Compliance validation for AWS Secrets Manager
Your compliance responsibility when using Secrets Manager is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
- Security and Compliance Quick Start Guides – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
- Architecting for HIPAA Security and Compliance Whitepaper – This whitepaper describes how companies can use AWS to create HIPAA-compliant applications.
- AWS Compliance Resources – This collection of workbooks and guides might apply to your industry and location.
- AWS Config assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations. For more information, see Monitor AWS Secrets Manager secrets for compliance by using AWS Config.
- AWS Security Hub provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices. For information about using Security Hub to evaluate Secrets Manager resources, see AWS Secrets Manager controls in the AWS Security Hub User Guide.
- IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity to access a secret. For more information, see Previewing access with Access Analyzer.
- AWS Systems Manager provides predefined runbooks for Secrets Manager. For more information, see Systems Manager Automation runbook reference for Secrets Manager.
AWS Secrets Manager has undergone auditing for the following standards and can be part of your solution when you need to obtain compliance certification.
- HIPAA – AWS has expanded its Health Insurance Portability and Accountability Act (HIPAA) compliance program to include AWS Secrets Manager as a HIPAA-eligible service.
- PCI DSS – AWS Secrets Manager has an Attestation of Compliance for Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2 at Service Provider Level 1. Customers who use AWS products and services to store, process, or transmit cardholder data can use AWS Secrets Manager as they manage their own PCI DSS compliance certification. For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
- ISO – AWS Secrets Manager has successfully completed compliance certification for ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001. For more information, see ISO 27001.
- SOC – System and Organization Control (SOC) reports are independent third-party examination reports that demonstrate how Secrets Manager achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the AWS controls that are established to support operations and compliance. For more information, see SOC Compliance.
- FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP Program also provides provisional authorizations for services and regions for East/West and GovCloud to consume government or regulated data. For more information, see FedRAMP Compliance.
- DoD SRG – The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides a standardized assessment and authorization process for cloud service providers (CSPs) to gain a DoD provisional authorization, so that they can serve DoD customers. For more information, see DoD SRG Resources.
- IRAP – The Information Security Registered Assessors Program (IRAP) enables Australian government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). For more information, see IRAP Resources.
- OSPAR – Amazon Web Services (AWS) achieved the Outsourced Service Provider’s Audit Report (OSPAR) attestation. AWS alignment with the Association of Banks in Singapore (ABS) Guidelines on Control Objectives and Procedures for Outsourced Service Providers (ABS Guidelines) demonstrates to customers AWS's commitment to meeting the high expectations for cloud service providers set by the financial services industry in Singapore. For more information, see OSPAR Resources.
You can download third-party audit reports using AWS Artifact. For more information, see Downloading Reports in AWS Artifact.