AMS compliance - AMS Advanced User Guide

AMS compliance

AMS has undergone auditing for the following standards and is eligible for use as part of solutions for which you must obtain compliance certification.

AMS Supported Compliance Standards

AMS supports AWS compliance standards. To learn more about AWS compliance programs, see AWS Compliance.

These are the current compliance standards supported by AMS.

FedRAMP: The US Federal Government is dedicated to delivering its services to the American people in the most innovative, secure, and cost-efficient fashion. Cloud computing plays a key part in how the federal government can achieve operational efficiencies and innovate on demand to advance their mission across the nation. That is why many federal agencies today are using AWS cloud services to process, store, and transmit federal government data.

For more information, see FedRAMP.

HIPAA: AWS has expanded its Health Insurance Portability and Accountability Act (HIPAA) compliance program to include AMS as a HIPAA Eligible Service. If you have a Business Associate Agreement (BAA) with AWS, you can use AMS to help build your HIPAA-compliant applications.

AWS offers a HIPAA-focused whitepaper for customers who want to learn more about how they can use AMS for the processing and storage of health information. For more information, see HIPAA Compliance.

HITRUST: The Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.

For more information, see HITRUST CSF.

ISO 27001: ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) that defines how AWS perpetually manages security in a holistic, comprehensive manner.

For more information, see ISO/IEC 27001:2013.

ISO 27017: ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional implementation guidance for information security controls that is specific to cloud service providers.

For more information, see ISO/IEC 27017:2015 Compliance.

ISO 27018: ISO/IEC 27018:2019 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.

For more information, see ISO/IEC 27018:2019 Compliance.

ISO 9001: ISO 9001:2015 outlines a process-oriented approach to documenting and reviewing the structure, responsibilities, and procedures required to achieve effective quality management within an organization. Specific sections of the standard contain information on topics such as:

  • Requirements for a quality management system, including documentation of a quality manual, document control, and determining process interactions

  • Responsibilities of management

  • Management of resources, including human resources and an organization’s work environment

  • Service development, including the steps from design to delivery

  • Customer satisfaction

  • Measurement, analysis, and improvement of the QMS through activities like internal audits and corrective and preventive actions

For more information, see ISO 9001:2015 Compliance.

PCI: AMS has an Attestation of Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 at Service Provider Level 1. Customers who use AWS products and services to store, process, or transmit cardholder data can use AMS as they manage their own PCI DSS compliance certification.

For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1. Importantly, you must configure fine-grained password policies in AMS to be consistent with PCI DSS version 3.2 standards. For details on which policies must be enforced, see Enable PCI Compliance for Your AWS Microsoft AD Directory.

SOC: AMS System & Organization Control (SOC) Reports are independent, third-party examination reports that demonstrate how AMS achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AMS controls established to support operations and compliance. There are three types of AMS SOC reports:

For more information, see SOC Compliance.

Shared Responsibility

Security, including PCI compliance, is a shared responsibility. It is important to understand that AMS compliance status does not automatically apply to applications that you run in the AWS Cloud. You need to ensure that your use of AWS services complies with the standards. For more details on how AMS works together with customers across specific activities, see the AMS responsibility matrix (RACI).