AWS Compliance FAQs

In the event that you need assistance to complete a questionnaire to document AWS security and compliance positions, AWS has a recommended approach designed to provide you with the resources you need to answer your security and compliance questions in the context of the cloud and AWS’s business model. The most frequently used resources to complete security and compliance questionnaires are:

• AWS Artifact – AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) attestation of compliance, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
• AWS Compliance Programs webpage - AWS Compliance Programs help customers to understand the robust controls in place at AWS to maintain security and compliance in the cloud.
• AWS Data Center Controls webpage – Many questionnaires have a section with questions related to data center physical security. This webpage provides you with insight into some of our physical and environmental controls.
• AWS Risk and Compliance whitepaper – This document addresses AWS-specific information around general cloud computing compliance questions.
• CSA Consensus Assessments Initiative Questionnaire – The CSA Consensus Assessments Initiative Questionnaire provides a set of questions the CSA anticipates a cloud consumer and/or auditor would ask of a cloud provider. It provides a series of security, control, and process questions which can then be used for a wide range of uses, including cloud provider selection and security evaluation. This document contains the AWS answers to the CSA questionnaire.
• AWS CyberGRX Assessment – Customers can leverage the AWS CyberGRX report to reduce their supplier due-diligence burden by replacing outdated static spreadsheets as well as the need to repetitively request access to AWS’ assessment each year. Customers can also use CyberGRX’s Framework Mapper feature which will allow them to map the AWS assessment to commonly used industry frameworks and standards to instantly gain visibility into controls coverage.
• AWS CyberVadis Assessment – Customers can leverage the AWS CyberVadis risk assessment report and scorecard for their supplier due-diligence. CyberVadis assessment provides advanced capabilities by integrating AWS’ responses with analytics and sophisticated risk models, to provide an in-depth view of AWS’s security posture. Customers can use CyberVadis results to map the AWS assessment to commonly used industry frameworks and standards to instantly gain visibility into controls coverage.
• SIG Questionnaire - The Standardized Information Gathering (SIG) questionnaire is intended for use by customers using Shared Assessment's SIG Questionnaire Tools to standardize their process for third party risk assessments. AWS has completed the questionnaire with narrative responses to assist AWS customers with their due diligence process of the AWS Cloud. SIG can be found on AWS Artifact.

The AWS Services in Scope webpage provides a list of services that are assessed to comply with common compliance standards.

AWS may engage the entities listed on the AWS Sub-Processors webpage to carry out specific processing activities on behalf of the customer or data center facility management activities. This webpage also provides customers with the option to subscribe to email notifications if the list of sub-processors changes.

You can learn about data privacy in the AWS Data Privacy Center. This webpage provides information on privacy at AWS, privacy laws and regulations, FAQs, and resources.

AWS keeps our data center locations strictly confidential to maintain the security and privacy of customer data. The naming convention for our AWS Regions are indicative of the general geographic location of the availability zones and data centers that make-up that Region. Additional detail regarding the general location of data centers is contained in our PCI-DSS report available through AWS Artifact. To learn more, visit our AWS Global Infrastructure webpage.

Customers can assess the security and resiliency of the AWS physical infrastructure by considering all of the security controls that AWS has in place for its data centers. To help customers more deeply understand our physical security and resiliency controls, an independent and competent auditor validates the presence and operation of controls as part of our SOC reports which are available to customers through AWS Artifact. This broadly accepted third-party validation provides customers with the independent attestation of the effectiveness of controls in place. Independent reviews of data center physical security is also a part of the ISO 27001, PCI, ITAR, and the FedRAMP compliance programs.

No. Due to the fact that our data centers host multiple customers, AWS does not allow data center tours by customers, as this exposes a wide range of customers to physical access of a third party. However, customers and the general public can take a digital tour of an AWS Data Center to better understand our infrastructure and controls on our website.

Customers evaluating AWS as part of their disaster recovery planning should first identify their resiliency goals and consider any applicable regulatory requirements for resiliency and disaster recovery. Customers can then architect their AWS environment to meet their resiliency goals and regulatory requirements. For example, to mitigate environmental risks, customers can architect their AWS workloads to take advantage of physically separated Availability Zones and Regions to reach their objectives. When planning for business continuity and disaster recovery AWS customers should utilize the best practices contained in the reliability pillar of the AWS Well Architected Framework. More information on disaster recovery recommendations is available at Disaster Recovery of Workloads on AWS: Recovery in the Cloud.

