AWS Security FAQ

1. How can I best complete my annual AWS Vendor/Due Diligence Questionnaire?

If you need help completing a questionnaire to document AWS security and compliance posture, we recommend the following resources that are most commonly used to complete security and compliance questionnaires:

AWS Artifact:

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS security and compliance reports and select online agreements. The AWS SOC 2 report is particularly useful for completing questionnaires because it provides a complete overview of the implementation and operational effectiveness of AWS security controls. Another useful document is the Executive Briefing within the AWS FedRAMP Partner Package.

Cloud Security Alliance Consensus Assessment Initiative Questionnaire

The CSA Consensus Assessment Initiative Questionnaire provides a set of questions that the CSA anticipates a cloud consumer and/ or auditor would ask a cloud provider. It provides a series of security, control, and process questions that can then be used for a wide range of cases, including cloud vendor selection and security assessment. This document contains AWS’s responses to the CSA questionnaire.

Risks and Regulatory Compliance on AWS:

This document addresses AWS specific information on general cloud computing compliance subjects. It provides detailed descriptions of all AWS third-party certifications, programs, reports, and attestations.

AWS Data Centers Security Checks Website:

Many questionnaires have a complete section with questions related to the physical security of data centers. This website provides information about some of our physical and environmental controls.

Virtual Tour of an AWS Data Center:

Learn key aspects about how we build our data centers to provide you with security in the following layers:

  • Perimeter Layer
  • Infrastructure Layer
  • Data Layer
  • Environmental Layer

2. Which AWS services and features meet common cloud security and compliance standards?

AWS Services in Scope provides a list of services that are evaluated to meet common compliance standards. Unless specifically indicated as excluded, the characteristics of each of the listed services are considered within the scope of the compliance program and are reviewed and tested as part of the assessment. Check AWS documentation to know more about the features of an AWS service.

3. Can I meet my regulatory requirements on AWS?

AWS has customers throughout the world and continuously adapts to evolving regulations. AWS Compliance Center provides you with a central location to investigate cloud-related regulatory requirements and how they affect your industry. Select the country you are interested in, and the AWS Compliance Center will display the country’s regulatory position regarding the adoption of cloud services.

4. Does AWS have sub-processors? - Subcontractor access to data centers:

AWS may engage entities listed on the AWS sub-processor website to perform specific processing activities on behalf of the customer or data center facility management activities. This website also gives customers the option to subscribe to email notifications for changes to the list.

AWS proactively informs our customers about any subcontractors that have access to customer-owned content that you upload to AWS, including content that may contain personal data. There are no subcontractors authorized by AWS to access any customer-owned content you upload to AWS. To monitor access for subcontractors throughout the year, see the AWS Third-Party Access website.

5. Can you provide AWS data center locations for my business continuity or disaster recovery policies?

AWS data center locations are strictly confidential information to maintain the security and privacy of customer data. Locations are disclosed only to AWS employees and contractors who have an approved business need to be on-site.

Customers can assess the security and resilience of their AWS physical infrastructure by considering all the security controls that AWS has in place for their data centers. To help customers assess risks related to AWS data centers, AWS provides the AWS Data Center Controls website and the AWS SOC 2 report, available in AWS Artifact .

6. What factors are important for customers to evaluate as part of their disaster recovery plan?

Customers who evaluate AWS as part of their disaster recovery plan should first identify their resilience objectives and consider applicable regulatory requirements for resilience and disaster recovery. Customers can then design their AWS environment to meet their resilience goals and regulatory requirements. For example, to mitigate environmental risks, customers can design their AWS workloads to leverage physically separate Availability Zones and regions to achieve their goals. Customers with high availability requirements often use multiple Availability Zones or regions for critical applications. Learn more at the AWS Disaster Recovery website, the AWS Data Center Controls website, and the AWS SOC 2 report available at AWS Artifact .