Compliance
AWS Compliance helps customers understand the robust controls in place at AWS to
maintain security and data protection in the AWS Cloud. When systems are built in the AWS Cloud,
AWS and customers share compliance responsibilities. AWS computing environments are continuously
audited, with certifications from accreditation bodies across geographies and verticals,
including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001,
FedRAMP, DoD SRG, and PCI DSS Level 1. Additionally, AWS has assurance programs that
provide templates and control mappings to help customers establish the compliance of their
environments running on AWS. For a full list of programs, see AWS Compliance Programs.
We can confirm that all AWS services can be used in compliance with
the GDPR. This means that, in addition to benefiting from all of the
measures that AWS already takes to maintain service security,
customers can deploy AWS services as a part of their GDPR compliance
plans. AWS offers a GDPR-compliant Data Processing Addendum (GDPR
DPA), enabling you to comply with GDPR contractual obligations. The
AWS GDPR DPA is incorporated into the AWS Service Terms and applies
automatically to all customers globally who require it to comply
with the GDPR. Amazon.com, Inc. is certified under the EU-US Privacy
Shield, and AWS is covered under this certification. This helps
customers who choose to transfer personal data to the US to meet
their data protection obligations. Amazon.com, Inc.'s certification
can be found on the EU-US Privacy Shield website:
https://www.privacyshield.gov/list
By operating in an accredited environment, customers reduce the scope and cost of audits they need to perform. AWS continuously undergoes assessments of its underlying infrastructure—including the physical and environmental security of its hardware and data centers—so customers can take advantage of those certifications and simply inherit those controls.
In a traditional data center, common compliance activities are often manual, periodic tasks, such as verifying asset configurations and reporting on administrative activities. Moreover, the resulting reports are frequently out of date before they are even published. Operating in an AWS environment allows customers to take advantage of embedded, automated tools like AWS Security Hub, AWS Config, and AWS CloudTrail for validating compliance. These tools reduce the effort needed to perform audits, since the underlying checks become routine, ongoing, and automated. By spending less time on manual activities, you can help evolve the role of compliance in your company from a necessary administrative burden to a function that manages your risk and improves your security posture.