This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Applicability of 21 CFR 11 to regulated medical products and GxP systems is the responsibility of the customer, as determined by the intended use of the system(s) or product(s). AWS has mapped some of these requirements based on the AWS Shared Responsibility Model; however, customers are responsible for meeting their own regulatory obligations.
Below, we have identified each subpart of 21 CFR 11 and clarified areas where AWS services and operations and the customer share responsibility in order to meet 21 CFR 11 requirements.
21 CFR Subpart | AWS Responsibility | Customer Responsibility |
---|---|---|
11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: | ||
11.10(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | AWS services are built and tested to conform to IT industry standards, including SOC, ISO, PCI, and others https://aws.amazon.com/compliance/programs/ Control over the installation and operation of AWS product components, including both software components and hardware components; Control over product changes and configuration management; Risk management program; Management review, planning, and operational monitoring; Security management of information availability, integrity, and confidentiality; and Data protection controls including mechanisms for data backup, restore and archiving. All purchased materials and services intended for use in production processes are documented, and documentation is reviewed and approved prior to use and verified to be in conformance with the specifications. Final inspection and testing is performed on AWS services prior to their release to general availability. The final service release review procedure includes a verification that all acceptance data is present and that all product requirements were met. Once in production, AWS services undergo continuous performance monitoring. In addition, AWS’s significant customer base, authorization for use by government agencies, and recognition by industry analysts as a leading cloud services provider are further evidence of AWS products delivering their documented functionality https://aws.amazon.com/documentation/ | AWS products are basic building blocks that allow you to create private, virtualized infrastructure environments for your custom software applications and commercial-off-the-shelf applications. In this way, you remain responsible for enabling (i.e. installing), configuring, and operating AWS products to meet your data-, application-, and industry-specific needs like GxP software validation and GxP infrastructure qualification as well as validation to support 21 CFR Part 11 requirements. AWS products are, however, unlike traditional infrastructure software products in that they are highly automatable, allowing you to programmatically create qualified infrastructure via version controlled JSON[1] scripts instead of manually-executed paper protocols, where applicable. This automation capability not only reduces effort, it increases control and consistency of the infrastructure environment such that continuous qualification [2] is possible. Installation qualification of AWS services into your environment, operational and performance qualification (IQ/OQ/PQ) are your responsibility, as are the validation activities to demonstrate that systems with GxP workloads managing electronic records are appropriate for the intended use and meet regulatory requirements. |
11.10(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. | Controls are implemented subject to industry best practices in order to ensure services provide complete and accurate outputs with expected performance committed to in SLAs. Relevant SOC2 Common Criteria: A1.1 | AWS has a series of Security Best Practices (https://aws.amazon.com/security/security-resources/ |
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. | Controls are implemented subject to industry best practices in order to ensure services provide complete and accurate outputs with expected performance committed to in SLAs. Relevant SOC2 Common Criteria: A1.1. AWS has identified critical system components required to maintain the availability of our system and recover service in the event of outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones, and backups are maintained. Each Availability Zone is engineered to operate independently with high reliability. Backups of critical AWS system components are monitored for successful replication across multiple Availability Zones. Refer to the AWS SOC 2 Report CC A1.2. The AWS Resiliency Program encompasses the processes and procedures by which AWS identifies, responds to, and recovers from a major event or incident within our environment. This program builds upon the traditional approach of addressing contingency management, which incorporates elements of business continuity and disaster recovery plans and expands this to consider critical elements of proactive risk mitigation strategies such as engineering physically separate Availability Zones (AZs) and continuous infrastructure capacity planning. AWS service resiliency plans are periodically reviewed by members of the Senior Executive management team and the Audit Committee of the Board of Directors. The AWS Business Continuity Plan outlines measures to avoid and lessen environmental disruptions. It includes operational details about steps to take before, during, and after an event. The Business Continuity Plan is supported by testing that includes simulations of different scenarios. During and after testing, AWS documents people and process performance, corrective actions, and lessons learned with the aim of continuous improvement. AWS data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. Refer to the AWS SOC 2 Report CC3.1, CC3.2, A1.2, A1.3. | AWS has a series of Security Best Practices (https://aws.amazon.com/security/security-resources/ You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection, and backup of your Customer Content, which may include the use of encryption technology (to protect your content from unauthorized access) and routine archiving. Using Service Offerings such as Amazon S3, Amazon Glacier, and Amazon RDS, in combination with replication and high availability configurations, AWS's broad range of storage solutions for backup and recovery are designed for many customer workloads. https://aws.amazon.com/backup-recovery/ AWS services provide you with capabilities to design for resiliency and maintain business continuity, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions as well as across multiple Availability Zones within each region. You need to architect your AWS usage to take advantage of multiple regions and availability zones. Distributing applications across multiple availability zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures. The AWS cloud supports many popular disaster recovery (DR) architectures, from “pilot light” environments that are ready to scale up at a moment’s notice to “hot standby” environments that enable rapid failover. You are responsible for DR planning and testing. |