AWS Artifact provides compliance reports issued by third-party auditors who have tested and verified our compliance with a variety of global, regional, and industry-specific security standards and regulations. When new reports are released, they are made available for customers to download in AWS Artifact. For more information, go to the Compliance Reports FAQ. You can also access AWS Artifact directly from the AWS Management Console.

Based on the AWS continuous coverage provided by our 12-month SOC reports issued multiple times per year, we publish a SOC Continued Operations Letter instead of a bridge letter or gap letter. These regularly published letters can be downloaded using AWS Artifact from the AWS Management Console.

No. SOC audits are performed over a period of time. Once the audit period is over, the report is prepared and made available to customers in approximately 6 weeks. Starting from September 30, 2023, AWS issues SOC reports covering 12-month periods multiple times per year. SOC 1 reports are issued quarterly, and SOC 2 and SOC 3 reports are issued every 6 months. When new SOC reports are released, they are made available for customers to download in AWS Artifact.

AWS is happy to provide your customer with a copy of our SOC 1 or SOC 2 report. To best support your customers, we recommend they utilize the Getting Started with AWS Artifact guide to download the SOC 1 or SOC 2 report by using their own AWS Account. There is no charge associated with creating an account. After logging into their account, your customers can access available reports in the AWS Console by navigating to Artifact under Security, Identity & Compliance.

Alternatively, you can download the AWS compliance reports from AWS Artifact and share with your customers directly if permitted by the terms and conditions applicable to the specific AWS compliance report. Please refer to the applicable terms and conditions on the first page of the AWS compliance report downloaded from AWS Artifact to check whether or not sharing of that report is permitted.

We also publish the AWS SOC 3 report on our SOC Compliance web page. The SOC 3 report is a summary of the AWS SOC 2 report; it provides assurance, including the external auditor’s opinion, that AWS maintains effective operation of controls based on the criteria set forth in the AICPA’s Trust Services Principles.

There is no HIPAA certification for a cloud service provider (CSP) such as AWS. However, AWS aligns its HIPAA risk management program with the US Department of Health and Human Services Privacy (45 CFR Part 160 and Subparts A and E of Part 164) and Security (45 CFR Part 160 and Subparts A and C of Part 164) Rules, HIPAA Administrative Simplification Regulations (45 CFR 160, 162, and 164), FedRAMP, NIST 800-30 and NIST 800-53. NIST supports this alignment and has issued SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule. Refer to the AWS HIPAA webpage for more information about HIPAA compliance on AWS.

Yes. AWS has a standard BAA we enter into with customers. It takes into account the unique services AWS provides and accommodates the AWS Shared Responsibility Model.

To review, accept, and manage the status of the BAA for your account, or for all accounts that are part of your organization in AWS Organizations, sign in to AWS Artifact from the AWS Management Console.

AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control, and administrative processes required under HIPAA. Customers may use any AWS service in an account designated as a HIPAA account, but should only process, store, and transmit protected health information (PHI) using HIPAA-eligible services. Refer to the following AWS resources for more information about HIPAA compliance on AWS:

• Common architecting strategies for HIPAA
• HIPAA FAQs
• HIPAA-related blog posts

Customers may look to leverage the AWS HITRUST CSF certification of in-scope services to support their own HITRUST CSF certification. For the latest list of HITRUST CSF certified AWS services, see the AWS Services in Scope  webpage. AWS customers can inherit AWS HITRUST CSF certification provided that customers use only in-scope services and apply the controls detailed in the HITRUST Alliance website. Customers can download the AWS Custom HITRUST Shared Responsibility Matrix to determine HITRUST requirements that AWS customers can inherit as part of the shared responsibility model. Customers should refer to MyCSF User Guide webpage for guidance on how to initiate inheritance request.

You do not need to take any action to get the benefit of the GDPR DPA. The terms of the GDPR DPA are incorporated into the AWS Service Terms and, since May 25, 2018, the GDPR DPA automatically applies to customers whose activities come within the scope of the GDPR. Refer to this AWS Security blog post to learn more about AWS's DPA. For additional information visit the GDPR Center.

The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance of the cloud. You can find which specific regional (Global, Americas, Asia Pacific, Europe, Middle East & Africa) programs AWS complies with on the AWS Compliance Programs webpage.