Compliance validation for AWS Outposts

The existing compliance certifications for AWS services apply to services running entirely in an AWS Region. AWS Outposts and services on an Outpost require a separate evaluation for certifications.

Under the shared responsibility model, AWS is responsible for the hardware and software that run AWS services. This applies to AWS Outposts, just as it does to an AWS Region. This includes patching the infrastructure software and configuring infrastructure devices. As a customer, you are responsible for implementing best practices for data encryption, patching your guest operating system and applications, identity and access management, and operating system, network, and firewall configurations.

AWS uses secure channels from manufacturing through installation and delivery of the Outpost equipment. When the Outpost equipment is on your site, any replacement parts are delivered through the same secure channels and are checked for tampering. No server or switch repairs occur on site.

As a customer, you are responsible for the physical security and environmental controls at the facility where the Outpost is located, and for providing networking between the Outpost and the AWS Region. Your responsibilities include the following:

  • Physical and environmental security of the Outpost, starting from the moment that the Outpost equipment arrives at your facility to the point at which the Outpost equipment is removed at the end of the term or for repairs.

  • Physical access controls around the Outpost equipment at your facility. This includes background checks and security training for facility staff.

  • Data management policies, including terminating EC2 instances and deleting data volumes before the Outpost equipment is removed at the end of the term or for repairs.

  • Configuring and maintaining a network connection between the Outpost and the AWS Region. Communication sent over this connection between the Outpost and the Region is encrypted by AWS.

  • Encrypting any traffic traveling over your network to the local gateway.