(d) Limiting system access to authorized individuals. | AWS implements both physical and logical security controls. Physical access to all AWS data centers housing IT infrastructure components is restricted to authorized data center employees, vendors, and contractors who require access in order to execute their jobs. Employees requiring data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Access to data centers is regularly reviewed. Access is automatically revoked when an employee’s record is terminated in Amazon’s HR system. In addition, when an employee or contractor’s access expires in accordance with the approved request duration, his or her access is revoked, even if he or she continues to be an employee of Amazon. AWS restricts logical user access privileges to the internal Amazon network based on business need and job responsibilities. AWS employs the concept of least privilege, allowing only the necessary access for users to accomplish their job function. New users are created to have minimal access. User access to AWS systems requires approval from the authorized personnel, and validation of the active user. Access privileges to AWS systems are reviewed on a regular basis. When an employee no longer requires these privileges, his or her access is revoked. Refer to the AWS SOC 2 Report C1.2, C1.3, and CC6.1-6.6 to verify the AWS physical and logical security controls. | AWS provides you with the ability to configure and use the AWS service offerings in order to maintain appropriate security, protection, and backup of content, which may include the use of encryption technology to protect your content from unauthorized access. You maintain full control and responsibility for establishing and verifying configuration of access to your data and AWS accounts, as well as periodic review of access to data and resources. Using AWS Identity and Access Management (IAM), a web service that allows you to securely control access to AWS resources, you must control who can access and use your data and AWS resources (authentication) and what data and resources they can use and in what ways (authorization). IAM is a feature of all AWS accounts offered at no additional charge. You will be charged only for use of other AWS services by your users, https://aws.amazon.com/iam/ Maintaining physical access to your facilities and assets is solely your responsibility. |
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. | AWS maintains centralized repositories that provide core log archival functionality available for internal use by AWS service teams. Leveraging S3 for high scalability, durability, and availability, it allows service teams to collect, archive, and view service logs in a central log service. Production hosts at AWS are equipped with logging for security purposes. This service logs all human actions on hosts, including logons, failed logon attempts, and logoffs. These logs are stored and accessible by AWS security teams for root cause analysis in the event of a suspected security incident. Logs for a given host are also available to the team that owns that host. A frontend log analysis tool is available to service teams to search their logs for operational and security analysis. Processes are implemented to protect logs and audit tools from unauthorized access, modification, and deletion. Refer to the AWS SOC 2 Report CC5.1, CC7.1 | Verification and implementation of audit trails, as well as back up and retention procedures of your electronic records are your responsibility. AWS provides you with the ability to properly configure and use the Service Offerings in order to maintain appropriate audit trail and logging of data access, use and modification (including prohibiting disablement of audit trail functionality). Logs within your control (described below) can be used for monitoring and detection of unauthorized changes to your data. Using Service Offerings such as AWS CloudTrail, AWS CloudWatch Logs, and VPC Flow Logs, you can monitor your AWS data operations in the cloud by getting a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support AWS CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate AWS CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn logging services on and off. AWS CloudTrail records two types of events: (1) Management Events: Represent standard API activity for AWS services. For example, AWS CloudTrail delivers management events for API calls such as launching EC2 instances or creating S3 buckets. (2) Data Events: Represent S3 object-level API activity, such as Get, Put, Delete and List actions. https://aws.amazon.com/cloudtrail/ |
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | Not applicable to AWS – this requirement only applies to the customer’s system. | You are responsible for configuring, establishing and verifying enforcement of permitted sequencing of steps and events within the regulated environment. |
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | Not applicable to AWS – this requirement only applies to the customer’s system. | AWS provides you with the ability to configure and use the AWS service offerings in order to maintain appropriate security, protection, and backup of content, which may include the use of encryption technology to protect your content from unauthorized access. You maintain full control and responsibility for establishing and verifying configuration of access to your data and AWS accounts, as well as periodic review of access to data and resources. Using AWS Identity and Access Management (IAM), a web service that allows you to securely control access to AWS resources, you must control who can access and use your data and AWS resources (authentication) and what data and resources they can use and in what ways (authorization). IAM is a feature of all AWS accounts offered at no additional charge. You will be charged only for use of other AWS services by your users, https://aws.amazon.com/iam/ |
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Not applicable to AWS – this requirement only applies to the customer’s system. | You are responsible for establishing and verifying the source of the data input into your system is valid, whether manually, or, for example, by enforcing only certain input devices or sources are utilized. |
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | AWS has implemented formal, documented training policies and procedures that address purpose, scope, roles, responsibilities, and management commitment. AWS maintains and provides security awareness training to all information system users on an annual basis. The policy is disseminated through the internal Amazon communication portal to all employees. Relevant SOC2 Common Criteria: CC1.3, CC1.4, CC2.2, CC2.3 | You are responsible for ensuring your AWS users—including IT staff, developers, validation specialists, and IT auditors—review the AWS product documentation and complete the product training programs you have determined are appropriate for your personnel. AWS products are extensively documented online, https://aws.amazon.com/documentation/ Adequacy of training programs for your personnel, as well as maintenance of documentation of personnel training and qualifications (such as training record, job description and resumes) are your responsibility. |
