business Continuity Manager to ascertain AWS maintained an overall contingency planning procedure that reflected emerging continuity risks and incorporated lessons learned from past incidents, and that the AWS contingency plan was tested on at least an annual basis. Result: No deviations noted.
- Inquired of an AWS Security Business Continuity Manager to ascertain AWS contingency planning and incident response playbooks specific to each service team were maintained and updated to reflect emerging continuity risks and lessons learned from past incidents. Result: No deviations noted.
- Inspected the AWS contingency plan documentation to ascertain it was reviewed and approved at least annually, and that playbooks for each service existed, were maintained, and were updated to reflect emerging continuity risks and lessons learned from past incidents. Result: No deviations noted.
- For a recent AWS contingency plan test, inspected the ticket to ascertain the contingency plan was tested within the past year, and that drills conducted to imitate incidents were resolved and service availability was restored. Result: No deviations noted.

AWSCA-10.4: AWS maintains a capacity planning model to assess infrastructure usage and demands at least monthly, and usually more frequently (e.g., weekly). In addition, the AWS capacity planning model supports the planning of future demands to acquire and implement additional resources based upon current resources and forecasted requirements.
Criteria: A1.1; A1.2
Tests performed by EY and results:
- Inquired of a Senior Tech Infrastructure Program Manager to ascertain AWS maintained a centralized capacity planning model that assessed infrastructure usage, forecasted demand, and additional resources required to meet the availability requirements. Result: No deviations noted.
- For a sample of Regions and Edge locations, inspected the capacity planning model to ascertain capacity was assessed per the defined cadence, and the model contained forecasting for future demands and resource availability. Result: No deviations noted.

AWSCA-11.1: Vendors and third parties with restricted access that engage in business with Amazon are subject to confidentiality commitments as part of their agreements with Amazon. Confidentiality commitments included in agreements with vendors and third parties with restricted access are reviewed by AWS and the third party at the time of contract creation or execution.
Criteria: CC1.1; CC1.4; CC2.2; CC2.3; CC9.2; P6.4; P6.5
Tests performed by EY and results:
- Inquired of AWS Legal Corporate Counsel to ascertain vendors or third parties with restricted access that engage in business with AWS were subject to confidentiality agreements as part of their agreements with AWS, and that these agreements were reviewed by AWS and the third party at the time of contract creation or execution. Result: No deviations noted.
- For a sample of external vendors and third parties with restricted access who engage in business with AWS, inspected vendor agreements to ascertain the agreements contained confidentiality commitments. Result: No deviations noted.
- For a sample of external vendors and third parties with restricted access who engage in business with AWS, inspected vendor agreements to ascertain the agreements were signed and approved by the vendor and AWS. Result: No deviations noted.

AWSCA-11.2: AWS has a program in place for evaluating vendor performance and compliance with contractual obligations.
Criteria: CC1.1; CC1.4; CC2.3; CC4.1; CC9.2; P4.1; P6.1; P6.4; P6.5
Tests performed by EY and results:
- Inquired of the Data Center Global Services team to ascertain AWS has a program in place for evaluating vendor performance and compliance with contractual obligations. Result: No deviations noted.
- Inspected the AWS evaluation program calendars for vendor performance and compliance with contractual obligations to ascertain reviews for vendors with restricted access were scheduled on a frequency subject to the overall risk of doing business with each vendor. Result: No deviations noted.
- For a sample of vendors selected from a listing of third-party vendors, inspected vendor evaluations of performance and compliance with contractual obligations to ascertain reviews were performed in accordance with policy and served as a means for evaluating vendor performance against contractual obligations, based on risk. Result: No deviations noted.

AWSCA-11.3: AWS communicates confidentiality requirements in agreements when they are renewed with vendors and third parties with restricted access. Changes to standard confidentiality commitments to customers are communicated on the AWS website via the AWS customer agreement.
Criteria: CC2.2; CC2.3; CC9.2; P6.4; P6.5
Tests performed by EY and results:
- Inquired of an AWS Security Assurance Technical Program Manager to ascertain AWS communicated confidentiality requirements in agreements when they were renewed with vendors and third parties with restricted access, and that changes to standard confidentiality commitments to customers were communicated on the AWS website via the AWS customer agreement. Result: No deviations noted.
- Inspected the public-facing AWS Customer Agreement located on the AWS website to ascertain changes to standard confidentiality commitments were communicated via the AWS Customer Agreement and made publicly available via an embedded change log. Result: No deviations noted.

AWSCA-12.1: AWS informs customers of the AWS data security and privacy commitments within the AWS Customer Agreement prior to activating an AWS account and makes it available to customers to review at any time on the AWS website.
Criteria: P1.1; P2.1; P3.1; P5.1; P5.2; P6.1; P8.1
Tests performed by EY and results:
- Inquired of AWS Corporate Counsel to ascertain AWS informed customers of the AWS data security and privacy commitments within the AWS Customer Agreement prior to activating an AWS account and made it available to customers to review at any time on the AWS website. Result: No deviations noted.
- Attempted to create an AWS account without acknowledging the AWS Customer Agreement and observed that the system prevented proceeding any further with opening the account. Result: No deviations noted.
- Acknowledged the AWS Customer Agreement and successfully created an AWS account to ascertain that acknowledgement of the AWS Customer Agreement was required prior to opening an AWS account. Result: No deviations noted.
- Inspected the AWS Customer Agreement on the AWS website to ascertain that the AWS Customer Agreement is publicly available for customers to review and informed customers of AWS data security and privacy commitments. Result: No deviations noted.

AWSCA-12.2: AWS informs customers of changes made to the AWS Customer Agreement via the AWS public website.
Criteria: CC2.3; P1.1
Tests performed by EY and results:
- Inquired of AWS Corporate Counsel to ascertain AWS informed customers of changes made to the AWS Customer Agreement via the AWS public website. Result: No deviations noted.
- Inspected the AWS Customer Agreement via the AWS website to ascertain that the last update date was displayed to customers. Result: No deviations noted.
- Inspected the AWS Customer Agreement to ascertain that it contained a commitment from management to make available to customers any changes made to the AWS Customer Agreement. Result: No deviations noted.

AWSCA-12.3: AWS offers customers the capability to update communication preferences via the AWS console.
Criteria: P2.1
Tests performed by EY and results:
- Inquired of a Senior Digital Marketing Leader to ascertain that Amazon offered customers the capability to update their communication preferences via the AWS console. Result: No deviations noted.
- Observed a Senior Digital Marketing Leader update communication preferences for an AWS account via the AWS console, inspected the update in the back-end repository, and inspected the communication preferences update confirmation notification to ascertain that Amazon offered customers the capability to update communication preferences via the AWS console. Result: No deviations noted.

AWSCA-12.4: AWS performs application security reviews for third-party systems that collect customer content in accordance with team processes, to ascertain security risks are identified and mitigated.
Criteria: CC2.3; P1.1; P3.1; P4.1; P4.2; P6.1; P6.4
Tests performed by EY and results:
- Inquired of an AWS Security Manager to ascertain that AWS performed application security reviews for third-party systems that collect customer content in accordance with team processes, to ascertain security risks were identified and mitigated. Result: No deviations noted.
- Inspected team documentation of external party onboarding for providers of third-party systems that collected customer content to ascertain that external parties were assessed for the collection of customer content and referred for additional security reviews. Result: No deviations noted.
- Selected a sample of security reviews for third-party systems that collected customer content and went live during the examination period to ascertain that the system was assessed prior to launch to evaluate whether security risks were identified and mitigated. Result: No deviations noted.

AWSCA-12.5: AWS notifies affected data subjects and regulators of breaches and incidents as legally required in accordance with team processes.
Criteria: P5.1; P5.2; P6.3; P6.4; P6.6; P6.7; P8.1; CC2.3; CC7.4
Tests performed by EY and results:
- Inquired of Corporate Counsel to ascertain that AWS notified affected data subjects and regulators of breaches and incidents as legally required in accordance with team processes. Result: No deviations noted.
- Inspected the AWS Internal Privacy Policy to ascertain that AWS notified affected data subjects and regulators of breaches and incidents as legally required in accordance with team processes. Result: No deviations noted.
- Inspected the AWS internal wiki page to ascertain that AWS Security Operations should be engaged for security incidents above Sev 2. Result: No deviations noted.
- Inspected the Personal Health Dashboard of an AWS account to ascertain that privacy events affecting AWS resources were listed. Result: No deviations noted.
- Inspected incident response details for a sample of security alert incident tickets to ascertain whether evaluations were conducted to determine if disclosures were required to be made to affected data subjects and regulators of breaches, and whether required disclosures were appropriately made according to incident response documentation. Result: No deviations noted.

AWSCA-12.6: AWS provides authenticated customers the ability to access, update, and confirm their data. Denial of access will be communicated using the AWS console.
Criteria: P5.1; P5.2; P7.1
Tests performed by EY and results:
- Inquired of Corporate Counsel to ascertain that AWS provided authenticated customers the ability to access, update, and confirm their data. Additionally, inquired of Corporate Counsel to ascertain what conditions would trigger a denial of access and that a denial of access will be communicated using the AWS console. Result: No deviations noted.
- Inspected the AWS Customer Agreement to ascertain that AWS committed to notifying customers prior to denial of access. Result: No deviations noted.
- Updated personal account information in the AWS Console to ascertain that AWS provided authenticated customers the ability to access, update, and confirm their data. Result: No deviations noted.

AWSCA-12.7: AWS records customer information requests to maintain a complete, accurate, and timely record of such requests.
Criteria: P5.1; P5.2; P6.1; P6.2; P6.7
Tests performed by EY and results:
- Inquired of AWS Corporate Counsel to ascertain that AWS recorded customer information requests to maintain a complete, accurate, and timely record of such requests. Result: No deviations noted.
- Inspected the configurations for the recording of customer information requests through the Amazon Law Enforcement Request Tracker system to ascertain that AWS recorded customer information requests to maintain a complete, accurate, and timely record of such requests. Result: No deviations noted.
- Observed the repository of AWS customer information requests to ascertain that AWS recorded customer information requests. Result: No deviations noted.

AWSCA-12.8: Unless prohibited from doing so or there is a clear indication of illegal conduct in connection with the use of AWS products or services, AWS makes a reasonable attempt to notify customers before disclosing Customer Content in response to valid/binding law enforcement requests.
Criteria: P6.7
Tests performed by EY and results:
- Inquired of AWS Corporate Counsel to ascertain that AWS made a reasonable attempt to notify customers before disclosing Customer Content in response to valid/binding law enforcement requests unless legally prohibited from doing so. Result: No deviations noted.
- Inspected the Amazon Law Enforcement Guidelines public policy to ascertain that AWS did not disclose customer information in response to government demands unless AWS was legally required to by a binding order, and that in such cases AWS notified customers before disclosure unless legally prohibited from doing so. Result: No deviations noted.
- For a Customer Content disclosure in response to a binding law enforcement request, inspected an email notification sent from AWS Legal to an AWS customer to ascertain that AWS notified the customer before disclosure of customer content. Result: No deviations noted.

AWSCA-12.9: AWS maintains contracts with third-party sub-processors that contain data protection, confidentiality commitments, and security requirements.
Criteria: P6.1
Tests performed by EY and results:
- Inquired of AWS Senior Corporate Counsel to ascertain that AWS maintained contracts with third-party sub-processors that contain data protection, confidentiality commitments, and security requirements. Result: No deviations noted.
- For a sample of third-party sub-processors selected from the AWS sub-processor public website, inspected the contracts to ascertain that they contained data protection, confidentiality commitments, and security requirements. Result: No deviations noted.

AWSCA-12.10: A formal review of third-party sub-processors is performed prior to AWS allowing any processing by third-party sub-processors to determine that appropriate restrictions are in place to limit the third-party sub-processors’ processing of customer content only to the customer content that is necessary to provide or maintain the AWS services selected by the customer.
Criteria: P6.7
Tests performed by EY and results:
- Inquired of AWS Senior Corporate Counsel to ascertain that a formal review of third-party sub-processors was performed prior to AWS allowing any processing by third-party sub-processors. Result: No deviations noted.
- For a sample of third-party sub-processors selected from the AWS sub-processor public website, inspected the application security review performed by the Application Vendor Security (AVS) team to ascertain that restrictions limiting the processing of customer content by third-party sub-processors only to the customer content that was necessary to provide or maintain the AWS services selected by the customer were reviewed prior to AWS allowing any processing by the third-party sub-processor. Result: No deviations noted.

AWSCA-12.11: AWS conducts annual reassessments of third-party sub-processors, or after major incidents or significant changes.
Criteria: P6.1
Tests performed by EY and results:
- Inquired of AWS Senior Corporate Counsel to ascertain that AWS had a process in place to conduct annual reassessments of third-party sub-processors, or after major incidents or significant changes. Result: No deviations noted.
- For a sample of third-party sub-processors selected from the AWS sub-processor public website, inspected the application security review performed by the Application Vendor Security (AVS) team to ascertain that reassessments of third-party sub-processors were performed annually or following major incidents or significant changes. Result: No deviations noted.

AWSCA-12.12: The launch process for new third-party sub-processors requires addition to the externally posted list of third-party sub-processors that are currently engaged by AWS to process customer data depending on the AWS region and AWS service the customer selects.
Criteria: P6.7
Tests performed by EY and results:
- Inquired of AWS Senior Corporate Counsel to ascertain the launch process for new third-party sub-processors required addition to the publicly available list of third-party sub-processors engaged by AWS. Result: No deviations noted.
- Inspected the AWS Products Legal sub-processor page to ascertain that AWS notified customers when it engaged a third party to process customer data. Result: No deviations noted.
- Inspected the launch playbook to ascertain that it included requirements on notifying the appropriate team and adding third-party sub-processors to the externally posted list of sub-processors, for public disclosure of the use of new third-party sub-processors prior to AWS allowing any processing by those sub-processors. Result: No deviations noted.

SECTION V – Other Information Provided By Amazon Web Services


Proprietary and Confidential Information - Trade Secret


©2025 Amazon.com, Inc. or its affiliates
179
Section V – Other Information Provided By Amazon Web Services

s Ij
H1
For the current Spring SOC report (4/1/2024 – 3/31/2025) AWS has added new controls and made
enhancements to the existing controls and related information presented compared to the previous SOC
report. These changes were driven by our commitment to continuous improvement, a desire to better
align our documented controls with our evolving operational processes, AICPA SOC guidance and

OV
feedback received from our customers. The Sections below provide an overview of the changes:

Modifications to existing controls

F
Minor wording changes were made to the following control descriptions to more accurately reflect the
existing processes.

QE
OLD – Fall 2024 / NEW – Spring 2025

AWSCA-1.7
OLD – Fall 2024: The Board and its Committees have the required number of independent Board members and each Board and Committee member is qualified to serve in such capacity. Annually, Board members complete questionnaires to establish whether they are independent and qualified to serve on each Board Committee under applicable rules.
NEW – Spring 2025: The Amazon Board and its Committees have the required number of independent Board members, and the Board and each Committee member is qualified to serve in such capacity. Annually, Board members complete questionnaires to establish whether they are independent and qualified to serve on each Board Committee under applicable rules.

AWSCA-3.5
OLD – Fall 2024: AWS enables customers to select who has access to AWS services and resources (if resource-level permissions are applicable to the service) that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. Content is only returned to individuals authorized to access the specified AWS service or resource (if resource-level permissions are applicable to the service).
NEW – Spring 2025: AWS enables customers to select who has access to AWS services and resources that they own. AWS prevents customers from accessing AWS resources that are not assigned to them via access permissions. Content is only returned to individuals authorized to access the specified AWS service or resource (if resource-level permissions are applicable to the service).

AWSCA-3.17
OLD – Fall 2024: Outpost-Specific – Service link is established between Outpost and AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect.
NEW – Spring 2025: Outposts-Specific – Service link is established between Outposts and AWS Region by use of a secured VPN connection over public internet or AWS Direct Connect.

AWSCA-4.14
OLD – Fall 2024: Each production firmware version for the AWS Key Management Service HSM (Hardware Security Module) has been certified with NIST under the FIPS 140-2 level 3 standard or is in the process of being certified under FIPS 140-3 level 3.
NEW – Spring 2025: Each production firmware version release for the AWS Key Management Service HSM (Hardware Security Module) either holds or is in the process of actively pursuing FIPS 140-3 level 3 certification from the National Institute of Standards and Technology's (NIST) Cryptographic Module Validation Program (CMVP).

AWSCA-6.1
OLD – Fall 2024: AWS applies a systematic approach to managing change to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved. Change management standards are based on Amazon guidelines and tailored for each AWS service.
NEW – Spring 2025: AWS applies a systematic approach to managing change to ensure changes to customer-impacting aspects of a service are reviewed, tested and approved. Change management policies/procedures are based on Amazon guidelines and tailored to the specifics of each AWS service.

AWSCA-6.3
OLD – Fall 2024: Changes are tested according to service team change management standards prior to migration to production.
NEW – Spring 2025: Changes are tested according to service team change management policies/procedures prior to migration to production.

AWSCA-6.5
OLD – Fall 2024: Changes are reviewed for business impact and approved by authorized personnel prior to migration to production according to service team change management standards.
NEW – Spring 2025: Changes are reviewed for business impact and approved by authorized personnel prior to migration to production according to service team change management policies/procedures.

AWSCA-7.1
OLD – Fall 2024: S3-Specific – S3 compares user provided checksums to validate the integrity of data in transit. If the customer provided MD5 checksum does not match the MD5 checksum calculated by S3 on the data received, the REST PUT will fail, preventing data that was corrupted on the wire from being written into S3.
NEW – Spring 2025: S3-Specific – S3 compares checksums to validate the integrity of data in transit. If the customer provided or automatically calculated checksum does not match S3's server-side checksum validation, the upload will fail, preventing corrupted data from being written to S3.

AWSCA-9.4
OLD – Fall 2024: AWS host configuration settings are monitored to validate compliance with AWS security standards and automatically pushed to the host fleet.
NEW – Spring 2025: AWS host configuration settings are monitored to validate compliance with AWS security standards and to verify that settings are automatically deployed to the host fleet.

AWSCA-9.9
OLD – Fall 2024: AWS has a process to assess whether AWS employees who have access to resources that store or process customer data via permission groups are subject to a post-hire background check as applicable with local law. AWS employees who have access to resources that store or process customer data will have a background check in accordance to the AWS Personnel Security Policy.
NEW – Spring 2025: AWS has a process to assess whether AWS employees who have access to resources that store or process customer data via permission groups are subject to a post-hire background check as applicable with local law and the AWS Personnel Security Policy.
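AWSCA-7.1 above describes S3 rejecting an upload whose checksum does not match the data actually received. As an added illustration, not part of the report and not AWS's code, the following Python models that server-side check: the client computes a Content-MD5 header (base64 of the raw MD5 digest) and an SDK-style x-amz-checksum-crc32 header over the original body, the receiver recomputes both over the bytes it got, and a single bit flipped in transit causes the PUT to be refused. The sample body, the header set and the failure reasons are constructed for the example; S3's real error responses are not modeled.

```python
import base64
import hashlib
import zlib

# Constructed sample upload body for this example (not from the report).
BODY = b"object payload for the AWSCA-7.1 example\n"


def content_md5(body: bytes) -> str:
    """Client side: value of the Content-MD5 header, the base64 of the raw MD5 digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def checksum_crc32(body: bytes) -> str:
    """Client side: an SDK-style automatically calculated checksum as carried in
    x-amz-checksum-crc32, the base64 of the big-endian 4-byte CRC32."""
    return base64.b64encode(zlib.crc32(body).to_bytes(4, "big")).decode()


def server_validate(received: bytes, headers: dict) -> tuple:
    """Model of the server-side check in AWSCA-7.1: every checksum the client
    supplied is recomputed over the bytes actually received, and any mismatch
    fails the upload. Returns (accepted, reason); reason strings are illustrative."""
    if "Content-MD5" in headers and content_md5(received) != headers["Content-MD5"]:
        return False, "Content-MD5 does not match data received"
    if ("x-amz-checksum-crc32" in headers
            and checksum_crc32(received) != headers["x-amz-checksum-crc32"]):
        return False, "x-amz-checksum-crc32 does not match data received"
    return True, "OK"


def simulate_put(body: bytes, corrupt_in_transit: bool) -> tuple:
    """Constructed end-to-end PUT: checksums are computed over the original body,
    the body is optionally damaged on the wire, and the receiver validates it."""
    headers = {
        "Content-MD5": content_md5(body),
        "x-amz-checksum-crc32": checksum_crc32(body),
    }
    on_the_wire = bytearray(body)
    if corrupt_in_transit:
        on_the_wire[0] ^= 0x01  # one flipped bit is enough for the upload to be rejected
    return server_validate(bytes(on_the_wire), headers)


if __name__ == "__main__":
    print("clean upload:    ", simulate_put(BODY, corrupt_in_transit=False))
    print("corrupted upload:", simulate_put(BODY, corrupt_in_transit=True))
```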
Addition of new controls



A new control was added to the AWS SOC report scope to expand our control framework capabilities,
reflecting our commitment to continuous security improvement.

New Controls / Mapped to Criteria

AWSCA-3.19: S3-Specific - All new objects uploaded to Amazon S3 are automatically encrypted with server-side encryption.
Mapped to Criteria: CC6.1, CC6.7
APPENDIX – Glossary of Terms
Appendix – Glossary of Terms
AMI: An Amazon Machine Image (AMI) is an encrypted machine image stored in Amazon S3. It contains all the information necessary to boot instances of a customer’s software.

API: Application Programming Interface (API) is an interface in computer science that defines the ways by which an application program may request services from libraries and/or operating systems.

Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.

Availability Zone: Amazon EC2 locations are composed of regions and Availability Zones. Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones and provide inexpensive, low latency network connectivity to other Availability Zones in the same region.

Bucket: A container for objects stored in Amazon S3. Every object is contained within a bucket. More information can be found in https://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html#BasicsBucket

AWS Content: “AWS Content” means Content we or any of our affiliates make available in connection with the Services or on the AWS Site to allow access to and use of the Services, including APIs; WSDLs; Documentation; sample code; software libraries; command line tools; proofs of concept; templates; and other related technology (including any of the foregoing that are provided by our personnel). AWS Content does not include the Services or Third-Party Content.

Customer Content: Defined as “Your Content” in https://aws.amazon.com/agreement/

HMAC: In cryptography, a keyed-Hash Message Authentication Code (HMAC or KHMAC) is a type of message authentication code (MAC) calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Any iterative cryptographic hash function, such as MD5 or SHA-1, may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1, accordingly. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the length of the hash output in bits.

Personal Information: Personal information that AWS collects in the course of providing AWS’ offerings includes:

• Information You Give Us: We collect any information you provide in relation to AWS Offerings. Click here to see examples of information you give us.
• Automatic Information: We automatically collect certain types of information when you interact with AWS Offerings. Click here to see examples of information we collect automatically.
• Information from Other Sources: We might collect information about you from other sources, including service providers, partners, and publicly available sources. Click here to see examples of information we collect from other sources.
Hypervisor: A hypervisor, also called a Virtual Machine Monitor (VMM), is virtualization software, or hardware with virtualization support, that allows multiple operating systems to run on a host computer concurrently.

IP Address: An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes.

IP Spoofing: Creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

MD5 checksums: In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications and is also commonly used to check the integrity of files.

Object: The fundamental entities stored in Amazon S3. Objects consist of object data and metadata. The data portion is opaque to Amazon S3. The metadata is a set of name-value pairs that describe the object. These include some default metadata such as the date last modified and standard HTTP metadata such as Content-Type. The developer can also specify custom metadata at the time the Object is stored.

Port Scanning: A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides.

Privacy Policy: “Privacy Policy” means the privacy policy located at https://aws.amazon.com/privacy/ (and any successor or related locations designated by us), as it may be updated by AWS from time to time.

User entity: The entities that use the services of a service organization during some or all of the review period.

Service: Software or computing ability provided across a network (e.g., Amazon EC2, Amazon S3).

Service Organization: An organization or segment of an organization that provides services to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Signature Version 4: Signature Version 4 is the process to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key.

Subservice Organization: A service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.

Virtual Instance: Once an AMI has been launched, the resulting running system is referred to as a virtual instance. All instances based on the same AMI start out identical, and any information on them is lost when the instances are terminated or fail.

X.509: In cryptography, X.509 is an ITU-T standard for a Public Key Infrastructure (PKI) for Single Sign-On (SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates and a certification path validation algorithm.