Compliance validation for AWS Outposts

AWS publishes a list of specific in-scope compliance certifications for AWS Outposts. For more information, see AWS Services in Scope by Compliance Program. However, these services are not in scope when running locally on AWS Outposts unless AWS Outposts is also separately listed for the specific compliance or assurance program.

Third-party auditors assess the security and compliance of AWS Outposts as part of multiple AWS compliance programs. These include ISO, PCI, HIPAA, and others.

Under the shared responsibility model, AWS is responsible for the hardware and software that run AWS services. This applies to AWS Outposts, just as it does to an AWS Region, and includes patching the infrastructure software and configuring infrastructure devices. As a customer, you are responsible for implementing best practices for data encryption, patching your guest operating system and applications, identity and access management, and operating system, network, and firewall configurations.

For more information about security and compliance for AWS Outposts, see AWS Outposts FAQ.

AWS uses secure channels from manufacturing through installation and delivery of the Outpost equipment. When the Outpost equipment is on your site, any replacement parts are delivered through the same secure channels and are checked for tampering. No server or switch repairs occur on site.

As a customer, you are responsible for the physical security and environmental controls at the facility where the Outpost is located, and for providing networking between the Outpost and the AWS Region. Your responsibilities include the following:

  • Physical and environmental security of the Outpost, starting from the moment that the Outpost equipment arrives at your facility to the point at which the Outpost equipment is removed at the end of the term or for repairs.

  • Physical access controls around the Outpost equipment at your facility. This includes background checks and security training for facility staff.

  • Data management policies, including terminating EC2 instances and deleting data volumes before the Outpost equipment is removed at the end of the term or for repairs.

  • Configuring and maintaining a network connection between the Outpost and the AWS Region. Communication sent over this connection between the Outpost and the Region is encrypted by AWS.

  • Encrypting any traffic traveling over your network to the local gateway.