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | Not applicable to AWS – this requirement only applies to the customer’s system. | Establishment and enforcement of policies to hold personnel accountable and responsible for actions initiated under their electronic signatures is your responsibility, including training and associated documentation. |
(k) Use of appropriate controls over systems documentation including: | ||
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. | AWS maintains formal, documented policies and procedures that provide guidance for operations and information security within the organization and the supporting AWS environments. Policies are maintained in a centralized location that is only accessible by employees. Security policies are reviewed and approved on an annual basis by Security Leadership, and are assessed by third-party auditors as part of our audits. Refer to SOC2 Common Criteria CC2.2, CC2.3, CC5.3 | You are responsible for establishing and maintaining your own controls over the distribution, access and use of documentation and documentation systems for system operation and maintenance. |
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | AWS policies and procedures go through processes for approval, version control, and distribution by the appropriate personnel and/or members of management. These documents are reviewed periodically and, when necessary, supporting data is evaluated to ensure the document fulfills its intended use. Revisions are reviewed and approved by the team that owns the document, unless otherwise specified. Invalid or obsolete documents are identified and removed from use. Internal policies are reviewed and approved by AWS leadership at least annually, or following a significant change to the AWS environment. Where applicable, AWS Security leverages the information system framework and policies established and maintained by Amazon Corporate Information Security. AWS service documentation is maintained in a publicly accessible online location so that the most current version is available by default. https://aws.amazon.com/documentation/ Refer to the AWS SOC 2 Report CC2.3, CC3.4, CC6.7, CC8.1 | You are responsible for changes to your computerized systems running within your AWS accounts. System components must be authorized, designed, developed, configured, documented, tested, approved, and implemented according to your security and availability commitments and system requirements. Using Service Offerings such as AWS Config, you can manage and record your AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. AWS Config Rules also enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config, https://aws.amazon.com/documentation/config/ Change records and associated logs within your environment may be retained according to your record retention schedule. You are responsible for storing, managing and tracking electronic documents in your AWS account and as part of your overall quality management system, including maintaining an audit trail that documents time-sequenced development and modification of systems documentation. |
§11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in §11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality. | Industry standard controls and procedures are in place to protect and maintain the authenticity, integrity and confidentiality of customer data. Refer to the AWS SOC 2 Report C1.1-C1.2 | You are responsible for determining whether your use of AWS services within your environment meets the definition of an open or closed system and whether these requirements apply. Refer to the responsibilities in §11.10 above for more information for recommended procedures and controls. Additional measures such as document encryption and use of appropriate digital signature standards are your responsibility to maintain data integrity, authenticity and confidentiality. |
§11.50 Signature manifestations. (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications meet the signed electronic records requirements identified. |
§11.70 Signature/record linking. Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the signature/record linking requirements identified, including any required policies and procedures. |
Subpart C—Electronic Signatures §11.100 General requirements. (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the general electronic signature requirements identified, including any required policies and procedures to enforce electronic signature governance. |
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the general electronic signature requirements identified, including any required policies and procedures to verify individual identity prior to use of an electronic signature. |
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. (1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857. (2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the general electronic signature requirements identified, including determining whether any notification to the agency is required, and documenting accordingly. |
§11.200 Electronic signature components and controls. | ||
(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature components and controls identified, including establishing the procedures for use of identifying components, and use by genuine owners. |
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature components and controls identified, including establishing the procedures for use by genuine owners. |
§11.300 Controls for identification codes/passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: | ||
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature controls identified, including establishing the procedures and controls for uniqueness of password and ID code combinations. |
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature controls identified, including establishing the procedures and controls for periodic review of password issuance. |
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature controls identified, including establishing the procedures and controls for loss management of compromised devices that generate ID code or passwords. |
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature controls identified, including establishing the procedures and controls to prevent, detect and report unauthorized use of ID codes and/or passwords. |
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. | Not applicable to AWS – this requirement only applies to the customer’s applications. | You are responsible for establishing and verifying that your applications/systems meet the electronic signature controls identified, including establishing the procedures and controls to periodically test devices that generate ID codes or passwords for proper functionality. |
[1] In computing, JSON (JavaScript Object Notation) is the open-standard syntax used for AWS CloudFormation templates, https://aws.amazon.com/documentation/cloudformation/.
[2] https://www.continuousvalidation.com/