AWS Compliance Programs
The AWS Compliance Program helps customers to understand the robust controls in place at AWS to maintain security and compliance of the cloud. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance Enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.
IT standards we comply with are broken out by Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.
Global
CSA: Cloud Security Alliance Controls
CyberGRX: Third Party Risk Management
CyberVadis: Third Party Risk Management
EC: Global Export Compliance
ISO 9001: Global Quality Standard
ISO 14001: Environmental Management Systems
ISO 20000: Service Management
ISO 22301: Security and Resilience
ISO 27001: Security Management Controls
ISO 27017: Cloud Specific Controls
ISO 27701: Privacy Information Management
ISO 27018: Personal Data Protection
ISO 50001: Energy Management
PCI DSS Level 1: Payment Card Standards
SOC 1: Audit Controls Report
SOC 2: Security, Availability, & Confidentiality Report
SOC 3: General Control Report
Americas
CCCS: Canadian Centre for Cyber Security (CCCS) Assessment
CJIS: Criminal Justice Information Services
CMMC: Cybersecurity Maturity Model Certification
DFARS: Defense Federal Acquisition Regulation Supplement
DoD SRG: Department of Defense Data Processing
FedRAMP: Government Data Standards
FERPA: Educational Privacy Act
FIPS: Government Security Standards
FISMA: Federal Information Security Management
GxP: Quality Guidelines and Regulations
HIPAA: Protected Health Information
HITRUST CSF: Health Information Trust Alliance Common Security Framework
ITAR: International Traffic in Arms Regulations
MPAA: Protected Media Content
NIST: National Institute of Standards and Technology
PIPEDA: Canada’s Federal Private Sector Privacy Legislation
SEC Rule 17a-4(f): Recordkeeping Rules
VPAT / Section 508: Accessibility Standards
Asia Pacific
FinTech: Reference Architecture in Japan
FISC: Center for Financial Industry Information Systems in Japan
IRAP: Security Standards in Australia
ISMAP: Government program to assess security of public cloud services in Japan
ISO 20000: Service Management
K-ISMS: Information Security in Korea
Medical Information Guidelines: Guidelines in Japan
MeitY: Ministry of Electronics and Information Technology
MTCS Tier 3: Multi-Tier Cloud Security Standard in Singapore
NISC: National Center of Incident Readiness and Strategy for Cybersecurity in Japan
OSPAR: Outsourcing Guidelines in Singapore
SNI 27001: Standar Nasional Indonesia
Europe, Middle East & Africa
BIO Thema-uitwerking Clouddiensten: The Baseline Informatiebeveiliging Overheid (BIO) Thema-uitwerking Clouddiensten in the Netherlands
C5: Operational Security Attestation in Germany
Data Protection Code of Conduct: Cloud Infrastructure Services Providers in Europe (CISPE)
CPSTIC: Spanish National Cryptologic Center (CCN) STIC Products and Services Catalogue (CPSTIC)
Cyber Essentials Plus: Cyber Threat Protection in the UK
DESC CSP: Dubai Electronic Security Centre Cloud Service Provider Security Standard
ENS High: Government Standards in Spain
FINMA ISAE 3000 Type 2 Report: Attestation for Swiss Financial Market Supervisory Authority Circulars
G-Cloud: Government Standards in the UK
GNS: National Restricted certified by National Security Office Portugal
GSMA: GSM Association
HDS: Personal Health Data Protection in France
IAR: United Arab Emirates Information Assurance Regulation
NHS DSPT: National Health Service Data Security and Protection Toolkit
PASF: Police-Assured Secure Facilities
Pinakes: Banking association CCI - Third Party Qualification
PiTuKri ISAE 3000 Type II Report: Criteria for Assessing the Information Security of Cloud Services
TiSAX: Automotive Industry Standard
Certifications / Attestations:
Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.
Laws / Regulations:
AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) to support customer compliance.
No formal certification is available to (or distributable by) a cloud service provider within these law and regulatory domains.
Alignments / Frameworks:
Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. AWS provides functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.
Requirements under specific alignments and frameworks may not be subject to certification or attestation; however, some alignments and frameworks are covered by other compliance programs.
Privacy
At AWS, customer trust is our top priority. We deliver services to millions of active customers, including enterprises, educational institutions, and government agencies in over 190 countries. Our customers include financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.